I had a friend, Mr Vlad the Impaler of blog comment fame, who sent me this article: 10 Pieces of Lousy Security Advice.
Numbers 1 and 4 (IIRC) are my favorite whipping-boy, c*mpliance. Yes, it’s lightweight reporting and fairly obvious to security dweebs, but it brings a tear to my eyes. =)
Posted in Rants, The Guerilla CISO | 
3 Comments »
Yes, I think I got Rob Newby hooked on saying the “C-Word”. Now if he says in on the BBC and I get a recorded version of it in my email, I’ll die happy.
I would like to think I was the first person in the world to use this phrase, but then again, I like to think I started the whole “Long Tail of Security” that people have been talking about this week thanks to Mark Curphey.
Another phrase that I want to popularize in addition to the “C-Word” is “C*mpliance” as in how it’s a dirty little word to say around me. This isn’t entirely my idea, I got it from the Hashers who use the word “r*nner” to describe those daffy people who think that if they don’t go faster, the beer will be gone before they get there.
It’s the little things that make me happy sometimes. Having people start talking like me is one of them. =)
Posted in Odds-n-Sods, The Guerilla CISO | 10 Comments »
AC-23 Self-Destructing Mobile Devices
Control:
The organization equips all mobile devices with self-igniting devices so that they are destroyed upon command.
Supplemental Guidance:
Contrary to what Adam Shostack believes, data breaches are not good for the US Government. Therefore, it is of the utmost importance that we not allow a data breach ala VA, TSA, and others.
Control Enhancements:
(1) The organization configures mobile devices to be destroyed when they are outside of a government facility. (2) The organization configures mobile devices to be destroyed when they are outside of arms reach of the registered owner. (3) The organization configures mobile devices to be destroyed at random to discourage users from putting data on them.
Low: PS-9 Moderate: PS-9(1)(2) High: PS-9(1)(2)(3)
Posted in FISMA, Odds-n-Sods, The Guerilla CISO | 4 Comments »
Earlier this week, I got a 3-year-old System Security Plan (SSP) in the mail from one of my customers wanting me to update parts. My first response was “cute, we don’t really do that free-form style of document munging anymore,” followed up with “how do you expect me to discuss that ‘during an earthquake the building might have more load on it than it is designed to hold'” and then “What value do we get out of this exercise?” The translation into non-government speak is the following:
For its time and place, the SSP was correct, but it seems so quaint 3 years later. Naturally, this got me thinking about maturity of information security standards. What I’ve seen is that for any kind of a standard, there is a cycle:
Now the trick here is to be one of The Intermediaries because they get to come in and help define the standard. If you make the standard, then you automagically have achieved “compliance”. I think the big difference between being an Early Adopter and an Intermediary is how much time and effort you have to spend to teach the enforcers of the standard what your “Level of Pain” is and where you’re having problems doing what it is they’re asking you to do.
In the case of my aforementioned SSP, it bordered on Early Adopter and Intermediary. but how do you conform to a standard that’s still being written? It’s an interesting conundrum, and one of the contradictions of security in the government that we discuss when I teach.
Strangely enough, this cycle applies to just about any technology or standard, underlining my core belief that security is no different. My thought for today is this: if life imitates art, and security imitates life, then does security imitate a subset of art?
Jokingly, I think it’s more like the Kübler-Ross Grief Cycle (copied from changingminds.org):
Shock stage: Initial paralysis at hearing the bad news. “They want us to do what?”
Denial stage: Trying to avoid the inevitable. “This doesn’t really apply to us, we just make Frobulators, not Thingamajigs.”
Anger stage: Frustrated outpouring of bottled-up emotion. “No fscking way are we going to do it, you can’t penalize us enough to compensate for us not doing it.”
Bargaining stage: Seeking in vain for a way out. “How about if we give you a SAS-70 instead?”
Depression stage: Final realization of the inevitable. “How are we going to get this done, it’s too much, too expensive, the end is NEAR!!!”
Testing stage: Seeking realistic solutions. “So what level of compensating controls can we discuss?”
Acceptance stage: Finally finding the way forward. “OK, we might as well get a project started.”
Posted in FISMA, Odds-n-Sods, The Guerilla CISO | No Comments »
I’ve been sitting in some vendor presentations lately–I think they invite me along so I can be the resident curmudgeon–and I’m starting to get a good feel for what both the government and myself want in a product.
I want to know how a tool fits into my IA framework. That framework for me is NIST SP 800-53. One side effect of 800-53 is that I can’t justify a product “just because”–I have to state how this tool or service will help me attain “compliance” with the minimum baseline of security controls. It’s not enough anymore to just say “hey, our product helps you with SP 800-53 controls, have some magic FISMA Fairy Dust“.
Advice for vendors: take the day of effort to provide a traceability matrix for me. What I have is a Plan of Actions and Milestones (POA&M) that requires me to implement the following controls:
Now what I want is for your product to say the following:
If your product doesn’t do a control, don’t mention it. But by all means get somebody who routinely works with the catalog of controls to determine if you meet the control objective: there’s nothing I hate more than trying to understand how somebody stretched their interpretation of control objectives that I now have to turn around and rationalize to an auditor. It’s OK if your product doesn’t do everything as long as it does the right things.
Now the reason I bring all this up is that I, too, am a vendor–a services/outsourcing vendor. I’m taking the time this week to do my own traceability matrix that says something like this:
The whole idea is to delineate the responsibilities for pre-sales work so that when somebody contracts with us, they know the Government’s responsibilities, our Project Management Office’s (PMO’s) responsibilities, and my operations group’s responsibilities. It’s going back to the nature of outsourcing and the fact that transparency is key.
Posted in FISMA, NIST, Outsourcing, The Guerilla CISO | 3 Comments »
I helped give our auditors from the Defense Contract Audit Agency (DCAA) some education on how managed services work. We did the usual presentation–who the building tenants are, what takes place in the various floors, and what services we offer.
In case you’re not familiar with DCAA, the basic rundown is that they are the financial auditors for government contracts. They look at your numbers and try to detect how and where you are committing financial fraud. In our case, we have distinct service descriptions and a set of financial and operational metrics to support the numbers (ie, each server requires 1 hour per month on average to do patching and fix outages, so the cost to us is $100, add your markup and that’s the cost per month to monitor and manage a device).
This is risk management through education for us. When you have auditors who don’t understand why an IT operations shop would need 13K gallons of diesel fuel (I thought you did IT?), the least you can do is to educate them.
Posted in Risk Management, The Guerilla CISO | 2 Comments »
« Previous Entries Next Entries »
Posts RSS
Subscribe via Email