Re: [Fed-Talk] DoD consensus security configuration
- Subject: Re: [Fed-Talk] DoD consensus security configuration
- From: Michael Kluskens <email@hidden>
- Date: Mon, 19 Apr 2010 09:30:54 -0400
On April 17, 2010 9:29:10 PM EDT, Peter Link wrote:
>
> Was anyone on this list involved in this project? If so, are you also working on an automated process for checking the status of the configuration?
>
> From the looks of it, this checklist would be for a classified system or at least a heavily restricted one (no external media writing).
If you read carefully you see that this is for a general unclassified system, specifically line 50 in the Excel file "set the time server to either a valid federal government NTP server" as well as others later on.
> Checklist Details for DoD Consensus Security Configuration Checklist for Apple Mac OS 10.5 (Leopard) 1.0
> Published on 4-9-10.
>
> <http://web.nvd.nist.gov/view/ncp/repository/checklistDetail?id=293>
>
> <http://nvd.nist.gov/ncp/Apple_Mac_OS_10.5_DoD_Recommended_Settings.xls>
>
> I know a group is "real" close to finishing the Snow Leopard configuration guide but the last I heard, SCAP content was a ways off. Is work being done to meet the consensus guide instead?
Definitely for heavily restricted machines where they know ahead of time which applications a user needs to run and no terminal access. Definitely not for users doing code development or needing X11 for Matlab or Crossover. Most of the configuration you can cut and paste from the scripts in the Leopard Security configuration guide, testing of course to make sure it does not break the machine in your environment.
I see that the powers that be have not learned yet that rapid password changes reduce security, as has been shown in studies repeatedly for the last five years. I can look at it one of two ways: either I have to change a 14 character password every 6 days or a 140 character password every 60 days, assuming I have access to only ten different classes of work systems, which is a low estimate given I admin 20+ user machines and 30+ servers in various configurations, some clustered, some not. First thing I would change, since it is for DoD, is to configure for CAC login unless that is impossible.
Of course all those restrictions are useless to stop the primary threat, viruses/worms/malware that are undetectable by the AV software on the email firewall, the email server, and the user local machine. The last PDF file I dealt with was undetectable by 60% of AV software three months after the user received it and only after those three months had passed was Norton Antivirus for OS X able to detect it and even then McAfee Security Center couldn't see it. And the user was expecting a PDF file from exactly the category of person that email claimed to be from (response to a BAA announcement in a narrow subject area, spot-on social engineering). More recently I received a zip file with a similar detection profile and almost as good social engineering (DHL delivery notice) and in that case Norton AntiVirus was unable to detect it. In every case the AV was up-to-date and the updaters rerun to confirm the failure of the AV software. On top of that an email with forged from address just sailed through our email firewall even though that should not be possible. Combine undetectable malware with good social engineering plus any of the unpatched holes and you have the perfect storm. Meanwhile no one I have contact with besides Apple and my branch email server admin buys into the idea of turning TLS on on the email servers let alone making it required.
As was explained to me by the only IT guy at a company that sells millions of dollars of goods per year, "would you buy or recommend waders that hold out 80% of the water." Well would you?
After a serious exploit was discovered in Apache, I asked him what web server they used, he said "IIS -- we have _proprietary_ bugs."
One of the more humorous quotes: "In September, from a couple of guys fresh from Black Hat. They were doing a session on network infrastructure hacks, and demoing exploits of Cisco switches. One mentioned that some of the exploits should work on D-Link routers, but he never tried it out because it would be like hiring a safecracker to open the front door of someone's house."
Sort of summarizes the state of IT today. Deckchairs come to mind (as in the Titanic for the humor impaired).
Of course the worst of it was:
"At the one conference I go to each year, a prof working with the NSA talked at length about China's government-sponsored hacking (using all public documents, of course), and then in a later session, our local FBI agent (who specializes in cybercrime -- probably because there isn't that much going on in ....) talked about the notion like it was the purview of conspiracy-theorists. I couldn't figure that out."
And you expect your coworkers to understand the threat when FBI agents are giving lectures claiming it does not exist.
Michael
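As an added illustration of the "automated process for checking the status of the configuration" Peter asks about (example code, not from the thread or the NIST checklist): a POSIX sh check for the checklist's line 50 item, auditing a Leopard-style /etc/ntp.conf so that every `server` directive points at a federal NTP domain. The allowed-domain list and the two sample ntp.conf files are constructed assumptions for the demo.

```shell
#!/bin/sh
# Added example: audit ntp.conf "server" directives against an allowlist of
# federal NTP domains (checklist line 50). The allowlist is an assumption.
ALLOWED_NTP_DOMAINS="nist.gov mil"

# ntp_servers FILE: print the hostname of every "server" directive in FILE.
ntp_servers() {
    awk '$1 == "server" { print $2 }' "$1"
}

# domain_allowed HOST: succeed if HOST is, or is under, an allowed domain.
domain_allowed() {
    host=$1
    for d in $ALLOWED_NTP_DOMAINS; do
        case "$host" in
            *."$d"|"$d") return 0 ;;
        esac
    done
    return 1
}

# check_ntp_conf FILE: print PASS/FAIL per server. Returns 0 only when at
# least one server is configured and every server is on the allowlist.
check_ntp_conf() {
    status=0
    count=0
    for h in $(ntp_servers "$1"); do
        count=$((count + 1))
        if domain_allowed "$h"; then
            echo "PASS $h"
        else
            echo "FAIL $h (not a federal NTP server)"
            status=1
        fi
    done
    [ "$count" -gt 0 ] || { echo "FAIL no server directive found"; status=1; }
    return $status
}

# Constructed sample configurations (not real host files).
GOOD_CONF=$(mktemp)
printf '# compliant\nserver time.nist.gov\ndriftfile /var/db/ntp.drift\n' > "$GOOD_CONF"
BAD_CONF=$(mktemp)
printf '# Apple default\nserver time.apple.com\n' > "$BAD_CONF"

check_ntp_conf "$GOOD_CONF"
check_ntp_conf "$BAD_CONF" || echo "non-compliant: $BAD_CONF"
```

On a real 10.5 host the same function would be pointed at /etc/ntp.conf and its exit status fed into whatever inventory tool collects the results.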