CYBR 650 - Blog Post 3 - Blogs vs. Scholarly Publications for Cybersecurity

Even ten years ago the majority of post-high school education was done in-person at brick & motor universities across the country. If someone wanted to major in something as specific as computer security and auditing, they would most likely need to be co-located with that university to participate in the education it provided.  

The Internet changed things.

One report by Babson Survey Research Group indicates that 31.6% of all students now take at least one distance learning (ie online) course as part of their education.  (Babson, n.d.) This same report indicates that between 2012 and 2016 the number of students studying on campus has dropped by over a million students, or 6.4%.  Because of this reliance on distance learning, the reliance of physical books and publications used for resources has also dropped.  The use of online resources such as websites, blogs, digitized books has not only expanded, but is now becoming acceptable reference material for white papers, research reports and dissertations. 

I can attest from personal experience that old school professors did not accept online content as acceptable resources and required all references to be physical books, scholarly articles and empirical research.  (I got an F on a paper in 1995 where I referenced a discussion I had with a fellow student in Australia regarding recreation activities in that country when no other resources were available in my library). 

My term paper for CYBR545 on Business Email Compromise had 16 references in the final paper, 14 of which were from the current year (2019).  Because this was a newly-identified threat, no printed material was available on the topic.  But resources from the FBI, DHS and other reputable information sources provided valuable, near-real time details on this emerging threat. 

It could be argued that the curriculum for technology degrees (such as cybersecurity) is evolving faster than books can be printed.  Many of the books we use are from before 2015, which was when I ventured into Cybersecurity as a career, and much has changed since then.  Bellevue professors have been very accepting of online content as acceptable references, and not enforcing printed books and scholarly articles.  I would argue that technology websites, blogs, vendor websites and technical forums provide credible information pertinent to an advanced degree that should be considered an official resource.  While books from PhDs and peer-reviewed scholarly articles may have additional credibility based on the amount of research and vetting that is done for them, the industry-standard is to acquire cyber information from a multitude of online resources and is considered credible.  Just as Zillow transformed real estate and their Zestimate has become the publicly-acceptable standard for property estimates, the use of online resources has become the go-to place for credible information for cybersecurity news, information and intelligence. 

Websites which offer some high-quality facts, intelligence, topics, technology and commentary include:

-         Krebs on Security

-         Naked Security

-         Dark Reading

-         Hackaday Blog

-         The Hacker News

-         Threat Post

-         Security Week

-         CSO

-         IT Security Guru

-         Schneier on Security

-         Daniel Miessler

-         Google Online Security

-         Wombat Security

-         Errata Security

-         Kaspersky Labs

-         Security Bloggers Network

-         Sophos

-         Security Now podcast

-         Graham Cluley

-         The Security Ledger

-         Paul’s Security Weekly

-         AT&T Cybersecurity

-         Internet Storm Center

The truth is that books and peer-reviewed publications are not able to keep up with the speed of technology and the threats being brought upon our systems, networks and software.  I feel it is absolutely justified to continue to use these web-based sources as long as they are deemed credible by the cybersecurity community and are not biased based on foreign input such Kaspersky or vendor-specific technologies (Vaughan-Nichols, 2017).  Reliance on these sources may be the subject of information warfare, so there may be the need for oversight if disinformation begins to interject itself into the open news sources that open-source intelligence aggregators acquire their products from. 

Websites such as Purdue University’s OWL provides guidance on how to reference websites and other online content (https://owl.purdue.edu/owl/research_and_citation/apa_style/apa_formatting_and_style_guide/general_format.html)  This indicates that online content is worthy of being referenced, but those in academia are still skeptic about non-official publications and websites which may not be as mainstream as other well-known sites.  After going through the course on Information Warfare, I believe it’s important to review the websites for credibility before deciding to reference them in professional work or scholastic endeavors.  Truth be told, many blogs are purely subjective, even if the rationale is well-received.  Being used as a source in higher level education should be carefully done if the author intends to maintain credibility in the discipline. 

Technology is moving at the speed of light, so the ability to find, use and reference credible online resources is imperative to obtaining the most current information on topics pertaining to cybersecurity and information technology. 

