
Comment by john_strinlai

15 hours ago

"crazy crazy" gets the same point across

Yeah, but the words "gross negligence" are legalese for "you're going to be sued for a whole lot of money."

  • While I agree that it should not have happened, at the same time it's probably true that most people are never formally trained on security.

    The real story here is a big gap in existing implementations where shared credentials are needed and used pretty much across all the systems, but there are no good solutions for managing such use cases. People are naturally more sensitive about their personal secrets than something that's shared across the company/group.

    • The real story here is a big gap in existing implementations where shared credentials are needed and used pretty much across all the systems but there are no good solutions for managing such use cases.

      This strikes me as so wrong, I wonder if I’m misreading your comment. For instance, team password managers are a thing. And IT teams at many large corporations are not passing around unsecured CSV files full of passwords.

      12 replies →

    • None of this is true at the federal level, or at least wasn’t before the current administration. There are standards for all of this, and if you haven’t read them most are quite reasonable — I keep the NIST 800-63 reference handy anytime someone tries to say password expirations are a good idea — and there are people who are paid full time to enforce them.

      Having a password list or static AWS credentials is not only a direct policy violation but also implies a number of other failures, from monitoring GitHub repo administration and secret scanning to failure to enforce policies against sharing credentials (part of everyone’s standard training), require use of phishing-proof authentication, failure to use short-term credentials, etc. One mistake can be an individual but this is a multiple-manager failure going up to the executive level.

    • The error and omission of not enforcing mandatory security training covering posting plaintext passwords to public sites for CISA contractors is itself an act of gross negligence.

      So much so the contracting company’s insurer would cite it as the reason why the claim is not covered by their policy.

    • He worked for CISA. Surely there is either a security clearance with indoctrination and training, or at the very least, some sort of mandatory training/onboarding for all contractor staff?

    • > While I agree that it should not have happened, at the same time its probably true that most people are never formally trained on security.

      This isn’t a grocery store or something, it’s CISA. This is like a gun going off in a cop’s holster while he’s texting and driving without a seatbelt. Yeah, he’s a contractor, but that doesn’t suddenly allow for such incompetence.

      2 replies →

    • > shared credentials are needed and used pretty much across all the systems but there are no good solutions for managing such use cases.

      What do you mean by this? There are password managers and more enterprise-oriented secrets managers, and application platforms typically have integration with them. Individuals shouldn't be using shared secrets. This is a completely solved problem and it's not difficult to set up properly, especially in a cloud environment like AWS, where you can use services like AWS Secrets Manager.

      1 reply →
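Two comments above point at the same control: static AWS credentials should never sit in a repo or shared file, and secret scanning is what catches them when policy fails. As an added example (not code from the thread or from any of the tools mentioned), this is a small scanner that flags AWS access key IDs, distinguishing long-term `AKIA` keys from temporary `ASIA` keys issued by STS, and flags a secret access key only when its entropy is high enough to rule out obvious placeholders. The sample input is constructed; the key values in it are the placeholder credentials from AWS's own documentation.

```python
import math
import re
from dataclasses import dataclass

# AWS access key IDs are 20 characters: "AKIA" prefixes a long-term IAM user key,
# "ASIA" prefixes a temporary (STS) key. Long-term keys in a repo are the real problem.
ACCESS_KEY_RE = re.compile(r"(?<![A-Z0-9])(AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")
# A secret access key is 40 chars of [A-Za-z0-9/+]; match it only next to a telling key name.
SECRET_KEY_RE = re.compile(
    r"(?i)aws_secret_access_key\s*[=:]\s*['\"]?([A-Za-z0-9/+]{40})(?![A-Za-z0-9/+])"
)

@dataclass
class Finding:
    line_no: int
    kind: str
    value: str

def shannon_entropy(s: str) -> float:
    """Bits per character; placeholder strings like 'xxxx...' score near 0."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def scan_text(text: str, min_entropy: float = 3.5) -> list[Finding]:
    """Scan config/source text line by line and report likely AWS credentials."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_RE.finditer(line):
            kind = "aws_access_key_long_term" if m.group(1) == "AKIA" else "aws_access_key_temporary"
            findings.append(Finding(line_no, kind, m.group(0)))
        m = SECRET_KEY_RE.search(line)
        if m and shannon_entropy(m.group(1)) >= min_entropy:
            findings.append(Finding(line_no, "aws_secret_access_key", m.group(1)))
    return findings

def has_long_term_keys(findings: list[Finding]) -> bool:
    """Policy gate: any long-term access key ID is a hard failure for a commit or share."""
    return any(f.kind == "aws_access_key_long_term" for f in findings)

# Constructed sample; the key values are the example credentials from AWS documentation.
SAMPLE = """\
# constructed config fragment; values are the placeholder keys from AWS documentation
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
# temporary STS key (short-lived, lower risk, still should not be committed)
export AWS_ACCESS_KEY_ID=ASIAIOSFODNN7EXAMPLE
aws_secret_access_key = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE):
        print(f"line {f.line_no}: {f.kind} {f.value}")
    print("block commit:", has_long_term_keys(scan_text(SAMPLE)))
```

The last line of the sample (all `x`) is a placeholder, not a secret, and the entropy gate keeps it out of the findings; a real pipeline would run this over every file in a commit and refuse the push when `has_long_term_keys` is true.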