Guerilla CISO Tip: Get Inside the Data Center

Posted June 4th, 2007 by

I’m an engineer at heart. I love technology and I love to build. I can’t really understand the operational mindset, which is a weakness I have to work around at times, considering I’m managing security for an operational division.

Back in November, I spent a month building $3 million worth of equipment. The reason? It was the biggest risk to my organization at the time: failure to meet a delivery deadline. As a side benefit, I know what each and every device does.

In fact, if I haven’t done anything techie in a week, I start to get antsy. I go home and rearrange my Linux partitioning scheme just to move data around.

There’s a lesson in there: Get out of the office and into the Data Center at least once a week, even if you’re a total wonk.

Common sense, right? But you would be surprised how many security people don’t get out of their cubicle and go see the technology. One of the critical failings of how we do security in DC is that because there is a shortage of people with hard skills, we send in the people with soft skills such as financial auditors, technical writers, and quality assurance. Don’t get me wrong, there is a place for these people in security as long as they adopt a security mindset, but overall your security staff need to have some sort of technical background.

Question is, how do you get your non-technical staff into the technology? Believing in practical solutions and advice, I have a couple of tactics, techniques, and procedures for you:

  • Give them the responsibility to do a data center walkthrough every week
  • Assign them as direct support to a smaller project
  • Turn them into a mobile vulnerability scanning and reporting team
  • Send them to investigate the security implications of a specialized technology like a SAN
  • Give them a cubicle next to the system administrators and encourage them to socialize

Of course, none of this is really a new idea; these are basic career development activities for a junior security staff member. I guess that’s the topic for a later post. =)


Posted in Technical, The Guerilla CISO, What Works | 4 Comments »

How I Became the Owner of Two Rogue WiFi APs

Posted May 29th, 2007 by

I’ve been a bad little CISO. I should know better. But hey, how can I maintain my BOFH credentials if I don’t do something bad from time to time?

Anyway, let me explain it all.

Inside my area of responsibility (aka my job scope) there are several networks. One is a closed network that we use for management and monitoring of our customers. Another is our corporate network. A third is our guest network where all you can do is access the outside world.

So what we wanted to do was to add a wireless access point to the guest network. That way our guys can stay connected between meetings. Not all too uncommon of a use-case.

Corporate IT has a solution they roll out everywhere. If I give them a cost center, they would give us a completely wide-open WiFi AP with an ESSID of “guest”. It’s the only solution that they would support.

I have 20 or so customers. They have varying levels of security savvy depending on how mature the organization is. Some of them believe in “Security Through Level of Pain”–in other words, they make it so hard to ask for permission that nothing ever gets done.

Now, with some of these clients, they think that they own my building. That’s not necessarily a bad thing, but if I have a wide-open “guest” AP in my building, then they all think that I have broken their security policy which says “no WiFi”. Even though eventually I can explain how the wireless is not connected physically, logically, or even tangentially to their network, their gut reaction is to make me take it down. I have yet to lose a disagreement over things like this, but 20 customers later, they’ll wear me down to the point where I need to go home and sleep. That’s very much in the spirit of “Security Through Level of Pain”.

If I have WiFi in the building, it has to be WPA2, no questions asked. I can justify that to the government, it makes my life oh-so-much easier. I ran a waiver through my boss and his boss that documented the security controls around how I wanted the design to be.

I talked to the guy from Corporate IT. I explained to him who I was and what I wanted to do. I explained the waiver and what the risks are. His answer was that he needed approval through management. However, he wouldn’t tell me who “the management” was. The only saving grace in this conversation was the fact that he didn’t remember my name. =)

I got a forwarded email a couple of days later from the Corporate IT guy asking our data center manager who could authorize a wireless connection (I had already authorized it with a waiver, remember?). I had a quick conversation with the data center manager that went along the lines of “Yeah I know about that, it was me.”

Rather than pull teeth, I bought 2 Linksys SOHO APs and wired them to the guest network. It’s not perfect (if you go from one side of the building to the other, you lose your association and have to do stuff like reconnect via VPN), but I set it up with WPA2 and it’s on the guest network where all you can do is get to the Internet. One sits in my office, the other sits in a closet between two conference rooms. Everybody who needs to use the APs knows how to do it.

Hi, my name is “Mike” and I’m the owner of two rogue wireless access points.

I’m also a Guerilla CISO.


Posted in Technical, The Guerilla CISO | 4 Comments »

The Vendors are Already Jumping on the 07-11 Bandwagon

Posted May 21st, 2007 by

Two months ago, OMB released Memorandum 07-11 which established the authority for government-wide hardening standards for Windows products. It’s a very good thing in my opinion.

However, I’m beginning to see the start of the side effects. I have vendors already that are beating down my door trying to sell me compliance solutions that will help me meet this “oh-so-very-important standard”. I think they missed the other things I’ve had to say about compliance. The one worry that I have is that people will hit their systems with whatever technical policy compliance tool and think that they don’t have to do anything else. I think really that’s the one big problem I have with this entire class of products–they present themselves as the cure-all for all the security problems that an organization could have.

Knowing the people from NIST, it’s the classic problem that they have: They issue guidance and people blindly follow it even though it’s contradictory and not smart security. The best part is when people offer “NIST-Compliant” solutions (I take that out of our marketing material whenever I find it and then take the time to educate people on why it’s wrong) which are at best, “Our interpretation of the guidelines with numerous assumptions” and think that this is all that an organization should do security-wise. Well, the catch is that NIST, compliance frameworks, and vendors can’t anticipate every situation, so at the most what they’re offering is a 75% solution. If you go back to both NIST and OMB, they will tell you to make a decision based on a cost-benefit-risk comparison.

My friend Art Chantker from The Potomac Forum has an executive breakfast on the 24th with a good host of speakers: OMB, NIST, Microsoft, and US Air Force. I’ll be there, just for the simple fact that I can refute claims later when somebody offers me yet another compliance solution. =)

This whole unified standard business was started by the US Air Force, who very simply decreed that you wouldn’t connect a Windows system to the network until it met the technical standards. Hmmm, wonder where they got the idea for a technical standard? This isn’t new; DoD has been doing it for years. I guess finally the clueful people got together and decided to make the migration to Vista a chance to get STIGs implemented in the civilian agencies.


Posted in FISMA, NIST, Rants, Technical | 3 Comments »

Enterprise !== Managed Service Provider

Posted May 16th, 2007 by

Message to vendors: If you want to break into the Managed Service Provider market, there is one thing extra that you need to do.

Enterprise-class products are reasonably good at being able to support a 3-tier model. That way you can abstract out everything into whatever architectural model you want. Need more database oomph, add some more power at the database tier. Need to support a remote site, put a data collector out there on the management LAN and just send events back to the central collectors. This stuff is great.

But when it comes down to MSPs, there is one thing that we need above and beyond what enterprise-class products have. We need to be able to flag data as belonging to a certain customer. That way, once events have trickled up to the Single Pane of Glass (TM) that the NOC operators use, we still can tell which environment the event came from. That requires tagging and the simple ability to have multiple devices on one IP address when clients have address collisions (everybody using 10.0.0.0 comes to mind).
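To make the tagging requirement concrete, here is an added example (my own illustration, not code from this blog or from any vendor product) of an ingestion step that stamps each event with the customer it belongs to and resolves devices by the pair (customer, IP) rather than by IP alone. The collector names, customer names, inventory and sample events are all constructed; the design point is that the tenant tag is derived from which collector the event arrived on, never from anything inside the event payload, so two customers both using 10.0.0.0/8 stay separate at the NOC console.

```python
"""Tenant-aware event tagging for an MSP event pipeline (added example).

Every event is stamped with a customer_id taken from the collector that
received it, and devices are looked up by (customer_id, ip), so colliding
RFC 1918 addresses from different customers never get merged.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample inventory: two customers whose private address plans collide.
DEVICE_INVENTORY = [
    ("acme",   "10.0.0.5", "acme-fw01",   "firewall"),
    ("acme",   "10.0.0.9", "acme-db01",   "database"),
    ("globex", "10.0.0.5", "globex-core", "router"),
]

# Constructed mapping of remote collectors to the customer they are deployed at.
# This is fixed at deployment time and is the only source of tenant identity.
COLLECTOR_TENANCY = {
    "collector-acme-dc1":  "acme",
    "collector-globex-hq": "globex",
}


@dataclass(frozen=True)
class DeviceKey:
    """Composite key: the same IP under two customers is two devices."""
    customer_id: str
    ip: str


@dataclass
class TaggedEvent:
    customer_id: str
    device: str
    src_ip: str
    message: str
    anomalies: List[str] = field(default_factory=list)


class DeviceRegistry:
    def __init__(self, inventory):
        self._devices: Dict[DeviceKey, Tuple[str, str]] = {}
        for customer_id, ip, hostname, role in inventory:
            self._devices[DeviceKey(customer_id, ip)] = (hostname, role)

    def lookup(self, customer_id: str, ip: str) -> Optional[Tuple[str, str]]:
        return self._devices.get(DeviceKey(customer_id, ip))


def tag_event(raw: dict, registry: DeviceRegistry) -> Optional[TaggedEvent]:
    """Stamp a raw collector event with its tenant and resolve the device.

    Returns None when the collector is unknown: an event with no trustworthy
    tenant is not forwarded to the NOC view at all. A payload that claims a
    different customer_id is recorded as an anomaly rather than honoured.
    """
    customer_id = COLLECTOR_TENANCY.get(raw.get("collector"))
    if customer_id is None:
        return None
    anomalies: List[str] = []
    claimed = raw.get("customer_id")
    if claimed is not None and claimed != customer_id:
        anomalies.append(f"payload claimed tenant {claimed!r}")
    src_ip = raw["src_ip"]
    found = registry.lookup(customer_id, src_ip)
    if found is None:
        device = "unknown-device"
        anomalies.append("src_ip not in customer inventory")
    else:
        device = found[0]
    return TaggedEvent(customer_id, device, src_ip, raw["msg"], anomalies)


def process(raw_events, registry: DeviceRegistry):
    """Tag a batch of events; returns (tagged events, count dropped)."""
    tagged, dropped = [], 0
    for raw in raw_events:
        ev = tag_event(raw, registry)
        if ev is None:
            dropped += 1
        else:
            tagged.append(ev)
    return tagged, dropped


# Constructed sample events: note the identical src_ip across two customers.
SAMPLE_EVENTS = [
    {"collector": "collector-acme-dc1",  "src_ip": "10.0.0.5",  "msg": "link down eth1"},
    {"collector": "collector-globex-hq", "src_ip": "10.0.0.5",  "msg": "ospf neighbor lost"},
    {"collector": "collector-globex-hq", "src_ip": "10.0.0.5",  "customer_id": "acme", "msg": "config changed"},
    {"collector": "collector-acme-dc1",  "src_ip": "10.0.0.77", "msg": "login failure"},
    {"collector": "unknown-box",         "src_ip": "10.0.0.5",  "msg": "hello"},
]

if __name__ == "__main__":
    reg = DeviceRegistry(DEVICE_INVENTORY)
    events, dropped = process(SAMPLE_EVENTS, reg)
    for ev in events:
        print(f"[{ev.customer_id}] {ev.device} ({ev.src_ip}): {ev.message} {ev.anomalies}")
    print("dropped:", dropped)
```

Running it shows the two "10.0.0.5" events resolving to acme-fw01 and globex-core respectively, the event whose payload claims to be acme staying filed under globex with an anomaly noted, an unknown IP flagged rather than silently attached to the wrong customer, and the event from an unregistered collector dropped. The same (customer, IP) keying has to be carried through every tier, or the collision reappears at whichever tier first indexes by IP alone.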


Posted in Outsourcing, Technical, What Doesn't Work, What Works | 2 Comments »

DC Demo Camp

Posted April 24th, 2007 by

Sounds like a neat idea.

DC Demo Camp 2


Posted in Odds-n-Sods, Technical | No Comments »

More on Mouse Jigglers

Posted April 12th, 2007 by

I think the picture speaks for itself.


Posted in Technical | No Comments »
