Posted on Mar 18, 2016
SPC(P) Information Security (Is) Analyst
Most enterprise companies have a bug bounty program, paying non-employees to attempt to gather "non public" info to test system security. Should the DoD be doing the same thing, or do you think this would be a terrible idea?

These tests are a more cost effective way to find any holes in the system that could end up really bad if not found by a "White hat".
Responses: 4
SSG Ed Mikus
This would be a great idea IF we spent time and money fixing the problems we already know about. Since we do not, this would just make more issues more commonly known and still leave them unaddressed.
Maj Kevin "Mac" McLaughlin
>1 y
Some fix actions require removing mission capability (availability). There is a balance, and the know-how to mitigate the problems through other means, which sometimes are not financially feasible.
SPC(P) Information Security (Is) Analyst
>1 y
That is a very good point; having a bug bounty program would be enacted when we think everything, or for the most part everything, is "secured".
CW5 Regimental Chief Warrant Officer
SANS Critical Security Control # 20: Penetration Tests and Red Team Exercises
If we won't conduct it ourselves we should pay someone else, but not make it a wild, wild West where we have no idea where/when/how the attacks are conducted. Nothing wrong with discovering vulnerabilities, but we need to know when testing is happening.
Also, how would you keep an insider from gaming the system like the recruiters did when making tens of thousands using the G-RAP program?
SPC(P) Information Security (Is) Analyst
>1 y
Hey sir, so I was watching a video from Facebook and the Director of InfoSec with them said (not verbatim): "Since we knew people are going to be poking at our systems and possibly sell anything they find on the black market, we want to capture that info. In 48 hours of offering a bounty, we discovered more holes in our system than our team has found in a year... More brains, more issues solved." There are always going to be people poking around, and the last thing we need is for someone to find something and sell the vulnerability on the black market.
CW5 Regimental Chief Warrant Officer
>1 y
So if our own official Cyber warriors cannot pound on our network legally, do we allow others to do so? How do we know what may have been compromised when they discovered the vulnerability? Yes, NIPR is unclass, but it may contain FOUO or SBU that we don't want anyone getting at.
We don't need hackers getting paid by us while on the side they obfuscate their exfil of data to sell to others or put on WikiLeaks.

The correct action is to own the team and invite other governmental organizations to also join in, but to open it up to all comers (civilian) is inviting a legal nightmare.

Better yet, let's get rid of the idea of NIPR and stay within a Type 1 protected enclave. I never heard of a Node Center being hacked. Maybe a jammed V3 freq, but never hacked.
Maj Kevin "Mac" McLaughlin
We are not a profit-making company. I do not want untrained and unqualified people running security tests on our military networks. This is why we're forming the Cyber Ops Squadrons.
SPC(P) Information Security (Is) Analyst
>1 y
Hey Sir, while we are not a company, our InfoSec should be the best of the best. Watch this video (http://youtu.be/IDTm2I8FeAY)... Like they said, there's already going to be poking at your system; might as well capture it and pay them for any legitimate hole they find.
Maj Kevin "Mac" McLaughlin
>1 y
Cyber Security requires a significant knowledge base to correctly identify an advanced persistent threat or a malicious presence in general. Our military networks are further challenged with domains which fall into the highest classification levels. We simply cannot afford to build a team of volunteer security specialists when we're already forming entire units to do this job. The video you posted speaks of hundreds of people THEY can trust, but getting on a military network is a much bigger deal.