Pre-Hardened Government OS

Posted March 23rd, 2007

According to a news article at The Register, the US Government is going to define a standard hardened set of Windows OS settings and require vendors to ship systems with those settings already in place.

From TFA:

“The purchasing power attached to the $65bn federal IT spending budget means that suppliers will have no choice but to take notice.”

Right on!  I’ve been waiting for this for a long time.  You have the 8000-lb gorilla of IT budgets sitting back, buying all this junk from people and then not doing anything about the poor quality of it.  About a year ago, I started teaching government employees in my classes that they had the power to ask for better software, and I think the idea is starting to sink in.

Now they have to do me proud and not make the settings a watered-down, weak version of what they should be.  My one fear is that this will be hardening by committee, where all these people show up out of nowhere to complain that one hardening setting or another breaks functionality they absolutely need, and that part of the OS is left unhardened.  The problem with that is you end up with hardening holes.



Posted in FISMA, NIST, Risk Management, Technical, What Works

Trouble Tickets

Posted March 21st, 2007

In the operations world, if something dies and doesn’t make a ticket, did it really die?

The answer is, of course, “yes”, but there is a caveat:  if it doesn’t make a ticket, it doesn’t get looked at.

This is a simple fact of life in the operations world.  Yes, we have the large screens with network monitoring dashboards available 24/7, but a red light on a dashboard does not demand action the way a trouble ticket does.  People can only do a handful of things at the same time.  They can't field user calls and at the same time investigate potential problems shown on the big screen, because the task at hand needs their undivided attention.

What does this have to do with security?  That’s an interesting question, and an explanation follows.

I’m half toying with the idea of making trouble tickets for vulnerabilities and audit findings, and here’s why:

  • Tickets get assigned to the tier-3/4 administrators to fix
  • Tickets are unavoidable for the most part
  • The ticketing system provides metrics on what is fixed and not fixed
  • The operations guys are already accustomed to having tickets introduced as a stimulus
  • Our operational staff is rated on the number of tickets that they close
  • Ticketing systems support the operational work flow

Notice what I didn’t explicitly say here?  I’m adapting my security mindset to the operational mindset because that is my environment.  It’s strange because I’ve always been more in the engineering world, so I have to wrap my brain around the operations way of doing things.
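The workflow the list above describes, as an added example that is not part of the original post: scan and audit findings are keyed by (host, finding id) so a rescan does not open duplicate tickets, each ticket is assigned to an admin tier with an SLA due date by severity, a ticket the admin closed is reopened if the next scan still shows the finding, an open ticket whose finding disappears is closed as verified fixed, and the ticket store yields the open/closed/overdue metrics. The host-to-tier mapping, SLA days and the findings themselves are constructed for illustration, not taken from any real scanner or ticketing product.

```python
"""Turn vulnerability-scan and audit findings into trouble tickets.

Added example, not from the original post. Findings, host->tier mapping
and SLA days below are constructed/assumed for illustration.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta

# Assumed SLA (days to fix) per severity; a real shop sets these by policy.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

# Assumed host -> admin tier mapping (the post assigns fixes to tier-3/4).
HOST_TIER = {"web01": "tier-3", "db01": "tier-4", "dc01": "tier-4"}


@dataclass
class Finding:
    host: str
    finding_id: str      # scanner plugin id or audit control id
    severity: str
    title: str


@dataclass
class Ticket:
    key: tuple           # (host, finding_id) -- one ticket per instance
    host: str
    assignee: str
    severity: str
    title: str
    opened: date
    due: date
    status: str = "open"
    history: list = field(default_factory=list)


class FindingTracker:
    def __init__(self):
        self.tickets = {}

    def ingest(self, findings, scan_date):
        """Reconcile one scan/audit run against the existing tickets.

        - new (host, finding_id)                  -> open a ticket
        - finding still present, ticket open      -> leave it alone
        - finding still present, ticket closed    -> reopen (fix didn't take)
        - ticket open, finding no longer reported -> close as verified fixed
        """
        seen = set()
        for f in findings:
            key = (f.host, f.finding_id)
            seen.add(key)
            t = self.tickets.get(key)
            if t is None:
                due = scan_date + timedelta(days=SLA_DAYS[f.severity])
                self.tickets[key] = Ticket(key, f.host, HOST_TIER.get(f.host, "tier-3"),
                                           f.severity, f.title, scan_date, due)
            elif t.status == "closed":
                t.status = "open"
                t.history.append((scan_date, "reopened: finding still present on rescan"))
        for key, t in self.tickets.items():
            if t.status == "open" and key not in seen:
                t.status = "closed"
                t.history.append((scan_date, "closed: verified fixed by rescan"))

    def close(self, key, when, note="admin reports fixed"):
        """An administrator closes the ticket; the next scan verifies it."""
        t = self.tickets[key]
        t.status = "closed"
        t.history.append((when, note))

    def metrics(self, today):
        """The numbers the operations staff and the auditor both want."""
        open_t = [t for t in self.tickets.values() if t.status == "open"]
        return {
            "open": len(open_t),
            "closed": sum(1 for t in self.tickets.values() if t.status == "closed"),
            "overdue": sum(1 for t in open_t if t.due < today),
            "reopened": sum(1 for t in self.tickets.values()
                            if any("reopened" in h[1] for h in t.history)),
            "open_by_assignee": {a: sum(1 for t in open_t if t.assignee == a)
                                 for a in sorted({t.assignee for t in open_t})},
        }


def run_example():
    """Two constructed scan runs with an admin closure in between."""
    tracker = FindingTracker()
    scan1 = [Finding("web01", "P1", "critical", "Unpatched remote code execution"),
             Finding("db01", "P2", "high", "Default admin credentials"),
             Finding("dc01", "P3", "medium", "Audit: guest account enabled")]
    tracker.ingest(scan1, date(2007, 3, 21))
    tracker.close(("web01", "P1"), date(2007, 3, 22))      # admin says it's fixed
    scan2 = [Finding("web01", "P1", "critical", "Unpatched remote code execution"),
             Finding("dc01", "P3", "medium", "Audit: guest account enabled")]
    tracker.ingest(scan2, date(2007, 3, 28))                # P1 reopens, P2 verified fixed
    return tracker, tracker.metrics(date(2007, 4, 1))


if __name__ == "__main__":
    tracker, m = run_example()
    print(m)
    for t in tracker.tickets.values():
        print(t.key, t.assignee, t.status, t.due, t.history)
```

The reopen rule is the part worth keeping: without it, "tickets closed" measures what admins said they did, not what the scanner can still see. With it, the metric the operations staff is rated on and the state of the vulnerability stay tied together.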



Posted in Outsourcing, Technical, What Works

Hardware Woes

Posted March 15th, 2007

I’ve fried 2 processors in the past 2 weeks.  That’s not a good track record.  Maybe I overheated them with one too many FPS games, but I think the culprit was a bad motherboard.  Since I was running on some older technology, most of which wouldn’t work with any of the newer hardware (I had a socket 478 Pentium 4 with DDR 1 RAM and ATA-166 drives), I knew I was headed for a “forklift upgrade”.

I got a clearance workstation for $400.  Not bad for something with a dual-core (Pentium-D, so it’s one generation behind) CPU, 2 GB RAM, two 250 GB SATA drives and an Nvidia graphics card.  I probably couldn’t buy the components for that much.

Right now I’m taking the OS (Debian with some special sources) and putting it on the new drives.  Even if you hate software raid, it does give you a solid amount of portability from one drive technology to another, like I am here with the transition from raid on IDE drives to raid on SATA drives.  The operations dweeb in me likes that flexibility.

The point here is that flexibility ~= availability.  That’s why you have a security architecture.  That’s why things such as load balancers, DNS, and redundant SAN fibre switches make sense.



Posted in Technical, What Works

Cedega Rocks!

Posted March 14th, 2007

Notice I haven’t been posting lately?  Well, I’ve been “experimenting” with some games, checking out how well they work in Linux.  Pretty well, actually. =)



Posted in Technical

You Can Run Backtrack in VMWare

Posted March 1st, 2007

There is both a VMWare appliance for a hard-drive install of backtrack and a CD-boot appliance that you point at a .iso file.

It works flawlessly.  Mike is much happy.



Posted in Hack the Planet, Technical, What Works

My Inbox This Morning–Metasploit

Posted February 26th, 2007

Some presentations from HD Moore:

Introduction to the Metasploit Framework.

Economics of open-source projects and the future for Metasploit LLC and the Metasploit Fund.



Posted in Technical, What Works
