<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
		>
<channel>
	<title>Comments on: Cyber Attacks on Supply Chain Systems</title>
	<atom:link href="http://defensetech.org/2009/04/15/cyber-attacks-on-supply-chain-systems/feed/" rel="self" type="application/rss+xml" />
	<link>http://defensetech.org/2009/04/15/cyber-attacks-on-supply-chain-systems/</link>
	<description>The Future of the Military, Law Enforcement and National Security</description>
	<lastBuildDate>Sat, 26 May 2012 03:26:46 +0000</lastBuildDate>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
	<item>
		<title>By: The Cenobyte</title>
		<link>http://defensetech.org/2009/04/15/cyber-attacks-on-supply-chain-systems/#comment-87186</link>
		<dc:creator>The Cenobyte</dc:creator>
		<pubDate>Fri, 17 Apr 2009 13:11:08 +0000</pubDate>
		<guid isPermaLink="false">http://deftech.usmilblog.com/?p=4447#comment-87186</guid>
		<description>Ptsfp is the only guy here that really hit the nail on the head with security issues. Most security issues are internal. Either employees hacking or giving information to those that will (either via social eng or with knowledge what they are doing is wrong). I am not going to say that the company I work for never has issues, it&#039;s just that as far as we can tell none of our network security issues have ever come from the outside. Remember that the only server completely safe from network attacks is the one you left unplugged.
Now if what you are saying is the rest of the world is not spending the time and money on security and I have my head in a hole with my &#039;huge&#039; budget then let me apologize (I have been here a very long time), but I can tell you from my point of view, the people we work with, the companies we have merged with have always been pretty good about security.
As to the company I work for, we made money last year, and will make money again this year, and as much as I would like to take credit for that, I keep the NOC and DMZ secure not run the bank.
</description>
		<content:encoded><![CDATA[<p>Ptsfp is the only guy here that really hit the nail on the head with security issues. Most security issues are internal. Either employees hacking or giving information to those that will (either via social eng or with knowledge what they are doing is wrong). I am not going to say that the company I work for never has issues, it’s just that as far as we can tell none of our network security issues have ever come from the outside. Remember that the only server completely safe from network attacks is the one you left unplugged.<br />
Now if what you are saying is the rest of the world is not spending the time and money on security and I have my head in a hole with my ‘huge’ budget then let me apologize (I have been here a very long time), but I can tell you from my point of view, the people we work with, the companies we have merged with have always been pretty good about security.<br />
As to the company I work for, we made money last year, and will make money again this year, and as much as I would like to take credit for that, I keep the NOC and DMZ secure not run the bank.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Oblat</title>
		<link>http://defensetech.org/2009/04/15/cyber-attacks-on-supply-chain-systems/#comment-87185</link>
		<dc:creator>Oblat</dc:creator>
		<pubDate>Fri, 17 Apr 2009 12:22:26 +0000</pubDate>
		<guid isPermaLink="false">http://deftech.usmilblog.com/?p=4447#comment-87185</guid>
		<description>Now the sharks are just searching for new markets to peddle their fear, because
the utility industry is just laughing at them. So it&#039;s on to supply chain management.
The reality is that people aren&#039;t dying, money isn&#039;t vanishing and wars aren&#039;t being lost because
of cyber anything. Where are the facts on the damage being done? Let&#039;s see a single death, a
single bank taken down by cyber attack a single battle lost due to cyber attack.
There are none - because this is just trying to create a market using fear uncertainty and doubt.
It&#039;s the oldest scam in the consultant&#039;s book it&#039;s just that now the snake oil salesmen are trying to
wrap it up as a national security issue. That the DoD gives air time to these people just shows how
rotten the system is
Meanwhile ordinary credit card fraud is going through the roof, but hey you don&#039;t want to fix that problem
that&#039;s a real problem that requires real solutions. Snake oil doesn&#039;t work on real problems.