References:

Higher Education Reports, (n.d.) Babson Survey Research Group.  Retrieved on December 21, 2019 from https://www.onlinelearningsurvey.com/highered.html

Top 40 Cyber Security News Websites for Information Security Pros. (Dec. 16, 2019).  Feedspot.  Retrieved on December 21, 2019 from https://blog.feedspot.com/cyber_security_news_websites

Vaughan-Nichols, S., (2017), Claims resurface that Kaspersky helped Russian intelligence.  ZDNet.  Retrieved on December 21, 2019 from https://www.zdnet.com/article/claims-kaspersky-works-with-russian-intelligence-resurface/

CYBR 650 - Blog Post 2

(Me having lunch with congressmen Tom Cole (left) and Mike Rogers (right))

                I was invited to participate in the Reagan National Defense Forum this past Saturday located at the Ronald Reagan Library in Simi Valley, Ca.  (10 miles from my house).  The forum brings together some of the most significant players and contributors in the world of national defense and security in the nation.  Being on the VIP guest list entitled me personal access to many of these individuals both in person as well as to sit in intimate panel discussions.  For those of us in national defense, it’s surreal to hang out at cocktail hour with 4-star generals, members of congress and chit-chat about everything from security policy to football.  In a single day, I personally saw or talked with include:

-          Dr. Mark Esper (Secretary of Defense)

-          Rob O’Neil (National Security Advisor)

-          Jim Mattis (former Secretary of Defense)

-          Jeff Bezos (Founder, CEO of Amazon.com)

-          Brad Smith (President, Microsoft)

-          Leon Panetta (former Director CIA, former Secretary of Defense)

-          Dana Deazey (DoD CIO)

-          Karl Rove (former deputy White House Chief of Staff, Bush 43)

-          ADM Paul Nakasone (Commander US CyberCOM)

-          ADM Michael Gilday (Chief of Naval Operations CNO)

-          Gen. David Goldfein (Chief of Staff, Air Force)

-          Gen David Berger (Commandant, US Marine Corps)

-          Gen James McConville (Chief of Staff, US Army)

-          Congress (Tammy Duckworth, Adam Smith, Mac Thornberry, Liz Cheney, 20 others)

                Promoted as a forum for national security, I’ve observed the panel discussions this year and last year starting with the topic of security, readiness, lethality and quickly meandering into cybersecurity and nation-state sponsored threats.  This was true for every forum.  Discussing national security at the highest levels now includes cybersecurity and the realization that the cyber threat is just as significant as potential kinetic warfare.  China, Russia, Iran and North Korea were popular topics by all the major players and all panels defaulted to discussing how the cyber threat affects the overall wellbeing and way of life for the United States.

                Sitting through 10 hours of panels, fireside chats and personal discussions with a few of these key individuals, it became apparent that the underlying topic for our national security is nation-state sponsored cyber threats.  Below I highlight some of the significant speakers and presentations.

                Lunch keynote speaker Secretary of Defense Dr. Mark Esper showed fluent knowledge and experience in security and highlighted many cyber-relevant situations which the National Defense Strategy supports defending against.  It was refreshing hearing his take on the NDS and emphasized that continuing resolutions (CRs) will negatively affect the military and encouraged congress (30 of which were in attendance) to pass the budget and help meet the goals set forth in the NDS. 

                Amazon founder and CEO Jeff Bezos had some memorable quotes and advice.

                “To earn trust – do hard things well, over and over and over again” This was in regards to things like stating they would do next day shipping with Amazon Prime, or offering AWS or video services.  It wasn’t easy, but he proved to others they were able to do it, and do it over again.  This builds trust in the brand and enterprise.   He also had advice on decisions indicating there were two types:

1.       Highly-consequential, irreversible, one-way decisions

2.       Normal decisions which can be reversed without dire consequences

Bezos mentioned that we use the hard decision-making process for situations such as #2 causing us to over-think and add too many people to the decision-making process when it’s not necessary.  Understand the situation, use critical thinking, keep the quorum small and make fast decisions if not irreversible and highly-consequential. 

                Mr. Bezos also discussed his ”disagree & commit” methodology which he encourages leaders to adopt as a way of progressing in the decision making process.  (see here:  https://www.inc.com/justin-bariso/it-took-jeff-bezos-only-three-words-to-drop-the-best-advice-youll-hear-today.html)  Also, he highlighted the importance of being robust and nimble which somewhat translates to resilience and agility in the form of program acquisition and decision making.

