
What's up with American cybersecurity


posted on Dec, 21 2020 @ 02:04 PM
Edit: Turns out I can't even say that much.
edit on 12/21/20 by Hypntick because: Clarification



posted on Dec, 21 2020 @ 03:09 PM
A lot of misunderstandings in several posts in relation to this breach, WHY it is so big, and HOW it occurred....

Think about this from the perspective of 'Art of War.' In order to take out an enemy, it requires a multi-pronged approach. Finding ALL the "weak points" in their defenses. Not only do you have the government agencies themselves, but you must also remember that most of American society is privately owned. Thus, you also have critical infrastructure.... There are 16 sectors of critical infrastructure as defined by CISA.

If you can infiltrate the government AND critical infrastructure in a manner as to cripple all of it, it's game over. That's the target.....

So how did they get there? Well, it doesn't take much to understand that most government agencies are required to bid for contracts and MOST of those contracts either go to lowest bidder OR get "assigned" through No-Bid contracts (Read: they know somebody....). This may be where those "Committee" seats in Congress get very lucrative....

As for the private sector, it is a very similar process. Usually a low bidder, knowing the "right" people, OR the ability for an organization to brag about their clientele in a manner that gives them credibility to potential buyers. SolarWinds had ALL of this going for them....

From an oversight perspective, it should have raised red flags that ONE COMPANY had administrative level access to all of these government agencies. This is a failure of CISA. Not just Krebs, but those before and after him. It was, indeed, a digital Pearl Harbor.....

The US government has SEVERAL Private-Public Partnerships within critical infrastructure to keep a pulse on potential threats that could affect the country the way the SW breach has.... However, they do NOT have visibility into whether a potential company....be it SolarWinds, Microsoft, Google, Apple, Amazon, etc....had nearly unilateral access to not only all government systems, but those in critical infrastructure as well.... Why? Because Private Sector companies do not share that information and govt can't ask (at least without cause and/or a warrant....legally speaking). All collaboration between private & public sectors has been REACTIVE.

There have been some attempts in the past 3 years to create a classified PROACTIVE partnership that operates much like a Cyber Fusion Center between the public & private sector; that still has a ways to go.... However, it wouldn't surprise me if this trigger event acts like a slingshot to move that forward faster.



posted on Dec, 21 2020 @ 03:43 PM

originally posted by: Willtell
That's the point; these programs aren't thoroughly tested at all and enter these massive enterprise networks connected to powerful corporations, and wham…the whole world might get infected.

On one level, it's not their fault since the software is, generally speaking, so vulnerable, and one can't test something ad infinitum…as in the end, no software is 100 percent free from attack.

One of the reasons is ... money.

Being a programmer I have seen that happen in a small way (I work in a small company):
1 - Management wants a new program, and they want it as fast as possible (they usually think that a couple of months is enough);
2 - Nobody knows exactly how the program is supposed to work, they just have an idea of what they want, so lots of time is spent trying to find out what the requirements are;
3 - After the first prototype they see that, after all, they want it to be slightly different, so it's back to prototyping a different version;
4 - With luck the second prototype is accepted, but then the software should have already been in the test phase, not the development phase, so some corners have to be cut to try to reach something close to a realistic deadline (the management deadline is never realistic);
5 - The easiest thing to drop is security, as we just have to say "security is on the client side, not our problem", and we move on as fast as possible with security limited to a minimum;
6 - Then the usual happens: someone uses the program in a way nobody expected and it behaves in an unexpected way, so if it's a program with network/server/Internet access things can get interesting;
7 - After the problem, who was responsible for the fault? Probably the Russians.

It's much easier to blame the people that enter through an open door than the people that thought that locking the door was a waste of time.
The fact is that everyone is to blame:
- the management of the software developer should understand how things work in that industry and make realistic decisions;
- the developers should know that it's not possible to make good software when you go back and forth during the definition phase and try to use the same code;
- the analysts should know that security may be important and management should know that if they can boast about good security it's a plus over the competition;
- the project manager should know that security must be decided at the beginning, not added as an afterthought;
- the sales people should know that, if the software does not have a specific secure way of working, they should remind the clients that they need to take security into the equation;
- the client should know that they are buying a tool, and that, like any other tool, it can be used in ways it was not created to work, with unexpected results;
- the client should also know that, again, security should be decided at the beginning, not as an afterthought, so buying a program that, if it fails, can bring big problems, is something you shouldn't do;
- the client should also consider warnings from their peers/competition (in this case, SolarWinds was warned that their FTP server was a weak spot in their system in 2019) and act accordingly.

