01 Dec 15

DHS Giving Firms Free Penetration Tests

The U.S. Department of Homeland Security (DHS) has been quietly launching stealthy cyber attacks against a range of private U.S. companies — mostly banks and energy firms. These digital intrusion attempts, commissioned in advance by the private sector targets themselves, are part of a little-known program at DHS designed to help “critical infrastructure” companies shore up their computer and network defenses against real-world adversaries. And it’s all free of charge (well, on the U.S. taxpayer’s dime).

Organizations participating in DHS's "Cyber Hygiene" vulnerability scans. Source: DHS

KrebsOnSecurity first learned about DHS’s National Cybersecurity Assessment and Technical Services (NCATS) program after hearing from a risk manager at a small financial institution in the eastern United States. The manager was comparing the free services offered by NCATS with private sector offerings and was seeking my opinion. I asked around to a number of otherwise clueful sources who had no idea this DHS program even existed.

DHS declined requests for an interview about NCATS, but the agency has published some information about the program. According to DHS, the NCATS program offers full-scope penetration testing capabilities in the form of two separate programs: a “Risk and Vulnerability Assessment,” (RVA) and a “Cyber Hygiene” evaluation. Both are designed to help the partner organization better understand how external systems and infrastructure appear to potential attackers.

“The Department of Homeland Security (DHS) works closely with public and private sector partners to strengthen the security and resilience of their systems against evolving threats in cyberspace,” DHS spokesperson Sy Lee wrote in an email response to an interview request. “The National Cybersecurity Assessments and Technical Services (NCATS) team focuses on proactively engaging with federal, state, local, tribal, territorial and private sector stakeholders to assist them in improving their cybersecurity posture, limit exposure to risks and threats, and reduce rates of exploitation. As part of this effort, the NCATS team offers cybersecurity services such as red team and penetration testing and vulnerability scanning at no cost.”

The RVA program reportedly scans the target’s operating systems, databases, and Web applications for known vulnerabilities, and then tests to see if any of the weaknesses found can be used to successfully compromise the target’s systems. In addition, RVA program participants receive scans for rogue wireless devices, and their employees are tested with “social engineering” attempts to see how employees respond to targeted phishing attacks.

The Cyber Hygiene program — which is currently mandatory for agencies in the federal civilian executive branch but optional for private sector and state, local and tribal stakeholders — includes both internal and external vulnerability and Web application scanning.

The reports show detailed information about the organization’s vulnerabilities, including suggested steps to mitigate the flaws.  DHS uses the aggregate information from each client and creates a yearly non-attributable report. The FY14 End of Year report created with data from the Cyber Hygiene and RVA program is here (PDF).

Among the findings in that report, which drew information from more than 100 engagements last year:

-Manual testing was required to identify 67 percent of the RVA vulnerability findings (as opposed to off-the-shelf, automated vulnerability scans);

-More than 50 percent of the total 344 vulnerabilities found during the scans last year earned a severity rating of “high” (40 percent) or “critical” (13 percent).

-RVA phishing emails resulted in a click rate of 25 percent.

Data from NCATS FY 2014 Report.

ANALYSIS

I was curious to know how many private sector companies had taken DHS up on its rather generous offers, since these services can be quite expensive if conducted by private companies. In response to questions from this author, DHS said that in Fiscal Year 2015 NCATS provided support to 53 private sector partners. According to data provided by DHS, the majority of the program’s private sector participation comes from the energy and financial services industries — with the latter typically at regional or smaller institutions such as credit unions.

DHS has taken its lumps over the years for not doing enough to get its own cybersecurity house in order, let alone helping industry fix its problems. In light of the agency’s past cybersecurity foibles, the NCATS program on the surface would seem like a concrete step toward blunting those criticisms.

I wondered how someone in the penetration testing industry would feel about the government throwing its free services into the ring. Dave Aitel is chief technology officer at Immunity Inc., a Miami Beach, Fla. based security firm that offers many of the same services NCATS bundles in its product.

Aitel said one of the major benefits for DHS in offering NCATS is that it can use the program to learn about real-world vulnerabilities in critical infrastructure companies.

“DHS is a big player in the ‘regulation’ policy area, and the last thing we need is an uninformed DHS that has little technical expertise in the areas that penetration testing covers,” Aitel said. “The more DHS understands about the realities of information security on the ground – the more it treats American companies as their customers – the better and less impactful their policy recommendations will be. We always say that Offense is the professor of Defense, and in this case, without having gone on the offense DHS would be helpless to suggest remedies to critical infrastructure companies.”

