January 16, 2014
We stand as one. Change INFOSEC now.
Written by
David Kennedy
Leadership
Today, as you read this, I am testifying in front of Congress to discuss the security issues not only related to healthcare.gov but also in the federal and state government. My purpose for this talk is not to promote TrustedSec or myself, or to drive a political agenda. It's to communicate concerns that a number of us in the security community have around the future of the INFOSEC community in the government. In November of last year, I testified on the glaring security issues around healthcare.gov, not as a hacker but someone who studies security exposures and works for some of the largest companies in the world to better their security. Today, nothing has changed and it's business as usual on the healthcare.gov site. Out of the issues identified last go around, there has been a half of a vulnerability closed out of the 17 previously disclosed and since my last appearance, other security researchers have also identified an additional 20+ exposures on the site.
A question that will be asked, I can almost guarantee it is how do I know that the website is insecure if I didn't hack it. What I would say to that is if I had 12 years of experience as a mechanic. A car drives past me leaking oil, making clanking sounds from the engine, and big clouds of blue smoke coming from the muffler, can I make a reasonable assumption that there is something problematic with the engine and should be looked at further? My opinion on healthcare.gov isn't because of any form of hacking, or attempting to breach it's security, it comes from years of working on the exact same flaws for companies that experience large-scale breaches or organizations that want to understand what types of exposures they have, and these are symptomatic of a much larger problem.
I'm not alone. This time around, I wanted to engage some of our many highly talented folks in the INFOSEC community to derive their own opinion completely by themselves and without influence or bias. I asked for help, and the community answered in a big and epic way. I engaged Ed Skoudis, Kevin Mitnick, Chris Nickerson, Eric Smith, Chris Gates, John Strand, and Kevin Johnson to share the research of others as well as myself and Scott White from TrustedSec what we had. I have a high respect for these individuals not only for their expertise, but also the amount of talent they have at understanding technical security issues. I worked with each of them and signed a mutual NDA to not disclose the exposures that have already been reported. I asked that they simply give their professional opinion on what they thought of the exposures and if they think best practices were followed on the healthcare.gov website. The results were unanimous and unified - its bad.
You can download a signed copy of each of their statements here
I want to thank the folks that helped and all of the others who share the view, and those that don't. The purpose here isn't to just single out healthcare.gov. This is a much larger problem in the federal and state levels of the government. We need broad and sweeping changes right now, this day, this time to make a difference. A government that focuses on security will inherently provide a much better service while protecting the information that needs protecting. I'm proposing multiple changes, one is a federal level breach disclosure law that tackles all areas of the federal government. If a breach occurs of PII, the United States should know about it. The second, focus on better security integration in contractors and within the federal government. End-to-end testing, continual improvements and monitoring. </p>
<p>Next, a blurb from Alex Hutton, a government entity that focuses on a more governance structure on protecting its own. A CDC for INFOSEC. These types of changes must be widespread in the government and work as a collective in doing things with security in mind. We have the ability now to change it, and the backing of the community to do things the right way. Help support us, help support the initiative, and lets make some changes.
You can download my full written testimony here.
A special thanks to Ed Skoudis, Kevin Mitnick, Chris Nickerson, Eric Smith, Chris Gates, John Strand, and Kevin Johnson for their time, effort, and noble cause. There are so many other talented individuals in this industry, I wish I could have included everyone.
A question that will be asked, I can almost guarantee it is how do I know that the website is insecure if I didn't hack it. What I would say to that is if I had 12 years of experience as a mechanic. A car drives past me leaking oil, making clanking sounds from the engine, and big clouds of blue smoke coming from the muffler, can I make a reasonable assumption that there is something problematic with the engine and should be looked at further? My opinion on healthcare.gov isn't because of any form of hacking, or attempting to breach it's security, it comes from years of working on the exact same flaws for companies that experience large-scale breaches or organizations that want to understand what types of exposures they have, and these are symptomatic of a much larger problem.
I'm not alone. This time around, I wanted to engage some of our many highly talented folks in the INFOSEC community to derive their own opinion completely by themselves and without influence or bias. I asked for help, and the community answered in a big and epic way. I engaged Ed Skoudis, Kevin Mitnick, Chris Nickerson, Eric Smith, Chris Gates, John Strand, and Kevin Johnson to share the research of others as well as myself and Scott White from TrustedSec what we had. I have a high respect for these individuals not only for their expertise, but also the amount of talent they have at understanding technical security issues. I worked with each of them and signed a mutual NDA to not disclose the exposures that have already been reported. I asked that they simply give their professional opinion on what they thought of the exposures and if they think best practices were followed on the healthcare.gov website. The results were unanimous and unified - its bad.
You can download a signed copy of each of their statements here
I want to thank the folks that helped and all of the others who share the view, and those that don't. The purpose here isn't to just single out healthcare.gov. This is a much larger problem in the federal and state levels of the government. We need broad and sweeping changes right now, this day, this time to make a difference. A government that focuses on security will inherently provide a much better service while protecting the information that needs protecting. I'm proposing multiple changes, one is a federal level breach disclosure law that tackles all areas of the federal government. If a breach occurs of PII, the United States should know about it. The second, focus on better security integration in contractors and within the federal government. End-to-end testing, continual improvements and monitoring. </p>
<p>Next, a blurb from Alex Hutton, a government entity that focuses on a more governance structure on protecting its own. A CDC for INFOSEC. These types of changes must be widespread in the government and work as a collective in doing things with security in mind. We have the ability now to change it, and the backing of the community to do things the right way. Help support us, help support the initiative, and lets make some changes.
You can download my full written testimony here.
A special thanks to Ed Skoudis, Kevin Mitnick, Chris Nickerson, Eric Smith, Chris Gates, John Strand, and Kevin Johnson for their time, effort, and noble cause. There are so many other talented individuals in this industry, I wish I could have included everyone.