Going back through my email makes me laugh.  As crazy as I probably seem to my blog readers, there are things that I can’t really share with the world.  This is not one of them, but it could be offensive to some people, so rest assured I’m joking, people.   =)

PS-9 Stalinistic Purge of the IT Department
Control:
The organization: (i) conducts periodic arrests and interrogations on any member of its staff deemed to have “significant security responsibility”; and (ii) asks personnel being interrogated to name three (3) of their accomplices.

Supplemental Guidance:
Geeks are like peasant-workers.  You have to intimidate them at periodic intervals so that they don’t think they can take over the business functions of your organization.

Control Enhancements:
(1) The organization establishes a “show trial” system to publicly humiliate personnel being interrogated as a deterrent to other personnel who might be considering challenging the management structure.
(2) The organization hoists the heads of those found guilty of “crimes against the organization” on a pike at the entrance to the organizations headquarters or data center.

Low: PS-9  Moderate: PS-9(1)  High: PS-9(1)(2)

• Guerilla CISO Tip: Get Inside the Data Center
• How I Do the “FISMA Thang”
• More Security Controls You Won’t See in SP 800-53
• Yet More Security Controls You Won’t See in SP 800-53
• How Much Security Should the Outsourcer Do?

So I got “roped into” another vendor presentation yesterday. I should have done a little bit of research beforehand because then I would know that the product they pitch is Yet Another Technical Policy Compliance Tool (YATPCT)(tm) and I could have safely skipped it.

From my standpoint, this market is getting crowded, but the nature of the beast is that it’s low sales volume but high cost. Ie, it’s a market that will forever be make-or-break. Not a good place to be as a vendor, and I have a feeling that the majority of them will die a horrendous death but to the business leadership one sale looks pretty good.

One thing that I did see is that the typical YATPCT has now evolved. Most of them have incorporated workflow now so they’re aiming for “security team in a box”.

Now for people who know what they are doing, the people that I refer to as “clueful”, these tools are pretty good at keeping you on track. The problem is that there is a shortage of clueful people, so they’re buying tools to compensate for the lack of skill. The end result of this game is that you end up broke with no adequate security–not exactly what I would call “effective security”.

One of these days I’ll find a vendor who “gets it” and is worth my time to teach them how to do the last 5% of what they need to work for me. God knows I’ve taken hours to explain it to anyone that wanted to hear. This is what I want to see:

• Grouping assets together
• Determining a criticality for the group based on the Business Reference Model (SP 800-60)
• Yes, a baseline of controls from 800-53 but the ability to add my own controls and do tailoring because I have to distill the control into an exact requirement that people can build to
• The ability to extract a complete System Security Plan to hand to an auditor
• An engine to build a test plan and record results
• Workflow for Plan of Action and Milestones so I can get funding from Congress and actually get things fixed. Exhibit 300 format would be highly superb.

The problem is that a tool adds to the effort involved, not detracts from it–you still have to use the thing in addition to all the people-power. If you still need the people with the wetware to use the tool, what has the tool effectively saved you? Probably not much. In fact, I ask the basic question: what does automation really provide for something that is perpetually a one-off system? You only get efficiency when you optimize the parts of a process that are repeated–ask any programmer about it. Yet at the same time, if you have a set of systems that habitually have a large amount of shared controls between them, why aren’t they lumped together into the same system already?

In the meantime, all I see are SoX technical compliance solutions kluged into FISMA compliance solutions. We think differently here inside the beltway. I don’t assign dollar values to individual servers, and I don’t care about ALE calculations. To be bluntfully honest, I don’t really care about compliance, I care about risk management (both security risk and project risk), so at the end of this exercise, no matter what the scope of it is, I want to know what the residual risk is and if we should do one of the following:

• Leave it as-is
• Pump more money into it
• Kill it or at least investigate feasible alternatives
• Beat people about the head with the giant foam cluebat until they fix a small subset of problems
• Fire the staff
• Fire the evaluation staff
• Go fishing (trick answer, I was going to do that anyway) =)

• The Vendors are Already Jumping on the 07-11 Bandwagon
• You Didn’t Outsource Your Responsibilities
• Remembering Accreditation
• What the Government Looks for in a Product
• Alternative Uses for System Security Plans

Disclaimer up front: I’ve worked with DHS as a contractor. I have friends in DHS. I have DHS as a client agency. I’ve felt some of their growing pains. I’m also a taxpayer and a wannabe civil libertarian when it suits me. =)

Background: Last week, Scott Charbo, DHS CIO, was given a pretty good grilling by the House Committee on Homeland Security. Responses have ranged anywhere from apathy to outrage, with the mainstream media wondering why DHS is doing so poorly at security of their systems.

