Moving

Posted August 27th, 2007 by

Yep, I was quiet last week on the blog front. I moved from my not-so-wonderful abode in Falls Church to part of the “tech ghetto” along the Dulles Toll Road. Let’s just say it’s a good upgrade and leave it at that.

However, I’m back at blogging after a week’s hiatus.


Posted in Odds-n-Sods | 1 Comment »

The “C-Word”

Posted August 17th, 2007 by

Yes, I think I got Rob Newby hooked on saying the “C-Word”. Now if he says it on the BBC and I get a recorded version of it in my email, I’ll die happy.

I would like to think I was the first person in the world to use this phrase, but then again, I like to think I started the whole “Long Tail of Security” that people have been talking about this week thanks to Mark Curphey.

Another phrase that I want to popularize in addition to the “C-Word” is “C*mpliance”, as in how it’s a dirty little word to say around me. This isn’t entirely my idea; I got it from the Hashers, who use the word “r*nner” to describe those daffy people who think that if they don’t go faster, the beer will be gone before they get there.

It’s the little things that make me happy sometimes. Having people start talking like me is one of them. =)


Posted in Odds-n-Sods, The Guerilla CISO | 10 Comments »

More Security Controls You Won’t See in SP 800-53

Posted August 16th, 2007 by

AC-23 Self-Destructing Mobile Devices
Control:
The organization equips all mobile devices with self-igniting devices so that they are destroyed upon command.

Supplemental Guidance:
Contrary to what Adam Shostack believes, data breaches are not good for the US Government. Therefore, it is of the utmost importance that we not allow a data breach à la VA, TSA, and others.

Control Enhancements:
(1) The organization configures mobile devices to be destroyed when they are outside of a government facility.
(2) The organization configures mobile devices to be destroyed when they are outside of arm’s reach of the registered owner.
(3) The organization configures mobile devices to be destroyed at random to discourage users from putting data on them.

Low: AC-23 Moderate: AC-23(1)(2) High: AC-23(1)(2)(3)


Posted in FISMA, Odds-n-Sods, The Guerilla CISO | 4 Comments »

Standard Maturity

Posted August 15th, 2007 by

Earlier this week, I got a 3-year-old System Security Plan (SSP) in the mail from one of my customers wanting me to update parts. My first response was “cute, we don’t really do that free-form style of document munging anymore,” followed up with “how do you expect me to discuss that ‘during an earthquake the building might have more load on it than it is designed to hold’” and then “What value do we get out of this exercise?” The translation into non-government speak is the following:

  • The format is free-text
  • The SSP was a rehash of contractual requirements and how they were satisfied (not a bad idea for a start, but it doesn’t answer the rest of what we need)
  • The SSP was written before we had a catalog of controls (SP 800-53)
  • Most people nowadays use the catalog of controls as the outline for most of the SSP

For its time and place, the SSP was correct, but it seems so quaint 3 years later. Naturally, this got me thinking about maturity of information security standards. What I’ve seen is that for any kind of a standard, there is a cycle:

  • Initial Release: Standard is published, everybody has a look at it.
  • Early Adopters: Something nobody wants to be. These people waste tons of effort because once they go in a direction, the standard will change. Bottom line is lost time, effort, and money to be an early adopter. Reminds me of the old saying “How can you identify the true pioneers? They’re the ones with the arrows sticking out of their backs.”
  • The Intermediaries: These people get to help write the implementation guidance for the standard. They are similar to the Early Adopters except they are more careful and don’t commit to large changes unless they have them adopted into the guidance.
  • The Hoi-Polloi: Once the standard is mature (or perceived to be mature), the rest of the masses will commit to the standard.

Now the trick here is to be one of The Intermediaries because they get to come in and help define the standard. If you make the standard, then you automagically have achieved “compliance”. I think the big difference between being an Early Adopter and an Intermediary is how much time and effort you have to spend to teach the enforcers of the standard what your “Level of Pain” is and where you’re having problems doing what it is they’re asking you to do.

In the case of my aforementioned SSP, it bordered on Early Adopter and Intermediary. But how do you conform to a standard that’s still being written? It’s an interesting conundrum, and one of the contradictions of security in the government that we discuss when I teach.

Strangely enough, this cycle applies to just about any technology or standard, underlining my core belief that security is no different. My thought for today is this: if life imitates art, and security imitates life, then does security imitate a subset of art?

Jokingly, I think it’s more like the Kübler-Ross Grief Cycle (copied from changingminds.org):

  • Shock stage: Initial paralysis at hearing the bad news. “They want us to do what?”
  • Denial stage: Trying to avoid the inevitable. “This doesn’t really apply to us, we just make Frobulators, not Thingamajigs.”
  • Anger stage: Frustrated outpouring of bottled-up emotion. “No fscking way are we going to do it, you can’t penalize us enough to compensate for us not doing it.”
  • Bargaining stage: Seeking in vain for a way out. “How about if we give you a SAS-70 instead?”
  • Depression stage: Final realization of the inevitable. “How are we going to get this done, it’s too much, too expensive, the end is NEAR!!!”
  • Testing stage: Seeking realistic solutions. “So what level of compensating controls can we discuss?”
  • Acceptance stage: Finally finding the way forward. “OK, we might as well get a project started.”


Posted in FISMA, Odds-n-Sods, The Guerilla CISO | No Comments »

More Tollroad Follies

Posted August 14th, 2007 by

Article from AP/MSNBC about “E-toll devices used to prove cheaters ‘took the off-ramp to adultery’”. Sensationalist subtitle aside, the metrics they give are the following:

  • Illinois: ~30 subpoenas or court orders the first half of this year, ~50% for divorce cases
  • 4 states only provide information in criminal cases

It’s hardly what I would call a serious problem, but still a problem if it’s your records that they want to get their hands on.

Now the simple lesson is this: If you’re a cheating heart, use a tinfoil hat for your E-ZPass or take the back roads. =)


Posted in Odds-n-Sods | 2 Comments »

Jeff Jones and Flameproof Underwear

Posted August 3rd, 2007 by

So far I’ve been avoiding mentioning his now-infamous Vista 6-Month Vulnerability Report blog posting because, well, it doesn’t really matter to me what he thinks, and any boss that makes a decision solely on this study needs to have a visit from the giant foam cluebat. =)

But it’s been over a month (the post was published June 21st) and he’s still getting half a dozen comments per day. I have to respect anybody that can harness that much hate in such a short period of time and still keep coming to work every day.


Posted in Odds-n-Sods, Technical | 1 Comment »
