FDCC Auditing with Nessus

Posted February 29th, 2008 by

Great article from the Tenable blog about how to use Nessus to do FDCC auditing.  As you’ve all heard me say repeatedly, the only way to make FDCC work is to have an automated tool to check large amounts of workstations concurrently.

Nummie goodness.  Expect to see similar things from a vendor near you. =)



Posted in Technical, What Works | 1 Comment »

Government Can’t Turn on a Dime, News at 11

Posted February 27th, 2008 by

Are we done with the Federal Desktop Core Configuration yet? Are we compliant with OMB Memo 07-11?? Have we staved off dozens of script-kiddies armed with nmap and some ‘sploits they downloaded from teh Intarweb, all through hardening our desktops to the one true standard?

No? I didn’t think we would. Of course, neither did the CISOs and other security managers out there in the agencies. It’s too much too fast, and the government is too large to turn on a dime. Or even a quarter, for that matter. =)

Now get ready for a blamestorm at the end of the month. By that time, all the agencies are supposed to report on their status to OMB. It’s not going to be pretty, but it’s hardly unexpected.

So why haven’t we finished this yet? Inquiring minds want to know.

Well, it all goes back to the big question of “how many directions can today’s government CISO be pulled in?” Think about it: You’ve got IPv6, HSPD-12, all the PII guidance (Memo 06-16 et al), reducing Internet connections down to 50, aligning your IT systems with the Federal Enterprise Architecture, getting your Internet connections monitored by Einstein, and the usual administrative overhead. That’s too many major initiatives all at the same time, and it’s a good way to be torn in too many directions at once. In government-speak, these are all what we call “unfunded mandates”, and one is bad enough to cripple your budget, much less a handful of them.

Where we’re at right now with FDCC is that the implementers are finding out what applications are broken, and we’re starting to impact operations–not being able to get the job done. Yes, this is the desired effect, it puts the pressure on the OS vendors and the application vendors, and it’s a good thing, IMO–we won’t buy your software if it doesn’t support our security model, and we’ll take our $75B IT budget with us. Suddenly, it’s the gorilla of market pressure throwing its weight around, and the BSOFH inside me likes this.

Now don’t get me wrong, I’m a big believer in FDCC (for both the Government and with a payoff for the civilian world), and I think it’s security-sound once it’s implemented, but in order for it to work, the following “infrastructure” needs to be in place:

  • An official image shared between agencies
  • Ability to buy a hardened FDCC OS as part of purchasing the hardware
  • Microsoft rolling FDCC into its standard COTS build that it offers to the rest of the world
  • Applications that are certified to run on the “one standard to rule them all” and on a list so I can pick one and know that it works
  • Security people who understand GPOs and that even though it’s a desktop configuration standard, it affects servers, too
  • An automated tool to validate technical policy compliance (there, I said it, and in this space it actually makes sense for a change)

Until you have these things, what OMB is asking for is for the agencies to get squeezed between a vendor who can’t ship a default-hardened OS, lazy application vendors who won’t/can’t fix their software, and the 5+ levels of oversight that are watching over the shoulder of the average ISSO at the implementation level. In short, we’re throwing the implementers under the bus and making them do our dirty work because at the national level we have failed to build the right kind of influence over the vendors.

Gosh, it sounds like this would go so much better if we phased in FDCC along with the next tech refresh of our desktops, doesn’t it? That’s how the “sane world” would tackle something like this. Not a sermon, just a thought. =)



Posted in DISA, FISMA, NIST, Rants, Technical, What Doesn't Work, What Works | 1 Comment »

Turning Routers into Firewalls

Posted January 15th, 2008 by

Not that anyone would find themselves in a situation like this: you have a firewall that’s actually a router and you want to fix it. Maybe it’s that you’re replacing a router with a firewall, maybe it’s that you had some doofuses who set up the firewall as a “Default Allow” in the first place.

Hey, we’re not being judgemental here at the Guerilla CISO, we’re all about fixing things. =)
So here is the process to follow:

  1. Get a logging server. Even better if you point it at something that lets you sort through the data better (Chuvakin, you can chime in with a subtle bit of log evangelizing here =) ). But hey, grep still works, the key here is that we’re logging and we can store a month’s worth of data.
  2. That “Default Allow” rule at the end of the chain? Set it to log everything that hits it. Keep it as “Allow” for the time being.
  3. Build and implement a ruleset for your core services that should be “Global” or “Enterprise-Wide”:
    • DNS
    • Active Directory
    • NTP
    • SNMP/NMS
    • Patching
    • Vulnerability Scanners
    • Identification and Authentication (TACACS, Radius, etc)
    • File Servers
    • Any Application-Specific Traffic
    • Remote Management/RDP/SSH/$foo
  4. Wait it out. A month is probably a good sample of network traffic that will show you where the obvious trends are.
  5. Review the data flows that were logged passing through the last rule. You might have to do some correlation with scan results, server inventory, or network drawrings.
  6. Add rules for the data flows that you want to keep. There might be some things here that are obviously misconfigured and you need to push them to the server and network guys to fix.
  7. Do another sample period or if you’re feeling confident/BSOFH-ish, skip it. I can hear a voice in the back of my head saying “It’s an iterative process after all…” but I’ll ignore it for the time being.
  8. Flip the last rule in the chain to “Deny”.
  9. ????
  10. Profit!
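As an added example (not from the original post), here is a small Python script for steps 5 and 6: it reads the lines logged by the “log everything” default-allow rule, aggregates them into flows, and separates flows that match the core-service list (rules from step 3 that should have matched earlier, so the ruleset is incomplete) from flows that still need review. The log line format, the rule names and the service-to-port mapping are assumptions, and the sample log is constructed.

```python
import re
from collections import Counter

# Constructed sample log in a hypothetical key=value firewall log format.
SAMPLE_LOG = """\
Jan 15 10:01:02 fw1 rule=DEFAULT-ALLOW proto=udp src=10.1.5.20 dst=10.0.0.5 dport=53
Jan 15 10:01:03 fw1 rule=DEFAULT-ALLOW proto=tcp src=10.1.5.21 dst=10.0.0.7 dport=445
Jan 15 10:01:04 fw1 rule=DEFAULT-ALLOW proto=udp src=10.1.5.22 dst=10.0.0.9 dport=123
Jan 15 10:01:05 fw1 rule=DEFAULT-ALLOW proto=tcp src=10.1.5.23 dst=10.0.2.40 dport=5900
Jan 15 10:01:06 fw1 rule=DEFAULT-ALLOW proto=tcp src=10.1.5.24 dst=10.0.2.40 dport=5900
Jan 15 10:01:07 fw1 rule=CORE-DNS proto=udp src=10.1.5.25 dst=10.0.0.5 dport=53
Jan 15 10:01:08 fw1 rule=DEFAULT-ALLOW proto=tcp src=10.1.5.26 dst=10.0.0.5 dport=53
"""

LINE_RE = re.compile(r"rule=(\S+) proto=(\S+) src=(\S+) dst=(\S+) dport=(\d+)")

# Core services from the post's step-3 list; (proto, port) pairs are assumed defaults.
CORE_SERVICES = {
    ("udp", 53): "DNS", ("tcp", 53): "DNS", ("udp", 123): "NTP",
    ("udp", 161): "SNMP/NMS", ("tcp", 445): "File Servers",
    ("tcp", 88): "Active Directory", ("udp", 88): "Active Directory",
    ("tcp", 389): "Active Directory", ("tcp", 49): "TACACS", ("udp", 1812): "Radius",
    ("tcp", 22): "SSH", ("tcp", 3389): "RDP",
}

def parse_default_allow_flows(log):
    """Return (proto, dst, dport) for every line that fell through to the last rule."""
    flows = []
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a rule hit line; skip
        rule, proto, src, dst, dport = m.groups()
        if rule == "DEFAULT-ALLOW":
            flows.append((proto, dst, int(dport)))
    return flows

def summarize(flows):
    """Split aggregated flows into known core services and flows needing review."""
    known, unknown = [], []
    for (proto, dst, port), hits in Counter(flows).most_common():
        service = CORE_SERVICES.get((proto, port))
        entry = {"proto": proto, "dst": dst, "dport": port, "hits": hits, "service": service}
        (known if service else unknown).append(entry)
    return known, unknown

def candidate_rules(known):
    """Draft allow rules for core-service flows that leaked past the step-3 rules."""
    return [f"allow {e['proto']} any -> {e['dst']}:{e['dport']}  # {e['service']}" for e in known]

if __name__ == "__main__":
    known, unknown = summarize(parse_default_allow_flows(SAMPLE_LOG))
    print("\n".join(candidate_rules(known)))
    for e in unknown:
        print(f"REVIEW {e['proto']} -> {e['dst']}:{e['dport']} ({e['hits']} hits)")
```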


Posted in Technical, The Guerilla CISO, What Works | 4 Comments »

Server Upgrades

Posted December 11th, 2007 by

“Paranoia” is the name of the server this blog is hosted on.  It’s a very “modest” box, probably a dinosaur at this point.   Some quick specs:

  • VA Linux (remember them?) 2240
  • 2 x PIII-650 processors
  • 1GB RAM
  • 3 x 18GB drives in a RAID-5

And yet, it does everything I want it to:  mail and web for a handful of domains.  =)

A couple of  months ago, paranoia hung on me.  A quick hardware reboot and it came back up, but I was short a processor.

So last night I swapped out processors, added a new UPS and apcupsd, and while I was physically in the same room, upgraded the kernel.

One last word of advice for older hardware and upgrades:  Check out stress, which is a program to put a load on your machine so you can test the processors, RAM, etc.



Posted in Technical, The Guerilla CISO | 2 Comments »

Life Behind “The Great Big NAT in the Sky”

Posted December 4th, 2007 by

A couple of weekends ago my home ISP took all of its subscribers and moved us from public IP to behind a big 10-dot NAT cloud. Of course, we had a couple small service outages getting there, but at the end of it, we now are on private IPSpace. Probably nobody noticed but me. =)

From what I’ve seen over the past couple of years, typically broadband ISPs have been going the filtering route. Most of them block incoming http, smtp, and maybe all the NetBIOS/AD stuff (at least if they’re smart). Now not only do I have that, but it has become a case of “we can’t get here from there”.

This is a fun one to deal with. I was very used to the public IP way. I had a couple of incoming services available like SSH and IMAP over SSL to get my PDA to work. Now I had to shift it all to my “real” server. I guess that’s the way I should have done it from the start.



Posted in Odds-n-Sods, Technical | No Comments »

Be a Slave to Nakedness and CAPTCHAs

Posted October 30th, 2007 by

Great writeup about a cute piece of malware that uses humans to answer CAPTCHAs in exchange for a striptease.  Something about this I think is evilly clever, but I’m just not sure what it is. =)



Posted in Technical, What Works | No Comments »
