The 10 CAG-egorically Wrong Ways to Introduce Standards

Posted February 20th, 2009 by

The Consensus Audit Guidelines (CAG) appear, at this point, to be a reasonable set of guidelines for mediating some human threats. I’m looking forward to seeing what CAG offers and have no doubt there will be worthwhile and actionable controls in the document. That said, there are significant reasons approach CAG with skepticism and assess it critically.

The motivation for CAG is described in a set of slides at the Gilligan Group site. It starts with a focus on what CIO’s fear most: attacks, reduced operational capability, public criticism, data loss, etc. Then it rightly questions whether FISMA is adequately addressing those problems. It doesn’t and this is the genesis of the CAG.

Consensus photo by Eirik Newth.

Unfortunately CAG subsequently develops by pairing this first valid premise with a set of false premises.  These propositions are drawn from slides at gilligangroupinc.com, attributed to John Gilligan or Alan Paller:

  1. All that matters are attacks. The central tenet of Bush’s Comprehensive National Cyber Initiative (CNCI) is adopted as the CAG theme: “Defense Must Be Informed by the Offense”. CAG envisions security as defense against penetration attacks. As any seasoned security practitioner knows, attacks are a limited subset of the threats to confidentiality, integrity and availability that information and information systems face.
  2. Security through obscurity. CAG seems to have taken the unspoken CNCI theme to heart too, “The most effective security is not exposed to public criticism.” Since its very public December 11th announcement no drafts have been made publicly available for comment.
  3. False dichotomy. CAG has been promoted as an alternative to the OMB/NIST approach to FISMA. It isn’t. An alternative would target a fuller range of threats to information and information system security. CAG should be considered a complement to NIST guidance, an addendum of security controls focused on defense against penetration by hackers. NIST has even acted on this approach by including some CAG controls into the 800-53 Rev. 3 catalog of controls.
  4. There is too much NIST guidance! This is the implication of one CAG slide that lists 1200 pages of guidance, 15 FIPS docs and the assorted Special Publications not related to FISMA as detriments to security. It’s like complaining that Wikipedia has too many articles to contribute to improved learning. Speaking as someone who scrambled to secure Federal systems before FISMA and NIST’s extensive guidance, having that documentation greatly improves my ability to efficiently and effectively secure systems.
  5. NIST guidance doesn’t tell me how to secure my systems! NIST’s FISMA guidance doesn’t step you through securing your SQL Server. The Chairman of the Joint Chiefs also doesn’t deliver your milk. Why not? It’s not their job. NIST’s FISMA guidance helps you to assess the risks to the system, decide how to secure it, secure it accordingly, check that a minimum of controls are in place and then accept responsibility for operating the system. NIST also provides documents, checklists, repositories, standards, working groups and validation of automated tools that help with the actual security implementation.
  6. Automated security controls negate human errors. With the premise of all threats being attacks this is nearly a plausible premise. But not all security is technical. Not all threats come from the Internet. DHS, NIST, Mitre, and their partners have pursued automated security controls to enforce and audit security controls for years but automated security controls can only go so far. Human errors, glitches, unexpected conflicts and operational requirements will always factor into the implementation of security.
  7. Audit compatibility as a hallmark of good security. There is a conflict of focus at the heart of the CAG, it seeks to both improve its subset of security and improve audit compatibility. For technical controls this is somewhat achievable using automation, something NIST has pursued for years with government and industry partners. For operational and management controls it results in audit checklists. But audits are fundamentally concerned with testing the particular and repeatable, security needs focus on evaluating the whole to ensure the necessary security results. An audit sees if antivirus software is installed, an evaluation sees if the antivirus software is effective.
  8. Metrics, but only these metrics over here. When selecting the current crop of CAG controls decisions on what to include were reportedly based on metrics of the highest threats. Great idea, a quantitative approach often discovers counter-intuitive facts. Only the metrics were cherry picked. Instead of looking at all realized threats or real threat impacts only a count of common penetration attacks were considered.
  9. With a sample of 1. As a basis for determining what security should focus on the whole breadth of the security profession was queried, so long as they were penetration testers. Yes, penetration testers are some very smart and talented people but penetration testing is to security what HUMINT is to intelligence services. Important players, expert practitioners but limited in scope and best used in conjunction with other intelligence assets.
  10. Assessments rely on paper artifacts. The NIST guidance does not require paper artifacts. The first line in the NIST SP 800-53A preface is, “Security control assessments are not about checklists, simple pass-fail results, or generating paperwork to pass inspections or audits-rather, security controls assessments are the principal vehicle used to verify that the implementers and operators of information systems are meeting their stated security goals and objectives.” NIST SP 800-37 specifically and repeatedly states, “Security accreditation packages can be submitted in either paper or electronic format.”