The testimony is online at the following url: http://homeland.house.gov/hearings/index.asp?ID=65

First of all, at the bottom there is a link that takes you to the movie. You have to watch this before you read the transcripts. Caution: this is a good 1.5 hours of viewing. http://boss.streamos.com/wmedia/homeland/chs/cyberjune.wvx

My first comment is something along the lines of what the public is saying. If you’re responsibly for cybersecurity (not my preferred title, btw) for the nation, how can you honestly stand in front of us as the Government’s cybersecurity leader when you’re failing at securing your own house?

Scott Charbo gave an excellent answer, one that the public needs to seriously think about. There are 2 information security groups inside DHS. One is the Assistant Secretary for Cybersecurity and Telecommunications who works with the rest of the government and industry to help secure the infrastructure. The other is the DHS Chief Information Security Officer who works under the CIO to security DHS-internal systems. What this means is that the 2 topics are divorced both on an organizational chart and in funding sources. It’s still a PR problem, but there is a specific reason why this problem exists.

The Q&A Session Led by Chairman Langevin:

• Titan Rain–Everybody doing IT in the government should know about Titan Rain. As a CIO to say that you haven’t heard about it, it’s a red flag. This doesn’t bode well for the agency that has been charged with cybersecurity for the rest of the agencies.
• Ingress and Egress filtering on workstations–This is usually too noisy, so what you do is filtering on the aggregate data flow from multiple machines. Otherwise, you end up with a NMCI problem where every workstation had a HID on it. It’s expensive and probably rates lower on the scale of priorities than other security spending. Maybe in the future when endpoint security is an all-in-one, it will make much more sense, and the technology is starting to get to that point.
• Nationwide Risk Assessment–yes, it’s a fantastic idea. The question is, how do you eat this elephant? Really it takes an ongoing campaign of assessing individual parts (bite-sized pieces, pun intended) and then addressing and prioritizing them as a whole. Some of that is taken care of ala GAO reporting. Some of that (SCADA systems, commercial telecoms, anything we have a dependency on) needs to be discovered and assessed. You have to be careful when trying to boil the ocean.
• Classified Spillage–it’s one of the “dirty little secrets” (pun intended) of the classified world. Short of context-filtering on the non-classified side (cheap pitch for Verdasys here), there is nothing that you can do technically to prevent a user from manually typing classified data into a non-classified system. But then again, you can’t prevent a user from talking about classified data on a metro train.
• Contractor Laptops–note to self: if you are testifying in front of congress, never answer a question with only a “No.” Are contractors plugging into government IT systems? Yes, and DHS isn’t the only one. It depends on the facility. If you go into a classified facility, then plugging into a classified network is bad. If you go into a development environment to upload code that you built on your laptop, then most people would say that’s OK. Somewhere in there is a spectrum of activity that needs to be decided on whether it’s allowed or not.
• Budgeting–The role of CIO pretty much is in an advisory role when it comes to budget. Inside DHS (and all the other agencies), Congress manages the budget down to the sub-agency level. Mr Charbo can request funds (and if he got the message, he should request more security funding next year), but holding him responsible for the budget that is given to him by Congress hardly seems fair or really what I would call responsible governing. However, a good point was made by Mr Etheridge about the fact that DHS is a very young organizations and that they most likely need to be spending more than the average on security. But then again, they are spending quite a bit of money on building IT systems, so a smaller percentage is to be expected (ie, the size of the pot got bigger, so you have a smaller percent of that pot).
• Auditing Telcos–You cannot audit the carrier clouds. You use compensating controls to limit your risk. I’ve talked about this before. However, why is the telco managing the agency’s firewall? It sounds like somebody was doing routing on the firewall or doing some kind of logical segregation on their switches (ie, untrusted and trusted on the same switch using VLANs), which shouldn’t be happening for your main edge. Here, GAO is pointing at one system where they were allowed to audit a MPLS cloud and saying that they should be able to audit a DHS MPLS cloud. It just doesn’t work that way. You might be able to do a partial edit or you pay the vendor more to implement specific controls that you need, but that’s the extent of it.
• Einstein–Link for those of you who are interested, and a blog post from Richard Bejtlich about it. It’s a monitoring system used by quite a few agencies.
• Interconnectivity Between Classified and Non-Classified Systems: GAO points to the fact that DHS did not have a valid system inventory or established interconnects. While I agree with some of the concept, I guess I just don’t like the presentation layer of that statement, like we’re confusing security and compliance again.

