[url=http://meincmagazine.com/civis/viewtopic.php?p=30191559#p30191559]Tiernoc[/url] said:
FWIW, there's a LOT of good tech available that helps secure networks, locks down traffic and plugs vulnerabilities (DISA creates guides for this, called
Security Technical Implementation Guides (STIGs), that help immensely in preventing hardware / software vulnerabilities being exploited).
Unfortunately, US Government security guidance is frequently hamstrung by the government's inability to recruit and retain competent staff as public servants. As a consequence, much of the work is being done by contractors: contractors who work at the companies that run the testing and certification labs, or who charge the government money to "secure" or "audit" systems.
Essentially, you have the standards being written and approved by people from the very organisations that generate a revenue stream from implementing those standards and testing the implementations.
In some countries that would be considered somewhere between a conflict of interest and outright corruption.
The US is largely oblivious to this - the military-industrial complex mindset is too well entrenched.
Perversely, I've more confidence in the NSA's guidance than DISA's (lies and information operations notwithstanding) - the NSA seems to grasp the relationship between risk and action far better than DISA, who by contrast seem to be concentrating on creating revenue-generating opportunities for external parties.
It's a classic example of outsourcing deskilling an organisation to the point where it's functionally incompetent in what you'd otherwise think was a core function.