The latest report on Einstein from GAO was badly needed. This boondoggle of a program has been the biggest waste of security money I can remember. Mother Jones, which I seldom read or source, has an article on it in their 29 January issue [http://m.motherjones.com/politics/2016/01/governments-expensive-cybersecurity-system-disaster-says-new-report] claiming it is a $6 billion program (they never spent close to that amount) that doesn't work. The latter claim is probably accurate. I posted a previous article on David Perera's report about a delay in the implementation of Einstein 3 [http://www.politico.com/story/2014/11/federal-cybersecurity-plan-stalls-113044.html], a program which has had more delays than any computer security project in recent years. Putting DHS in charge of anything computer related is always an interesting experience, but their inability to get capability from money is probably the most telling part.
If you ever wanted to know what Einstein 3 was, you need only look at the publicly posted Privacy Impact Statement at [http://www.dhs.gov/sites/default/files/publications/privacy/PIAs/PIA%20NPPD%20E3A%2020130419%20FINAL%20signed.pdf]. They should never have posted so much for the public (and every hacker around the world) to read.
Mother Jones points to the GAO's latest report at http://www.gao.gov/assets/680/674829.pdf which is not very flattering, but if you are a security professional, it is worth reading. Just these items from the summary will give you an idea of why it is worth reading:
The Department of Homeland Security's (DHS) National Cybersecurity Protection System (NCPS) is partially, but not fully, meeting its stated system objectives:
• Intrusion detection: NCPS provides DHS with a limited ability to detect potentially malicious activity entering and exiting computer networks at federal agencies. Specifically, NCPS compares network traffic to known patterns of malicious data, or "signatures," but does not detect deviations from predefined baselines of normal network behavior. In addition, NCPS does not monitor several types of network traffic and its "signatures" do not address threats that exploit many common security vulnerabilities and thus may be less effective.
• Intrusion prevention: The capability of NCPS to prevent intrusions (e.g., blocking an e-mail determined to be malicious) is limited to the types of network traffic that it monitors. For example, the intrusion prevention function monitors and blocks e-mail. However, it does not address malicious content within web traffic, although DHS plans to deliver this capability in 2016.
• Analytics: NCPS supports a variety of data analytical tools, including a centralized platform for aggregating data and a capability for analyzing the characteristics of malicious code. In addition, DHS has further enhancements to this capability planned through 2018.
• Information sharing: DHS has yet to develop most of the planned functionality for NCPS's information-sharing capability, and requirements were only recently approved. Moreover, agencies and DHS did not always agree about whether notifications of potentially malicious activity had been sent or received, and agencies had mixed views about the usefulness of these notifications. Further, DHS did not always solicit, and agencies did not always provide, feedback on them.
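To make the first bullet's distinction concrete, here is an added example (not from the GAO report and not NCPS code; the flow record format, the two signatures and the per-host history are all constructed) that runs a signature-only check and a baseline-deviation check over the same flows. The oversized upload matches no signature and is caught only by the baseline check, which is exactly the gap GAO describes.

```python
import re
import statistics
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:            # one outbound flow record (constructed, not a real format)
    src: str
    dport: int
    byte_count: int
    payload: bytes

# Constructed signatures: fixed byte patterns a signature-only sensor matches.
SIGNATURES = {"known-c2-beacon": re.compile(rb"BEACON-v1"),
              "known-exploit-string": re.compile(rb"EXPLOIT-XYZ")}

def signature_alerts(flows):
    """Signature matching: (flow, name) for every flow containing a known pattern."""
    return [(f, n) for f in flows for n, p in SIGNATURES.items() if p.search(f.payload)]

def baseline_alerts(history, flows, z_threshold=3.0):
    """Baseline deviation: flag flows whose byte_count is far above the source
    host's recorded normal outbound volume (history = {src: [byte counts]})."""
    hits = []
    for f in flows:
        past = history.get(f.src, [])
        if len(past) < 2:
            continue                     # no baseline yet; cannot judge deviation
        mean, sd = statistics.mean(past), statistics.pstdev(past) or 1.0
        z = (f.byte_count - mean) / sd
        if z > z_threshold:
            hits.append((f, round(z, 1)))
    return hits

# Constructed normal history: this workstation usually sends 1-2 KB per flow.
HISTORY = {"10.1.1.5": [1200, 1500, 1100, 1800, 1400, 1300, 1600]}

SAMPLE_FLOWS = [
    Flow("10.1.1.5", 443, 1350, b"GET /index.html"),        # benign, normal size
    Flow("10.1.1.5", 443, 1400, b"POST /x BEACON-v1"),       # matches a signature
    Flow("10.1.1.5", 443, 250000, b"POST /upload <blob>"),   # no signature, huge
]

def run_demo(flows=SAMPLE_FLOWS, history=HISTORY):
    """Return which flows each method flags, as indexes into `flows`."""
    sig = sorted(flows.index(f) for f, _ in signature_alerts(flows))
    base = sorted(flows.index(f) for f, _ in baseline_alerts(history, flows))
    return {"signature": sig, "baseline": base}

if __name__ == "__main__":
    print(run_demo())   # {'signature': [1], 'baseline': [2]}
```

A production sensor would keep per-host, per-port baselines over time windows rather than a single byte-count list, but the split is the same: the signature path sees only what it already knows.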
GAO is usually language-neutral in describing how a system actually looks compared to what it is supposed to do. They would never say things like "These guys have managed to build weak functionality for large sums of money," even though they must want to at times like this. Hooray for Congress requesting this report. While OPM touted Einstein as the reason they detected the Chinese intrusion into our security clearance records, nobody believed them. If you read this report, you know why.