                I was very impressed with Ellen Lord, Under Secretary of Defense for Acquisition and Sustainment.  Unlike some high level officials, Secretary Lord is very familiar with new technologies and recent policy and while responsible for all DoD acquisition, encouraged the group to “fail small, fail fast and move forward”.  She said readiness and modernization should be hardware enabled and software defined and the laborious acquisition process the DoD is stifled by will need to be revamped to compete with our foreign advisories in the 21^st century.  She is also familiar with the Cybersecurity Maturity Model Certification (CMMC) and indicated that 1^st tier contractors (Lockheed, Northrup, GD, Boeing, etc) will need to help support lower tier contractors become compliant with this standard.  We should expect to see more news of it within by March 2020. 

                I had a chance to briefly chat with DoD CIO Dana Deazey and asked him if he noticed that all the panel discussions started off discussing high-level defense readiness and acquisition but ultimately included discussions about cybersecurity.  I asked him if perhaps the next Reagan National Defense Forum could include a panel specific to cyber threats and readiness in the DoD and he said, “that’s a good idea.  I’ll bring it up to them.”  Not sure if that was sincere or not, but since he said it was his first time at the NDF, I indicated this was the case for most of the panel discussions. 

                During the happy hour the night before, I had a chance to speak with General Mattis about how the cyber threat has increased since his time in the military.  He indicated how the DoD has been aware of cyber threats for a while, but only really seeing it posing a national security threat the past decade, and much more in the past few years.  He then reiterated that position later on in the day while discussing a variety of topics with Leon Panetta.  Both very wise.

                There was a panel discussion that filled the house – the Chief of staff of the Air Force and Army along with the Commandant of the Marine Corps and the Chief of Naval Operations held a panel to discuss national security and how each of the forces were supporting it.  All were fluent in how the cybersecurity threat is now a top tier concern for all these leaders and they indicated more support and direct involvement in making sure each service was baking cybersecurity into their acquisition, product line and culture. 

                National Security Adviser Rob O’Neil was also there, but his canned 15-minute speech was a partisan tribute to Donald Trump.  Many of the comments he made pushed republican agenda items and perpetuated the false narrative of a successful presidency, contradicting many of the positions previous speakers took.  Very disappointing and the snickering from the audience was very noticeable and his statement made many people uncomfortable. 

                Overall the 2019 RNDF was very successful and the folks at the Reagan Presidential Library did a fantastic job coordinating the speakers, the guests, security, food and refreshments and media.  I look forward to being there next year. 

Full videos of all panels can be located here:  https://www.youtube.com/playlist?list=PLHNOi2zcxo7tPPwgTEaF421osdMepdJKk

CYBR650 - Blog 1 - Stop Chasing Cyber Buzzwords

BLUF - Buzzwords in the cybersecurity and technical fields attempt to capture innovative concepts which temp leaders to quickly adopt, regardless if the solutions they provide support their mission needs.


Leadership loves to lead and management is there to manage, but the one thing they should not be doing is providing solutions to cybersecurity professionals.  On a weekly basis leaders, supervisors, c-suite officers love to chase buzzwords and insist we adopt the latest technology or concept.  "GO TO THE CLOUD!" is a favorite one, or "we need to establish a DevSecOps environment" is yet another.  These are terms passed down from others in pursuit of being on the forefront of technology, but more importantly, bragging to others that they're incorporating the buzzwords they're hearing.j

The spread of buzzwords can be from many origins.  Trade shows, conferences, news and blogs, vendor marketing advertisements, or even casual conversation and emails can all spread these catchy terms that refer to a term or practice that most likely already exists.  But because technology accelerates so quickly, buzzwords are used to capture progress even if nothing new has been created.

According to CSO Magazine, the top buzzwords for Cybersecurity for 2019 are:

Cyber - meaning anything with computers or internet
AI - artificial intelligence, but meaning "robots making decisions"
APT - Advanced Persistent Threat, but meaning any outside attacker
Threat Intelligence - information about threats, but meaning super secret info about threats
Next-generation - anything new
Cloud - someone else's computer or network
Data-driven - making decisions based on data; been doing this for years
Real-time - as opposed to needing extra time to consider a decision or action
Thought Leader - someone with a brain making decisions

(https://www.csoonline.com/article/3258551/10-security-buzzwords-that-need-to-be-put-to-rest.html)

Add to that mix these as well:

Blockchain, Chaos Engineering, BYOD (Bring Your Own Device), Big Data, DevSecOps, Behavior Analytics, Human Firewall, CI/CD, Orchestration, Quantum Computing, NOC/SOC, Zero Trust Security, Automation.