CAG is a missed opportunity. Of the myriad problems with our current FISMA regime a lot of good could be achieved. The problems with guidance have many causes but can be addressed through cooperative development of best practices outside of NIST. The Assessment Cases for SP 800-53A is an example of how cooperative development can achieve great results and provide clear guidance. Other problems exist and can be addressed with better training and community developments.

My hope is that the Consensus Audit Guidelines will move towards a more open, collaborative development environment. The first release is sure to deliver useful security controls against penetration attacks. As with all good security practices it will likely need to go through a few iterations and lots of critical assessment to mature. An open environment would help foster a more complete consensus.

Consensus photo by mugley.



Similar Posts:

Posted in BSOFH, FISMA, Rants, Technical, What Doesn't Work, What Works | 9 Comments »
Tags:

Beware the Cyber-Katrina!

Posted February 19th, 2009 by

Scenario: American Internet connections are attacked.  In the resulting chaos, the Government fails to respond at all, primarily because of infighting over jurisdiction issues between responders.  Mass hysteria ensues–40 years of darkness, cats sleeping with dogs kind of stuff.

Sounds similar to New Orleans after Hurricane Katrina?  Well, this now has a name: Cyber-Katrina.

At least, this is what Paul Kurtz talked about this week at Black Hat DC.  Now I understand what Kurtz is saying:  that we need to figure out the national-level response while we have time so that when it happens we won’t be frozen with bureaucratic paralysis.  Yes, it works for me, I’ve been saying it ever since I thought I was somebody important last year.  =)

But Paul…. don’t say you want to create a new Cyber-FEMA for the Internet.  That’s where the metaphor you’re using failed–if you carry it too far, what you’re saying is that you want to make a Government organization that will eventually fail when the nation needs it the most.  Saying you want a Cyber-FEMA is just an ugly thing to say after you think about it too long.

What Kurtz really meant to say is that we don’t have a national-level CERT that coordinates between the major players–DoD, DoJ, DHS, state and local governments, and the private sector for large-scale incident response.  What’s Kurtz is really saying if you read between the lines is that US-CERT needs to be a national-level CERT and needs funding, training, people, and connections to do this mission.  In order to fulfill what the administration wants, needs, and is almost promising to the public through their management agenda, US-CERT has to get real big, real fast.

But the trick is, how do you explain this concept to somebody who doesn’t have either the security understanding or the national policy experience to understand the issue?  You resort back to Cyber-Katrina and maybe bank on a little FUD in the process.  Then the press gets all crazy on it–like breaking SSL means Cyber-Katrina Real Soon Now.

Now for those of you who will never be a candidate for Obama’s Cybersecurity Czar job, let me break this down for you big-bird stylie.  Right now there are 3 major candidates vying to get the job.  Since there is no official recommendation (and there probably won’t be until April when the 60 days to develop a strategy is over), the 3 candidates are making their move to prove that they’re the right person to pick.  Think of it as their mini-platforms, just look out for when they start talking about themselves in the 3rd person.

