So, what’s the deal?  Have a look through the following articles:

• Cybereye | Has FISMA improved IT security? Maybe:  It is safe to say we are better off than we would have been without it
• Melding Security
• Experts tackle guidance to stop cyberattacks
• Staffer: FISMA bill will pass in the next Congress

And wow, you would think that either the anti-FISMA cabal was on strike this month.  Even Alan Paller’s comments are toned down.  What gives?

But then again, maybe it’s just all part of the transition honeymoon–if you say things enough times, then eventually somebody picks up on it and recommends it to a committee and then it’s true.

My Bike the Transition Bottlerocket photo by Tom Grundy Photo.

Now at this point I start to get cynical, and here is why.  Everybody agrees that cybersecurity (been working with the Government for too long, I don’t even cringe at the word) is this phenomenally important thing that we all should do something about.  But since it’s a cost, for the most part it never actually happens.

In other words, it’s exactly the same problem that CISOs in private enterprise, the banking industry, and insurance has been dealing with for a “long” time: everybody wants security, but they don’t want to pay for it.

And the last article I have to give y’all today is this one from CIO.com.  Programs and ideas are great and all, but the CISO inside me knows that things won’t get done until there is a budget behind it.  That’s why the National Strategy to Secure Cyberspace hasn’t gone much of anywhere until the standup and subsequent funding of the National Cybersecurity Division and the National Infrastructure Protection Plan (yes, you could argue that they need much more funding than they currently have, but you can’t stand up something that big that fast).

Maybe I’ve come back around to the classic argument: talk is cheap, security isn’t.  And when transition fever comes to the Beltway, everybody has something to talk about.  =)

• Introducing the Government’s Great InfoSec Equities Issue
• In Other News, I’m Saying “Nyet” on S.3474
• A Funny Thing Happened Last Week on Capital Hill
• FISMA Report Card News, Formulas, and 3 Myths
• “Machines Don’t Cause Risk, People Do!”

Another pair of client agencies, another pair of clearance forms to fill out….

Want to talk about fraud, waste, and abuse?  I’m in my mid-30’s (not ~85 like Alex and Mortman think I should be) and I’ve gone through the clearance process about 3 times a year since 2002 (and once in 1992 and once in 1996), mostly because each agency insists on having their own clearance requirements.

So let’s look at the economics of managing clearances at the agency level, I figure I’m a pretty average when it comes to this:

• ~2 days of filling out SF-86 and other clearance forms 16 hours x $150 = $800
• ~1 day for fingerprinting and corrections 8 hours x $150 = $400
• Salaries for cleared personnel = +$15K over “market value” (yes, dear readers, that has become the market value)
• 3 clearance runs/year for contractors $1200 billable hours x 3 times/year = 3600/year
• All this times a bazillion contractors supporting the Government
• ~2 months before somebody can actually be given any information that they can actually use to do the job.

The “Who Moved my Personnel Security Cheese?” Problem

This is the real crux of the problem: every agency thinks that they are special–that Commerce has a different level of a need for trustworthy people than Health and Human Services.  We have a phrase for how we’re managing clearances right now: Not Invented Here.

News flash: trustworthy people are trustworthy people and dirtballs are dirtballs.  Honestly, what can the civilian agencies require that trumps  what having a Department of Defense Top Secret clearance can’t?  What we need is an esperanto for clearances.  My opinion is that DoD should trump all, but I’m obviously biased.  =)

Oh, but here’s the keystone to this argument:  all of the clearance processing (forms, background checks, investigations, and fingerprints) is done by the exact same people: Office of Personnel Management (OPM).

Clearance 12 Feet 4 Inches photo by Beige Alert.

Don’t get me wrong, life is not all gloom and doom.  OPM has this wonderful website now with the clearance forms called Electronic Questionnaires for Investigations Processing (e-QIP).  The best part: it remembers your details so you don’t have to fill them out every time.  Clearance paperwork has now become as simple as updating your contact information and job details on a social networking site.  And it does validation of your filing information so that you don’t have a different way of doing things from agency to agency.

Benefits of Centrally-Managed Universal Clearances

Why am I arguing for managing clearances centrally?  Well, I’m both a taxpayer and a contractor.  This is my line of thought:

• Cheaper because of reduces redundancy (object lesson on the Federal Enterprise Architecture)
• Reduces “switch costs” for throwing out one contractor in favor of another. (heh, bring me in instead)
• Quicker onboarding for both govies and contractors
• More career options for cleared personnel
• Unified standard of accep
• Helps us get to one unified Government ID card (ack, HSPD-12)
• It’s just plain smarter Government!

Deus Ex Barry O?

Oh yeah, it’s Presidential transition time.  This means that everybody with an opinion comes out of the woodwork with their expert analysis on what the Government should do.  While we’re throwing ideas around, I would like to throw my hat in the ring with just a couple:

1. Appoint an executive-branch CIO and CISO. (already covered that)
2. Fix the clearance process so that there’s one authoritative set of clearances that apply everywhere.

