U.S. government worse than all major industries on cyber security (reuters.com)
143 points by pgoggijr on April 14, 2016 | 58 comments



Schools are pretty bad, too, and they have federal security policies strongly enforced on them.

Recently I had an fMRI done as part of a research program at Northwestern and had to sign a bunch of paperwork which said that my data would be secured with a best effort.

Well, fast forward to last night, when I was curious whether their psych department had any webservers exposed to the internet, which it shouldn't. I found SIP servers, printers with admin rights, routers, personal computers, etc. etc. etc. HIPAA hell. And that was only on three subnets and only 80/443.

I sent their heads of technology an email to see if they could look into it, since I'd prefer that my data not be stolen by anyone who knows how to run wget. They closed the ticket with this:

bpchaps, I believe you do have good intentions. That being said, we are already performing regular scans of our systems. If you do stumble upon anything significant, please do contact us again.

:(


UMD has a great class where their cyber security students do pentesting on the school network for credit, simultaneously securing the network and providing a great education.

http://www.cyber.umd.edu/sites/default/files/documents/sympo...

Nothing to get a network admin to close a hole like an annoying undergrad stopping by your office every day, trying to get his extra credit before the semester is over.


I'm a UMD student, and I had no idea this existed!

I've been hesitant about reporting holes/vulnerabilities in the school's infrastructure until now, but it's reassuring to see that there are official channels for doing so.


Don't think this was around when I went there, but I'm super excited that it is.

I did take a Software Engineering course while I was there that directly interacted with real-world clients and had to ship customer ready software at the end of the semester. It was intense and a fantastic learning experience. I'm biased, but they do it right at UMD. Go Terps!


I'd file a complaint with their bosses. Your privacy is important. If the tech staff won't take HIPAA seriously, their bosses better or they'll lose their job. Don't let this go, please, be proactive.


Absolutely. I have zero interest in letting this go. :)


> I have zero interest in letting this go

Then file a HIPAA complaint [1].

[1] http://www.hhs.gov/hipaa/filing-a-complaint/index.html


Not sure if it needs to get to that point yet. I'd like to do this civilly first and more aggressively with complaints like that only if necessary.


The first response was civil. I'd go straight to the HIPAA complaint now. They had their chance. Being overly polite is a waste of your time. For all you know you're being filtered by a moron covering his own ass.


My only concern with that, from personal experience, is that groups like HIPAA tend to be about as dismissive, but often significantly more. But you're right. If I don't get a decent response by tomorrow mid-afternoon, I'll raise the issue higher and follow through. My lawyer is very good with these sorts of issues, so I can go to him if needed, too.

Oh, the rabbit holes...

Edit: also, for what it's worth, I wasn't polite at the end - far from it.


Filed. :)


I'm a little late to the party but I'm glad you filed. That's awesome. Standing up for yourself (and others) is always a rewarding thing. Great work!


I helped build a learning management tool for our med school, even set up SSO with their AD. They scanned the hell out of us. And we had flaws. But when the dean said he wanted it on the school's domain, on their server, IT did as told.

I don't know the answer. If you do interesting things, there will be bugs. And a university is full of people doing interesting things. If IT locks everything down you end up hamstrung, like the DoD often is. Another kind of pain I know all too well.


Oh trust me, I get it. There's definitely a middle ground, though.

If you want to know locked down, my last place locked down ICMP between VLANs for security reasons. Ironically, it's what got me to learn nmap. It was also hell. :)
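An added example, not code from the commenter above or from anyone in the thread, showing why dropping ICMP between VLANs does not stop host discovery: a TCP "ping" sweep finds live hosts from RSTs on closed ports as readily as from completed handshakes, which is what nmap's `-PS` (TCP SYN ping) and `-Pn` (skip ICMP discovery entirely) options rely on. The target is constructed: the script opens its own throwaway listener on 127.0.0.1 and also picks an unused loopback port, so it runs offline and never touches a network you are not authorised to scan.

```python
"""TCP-based host discovery for networks that filter ICMP (added illustration)."""
import socket


def start_loopback_listener():
    """Open a throwaway TCP service on 127.0.0.1 as a constructed target.

    Returns the listening socket and the ephemeral port the OS assigned.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


def find_unused_loopback_port():
    """Bind-and-release an ephemeral port so we have a port with no listener (RST case)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def tcp_probe(host, port, timeout=0.5):
    """Attempt a TCP connect and classify the reply.

    'open'     -> three-way handshake completed: a service is listening
    'closed'   -> RST came back (ConnectionRefusedError): nothing listens, but the host is up
    'filtered' -> timeout or other error: dropped by a firewall, or no host at all
    Only 'filtered' tells you nothing; the other two prove the host is alive,
    which is exactly what an ICMP-only block fails to hide.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except (socket.timeout, OSError):
        return "filtered"
    finally:
        s.close()


def discover(hosts, ports, timeout=0.5):
    """TCP ping sweep: a host is alive if any probed port answers at all.

    Returns {host: {port: state}} for alive hosts only; a host whose every
    probe is 'filtered' is omitted because silence proves nothing either way.
    """
    alive = {}
    for host in hosts:
        states = {port: tcp_probe(host, port, timeout) for port in ports}
        if any(state in ("open", "closed") for state in states.values()):
            alive[host] = states
    return alive


if __name__ == "__main__":
    srv, open_port = start_loopback_listener()
    closed_port = find_unused_loopback_port()
    try:
        # Both ports reveal the host; no ICMP echo was needed for either.
        print(discover(["127.0.0.1"], [open_port, closed_port]))
    finally:
        srv.close()
```

The practical lesson for the VLAN-hardening case in the comment: filtering ICMP only removes one discovery method; a real segmentation control has to drop or reset TCP probes at the boundary too, and the "closed" result above shows that a plain RST is itself an information leak.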


We do lots of interesting things at Google. We are more secure than the average university, I believe.


Careful, people have been prosecuted for running unauthorised portscans before. It's probably easier for them to report you to the police than it is for them to fix the problems.


My uncle had surgery in a very well regarded hospital in the Northeast US. I visited him in one of their buildings and they were absolutely in a shambles from an IT perspective. Someone with bad intentions and a USB drive of almost any description could probably wreak havoc there.


I know of a local clinic where I live that has decided to stay on Windows XP and just told their staff "not to surf" as their way of dealing with security issues. While in the waiting room when I took my sister in for an appointment, I discovered you could look around pretty much anywhere: it has no network security, and the doctors' computers are on the same LAN as the public unencrypted Wi-Fi.


This job was posted in my town a few days ago. Must be able to support Server and Office 2000.

http://newmexico.jobing.com/lovelace-health-system/it-suppor...

Is there something I don't know, or is it crazy for a hospital to be using MS Server 2000 in 2016?


This makes me wonder at what point incompetent system administration becomes legal negligence.


This will make you laugh..

The President just formed a commission to make Americans safe in cyberspace [1]

His Press Secretary says "Issues related to encryption will not be considered by the commission" [2]

[1] https://www.whitehouse.gov/blog/2016/04/13/announcing-presid...

[2] https://youtu.be/FCx2uJWfyao?t=1h4m20s


I'm not really sure what the problem is with that. I feel like the broader infosec situation is bad enough that having them debate encryption would be like arguing over what lock to put on your cardboard door.


The commission is going to have to talk about encryption if they're to address information security. It might not be the same debate as the iPhone case, but encryption is central to cybersecurity. So, to say they won't talk about encryption is a non sequitur.


If they can't consider "issues related to encryption" then that shows how superficial the committee is. Encryption is the foundation of IT security, without it, there is no such thing. It's like making a band-aid committee for people with gunshot wounds.


I think part of this stems from the nuttiness that is government contracting and the massive organizational sprawl inherent in our current governmental structure.

Looking at some of the details, it seems some agencies are somewhat better than others; it would be interesting to see the whole report and see which agencies do better and which really suck (NASA seems to have done quite poorly).

Given that the security needs for the EPA may be quite different than those for the DoD, not to mention countless other agencies, it's easy to understand how standards and enforcement could quickly fragment. A lot of these agencies will hire contractors to do the work; they'll hire different contractors, who are themselves drawn from a limited pool of authorized contractors, and soon enough you have Healthcare.gov version 1 again.

Additionally, if FB or Google have a breach, there's a clear line of responsibility that ends up at the CEO. While in theory that's true in government, in practice you have both the executive branch and congress that muck about in the operations of an agency, so although you may get security person X to resign, it's far less easy to get at the people who are actually responsible (Which congressperson? How do you vote them out of a gerrymandered district? Should the president fire his cabinet secretary? How does he get a new one past congress)


Probably procurement processes weed out all but the most patient of candidates, along with their pay schedule. But their process can take months before final approval, so by then the candidate is gone.

They need to streamline the hiring process and offer competitive pay.


It's not just about patience, there are a lot of guidelines and hurdles to jump through to be eligible for certain contracts. Some of this is for good reason, there have been plenty of cases of contractors bilking the government out of millions with little or no accountability. But it makes the process too complicated for real competition to occur, so perversely although the government turns to the private sector for more competitive prices and cutting edge solutions, it ends up with inferior products.

Also, it's not as though the contractors themselves offer poor compensation. A lot of them actually offer at least market rate, and in some cases higher pay. It's not so easy to figure out how much something is going to cost over the lifetime of a contract. This, combined with the general opacity and bureaucratic hurdles of government contracting, makes it so the government doesn't get the best deal over the lifetime of the contract despite picking what may look to be a good idea at the onset. Of course this is all ignoring political considerations and lobbying issues.

The US Government is the largest corporation in the world, I think the US Defense Department is alone the largest corporation in the world. And none of it is subject to the free market (in many ways for good reason). It's very difficult to do things efficiently at that scale, and its even harder to do it with external political influences of all sorts.


There's organizational pressure to cut costs in the government, but nothing like the market's bonuses to excite people into excelling.

With the only serious motivator being to cut costs, most agencies will contract their project into the ground.

Add on to that the fact it's nearly impossible to hire because most tech people's heads are packed with dystopian scifi nonsense, and you have a perfect storm.


"President Barack Obama has made improving cyber defenses a top priority of his remaining year in office."

What happened to the first 7 years?


Preventing the collapse of the world economy? Killing Bin Laden? Auto industry bailouts?


I don't think the OP was suggesting that Obama has done nothing, but rather the opposite. Obama has definitely talked about the importance of cyber security in the past so it's a bit weird to say that it's a focus just this year.


Something can be important but not a priority.


The OPM hack was probably a wake up call, and it can help the NSA look good.


Too busy prosecuting whistleblowers and collecting metadata.


In typical US government fashion, the answer to this is to make all major industries worse at cyber security.


If anyone wants to help fix the problem, I suggest the newly formed USDS. There are a lot of ex-Google people involved trying to help clean up and secure IT infrastructure in the Government. I spoke with someone who did a short stint with them and it sounds like they're actually being empowered to fix things. https://www.whitehouse.gov/digital/united-states-digital-ser...

Mike Dickerson gave a really good in-depth talk at Google about his work cleaning up the healthcare.gov project. The Time article lacks many of the technical details but is still pretty good. Sorry, all I can find is a link to the PDF. https://blog.newrelic.com/wp-content/uploads/80893.pdf

From talking to people who've worked in the USDS, the problem doesn't appear to be lack of capable people, or lack of funds. The problem seems to be in the structure of how projects are bid and executed. The bad news is the problem is universal. The good news it's fixable ... it's just going to take a lot of work by a lot of smart and determined people.

Sign up and go fix it.


This is one of the pragmatic/apolitical reasons the USG (or any other government) should not key escrow or hold encryption backdoor master keys.


Does anybody know what factors SecurityScorecard considers? The link is just a press release for the real information.


As an exemplary symptom of the toxic IT culture in many aspects of government and defence, the US Navy paid $9M for continued support of Windows XP last year [0]. They definitely aren't the only government agency which is doing this, and it's indicative of systemic problems in business support and procurement.

[0] http://money.cnn.com/2015/06/26/technology/microsoft-windows...


Why? It's one of the largest organizations on the planet, spending millions on something or other doesn't indicate anything.


Spending millions on support for an operating system which is well out of life is indicative of poor IT procurement and lifespan management. Business interruption was a valid excuse about 5 years ago, to continue to argue that is a farce.


Information services, construction, food and technology were the top performing industries in this test.

Info services and Technology seem like common sense answers, and maybe food includes fast food which has to defend against the underground's hunger for credit cards, but why does construction earn a top place?

Anyone have a theory?


Construction and food are run by good old boys, who aren't going to waste a bunch of money going to IBM for their tech, when they can go to the local company which charges half as much. In so doing, they accidentally hired better tech, because the big companies are bureaucratic nightmares.

The tech companies self-service.


Compliance does not equal security.


I mean, it took them a while to get the ObamaCare fiasco fixed ..... shows their competence


This is their best effort at making government transparent!


This is unsurprising. From what I gathered from @da_667 (former NSA TAO), the pay was terrible. Why work for the government when you can get a job making 2-3 times as much with the same responsibilities?


The pay is terrible because it's set by Congress. Agencies don't have the liberty to set pay.


Perhaps it's not their fault but it doesn't make it any better for a prospective job hunter. Perhaps competitive salaries need to be part of this push


That doesn't preclude government contracting this kind of work out to professional infosec consultancies. Budgets are usually more complex than a single bucket and the heightened requirement for accountability in government practically guarantees that.


Except that the heightened accountability is part of what causes this whole problem. Contractor bill rates are strictly regulated by non-technical proposal reviewers who live in fear not of a contractor not performing (what are you gonna do, contractors, amiright) but of OMB asking why they didn't select the firm with the slightly cheaper bill rates. The concept of the man-month is alive and well among government proposal reviewers.

Add to that all of the rules that require you to be an expert in government proposals (Google "8a", "BPA", and "USG far") and you're virtually guaranteed anyone who's good and wants to be paid what they're worth will roll out.


You'd have to have your head examined for willingly working in government IT. The dysfunction is legendary, the pay is abysmal and there are no free massages or vending machines. If you had the skills to secure computer systems, why would you work for the government? What possible reason?


I've been associated with (Australian) Government projects and, whilst I don't know much about what their own staff got paid, I can tell you not one person there had ever still been in the office by 5:01pm. Managers didn't even have the mobile phone numbers of their staff even if they wanted to contact them after hours. People were told not to come to work for things like "multicultural awareness day" and a dozen other special days that would never be considered a holiday at any business group.

Several of them lamented that every department had "slackers" who'd probably be fired from any real business, but basically couldn't get sacked if they tried due to Government policies.

It's not my thing, but there are reasons people choose these places.


>Several of them lamented that every department had "slackers" who'd probably be fired from any real business, but basically couldn't get sacked if they tried due to Government policies.

Seems like the end result would be a really nasty dead sea effect.


Some people are motivated by things other than money and massages. Those people might say that anyone taking megabucks and massages over securing government systems which contain all of our sensitive data might need their heads examined.

This is a paraphrase of a good answer from bugcrowd's CEO when asked about why people report bugs for thousands when they could sell them for hundreds of thousands. He answered "not everyone wants to be a drug dealer".

Light candle > curse the darkness


Ok but obviously that isn't working. If you want top talent you have to pay top dollar, even if you are the government.


Indeed. And not merely for the dysfunction and pay, but also the fact that you're willingly building the machinery of your own oppression and servitude.


Time to just outsource USG data and services to Zuckerberg.

He's possibly handling more data, providing more services and doing it with what...10K engineers?

We are just going to see more and more Sony type hacks, Manning/Snowden type events. Just look at what happened with Bangladesh's Central Bank and Philippines voter records.

Going forward I just don't see Govt IT coping on their own. Things are just moving too fast and they have my sympathies.



