Heck, we wouldn’t be bloggers, and we wouldn’t care about our industry, cloud or information security if we didn’t spend time reading this executive order and seeing what hidden neat treats there are in there.
Overall I am impressed with this executive order as it looks like someone actually thought about it in the first place. The thing that worries me the most about this is that I know we are not ready. I know that industry isn’t listening; I know that even the FBI gets into P2P downloading introducing unknown or exploitable errors and vulnerabilities in their systems.
I know for a fact that over 10 million computers are running known vulnerable versions of awstats that has remote exploits that allow shell interaction as a remote exploitable. I know for a fact that there are hundreds of scada systems exposed on the internet just ripe for the hacking. I know for a fact that if it comes to cyber warfare there is going to be an initial push that will drive many systems and companies both critical and important to their knees.
This executive order isn’t enough, because it does not address the current sorry state we are in industrially or politically to actually deal with the current level of exposures that we have. We are asking people to clean up in house, but we are lacking will, money, and desire. We have a lot of very good information security people in our industry, but we are expensive when it comes to specialized information on how to get into these systems. Hacking Scada systems is a super rare skill, much like Cloud Computing security, they are hard to find, and expensive when you do.
They are expensive for a reason, they have specialized into a field that needs to grow capability, but can’t because of limitations on school, education, and in large part, because many companies might be blissfully unaware of how many people are already in their systems, or at least the monitoring portion of their systems.
We have a systemic issue, we are in our own Catch-22, can’t fly if you are crazy, you’re not crazy if you don’t want to fly. Scada, Cloud, Databases, Operating systems, mobile systems, all have their own flaws, zero days, and just simply poor systems administration. We can’t fix them because no one wants to listen, or they will immediately accuse the reporter as a hacker, why are you hacking us. It is better to stay silent than to report.
And we want to share more information with companies and government?
We need to move away from the cop mentality, and into a more collaborative space. We need to move away from these quiet little enclaves with super-secret squirrel ideas like “fusion centers” that don’t work, and into a space where we all work together, work together well, and there is a safe place to report, share, grow, and understand the total picture.
Right now we have points on a map, a catch-22 and a cop mentality where we can’t talk to anyone outside of the super-secret squirrel gang.
To truly implement this executive order, we need to collaborate, we need to share, we need to be able to report, and we need freedom of action. We need the ability to really work with companies, government, law enforcement, universities, and in many cases even high schools to get this process together. One of the most important things we can do is organize, and I don’t see us doing it.
Most information security people are mired deep in standards, but do not really understand what it is like to find an unprotected Windows or Linux server on the internet that can become your plaything. We are so wrapped around policies and procedures because our laws point us in that direction, that we miss teaching people and reaching people with wicked skills when it comes to actually penetrating a computer system and seeing what it does.
We are mired in paperwork, good but too generic “best practices”, an educational and operational process that looks only at the compliance and governance side without really looking at the hack and pen side. Companies might get pen tested once a year, but what are the skills of the pen testing company? Do they really do a good job? I know of one security firm that is awesome in research and does amazing things in research, but as a rubber meets the road hack and pen they suck. Does your hack and pen testers suck? Can your security department even tell if they are getting value for their dollars spent? Or is it just another box to mark off on your way to compliance and governance.
Personally I would like to see a real liaison with a ton of inspired people, with skill levels all over the map to become an informal cyber militia that works hand in hand with government, military, education, and business.
But that won’t happen, it can’t, too many people, too many policies, too many politics, and too many people out there thinking that they know everything, when they know just enough to be dangerous, and won’t listen enough to others and acting stupid.
It is a nice idea, but we need to organize this puppy so that it makes sense, works, and is something different from what we have already. If we really want to be capable in cyber warfare, we need what we see during the CCDC competitions, not what we see with the burned out information security people that inhabit cubicles in Dilbert land. We need more doing, more collaboration, more fun, less handcuffs, and frankly fewer checklists.
(Cross-posted @ Hacking Cloud Computing)