While this started as a blog specifically for Information Security a.k.a. Information Assurance, Information System Risk Assessment, Computer Security Engineering, and sometimes Cyber Security, I have already expanded it, or at least have needed to post off-topic remarks related to my own life. Therefore, now this is simply a journal for my ramblings, questions I discuss out loud to the general public.
Tuesday, December 21, 2010
Wordpress vulnerability
So, my sister came into town today and she mentioned that she was having a strange problem on her web site. After discussing the particulars with her, I made the standard suggestions and, since I wasn't in front of a computer at the time, waited until I got home to do some more pertinent research on the topic based on our conversation. (This is a developing article that is actively being used to house my thoughts and research.) I found this link, http://ocaoimh.ie/did-your-wordpress-site-get-hacked/, which seems to describe the problem. I will be looking at the site more closely to see if this is indeed the problem.
Tuesday, December 14, 2010
Repost: Initial Frustrations, a discussion of DoD shortcomings
Background: I've been in the IT industry for well over 13 years now, and a computer enthusiast since my parents first put a Commodore VIC-20 in my hands as a child. I avidly watched the industry grow up, mature, and start to diversify. In my adult life, I continued to learn all I could about computers and their application in life. Approximately 9 years ago, I got my first "real" IT job. I had been working in a call center environment for 4 years at that point doing tech support work, but this new job was working for a contractor at a DOE facility. This proved to be my first taste of what we now call Information Security (IS) or Information Assurance (IA). I currently work for a DoD organization where my primary job responsibilities are IA.
Over the last 9 years, I became increasingly aware that the IT field was undergoing a split, or had split, into two distinct areas: the administration of computer systems, and the securing of computer systems. They were integrated in such a way that it was very difficult to tell the two apart. About four years ago, a program was implemented at the organization I was working for at the time that led me into the IS field. While there, I experienced how IS should be implemented as far as personnel and policy.
I left that position in 2008 and re-entered the field in 2009 working as an IT systems administrator for a different government agency. At this new position, I found that although the regulations and policy were in place, and an implementation strategy was well thought out, this only existed at the root or direct subordinate level. Below that level, especially for non-centralized sub-organizations, the structure fell apart and was very poorly implemented.
The incumbent in the position I held had been working towards getting the organization up to speed, and I began to assist him in this effort. One would think that with the regulation in place, and pressure from members internal to the organization, that an effective IA shop would be instituted. This did not happen. After the incumbent left, the task fell to me to get this done. It has now been over two years since this was brought to the attention of all levels of the organization and still, there is not a resolution in sight.
Problem: The basic problem seems to be that of manpower denying critical billet positions. That, and procrastination on the part of several parent organizations to dictate how an IA shop should be setup at a remote location. In addition, there are some specific cases where this policy fails to clarify how an IA shop should be run.
Disclaimer: In order to maintain some obscurity, I won't name specific organizations or people, but will try to define the problem in sufficient detail so that the community can recognize the problems and hopefully discuss possible solutions. I ask that anyone posting comments please adhere to these stipulations and do not try to guess at names or organizations involved.
If you are familiar with regulations within the DoD branch specific to IA, you will know that in order to successfully execute a C&A package, you must have, at a minimum, the following roles:
- DAA – Designated Accrediting Authority
- SIAO – Senior Information Assurance Official
- CA – Certifying Authority (or Certifying Agent) (typically the SIAO)
- PM – Program Manager
- IAM/IAO – Information Assurance Manager/Information Assurance Officer
- UR – User Representative
In a typical organization of mid to large size (100+), these roles are very easy to fill, but for a smaller organization, two of these roles become increasingly difficult to fill. Specifically, the DAA and SIAO/CA roles. From the US Code down, these must be filled by government civilians or military personnel and both carry heavy responsibility and authority, meaning upper organization management positions. The DAA is required to be at the GS-15/O-6 level while the SIAO is the single policy maker for the entire IA department.
What I have discovered, and inferred from multiple sources as well as my own experience, is that neither of these individuals would be comfortable signing off on a system that they cannot either virtually or physically see and touch. This makes perfect sense to me as they are, in essence, assuming the risks and responsibility of any system they approve.
This wouldn't be a problem if a small organization were physically located at or near its parent organization's HQ, but, as is typical for DoD organizations, there are many sub-organizations that are physically separate from their parents. Most of these sub-organizations are located on military installations, from which they get their network connectivity. While this isn't a problem if they are affiliated in some way with the military base/post/station where they are located (as they would simply use the DAA/SIAO that services that location), it does pose a problem for MAJCOM-organized units. These units are typically not affiliated with a single branch of military service; therefore, the DAA/SIAO that services that location is not operationally aware of the mission of these outlying units.
In an ideal world, and I acknowledge that DISA is trying to effect this change, the hosting base would simply accept the systems that belong to the MAJCOMs as is. Even though they might not be able to fully understand the mission, they can at least see and touch the systems attached to their network. This, at least, I have witnessed, and it seems to work.
There is one type of system though that this cannot work for and it is the hardest system to run through the C&A for. Standalone Enclave systems are a bear to work with. Many units ignore these systems, or fail to acknowledge DoD's specific instruction that "All DoD owned systems will be accredited." The problem is that the only entities that can virtually or physically see and touch these systems exist within the sub-organization itself. This, by inference, means that all DoD roles must exist within the sub-organization.
Well, I can tell you that simply can't happen for every organization out there. Some organizations don't even have a GS-15/O-6 to throw a DAA appointment to, much less a second position able to take on the SIAO/CA role. The sticking point is not the DAA, interestingly enough; it is the SIAO/CA role. This position, given the standalone enclave system, requires a CISSP or equivalent certification per DoD 8570-M.
I've not found a person in a current position of authority willing to entertain the idea of obtaining a CISSP certification just to satisfy this requirement. The most common answer I've gotten is that they are just too busy. I can understand this stance, as we are talking about small shops, where the workload is typically piled deeper on each person than in a larger organization.
So, where does that leave the situation? A small shop, not co-located with its parent organization, with a need to C&A a standalone system is left out in the cold. DAAs don't want to touch these systems, and the small shop can't requisition the proper billet to get the right IA personnel into the organization to do it in house.
This is my frustration, as I know it needs to be done, but I can't change the minds of the people over my head.