Lousy Security Advice

Posted August 28th, 2007 by

I had a friend, Mr Vlad the Impaler of blog comment fame, who sent me this article: 10 Pieces of Lousy Security Advice.

Numbers 1 and 4 (IIRC) are my favorite whipping-boy, c*mpliance. Yes, it’s lightweight reporting and fairly obvious to security dweebs, but it brings a tear to my eyes. =)

Posted in Rants, The Guerilla CISO | 3 Comments »

“SBU” Must Die

Posted August 8th, 2007 by

I had dinner with Joe last night, and I thought I would add a little bit of fuel on his personal vendetta to rid the world of the concept of “SBU”–Sensitive But Unclassified. Let’s just say that I’m an anti-SBU sympathizer. =)

“SBU” is a pseudo-classification used by the government to say that a bit of information is unclassified but still needs to be protected.

The biggest question is, does the US Government have any data that is not sensitive in some way? Usually not. I’m trying to think of something, and I am drawing a complete blank, unless we want to talk about orders for new black Skilcraft ballpoints and Simple Green. But then again, there’s probably a purchase order involved which probably is sensitive in some way. You could even extrapolate a traffic analysis attack using the quantity of pens ordered to determine how many people work at a specific place (not as effective as using the volume of pizza ordered by the Pentagon during planning for a troop surge as an indicator of pending missions), but when I start to go down that road I put on the tinfoil hat and the thoughts go away. =)

DODD 8500.1 defines SBU as “A term commonly and inappropriately used within the Department of Defense as a synonym for Sensitive Information, which is the preferred term.” Then there is a lengthy definition for Sensitive Information which you can go look up yourself.

Seriously, though, the last thing we need is for people to be making up their own classifications without official limits on what you can and can’t do with it. If you can’t mark it on a document and have people know what the marking means, then it’s not an effective classification. I think SBU meets this description, and that’s why it must die.

We have a classification, it’s called “For Official Use Only”. Use it, folks! =)

Posted in Rants, What Doesn't Work | 4 Comments »

Once Again, I’m not a Bank!

Posted July 19th, 2007 by

It seems like every product or service that somebody is trying to sell me has the words “bank” or “financial institution” attached to it. The cynic in me would say that either the SOX cash cow is drying up and the vendors are trying to glom onto FISMA, or the only past performance that these small-fry vendors have is with a bank that bought their solution once.

Part of me also wants to know if banks will buy whatever junk I throw at them. =)

So is the secret to selling a product to the government a cleverly crafted Unix shell command like the following:

    cat marketing.literature.sox.txt \
    | sed 's/SOX/FISMA/' \
    | sed 's/bank/government agency/' \
    > marketing.literature.fisma.txt

You would think so based on the spam I get nowadays. It’s so obviously retreaded that I keep wondering “Do you guys even believe your own literature and hyperbole about what you’re trying to sell?” I don’t expect sales people to be the experts at my business, but how can you offer me a solution to my problems if you don’t understand the gist of what my problems are? If you don’t know that bank security is primarily modeled on integrity and that government security is primarily modeled on confidentiality, then we don’t really have a common language.

My vendor spam for today is below. “Compliance as a Service” makes my head explode. I think somehow I should be building a list of security spammers as a “Wall of Shame” to help out the people who would actually buy from these vendors. If anything, I’ll know who not to buy from–the list is getting large enough so that I need to write it down to keep track of.


Dear Rybolov,

The need for automated Security Review processes had already made developments in risk tracking one of the areas of greatest interest (and concern) to CIOs, CSOs, and Security Managers worldwide. Now, with the news of Google’s acquisition of Postini, many enterprise organizations are looking even more closely at risk management and compliance as a service.

Many companies lack a repeatable, automated security risk assessment process, and <redacted> would like to offer you a case study that provides an overview of how a leading global financial service provider was able to take advantage of compliance as a service to address risk management and compliance issues while improving business performance.

The specialists at <redacted> are pleased to offer you this case study in an effort to reduce the background noise surrounding this issue and help you focus on the aspects of the process that matter most.

To download this case study at no cost and with no obligation, simply visit: <redacted>

Posted in FISMA, Rants, What Doesn't Work | 6 Comments »

Eh?

Posted July 17th, 2007 by

There are a ton of kooks out on the internet. We all know this. Hey, for all I know, you might think I’m one as well. =)

But um…. what does HSPD-20 have to do with President Bush serving a 3rd term? This one threw me for a loop. Even the part of me that loves a good conspiracy theory has problems equating “National Continuity Policy” with “4 more years”. You could maybe say that this lays the ground to declare a national emergency and forgo an election, but I just don’t see it.

But then again, I’ve been known to be wrong on very rare occasions.

Posted in Rants | 2 Comments »

BrokeNAC Mountain?!?!?!

Posted June 25th, 2007 by

Rational Security/Chris Hoff with his take on the NAC Forum.

What I was thinking, only without the boots and hats. =) That’s about as irreverent as something I would write.

Posted in Odds-n-Sods, Rants | No Comments »

First Shelfware, now Liarware

Posted June 18th, 2007 by

We used to call it “shelfware”–the documents that people write once and throw up on a shelf where nobody touches them until the next audit.

I humbly propose a new linguistic creation: “Liarware”. This is the documentation that has no grounding in reality because it was written by people who were paid to create documentation to check a box that the document exists.

Posted in Rants | 7 Comments »