Of course, the downsides are that sometimes you get what you pay for, and the NCATS offering raises some interesting questions, Aitel said.

“Even if the DHS team doing the work is great, part of the value of an expensive penetration test is that companies feel obligated to follow the recommendations and improve their security,” he said. “Does the data found by a DHS testing team affect a company’s SEC liabilities in any way? What if the Government gets access to customer data during a penetration test – what legal ramifications does that have? This is a common event and pre-CISPA it may carry significant liability.”

As far as the potential legal ramifications of any mistakes DHS may or may not make in its assessments, the acceptance letter (PDF) that all NCATS customers must sign says DHS provides no warranties of any kind related to the free services. The rules of engagement letter from DHS further lays out ground rules and specifics of the NCATS testing services.

Aitel, a former research scientist at the National Security Agency (NSA), raised another issue: Any vulnerabilities found anywhere within the government — for example, in a piece of third party software — are supposed to go to the NSA for triage, and sometimes the NSA is later able to use those vulnerabilities in clandestine cyber offensive operations.

But what about previously unknown vulnerabilities found by DHS examiners?

“This may be less of an issue when DHS uses a third party team, but if they use a DHS team, and they find a bug in Microsoft IIS (Web server), that’s not going to the customer – that’s going to the NSA,” Aitel said.

And then there are potential legal issues with the government competing with private industry.

Alan Paller, director of research at the SANS Institute, a Bethesda, Md. based security training group, isn’t so much concerned about the government competing with the private sector for security audits. But he said DHS is giving away something big with its free assessments: An excuse for the leadership at scanned organizations for not doing anything after the assessment and using the results as a way to actually spend less on security.

“The NCATS program could be an excellent service that does a lot of good but it isn’t,” Paller said. “The problem is that it measures only a very limited subset of the vulnerability space but comes with a gold plated get out of jail free card: ‘The US government came and checked us.’ They say they are doing it only for organizations that cannot afford commercial assessments, but they often go to organizations that have deep enough pockets.”

According to Paller, despite what the NCATS documents say, the testers do not do active penetration tasks against the network. Rather, he said, they are constrained by their rules of engagement.

“Mostly they do architectural assessments and traffic analysis,” he said. “They get a big packet capture and they baseline and profile and do some protocol analysis (wireless).”

Paller said the sort of network architecture review offered by DHS’s scans can only tell you so much, and that the folks doing it do not have deep experience with one of the more arcane aspects of critical infrastructure systems: Industrial control systems of the sort that might be present in an energy firm that turns to NCATS for its cybersecurity assessment.

“In general the architectural reviews are done by younger folks with little real world experience,” Paller said. “The big problem is that the customer is not fully briefed on the limitations of what is being done in their assessment and testing.”

Does your organization have experience with NCATS assessments? Are you part of a critical infrastructure company that might use these services? Would you? Sound off in the comments below.

75 comments

  1. What makes anyone think that NCATS will not keep some important security flaws to themselves, you know, just so that they can break in any time they want…. exactly like certain other government agencies are doing who are falsely claiming to be helping? (cough, CERT and TOR)

    • I dunno, don’t hens enjoy it when the foxes guard the hen house anyway? They sure seem to in this country. Oh Mr President, please make sure we don’t get a hangnail, never mind if you keep amputating to make sure of that…

  2. Hi, I’m from the government and I’m here to penetrate you… 😉

  3. DHS / ICS-CERT reports how many and what type of assessments they perform in ICS world in the ICS-CERT Monitor newsletter. For example in Sept/Oct they performed 6 Design Architecture Reviews (DAR) and 5 Network Architecture Verification and Validation (NAVV) assessments.

    They even break it down by sector.

    • I’m with Paller on this – besides the fact that so many embarrassing breaches happen to the US government, that they need to clean up their own neighborhood before professing to help US firms.

  4. Last May, the Bank of England (BoE) launched something called CBEST to assist financial institutions in discovering network weaknesses.

    The difference is it’s neither free nor cheap, and private companies perform the tasks.

    I can’t see any of the banks not participating since they all answer to BoE in some way.

  5. I work for a community sized bank in the midwest and have been having them scan my network since July. Weekly they are providing me a report of what they are detecting. We are also scanning our network ourselves, as well as having other 3rd parties do it.

    I look at it as another set of eyes looking at my network. I know I have various criminals scanning my network daily, and I have a limited staff, so someone telling me what they find weekly, helps me keep our customers money safer.