Problem as I see it is that left to their own devices, the agencies have to “roll their own” because as downstream consumers of OPM, they don’t have a unifying standard.  As much as I hate getting mandates from OMB, this might be one that I’m willing to support.  And yes, I probably crossed some sort of political threshold somewhere along the line….

• Clearances and Economy of Scale
• It’s a Problem of Scale!
• Security Assessment Economics
• Cloud Computing and the Government
• The CyberArmy You Have…

I’ve always wondered why I have yet to meet anyone in the Government using Database Activity Monitoring (DAM) solutions, and yet the Government has some of the largest, most sensitive databases around.  I’m going to try to lay out why I think it’s a great idea for Government to court the DAM vendors.

Volume of PII: The Government owns huge databases that are usually authoritative sources.  While the private sector laments the leaks of Social Security Numbers, let’s stop and think for a minute.  There is A database inside the Social Security Administration that holds everybody’s number and is THE database where SSNs are assigned.  DAM can help here by flagging queries that retrieve large sets of data.

Targetted Privacy Information:  Remember the news reports about people looking at the presidential candidate’s passport information?  Because of the depth of PII that the Government holds about any one individual, it provides a phenomenal opportunity for invation of someone’s privacy.  DAM can help here by flagging VIPs and sending an alert anytime one of them is searched for. (DHS guys, there’s an opportunity for you to host the list under LoB)

Sensitive Information: Some Government databases come from classified sources.  If you were to look at all that information in aggregate, you could determing the classified version of events.  And then there are the classified databases themselves.  Think about Robert Hanssen attacking the Automated Case System at the FBI–a proper DAM implementation would have noticed the activity.  One interesting DAM rule here:  queries where the user is also the subject of the query.

Financial Data:  The Government moves huge amounts of money, well into $Trillions.  We’re not just talking internal purchasing controls, it’s usually programs where the Government buys something or… I dunno… “loans” $700B to the financial industry to stay solvent.  All that data is stored in databases.

HR Data:  Being one of the largest employers in the world, the Government is sitting on one of the largest repository of employee data anywhere.  That’s in a database, DAM can help.

Guys, DAM in the Government just makes sense.

Problems with the Government adopting/using DAM solutions:

DAM not in catalog of controls: I’ve mentioned this before, it’s the dual-edge nature of a catalog of controls in that it’s hard to justify any kind of security that isn’t explicitly stated in the catalog.

Newness of DAM:  If it’s new, I can’t justify it to my management and my auditors.  This will get fixed in time, let the hype cycle run itself out.

Historical DAM Customer Base:  It’s the “Look, I’m not a friggin’ bank” problem again.  DAM vendors don’t actively pursue/understand Government clients–they’re usually looking for customers needing help with SOX and PCI-DSS controls.

London is in Our Database photo by Roger Lancefield.

• Civilians Ask “What’s With All the Privacy Act Kerfluffle?”
• Transparency in Government: Just Give us the Data!
• Selling Water to People in the Desert
• Cloud Computing and the Government
• Web 2.0 and Social Media Threats for Government

Paraben is a leading vendor for digital forensics products (http://www.paraben.com/). However, within this huge international market, Paraben specializes in digital forensic products for mobile devices such as PDA and phones. Paraben just recently released a very nice product called the Cell Seizure Investigator (CSI) Stick (http://www.csistick.com/index.html).

Aside from the overly-dramatic marketing embedded in the name of the product, this seems to be another solid addition to the Paraben product line. The device is designed to make a forensically correct copy of the data on your mobile phone–including call records, address books, and text messages. The devices look basically like a USB flash memory drive with the addition of an adapter/interface unit.

The copying process is largely automatic and the CSI Stick is quite reasonably priced at $99 -199, depending on the software bundle. The market reaction to this product is also quite positive. My friends in the industry who have used the device consider it an indispensable time-saving device. I can hardly wait until I get my have on one myself. In the past when, I was tasked to recover such data it was much more time consuming and hardware intensive process.

Equally fascinating, is the release (if you can call it that) of a product with a similar form-factor from Microsoft. The product is released on a flash drive and is called COFEE (Computer Online Forensic Evidence Extractor — http://www.microsoft.com/presspass/features/2008/apr08/04-28crantonqa.mspx).  Microsoft indicates that COFEE contains 150 commands that facilitate the collection of digital evidence from computers that it is physically connected to. In addition, COFEE can decrypt passwords, and collect information on a computer’s Internet activity, as well as data stored in the computer. Microsoft has indicated that COFEE has been made available to law-enforcement agencies only. And, according to one report, law-enforcement agencies in 15 nations have been provided with the device.

My initial reaction to this news was that it was not an unexpected development and that the announcement would be greeted with inevitable jokes about the need for Microsoft to also release a companion product called DONUTS. In fact, the reaction of the technical press has been largely negative and suspicious. Most of the concerns seem to center on privacy and individual rights. However, there isn’t a single capability associated with COFEE that I have been able to confirm, that doesn’t exist in some other commercial or open-source product. I do wish that I could get my hands on a trial or lender copy of COFFEE so that I could confirm this position.

Locksmith Sign photo by Meanest Indian.

