Steele and Arnold: Cyber Security Hand Waving
December 15, 2020
On December 14, 2020, Robert David Steele, a former CIA professional, and I discussed security hand waving. You can view the short video at this link. My principal contribution was the identification of three types of organizations which have institutionalized security vulnerabilities. These are:
- Colleges and universities hiring instructors and other faculty without probing their backgrounds. No peer reviewed papers and a recommendation from a friend are not enough.
- University exchange programs in which students participate in multi-national research activities. Many of these programs include on-campus visits, international travel, and significant information access. No significant vetting of these participants is conducted. These programs flourish near some interesting US government facilities; for example, Oak Ridge National Labs in Tennessee.
- Intern programs in the US government, although some state governments have similar setups. These interns are pressed into duty for Web page maintenance, programming, and fixing broken software. Security checks do take place, but are these sufficiently rigorous when an intern is allegedly updating a Web page at the Railway Retirement Board or a similar entity?
Bad actors can easily gain access to useful information. There’s more in the video. I do mention FireEye’s recent security issue, but my interpretation is quite different from the marketing and legal rah-rah about the tiny little glitch. Take a peek, because I continue to question the efficacy of the in-place security in many organizations. How easy is it to penetrate an organization? I provide three examples of methods which remain popular despite the sharp increase in companies selling solutions to lock down unauthorized access.
Stephen E Arnold, December 15, 2020