FEMA Disaster Relief photo by Infrogmation. Could a Cyber-FEMA coordinate incident response for a Cyber-Katrina?

And in other news, I3P (with ties to Dartmouth) has issued their National Cyber Security Research and Development Challenges document which um… hashes over the same stuff we’ve seen from the National Strategy to Secure Cyberspace, the Systems and Technology Research and Design Plan, the CSIS Recommendations, and the Obama Agenda.  Only the I3P report has all this weird psychologically-oriented mumbo-jumbo that when I read it my eyes glazed over.

Guys, I’ve said this so many times I feel like a complete cynic: talk is cheap, security isn’t.  It seems like everybody has a plan but nobody’s willing to step up and fix the problem.  Not only that, but they’re taking each others recommendations, throwing them in a blender, and reissuing their own.  Wake me up when somebody actually does something.

It leads me to believe that, once again, those who talk don’t know, and those who know don’t talk.

Therefore, here’s the BSOFH’s guide to protecting the nation from Cyber-Katrina:

  • Designate a Cybersecurity Czar
  • Equip the Cybersecurity Czar with an $100B/year budget
  • Nationalize Microsoft, Cisco, and one of the major all-in-one security companies (Symantec)
  • Integrate all the IT assets you now own and force them to write good software
  • Public execution of any developer who uses strcpy() because who knows what other stupid stuff they’ll do
  • Require code review and vulnerability assessments for any IT product that is sold on the market
  • Regulate all IT installations to follow Government-approved hardening guides
  • Use US-CERT to monitor the military-industrial complex
  • ?????
  • Live in a secure Cyber-World

But hey, that’s not the American way–we’re not socialists, damnit! (well, except for mortgage companies and banks and automakers and um yeah….)  So far all the plans have called for cooperation with the public sector, and that’s worked out just smashingly because of an industry-wide conflict of interest–writing junk software means that you can sell for upgrades or new products later.

I think the problem is fixable, but I predict these are the conditions for it to happen:

  • Massive failure of some infrastructure component due to IT security issues
  • Massive ownage of Government IT systems that actually gets publicized
  • Deaths caused by massive IT Security fail
  • Osama Bin Laden starts writing exploit code
  • Citizen outrage to the point where my grandmother writes a letter to the President

Until then, security issues will be always be a second-fiddle to wars, the economy, presidential impeachments, and a host of a bazillion other things.  Because of this, security conditions will get much, much worse before they get better.

And then the cynic in me can’t help but think that, deep down inside, what the nation needs is precisely an IT Security Fail along the lines of 9-11/Katrina/Pearl Harbor/Dien Bien Fu/Task Force Smith.



Similar Posts:

Posted in BSOFH, Public Policy, Rants | 6 Comments »
Tags:

Everything I know about security, I learned from Ghostbusters…

Posted February 17th, 2009 by

(Well maybe not everything…)
I’ve been the defacto security officer at a government agency going on two years now; it’s been quite a challenge. Without getting too deeply into how this happened (since I’m a contractor), I’d like to share some of the insights, horror stories, tips, and interesting anecdotes I’ve gathered over the past 22+ months.

If nothing else, many of my “preconceived notions” about managing an effective security program at a federal agency have been confirmed. Many others have been changed in ways I would never have suspected. I’m going to attempt to explain these in what I hope is an insightful, if not humorous way.

Ghostbusters works for me… At the time (1984), it was, hands-down, the funniest movie I had ever seen–it left its mark. It sure beats “Dude Where’s My Car?” for quotes that can be applied to security. But then some may say I’ve either set the bar a bit low, or I need to expand my movie viewing habits. Hey, work with me on this one people!!!

So, here are several quotes from the movie and their application to my philosophy on information security. I hope you enjoy it!


Ecto-1 photo by chad davis.