    Is it perfect, no. It’s just one more tool I am using.

    [Tinfoil hat On]
    And honestly do you not think they are already doing it?
    [Tinfoil hat off]

    • Dennis – How long did it take from your initial inquiry to your first engagement?
      As someone said, it’s one more way to identify and check what you have. It may not be a perfect concept but for many of us I am sure the extra help is beneficial.

      And thank you Brian for the article as well.

      • They did a presentation to the community banks/credit unions of the FS-ISAC and I emailed them right afterwards. I had my 1st report in 3-4 weeks from the initial conversation.

        • I would have thought you could buy a UTM service for a fairly cheap price that would give you almost the same information, with monthly reports in your inbox. That is how our local bank does it – however they don’t always know what to do with the information, as they have no IT security staff. They were going to hire me, but since I don’t bank with them, they dropped the offer. I have a feeling this is typical of many home town banks.

        • I inquired and had information in my hand by end of day. Very quick turn around on this, thank you.

  6. On the competition with government issue, these are assessments only. The public sector can followup with security fixes as needed.

    However, it’s a good point that you get what you pay for. Some charges might be advisable.

  7. I have been encouraging the water sector to conduct the DHS CSET analysis, followed up by this program within our state for some time now. Many vulnerabilities within ICS/SCADA.

    I would encourage anyone within the 16 critical infrastructure sectors to contact the DHS Protective Security Advisor for their state and begin a dialogue about having a physical security survey inspection, then take advantage of the cyber protection services available through the CSET and this program.

    The DHS CSET tool is free to download.

    • Off-Topic, but IMO the SCADA / ICS security issue is unfix-able, but fully mitigate-able, it is only because there is no real way to monetize attacks on these systems that they aren’t bigger targets outside of terror type groups and /some/ corp espionage. The problem is that all of those systems were designed and many built, LONG before security was a concern, and were always designed to be closed systems without any external access. The biggest failure is that these systems have not been properly segmented from other networks. You can have all the benefits of bringing these systems into your network, and still secure them by sealing them off and putting in extra controls to gain access to that segment of the network. Unfortunately, I don’t think security in these systems is going to become priority until AFTER a major attack – just like credit card security and payment systems has only become such a focus since the Target and other attacks.

  8. I was the primary lawyer that oversaw the major program expansion and the private sector launch for this. I wrote the Rules of Engagement, substantially redrafted the Services Catalogue, and substantially redrafted the Cyber Hygiene Letter. During Heartbleed, we went from 47 participants to 120+ practically overnight, thanks to Secretary Johnson’s leadership. NCATS has continued to expand at a rapid rate since then, held back only because of limited funding for personnel and resources. DHS leadership and Congress have been looking at how to ensure availability of this service for important national security reasons, not because it is intended in any way to compete with private sector offerings.

    Dave Aitel’s comments are wrong-headed and reflect his commercial interest – local water treatment plants typically can’t afford his company’s services, but the cybersecurity of such critical infrastructure still has a national security impact that the NCATS team is helping to support. The services aren’t available only based on need, but this is a consideration. Section 9 list entities are also a major focus. And, during incidents, NCATS is often deployed before federal government incident response/hunt teams to survey the network landscape and better plan a rapid and thorough response to a cyber attack. This is a capacity that must be maintained.

    NCATS isn’t turning zero-day finds over to the NSA. Cyber Hygiene is a basic service that scans public-facing IP space remotely for the top ten KNOWN critical vulnerabilities, which by definition, are not zero-days. For many if not most Risk and Vulnerability Assessments under the Rules of Engagement, NCATS keeps raw data on-site and destroys it at the end of the engagement. De-identified findings get rolled up into the annual report cited in the article. Privacy and security are taken very seriously at every step of the process, and at all levels of leadership.

    Paller misses the mark as well. It’s not a “get out of jail free” card. It’s a way for the government to be involved in improving private sector cybersecurity in a narrowly focused way that is not heavy-handed regulation, which the private sector has vigorously opposed. Reports explicitly clarify exactly what was and what was not assessed, which is entirely the choice of the voluntary program participants. Where necessary and appropriate, NCATS involves ICS-CERT or others for additional expertise.

    The NCATS team fills a critical niche that is needed for national security reasons. This article does well to highlight their efforts, but additional background research would have provided a more informed and balanced view of this DHS cybersecurity program.

    • Thanks for sharing your perspective, Allison.

