The Department of Defense is Still Not Very Secure

AlphaAtlas
According to a new report from the Pentagon's Inspector General (PDF Warning), which was spotted by Motherboard, the Department of Defense still has some glaring cybersecurity issues. While the Pentagon has apparently made some great strides since 2017, there are still "266 open cybersecurity-related recommendations, dating as far back as 2008." More specifically, the report claims that "the largest number of weaknesses identified in this year's summary were related to governance, which allows an organization to inform its management of cybersecurity risk through the policies, procedures, and processes to manage and monitor the organization's regulatory, legal, risk, environmental, and operational requirements." Motherboard pointed out some particularly worrying instances in the report, like big security lapses in ballistic missile defense systems, or "lax security procedures" that make Army patient data easily accessible. The GAO released a similarly worrying report in October of last year.

Without proper governance, the DoD cannot ensure that it effectively identifies and manages cybersecurity risk as it continues to face a growing variety of cyber threats from adversaries, such as offensive cyberspace operations used to disrupt, degrade, or destroy targeted information systems.
 
OUR whole country isn't Secure... 9/11 NEVER FORGET...
 
Securing individual systems is never going to happen in any government installation, simply due to the fact that each time you update Windows, you have to perform a full regression suite of tests to ensure that the settings you provided to secure the system have not been touched by the update, and that more security threats were not installed with the update.

There is too much bureaucracy in government installations to keep up with it all. It is one of many reasons most government installations never get updated.

Of course many of the security holes are simply due to inept configurations.
 
I'm willing to bet (just like many organizations out there) that they won't budge on better cyber security until something drastic happens. Corporate worlds seem to be reactive in this department instead of proactive, and even then still don't react properly. The cost for security can be high, and I think a lot of businesses risk being hacked before taking precautions, or they just lack an understanding of the situation.
 
Securing individual systems is never going to happen in any government installation, simply due to the fact that each time you update Windows, you have to perform a full regression suite of tests to ensure that the settings you provided to secure the system have not been touched by the update, and that more security threats were not installed with the update.

There is too much bureaucracy in government installations to keep up with it all. It is one of many reasons most government installations never get updated.

Of course many of the security holes are simply due to inept configurations.

First part is bull (at least about previous settings)... Most solutions to set and enforce settings are not a one time deal... GPO, DSC, SCCM etc have compliance enforcement in most default cases. Even if they do get reset, they will be set back automatically.

New threats, no way around that and can apply to any type of update for practically anything.

The last part I agree with. In most cases it comes down to security vs. functionality and the internal struggle of power to get hard decisions made. This is a never-ending battle, especially in government where they have a much wider array of software and use cases, many of which are niche software. In a lot of cases these vendors don't keep up with best practices and put out fires as they come up, just like a lot of IT. One thing about Win10 and forced updates is that I am seeing these smaller vendors actually fix their legacy code/methods.

I would also say it goes both ways, I have seen departments cry security and fed compliance to stop progress, without actually knowing the actual requirements. New products and services might actually meet said requirements.
 
Or the IT is run by people that know nothing about computers, networking and IT in general.

I see a lot of that. In most cases it is due to the HR department not having anyone on staff who is qualified to hire the IT people. They assume someone who has paid to have a bunch of acronyms attached to their name must be qualified.

First part is bull (at least about previous settings)... Most solutions to set and enforce settings are not a one time deal... GPO, DSC, SCCM etc have compliance enforcement in most default cases. Even if they do get reset, they will be set back automatically.

New threats, no way around that and can apply to any type of update for practically anything.

The last part I agree with. In most cases it comes down to security vs. functionality and the internal struggle of power to get hard decisions made. This is a never-ending battle, especially in government where they have a much wider array of software and use cases, many of which are niche software. In a lot of cases these vendors don't keep up with best practices and put out fires as they come up, just like a lot of IT. One thing about Win10 and forced updates is that I am seeing these smaller vendors actually fix their legacy code/methods.

I would also say it goes both ways, I have seen departments cry security and fed compliance to stop progress, without actually knowing the actual requirements. New products and services might actually meet said requirements.

Maybe you know a trick I do not. I have had to resort to creating programs which get run at boot time that ensure the settings I had configured the system for are still set, as I have had too many instances where a Windows 10 update restored settings back to the default.

All I can say about Windows 10 is it has created a lot more work for me and opened up new business opportunities.
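The kind of boot-time check the poster describes, written out as an added example (this is not the poster's own program). It compares a small baseline of registry values against the live machine, appends any drift to a log a monitoring box can collect, and puts the baseline value back. The log path and the three baseline entries are my choices for illustration; swap in whatever settings you actually enforce.

```powershell
# Added example: boot-time configuration drift check for a standalone Windows 10 host.
# Assumptions (not from the thread): log location and the baseline entries below.

$LogPath = 'C:\ProgramData\DriftCheck\drift.log'   # assumed log location

# Baseline: registry path, value name, expected data, value kind.
$Baseline = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters';        Name = 'SMB1';                         Expected = 0; Kind = 'DWord' }  # SMBv1 server off
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System';         Name = 'EnableLUA';                    Expected = 1; Kind = 'DWord' }  # UAC on
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU';              Name = 'NoAutoRebootWithLoggedOnUsers'; Expected = 1; Kind = 'DWord' }  # no forced reboot
)

function Write-DriftLog {
    param([string]$Message)
    $dir = Split-Path -Parent $LogPath
    if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir -Force | Out-Null }
    $line = '{0:yyyy-MM-dd HH:mm:ss} {1} {2}' -f (Get-Date), $env:COMPUTERNAME, $Message
    Add-Content -Path $LogPath -Value $line
}

function Get-BaselineCurrent {
    # Returns the live value, or $null when the key or value does not exist.
    param([hashtable]$Entry)
    if (-not (Test-Path $Entry.Path)) { return $null }
    $item = Get-ItemProperty -Path $Entry.Path -Name $Entry.Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.($Entry.Name)
}

function Restore-BaselineEntry {
    # Recreates a missing key if needed and overwrites the value with the baseline.
    param([hashtable]$Entry)
    if (-not (Test-Path $Entry.Path)) { New-Item -Path $Entry.Path -Force | Out-Null }
    New-ItemProperty -Path $Entry.Path -Name $Entry.Name -Value $Entry.Expected `
        -PropertyType $Entry.Kind -Force | Out-Null
}

$drifted = 0
foreach ($entry in $Baseline) {
    $current = Get-BaselineCurrent $entry
    if ($current -ne $entry.Expected) {
        $drifted++
        Write-DriftLog ("DRIFT {0}\{1}: found '{2}', expected '{3}'; restoring" -f `
            $entry.Path, $entry.Name, $current, $entry.Expected)
        Restore-BaselineEntry $entry
    }
}
Write-DriftLog "check complete: $drifted of $($Baseline.Count) settings drifted"
exit $drifted   # non-zero exit code lets the scheduled task or a monitor flag the host
```

Run it from a scheduled task with an `-AtStartup` trigger (`Register-ScheduledTask` with `New-ScheduledTaskTrigger -AtStartup`) under SYSTEM, so it runs before anyone logs on. The point of logging before restoring is that the log tells you which update touched which setting, which is the evidence you want when deciding whether a post-update regression pass is actually needed.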
 
Maybe you know a trick I do not. I have had to resort to creating programs which get run at boot time that ensure the settings I had configured the system for are still set, as I have had too many instances where a Windows 10 update restored settings back to the default.

I assume you are not working with domains then, as the vast majority of settings can be controlled by group policies and enforced / re-applied at login by the domain controller. I see the problem you are talking about frequently on home user PCs / small businesses, but never on a properly configured domain.
 
I assume you are not working with domains then, as the vast majority of settings can be controlled by group policies and enforced / re-applied at login by the domain controller. I see the problem you are talking about frequently on home user PCs / small businesses, but never on a properly configured domain.

Yes, I work mostly with small to medium businesses where a domain controller is a bit overkill. The budget is usually pretty tight.
 
Or the IT is run by people that know nothing about computers (server admin), networking and IT in general.

These are separate skilled fields and often an organization / company will amalgamate them all into one generic sys admin role.. the results are typical.

I see a lot of that. In most cases it is due to the HR department not having anyone on staff who is qualified to hire the IT people. They assume someone who has paid to have a bunch of acronyms attached to their name must be qualified.

QFT.

That alongside old guard 'been there forever' & nepotism.
 
I'm willing to bet (just like many organizations out there) that they won't budge on better cyber security until something drastic happens. Corporate worlds seem to be reactive in this department instead of proactive, and even then still don't react properly. The cost for security can be high, and I think a lot of businesses risk being hacked before taking precautions, or they just lack an understanding of the situation.


Well, no, actually DoD has made great strides in many things. But it suffers in four significant areas. The first, when you lump everything under the title DoD, well that's a huge freaking organization and it's way beyond just Enterprise systems. This report is covering issues with launch systems, tactical aircraft systems, other weapons systems, tactical gear fielded rapidly during the war where getting the capability to the battle was more important than securing that capability at the time. Take any single vulnerability in our networks, now triple it, or more because there is an unclassified network, a secret network, a top secret network, etc. It's not just one set, it's multiple versions, plus all the systems that are "special" but still need to be secured like Blue Force Tracker, (look it up).

Then there is the issue of creating and managing policy. Nothing is ever easy. Take my organization as an example, we need a data management policy and a data manager as well. The policy has sort of been written, hasn't been signed off on, because really we need a data manager to help implement the policy and to become a point of authority behind the policy, but we don't have one. One needs to be hired, as in a contractor, because there was a government guy who was supposed to be the data manager but he never actually did any of that stuff. Now when we try to pin the government down to who is going to wear the mantle and actually perform the job they all point fingers and no one gets to be the donkey. They'll waste a couple of years trying to stick someone with the responsibility or getting someone hired as a contractor. In the meantime, the Systems Admins like myself will do what we can but if we need to try and enforce a policy, well we don't really have one to enforce so....

Another issue is that while DISA has created some entirely logical policies, the effects of actually trying to implement them and make them work is still an act of exploration and discovery. In other words, saying and doing are two very different things, and in testimony I can offer that essentially, under DISA's Risk Management Framework, I have never heard of any organization yet that has actually passed accreditation under the new rules, and in fact, they are changing the rules as they go along as they come across those things that become apparently undoable.

The DoD's cyber security landscape is massive and few people can really get it in their minds how massive that is, and just what that really means. Nothing else anywhere really compares that I can think of. I don't think all of the universities in the USA combined are even close in comparison. Add all the hospitals, all State government networks, all emergency service and law enforcement vehicle systems as well and you might be getting into the ball park. But size alone is certainly not the only obstacle.

I spoke about issues regarding security, that the multiple networks by classification more than triple the burden. Imagine patching Linux systems on a classified network. Everyone else can just point to someone's YUM server, but on these networks, we have a guy that has to log into an unclassified system, download the YUM updates every week, burn them to disk, copy them from disk to a home owned YUM Server on three other networks, then update the YUM servers themselves, and the other Linux systems on those three networks. And he can only do it from the lowest classification up because you can't take media from higher down. If your updates are larger than what a DVD will hold and you need to use a spinning hard drive, first, it can't be USB, it can be eSATA. Next, the data is put on the drive, copied off from Unclass, to the Secret, and finally the Top Secret, at which point, the hard drive can never ever be used for anything but Top Secret again, it's a one way trip. We can't use removable flash media at all. Well we can, but it takes paperwork and signatures, etc. to get authorization and a dozen explanations of why you must use a thumb drive and you can't get it done any other way. Simple IT tasks become burdensome chores and if one is busy making the job as hard as possible, how much time can he devote to other tasks like proper documentation, which is also required for cyber security compliance.

I was just explaining what it takes to do things on our development networks, that are not even connected to any other network outside of this building. Nothing, they are completely isolated. So there are three dev networks all isolated, then there are five connected networks which we have almost no rights or elevated privileges to manage. Although we get called first by everyone in the building, most of the time all we can do is tell them to drop in a ticket with the Army Help Desk, AESD. Doesn't stop them all from coming back to ask if we can help or what their problem might be. If this is what it's like for us, and we just do software development for a single Military Intelligence system, how many other activities like ours are out there for all the other systems across all of DoD?

And when the GAO does some all inclusive report on cybersecurity readiness, what's it likely to look like?
 
Or the IT is run by people that know nothing about computers, networking and IT in general.


Well, yes, in simple terms this is damned common in DoD because frequently it's organized in the following way. Contractors fill the worker roles, Sysads, Network and storage guys, and the company management positions because the companies have to be able to report every week what they are accomplishing for the contract to the customer, who is the government. "This is how many patches we applied, etc"

But the actual management positions all must be government people and I'll give you a perfect example of what happens. My Lab Manager who is responsible for our Lab and all three development networks in that lab, is a developer, not an Enterprise guy. We guide him, we show him what's what, all the time. He's in charge but he doesn't have the experience for the position. It's a terribly common thing in the government. When a company loses a Lab Manager, they hire a new Lab Manager who has experience, or someone in house has shown he's very capable and that person applies for the position. But not the government, the government either moves someone else over who is already a government employee, or they may hire against it. But the moves happen too often to count and the impact is predictable.
 
You could look into DSC... Not sure exactly the hurdles for a local only implementation but it might be helpful but rolling your own is certainly a viable option...

https://docs.microsoft.com/en-us/powershell/dsc/overview/overview

I have played with that, but decided to do my own thing as it allows me to do things like log reboots, logins, and other data to my local server. Makes predicting when I need to allocate time to a client easier. Thank you though, I had completely forgotten about it.
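For comparison with the roll-your-own approach, here is the same sort of baseline expressed in DSC, following the overview linked above. This is an added example, not code from the thread or from Microsoft's docs; the two registry values, the output folder and the 30-minute check interval are my choices. The part that answers the "updates reset my settings" complaint is the LCM mode: with `ApplyAndAutoCorrect` the Local Configuration Manager re-tests the configuration on its own schedule and puts drifted values back, which is the compliance enforcement mentioned earlier for GPO/DSC/SCCM.

```powershell
# Added example: a DSC baseline for a standalone box plus an LCM meta-configuration
# that keeps re-applying it. Registry values and paths are assumptions for illustration.

Configuration SecureBaseline {
    Import-DscResource -ModuleName PSDesiredStateConfiguration

    Node 'localhost' {
        # Disable the SMBv1 server component.
        Registry DisableSmb1Server {
            Key       = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
            ValueName = 'SMB1'
            ValueData = '0'
            ValueType = 'Dword'
            Ensure    = 'Present'
            Force     = $true
        }
        # Keep UAC turned on.
        Registry EnableUac {
            Key       = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
            ValueName = 'EnableLUA'
            ValueData = '1'
            ValueType = 'Dword'
            Ensure    = 'Present'
            Force     = $true
        }
    }
}

# LCM meta-configuration: test every 30 minutes and correct drift automatically.
[DSCLocalConfigurationManager()]
Configuration BaselineLcm {
    Node 'localhost' {
        Settings {
            ConfigurationMode              = 'ApplyAndAutoCorrect'
            ConfigurationModeFrequencyMins = 30
            RefreshMode                    = 'Push'
            RebootNodeIfNeeded             = $false
        }
    }
}

$out = 'C:\DSC'                                    # assumed staging folder for the MOF files
SecureBaseline -OutputPath "$out\SecureBaseline" | Out-Null
BaselineLcm    -OutputPath "$out\BaselineLcm"    | Out-Null

Set-DscLocalConfigurationManager -Path "$out\BaselineLcm" -Verbose   # install the LCM settings
Start-DscConfiguration -Path "$out\SecureBaseline" -Wait -Verbose     # apply the baseline now

# Later, to see whether anything has drifted since the last LCM pass:
Test-DscConfiguration -Detailed
```

What DSC does not give you out of the box is the event stream the poster wanted (reboots, logons shipped to a local server); for that you still pair it with event forwarding or your own logging, so a hybrid of the two approaches is reasonable on small, domainless sites.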
 
Did you miss the part where the issue is the recommendations are getting ignored? Or what?


Recommendations do get ignored when a Commander deems it is not going to happen.

So a lot of people don't get this because they simply have no experience with it. Take the system our developers support. There are multiple versions of the software out there that we are currently forced to support because the Commanders refuse to have their systems loaded with the new versions. We can't force them, and mostly, no one can force them, because if they are in active combat environments their combat readiness far outweighs the importance of being on the latest version or even being up to a given patch level. And that is entirely the Commander's call, it's his ass on the line, he gets to choose what he will risk and what he will not risk.

He may not take his Drones off mission for a software update because he may not have an alternative system to fill in for it, or he may be concerned that it'll get messed up, or he may have been told that while the update fixes one thing, it breaks a more important thing.

So for that reason alone, you may very well hear that a recommendation from a pencil pusher in the GAO is being ignored. It doesn't mean the world is going to end. And sometimes, the very real world situation is such that the risk is truly minimal. It's why they pay that General the big bucks.
 
I'm sure there are plenty of $500/hour consultants that can fix them right up.
 
I'm sure there are plenty of $500/hour consultants that can fix them right up.


Perhaps, but as long as they keep trying to get by with crap salaries, they'll keep getting crap people.

For instance, I'm older right, 59 is me looking really hard at retirement. I am not all that interested in chasing the latest tech, I sort of stopped when they added the "Hyper" to HCI because frankly, our converged infrastructure will be all we use for the next few years anyway. By the time this customer gets around to actually buying a full HCI setup, I'll be sipping Margaritas on my back porch watching the young skirts hitting golf balls off the 7th hole.

But I digress, the point being, I take this shitty salary because I'm old, almost retired, I'm not moving, etc. If I were young and mobile I wouldn't work for these chumps, not for under $80K a year as a storage admin with 20 years experience, certs, a TS Security Clearance. I could chase down $130 easy, $200+ on the beltway.

But these guys just keep limping along relying on old bastards like myself while they keep hiring new retired military who only stay long enough to find something better, usually a government spot and they're gone. Six months tops on average, usually we never even get any good work out of them before they are gone again.
 
Yes, I work mostly with small to medium businesses where a domain controller is a bit overkill. The budget is usually pretty tight.

That is the problem with your take on this. You are not dealing with nearly the same landscape and cheap small business experience is nothing like what happens in the .gov and enterprise sphere.
 
That is the problem with your take on this. You are not dealing with nearly the same landscape and cheap small business experience is nothing like what happens in the .gov and enterprise sphere.

No offense, but your statement reads like you think small to medium size businesses are the problem.

I worked with an EPA office for a number of years. The problems there stemmed from no money in the budget to fix things correctly, to flat out incompetence inhibiting every step taken to try and secure the network (the local director, for the office, wanted to play Java games on the computer....just to start with...). They were running Windows 7 Pro and using Office 365, with no firewall, no domain controller, every system being configured by the individuals, logging in as admins, and running with full operating system defaults. It was a nightmare. I finally quit dealing with them. They actually drove me to the small and medium businesses as they are much easier to work with.

Yes small business has budget constraints, but that just imposes a different challenge. At least it is not a flat out rejection of every requisition.

Just FYI. I have been doing network security before Microsoft existed and have worked with every size company there is. Keeping pace with all the changes in the landscape has been fun and rewarding. Although, as I have gotten older, I have come to enjoy the quicker paced entrepreneurial companies.
 
No offense, but your statement reads like you think small to medium size businesses are the problem.

I worked with an EPA office for a number of years. The problems there stemmed from no money in the budget to fix things correctly, to flat out incompetence inhibiting every step taken to try and secure the network (the local director, for the office, wanted to play Java games on the computer....just to start with...). They were running Windows 7 Pro and using Office 365, with no firewall, no domain controller, every system being configured by the individuals, logging in as admins, and running with full operating system defaults. It was a nightmare. I finally quit dealing with them. They actually drove me to the small and medium businesses as they are much easier to work with.

Yes small business has budget constraints, but that just imposes a different challenge. At least it is not a flat out rejection of every requisition.

Just FYI. I have been doing network security before Microsoft existed and have worked with every size company there is. Keeping pace with all the changes in the landscape has been fun and rewarding. Although, as I have gotten older, I have come to enjoy the quicker paced entrepreneurial companies.


I am happy for you, that it sounds like it's rewarding for you is good to hear.

I'm just hoping one of my kids will have a kid so Momma will reorder her priorities and we can drop the yoke. I'm tired and more than willing to let someone else wear mine.
 
No offense, but your statement reads like you think small to medium size businesses are the problem.

I worked with an EPA office for a number of years. The problems there stemmed from no money in the budget to fix things correctly, to flat out incompetence inhibiting every step taken to try and secure the network (the local director, for the office, wanted to play Java games on the computer....just to start with...). They were running Windows 7 Pro and using Office 365, with no firewall, no domain controller, every system being configured by the individuals, logging in as admins, and running with full operating system defaults. It was a nightmare. I finally quit dealing with them. They actually drove me to the small and medium businesses as they are much easier to work with.

Yes small business has budget constraints, but that just imposes a different challenge. At least it is not a flat out rejection of every requisition.

Just FYI. I have been doing network security before Microsoft existed and have worked with every size company there is. Keeping pace with all the changes in the landscape has been fun and rewarding. Although, as I have gotten older, I have come to enjoy the quicker paced entrepreneurial companies.

No my response reads exactly like it was written. Your take is off because cheap small business security is nothing like .gov and enterprise spheres. It is very simple. Experience small business is not applicable here.
 
I did not like my original response so here is another attempt.

You think I am not qualified to comment on this topic. That is your opinion and I can see where you might get that. You have no idea what I have done in my 40+ year career or who I have done work for.

I am nearing the tail end of my career and made the choice to stick with small to medium business. They are fun and challenging to work with.

The one thing constant in my career has been the evolving landscape presenting challenges often enough to keep it interesting. A constant learning curve, to be sure.

Along the way I learned a very valuable lesson. There is always someone smarter than you around the corner. Earlier I asked one of the posters if he had a better idea I would like to hear it. His answer was something I already knew about, but you never know until you ask.

My response in this thread was from a culmination of efforts ranging from Fortune 100, to government to mom-and-pop shops. It is my opinion and I stand by it.

I am happy for you, that it sounds like it's rewarding for you is good to hear.

I'm just hoping one of my kids will have a kid so Momma will reorder her priorities and we can drop the yoke. I'm tired and more than willing to let someone else wear mine.

Thanks and LOL! I know what you mean.

I got lucky. Momma got a big promotion and raise a few years back and she came home and told me, "You need to think retirement, because I ain't hanging with no worn out old fart! Get some rest, you earned it.".

Yeah, life's good.
 