Note the emphasis on good.  Note the emphasis on public policy.

Yes, folks, we need good policy people.  Think about the state of security and public policy today:

• We have FISMA which is a law.  Everybody’s whipping boy but it’s exactly where it needs to be to have risk-based management of IT security.
• We have a framework for implementing FISMA.  It’s a pretty good set of process, policy, and standards that have spilled over into the private sector.
• You need a crowbar to get good/smart security people to deal with politics, it takes a death ray to get them to deal with public policy.
• We don’t have high-level policy-makers who understand risk management and they are co-opting the model of compliance.
• Public policy is the upstream neighbor of information security and what public policy people do influences what we do.
• If we want to succeed in security at the operational and tactical level, we need to have the right decisions made at the strategic level, and that includes public policy.
• I’m not just talking about security and the Government, this is also with things like breach laws; compliance frameworks (PCI, HIPAA); and how unpatched and zombified desktops hurt everybody else.

So in true Guerilla CISO style, I’m doing something about it.  Armed with my favorite govie (who is actually the lead on this, I’m just a straphanger), The New School of Information Security (Hi Adam and Andrew), some government policy directives, and the National Strategy to Secure Cyberspace, I am teaching an Information Security Management and Public Policy class for Carnegie Mellon’s Heinz School.

The more I work with the Masters of Science in Public Policy Management program, the more I’m sold on it.  Basically the students do a year on-campus in Pittsburg, then they have the option of staying there or coming to DC.  The students who come to DC work a 32-hour week (some do more), 2 night classes, and class for most of Friday.  Our information security class fits in as a sector-specific deep-dive, the other one being healthcare (which needs smart public policy people, too).

Which is where we need some help.  It’s a little behind the game, but we’re constantly looking for Government agencies, NGOs/NPOs, and contractors who are interested in taking on interns.  Even better if you have jobs that don’t have a US citizenship requirement.  If you want to be linked up, just drop me a line.

And oh yeah, my blogging has slowed down because I’m working 2 new projects and traveling to Tennessee and teaching Thursday nights and my life just got way busy.  =)

Alexander Hamilton Statue photo by dbking.

• Comments on SCAP 2008
• How to Not Let FISMA Become a Paperwork Exercise
• Next Up in Security Legislation: S3474
• Blow-By-Blow on S.773–The Cybersecurity Act of 2009–Part 1
• “Machines Don’t Cause Risk, People Do!”

I was attending a conference at NIST (the National Institute of Standards) concerning the SCAP program (Security Content Automation Protocol; pronounced ESS-cap).  SCAP is focused on providing the Federal government with automated, common,  interoperable security solutions.  Specifically the SCAP program has developed a common set of standards for reporting security vulnerabilities for use in automated security scanners, security appliances and reporting systems.

Well, why do we need SCAP?  If we use the Godfather of all vulnerability management tools, the NESSUS vulnerability scanner as an example, we have seen that industry has produced a number of similar products.  Each has its own strengths and rich feature set.  However, none of them use the same “language” for detecting or describing or reporting a potential vulnerability.  This not only means that these various products can only be used to operate with each other with some measure of difficulty but, trying to aggregate and manage the result of reports from these systems can be tedious.

“Tim Bray at XML 2005” photo by Roland.

As a result of these efforts and vision of the dedicated employees at NIST, industry is already scrambling to get their related products SCAP certified.  And, Federal agencies are also specifying in contracts that products must be SCAP certified in order to be qualified for purchase.  This is real progress and great news for the tax payer who will get real better value for their tax dollar.  But, it is not a revolution — yet.  Where I see the revolution emerging is in six-month to a year time frame when industry takes note of the SCAP program and we begin to see SCAP certified and SCAP interoperable products being ordered.  It will not be long after that that we may see the SCAP protocol used in even consumer-level products like personal firewalls.  This ability to give us all a common language will significantly reduce the cost of building and supporting vulnerability scanners and vulnerability reporting tools.  This cost reduction will allow resources to be freed up to address prevention and mitigation concerns in a more meaningful manner.