    • I have no doubt that you believe every thing you stated, and that all of it was true in the spirit of starting the program, but if our government has proven anything, it is that they can’t keep their grubby hands out of new data streams and providing “services” for covert reasons. That /may/ not be the case, but IMO, that is a when, not an if.

      But the koolaid does sound yummy!! 🙂

  9. The big fact is the “mafia” in on top of everything in control of the Internet, and the Pres. protects them nationally! You won’t see an arrest.

    Constitutional restraints fails our ability to seek out computer threats to most things that protects us.

    Sincerely

    RPB

  10. As some of the others have said, huh? The government doing something for its customers? Don’t tell the republicans, it will be shorted and defunded out of existence. And, like someone previously said, they are doing it anyway. Yes, they are in competition, with Google, and Microsoft, on collection of data. But with all the bots and spiders on the web, who isn’t? But a report on your vulnerabilities? Incomplete. But interesting. But companies competing against best practices espoused by the IT guys? Sounds as if some more seminars are needed after college graduations for further specialization.

    • This is my personal opinion but if it originates with the obama regime there is probably an ulterior motive. They are evil personified and no good can come of their “help”. Buyer Beware!

  11. I know the team at the NCATS and they have several security experts with several decades of security behind them. I also know they do provide active penetration tests, using exploits and elevate to gain Domain Admin and other rights on the business networks. I am not sure where AP became such an expert on a program he doesn’t know about.

  12. I work for a community credit union and recently learned of the DHS program. I will be signing up for the NCATs assessment service soon.

    I think like Dennis – another set of eyes on my network isn’t a bad thing. I’ve also been in this business long enough to realize that you get what you pay for and results from a “free” assessment may be limited.

    Finally, I would never dream of using NCATs as our only tool for pen testing. We utilize a decent mix of third party testing and audits, internal tools and a MSSP.

  13. I have a real problem with the government using tax payer money to help out multi-million or billion dollar companies.

  14. We were offered an engagement but we did not accept it due to the agreement that we would have to sign that said the results would be shared. We did not want to share this data with anyone we did not have an NDA with. The program was intensive and involved an onsite engagement, it looked pretty thorough to me.

    The funny thing about the article is the guy from SANS, they have been living off the government for years. The cost of their training has increased to a ridiculous amount given the fact that it is outdated the day you take it. They resemble a scam company, check out Mr Hawaii and his wife who run it. Several colleagues “worked” for SANS and received a voucher to sit in on training developed by yet other “workers” who sit in on other sessions. The class materials while useful are priced at a cost only tax payers can afford to subsidize. Lots of government employees take these classes each year.

    Sorry could not resist the temptation to point out the clear irony.

  15. “Good enough for government work” likely holds true here. As a person who does pentests and security assessments daily across all verticals I would warn people that they get what they pay for. I would suggest the government get their own stuff under control before they start offering free vulnerability assessments. How did that work out for Office of Personnel Management?

    • “Good enough for government work” used to be words of praise, given for the very best work. Times seem to have changed, so that it refers to work that barely clears a rather low bar.

      • Words of praise Mike? How many decades ago was that? I was in the Navy in the early 90’s and we were already using the phrase to describe half-assed work that barely met the requirements. But thanks for the good laugh 😉

        • Being currently involved in govt contracts I can tell you that lowest price technically acceptable (“LPTA”) type of bids are only going to lower the quality of the government and military in the US. God forbid we get what’s Best but rather the cheapest.

    • Well, DHS has 2 programs, 1 is a basic Nessus scan of your public facing IP addresses. This is what I have them do for us. I use it to determine if someone in IT makes changes I didn’t approve or if a new vulnerability is detected, so we can address it. We do not have the people/time to do this weekly ourselves. I personally do this type of scan monthly, and we have a true pen test done at least annually by a 3rd party.

      They also have more of a pen test where they bring folks onsite for a week or 2, and you can pick and choose what you have them do. Because of resources, it is limited the number of engagements they do annually.

      Personally I do not see the 1st program as replacing any 3rd party, just filling in some of the gaps between 3rd party engagements.

      If someone is thinking they can do this instead of hiring you and your firm, they will be sadly disappointed. These programs, to me, are ON TOP OF a security engagement, and not a replacement.

  16. Great clarification of the word free!
    You acknowledged that it’s on the taxpayer’s dime!
    …Seriously, thanks for pointing it out, no one does these days.