Will this case be a turning point on how people see cybersecurity? I doubt it.



posted on Dec, 21 2020 @ 04:41 PM
The US cyber problem is people having different opinions from the narrative.
The solution from the gov is to keep up these fakea$$ threats to justify locking down the internet.



posted on Dec, 21 2020 @ 04:44 PM
a reply to: ArMaP

A turning point, no. A call to being slightly more proactive with their dollar spend, yes. As someone said earlier a lot of security has been reactive over the years, and like the development lifecycle you mentioned most shops don't take security into account. Application and database security is one of the least mature areas for a lot of businesses I deal with, they have identity and access management solved for the most part, network segmentation, email protections, etc. Yet even with those protections they have to work every single time, whereas a threat actor only has to work a single time.

That's why you have these companies that have Proofpoint (or comparable) email protection, running O365, and yet their people are still getting phished left and right. They put the box (virtual or not) with blinky lights in from X security vendor and think they're good. Very rarely do companies have security requirements and minimum baselines as part of their vendor management programs.

Then again I've always said that if you don't want someone getting in, remove it from any networks. Even then, if someone wants into that system bad enough, they'll find a way. Just look at how Stuxnet was able to get in, Mossad or some bribed Iranian worker took a USB drive in and plugged it in.



posted on Dec, 22 2020 @ 12:57 AM
Honestly the best method remains social engineering.
Ya’all stupid. That’s the real problem nobody wants to address



posted on Dec, 22 2020 @ 09:10 AM
a reply to: GreenGunther

The key point of failure in any system is the human component. I had a bumper sticker years back from Dave Kennedy, "Don't click *snip*", it summed up my feelings toward the users I had to deal with.



posted on Dec, 22 2020 @ 09:11 AM
Will, any nation that has wanted to has been in and out of our government systems for years.



posted on Dec, 22 2020 @ 03:56 PM
a reply to: Hypntick

I just had (another) example of that at work, when my boss asked me what was the meaning of that page.

The page was an Outlook page saying that the page in the link she had just clicked was suspicious.

Outlook was right, it was a phishing email, pretending to be from a bank.



posted on Dec, 22 2020 @ 04:44 PM
a reply to: Gryphon66

You're probably right. Particularly the western and Israeli governments



posted on Dec, 22 2020 @ 05:13 PM
a reply to: Willtell

With the recent Russian cyberattack, we often wonder what's up with American cyber defense?

What's with the Russia narrative? No report has been done releasing objective information backing up this claim. It reeks of fake news propaganda.



posted on Dec, 22 2020 @ 05:23 PM

originally posted by: purplemer
a reply to: Willtell

With the recent Russian cyberattack, we often wonder what's up with American cyber defense?

What's with the Russia narrative? No report has been done releasing objective information backing up this claim. It reeks of fake news propaganda.


Maybe. But Russia is certainly willing and capable of doing this. As all sides are to each other.



posted on Dec, 22 2020 @ 06:05 PM
a reply to: ArMaP

You can train them all you want, you can lock down everything you want, and it makes no difference. As the saying goes, you make something idiot proof and the world builds a better idiot.



posted on Dec, 23 2020 @ 06:02 AM
a reply to: Willtell

Maybe. But Russia is certainly willing and capable of doing this. As all sides are to each other.

Because someone is capable does not by definition make them guilty. You have no evidence to suggest it's Russia. So why peddle fake news?



posted on Dec, 24 2020 @ 01:15 AM

originally posted by: Hypntick
a reply to: GreenGunther

The key point of failure in any system is the human component. I had a bumper sticker years back from Dave Kennedy, "Don't click *snip*", it summed up my feelings toward the users I had to deal with.


Users in any company need to be educated to a much greater degree, from top to bottom.
Secretaries, janitors, HR to the CEO.

Everyone should get a week off work per annum to attend a course on social engineering.
With tests to pass etc. If everyone knows how to spot an Indian scammer, the world would be a much better place.



posted on Dec, 24 2020 @ 07:30 AM
a reply to: GreenGunther

OK, IT guys, so you blame just the users? I mean, the decision to move to crappy sw programming languages (Python, Javascript, et al.) throwing into the dustbin fault-tolerant languages, and old good friends (Ada, Fortran, and even Algol, yes, why not?) has no share in all these crappy programs that can be hacked by not so much smart people? Really?

