Saturday, November 21, 2009

The SANS Institute sez: NSA Helping to Harden Operating Systems

--
I'm kind of surprised to read this blurb from the latest edition of the SANS NewsBites newsletter (Vol. 11 Num 92):
--NSA Helping to Harden Operating Systems

(November 7, 18 & 19, 2009)

In testimony before the Senate Subcommittee on Terrorism and Homeland Security, National Security Agency (NSA) information assurance director Richard Schaeffer said that his agency helped Microsoft harden Windows 7 and that it is also helping Apple, Sun Microsystems, and Red Hat with similar endeavors. The NSA's involvement in the development process has led to speculation that backdoors will be built into the software to allow communications monitoring and interception. The NSA refutes those claims and says it is helping develop security guidelines and checklists. Schaeffer also said that agencies can protect their systems against 80 percent of known cyber attacks by following three steps: implementing best security practices, configuring networks properly, and monitoring networks effectively.

http://www.theregister.co.uk/2009/11/19/nsa_enhanced_windows7_security/

http://www.computerworld.com/s/article/9141105/NSA_helped_with_Windows_7_development

http://www.h-online.com/security/news/item/NSA-helps-Apple-Sun-and-Red-Hat-harden-their-systems-863889.html

http://fcw.com/Articles/2009/11/17/NSA-3-steps--better-cybersecurity.aspx

[Editor's Note (Pescatore): Ah, conspiracy theories. NSA and other government agencies have been involved in developing "gold" configuration definitions for standard software and network hardware products for a long time, along with the IT industry. Hardening in this case means better configuration and minimization of unneeded services.]

You can subscribe to the SANS newsletters HERE.

My concern about this news:

If the NSA is so good at hardening operating system security, and good at protecting their systems from 80% of known cyber attacks, how come the US federal government computer system has been PWNed by China and other countries every year since 1998, including 2009?

Read THIS list from the Center for Strategic & International Studies and have a heart attack. Included on the list are:

February 2009 - US Federal Aviation Administration hacked.

March 2009 - US federal computer containing plans for the new presidential helicopter hacked.

April 2009 - The revelation that the US power grid had been hacked.

May 2009 - US Homeland Security Information Network hacked.

So where was the NSA during all this? And the NSA has what skills to offer Microsoft, Apple, Sun and Red Hat? Just asking.

More likely the NSA is supplying their experiences in security FAILure, such as sharing what hacking methods were successful against federal computers during their watch. Just saying.

You know I'm itching to point out that switching to a proven secure operating system is always helpful. For example, why are the feds still using Windows?! It boggles my mind. Windows is dead last on the list of secure operating systems. The top 3 are still:

- OpenBSD
- FreeBSD
- Mac OS X (which incorporates BSD Unix)

But I'm just some layman guy with a few science degrees and some decades of computer experience who rants about the ridiculous state of computer security in my country.
(o_0)

--