  17. itsmeitsmeitsddp

    Very informative article. Three of the links all point to the Acceptance letter pdf and not the intended links I think.

  18. It’s actually a great opportunity for small businesses.

    First, you start with the DHS program, which indicates a number of mild vulnerabilities, common misconfigurations, and a whole bunch of other stuff a high schooler could probably find. Then you fix all that stuff.

    Then, you hire a real security outfit to come in and do a real penetration test. That allows you to pay your high-priced security company for detailed work and analysis, instead of paying them $1000 an hour to copy CVA reports from their Nessus scans into your final report.

  19. Sorry but I totally agree with Alan Paller and Dave Aitel about this program. Just another huge government intrusion and expansion operation before 2016 rolls around.

    1) Companies are compelled to do nothing with the results leading to a false sense of security and waste of taxpayer dollars.
    2) Paid with taxpayer dollars = not “free”
    3) Free/”Free” services cannot compete with paid services that have a vested interest in performance, customer service and reputation at stake.
    4) Blatant expansion of government into private sector.
    5) Blatant expansion of DHS into areas I’m not even going to go into.

  20. Fair article. Krebs missed the DHS program to begin with…. Duh, yes, best use of tax payer dollars with regard to cyber. How many states offer a similar program for local governments who maintain plenty of PII / HIPAA data but don’t employ a CISO, let alone have the funds available to pay for annual risk assessments?

    DHS has figured out a way to provide a much needed service without Federal regulations or the unhelpful hand of a badly broken down congress. That is the use of a magic wand I don’t see very often but I like it. I like the concept and as a beneficiary of the program I like that too!

    I appreciated the thoughtful comments. But, the critiques can go pound sand. OH, that would be hard to do since they already have their heads buried in it!

  21. Run NESSUS against yourself. Cost = free.
    Run metasploit framework against yourself. Cost = free.
    Get educated about yourself. Cost = priceless.

    • That’s easy advice to give, not so easy if you don’t have a dedicated security person. Even if a small biz designated someone as a security officer, what confidence would you have in their ability to run a nessus scan, or metasploit, with no prior experience?

      None.

      • Love it when people respond with the stupid “download and use Nessus and scan yourself and get educated” … all well and fine if you 1. Know what you’re looking at, 2. Have the time to tweak and work with Nessus to filter out F/Ps, 3. Have time to pull yourself away from your other business requirements. Nessus is just as much an art form as it is a tech tool – mom and pops ILIT and financial operations may be great crunching numbers in Excel, keeping up with regulations and texting on their iPhones, but go blank eye when Nessus tells them they have cross-site scripting issues due to a temporary scrap hash file their web portal’s SFTP module generates.

  22. This program strikes me as corporate welfare for a select subset of privileged campaign donors.

  23. These assessments are part of an overall strategy to help critical infrastructure holders understand their vulnerabilities and work to mitigate them. Their front line job is to provide a service to our citizens, water, electricity, transportation — and their budgets are not infinite.
    I cannot thank Allison Bender enough for speaking up. The biggest issue for our supply chain are those who are not taking the cyber threats seriously — this includes the front-line worker to the senior executives. Executives don’t want to spend the money and workers don’t realize what clicking on that link to buy shoes on sale will do for the intruders. The other challenge is that “cyber security” simply means constant vigilance — there is no “state of secure” and if you are targeted by hackers, they most likely will get in. They’ve done it at Lockheed, Raytheon, you name it, and those are some of the firms that have spent the most money on “cyber security” out there. How are smaller enterprises supposed to manage that?

    InfraGard’s purpose is to share information so others in critical infrastructure sectors can share information on everything from cyber intrusions to that weirdo in the parking lot so they are not the victims of the next mass shooting or that their facility is not compromised cutting off a critical lifeline in our society. We work closely with DHS and the network of Protective Service Advisors http://www.dhs.gov/protective-security-advisors that work with their communities to help share information and help businesses and citizens protect themselves and their communities. Only through building trusted relationships and working together will we mitigate and build our immunity to the consequences of these attacks.

    • Ha ha great comment, reminds me of the guy in our parking lot from Infragard/FBI who “tested” our wifi for us, He was dating the IT security gal. Later they got married. Gotta love Infragard and those great FBI guys…..

  24. Fantastic article Brian. Judging by the comments it seems a lot of small businesses are taking advantage of this service (which only identifies vulnerabilities it seems) and often they still do private industry afterwards.

    Considering how owned our companies are here in the U.S. and how bad it would be for someone to do more than just grab credit card numbers…this seems like a good voluntary program small businesses can make use of. JMHO….

