ievans | 2 years ago
The report identifies its audience as four groups of stakeholders: (1) federal civilian executive branch agencies; (2) target-rich, resource-poor entities where federal assistance and support are most needed, including SLTT partners and our nation’s election infrastructure; (3) organizations that are uniquely critical to providing or sustaining National Critical Functions; (4) technology and cybersecurity companies with the capability and visibility to drive security at scale.
The overlap with the HN audience is probably primarily under the last category, where they have 5 objectives listed in the report (increasing threat modeling, secure software development frameworks, accurate CVE data, secure-by-design roadmaps, and publishing stats like MFA adoption and the % of customers using unsupported product versions). These all seem like good priorities for an agency like CISA, and I've been impressed by their level of direct industry interaction even in our company's corner of the security (appsec) space.
rawgabbit | 2 years ago
https://csrc.nist.gov/files/pubs/sp/800/218/final/docs/nist....
This is how big corp rubber-stamps their security "review". As an American, I was hoping for the government to come up with a real solution. Like telling the big tech companies that if America goes down the toilet, so do you. So stop with nonsensical security theater, and come up with real solutions. Like how to identify who is doing what. Real identity authentication and real logging. No more "VPN/TOR/I can use any IP address I want, then spoof a federal employee." No more "I can arbitrarily change any setting/value because MSFT/UNIX doesn't believe in auditing."
unethical_ban | 2 years ago
And if that isn't known, I do consulting!
logicallee | 2 years ago
tptacek | 2 years ago