>the government's approach to cybersecurity has been 100% offense.
I also read your other comment that you posted in the comment
>This is a serious problem, not only from the problems of intelligence agencies with many powers and poor oversight; ignoring defense is going to bite a lot of people in bad ways. We are already seeing the beginnings of this with the escalating impact computer-based attacks are having on their victims.
I agree. Yes, it's embarrassing, and they keep claiming "Do more Penetration Testing, more Vulnerability Scanning, more Risk assessment." Nobody even knows what the hell that even means and we're still getting breached! The biggest mistake we've made is to claim, "a great offense is always the best defense."
We should be doing Security Compliance aka Defense in Depth! But everybody seems to think Defense in Depth is somehow different from Security Compliance.
>Defense in Depth is when multiple layers of security controls are placed throughout a critical environment. It is a layering tactic, conceived by the National Security Agency (NSA) as a comprehensive approach to information and electronic security.
If they actually went through the diligence of conforming with the security controls (ISO 27002, FEDRAMP, NIST 800-53) that they defined (much like financial compliance conforms to policies, standards, or laws), they'd be in a much more comprehensive shape. Even PCI-DSS...just replace the word cardholder data with sensitive data and you have more defense than whatever snake-oil Security Risk Plan is out there.
"Defense in Depth" is always important. The article I linked to above[2] about how it's incredibly stupid to try to enumerate badness (aka "default permit") has in its list other stupid excuses we hear all the time:
"We don't need a firewall, we have good host security"
"We don't need host security, we have a good firewall"
I bet the people that say that kind of nonsense have a lock on their server room door even after hiring a guard that watches the building's main entrance.
This kind of practical defense isn't the only thing we've been skipping. We need a lot more basic research into how to secure modern technology. We need a design culture that isn't building features that require insecurity.
It is limiting to think of this problem as a "cybersecurity" problem. These same technologies will create problems in all areas of life, so we need a lot more education about what capabilities exist and how they can be used. We need to be teaching people - from a very young age - what happens to your {meta,}data in a world with permanent data storage and powerful machine learning analysis. We need this education "yesterday", as these problems are not theoretical anymore[5].
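The "enumerate badness" point and the two "we don't need X, we have Y" excuses above, as an added example that is not part of any comment in this thread: a tiny policy evaluator that contrasts a default-permit denylist with a default-deny allowlist, then stacks an independent host-level control on top. All hostnames, ports and process names are constructed for the demo.

```python
"""Default permit (enumerate badness) vs. default deny, and why two
independent layers beat either alone.  All sample values are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    process: str   # program opening the connection
    port: int
    host: str


# Layer 1a, default permit: a denylist of ports someone once thought dangerous.
KNOWN_BAD_PORTS = {23, 445, 3389}


def firewall_default_permit(e: Event) -> bool:
    """Allows anything not on the bad list; unknown traffic passes by default."""
    return e.port not in KNOWN_BAD_PORTS


# Layer 1b, default deny: only enumerated (port, host) destinations are allowed.
EGRESS_ALLOW = {(443, "api.example.internal"), (53, "dns.example.internal")}


def firewall_default_deny(e: Event) -> bool:
    return (e.port, e.host) in EGRESS_ALLOW


# Layer 2, host control: which processes may open network sockets at all.
PROCESS_ALLOW = {"svc-api", "systemd-resolved"}


def host_default_deny(e: Event) -> bool:
    return e.process in PROCESS_ALLOW


def decide(e: Event, network_policy) -> bool:
    """Defense in depth: every layer must independently say yes."""
    return network_policy(e) and host_default_deny(e)


SAMPLE = [  # constructed traffic
    Event("svc-api", 443, "api.example.internal"),      # legitimate
    Event("svc-api", 3389, "desk.example.internal"),    # on the denylist
    Event("updater.exe", 8443, "unknown.example.net"),  # never seen before
    Event("updater.exe", 443, "api.example.internal"),  # right host, wrong process
]


def outcomes(events=SAMPLE):
    return {
        "permit_only": [firewall_default_permit(e) for e in events],
        "deny_only": [firewall_default_deny(e) for e in events],
        "layered": [decide(e, firewall_default_deny) for e in events],
    }
```

The third event slips the denylist because nobody enumerated it, and the fourth slips the network allowlist entirely; only the layered decision stops both.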
We're working on something in this vein -- https://www.trycryptomove.com -- our technology does security via continuous concealment. Actively defends against insider attacks and catastrophic breaches, because the attacker can't even identify the data.
We've gotten two types of reactions: (1) we get it, layered security, defense in depth; (2) solution in search of a problem, we have good host security, we have a good firewall, legacy data-at-rest security is good enough. Thankfully far more of #1 than #2, but it's telling about an organization's approach to security.
I champion for compliance =).