</description>
		<content:encoded><![CDATA[<p>Now the sharks are just searching for new markets to peddle their fear, because<br />
the utility industry is just laughing at them. So it’s on to supply chain management.<br />
The reality is that people aren’t dying, money isn’t vanishing and wars aren’t being lost because<br />
of cyber anything. Where are the facts on the damage being done? Let’s see a single death, a<br />
single bank taken down by cyber attack a single battle lost due to cyber attack.<br />
There are none — because this is just trying to create a market using fear uncertainty and doubt.<br />
It’s the oldest scam in the consultant’s book it’s just that now the snake oil salesmen are trying to<br />
wrap it up as a national security issue. That the DoD gives air time to these people just shows how<br />
rotten the system is<br />
Meanwhile ordinary credit card fraud is going through the roof, but hey you don’t want to fix that problem<br />
that’s a real problem that requires real solutions. Snake oil doesn’t work on real problems.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Ptsfp</title>
		<link>http://defensetech.org/2009/04/15/cyber-attacks-on-supply-chain-systems/#comment-87183</link>
		<dc:creator>Ptsfp</dc:creator>
		<pubDate>Fri, 17 Apr 2009 03:16:09 +0000</pubDate>
		<guid isPermaLink="false">http://deftech.usmilblog.com/?p=4447#comment-87183</guid>
		<description>Yeah, the arrogance of large system server guys is brain numbing.
The arrogance is like the politicians who are pro gun control, when they live in large cities with a complete security system in their home, armed body guards, and where police are just 30 seconds away if something happens. They just can&#039;t understand why the average Joe who lives out in the country, 30 minutes away from police would want a gun for home protection.
There are so many holes in a network that it is very hard to close them all. Just pick up a server 2003 how-to book, it has more pages than a Bible, and fewer pictures too.
As I have said before, security guys usually secure systems with check lists, group policies and auto patching software. They are very linear thinkers, if the box has been checked, rarely do they go back and double check it. Hackers on the other hand think out of the box.
As the size of the network grows, so do the holes. Also, I have seen lazy admins use simple administrator passwords in a secure corporate facility. Penetration testers rapidly took over several boxes because people used &quot;password&quot; or &quot;P@ssw0rd&quot; as the admin password.
Our arrogance is our biggest downfall...
</description>
		<content:encoded><![CDATA[<p>Yeah, the arrogance of large system server guys is brain numbing.<br />
The arrogance is like the politicians who are pro gun control, when they live in large cities with a complete security system in their home, armed body guards, and where police are just 30 seconds away if something happens. They just can’t understand why the average Joe who lives out in the country, 30 minutes away from police would want a gun for home protection.<br />
There are so many holes in a network that it is very hard to close them all. Just pick up a server 2003 how-to book, it has more pages than a Bible, and fewer pictures too.<br />
As I have said before, security guys usually secure systems with check lists, group policies and auto patching software. They are very linear thinkers, if the box has been checked, rarely do they go back and double check it. Hackers on the other hand think out of the box.<br />
As the size of the network grows, so do the holes. Also, I have seen lazy admins use simple administrator passwords in a secure corporate facility. Penetration testers rapidly took over several boxes because people used “password” or “P@ssw0rd” as the admin password.<br />
Our arrogance is our biggest downfall…</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: nash</title>
		<link>http://defensetech.org/2009/04/15/cyber-attacks-on-supply-chain-systems/#comment-87182</link>
		<dc:creator>nash</dc:creator>
		<pubDate>Thu, 16 Apr 2009 23:30:18 +0000</pubDate>
		<guid isPermaLink="false">http://deftech.usmilblog.com/?p=4447#comment-87182</guid>
		<description>Fred </description>
		<content:encoded><![CDATA[<p>Fred</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Fred</title>
		<link>http://defensetech.org/2009/04/15/cyber-attacks-on-supply-chain-systems/#comment-87181</link>
		<dc:creator>Fred</dc:creator>
		<pubDate>Thu, 16 Apr 2009 22:39:59 +0000</pubDate>
		<guid isPermaLink="false">http://deftech.usmilblog.com/?p=4447#comment-87181</guid>
		<description>Cenobyte
Well You my friend struck out!!!
I am not a security consultant.  I work as a consultant in Supply Chain!  The government should not spend more they should spend smarter!!!  I think a call to DLA will prove you are way wrong about the level of integration and how far along they are moving to paperless. Yes DLA is a client as well.  In total we have consulted to organizations with supply chain spend totaling nearly $100 billion annually. In addition, your comment about a direct connection to SAP clearly shows you are misinformed about the current state of system compromise.
You really need to come up-to-speed before you make the comments you made.
