-
December 5th, 2008, 05:25 PM
#11
Thank God for camera phones for those 1-page screenshots on a SIPRNet- and NIPRNet-connected, secured, card-accessed workstation. Thank Jesus for Linux boot CDs with USB turned on to read NTFS Documents and Settings. Thank God for bored and lazy sheep in the military who care less. Thank Microsoft for reintroducing viruses and bugs that were addressed in older distributions but forgotten in newer versions, so security experts can pay their rent for the month.
Last edited by Linen0ise; December 5th, 2008 at 05:49 PM.
-
December 7th, 2008, 03:46 PM
#12
As NukEvil says:
Flash drives/other removable media have nothing to do with their current problem. Stupidity seems to be the major issue. Another issue is a lack of adherence to policies (if they even have any) regarding basic system protection (weak/blank passwords, etc.)...
This is a much more fundamental and deep seated problem that has nothing to do with technology or operating systems. In fact, to suggest that it has is to make an even greater mistake of suggesting that technology can provide the solution. Which, of itself, it cannot.
This is about:
1. A security model.
2. Security policies.
3. Security processes to enforce the policies.
4. Security procedures to support the processes.
5. Governance & management of the security system.
Given that there is generally a high turnover of personnel in military and government environments, it is vital that there is an appropriate succession and training mechanism to prevent the whole system being gradually degraded.
-
December 7th, 2008, 11:23 PM
#13
This is about :
1. A...model.
2. ...policies.
3. ...processes to enforce...policies.
4. ...procedures to support...processes.
5. Governance & management of...???
The tech is changing every week or every month. Code is inherently insecure. Human beings are...sinners. Hardware's spread from here to kingdom come and tied to some database, now tied to some other database. And the newest 'model' is...a cloud?
Noam Eppel is right...security is absurd. CYA. No one else will.
“Everybody is ignorant, only on different subjects.” — Will Rogers
-
December 8th, 2008, 04:10 PM
#14
Originally Posted by nihil
@ phernandez and The-Spec,
Correct me if I am wrong, but I seem to recall that there was a scandal about flash drives when we first went into Iraq?
You mean when soldiers film the battlefield operations meant to stay secret, only to have the young soldier remove the 8GB microSD card. I bet 99% of them don't know what a stamp-sized flash drive looks like. You could easily walk past Gomer Pyle.
http://counterterrorismblog.org/
Who is watching the watchers? Funny stuff.
Last edited by Linen0ise; December 8th, 2008 at 04:13 PM.
-
December 8th, 2008, 11:10 PM
#15
Originally Posted by Linen0ise
You mean when soldiers film the battlefield operations meant to stay secret, only to have the young soldier remove the 8GB microSD card.
No, this was just kit around offices etc where they employed locals as janitors and support staff. They just stole it because it was easy pickings?
Linen0ise
Roaches have eaten your avatar, man!!!!!!
Time for you to use your "RAID" knowledge, huh?
-
December 14th, 2008, 04:40 AM
#16
-
December 30th, 2008, 07:30 PM
#17
Flash drives are allowed on certain networks, banned on others. The Federal government does not have a global policy on this, although there are numerous "recommendations."
My network bans flash drives and most writeable media. I almost thought that they were concerned about security, until I discovered that Cisco's Port Security is actually considered to be a security measure, and not just a way to piss off users and techs.
Real security doesn't come with an installer.
-
December 31st, 2008, 01:18 AM
#18
It should have been done a lot sooner.
While they are very convenient, they pose a tremendous risk to both the OPSEC and CIA of a network.
The previous incidents in both Iraq and Afghanistan should have outlined to DoD the tremendous risk that they posed to both OPSEC and CIA.
At the time of those incidents, their main concern was an OPSEC one - controlling the spillage of classified material and PHI that were leaked to outside sources. They were too nearsighted to see the other risks to CIA.
In the years since those incidents, there have been numerous exploits and proof of concept attacks demonstrated at both BlackHat and DEFCON concerning these devices.
The blame rests with the agency CIOs and DAAs who did not formulate effective countermeasures when conducting their risk analysis.
It also rests with the IA managers, department managers, and commanders at every level for not ensuring that the end-users had the proper training needed to mitigate the risk.
Unfortunately, there is no patch for human stupidity.
Last edited by 576869746568617; December 31st, 2008 at 02:22 AM.
Windows 9x: n. A collection of 32 bit extensions and a graphical shell for a 16 bit patch to an 8 bit operating system originally coded for a 4 bit microprocessor. Written by a 2 bit company that can't stand 1 bit of competition.
-
December 31st, 2008, 01:55 AM
#19
Originally Posted by 576869746568617
It should have been done a lot sooner.
While they are very convenient, they pose a tremendous risk to both the OPSEC and CIA of a network.
The previous incidents in both Iraq and Afghanistan should have outlined to DoD the tremendous risk that they posed to both OPSEC and CIA.
At the time of those incidents, their main concern was an OPSEC one - controlling the spillage of classified material and PHI that were leaked to outside sources. They were too nearsighted to see the other risks to CIA.
In the years since those incidents, there have been numerous exploits and proof of concept attacks demonstrated at both BlackHat and DEFCON concerning these devices.
The blame rests with the agency CIOs and DAAs who did not formulate effective countermeasures when conducting their risk analysis.
It also rests with the IA managers, department managers, and commanders at every level for not ensuring that the end-users had the proper training needed to mitigate the risk.
Unfortunately, there is no patch for human stupidity.
Without pointing at any specific individuals, I have met numerous Information Security Officers, both within the Federal sector, and many private sector corporations. None have really impressed me. Most seem to lack any technical aptitude at all.
Real security doesn't come with an installer.
-
December 31st, 2008, 02:18 AM
#20
Unfortunately, that seems to be a very common occurrence. It's both funny and disturbing how most commands treat duty positions like the IASO/ISSO.
Most that I have seen view it as an inconvenience...just another appointment memo that has to be filled out for inspection purposes. They just arbitrarily put a name on a memo, and that's it. They don't even think about the individual's qualification to actually perform the job.
Hopefully, with the latest revision of DoD Directive 8570.1, some of this will change. Finally, they are requiring that all personnel in any IA related position complete not just DoD and component specific training, but also obtain an industry standard certification such as CompTIA's Security+ or ISC2's CISSP.
Not only do they have to get certified, but they are also now required to maintain the certification through continuing education and re-certification if needed.
While this is not a cure-all, it is definitely a step in the right direction.
Windows 9x: n. A collection of 32 bit extensions and a graphical shell for a 16 bit patch to an 8 bit operating system originally coded for a 4 bit microprocessor. Written by a 2 bit company that can't stand 1 bit of competition.