The BSOFH On Dorky, Auditor-Friendly Policies

Posted January 16th, 2008

Roger writes about his workplace instituting a bag-check on a Friday afternoon. My first thought was “Gack, that’s part of the FISMA guidance? Somebody definitely was reading between the lines,” followed by, “I wonder how much miscarriage of security is conducted by people who claim to be the long-lost intellectual progeny of Ron and Marianne (Ron Ross and Marianne Swanson from NIST, work with me here).” Then I remembered my own security strangeness and laughed….

So a couple of years ago I was in a meeting between my physical security guy and an auditor from the government. I got there a couple of minutes late so I didn’t get introduced. No biggie, my guy had everything under control and had done most of the work with this auditor already. A tip-off should have been that I was the only guy in the room wearing a suit, thereby identifying myself as some kind of manager, but alas, our auditor wasn’t that bright.

But then a problem sprang up: it all revolved around physical access policy and procedure. I had a procedure that said that all employees, contractors, and visitors will badge in EVERY time they enter the building. OK, some of you should be saying a big “DUH!” at this point, and you would be right. Anyway, the auditor didn’t like that. They wanted a specific policy line that says “When you come into the building after a fire drill, you should all badge back in.”

I watched my physical security guy try to rationalize the finding away. “We already say that here in the general procedure,” he said. He drew a Venn diagram on the whiteboard: “See, fire drill is part of ‘every’.” The auditor just wasn’t buying it.

As a last-ditch attempt, I stepped in with the classic contractor phrase: “Where does this requirement come from?” The auditor looked at me and, not taking the hint that A) I know what I’m doing, B) I teach this stuff, and C) I’m the guy in the suit, so you would think I was important in some way, replied: “Well, it comes from NIST. You see, they have this book of requirements called 800-53 and it says that you have to have a process to badge back in after a fire drill.”

At that point, I realized the situation. Life had handed me a bozo and it was easier to write a one-line correction than it was to try to educate them on the error of their ways and ask them to show me where it says that in SP 800-53.

So my advice to Roger: One afternoon checking bags (yay, my favorite activity to do in my “spare time”!) is sometimes easier than trying to educate your auditor.

And watch out for bozos. They’ll wear you down to a nub. =)




Posted in BSOFH, FISMA, What Doesn't Work | 5 Comments »

Driving Wiping

Posted November 29th, 2007

Disclaimer: I’ve had some very indirect dealings with the OSC this year.

But still, if you’re going to wipe your drive with 7 passes (I think that’s what a “Seven-Level Wipe” means), don’t call Geeks on Call or at least have the common sense to get them to do the invoice “right”. Better yet, ask your 15-year-old neighbor kid how to do it. Or look it up on the Internet, it’s not like somebody’s going to be able to look through your browser history after you’re done with the hard drive. =)

I think the moral of the story is this: Keep black ops black ops by not involving people who generate a paper trail.




Posted in Rants, What Doesn't Work | 3 Comments »

Life in a Zero Defects World

Posted November 27th, 2007

Let’s introduce people to a manufacturing concept: that of zero defects and the zero-defects mentality.

See, life in the army during peacetime (and rarely during wartime) sometimes means that you are always “inspection-ready”. In some of the units I’ve seen, they were big on inspections. They would have a formal barracks inspection every week and informal inspections daily. If this seems a little obsessive, then you are right.

So what happens in units like this? Well, people start working around the system: they live out of their cars! If you’re going to do that, why don’t you skip the barracks altogether and just issue people cars to live in? Well, because obviously then the management would expect to inspect the cars for orderliness.

Of course, what does this have to do with security? Well, in most companies and the government in particular, you’re trying to project a zero-defects image to your customers. That’s the way the business and marketing side works. Marketing and security don’t mix precisely for this reason: one is trying to project an image of perfection, the other needs understanding of flaws and risks in order to make informed decisions. I won’t even go into security vendors, but you should be able to extrapolate now what I feel about some of them.

But in security, we’re not doing ourselves any favors by presenting a zero-defect facade to the rest of the world. Sometimes you need disclosure if you want to change the world. That’s why Adam Shostack is so gung-ho on breach disclosure, and I think disclosure is working to the extent that the public gradually is getting over the stigma attached to a breach, at least enough to differentiate the “typical breach” from the “holy sh*t that’s an obscene breach!”

Looking at FISMA report cards in particular, it’s turned somewhat into a “management via public disgrace” activity. Not bad in some cases, but then again, it’s not exactly the kind of information you put out there when you’re expecting positive change: you’re encouraging everybody to show a zero-defects face out of self-preservation.

Adam has a phenomenal idea that he presents in his breach research: using the public health model for IT security. We have to be able to track breaches back to the root cause in order to prevent them in the future. If I take my network and connect it to your network, I have a right to know what vulnerabilities you have. Carrying this public health model maybe a bit too far: I’m now sleeping with all the people you’ve slept with, and if you come down with an STD, I have a right/need to know.

The good news is that this is where the Government is headed: disclosure with business partners. I’m not sure how it will all work out in the end and if even culturally the Government can make it work, but it has potential to be a good thing.




Posted in Army, FISMA, Rants, What Doesn't Work | 4 Comments »

Guerilla CISO Tip–Avoid “Boilerplate”

Posted November 12th, 2007

Repeat after me: “This isn’t a legal contract, you don’t have to include boilerplate for CYA purposes.”

Actually, the boilerplate in security documents does one of the following:

  • Is a bunch of lies because it never gets updated
  • Refers to common or shared controls which are written down somewhere else and you should be referring to them instead of including them verbatim
  • Is a rehash of NIST/BS7799/PCI-DSS documents or standards that we all know anyway
  • Is marketing information or “Ra-Ra” cheerleading
  • Is an attempt at “malicious compliance”

None of these are what you really want to do. So think about it next time you create a template for something.




Posted in The Guerilla CISO, What Doesn't Work | No Comments »

More Vendor Craziness

Posted November 9th, 2007

Ah yes, more vendor spam, only this time, it came in a dead-tree version.

URGENT SECURITY NOTICE FOR $FooCorp:

IDENTIFIED AS SENDING SPAM

Dear Rybolov:

It has recently come to our attention that $FooCorp is sending spam. The end is nigh, we have the solution, send us a big bag of cashola and we’ll look the other way.

Ok, so I paraphrased. Actually, I was so amused I took it home to show my wife. =)

And as “evidence”, they enclosed a printout of IP addresses that are spambots. That’s cool and all, but none of those match $FooCorp’s IP range. Hmmm… could it be that these are spambots that are sending email from compromised machines outside of anything that $FooCorp controls? I think that’s the case…
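The check I actually did on that printout, written out as an added example (this is not code from the original post): take the list of addresses the vendor hands you and see which of them fall inside the address space you control. The prefixes and the “printout” below are constructed sample data using documentation ranges, not anyone’s real allocation; `$FooCorp` is the same placeholder the post uses.

```python
"""
Added example (not from the original post): given the IP addresses a vendor
claims are "your" spambots, check which ones actually fall inside the address
space you control. All data here is constructed; the prefixes are the
RFC 5737 / RFC 3849 documentation ranges, not a real allocation.
"""
import ipaddress
from collections import Counter

# Assumed: the address blocks $FooCorp actually owns or announces.
FOOCORP_PREFIXES = [
    "192.0.2.0/24",
    "2001:db8:1::/48",
]

# Constructed "evidence" printout, one address per line, with the noise
# you'd expect from a scanned letter: a header, blank lines, a bad entry,
# and the same host listed twice.
VENDOR_PRINTOUT = """\
Hosts observed sending mail with @foocorp.example sender addresses:

198.51.100.17
203.0.113.44
192.0.2.9
203.0.113.44
not-an-address
2001:db8:1::25
"""


def parse_printout(text):
    """Return the parseable IP addresses (duplicates kept) and the lines
    that were not addresses at all, so nothing is silently dropped."""
    addrs, junk = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        try:
            addrs.append(ipaddress.ip_address(line))
        except ValueError:
            junk.append(line)
    return addrs, junk


def classify(addrs, prefixes):
    """Split addresses into those inside your prefixes and those outside.
    ipaddress handles mixed v4/v6 correctly: a v4 host is never 'in' a
    v6 network, so the version check is only for readability."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    inside, outside = [], []
    for a in addrs:
        if any(a.version == n.version and a in n for n in nets):
            inside.append(a)
        else:
            outside.append(a)
    return inside, outside


def summarize(text=VENDOR_PRINTOUT, prefixes=FOOCORP_PREFIXES):
    """The numbers you want before replying to the vendor: which listed
    hosts are yours (a real problem to chase), which are somebody else's
    (hosts forging your domain as a return address), which outside hosts
    showed up more than once, and what on the printout wasn't an address."""
    addrs, junk = parse_printout(text)
    inside, outside = classify(addrs, prefixes)
    return {
        "ours": sorted({str(a) for a in inside}),
        "not_ours": sorted({str(a) for a in outside}),
        "repeat_offenders": {str(a): c for a, c in Counter(outside).items() if c > 1},
        "unparseable": junk,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(summarize(), indent=2))
```

If `ours` comes back empty, the printout is evidence of other people’s compromised machines using your domain as a sender address, which is exactly the situation the post describes and not something a “reputation guarantee” aimed at your IP space would change.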

But wait, they sell a “reputation guarantee service” that I can buy to be whitelisted because all these spammers using my domain for a return address have sullied my brand name. Wow, I don’t know why I didn’t think of it before. Oh yeah, it’s because it sounds like a protection racket: “You got a really nice SMTP relay there, I wonder what would happen to you if it became ‘unusable’.” =)

Maybe I should set up a business doing the following (slashdot-stylie business model):

  • Build email filter list (easy, just throw some grep and sed action at my spam box and I’ll have a good start)
  • Sell the blacklist to people who want to block spam
  • Sell the ability to be whitelisted to people who want to send email and end up on the wrong side of the list
  • ???
  • Profit

Now I know these guys, they make solid stuff and have a good reputation out there in the market. But they need to understand something: I find it offensive that they think I don’t know my own IP space, and I don’t buy products from people with a marketing department that uses scare tactics like this.




Posted in Rants, What Doesn't Work | No Comments »

CSIS and Recommendations

Posted November 2nd, 2007

Oooh, there is a committee formed by some notables to provide suggestions to the new President. My thoughts are mixed on this one.

Then Richard Bejtlich gets involved, suggesting Jaquith’s Security Metrics. Yes, that’s part of it.

This is the world according to rybolov and some responses to the various people:

  1. What exactly are you trying to measure? When it comes to the FISMA scores, what are we doing except for “Security management through shame?” Metrics are not effective unless they produce something that is actionable. The metrics should be aimed at questions like “Are we getting the kind of security we would expect for as much as we are spending” or “Is our amount of security spending correct for the level of risk that we have” or even “As a nation, where do we need to be putting in additional controls for high-risk activities?”
  2. You need a catalog of controls. It’s that simple, not everyone is a rocket scientist when it comes to enterprise risk management, so you need a set of rules to justify the budget. Yes, there is too much time spent doing that thanks to the 5 layers of oversight on where the money is going.
  3. Today’s government CIO and CISO serve in an advisory role with Congress micromanaging their budget. Let’s just say that out of all the criteria for selecting representation in Congress, understanding security budgeting isn’t even on the map. Now how do you expect to win in that environment? You can’t continue to beat up the CIOs and CISOs in the executive branch because of decisions made by the legislative branch. You also can’t expect some things that work in the private sector to work in government because the money trail is very different.
  4. You will not accomplish anything with the same people doing the same things. Do you think that with the same people doing $FooFramework instead of a FISMA framework you will still be able to succeed? Basic problem is that we have a higher demand for security people than we have clueful people to fill the gaps. As a result, you have to deal with a high percentage of also-rans and charlatans.
  5. How do we get the people trained to where they need to be? We have a significant gap in abilities vs. our needs for security people. I’ve talked about this before. http://www.guerilla-ciso.com/archives/270
  6. Network Security Monitoring (NSM) practitioners need to figure out how to market to these people as “yes, I’m a Subject Matter Expert and here’s how I fit into your catalog of controls”. In other words, make it easier for people to justify hiring you guys. A *good* FISMA person could sit down in the course of a couple of hours and give you something to trace you back to 800-53 controls and how you satisfy them. In other words, I think Bejtlich has some phenomenal ideas and I’m fairly sold on NSM, but how do I get people to “buy in” when they have all these other ideas competing for people, time, and money?
  7. NSM guys need to make contacts with the people who write the framework and convince them that what they do has merit and that the framework should be changed to include the parts of NSM that aren’t already there. Remember my audience is Congress, how do I justify the money to get NSM implemented? Well, I get it added to the rules or I tell people how NSM is implied in the rules.



Posted in FISMA, What Doesn't Work, What Works | 1 Comment »
