Gods, where to start.
Anything important is on a SCADA network. Little critical infrastructure is on Internet accessible networks. The most critical stuff is only monitored by SCADA networks but cannot be given commands over SCADA. Yes, SCADA networks need to be updated to keep in line with advances made in network defense that internet facing networks almost always have.
The NSA and DISA publish good white papers and specifications for securing OS’s, network devices, some applications, etc. They also cooperate with private sector manufacturers and software publishers to promote Information Assurance concepts and resources. They have a good reputation, remain strictly neutral, and usually only advise. DISA is responsible for the overwhelming amount of US military networks, and a surprising number of general government networks. DISA handles the bulk of the hands on information security on defense and national security networks. A lot of server stuff too. NSA does some stuff, but not as much hands on stuff as you’d think. Probably for the best.
I’m not convinced that the USAF’s Cyber Command is little more than a money sink. What can they do that the NSA or DISA is not doing? I suspect their primary mission will be to suck up funds and maybe protect a very few number of networks. On the plus side, maybe they will do some improvements on embedded networks specific to the USAF. That’d be nice. But not critical to the security of the US infrastructure, as they run only more or less internal networks. They turn over more and more of those networks to DISA each year.
While there is a lot of improvement needed in the information security field, it’s not catastrophically bad. Consumers need better security. That’s the biggest threat at the moment. Millions of ordinary desktops and laptops. Infrastructure and corporate wise, infosec is getting better. Govt always needs to get better, but is good enough by and large. The only advice I can give that crosses private and public sector is, more applicable user training. Not the boring CYA legal-ese crap, but short good information. Put your written passwords in your wallet, don’t share them, shred papers you don’t need, if in doubt ask IT, don’t click on stuff you think is off, if something sounds odd ask your security department, etc etc.
IT and IT Security departments need to expand beyond technical issues and also regularly interface with the users. Yes, I bloody well know how problematic this can be. But most users don’t want to work around standard procedures, they just want to do their job in a way that isn’t too painstaking. IT personnel should try to make their user solutions as streamlined as possible.
Some folks in the Obama administration and Congress kicked around kind of national computer security agency to ‘own’ all the networks and make them safe.
A centralized body governing network security is such a bad idea I’m not sure I can make a proper analogy. “You might as well shoot yourself in the head to save time” would be the closest I can come to explaining how bad of an idea it is. Any hypercentralized NSOC (Network Security Operations Center) with legal powers to control every network in the US would be the worst security threat I can imagine. If you find a way into such a NSOC, you can take down everything. As it stands now, if somehow you could take down… say a specific hospital, that didn’t mean you could automatically also take down a nuclear power plant, a jet liner or a Mom’n'Pop small business network. Decentralization means you have a wide variety of different environments. The more diverse and decentralized you make the entire US IT infrastructure, the less likely any one attack vector can do damage to a bunch of different networks using the same trick.
If you wanted to do the same thing in a somewhat secure manner, which is a bad idea, give the central telecoms a right to blacklist IP traffic without legal repercussion and the ability to void their obligation to completing contracts at their leisure but still get paid anyways. The idea is major telecommunication companies could cut off clients that are infected or attacking other networks. Also, legally make the client liable for the costs of the downtime so that the telecommunication company does not have a financial incentive to ignore the attacks. Sounds like a bad idea? It is. But it’s much more secure than the hypercentralized NSOC idea.
Some folks commented that Conficker was a really nasty worm and the media played it up like it was Ragnarök. Also, IT folks were running scared.
Really? Must be a different part of the IT community than I regularly communicate with. Oh sure, we’re all very concerned with users installing malware. Any one worm? Not so much. If you patch your systems regularly, have a good AV solution and hopefully a half decent firewall, there isn’t a worm made yet that the IT community is overly concerned over. Never confuse secondary effects (rush to patch an exploit, or dealing with an upsurge in spam traffic) with the worm or malware itself.
Hell, I was amazed at how much the media was playing up Conficker. The persons that designed Conficker were either really stupid, or didn’t care. If you upgrade to nmap 4.85Beta7 and run the command ” nmap -PN -d -p 445 –script=smb-check-vulns –script-args=safe=1 126.96.36.199 “, you can determine if the host is infected or not. (188.8.131.52 being the target IP, and obviously removing the quotes.) Why? NetpwPathCanonicalize() gives a nonstandard answer to queries. So you ask the worm if it has infected a host, and it accurately says “Yes, I did.”
I’ll grant you, worms are becoming more sophisticated. Storm was designed by someone with a glancing knowledge of secure programming. Not a professional level, of course. Almost, but not quite, respectable. Conficker is worrisome not because it was well written or well designed, but rather because it exploited a nasty hole in all relevant versions of Windows (See MS08-067), which is a hole that gives system level access with no authentication over a network. That’s as bad as an security hole gets. If you’re patched, no problem. If you’re running an AV, somewhat no problem.
Instead of saying “ZOMG! Killer worm! All the geeks are in a panic and predict end of the world”, the media should say “Yo, a routine worm is making it around the internet exploiting a hole patched on Oct 8th, 2008. If you haven’t patched your desktop in SIX MONTHS, please do so. Go to whatever.com for details on how to do so.”
As we all know, rational dissemination of information ain’t the media’s strong point.
Disclosure: I formerly worked for the US Army and DISA.