While I admit that I have always been concerned about the safeguarding individual’s civil liberties, I am largely puzzled at the negative reactions. One element of the outcry that I do understand is an emotional one and that centers on the concept that a company that is paid to protect your secrets should not also be selling the tools and techniques to compromise those secrets. On an emotional level this makes sense.

However, the real world is very different. For example, every major automobile manufacturer cooperates with locksmiths to insure that there are low-cost and non-destructive means to circumvent you car locks in the event that you lock you keys in your cars or just loose you car key outright. Without getting into the details of defeating car locks, may automobile manufactures even provide specialized equipment and technical materials directly to locksmiths to facilitate this process.

If there are concerns that Microsoft my be caught in a ethical conflict of interest, we need to look at similar conflicts in other industries, and that’s food for thought.

• A Perspective on the History of Digital Forensics
• Evolution of Penetration Testing: Part 1
• Transparency in Government: Just Give us the Data!
• Inside the Obama Administration’s Cyber Security Agenda
• Database Activity Monitoring for the Government

In part 1 on this blog I outlined the fact penetration testing evolved from a grey-art practiced by hackers into a more formal process.  This evolution has created a bifurcation within “boutique” penetration test service providers.

On the one hand tools-oriented budget firms offer little value added beyond simply running simple vulnerability scans.  On the other more profession and experienced firms offer the same tests and scans but also offer analysis that can be offered as direct actionable input into an organization’s existing security governance structure. 

The fly in the ointment is that not all security consumers or security organizations are created equally.  Some IT security organizations can be characterized a compliance-based.  That is to say that they establish and follow a set of rule that they believe will put them on the road to IT security.

On the other hand, most IT security organizations are risk-based and technically oriented.  They also follow a formal structure but, addressing risk with the appropriate application of process, procedures, and technology.  In  graphical terms the situation would appear to line-up as depicted in table 1.  Table quadrant 1 representing a weak security organization supported by, “Tool-boys” is noted in red because the risks associated with this coupling.  Quadrants 2 and 3 are noted in yellow because of the risks associated with either a weak security organization or weak testing input.  

Table 1

However, in the real world the table should look more like Table 2. With the increasing acceptance of Compliance-based security models, a set of independently administered vulnerability scans suffices to “check the box” for the requirements for a penetration test.  This is good news for these budget “boutique” firms. 

Table 2

However, as might be expected, it is bad news for IT security in general since all networks live in the same security ecosystem.   Market drivers that encourage poor security practices hurt us all.

Hacker Store photo by LatinSuD.

• Evolution of Penetration Testing: Part 1
• NIST and SCAP; SCAP @ Large Part 2
• Comments on SCAP 2008
• An Open Letter to NIST About SP 800-30
• Core Belief #4 — Compliance is a Dead-End

Penetration testing is a controversial topic with an interesting history. It is made all that much more controversial and perplexing because of an common disconnect between the service provider and the consumer.

Penetration started as a grey-art that was often practiced/delivered in an unstructured and undisciplined manner by reformed or semi-reformed hackers. Penetration testers used their own techniques and either their own home-grown tools or tools borrowed or traded with close associates. There was little reproducibility or consistency of results or reporting. As a result, the services were hard to integrate into a security program.

As the art evolved it became more structure and disciplined and tools, techniques, and reporting became more standardized. This evolution was driven by papers, articles, technical notes that were both formally published and informally distributed. In the end, a standardized methodology emerged that was largely based on the disciplined approach used by the most successful hackers.

Hakker Kitteh photo by blmurch.

At about the same time open-source, government and commercial tools began to emerge that automated many of the steps of the standardized methodology. These tools had two divergent impacts on the art of penetration testing. As these tools were refined and constantly improved they reinforced the standard methodology, provided more consistent and reproducible results and improved and standardized penetration reporting. All of this made penetration testing easier for the consumer to absorb and integrate into security programs. As a result, regulations and security protocols emerged that required penetration and security assessments. Nmap and Nessus are excellent examples of the kind of tools that help shape and push this evolution. And, because of their utility they are still indispensable tools today.

However, Nessus also helped to automate both data collection and analysis, it has lowered the bar for the skills and experience needed to conduct portions of the penetration testing methodology. This lowered the cost of penetration testing and made them much more broadly available. Thus, giving rise to so-called “boutique firms.” The problem with penetration testing “boutique firms” is that they fall into two broad categories; specialized highly professional firms led by experienced and technical security professionals who can translate automated tool output into root-cause analysis of vulnerabilities, and security program flaws. The second category of firm consists of opportunist firms with just enough knowledge to run automated tools and cut and paste the tool output into client reports. The later firms are some times called “tool-firms” and their employees “tool-boys.”

The later flourish for two reasons. The first is that they can offer their services at rock bottom prices. The second reason is that security organizations are often so ill-informed of the intricacies of the penetration testing process that can’t make a meaningful distinction between the professional firms and the tool-boys except on the basis of costs.

• Evolution of Penetration Testing: Part 2
• NIST and SCAP; Busting a cap on intruders Part 1
• Comments on SCAP 2008
• The 10 CAG-egorically Wrong Ways to Introduce Standards
• 20 Critical Security Controls: Control-by-Control