DEF CON, welcome. Okay, I'm James Kirk. No, I'm not, but he is. Is James Kirk here? So, let's see who we've got. Alright, so I am James Kirk. I am the captain. So I'll be giving a talk today on defense industrial base controls. It's basically how classified systems are used in defense contracting companies. So, I have to put this disclaimer in because I've already been catching a little bit of flak. So I'm going to tell you what this presentation is and isn't. There's nothing classified in the presentation. Everything that's in it has been obtained through a Freedom of Information Act request or is publicly available on the Internet. But the FOIA requests do take a long time, so I've done everybody the favor of including everything that I have in this presentation as PDFs on the DVD. So you don't have to go hunting or filing your own FOIA requests. I'm also not giving any vital secrets to help the evil terrorists. You know, we don't want al-Qaeda to get in there. And the data we're talking about is purely collateral classified information. So in the classified world, there are three different types of classified information. There's collateral, which is basic confidential, secret and top secret information. There's also information called SAP, which is a special access program. And that's things like the stealth fighter program, things that are so super secret that there's only a small number of people who know about them. And those are sometimes exempt from even congressional oversight. So that means that not even Congress knows what these defense contractors are working on. And the last type is SCI. It's sensitive compartmented information. And this is mainly intelligence information. So things like that are under the oversight of the Director of National Intelligence, or DNI. So none of the security control gaps or deficiencies identified are classified.
And, you know, just to clear the air, there are a bunch of different requirements out there for protecting collateral information. This is specifically for contractors. In the Department of Defense, the NSA, and the different departments throughout the government, it's completely siloed. So in the DOD world, everybody uses DIACAP. And, you know, if you go to NSA, there are going to be different requirements there. So this is purely information that's derived from an agency called the Defense Security Service. So, a little background on who I am. Well, my name is James Kirk. I'm currently a senior security consultant for Rapid7. But this talk is solely my own opinion, and it doesn't represent the company at all. I have to put that disclaimer out there, of course. I used to be a special agent for the Defense Security Service. I was with the agency for a year and eight months before I just couldn't take it anymore. So this topic is mainly going to be about the DSS: how they implement controls, how they develop them, and some of the major flaws in their security controls. Now, unfortunately, it's going to take me a little while to get there. So I hope you guys hold out. It's just because I want to give some background. A lot of people aren't familiar with how classified controls are put in place, how they're developed, and how they're enforced. And, you know, I'm a firm believer that people should know, I mean, especially if you're a U.S. citizen, and there are a lot of people who aren't in this audience. But if you are, you should really care about how our country protects what they consider, you know, the most secret information. Lastly, I want to go through, you know, the structure of the agency and some of the federal standards that are in use in the other agencies. So how are these controls developed, or what enforces them? So there's a group called the NISP, and it's, I don't want to say it's kind of incestuous, but it is.
So the NISP is actually run by the U.S. government. That's the National Industrial Security Program. But the NISPPAC are the people who have the influence in it. And so you have multiple agencies, 16 representatives from defense contractor companies, and one representative from the DSS. So you have these 16 guys who have a vested interest in what these security controls are. So if you're, you know, I'm not going to name names, but if you're one of the biggest defense contractors in the industry, am I going to say I want the toughest security controls in place? That's going to cost me, you know, two billion dollars next year to implement. Or am I going to have the most lax security controls? And, you know, it's not going to cost me anything. So it's a very vested interest. So, you know, I don't think it's good to have such a dominance of defense contractors in place when you only have one representative from the DSS. And lastly, the NISPPAC and the NISP work together and they develop a document called the NISPOM, which is the National Industrial Security Program Operating Manual. And this document is the Bible for how controls are put in place. And the last time this document was updated was 2005. So, not really keeping track of changes in security controls. So, starting with the structure of the agency, there are four main directorates: IS, which is industrial security; CI, which is counterintelligence; DISCO; and CDSE. So if you have worked in the classified world before and you have a security clearance and you're not in the government, you most likely got your security clearance through DISCO. That's what most people know about DSS: hey, they did my security clearance, they did my background check. That's who they are. Well, the funny thing is it's only a small percentage of what they do. CI is just how it sounds. They do counterintelligence.
If a defense contractor gets hacked or if there's a foreign agency that's trying to target that company, a counterintelligence group will go out there and interview them. I've got some slides at the end of the presentation that go over some of the information that has been aggregated from counterintelligence. And industrial security is the primary portion of the agency. They're the ones that do the inspections of contractors. And so ODAA is a subgroup of industrial security. It's called the Office of the Designated Approving Authority. And these are the guys that handle just the computer systems that process classified information. There are four regionally dispersed DAAs. These are designated approving authorities. And these are GS-15s. And if you know anything about military equivalents, they're the equivalent of a colonel or a captain in the Navy. And so they're pretty, I mean, they carry a lot of authority. And they're the ones who derive the security controls based upon where your company is in the country. So it's the west coast, the southern part of the United States, the east coast, and then the capital region. The agency is run by a few SESs. These are senior executives that are appointed by the Under Secretary of Defense. And so the main thing I'm trying to get at here is that the DSS is ultimately responsible for enforcing everything that's in the NISPOM. And so if you're a defense contractor and you're processing classified information, the DSS is going to have oversight of your company. So how does a company process classified information? It goes through a certification and accreditation program. And so when I worked at the agency, basically what would happen is a contractor would say, okay, we want to stand up, based upon our contract, you know, 50 or 100, let's say, secret systems. And so what they do is they fill out this, you know, 15-page document. They click on a couple things and they send the document to me. I have 28 days to review it. I look at it.
I mean, I can't tell if they're lying or not because I'm not validating anything. I'm just looking at what they put in there and making sure that they've signed it, that it's correct. And then I send the document up to my boss, who approves it. And he doesn't review it, he just makes sure that I have all the appropriate documentation sent to him. So after it's approved, the contractor can then start processing secret information, or whatever level they've asked for, for up to six months without any oversight, no validation that they have security controls in place. It's just based upon their trustworthiness. And then they can ask for an extension and get another 180 days. But usually we have to look at them between six months and a year. And when I'm working with a company, I'm only working with one person who's been designated as the information system security manager. And this can be, I actually have seen it a few times where this guy graduated with a master's in business, worked at Enterprise Rent-A-Car for a year, and now he's been appointed the ISSM. He has no security experience, doesn't know anything about information security. And he's the person who's ultimately in charge of, in this case, a Fortune 500 company running, you know, thousands of connected computers doing top secret information. I don't know why, but that's the way it is. I don't get to choose who they pick. But the only thing that stops that is there's a regulation in the NISPOM that says they have to be trained to a level commensurate with the company, or with the level of the information system. And that's so ambiguous that you can never really enforce it unless they do something, you know, disastrous. Then we can say, well, you're an idiot, so find someone else. So my role was an ISSP, information system security professional. During that six-month period, we schedule an onsite visit with the company.
And so, you know, I e-mail back and forth to say, hey, what's a good time? And we go out to do a visit. Now, this is for the accreditation portion. And this is within the six-month period; we go out and I spend maybe a couple hours with the company. And we don't have any tools to do the evaluation. We're not allowed to run tools on the contractor's systems. So all I can do is ask them to click through things and show me that it's configured correctly. And, you know, it's based on a simple checklist that says a password is in place, passwords are X characters, et cetera. As for applications, we don't really care what applications are installed on the system. We don't care what patch level the applications are at. It's a pretty generic accreditation. So after I do that, I do some more paperwork again, and I send it to my boss and he says, hey, they're good to operate for three years. So, okay. Then, so these companies, even if they're not processing on computer systems, they're still subject to an annual inspection. That's where we go out and check, make sure that the people who have access to the classified information in the safes actually have clearances. So we now add the systems on as part of their annual inspection. So it might be two months from now, I'll go back out there again and do their annual inspection. And this is a lot different than the accreditation. This is when I go in and we just basically tear apart the company. We open up all the safes, all the drawers. We have basically unfettered access to anybody who might have access to that classified information or the systems. And that's where it was a little more fun, because then you go in and you sometimes just get to tear apart the company. And so if we find any discrepancies there, then we fail the company or give them a lower rating. I'll go into that. So, this is a little out of place here, but what I'll do is go over the security controls first.
So these are the security controls that companies are required to implement. And starting with Linux, I kid you not, this is straight from the source. I have the reference here. These are the only requirements that they must implement that are specific to Linux. So if you have experience with Linux, I hope you understand that this is not sufficient. So when I first got to the agency, I knew this already as a contractor. I was kind of on a mission; when I got to the agency I was like, well, the security controls are crap for Linux at least. And so I'm going to try to work to implement some better controls. So my partner and I within the agency, we spent about seven months when I got there developing security controls for Solaris 10 and Red Hat 5. And these were supposed to cover both the Unix and Linux variations. We put some generic remarks in there so that if it was Solaris-specific they could implement it, but if it was just basic Unix they could implement it as well. This document ended up being about 156 pages. And it sounds like a lot, but it was mainly, I mean, we're talking about Enterprise Rent-A-Car people here. So it's like, click on this button, type this command in. So you have to really baby-step people through it, because if we ask them to implement something that they can't, our agency gets blamed. So when I was talking about the NISPOM being the Bible document, that is very true. But as you see, the reference says ISL. And so the agency at any time can issue a thing called an industrial security letter. And these clarify sections in the NISPOM. And in their attempt to, well, the NISPOM didn't address anything in Linux at all. And so they came up with this ISL in 2007 saying, we're going to make sure that we protect Linux appropriately. And so here are the really important things you need to protect. You need to turn auditing on. So here we go. And then in 2009 they decided to clarify more. And that will be on the next slide.
And in 2009 they came out with another ISL that I thought would cover Linux, but instead it just covered Windows. I guess they're assuming that every defense contractor purely uses Windows, but that's actually the exact opposite. So I did a quick comparison here. I hope it came out okay on the screens. But DISA, this is another agency in the government. It's called the Defense Information Systems Agency. They actually come out with controls for things like SIPRNet or the NSA net or FBI net. These are really, I think they're pretty secure. I mean, as you can see, they cover a lot of different things. I've done a quick comparison between what the STIGs call for and what the NISPOM and ISLs cover. So we don't cover discretionary access controls at all. We don't care if you use privileged commands. We don't care if you print things. We don't care if you take the system. And we don't care if security personnel do anything either. And so it's kind of funny to me because some of these things are the things that we should care about the most. Because if I'm processing classified information in the company, I'm not caring about some ninja trying to sneak in and break through a secure room. We have locks on all the rooms. We have motion sensors in the rooms. These are all requirements. And I can't recall a time when someone actually broke into a classified room and stole stuff. What we care about is the insider threat: the disgruntled employee, or some foreign nation person who's been infiltrating the company and is on a mission to steal stuff inside. And the only way that's going to happen is if we're tracking and auditing people printing stuff off or exporting the media. And I'm going to get into it at the end, but this is a perfect example of the WikiLeaks thing. Whether you're for or against it, this guy was easily able to take a CD and burn stuff all day long.
With the WikiLeaks thing, the Army did fix the controls: they turned off USB storage, they turned off all exporting to media, and they audit everything now. But the DSS did not agree with that. They said it would cost the contractors too much money. One second here, sorry. So in 2009, like I said, they came out with Windows baseline standards. This was a similar size to the document I wrote, about 150 pages. It came out as a document called the Standardization of Baseline Technical Security Configurations. It's a long, stupid name, but basically it says this is how you configure Windows. Here's the thing, though. I mean, a lot of companies have fought this because the NISPOM is the only document they have to follow. And the baseline standards clearly say in the front of the book that this process manual is not directive in nature. It just says that if you want to get approved in a timely manner, you have to follow the document. But what if I'm a company and I don't want to get approved in a timely manner? If I just don't give a shit, well, then, you know, you don't really have to follow the document. And then lastly, in 2011, they actually worked on a document that modeled the NIST 800-53 standards. And it does pretty well. I mean, NIST is also what the STIGs are based on. So I thought they did quite well with that. However, it doesn't matter when these documents came out. If you were approved in 2009, you don't have to update until your next accreditation date, which is three years. So you can still run unsecured for three years, in my opinion. Of course, Linux is still left out. I guess they still think those seven different things are the be-all and end-all of Linux controls. One of the major changes in the June 2011 one was they've moved to 14-character passwords finally, which has been a standard in place for quite a while with NIST. However, the NISPOM still overrides that because it says they have to use eight-character passwords.
When I worked at the agency, I got fought on that all the time. They finally addressed patching. So in the past, you never had to patch your applications. It wasn't required. And now it just says that if the ISSM, which is your Enterprise Rent-A-Car guy, thinks there might be vulnerabilities resulting from software, they have to patch it. Now, it says expeditiously. But as a special agent going to do an inspection, what does that mean? I mean, how do I hold a company to an expeditious timeline? It's not really fair to the company. And it's definitely not fair to the agency, because that's not an enforceable standard. They also sort of addressed USB drives. They said that they must be tracked and accounted for. What that means, again, is up to interpretation. And they should be disabled if possible. And that is an unenforceable action as well, because all the company has to say is, we run USB keyboards. Okay? Well, cool. You don't have to use USB drives. But oddly enough, there's an item called DIBNet. If a company's been hacked, they report this information through a system called DIBNet. That's if they're a big contractor; no one cares about the small ones. So only if you're one of the big five are you part of DIBNet. And so if you do have a DIBNet console, you are required to have USB storage disabled. Now, why that matters between a system on DIBNet and one that's not? There doesn't seem to be anybody who can tell me the answer to why. From a risk standpoint, I'd like to know why. I do know why. It's DC3, and they do care; they don't want people using USB storage devices on their system. So. And the other things that are major changes are successful log-ons, et cetera. They kind of went into more of what the auditing capabilities are. The last one is security seals. And I kind of find this funny because of the big tamper-evident contests every year.
They have to be approved tamper-proof seals that are pre-numbered. Now, I can tell you, internally there is no approved list. So what an approved tamper-proof seal is, I don't know. We just go out there, and if there's a number on it, I've seen people put a marker number on it. Cool. Works for me. And so when you process, you're supposed to make sure no one's put a, you know, key logger in your keyboard. And then you just look for the tamper seal. Okay, so how do these controls even get developed? I mean, who says that, you know, they have to expeditiously patch systems? Well, I can tell you, there's a GS-14 who works at the agency headquarters who used to work for a defense contractor. And I would say he's quite intelligent, and he's a GS-14. But he just thinks shit up. Like, that sounds cool. So he puts it in the document and sends it out to 24 different federal agencies and they either give it a yes or no. And if they don't answer, it's approved. And then they issue this document out, and here we go. So I mentioned earlier that my friend and I developed this document. We sent it to this guy and we also sent it to a GS-15, the head of the ODAA. And the answer was thanks but no thanks. Like, they just didn't want it. They didn't want to deal with it. They said that they had sent out a previous document that was, I kid you not, a copy and paste from Oracle on how to implement Solaris. It was just a copy and paste from their implementation guide. And the 24 federal agencies, now this is an honest thing: if you know Linux really well and you want to work for the government, you will get hired. Because within the entire agency I worked for, there were only four guys who could do a Linux inspection at a company that has primarily Linux systems. And so when we sent this document out, two of the four guys were the only ones who could review it. So it didn't get reviewed.
They sent it to the agencies and the agencies said, we don't understand what to do with this, and so we're not going to say yes or no. So the agency that I worked for said, we're just going to pass. So there are going to be no Linux standards yet. Okay, so when they're developing the security controls and they're saying, well, how do we test these before we say a defense contractor has to use them? I mean, how do we know that we're not going to break their systems, you know, just by thinking shit up? Well, we use a lab environment which consists of a laptop from 2006, a hub, and another laptop from 2006. And when I first got this lab environment, it had Windows on it and I didn't have access to the BIOS, and I couldn't install Linux unless we just popped the motherboard out and reset it. But that's basically what they have at headquarters as well. So honestly, the test resources are limited, and one of the biggest complaints about the agency is that the controls aren't developed. So back in 2009 when they first came out with this huge document on how to implement Windows, basically the people who actually followed the document line by line ended up locking their systems out. Because it makes them turn on "shut down system if unable to audit," which is a good setting, except that they also turn on an auditing feature that logs like 10,000 audits in like two minutes. So as soon as they turn it on, it shuts down the system. Hey man, it's the federal government, what can I say? I'm sorry, I'm not trying to make this into a bash-the-federal-government thing. I mean, the whole point of this is, I just want them to adapt. There are great security controls out there. You know, if they just used them it would work fine. So how does enforcement get done? It's through a credentialed special agent; it's through the 0080s, which are the guys who do the physical security, and there are also the 2210s, which is what I was, IT specialists.
So when you get onboarded, they do a phone interview and they say you're hired. And the phone interview was about 10 questions. The one question that referenced Linux was how do I show running processes? And then I was a certified Linux guy. And so, you know, not to offend the guys that are, you know, actual real special agents. These special agents, they don't carry guns, they have no law enforcement authority, they just carry a badge, and the most we can do is throw it at somebody. So the only cool thing was I got an undercover car; when you get pulled over, it's registered to the attorney general of the state of Texas, so it's kind of fun. So for training, they onboard you and they send you to the DSS academy. And you're like, sweet, I'm a special agent, I'm going to go to the academy and run around with the FBI. Because it is at Quantico. But you get there and it's a two-week course and they teach you how to do an inspection. Which is basically getting on a ladder and looking around in the ceiling to make sure no one's hiding up there. And I'm like, okay, so when are we getting to the computer side? I mean, I'm an IT guy, I'm not here to do physical security inspections. Like, oh, it's coming, it's coming next week. Okay, so go through the first week, cool. I'm now certified to do physical inspections. Second week they're like, okay, so here's how to do a computer inspection. They put a Windows PC connected to a hub with another Windows PC and they give us a checklist that checks to make sure that you can log in and that there's a password, and now I'm certified to do PC inspections. They call them peer-to-peer LANs. And so I raised the question, because I used to work for one of the big defense contractors. I said, well, what about like a 5000-node WAN? I mean, we had that at my company. Oh well, you know, that's just OJT. So, well, I work in Texas in an office by myself, so how much OJT do I get? Now, I already knew how to do the work.
You know, rhetorical questions to see what their answer was. And they don't have one. And that's the extent of the training. And the thing is that this training is to encompass both the 0080s and the 2210s. So you have these guys who have never touched a computer doing inspections. These people that are actually physical security specialists are now doing computer inspections. They're the experts out there certifying systems. And so these are the job requirements to be a GS-13 in the agency, which is actually quite a high and highly paid position. There are no Linux requirements, as you can see. I'm stuck on this Linux thing because it gets under my skin. But you don't have to have much experience at all. And the people that are interviewing for these positions, basically if you have a CISSP you're hired. Because the people within the agency have such a hard time getting terminated. So if you have your CISSP you're golden. Because it's an 8570 IA Level 3 position. Alright, so what happens during an inspection? I kind of went over it a little. When we go in, it depends on the size of the company; there are a few different sizes. There are AAs, which would be like a company that makes airplanes. And they have a huge, I mean, they're building strike fighters. Well, I'm not going to name names, but these are big facilities. So we have like seven guys that do IT inspections there. And sometimes it's complex. They put the guys with the best skill sets on the portions of the inspections that they're good at. I always get stuck doing Linux and network controls like firewalls. So, partners with industry. So this is kind of a new term that happened since I got there. Now, if you remember with the oil rig out in the Gulf of Mexico, the Minerals Management Service was responsible for doing the inspections of these oil rigs. But they're kind of incestuous as well with the oil companies. It was very lax oversight. Not very strict controls.
Sometimes they didn't do the inspections. And they were partnering with them because we want to make sure that they make money. And so that's the same thing. When I got to the agency, before, it was always, they're a compliance oversight agency. We have to hold, you know, the company to a standard. Well, when I got there, there were a lot of complaints that defense contractors thought we were being too hard on them and we weren't letting them make enough money. So, we had to partner with them now. And so what does partnering with industry mean? It's another ambiguous term. All I know is that I had a GS-15 inspection at a big organization, and before we could give them the daily findings that we found, we had to review them with a GS-15. And I had two different findings, just as an example: auditing not being done. They have to review audits weekly. And passwords weren't complex enough. And he's like, well, why can't we combine those findings into the same one? So, well, they're not the same thing. But because the inspections are scored, if they get 15 findings, for example, then they might fail. So, if we only give them 10, then they're good. And we don't want to fail one of the big five contractors. And so, if you're not compliant, and I've actually done a few failures, then it's noted in the security log; if they get enough findings, then we give them a marginal or an unsat rating. A marginal just means they have to do a reinspection. And if they fail it again, then they go unsat. And if they're unsat, they get two inspections to fix it. And if they don't, then I think their contracts get suspended for a certain amount of time. All I know is that I went to a location and they had a top secret. It's called CNWDI, critical nuclear weapons data. It was a document that contained basically all of the missile silos that are hidden, that are secret, in the United States. And it was in a filing cabinet. And so, we're like, okay.
So, we take the document and move it to the Air Force base and secure it in a SCIF. And the director of that company had already called the director of my agency and was pissed off about it. I guess they thought a filing cabinet was appropriate storage for a top secret document. And, I mean, if you're not familiar with it, top secret documents have to be stored in a room, within a safe, and the safe has to be alarmed. So, here are some common vulnerabilities that are actually pulled from the DSS website that are found. Not auditing is the top one, which is kind of funny. Not reporting classified compromises. That's great. Poor safe combination security. Processing on unaccredited systems. This is great. We go to a company and they have systems that are just like, you know, fuck it, let's process classified on it. And we go there, and it used to be we would shut them down. We would take the hard drives and put them in the safe and make sure they didn't use them. It's a good idea to submit that document. We can't tell them when they have to submit it, but they should submit a document for accreditation as soon as possible. Okay, so an overview of some of the inadequate controls that are in Windows. Patching, like I said, is very ambiguous. And I mean, if the system's not patched, I can't tell them to patch it. I just have to tell them that they should expeditiously patch the system. Okay. USB, that's how stuff gets taken off the system. Virtual environments. If you're running VMware or, you know, any other virtual system, excuse me, there are no security requirements for it. Do whatever you want. UAC, you know, with Windows 7 and Vista, not addressed at all. Classified data is not audited. That's another thing that bugs me. I mean, I don't care if you click on, you know, I don't know, I don't care about the system. I just care if you're taking classified data off the system.
Training is another one that bugs me: we're not required to have these guys, you know, sufficiently trained. I think that there should be a firm training requirement for the ISSMs, and it shouldn't be a person from Enterprise. So for Linux, honestly, there are just too many to list. I kind of did an overview here. The problem is there's a lack of expertise in the government. You know, if you drive down I-35 in Texas, you'll see signs everywhere. They say, know Linux? We'll hire you. This is a good thing to learn; if you're not familiar with Linux or you don't feel comfortable with it, there are job opportunities out there all over the United States. The bottom one is kind of funny. I went to a company and they didn't have auditing. They fought me on it, and I was told that nowhere in the documentation does it say that they have to have the audit.rules file configured. So they don't have to have any auditing flags. So they're not going to audit anything, and it's not a requirement. So the same issues that affect Windows affect Linux: patching, USB, virtual environments, and tamper controls. Like I said, there are no approved tamper controls. So there are no approved tamper seals. So they can use whatever they want. I've seen people use, like, not tape, but kind of laminated stuff, and then they put a number on it, and that works. Okay, so I'm kind of moving through this pretty quick here. So the whole point, I think, is if you do work in this world, you know, I'm not trying to bash the companies. I'm not trying to bash the agencies. But the point is that I think there should be a partnership. There shouldn't be this term of partnering with industry. There should be a real partnership where, if the government won't come out with controls, you need to not stick your head in the sand and have an ostrich effect. You shouldn't say, well, they didn't tell us that we had to have 14-character passwords on Linux systems, so we're not going to implement it.
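As an added example (not from the talk, and not DSS or any contractor's tooling), here is a shell script a defender could use to spot-check a Linux host for three of the controls the speaker says DSS guidance never pinned down for Linux: an actual audit.rules configuration, USB mass storage disabled, and the 14-character password minimum. The file paths are the usual Linux locations; the rule contents and the weak/hardened sample trees are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the talk, DSS, or any contractor): read-only checks
# of a Linux host for three controls the speaker says DSS guidance never
# pinned down for Linux. Every function takes a path, so the checks run
# against the constructed sample trees built below as well as against a
# live system ("report /").

# Count active audit rules: lines starting with -w (file watch) or -a (syscall
# rule). Comments, blanks, -D and -b do not count. Hosts that use augenrules
# keep their rules in /etc/audit/rules.d/*.rules; check those too.
audit_rule_count() {
    [ -r "$1" ] || { echo 0; return 0; }
    grep -cE '^[[:space:]]*-(w|a)[[:space:]]' "$1" || true
}

# Classify usb-storage handling from the *.conf files in a modprobe.d dir:
#   blocked     - "install usb-storage /bin/true": the module cannot load
#   blacklisted - "blacklist usb-storage": no autoload, but an explicit
#                 modprobe still loads it, so this alone is not "disabled"
#   enabled     - nothing found
usb_storage_status() {
    confs=$(cat "$1"/*.conf 2>/dev/null) || confs=""
    if printf '%s\n' "$confs" | grep -qE '^[[:space:]]*install[[:space:]]+usb[-_]storage[[:space:]]+/bin/(true|false)'; then
        echo blocked
    elif printf '%s\n' "$confs" | grep -qE '^[[:space:]]*blacklist[[:space:]]+usb[-_]storage'; then
        echo blacklisted
    else
        echo enabled
    fi
}

# Effective minimum password length: the larger of PASS_MIN_LEN in login.defs
# and minlen in pwquality.conf; 0 when neither file sets one.
min_password_length() {
    a=0; b=0
    [ -r "$1" ] && a=$(awk '$1 == "PASS_MIN_LEN" { v = $2 } END { print v + 0 }' "$1")
    [ -r "$2" ] && b=$(awk -F= '/^[[:space:]]*minlen[[:space:]]*=/ { gsub(/[[:space:]]/, "", $2); v = $2 } END { print v + 0 }' "$2")
    if [ "$a" -ge "$b" ]; then echo "$a"; else echo "$b"; fi
}

# Print PASS/FAIL per control for the tree rooted at $1; return the number of
# failed controls (0 means all three pass).
report() {
    root="$1"; failed=0
    rules="$root/etc/audit/audit.rules"
    if [ "$(audit_rule_count "$rules")" -gt 0 ]; then
        echo "PASS  auditing: $(audit_rule_count "$rules") active audit rules"
    else
        echo "FAIL  auditing: no -w/-a rules in $rules"; failed=$((failed + 1))
    fi
    status=$(usb_storage_status "$root/etc/modprobe.d")
    if [ "$status" = blocked ]; then
        echo "PASS  usb-storage: module load blocked"
    else
        echo "FAIL  usb-storage: $status"; failed=$((failed + 1))
    fi
    len=$(min_password_length "$root/etc/login.defs" "$root/etc/security/pwquality.conf")
    if [ "$len" -ge 14 ]; then
        echo "PASS  password minimum length: $len"
    else
        echo "FAIL  password minimum length: $len (need 14)"; failed=$((failed + 1))
    fi
    return "$failed"
}

# Build a constructed sample tree under $1. "weak" mirrors the gaps the talk
# describes (empty audit.rules, USB left enabled, 8-character passwords);
# "hardened" is the corrected form.
make_sample_config() {
    root="$1"
    mkdir -p "$root/etc/audit" "$root/etc/modprobe.d" "$root/etc/security"
    if [ "$2" = hardened ]; then
        cat > "$root/etc/audit/audit.rules" <<'EOF'
# constructed sample: privileged-command use and media export
-D
-w /etc/sudoers -p wa -k privileged
-a always,exit -F arch=b64 -S execve -F euid=0 -k privileged
-w /media -p wa -k media_export
EOF
        echo 'install usb-storage /bin/true' > "$root/etc/modprobe.d/usb-storage.conf"
        printf 'PASS_MIN_LEN 14\nPASS_MAX_DAYS 90\n' > "$root/etc/login.defs"
        printf 'minlen = 14\n' > "$root/etc/security/pwquality.conf"
    else
        printf '# no rules configured\n-D\n' > "$root/etc/audit/audit.rules"
        : > "$root/etc/modprobe.d/placeholder.conf"
        printf 'PASS_MIN_LEN 8\n' > "$root/etc/login.defs"
        printf '# minlen = 8\n' > "$root/etc/security/pwquality.conf"
    fi
}

# Stand-alone demo: evaluate the weak and hardened samples (no live files).
tmp=$(mktemp -d)
for profile in weak hardened; do
    make_sample_config "$tmp/$profile" "$profile"
    echo "== $profile sample =="
    report "$tmp/$profile" || true
done
rm -rf "$tmp"
```

Running `report /` as root evaluates the live host without modifying anything; a "blacklisted" USB result is the case to watch for, since it looks disabled but is not.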
Well, that's just a crap answer. I mean, if you really are implementing the security controls and you have the experience, I think it's your responsibility to make sure in the absence of security controls. And, you know, with the government, you know, help them sorry to say, you have to help them develop the controls. Me giving this talk is not going to make them come out with a Linux document tomorrow. It'd be nice if it did, but I don't think it's going to happen. So, why does this talk matter? So whether you believe it or not, there are real governments out there, nation states and even people that are targeting the U.S. technologies. And so I've actually taken, this is the counterintelligence group within the agency is fantastic. And the only downside to counterintelligence agency is that now if the NSA detects that your company's been hacked, the counterintelligence agency or counterintelligence group will go out there and talk to you about it. And so will a representative that was like me. Except we can't tell you who hacked you. We can't tell you what they hacked it. You've just been hacked. Sweet. So, here's some actual real data of what this is for East Asia and Pacific. If this was a classified briefing, I could give you the real countries, but it's not. So we have to be generic here. Just, you know, put it on a map. This was for FY09. So from October 2009 to October 2010. And seeing as a direct request, these are people who are like, hey, send me some classified shit. Doesn't work so well. But solicitation is seeking employment. Now this is only 6%. And I think it goes up in the next slide. But what they're doing is they're sending these resumes out and they're like, well I'd like a job and work in a classified world. And sometimes you have the HR people who are like, well I don't know where they're from. Excuse me. So I hire them on. They do a background check. And hopefully DSS sees that they're from China and that they're not using China's. 
I'm using China's again. But it can be anywhere, you know, where they have people that work for part of the PLA or work for the Kremlin and they're being paid to infiltrate a company and steal the classified information. And so that's what the seeking employment is. Suspicious Internet activity? I honestly don't know what that is. But I guess it's probing the network outside network. So now it's great that it's a suspicious network activity I guess is going up. It's where they're actually massively targeting the company. I guess seeking employment did go down. I think that's because a lot of the times when they do get hired on Disco does a pretty good job of weaning out potential infiltrators and they just deny them clearance. Conference and trade shows. There's a lot of there's a lot of defense contractor trade shows where they fly to France and they try to steal airplanes. And so there's a lot of foreign nations that go out there and target these. So this is for Near East and this is FY09. So employment's quite large there. Direct requests and then here employment's gone down academic solicitation. This is interesting where we've gotten a lot of suspicious reports where a there's a professor. We used to do inspections at we do inspections at big like universities do a lot of research for the government. It's actually pretty cutting edge and so you have guys that are like, hey I'd like to come to your school or I'd like to do a research project with you and they miss Billy Guy's name. It's like a Nigerian email scam sometimes. But they're trying to work with this guy who's working on a classified project. This is for Europe and Eurasia and then this is FY10. And then this is South and Central Asia and then FY10 as well. So South and Central Asia they have a higher percentage for solicitation to seek employment. 
Now when I first did this talk I didn't think I'd be in track one so I actually brought the book with me to share because there's more information in it but it's actually quite a large room so if afterwards you would like to see some more information on it I'll be in the QA room and I can actually let you take a look at the document where this is derived from. So wrap up and I hopefully have some time for questions in here as well. So why the talk, right? So like I said the talk's not meant to bash the agency, it's not meant to bash the companies but I think honestly the federal government's been kind of not necessarily federal government, I'll say the DSS has been remiss in developing appropriate security controls to protect classified information in multiple areas and I don't want to say that it's primarily because of money but it really is and what happens is when we when we start developing new documents like the new NISPOM is coming out I believe in 2013 is you have 16 representatives from different contractor companies that are they're the ones who get to you know they're the ones who get to help draft this NISPOM and so it's you know like I said in the beginning is it their best interest to develop the most hardened security controls that are going to cost them most money and hire the most technical people to implement or are they going to go for lax controls that allows them to just be willing to with implementation and hiring people from enterprise so you know that's I think that's why I mean this is my personal opinion too so you know you can think whatever you want of it and I also think like I said in the beginning that it's important if you are a citizen to know how they're implemented and I mean because ultimately this is your data right I mean the federal government should work for us not the other way around and you know I have to put some buzzwords out there too so stuck set in flame right so these are malware that we now know that have been 
developed by the U.S. government with in conjunction of other countries and how are those how are those put in place well I mean you have to have like these systems are not available on the internet they're not but you have to have an insider that puts this malware on the systems and I mean what's stopping that from happening here there's nothing there's absolutely nothing stopping people from coming in an insider and putting you know malicious malware on our systems and harvesting data now I'm not saying that security controls will stop it but at least at least to help audit it it'll tell us what happened or it'll slow them down and you know we can stop you know we can stop you know like I said you know either forward against it I think that some of the information that's been released is good but you know a lot of the information is I mean it's classified for a reason so I think sometimes the government overclassifies stuff but you know anyways I do have all my references in the document too available on the CD or the DVD and you know I guess if anybody has any questions I'd definitely like to answer some uh oh do we have one here I'll give it a shot sweet so I've worked on government projects of various sorts and one of the things that's frustrated me is that between the NIST guidance and the DISA guidance and the NIST Palm stuff not only are the guidance for auditing kind of not great the tools suck and there's no decent way of creating a good build a known good build do you think there's a lot of room for that do you think that the industry would respond if you said alright here's a kickstart for Red Hat Linux 5 or 6 that that builds it secure and go with that well I can definitely answer that so back in actually about two years ago they came out with this it's called a NIST tool and it's supposed to work quite well it configures your system for you and you're good to go but it only works on windows of course but that's another tangent but anyways what 
happened was we went to I didn't go but it was part of another inspection at a large defense contractor and the guy accidentally hit configure instead of verify like the DSS guy this is when they let us use tools on systems to automate and help our inspection process so hit configure instead of you know inspect and so reconfigured their system and totally destroyed it and so that was the last time we were ever allowed to use tools or put them out so the answer to that is I don't work with the agency anymore so I'm not sure but I would say no thanks so have you heard so have you seen difference between different security systems security agencies between levels of security as example like at least in the middle of the picture between like someone like CIA versus FBI okay so um it's so the to be honest the FBI is like they don't like to play well with others like they do their own thing so they have their own requirements now DISA and the NSA do work together on items called STIGs and so you can just google DISA STIG and it has configuration requirements configuration settings for almost any device any system any operating system these guys have a huge well I know yeah I don't to some extent they use generics but they uh like they've done they've done a lot of testing with them they work really well the problem with is that they just they're afraid to use DISA STIGs because they're really harsh requirements we say they like the agency is the DSS okay and the actual their official answer is that we are we're using the national industrial security program operating manual we are not the Department of Defense so we're talking about like the corporations so they're a national entity not a federal entity so I think it's a crap answer thank you hey thanks for coming out here and giving us talk I totally appreciate it so your recruiting speech has been amazing knowing that their bar for employment is so low and their pay is so high I had a couple of questions related to 
that taking a look at the job listings first off are they hiring in the bay area are they paying and third off how much actual experience do they have because I have a friend who's not technical at all that ran out of a job they could use one so it's kind of a self centered question so that's pretty much what I'm asking well I applied so I applied to a company I applied to the DSS in February I never heard anything back so I applied to another defense contractor and got hired on in almost nine months later I finally got back and I said okay whatever so actually for GS13 the starting pay is 81 or actually it's probably 82,000 now which I mean I'm saying high so I mean this is for government position pretty good benefits in the bay area it's probably going to pay around 95 and you just got about like six to nine month lead time but I'm sure they're hiring actually when I checked the job postings yesterday before I updated my slides they didn't have any positions opening but the 2210s are considered critical fill so they're they're going to be hiring all over the agency I guess excellent thank you very much yeah go for it yes what well I told them I wasn't going to move unless they paid for it so they paid for me but most of them are no PCS so I was going to say feel your pain I know it's like starting the support group for people like us meets in the bar after all the talks I'm in but I just want to comment you know the diet cap process is written by and for bureaucrats a lot of times you know it's just paper drill and they say oh well we'll accept all these risk because we just want to make it work and you know see it time and time again and CNA packages really are nothing more than telling adversaries how to get into your system I know and so DSS their answer to taking the CNA packages off they took them off the internet because they said well we don't want our adversaries to know about them then why the hell can I request them through a FOIA request an adversary 
who really wants to get into an agency into a company is not going to do a FOIA request well let's just ignore it you got one yeah actually I just wanted to say I can't believe you just dropped the bomb that is a feel the pain oh my gosh that's amazing talk I just want to say I couldn't help but get the feeling here are you trying to ask DEF CON to do something for you is there a hidden message or something you know I was told there might be some guys from the agency here so I mean if they are in the audience it's not like I said it's not a bash on you but you got to do something about it I mean it's shit thanks everybody for coming