Posts

Showing posts from June, 2015

My Security Strategy: The "Third Way"

Over the last two weeks I listened to and watched all of the hearings related to the OPM breach. During the exchanges between the witnesses and legislators, I noticed several themes. One presented the situation facing OPM (and other Federal agencies) as confronting the following choice: You can either 1) "secure your network," which is very difficult and going to "take years," due to "years of insufficient investment," or 2) suffer intrusions and breaches, which is what happened to OPM. This struck me as an odd dichotomy. The reasoning appeared to be that because OPM did not make "sufficient investment" in security, a breach was the result. In other words, if OPM had "sufficiently invested" in security, they would not have suffered a breach. I do not see the situation in this way, for two main reasons. First, there is a difference between an "intrusion" and a "breach." An intrusion is unauthorized access

My Prediction for Top Gun 2 Plot

We've known for about a year that Tom Cruise is returning to his iconic "Maverick" role from Top Gun, and that drone warfare would be involved. A few days ago we heard a few more details in this Collider story: [Producer David Ellison]: There is an amazing role for Maverick in the movie and there is no Top Gun without Maverick, and it is going to be Maverick playing Maverick. It is I don’t think what people are going to expect, and we are very, very hopeful that we get to make the movie very soon. But like all things, it all comes down to the script, and Justin is writing as we speak. [Interviewer]: You’re gonna do what a lot of sequels have been doing now which is incorporate real use of time from the first one to now. ELLISON and DANA GOLDBERG: Absolutely... ELLISON: As everyone knows with Tom, he is 100% going to want to be in those airplanes shooting it practically. When you look at the world of dogfighting, what’s interesting about it is that it’s not a w

Hearing Witness Doesn't Understand CDM

This post is a follow-up to this post on CDM. Since that post I have been watching hearings on the OPM breach. On Wednesday 24 June a Subcommittee of the House Committee on Homeland Security held a hearing titled DHS’ Efforts to Secure .Gov. A second panel (starts in the Webcast around 2 hours 20 minutes) featured Dr. Daniel M. Gerstein, a former DHS official now with RAND, as its sole witness. During his opening statement, and in his written testimony, he made the following comments: "The two foundational programs of DHS’s cybersecurity program are EINSTEIN (also called EINSTEIN 3A) and CDM. These two systems are designed to work in tandem, with EINSTEIN focusing on keeping threats out of federal networks and CDM identifying them when they are inside government networks. EINSTEIN provides a perimeter around federal (or .gov) users, as well as select users in the .com space that have responsibility for critical infrastructure. EINSTEIN functions by installing

The Tragedy of the Bloomberg Code Issue

Last week I Tweeted about the Bloomberg "code" issue. I said I didn't know how to think about it. The issue is a 28,000+ word document, enough to qualify as a book, that's been covered by news outlets like the Huffington Post. I approached the document with an open mind. When I opened my mail box last week, I didn't expect to get a 112 page magazine devoted to explaining the importance of software to non-technical people. It was a welcome surprise. This morning I decided to try to read some of the issue. (It's been a busy week.) I opened the table of contents, shown at left. It took me a moment, but I realized none of the article titles mentioned security. Next I visited the online edition, which contains the entire print version and adds additional content. I searched the text for the word "security." These are the results: Security research specialists love to party. I have been asked if I was physical security (despite security we

Air Force Enlisted Ratings Remain Dysfunctional

I just read Firewall 5s are history: Quotas for top ratings announced in Air Force Times. It describes an effort to eliminate the so-called "firewall 5" policy with a new "forced distribution" approach: The Air Force's old enlisted promotion system was heavily criticized by airmen for out-of-control grade inflation that came with its five-point numerical rating system. There were no limits on how many airmen could get the maximum: five out of five points [aka "firewall 5"]. As a result nearly everyone got a 5 rating. As more and more raters gave their airmen 5s on their EPR [Enlisted Performance Report], the firewall 5 became a common occurrence received by some 90 percent of airmen. And this meant the old EPR was effectively useless at trying to differentiate between levels of performance... Under the new system, [Brig. Gen. Brian Kelly, director of military force management policy] said in a June 12 interview at the Pentagon, the numerica

Redefining Breach Recovery

For too long, the definition of "breach recovery" has focused on returning information systems to a trustworthy state. The purpose of an incident response operation was to scope the extent of a compromise, remove the intruder if still present, and return the business information systems to pre-breach status. This is completely acceptable from the point of view of the computing architecture. During the last ten years we have witnessed an evolution in thinking about the likelihood of breaches. When I published my first book in 2004, critics complained that my "assumption of breach" paradigm was defeatist and unrealistic. "Of course you could keep intruders out of the network, if you combined the right controls and technology," they claimed. A decade of massive breaches has demonstrated that preventing all intrusions is impossible, given the right combination of adversary skill and persistence, and lack of proper defensive strategy and operations. We n

My Federal Government Security Crash Program

In the wake of recent intrusions into government systems, multiple parties have been asking for my recommended courses of action. In 2007, following public reporting on the 2006 State Department breach, I blogged When FISMA Bites, Initial Thoughts on Digital Security Hearing, and What Should the Feds Do. These posts captured my thoughts on the government's response to the State Department intrusion. The situation then mirrors the current one well: outrage over an intrusion affecting government systems, China suspected as the culprit, and questions regarding why the government's approach to security does not seem to be working. Following that breach, the State Department hired a new CISO who pioneered the "continuous monitoring" program, now called "Continuous Diagnostic Monitoring" (CDM). That CISO eventually left State for DHS, and brought CDM to the rest of the Federal government. He is now retired from Federal service, but CDM remains. Years l

Continuous Diagnostic Monitoring Does Not Detect Hackers

There is a dangerous misconception coloring the digital security debate in the Federal government. During the last week, in the wake of the breach at the Office of Personnel Management (OPM), I have been discussing countermeasures with many parties. Concerned officials, staffers, and media have asked me about the Einstein and Continuous Diagnostic Monitoring (CDM) programs. It has become abundantly clear to me that there is a fundamental misunderstanding about the nature of CDM. This post seeks to remedy that problem. The story Federal cyber protection knocked as outdated, behind schedule by Cory Bennett unfortunately encapsulates the misunderstanding about Einstein and CDM: The main system used by the federal government to protect sensitive data from hacks has been plagued by delays and criticism that it is already outdated — months before it is even fully implemented. The Einstein system is intended to repel cyberattacks like the one revealed last week by the Office