Re: [Fed-Talk] DoD consensus security configuration
- Subject: Re: [Fed-Talk] DoD consensus security configuration
- From: James Alcasid <email@hidden>
- Date: Mon, 19 Apr 2010 09:48:54 -0400
- Thread-topic: [Fed-Talk] DoD consensus security configuration
Probably a question for Shawn Gheddis to answer, as he would know the real
answer. The only people I know of that have or had active documentation on
this were NETCOM before Dr Harding left and NSA with the conception of an SDCC,
but that concerned 10.5 at the time.
--
James Alcasíd | VeriSolv Technologies
Department of Veterans Affairs | Enterprise Infrastructure Engineering
470 L'Enfant Plaza SW, Suite 3100, Washington DC 20024
Office (202) 245-4573, Mobile (202) 340-8930
Note:
This message is for the named person's use only. It may contain
confidential, proprietary or legally privileged information. No
confidentiality or privilege is waived or lost by any mis-transmission. If
you receive this message in error, immediately delete it and all copies of
it from your system, destroy any hard copies of it and notify the sender.
You must not, directly or indirectly, use, disclose, distribute, print, or
copy any part of this message if you are not the intended recipient. Any
views expressed in this message are those of the individual sender, except
where the message states otherwise and the sender is authorized to state
them to be the views of any such entity.
Save Paper: Do you really need to print this e-mail?
> From: Michael Kluskens <email@hidden>
> Date: Mon, 19 Apr 2010 09:30:54 -0400
> To: Fed Talk <email@hidden>
> Subject: Re: [Fed-Talk] DoD consensus security configuration
>
>
> On April 17, 2010 9:29:10 PM EDT, Peter Link wrote:
>>
>> Was anyone on this list involved in this project? If so, are you also working
>> on an automated process for checking the status of the configuration?
>>
>> From the looks of it, this checklist would be for a classified system or at
>> least a heavily restricted one (no external media writing).
>
> If you read carefully you see that this is for a general unclassified system,
> specifically line 50 in the Excel file: "set the time server to either a valid
> federal government NTP server", as well as others later on.
>
>> Checklist Details for DoD Consensus Security Configuration Checklist for
>> Apple Mac OS 10.5 (Leopard) 1.0
>> Published on 4-9-10.
>>
>> <http://web.nvd.nist.gov/view/ncp/repository/checklistDetail?id=293>
>>
>> <http://nvd.nist.gov/ncp/Apple_Mac_OS_10.5_DoD_Recommended_Settings.xls>
>>
>> I know a group is "real" close to finishing the Snow Leopard configuration
>> guide but the last I heard, SCAP content was a ways off. Is work being done
>> to meet the consensus guide instead?
>
> Definitely for heavily restricted machines where they know ahead of time which
> applications a user needs to run and no terminal access. Definitely not for
> users doing code development or needing X11 for Matlab or Crossover. Most of
> the configuration you can cut and paste from the scripts in the Leopard
> Security Configuration Guide, testing of course to make sure it does not break
> the machine in your environment.
>
> I see that the powers that be have not learned yet that rapid password changes
> reduce security, as has been shown in studies repeatedly for the last five
> years. I can look at it one of two ways: either I have to change a 14
> character password every 6 days or a 140 character password every 60 days,
> assuming I have access to only ten different classes of work systems, which is
> a low estimate given I admin 20+ user machines and 30+ servers in various
> configurations, some clustered, some not. The first thing I would change,
> since it is for DoD, is to configure for CAC login unless that is impossible.
>
> Of course all those restrictions are useless to stop the primary threat,
> viruses/worms/malware that are undetectable by the AV software on the email
> firewall, the email server, and the user local machine. The last PDF file I
> dealt with was undetectable by 60% of AV software three months after the user
> received it and only after those three months had passed was Norton Antivirus
> for OS X able to detect it and even then McAfee Security Center couldn't see
> it. And the user was expecting a PDF file from exactly the category of person
> that email claimed to be from (response to a BAA announcement in a narrow
> subject area, spot-on social engineering). More recently I received a zip
> file with a similar detection profile and almost as good social engineering
> (DHL delivery notice) and in that case Norton AntiVirus was unable to detect
> it. In every case the AV was up-to-date and the updaters rerun to confirm
> the failure of the AV software. On top of that an email with forged from
> address just sailed through our email firewall even though that should not be
> possible. Combine undetectable malware with good social engineering plus any
> of the unpatched holes and you have the perfect storm. Meanwhile no one I
> have contact with besides Apple and my branch email server admin buys into the
> idea of turning TLS on on the email servers let alone making it required.
>
> As was explained to me by the only IT guy at a company that sells millions of
> dollars of goods per year, "would you buy or recommend waders that hold out
> 80% of the water." Well would you?
>
> After a serious exploit was discovered in Apache, I asked him what web server
> they used, he said "IIS -- we have _proprietary_ bugs."
>
> One of the more humorous quotes: "in September, from a couple of guys fresh
> from Black Hat. They were doing a session on network infrastructure hacks,
> and demoing exploits of Cisco switches. One mentioned that some of the
> exploits should work on D-Link routers, but he never tried it out because it
> would be like hiring a safecracker to open the front door of someone's house."
>
> Sort of summarizes the state of IT today. Deckchairs come to mind (as in the
> Titanic for the humor impaired).
>
> Of course the worst of it was:
>
> "At the one conference I go to each year, a prof working with the NSA talked
> at length about China's government-sponsored hacking (using all public
> documents, of course), and then in a later session, our local FBI agent (who
> specializes in cybercrime -- probably because there isn't that much going on
> in ....) talked about the notion like it was the purview of
> conspiracy theorists. I couldn't figure that out."
>
> And you expect your coworkers to understand the threat when FBI agents are
> giving lectures claiming it does not exist.
>
> Michael
>
> _______________________________________________
> Do not post admin requests to the list. They will be ignored.
> Fed-talk mailing list (email@hidden)
> Help/Unsubscribe/Update your Subscription:
>
> This email sent to email@hidden