Many of these buzzwords are associated with a technology or concept which can be very useful in an organization's architecture or security enterprise IF it's applicable and of value. But the problem we're seeing is leaders direct teams to implement solutions without knowing if they are required to meet mission goals.

Instead, leaders need to be able to accurately describe the requirements instead of the solution.

"We need to connect this network to this network with these latency requirements"
"Our developers need a collaborative environment with the following tools"
"Our customer needs to transfer data up to 30GB to us in under 10 minutes"
"I need to make a decision on this contract based on previous statistics"
"We need to secure our web server from attacks on unmanaged ports and protocols"
"The requirement is to meet the following standard, policy or guidance"
"I need proof that implementing this widget/upgrade will not affect our production servers"

These are requirements.

With statements like this, IT and cybersecurity professionals can suggest a variety of solutions.  The lead would then create courses of action (COA) based on cost, schedule and performance and the leader will choose based on those factors.

As an example, recently I've been told our program needs to "go to the cloud" in order to collaborate.  So when I started I asked the program manager, "Just what are we being asked to do?  What is the requirement?"  His reply, "That's why we hired you."  It's a simple process of associating a solution with a requirement, but when the requirement is to utilize a solution withing knowing the details of what success looks like, we find ourselves chasing our tail.

A better requirement would be something on the order of, "We need to establish a zero-client environment between office X, Customer Y and end users located at Z by March 2020 so they can share these files and utilize a Git source code repository on Bitbucket and deploying images to a private resource at Customer Y's CM server.  Users will have token cards for 2-factor authentication and limited to specific parts of this environment, but not all of it"  With something specific like this, we are able to determine vendors, specific locations and establish the security and IT requirements.  At this point, we're able to offer solutions such as hybrid clouds, type 1 hypervisors, on-site SANS solution and multi-factor accounts based on a Kerberos authentication server in a RBAC model.

The exception to this is when you have a General or CEO saying for political reasons, "We must do X" or "Implement the following technology'"  While we love to be subject matter experts and make recommendations for technologies, we need to also learn when the boss is making a solution the requirement.

In either case, cybersecurity professionals need to be fluent in these terms and technically competition in their pros and cons and which situations they benefit.  This is a fast moving field and wrong answers can cost jobs, if not lives.

Week 8 - I love my Spouse(ware)

Our nature is to trust our spouse.  We marry them with the expectation they will be truthful and not devious.  BUT, sometimes people do things which reduce our level of trust and we feel the need to ensure their truthfulness. 

One of the first evidence of a new app for smart phones to track our loved ones being referred to as Spouseware was from this article in 2007 (http://www.informit.com/articles/article.aspx?p=1077909).  Ironic because the very first iPhone was released in 2007, so not far after that did people start thinking of ways to track people with them.  Spouseware is a type of Spyware which can remotely track an individual.

Spyware is typically done by unknown persons/entities (hackers, foreign actors) compared to Spouseware which is an app that is installed physically and willingly through an authenticated and authenticated account, but by something else masquerading for nefarious reasons. 

Here are a list of tell-tale signs if your phone is compromised:

Your partner frequently asks to see your computer or cell phone, or takes it.

Your partner demands passwords to your computer or cell phone.

Your partner wants login information for your email, banking, shopping, or social media accounts.

Your partner is known to be "good with computers" and handles your computer tasks.

Your partner gives you devices that they've set-up for you.

Your partner spends a significant amount of time on their computer and is unusually secretive about it.

Your partner makes vague references to activities or conversations they were not present for.

Your partner gets unexpectedly angry towards a person you've recently communicated with.

Your partner threatens to reveal embarrassing information about you.

(source - https://hackblossom.org/domestic-violence/threats/monitoring.html)

So if your spouse has this kind of access to your phone, then I'm guessing your relationship is good enough to not worry about hiding photos, texts, etc. 


What I'm more interested in is the ability to remotely install apps without physical access.  Spouseware is obviously a form of spyware which can remotely track communications, location, activity, etc.  The risk to our nation is very low as it pertains to tracking each others spouses, but could be very high if this kind of spyware can be remotely installed to other high-value targets such as senior intelligence officials, leaders of industry, politicians, or perhaps even nation-state spies working covertly.