I still contend that if another agency the size of DHS is not reporting as many incidents as DHS is, then they’re either not monitoring or they don’t have the same criteria as to what an incident is. I think DHS got banged on first because they provided transparency and fairly valid metrics on what is going on with their networks. Playing the role of “Armchair CIO”, I would turn it back on the other agencies and ask why they didn’t have the same level of incidents to report.

I give DHS quite a bit of credit for avoiding the urge to present a “zero defects” picture to GAO, OMB, Congress, and the public.

Best quote of the day is from Keith A. Rhodes who is the Chief Technologist and Director of the Center for Technology and Engineering at the Government Accountability Office.

“The risk assessment that you’re talking about, risk is a function of threat, vulnerability, and impact, so all three pieces have to be done. Yes, there has to be a threat assessment. There also has to be a realization of vulnerability, and there has to be an understanding of impact. No one, certainly not I, certainly not my colleague, Mr Wilshusen, is going to say ‘Secure everything, lock everything down.’ That’s impossible. It’s also impossible to have perfect security, but we have to drive toward zero tolerance on key systems.”

By this time, you’re all thinking “What will it take to get DHS to winning in IT security?”

There are some people who believe that DHS will never make it. “It’s too large, the Department is too new.”

Realistically, I think the earliest realistic timeframe for DHS is 5-10 years and 3 CIOs down the road. Scott Charbo will build as much as he can until he meets serious resistance, then it’s time to bring in a new face to push the ball forward just because the newness can get things done.

Once again leading me to my point that security is all about personnel management.

While DHS has overcome quite a few hurdles, I think it’s amazing that they managed to score any more than an “F”.

What I didn’t hear in this hearing is something along the lines of “Mr Chairman, we only have a limited amount of personnel, time, and budget. As an agency, we are forced to make decisions on what is more important to us: to migrate all the organizational elements to OneNet and build a NOC, SOC, and redundant data centers, or to maintain legacy major applications and put HIDs on all of our workstations. While you might disagree somewhat with our priorities, I doubt that anybody would chose a path that is radically different from where we have gone and are going.” That’s the message that the country needs to hear in order to understand the conflicts between operations, budget, and security that today’s CIO has to manage, and why the indicators at times might provide the impression that the government is not concerned about security.

But then again, I’m a little bit more confrontational because I can afford to be, not being in charge of the IT assets for a huge agency. =)

• Looking for the Charbo Testimony
• Ack! With the Mandates!
• GAO’s 5 Steps to “Fix” FISMA
• Effective Inventory Management
• HR 5983–DHS Now Responsible for Contractor Security

Post-Postscript: My response is up at the following url: http://www.guerilla-ciso.com/archives/175

Postscript: Darren Couch provided the URL, sans Q&A: http://homeland.house.gov/hearings/index.asp?ID=65

OK, so DHS CIO, Scott Charbo, got grilled by congress. I can’t find the transcript anywhere, only second-hand information on how it was a beating. If anybody has the actual testimony with the Q&A session, I would love to read it.

Really, so they’ve had some incidents that they found and then corrected. I would be worried about an agency of that size that didn’t have anything happen–obviously they’re not monitoring what’s going on. It’s that anything that is associated with DHS makes people (the press, civil libertarians, congress, etc) freak out.

Not that DHS doesn’t have its problems. As a new agency, they keep building isolated pockets of brilliance but the whole is very much in flux, so as soon as one good thing happens, they shift to another posture which means that they need to rework the old stuff.

Then again, if you hire thousands of people in a couple of years, you’re bound to take the cruft from the other agencies–it’s like the old saying that all the people looking for jobs are the ones you don’t want to hire. =)

At any rate, if somebody locates the transcript with the Q&A, I’ll dedicate my next flyfish or zombie post to you–your pick which one it is.

• My Analysis of the DHS Congressional Testimony
• More GAO Testimony
• No, FISMA Doesn’t Require That, Silly Product Pushers
• GAO’s 5 Steps to “Fix” FISMA
• Cage Match: OMB Report V/S GAO Report, Only One Comes Out Alive

Movie from George Mason professor Paul Strassman on Information Assurance which was digitized and shared forever thanks to Google Movies.

My response to the movie:

This presentation has many problems.

FISMA is not that large of a law.  You can get the text from the NIST website at the following url:
http://csrc.nist.gov/policies/FISMA-final.pdf (16 pages long)

FISMA does not require SP 800-53.  It charges NIST with creating standards for information security.  FIPS 200 dictates that an agency use 800-53 as their baseline security controls.  Once again, we’re confusing the law with the implementation.

The security plan is a vehicle to get people to agree on what the security controls should be, not a post-fact documentation on what security controls that exist.

DIACAP is not the first time that systems have had to be certified.  Prior to this, there was DITSCAP, NIACAP, FIPS 102, and SP 800-37.  I also wonder how we got from SP 800-53 to DIACAP since they are different flavors–civilian agencies v/s DoD.

In certification, you do not certify compliance.  You certify that the controls meet the needs of the business owners.  Those needs might be considerably more relaxed than you think.  For example:  completely air-gapped systems in a SCIF don’t need a sizeable chunk of the control in 800-53.  Compliance is costly because you don’t have the ability to not do something that doesn’t make sense.

The “Hamster Wheel of Pain” that is shown as the DIACAP process is detached from other SDLC activities, which is rapidly becoming one of my pet peeves.  If you do DIACAP divorced from the SDLC, you are creating liarware.

“The DIACAP activities, the certification of the system, is a very involved, complicated, time-consuming, laborious process that nobody has as yet completed.”  It’s so wrong I can’t even begin to explain.

The DAA is not responsible for DIACAP.  The DAA is only a key decision maker.

The DAA does not sign a statement saying that you are secure, they sign a statement saying that the level of risk to the system and to the mission is of an acceptable level.

The CIO does not usually go to the DAA.  The CIO is more likely to be *the* DAA than just about anybody else.

The second half of the movie is general security information, not really IA-specific.

If this is what they teach in the universities around the beltway, no wonder we have an IA constituency who don’t “get it“.

• Some Random Thoughts on C&A SOPs
• Rebuilding C&A
• Feds to Embrace SaaS, End is Nigh for Security!
• Observations on SP 800-37R1
• Mike’s Guide to Information Security Policy

My friends and I will be teaching the NIST Framework for FISMA with the Potomac Forum from July 13th to August 10 in 5 Friday segments.  This is a small (limited to 35) class and is restricted to government employees only because we go down into frightening detail. =)

I always love this series.  The students start out being quiet and expecting us to force-feed them powerpoint slides in the beginning, but by the end, they know the entire IA framework and are very vocal about defending their position on why a certain risk should be accepted or not.  I get all choked up inside to hear people talk about making a cost-benefit-risk decision and giving a system a conditional ATO.

As a side note, I wrote most of the exercises and tell everybody that the actual answer you gave isn’t as important as the logic you used to get there, but really what you should do is pick one answer and be ready to argue. =)

• Always Behind
• FISMA Report Card News, Formulas, and 3 Myths
• FISMA Fellows Spring Cohort
• The Vendors are Already Jumping on the 07-11 Bandwagon
• How I Spent Friday