I’m from security, and I’m ready to believe you.
Listen. Foster discussion. Then, draw upon your experience and make your decision. Do not enter into a discussion with a mandate (unless from above). Mandates do not foster discussions, especially in areas where policy is absent or maybe not-so-explicit. Most importantly, this is an invitation for the person you’re talking to begin their side of their story.
Important Safety Tip: As the security professional, remember – this is the time for you to begin listening!

“Next time, if <someone> asks whether you’re a GOD, you say YES!”
Face it. Many of us security folks are humble. We all may even know what it is we don’t know. We might be a little gun-shy in our first few weeks on the job. However, don’t let your humility or shyness overcome you…

Like it or not, you are your organization’s security expert. “The Shell Answer Man,” the “Pro from Dover,” the “Go-to Guy/Gal.” While you may not have committed the processes contained within the IKE negotiation phases to memory, and may not be able to quote RFC 3514 off the top of your head, you probably DO know where to find the information… “I don’t know,” should never roll off your lips.

When you’re hired as the subject matter expert on security, you need to be confident–whether you’re knocking a soft-toss out of the park, but especially when you tell folks that you’ll research the topic and get back to them. Come back with the facts, and your credibility will be strengthened.

Likewise, when you have reservations about a particular situation, let folks know why you’re not jumping on board their crazy train. Invite discussion. State your case plainly and propose solutions, or if you can’t suggest an alternative, discuss it offline in another meeting focused on solutions. While your mission is to guard the organization’s interests, you can’t do so at the expense of the organization’s mission. Working closely with client service or engineering teams shows that security can be an integral part of solution development, and not an impediment. Think of this as guiding others to the solution – without telling them the “right” answer. This allows others to “own” the solution – their help may be valuable, if not necessary to help you socialize a potentially contentious (or expensive) solution.

“Don’t cross the streams…”
I love this one. I get to use this at least twice a day while speaking to engineering, operations, management or other folks at my agency. It’s gotten so that people have heard it so many times, they’re using it. Best part is, they are using the phrase correctly!

So what does this mean exactly? Generally/normally, the following things should never be directly connected to one another:

  • Classified and Unclassified Networks
  • The Internet and a Classified Network
  • Networks classified at different levels
  • Development, Test, and Production Networks/Environments
  • Accredited/trusted networks / less trusted
  • Management and Production Networks

“Wait! I thought you said crossing the streams was BAD?!”
So, what does this Ghostbusters quote mean to we security folk?
Every policy, however rigidly enforced, needs a waiver process.

So what do I really mean? When you understand and can quantify the risk of a particular practice or a particular action, you can develop compensating controls to make otherwise unthinkable practices (e.g., connecting unclassified networks to classified networks) less risky. In this example, it can be done using one-way guard technology, or some other similar trusted, manual process.

Face it, jumping off a bridge can be dangerous, if not suicidal. However, when the jumper attaches themselves to a bungee cord or uses a parasail, the act of jumping off a bridge can be reduced from a Darwin-qualifying stunt to thrilling fun or awesome opening movie scene (like the opening of the first XXX movie starring Vin Diesel as Xander Cage). It may not be for everyone – but, given the right safety equipment, some of us might even consider taking the leap.

There’s an even better example. Let’s say your network security policy forbids use of USB memory devices. Anyone seen with one is given a stern talking-to, if not killed outright. Well, maybe not killed… the first time. Let’s say a virus or worm gets into your network. Hey – it happens. As a precautionary measure, your response to this type of incident requires you to sever your network connections to your business partners as well as the Internet. So… How do you get the new virus definition file and virus engine from your Platinum Support Provider and install it on your server? It just so happens that in this case, you downloaded a copy using your uninfected laptop via your home internet connection… onto a USB memory stick. So, how do you reconcile what needs to be done against your policy? Obviously, an exception to the policy needs to be made.

As a matter of fact, every organization needs a policy that allows exceptions to be made to existing policy. This may sound like doublespeak, and the above may not be the best example, but it certainly does illustrate the point.