Granted the users have a share, too. Granted the greedy management has a share in this mess, too. But programmers do also have a share, and not a small one. It is easy to move to a programming language where job offers abound (Python, Javacrap, Java#, et al.) rather than guiding your decision according to reliability, redundancy, fault-tolerance, and massive error checking.

Critical systems coded in crappy languages will eventually lead to security breaches. It is not always the user's fault.



posted on Dec, 24 2020 @ 07:34 AM

originally posted by: AScrubWhoDied
It's not that we are "so vulnerable", it's more that technology evolves on a daily basis. What's unexploited today could be exploited tomorrow. It's a constant game of cat and mouse - and America isn't always the victim.

There are some freakishly talented people out there, and they don't all live in America


And a lot of those freakishly talented people don't work for the government.



posted on Dec, 24 2020 @ 09:27 AM
a reply to: Direne

The people that can activate the malware are, obviously, the best and most obvious target, and, by far, the most used by the hackers to gain access to private networks, but yes, as I said on a previous post, everybody has a share in this problem.

Edited to add that, even in less secure languages, the programmer can make attempts at making the software as secure as possible, if they think about it. If.
edit on 24/12/2020 by ArMaP because: (no reason given)



posted on Dec, 24 2020 @ 10:38 AM

originally posted by: purplemer
a reply to: Willtell

Maybe. But Russia is certainly willing and capable of doing this. As all sides are to each other.

Because someone is capable does not by definition make them guilty. You have no evidence to suggest it's Russia. So why peddle fake news?


Well, some official quarters say it's Russia. Maybe. I haven't researched that thoroughly enough to have a judgment at this time.

But just crying FAKE NEWS doesn't mean it's FAKE news.

Have you researched this thoroughly to determine to your satisfaction that it is or isn't FAKE NEWS?

I admit I haven't. But the OP isn't about RUSSIA...that's your topic.

But as far as Russia goes, I have commended them for helping Syria and on the other hand, lambasted them for coddling Trump. So I am impartial and call a spade a spade based on evidence. Can you say the same thing?


edit on 24-12-2020 by Willtell because: (no reason given)


LINK


Experts believe the attacks are related and perpetrated by a group known as "Cozy Bear," the code name used for the SVR, a wing of Russian intelligence linked to several recent high-profile hacks including the Democratic National Committee in 2016 and the Olympics in 2018.

Although President Trump downplayed the hack and suggested China could be responsible, Secretary of State Mike Pompeo said it's "pretty clear" Russia is the culprit.
"This was a very significant effort, and I think it's the case that now we can say pretty clearly that it was the Russians that engaged in this activity," Pompeo said in an interview on the Mark Levin talk radio program.

On Monday, Attorney General William Barr agreed with Pompeo, stating that it "certainly appears to be the Russians."
Dmitry Peskov, a Kremlin spokesperson, denied Russian involvement in the hack. "Russia is not involved in such attacks, namely this one. We state this officially and firmly," he said, calling the accusations "absolutely baseless" and likely a result of "blind Russophobia."




Believe what you like but the "experts" say it was Russia; they deny it of course, as expected.

Trump says it's China


Which liar do you believe? Considering the fact that even liars sometimes tell the truth, of course, incidentally.... And even a liar can tell you if it's raining or not outside.
edit on 24-12-2020 by Willtell because: (no reason given)




posted on Dec, 24 2020 @ 10:59 AM
a reply to: Direne

I don't necessarily blame the users. I'm not a programmer, just learned a little machine language years ago, when I got a Digital Electronics degree, so that's not my forte. Though I have worked with and on major networks and they all get breached now and then despite conventional tools of protection.

I've seen a top IT guy almost erase a server and the panic of the department was palpable, so it's sometimes mistakes by professionals who aren't perfect.

It's just the nature of the software/hardware beast of cyber and information technology IMO. And there will never be 100 percent other than getting off a network.

It's a thin line between testing and real-world implementation of professional-commercial hardware and software cyber equipment and the research is often scanty, and remember these are commercial products.

edit on 24-12-2020 by Willtell because: (no reason given)