</description>
		<content:encoded><![CDATA[<p>Cenobyte<br />
Well You my friend struck out!!!<br />
I am not a security consultant.  I work as a consultant in Supply Chain!  The government should not spend more they should spend smarter!!!  I think a call to DLA will prove you are way wrong about the level of integration and how far along they are moving to paperless. Yes DLA is a client as well.  In total we have consulted to organizations with supply chain spend totaling nearly $100 billion annually. In addition, your comment about a direct connection to SAP clearly shows you are misinformed about the current state of system compromise.<br />
You really need to come up-to-speed before you make the comments you made.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: The Cenobyte</title>
		<link>http://defensetech.org/2009/04/15/cyber-attacks-on-supply-chain-systems/#comment-87180</link>
		<dc:creator>The Cenobyte</dc:creator>
		<pubDate>Thu, 16 Apr 2009 19:17:52 +0000</pubDate>
		<guid isPermaLink="false">http://deftech.usmilblog.com/?p=4447#comment-87180</guid>
		<description>Peter, you my friend have picked up on the only thing that could be an issue in this &#039;report&#039;. Thankfully the military logistics system isn&#039;t even that close to integrated and supply personnel at the company level still keep paper records (Although from my experience not as well as they used to), I can&#039;t tell you about above that. Add to it that you would need a physical connection to the SAP and I think you have come up with a fairly difficult assignment. First you have to get to a place where there is a physical connection (I don&#039;t know how the newish DOD supply chain software works so don&#039;t quote me on this) and then you have to get past the basic network security. (ID cards are required to connect to most systems via encryption making man in the middle attacks very difficult).
If the govt wanted to spend more money on security for their systems, I am all for it. I just find it difficult to believe that much more than what is already being spent needs to be spent for private enterprise. If for no other reason than that cost of implementation is way higher than being compromised.
</description>
		<content:encoded><![CDATA[<p>Peter, you my friend have picked up on the only thing that could be an issue in this ‘report’. Thankfully the military logistics system isn’t even that close to integrated and supply personnel at the company level still keep paper records (Although from my experience not as well as they used to), I can’t tell you about above that. Add to it that you would need a physical connection to the SAP and I think you have come up with a fairly difficult assignment. First you have to get to a place where there is a physical connection (I don’t know how the newish DOD supply chain software works so don’t quote me on this) and then you have to get past the basic network security. (ID cards are required to connect to most systems via encryption making man in the middle attacks very difficult).<br />
If the govt wanted to spend more money on security for their systems, I am all for it. I just find it difficult to believe that much more than what is already being spent needs to be spent for private enterprise. If for no other reason than that cost of implementation is way higher than being compromised.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: The Cenobyte</title>
		<link>http://defensetech.org/2009/04/15/cyber-attacks-on-supply-chain-systems/#comment-87179</link>
		<dc:creator>The Cenobyte</dc:creator>
		<pubDate>Thu, 16 Apr 2009 19:06:34 +0000</pubDate>
		<guid isPermaLink="false">http://deftech.usmilblog.com/?p=4447#comment-87179</guid>
		<description>Well crap Fred thanks for opening my eyes. I guess I should quit my VP job here at this tiny little bank (third largest in US), turn down all my future network security seminars and consulting gigs and go dig myself a hole somewhere to live in cause obviously I don&#039;t know what I am talking about. I mean with great arguments like &#039;Get a clue&#039; how could I ever even look at myself in the mirror again.
Fred let me guess, you are an IT security consultant for a mid to large size firm that makes all its money from selling services and systems to protect the world from this up and coming threat. You spend most of your days trying to convince guys just like me that we need your new multi-million dollar gizmo that will protect us from the terrorist on the internet.
I understand that it&#039;s important for guys like that to make a living and fear is your huge selling point. But just because you want it to be true doesn&#039;t make it true.
