"...the vulnerability was initially identified in 1990..."
STIG scans are automated and the basis for identifying a finding is sometimes a lot different from the name. You have to decode the scanners script and compare the description with the code. In this case it is likely a "medium" finding that an email service is running and may be a risk. "May" and not "is". It requires a manual evaluation to confirm.
My favorite is the vulnerability identified as [redacted] which merely identifies the operating system as Windows. It is a High severity.
I have to run STIGs all the time on 450+ linux systems being a Linux Admin and all. STIGs are a good starting point, however the word guidance is in their acronym for a reason. Other security has to be considered.
At our facility we have a "check box" security department. The entity above us is so concerned about STIG findings and if they are checked of of the list, other vulnerabilities are left to the wayside.
I once got in an argument about outdated embedded versions of java in applications we use. some were up to 7 years old. I advised that we contact vendors, but being an systems admin that was up to the individual application administrators. I was told it didn't show up on scans and to shut up and color (OK they were a little nicer to me than that, same message though).
I can see how places might be lacking in security if they have the same mentality as here.
If WW3 ever starts, nobody will really know what works and what's been hacked. We used to have M.A.D., now we have M.A.H: Mutually assured hacked. WW2 weapons may be the only ones that still work.
Odds are everyone's nukes are poorly secured, not just the U.S.. So even if we manage to improve security, it only takes another side to lose their nukes to a not-so-cool-headed actor..
Nukes are a different beast entirely. Quite a few of their safety systems are physical and non-networked. The only danger are hacking delivery systems such as subs and bombers. But that would only prevent the delivery of a nuke, and not set them off.
As i recall it takes 2 people to physically launch an ICBM from either a bunker or a sub (simultaneous key turns). The other delivery method is a bomber, not sure what is takes to arm those.
ICBMs can also be launched through the Airborne Launch Control System, which sends a radio signal from an aircraft to the silo. ALCS commands have a delay and a time window of a couple of minutes I believe where they can be reversed by the crews in the LCCs, but absent their intervention, nuclear missiles can be hacked.
My understanding is that inside the capsule LCCs, if the ALCS sends a launch order, if they do nothing in two minutes, the missile launches. I believe any of the ten LCCs in the wing can abort the launch. Then there's some arbitration procedure where another LCC can reverse this and decide to launch after all, and then I think the wing commander's LCC can have a final override on that. The intention is that if all of the LCCs are destroyed, the missiles can still be launched, since there would be no one left to abort the launch, but under normal conditions, the ALCS would not be able to launch. The government is currently starting to build a new ALCS replacement system that is IP based, which I think has to be about the worst idea I've ever heard of.
The US military really needs a major upgrade in terms of its THINKING about internet security.
I've spoken to the military trained "cyber warriors" at conferences and it was unsettling. They simply had a worse grasp than some pre-college kids I've met who dabble in security between high school classes.
There's a lot of veneer there and not a whole lot of substance. It is like they're trained to be the world's best script kiddies (e.g. they run provided tools in a given order and expect a predetermined result, they don't REALLY grasp the underlying concepts at a low level).
Now I will say the NSA has some really sharp cookies, and I'm sure some other DoD departments do too. But the people at the top seem to think "cyber" war can be mapped to normal war, and train accordingly. That's a fool's errand.
Hopefully they get it together, but in terms of DoD's own internal politics it seems like a long road with the computer illiterate grey hairs at the top.
At my previous security consulting firm, the leadership team kicked off a massive hiring effort of DoD veterans, driven by the idea that "cyber warfare is similar to real warfare, so veterans are a natural fit for cybersecurity jobs". Blech.
Based on my experience working with those ex-DoD folks, I echo your sentiment. Anyone who was known to be a part of the veteran hiring initiative became a black sheep among the other rank-and-file at my company, because everyone knew that the DoD folks could hardly do anything more complex than a follow a 5-step "how to install metasploit" guide without having their hand held (and even then...). They also had very little familiarity with basic security tools like MFA, IDS, IDM softwares (which makes sense after reading the article).
The worst part still was that they were very cocky about their abilities. I heard way too many times about how "I have experience with 'real war' at the pentagon, I know what I'm talking about", when in reality they certainly did not. If the actual DoD is anything like their ex-infosec employees that I worked with, I can only imagine that this article is just the tip of the iceberg.