“What about the Twinkie?  Tell him about the Twinkie?!”
Never hide stuff from superiors. They don’t like surprises.
Never hide stuff from auditors. They have less of a sense of humor than your superiors.

“Human sacrifice, dogs and cats living together… MASS HYSTERIA.”
FUD doesn’t work. Don’t try it!

I hope these good-natured examples have gotten you to laugh (minimally), or possibly gotten the aspiring CISOs among you to think about how you might use humor in your day-to-day existence. I’d like to leave you with one more thought:
If you’re not having fun, you’re doing it wrong!

Cheers,
Vlad

FUD Fighter photo by cote.



Similar Posts:

Posted in BSOFH | 4 Comments »
Tags:

Everybody Else Is Doing It So Why Can’t We?

Posted May 8th, 2008 by

I’ve sat in on too many presentations lately.  After a couple of them, you start to think “Hey, I can do way better than that!”  And so I’ve been collecting my thoughts to get some presentations down and rehearsed.

Anyway, some sample topics I’ve thought up, hope you like them:

  • Security curmudgeon 101:  It all starts with electric shock and goes downhill rapidly
  • Contractors Never Go for Broke: how I learned to stop fearing unclear guidance and made a ton of moolah in the process
  • Who Moved My InfoSec Cheese:  What to do when the great big SOX cow in the sky dries up
  • Leadership Secrets of Attila the CISO: throwing dead bodies and the problem does create a solution!
  • $Racial_Slur in the Wire:  why your perimeter is massive pwnage once they get past it
  • The “S” in “SIEM” stands for “Suck”: learning how to deal with the limitations of security tools
  • Lessons from Language School: how I embraced the language and culture of our sworn enemies so that we could more effectively kill them in a bout of mutually assured destruction and why it seems so quaint in the new millenium
  • DAM Solutions: more than just the punch-line to analyst jokes
  • Data Reduction for Dummies: since the classification follows the data, if we get rid of it all, we don’t need to secure it
  • Physical and Environmental Protection for Packet Monkeys: learning why there’s a big red button on the wall of the data center next to the switches and what really happens when you push it

And, lo and behold, I am available to speak, always have been.  If you like an idea that I’ve put out there, put 3 squirrels on a park bench and I’ll give them a presentation.



Similar Posts:

Posted in BSOFH, Speaking, The Guerilla CISO | 5 Comments »
Tags:

Cage Match: OMB Report V/S GAO Report, Only One Comes Out Alive

Posted March 17th, 2008 by

Heh, sensationalist title, but you get the point.  There are two worlds out there contained in two reports that came out last week.  And yet, they seem to contradict each other.

Let’s see our combatants, shall we:

In this corner we have GAO.  GAO issued THEIR report as a prepared testimony to Congress.  They’ve delivered it numerous times to various committees, and I dare say that Mr Wilshusen is getting some milage with this report.  Basic summary:  numbers are getting better, but 21 out of 24 agencies do not have a complete information security program.

And in this corner we have OMB.  OMB issued THEIR report as a formal report to Congress.  This is a one-shot annual deal, although afterwords there is bound to be some hearings on it.  Basic summary:  we’re doing pretty well and we’re working to police up the odds and ends even more efficiently.

Now keep in mind these two simple facts:  GAO works for Congress (Legislative Branch), OMB works for the President (Executive Branch).  This is critical to remember, so file it away.

The funniest thing for me as an outside observer to look at is that if you look at the numbers that they report, they’re identical.  A view behind the inner workings of the government:  both groups are working off exactly the same sets of data.

In preparing for this testimony, GAO analyzed agency, IG, Office of Management and Budget (OMB), and GAO reports on information security and reviewed OMB FISMA reporting instructions, information technology security guidance, and information on reported security incidents.   –GAO Report

In other words, GAO used exactly what was reported to OMB but came up with different conclusions.  Some of that is to be expected, it’s the same doers v/s the auditors conflict that’s been going on since the beginning of time, but wow, there is a huge disparity here that we need to account for.