  25. Jacob, Veteran and Cyber Security Guy

    I have worked in the military, with the FBI and for the Air Force and can say with 100% certainty that the people who take up the mantle of protecting our country take their job very seriously. The Government believe it or not has the Nation’s best interests in mind, so the fact that they are offering this service to try and better secure our corporations and infrastructure suppliers makes sense. The taxpayer pays taxes in the hopes that they will be used for making the country better or keeping it running, and this is an absolutely great way to do both. Thank you Allison and Kristina for providing sane and informed opinions on this topic, and thank you Brian for bringing this type of program to people’s attention.

    The missteps the Government sometimes makes are almost always because they are rushing to try and solve a problem. We the people demand immediate action from them and without proper planning we can sometimes make miscalculations or fail to identify the real problem. An initiative like this allows the Government to gather statistical and useful data on our nation’s cyber-readiness and allows them to make planned and well-thought out decisions in the future. It also has the benefit of educating and aiding the recipients of the free services which in turn helps all of us. Other countries can force their businesses and infrastructure to comply, but here our Government is providing assistance and training and hoping that we will be smart enough to use it. Love it.

    • I have to admit, it is the best thing I’ve heard of from the government ever since they said they were going to install a “Cyber-security Czar” – If that ever happened.

      So despite my skepticism, I’m glad they are doing SOMETHING about the problem! (finally) – even a half baked effort is more than 100% of what WAS getting done!

  26. Good article. A suggestion: Present the comments to a well-regarded PhD program so the nutcases can be appropriately tracked down and correctly categorized. The density of apparently serious nutcases and their effect on our national interests needs genuine understanding – not shouting and invective.

  27. Brian,

    I know your reluctance to wade into this area of reporting, and your reasons are sound. That said, if we ask CEOs to elevate infosec to c-level importance, it will fall on deaf ears if we don’t address public policy as well.

    Some observations:

    Infosec folks who start with an ideological basis are doing themselves a disservice, as they limit their solutions to those that fit their bias. Allison Bender addresses this in a less pointed way (understandable given constraints). I will remind folks again that an event’s likelihood and consequences do not depend on our ideology. If we all decide the sun rises in the west, that does not make the sun rise in the west. So I caution the ideology folks that their compass needle is stuck.

    Economically, one thing to look at is whether displacement is happening. That is, is government crowding out private industry. Given the growth seen, on the surface it does not appear so. It is worth noting that various agencies have long provided similar services. For example, the US Coast Guard has a program for courtesy inspections. Yet marine surveyors and tow services seem to do really well, particularly as they can focus on profitable areas.

    This brings us back to ideology…specifically whether the free market works for cyber security. First, those that are min government argue that the free market does a better job..in other words they subscribe to the efficient market hypothesis (perhaps without realizing it). However it is well established that markets go up, and down, often outside of fundamentals. And some components just do not respond to free market supply demand equilibrium, particularly when the risks and rewards are moved from the primary participants. For example, hacker gains, grandma loses, and at worst company goes bankrupt vs company gains, grandma is exploited by company instead of hacker, and company CEO retires rich.

  28. (continued)

    Thus those that are projecting a solution based on their ideology are not allowing for solutions that may work.

    Now, a critical note about NCATS. To the extent companies protect their assets, all is fine, however in the aggregate, it pushes event risk to customers. For example, a bank that sends a monthly “your statement is ready” email with a link is setting up grandma for phishing. Thus, unless NCATS also addresses the shift to the soft targets, we are not simply scattering the haystacks and distributing risk, we are also increasing risk. E.g. moving money from one safe with a good lock to two safes with cheesy locks. And this becomes troublesome because the more homogenous systems become (all standard OS, etc.) the more those supposedly scattered haystacks end up in one virtual pile. Scattering haystacks is the right idea, scattering haystacks to softer targets a bad idea.

    And lastly, it must be noted that unless testing looks at unnecessary data, it can at best only address half the problem. Here we risk seeming to endorse collecting unnecessary data and storing it forever. I would love to see scale/size be part of the infosec mindset. Otherwise we simply push events to be less frequent but larger. Too many companies still ignore that a small chance on an infinite timeline is certain to occur.

    In my opinion, when we ignore time and size we limit what security can accomplish.

  29. Brian, some excellent comments, but I think you should sub out the moderating task.

  30. Here are attacks worldwide.

    http://map.norsecorp.com/