But what's the solution to this? At the end of the day the Fed Gov has become an incredibly successful jobs program for vets. (see vets preference and all sorts of affirmative action there) Obviously, one can make the argument that perhaps the skill-set and drive that encourages one to join the military is probably, in a majority of cases, orthogonal to what makes someone good at cybersecurity.
But who would ever argue that? It's political suicide, "how dare you hate the troops", etc. It's fun to see how toxic it can get -- I'd recommend looking at a few of the USAJobs message boards that have advice on how to get hired. Every now and then you'll see a thread about how the veteran preference is unfair, and, well, I won't spoil it. :)
17 comments
[ 3.3 ms ] story [ 44.5 ms ] threadSTIG scans are automated and the basis for identifying a finding is sometimes a lot different from the name. You have to decode the scanners script and compare the description with the code. In this case it is likely a "medium" finding that an email service is running and may be a risk. "May" and not "is". It requires a manual evaluation to confirm.
My favorite is the vulnerability identified as [redacted] which merely identifies the operating system as Windows. It is a High severity.
At our facility we have a "check box" security department. The entity above us is so concerned about STIG findings and if they are checked of of the list, other vulnerabilities are left to the wayside.
I once got in an argument about outdated embedded versions of java in applications we use. some were up to 7 years old. I advised that we contact vendors, but being an systems admin that was up to the individual application administrators. I was told it didn't show up on scans and to shut up and color (OK they were a little nicer to me than that, same message though).
I can see how places might be lacking in security if they have the same mentality as here.
* Update: Never mind, I stand corrected. You are correct. https://en.wikipedia.org/wiki/Airborne_Launch_Control_System...
My understanding is that inside the capsule LCCs, if the ALCS sends a launch order, if they do nothing in two minutes, the missile launches. I believe any of the ten LCCs in the wing can abort the launch. Then there's some arbitration procedure where another LCC can reverse this and decide to launch after all, and then I think the wing commander's LCC can have a final override on that. The intention is that if all of the LCCs are destroyed, the missiles can still be launched, since there would be no one left to abort the launch, but under normal conditions, the ALCS would not be able to launch. The government is currently starting to build a new ALCS replacement system that is IP based, which I think has to be about the worst idea I've ever heard of.
I've spoken to the military trained "cyber warriors" at conferences and it was unsettling. They simply had a worse grasp than some pre-college kids I've met who dabble in security between high school classes.
There's a lot of veneer there and not a whole lot of substance. It is like they're trained to be the world's best script kiddies (e.g. they run provided tools in a given order and expect a predetermined result, they don't REALLY grasp the underlying concepts at a low level).
Now I will say the NSA has some really sharp cookies, and I'm sure some other DoD departments do too. But the people at the top seem to think "cyber" war can be mapped to normal war, and train accordingly. That's a fool's errand.
Hopefully they get it together, but in terms of DoD's own internal politics it seems like a long road with the computer illiterate grey hairs at the top.
Based on my experience working with those ex-DoD folks, I echo your sentiment. Anyone who was known to be a part of the veteran hiring initiative became a black sheep among the other rank-and-file at my company, because everyone knew that the DoD folks could hardly do anything more complex than a follow a 5-step "how to install metasploit" guide without having their hand held (and even then...). They also had very little familiarity with basic security tools like MFA, IDS, IDM softwares (which makes sense after reading the article).
The worst part still was that they were very cocky about their abilities. I heard way too many times about how "I have experience with 'real war' at the pentagon, I know what I'm talking about", when in reality they certainly did not. If the actual DoD is anything like their ex-infosec employees that I worked with, I can only imagine that this article is just the tip of the iceberg.
But who would ever argue that? It's political suicide, "how dare you hate the troops", etc. It's fun to see how toxic it can get -- I'd recommend looking at a few of the USAJobs message boards that have advice on how to get hired. Every now and then you'll see a thread about how the veteran preference is unfair, and, well, I won't spoil it. :)
It won't change until it has to change.
The conflation of two totally different categories of products decreases the credibility of the entire article.
With that said, the subject matter is tragic.. almost terrifying. Did we learn nothing from stuxnet?