I didn’t catch this with the GAO report, but I noticed it with the OMB report:  229 systems are not categorized, but 94% of these are certified and accredited.  Say what?  How can you tell if the security controls are implemented and the residual risk of the system is at an acceptable level when you have not determined what protection needs you have, much less your requirements?  This is akin to saying that a piece of software has passed through user acceptance testing when the user population doesn’t know what their needs or requirements are.  Now occasionally you don’t know how to classify a system because it breaks our model:  a low-criticality network that serves as the backbone for one highly-critical application, a legacy application that it’s just not worth it to classify because we’re in the process of decommissioning it, etc.

Now as much as I want to stand up and tell you that the agencies have been doing outstanding C&As, I just don’t believe the IGs whey they say that some of them have “satisfactory” C&A processes.  Maybe I’m just a little bit cynical, but that’s the way I call it.  I know some of these agencies, no way would I say “satisfactory” for some of them.

Now as far as the contradicting reports, let’s do a hasty analysis of the current political situation in DC, shall we?  The Executive Branch is controlled by the Republicans (and has been for 7 years), the Legislative Branch is controlled by the Democrats (for only a year), and oh yeah, it’s an election year.  You would expect the Congress-owned GAO to sing songs of woe and the President-controlled OMB to sing songs of praise.

And that, dear readers, is the difference between the two reports.

So in the end of all this, which report is the one true report because the other one is full of lies, damn lies, and statistics?  Well, they’re both just as accurate (they came from the same source data, remember), only from different angles.

The cynic/BSOFH in me says that you need to pull out the OMB report most of the time, especially when it’s time for your annual review, and pull out the GAO report when you need to justify your IT security budget.  But no, none of the CISOs or CIOs I know in the government would do that, would they?   =)



Similar Posts:

Posted in BSOFH, FISMA | 5 Comments »

Vlad’s Rules to Live By…

Posted March 12th, 2008 by

Greetz and shouts out to Rybolov for fixing my spare PC (yet again) and finally allowing me to contribute…

I’m a contractor filling the role of CISO at a Government Agency.  (That’s another story for another time. )  I really try to keep things light, because security can be a pretty dull business, especially if it’s done right.

Lately, I’ve run into my share of prima donnas — like the one in charge of building our whiz-bang operations support system…  Don’t get me wrong, it’s a very important project — so important that the network engineers I depend on to get things done (like design the security environment for the system) have been assimilated. Resistance was futile.  Heaven forbid one of his resources should be diverted from supporting this project to address their primary duties like helping to deal with, oh a network outage, or SECURITY INCIDENT!

Being resourceful (as all good CISOs should be) I found workarounds to all of the roadblocks this guy dropped into my path. Over time, this has really grated on me — the fact that I’m writing about this is all you need to know…

So I did what everyone should do — I vented to my boss! Together, we realized, that this guy (a subcontractor of ours) was on Everyone’s Shiznit List. We actually PAY this guy to do this to us!  Venting turned to commiserating to funny stories to hysterical childlike laughter.

In the midst of this, I uttered the phrase that will be framed in my CISO office, if, and when I leave Cubeville behind…

Vlad’s Rule #1

If you’re going to act like a prima donna in the CISO’s office, you WILL wear a tutu, so I can see you coming.

And when folks break into prima donna mode in a meeting or discussion, I will henceforth utter the following Key Phrase (in my favorite Redneck voice) when they cross the line:

“Lighten up Francis!  You didn’t bring your tutu widjadidja?”    Feel free to use this liberally. (All I ask is a mental footnote.)

Suddenly, things weren’t so bad.

Did I mention I like to keep things light?



Similar Posts:

Posted in BSOFH | 4 Comments »

« Previous Entries Next Entries »


Visitor Geolocationing Widget: