Anyone who follows information security news is probably wondering this week: “What in the hell is up with security in this country?” At least for those of us living in the United States, this should have been the statement of choice. In case you don’t follow security news, here are some of the headlines: “North Korean hackers may have stolen US war plans”, “Hacker Exposes Unfixed Security Flaws In Pentagon Website”, “Predator drones hacked in Iraq operations”, “Stolen laptop contains data of 42,000 military family members”. These are the headlines from this week alone.
In the case of the North Korean attack we have to clarify what occurred. It wasn’t necessarily the U.S. government’s fault. While the headline may inspire thoughts of Kim Jong Il supporters hammering away at their keyboards with tools like Metasploit, the reality is a bit different. According to the article: “The highly sensitive information, codenamed Oplan 5027, may have found its way into hostile hands last month after a South Korean officer used an unsecured USB memory stick to download it.” This is a big difference from the interpretation anyone would draw from the headline. Why not title the article “South Korea fumbles – Loses Sensitive Security Information”? Perhaps that title isn’t inspiring enough to read.
Whatever the reason behind the article’s title, we are told that “information may have been stolen”, which leaves us questioning whether it was or was not. For argument’s sake, let’s set that aside for a moment and put this into a different context. I’ll use an analogy to explain the gist of it all.
Best Bar Widgets has a product or an idea concerning widget making. The company has invested time and effort into collaborating with Janes Widget LLC on a plan to defend against a potential marketing war being led by the Acme Foo Widget Corporation. Best Bar carefully strategizes against Acme’s every move in order to defend itself. Acme Foo Widget Corporation is located right next door to Best Bar’s factory, and Acme has been known to send industrial spies posing as factory workers trying to get a foothold on everything under the sun. In this analogy, what protections can Best Bar Widgets take to defend itself from data loss? How much does this cost, and how long does it take to get running from concept to production?
We can now look at the free route or the pay-for-play route. Let’s take the free route first. To defend against data loss from a stolen laptop or a lost or stolen disk, one can use TrueCrypt, which is a free program. Cost: the time to download it. Because they’ve never used the program, they’ll have to read through the manual. Cost: the amount of time multiplied by salary. If we assume the user configuring and learning the program earns a salary of $500,000.00 (US), we can specify an assumed cost here. Let’s suppose it took a worker at Acme Widgets one month to download, install, configure and learn this program; we can then state that implementing this solution cost $41,666.67 ($500,000.00 divided by 12 months, for those wondering where the $41k comes from). To be fair, we’d also want to assume that Janes Widget LLC will need to have its employees download, install, configure and learn this program as well. We’ll assume the employee at Janes also makes $500,000.00 in salary. It took Janes Widget’s employee the same amount of time to go through the motions, which gives us a baseline (an insanely high baseline) on the cost: $83,333.30 to get this operational. Both companies can now use the program.
“Wait!” said the enterprise architect: “this does not include the fact that 3,000 employees at Acme and 3,000 employees at Janes Widget need to be trained. Your figures are way off!” To address this we tack on $4,000.00 for a video camera and another month of salary ($41,666.67), and we create a video explaining how to use TrueCrypt. We mandate that all drives will be encrypted from here on out and teach employees why they need to follow policy; we also notify employees that if they break the policy, they will be terminated. We make sure this is not an empty threat. We also do the same for everyone at both companies and install GnuPG (OpenPGP). This allows us to encrypt data being sent back and forth. The odds of them breaking the encryption are about the same as the odds of my walking to the coffee machine, disappearing into thin air and reappearing on the planet Mars. To be fair, we’ll double the total cost we’ve amassed to cover the install and training for Acme and Janes, include the video training, and even throw in a DLP system. How does $250,000.00 sound so far? $83,333.30 for both companies to have PGP and TrueCrypt installed and a training video created. We also added DLP at each company at the whopping price of $83,333.30 per device. See what I’m getting at? The cost of protection is always lower than the cost of an incident. Even if I stated a $5,000,000.00 price tag for my scenario, it would still come cheap considering Heartland settled for a 3.6 million payment to ONE company (AMEX).
Moving away from the Korean solution described above, what about the other blunder, “Hacker Exposes Unfixed Security Flaws in Pentagon Website”? Well, the same applies. However, I decided to be even more obnoxious about this solution. Here we hire an independent Red Team on a quarterly basis to perform penetration testing on the webservers. The team would use a variety of tools and tactics against the webservers: no social engineering, no physical testing, strictly pentesting. Purchase them all the well-known tools: Core Impact, HP WebInspect, Cenzic Hailstorm, Acunetix. Name all the commonly used tools and tactics and add up the pricing. I can round this off to about $300,000.00 per year in tools and another $500,000.00 per year in salaries. Let’s be REALLY obnoxious about it and round this cost off to $10,000,000.00.
$10,000,000.00 for a Red Team to perform nothing more than webserver security testing against all DoD webspace, looking for vulnerabilities and then locking those webservers down against exploitable vulnerabilities. Is the cost too high for this program? I’d certainly think not, considering it could potentially cost billions if an attacker downloaded sensitive information. War plans, strategy guides, information on weaponry: think about the costs associated with having to reinvent a strategy, or with losing technology or secrets. I’m sure $10,000,000.00 is peanuts to the Department of Defense. The real-world cost of implementing a strong security program pales in comparison with the financial losses of not having one. Now, to be fair to those in government already performing some of these roles (Red Teaming), I am aware of the “our hands are tied!” statements. Government regulations and bureaucracy prohibit certain things from occurring: collaboration, screening for proper authorization, access. Something needs to give. I know some seriously talented individuals who work in government agencies, and I know for a fact that these people can penetrate high-level, layered security systems, let alone a simple webserver. So why aren’t they locking down these webservers, you ask? If you’ve worked for government, you’d know the left hand never knows what the right hand is doing. It’s how the government operates.
Moving along (again), we have the following comment: “Iraqi insurgents have reportedly intercepted live video feeds from the U.S. military’s Predator drones using a $25.95 Windows application that allows them to track the pilotless aircraft undetected.” … I wouldn’t even know where to begin on that one. This is one of those “they did what?!” moments, an instance where one is at a loss for words. Maybe someone in government can give me a call at (888) XPLOITD so that I can help create an effective pentesting security program for them. It would be cost-effective, efficient, and would certainly take care of many of these baffling breaches in security. In fact, we’d do it at a fraction of the $10,000,000.00 price tag.