For example, industry has tools that enable network and security support professionals to detect a mis-configuration in a desktop machine in their network and correct it.  But, only the largest and most well funded security IT security departments have such tools.  With the advent of SCAP, these kind of services will be much more affordable and supportable and thus more common.  In fact, because much of this can be automated, I can even envision the McAfee, Symantec, and others who are well placed in the vulnerability scanning market to offer support services over the wire to smaller businesses and to consumers.  Moreover, as this technology improves and becomes commoditized, I can see ISP’s offering security scanning and mediation as a service to their customers.

• NIST and SCAP; SCAP @ Large Part 2
• Security Automation Developers Conference Slides
• Comments on SCAP 2008
• Save a Kitten, Write SCAP Content
• Federated Vulnerability Management

I toyed for several years about making an infosec hall of shame.  Like seriously, I already had some candidates, you know who most of them are, it’s the same as the Washington Post Front-Page Metric.

Hall of Fame, Hall of Shame photo by leafar.

And my friends and I had some other nummy tidbits from our travels out and about, doing this stuff in the place where theory meets the realities of implementation.

Now if you look around on The Guerilla CISO, you’ll find that I don’t have a Hall of Shame.  I eventually decided not to have one after much deliberation, and the reason is this:  If you have key decision-makers that are removed or abstracted from the impacts of the decisions that they make, it is not fair to publicly humiliate the people who have to live with the implementation of the decisions.

And for better or worse, that’s the way the Government’s security model (and many other things) works.

• An Informal Study on the Literacy Level of Security Blogs–We All Get Pwned by Amrit
• It’s a Blogiversary
• In Which Our Protagonist Discovers We Need More Good Public Policy People Who Understand Security
• Working with Interpreters, a Risk Manager’s Guide
• Federal CIO Council’s Guidelines on Security and Social Media

I’ve spent a couple of days traveling around to agencies to teach.  It was fun but tiring, and the best part of it is that since I’m not teaching pure doctrine, I can include the “here’s how it works in real life” parts and some of the BSOFH parts–what I refer to as the “security management heretic thoughts”.

Some basic statements, the rest of this post will explain:

• C&A is a commodity market
• Security controls assessment is a commodity market
• PCI assessment is a commodity market
• Most MSSP (or rather, Security Device Management Service Providers) services are commodity markets

Now my boss said the first one to me about 4 months ago and it really needed some time for me to grasp the implications.  What we mean by “commodity market” is that since there isn’t really much of a difference between vendors, the vendors have to compete on having the lower price.

Now what the smart people will try to do is to take the commodity service and try to make it more of a boutique service by increasing the value.  Problem is that it only works if the customers play along and figure out how your service is different–usually what happens is you lose in the market simply because now you’re “too expensive”.

Where Boutique Sits by miss_rogue.

Since the security assessment world is a services business, the only way to compete in a commodity market is to pay your people less and try to charge more. But oh yeah, we compete on price, so that only leaves the paychecks as the way to keep the margin up.

Some ways that vendors will try to keep the assessment costs down:

• Hire cheaper people (yes, paper CISSPs)
• Try to reduce the engegement to a formula/methodlogy (ack, a checklist)
• It’s all about billability:  what percentage of your people’s time is not billable to clients? 
• Put people on assessments who have tangential skills just to keep them billable
• Use Cost-Plus-Margin or Time-Plus-Materials so that you can work more hours
• Use Firm-Fixed-Price contracts with highly reduced services ($150 PCI assessments)

Now inside Government contracting, there’s a fact that’s not known outside of the beltway:  your margins are fixed by the Government.  In other words, they only allow you to have around a 13-15% margin.  The way to make money is that the pie is a much bigger pie, even though you only get a small piece of it.  And yes, they do look at your accounting records and yes, there are loopholes, but for the most part, you can only collect this little margin.  If you stop and think about it, the Government almost forces the majority of its contractors into a commodity market.

Then we wonder why C&A engagements go so haywire…

The problem with commodity markets and vulnerability/risk/pen-test assessments is that your results, and by extension your ability to secure your data, are only as good as the skills and creativity of the people that the vendor sends.  Sounds like a problem?  It is.

So knowing this, how can you as the client get the most out of your service providers? This is a quick list:

• Every year (or every other), get an assessment from somebody who has a good reputation for being thorough (ie, a boutique)
• Be willing to pay more for services than the bottom of the market but be sure that you get quality people to go along with it, otherwise you’ve just added to the vendor’s margin with no real improvements to yourself
• Get assessments from multiple vendors across the span of a year or two–more eyes means different checklists
• Provide the assessors with your own checklists so you can steer them (tip from Dave Mortman)
• Self-identify vulnerabilities when appropriate (especially with vulnerabilities from previous assessments)
• Typical contracting fixes such as scope management, reviewing resumes of key personnel, etc
• Get lucky when the vendor hires really good people who don’t know how much they’re really worth (that was me 5 years ago)
• More than I’m sure will end up in the comments to this post  =)

And the final technique is that it’s all about what you do with the assessment results.  If you feed them into a mitigation plan (goviespeak: POA&M) and improve your security, it’s a win.

• Engagement Economics and Security Assessments
• Categories of Security Controls in Outsourcing
• Splunk Goes After the FISMA Lucre, They’re not Alone
• When the Feds Come Calling
• Split-Horizon Assessments and the Oversight Effect

I have a very disturbing trend with comments to my blog:  I don’t get any comments on the serious stories–only the “fun” posts.

This leads me to believe one of the following is at play:

• I write succinctly and with authority and never make mistakes. (at least it helps to hope…)
• Nobody knows the subjects that I talk about because it’s a niche to a niche.
• I don’t sensationalize the news enough to make people want to comment.  Note that this is a radical departure from the mainstream media when it comes to security and government, where FUD-mongering is the norm.
• People are scared of me because they think I’m intellectually and emotionally unstable and that I’m going to trash them if they comment.  =)
• Government employees are afraid to put anything critical of their leadership in writing.
• Like they say about the classified world, “Those who know don’t talk, those who talk don’t know”. (side note:  what am I saying about myself here?)
• The First Rule of FISMA Club is that YOU DO NOT TALK ABOUT FISMA CLUB!!!111oneoneone
• If it’s your first comment, you have to fight.

Blog Explanation in French by Stephanie Booth

Now the problem for me is that in order to make security in the government work, we need to change the culture of the people doing it.  IT and specifically security require a zero-defects approach, and this is counter to survivability in a political environment.  The only way we can do that is if I’m not the only voice preaching in the wilderness–I really do want people to tell me I’m full of it and give a good rationale.  =)

In the spirit of helping, this is the Guerilla’s Guide to Commenting on http://www.guerilla-ciso.com/

• Everything in Moderation:  No big surprise–I moderate comments.  This is pretty much so I can keep the spam out.  I’ve only had one legitimate post that I deleted because it was personal in nature from a person who knew me in “a past life”.
• Email is Semi-Anonymous:  If you post a comment using a bogus email address, I’m happy with it as long as the content is relevant and doesn’t look like spam.  The email address is really only so wordpress can track you and automagically approve your next post as long as the name and email match up.
• Thou Shalt Remember the Chatham House Rule:  I do not repeat anything that was told to me in confidence.  Neither should you.  Yes, there are things I won’t write on here, like the conversation I had with [censored] from [censored] who confirmed that [censored]-[censored] is not yet final because [censored].
• I’m Neither a Crook Nor a Cop:  I have yet to receive any kind of subpoena asking for subscriber or commenter information, nor do I send you stupid spam jokes because I know who you are.

I’ll end with one of my favorite army jokes:  “What’s the difference between a war story and a fairy tale?  A fairy tale begins with ‘Once upon a time’, war stories begin with ‘No sh*t, there I was'”.

• On Government Employees, Culture, and Survivability
• The Press has Me all Confused
• My Blog is Dead, Long Live My Blog!
• On Why I Blog… FUD is the Reason for the Writin’
• A Funny Thing Happened Last Week on Capital Hill

A couple of weeks ago, Martin McKeay was in town and recorded an interview with me.  I wax poetically on my typical things–FISMA, risk assessment, anti-compliance.

The funny thing is, weeks later, I listened to myself and I actually sound like I know something…. Who woulda thunk it?  =)

• Security Assessments as Fraud, Waste, and Abuse
• No, FISMA Doesn’t Require That, Silly Product Pushers
• I’m on the OWASP Podcast
• How to Not Let FISMA Become a Paperwork Exercise
• On Why I Blog… FUD is the Reason for the Writin’