</description>
		<content:encoded><![CDATA[<p>Well crap Fred thanks for opening my eyes. I guess I should quit my VP job here at this tiny little bank (third largest in US), turn down all my future network security seminars and consulting gigs and go dig myself a hole somewhere to live in cause obviously I don’t know what I am talking about. I mean with great arguments like ‘Get a clue’ how could I ever even look at myself in the mirror again.<br />
Fred let me guess, you are an IT security consultant for a mid to large size firm that makes all its money from selling services and systems to protect the world from this up and coming threat. You spend most of your days trying to convince guys just like me that we need your new multi-million dollar gizmo that will protect us from the terrorist on the internet.<br />
I understand that it’s important for guys like that to make a living and fear is your huge selling point. But just because you want it to be true doesn’t make it true.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: FRED</title>
		<link>http://defensetech.org/2009/04/15/cyber-attacks-on-supply-chain-systems/#comment-83663</link>
		<dc:creator>FRED</dc:creator>
		<pubDate>Thu, 16 Apr 2009 17:36:38 +0000</pubDate>
		<guid isPermaLink="false">http://deftech.usmilblog.com/?p=4447#comment-83663</guid>
		<description>Cenobyte   GET A CLUE!!!  I am a consultant that worked on those systems and know how tightly integrated they are. You people think you know it all and you are not in the game or even in the arena.
</description>
		<content:encoded><![CDATA[<p>Cenobyte   GET A CLUE!!!  I am a consultant that worked on those systems and know how tightly integrated they are. You people think you know it all and you are not in the game or even in the arena.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: The Cenobyte</title>
		<link>http://defensetech.org/2009/04/15/cyber-attacks-on-supply-chain-systems/#comment-87177</link>
		<dc:creator>The Cenobyte</dc:creator>
		<pubDate>Thu, 16 Apr 2009 17:09:47 +0000</pubDate>
		<guid isPermaLink="false">http://deftech.usmilblog.com/?p=4447#comment-87177</guid>
		<description>Fred, I hate to tell you but the term integration doesn&#039;t mean crap. It&#039;s a corp. buzz word used only to mean that they have a system for making two systems talk to each other. As often as not this &#039;system&#039; used for integration still requires huge amount of manual intervention. When it does not it&#039;s because someone somewhere wrote a third bit of software that takes info from one system, translates it and then pushes it to another because the two systems they are &#039;integrating&#039; don&#039;t know how to speak to each other, hell they were likely built to be used by a person not another machine at all. (You would be shocked at how many banking transactions in the world are completed by a PC running a bit of screen scraping software against a mainframe emulator, parsed by custom in house built filters and dumped into a DB somewhere).
But let</description>
		<content:encoded><![CDATA[<p>Fred, I hate to tell you but the term integration doesn’t mean crap. It’s a corp. buzz word used only to mean that they have a system for making two systems talk to each other. As often as not this ‘system’ used for integration still requires huge amount of manual intervention. When it does not it’s because someone somewhere wrote a third bit of software that takes info from one system, translates it and then pushes it to another because the two systems they are ‘integrating’ don’t know how to speak to each other, hell they were likely built to be used by a person not another machine at all. (You would be shocked at how many banking transactions in the world are completed by a PC running a bit of screen scraping software against a mainframe emulator, parsed by custom in house built filters and dumped into a DB somewhere).<br />
But let</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Fred</title>
		<link>http://defensetech.org/2009/04/15/cyber-attacks-on-supply-chain-systems/#comment-83661</link>
		<dc:creator>Fred</dc:creator>
		<pubDate>Thu, 16 Apr 2009 16:06:58 +0000</pubDate>
		<guid isPermaLink="false">http://deftech.usmilblog.com/?p=4447#comment-83661</guid>
		<description>I have to say many of you need to update your data.  Major corporations ARE fully integrated with their suppliers and have been for years.  One $68 billion company is integrated back thru vendors to the component producer.  One $20 billion utility is integrated thru to the point where the product supplier/producer can access their products to conduct maintenance and troubleshoot.  Is this the case across the board? NO.   But there is a huge community of large corporations and organizations that are fully integrated with their top suppliers.  It would be nice if the posters on here would update their knowledge before they spout off and post outdated data!
</description>
		<content:encoded><![CDATA[<p>I have to say many of you need to update your data.  Major corporations ARE fully integrated with their suppliers and have been for years.  One $68 billion company is integrated back thru vendors to the component producer.  One $20 billion utility is integrated thru to the point where the product supplier/producer can access their products to conduct maintenance and troubleshoot.  Is this the case across the board? NO.   But there is a huge community of large corporations and organizations that are fully integrated with their top suppliers.  It would be nice if the posters on here would update their knowledge before they spout off and post outdated data!</p>
]]></content:encoded>
	</item>
</channel>
</rss>

