Yesterday, Rep. Lamar Smith, the Republican Chairman of the House Committee on Space, Science and Technology had four cyber security experts testify about the poor security of healthcare.gov's website. Of the four experts, at least two were ardent critics of the Obama Administration in general and the Affordable Care Act specifically: David Kennedy, the CEO of TrustedSec and Morgan Wright, the CEO of Crowd Sourced Investigations. And of those two, only one - David Kennedy - could accurately be called a cyber security "expert".
While it's not surprising that a Republican Committee would load its witness list with individuals that would support its anti-Administration agenda, what was surprising was that David Kennedy used his reputation as a pen-tester to do an unauthorized security audit of the site and then go public with his findings. TrustedSec LLC, Kennedy's company, was not engaged by the U.S. Department of Health and Human Services (HHS) to perform any type of security testing on Healthcare.gov. If it had been, he would be bound by an NDA not to discuss his findings. Instead, he took it upon himself to run a passive test against the site.
Passive testing occurs when a user monitors his interaction with a website by using a proxy server and a "sniffer" to inspect the traffic between the website and the proxy server. Kennedy hasn't disclosed exactly how he conducted his passive vulnerability assessment but it wouldn't have revealed enough data to warrant an opinion that the site "had already been hacked", as Mr. Kennedy told the committee:
“And if I had to guess, based on what I can see … I would say the website is either hacked already or will be soon.”

In my opinion, this raises serious ethical questions. Vulnerability assessments including penetration testing are hugely sensitive operations that rely upon confidentiality and discretion on the part of the testing company. In fact, it would be professional suicide for any pen tester to "out" the vulnerabilities found on a client's website. Obviously, neither Kennedy nor TrustedSec had that relationship with HHS. Instead, Kennedy ran an unauthorized and non-defined "passive" vulnerability assessment which by its nature could not provide any kind of thoroughness in its findings and then announced those findings publicly to support a Right-wing political agenda. If he had done that against a private company, he'd be sued.
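To make concrete what a passive look at one's own session can and cannot show, here is an added Python example; it is not part of the original post and is not Kennedy's or TrustedSec's method. It parses a constructed log of the kind a logging proxy would record for the reviewer's own HTTPS responses, flags the header-level hygiene points that are genuinely visible from the client side (missing HSTS, cookies without Secure/HttpOnly, version strings in Server headers), and leaves the question of compromise explicitly unanswered, because header observation says nothing about server-side state. The log format, the host name portal.example.test and every header value are constructed for this example.

```python
# Added example (not from the original post): a "passive review" of HTTP responses
# recorded by a logging proxy for the reviewer's own browsing session. It reports
# only what response headers show and makes explicit what such a review cannot prove.
import re

# Constructed proxy log: a "METHOD <url> <status>" line followed by header lines,
# with a blank line between responses. Host and values are invented.
SAMPLE_PROXY_LOG = """\
GET https://portal.example.test/login 200
Content-Type: text/html; charset=utf-8
Set-Cookie: session=abc123; Path=/
Server: Apache/2.2.15
X-Powered-By: PHP/5.3.3

GET https://portal.example.test/api/profile 200
Content-Type: application/json
Strict-Transport-Security: max-age=31536000; includeSubDomains
Set-Cookie: csrf=xyz; Path=/; Secure; HttpOnly; SameSite=Strict
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self'
"""


def parse_proxy_log(text):
    """Split the log into (url, status, headers) tuples; headers is a list of (name, value)
    with names lower-cased so later checks are case-insensitive."""
    responses = []
    for block in text.strip().split("\n\n"):
        lines = block.splitlines()
        m = re.match(r"(\w+) (\S+) (\d{3})$", lines[0])
        if not m:
            raise ValueError(f"bad request line: {lines[0]!r}")
        headers = []
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers.append((name.strip().lower(), value.strip()))
        responses.append((m.group(2), int(m.group(3)), headers))
    return responses


def review_response(url, status, headers):
    """Return hygiene findings visible from headers alone, as (severity, message) pairs."""
    names = {n for n, _ in headers}
    findings = []
    if url.startswith("https://") and "strict-transport-security" not in names:
        findings.append(("medium", f"{url}: no Strict-Transport-Security header"))
    for name, value in headers:
        if name == "set-cookie":
            parts = value.split(";")
            cookie = parts[0].split("=")[0].strip()
            attrs = {a.strip().split("=")[0].lower() for a in parts[1:]}
            missing = [a for a in ("secure", "httponly") if a not in attrs]
            if missing:
                findings.append(("medium", f"{url}: cookie {cookie!r} lacks {', '.join(missing)}"))
        if name in ("server", "x-powered-by") and re.search(r"\d+\.\d+", value):
            findings.append(("low", f"{url}: version disclosed in {name}: {value}"))
    if "x-content-type-options" not in names:
        findings.append(("low", f"{url}: no X-Content-Type-Options header"))
    return findings


def passive_review(log_text):
    """Aggregate findings over the whole log and state what the review can conclude."""
    responses = parse_proxy_log(log_text)
    findings = []
    for url, status, headers in responses:
        findings.extend(review_response(url, status, headers))
    return {
        "responses": len(responses),
        "findings": findings,
        # Header hygiene is client-visible configuration, not evidence about server-side
        # state: a passive log cannot show that a site has been, or will be, compromised.
        "evidence_of_compromise": None,
    }


if __name__ == "__main__":
    result = passive_review(SAMPLE_PROXY_LOG)
    for severity, message in result["findings"]:
        print(f"[{severity}] {message}")
    print("evidence of compromise from passive review:", result["evidence_of_compromise"])
```

Run against the constructed log, the first response yields five hygiene findings (two medium, three low) and the hardened second response yields none, while `evidence_of_compromise` stays `None` in both cases: the script can describe configuration weaknesses it sees, but nothing in a client-side capture lets it rule on whether the site behind it has been breached.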
In contrast to the approach that Kennedy took, Dr. Avi Rubin, Director, Health and Medical Security Laboratory; Technical Director, Information Security Institute, Johns Hopkins University (one of the remaining two experts who testified before the committee) advised that a full security review of the site was in order, and:
“I would need to know whether there are inherent flaws vs. superficial problems that can be fixed,” Rubin says. “If they can be fixed, that’s better than shutting it down.”

What a concept. Do a proper investigation and then provide an informed opinion based upon facts.
UPDATE: David Kennedy has posted his response to this article in the comments section. I encourage readers to read the comments in their entirety and join in the debate if you so choose.
UPDATE #2 (11/21/13): David Kennedy has maintained that neither he nor his company did anything unethical. I'm not saying that they did. I'm arguing that what was done by Kennedy and his firm raises questions in my mind about what is currently considered to be ethical in the security field, and that those standards need to be challenged, discussed and debated. That's what I'm trying to do with this article.