Spouseware can be installed many different ways, but based on the articles above typically requires physical access to the device.  Malwarebytes also can be disguised as antivirus as reported here:  https://blog.malwarebytes.com/threat-analysis/2016/08/unpacking-the-spyware-disguised-as-antivirus/

Motherboard lists popular Spouseware apps and how to discover if your phone has them installed here:  https://motherboard.vice.com/en_us/article/bjepkm/how-to-tell-if-partner-is-spying-on-your-phone-stalkerware

Probably the best way to identify Spouseware is to backup your data and reinstall your operating system.  But if you are really that suspicious if spouseware is installed on your mobile device, perhaps you should be focusing more on your marriage than defending your privacy against them. 

Week 7 - The Wall of Cybersecurity

The concept of Security has been around for centuries.  One of the oldest concepts of physical denial of access is building a wall.  A physical barrier that acts as a prevention and deterrent for restricting access by those not permitted to gain entry.  Examples include the Great Wall of China, the Berlin Wall, the Israeli West Bank Barrier Wall, and Sacayhuaman in Peru.  The majority of these walls protected against unauthorized entry for that period of time. But a single boundary defense such as a wall is not adequate in modern times because of the advanced tactics and technologies used by those wishing unwarranted entry. 

In a computing environment, a using only a wall for defense would be the equivalent of only using a username/password for complete protection.  Thus a modern physical defense utilizes defense in depth, which too is not a modern concept. 

Even the phrase, "Guards, Gates & Guns" shows how different physical controls can be used to prevent entry.  Again, these are both preventative and deterrent controls which can be used in conjunction with a physical wall to limit access.  Here are a few other security controls which could be added to a wall to add defense in depth to a stationary barrier:

Motion sensors
Electrified fences
Additional patrols
Air Surveillance via plane or satellite

When there is a large threat vector (such as a 500 mile border) then a physical barrier in addition to other natural deterrents provides the best total security solution. 

In reality the use of a wall as a single physical security control is about as ridiculous as expecting to have the enemy pay for it's installation. 

The other option would be to allow entry but then control access once inside.  So not everything inside a network is attractive to the enemy, so knowing how to be selective about how to protect critical data and configurations may be a better defense than a single external boundary defense. 

The moral of this post is that using archaic security controls to deter and protect against external entry is wasteful and ineffective.  A smart approach would be embracing defense in depth by utilizing physical, technical and administrative controls specific to the threat landscape and attack vectors, resulting in a controlled managed risk environment. 

If you're thinking this could be applied to non-IT-related current events, you're right. 

Week 6 - Who are the real heros here?

Organizations pay a large percent of their overhead to fund cybersecurity programs.  This is done at the federal, state, private, public, and all other levels and in every industry.  Millions are spent to protect and defend our privacy and personal data in addition to the critical information our businesses and governments need to keep internal and available to those who need it.  There are paths for certifying, assessing and authorizing IT systems in an effort to build confidence that they are protected to the highest standard.

Based on the NIST Risk Management Framework as well as other security models such as ISO 27001 and COBIT, the majority of the security controls put in place are to defend against malicious hackers (previously called crackers) whose nefarious intentions were to steal valuable information.

A few years ago there emerged a trend where vulnerability identification was outsourced using third-party persons and organizations, commonly referred to as Bug Bounty programs.  Essentially these are hackers who decided to come out from the darkness to legally hack various organizations to discover vulnerabilities for profit.  One of the largest bounty-for-hire companies, HackerOne, provided some interesting statistics in their annual report (HackerOne 2018):

- Over 90% of hackers are under the age of 35
- 8% of hackers are under the age of 18
- 58% of hackers are self-taught
- At 78%, Burp Suite is by far the most popular set of hacking tools
- 31.3% of techniques are learned through reading other hackers blogs on their results and tactics.
- at 78%, websites are the most valued target of hackers
- The most popular countries participating in Bug Bounties are India and the United States
- Fun, to be challenged and to learn are all bigger motivators than earning money from hacking.
- Cross-site scripting and SQL injections are the most popular attack vectors, followed by fuzzing.


The irony of this concept it laughable.  These organizations no doubt spend millions to protect their data from the same people hired to discover vulnerabilities against them.  But equally as disappointing is the fact that the effort going into securing and accrediting these systems is upended by the very people being hired to protect them.  The belief that systems are protected because someone gives their seal of approval is being proven incorrect and that further vulnerability analysis is necessary.  In fact, one could say perhaps the white hat hacking should be done first so identify the largest gaps in security, and then the expected protocol defense added after the easily exploitable has been patched.

The goal is always mitigating the risk to a level acceptable by the organization.  Until a few years ago, hackers were all bad. Perhaps the better way of looking at cyber security is to include these offensive hacking partners into the total solution to achieve a better overall risk posture.



2018 Hacker Report, HackerOne, 2018.  Retrieved from:  https://www.hackerone.com/sites/default/files/2018-01/2018_Hacker_Report.pdf

Week 5 - This Means War!

It's no secret, those who work in cyber security in the DoD are accused of being a low-value administrative requirement fed mostly by fear and pressure from leadership based on gregarious stories in the news. The reputation cyber professionals have is that they slow progress, impede the mission and generally operate on rules that continually change.

First, let's address the rumor of cyber requirements always changing.  The answer is,  yes, cyber requirements do change all the time.  Policy changes because threats change.  Techniques change from criminals.  Technologies emerge and then get exploited.  Insiders get better, or perhaps lazier.  All these changes need to be addressed by changing the way cybersecurity is performed.

The other issue with cybersecurity is that it ends up taking too long to implement and approve.  Typically the organization is held to the standards of an outside standards body or approver and needs to meet the mark in terms of required compliance checklists, vulnerability assessments.  There are so many rules, policies, guidelines, best practices and expectations that to address EVERY possible security control would take months if not years.  And then, when you think you've addressed them all, you need to start over because the threats have changed, the policies have been updated and what you addressed in the beginning is outdated.  A vicious circle that can never been completed.

But it this really the best way?  Perhaps we're trying too hard?  Are all these checks really necessary if we're ultimately postponing the delivery of a capability to our company or organization?


Another perspective:

In the early 1940s when America was jumping into WWII, the entire country took enormous sacrifices to support the warfighter.  Women took jobs, factories previously making iron parts changed to making bombs (my grandfather was one of them) and the ability to field capabilities and products to those on the front line was streamlined without mission-essential checks.

Let's present this perspective another way:

Your wife is pregnant, 40 weeks.  It's 2am and she screams hat her water broke.  Your job is to get to the hospital right away.  But, if you were to do things the RIGHT way, this is what it would look like:

1. You get out of bed.
2. You make your bed.
3. Brush your teeth
4. Put on fresh clothes.  Perhaps dress in layers.
5. Before leaving, adjust the thermostat so not to waste energy while not there.
6. Ensure all the doors are locked, windows closed, major appliances not running.
7. Both of you get in the garage.
8. Inspect car to ensure all tires are properly inflated
9. Once inside the car, adjust the mirrors to make sure proper field of vision is required, especially in blind spots.
10. Make sure wife is buckled in, perhaps get her some bottled water.
11. Turn on car, and let it warm up (remember back in the 80s)
12. Find a radio station that is soothing to your wife.  Adjust the temperature control.
13. Back out, but go slowly to look for neighbors, dogs, etc.
14. Program the hospital in Waze and select the most efficient route.
15. Drive conservatively since it is late night, your senses are muted and the darkness could obscure a cute raccoon or other furry animal.
16. Pull into the hospital and find a good parking spot in a well-lit area, in proximity to security cameras.


I think you get the point.

In real life, ALL those checks go out the window, and it's a mad dash to the hospital with little regard for how your breath smells, what you're wearing, or  proper road etiquette.  Laws be damned, this baby is coming out!

In real life, if we were under physical attack by our advisaries and bombs were being dropped in our cities, boats were coming ashore and bad guys were taking over our cities and terrorists were using chemical weapons aimed at our schools and government centers, you know for a FACT that cybersecurity would be limited to:

1. Network defense

So while we are not currently under attack, we are under attack by digital enemies who are looking to beat our networks and steal our military and technological secrets. A rapid model like this won't work in the DoD or any other organization, but how could we develop a model where  a system could undergo an appropriate level of review, validation and risk assessment but without putting the data or people at risk?  I'm thinking, like two weeks.

Like most everyone else, we are at the mercy of the approving official.  I don't have an answer for this.  I can't control those who are pulling my strings, but perhaps I can find a way to cut them.