The Guerilla’s Guide to Piggybacking

Posted July 18th, 2007 by

As much effort as we put into badge readers, smart cards, and access control systems, it’s a dirty little secret that they are easy to overcome if you know what you are doing, and the only way to keep you from cheating is to put a “meatgrinder” in your way.

Techniques for getting past card reader systems:

  • The Big Box: Hold a box that’s big enough and bulky enough that you need two hands to hold it. Ask a cleared employee to hold the door open for you.
  • The Mad Dash: Hide just out of reach of the door. Wait for a cleared person to go inside, then make a “mad dash” to grab the door right before it closes. If you practice, you don’t even have to run to get the door, you use your sense of timing.
  • The New Employee: “Hi, I’m new here and they told me it would be a week until I got my badge. Can you let me in?”
  • The Clipboard: Hold a clipboard and act like an auditor who is dismayed that they couldn’t get into the area that they need to inspect.
  • The Visitor: Ask somebody to sign in so you can legitimately get access to the area. After that, it’s a simple deal to shed your escort.

The commonality to all this is that you’re preying on people’s sense of either being a team player or extending other people some common hospitality. You can teach people not to let anybody else in, but our brains just won’t let us slam the door in somebody else’s face.

Come to think of it, it’s suspiciously like trying to teach your kids not to talk to strangers.



Posted in Hack the Planet, What Doesn't Work, What Works | 3 Comments »

Open Letter to New Security Manager

Posted June 27th, 2007 by

Let me be one of the first to congratulate you. Whether your title is CISO, ISSO, Manager, or Consultant, being a security manager is an accomplishment.

Now for the bad news: You need to go into the job knowing that you will always be short on people, time, and money. Good people are hard to come by, and as soon as you get them trained up, they’ll change jobs because they outgrew what you hired them to do. Time is critical because effective security requires cooperation with all the other business disciplines, which takes time and effort. Security is seen as a cost center, so any good business will try to limit security spending in order to maximize their profit.

My friends at ISM-Community have developed an Information Security Management Top 10 document with some very solid practical advice for how to survive in today’s security environment.  Think of it as a list of meta-themes that all successful security managers and programs have in common.

The ISM Top 10 doesn’t solve all of your people, time, and money problems, but it can help you to recognize trends and set a long-term strategy to winning.



Posted in ISM-Community, Risk Management, What Works | 2 Comments »

CISO’s “Book of Death” for June 22nd

Posted June 23rd, 2007 by

I just posted my most recent update to my CISO’s “Book of Death” as a file on ISM-Community. It’s just a collection of spreadsheets I’ve used over the past year or so.

As usual, you can throw me questions, comments, or war stories. I especially like to hear where and how you’re using any of the spreadsheets or what doesn’t work for you, and I added a front sheet in this version with contact information for me so you could reach me.

Original “Book of Death” is here.



Posted in ISM-Community, The Guerilla CISO, What Works | No Comments »

It’s a Series of Pipes

Posted June 22nd, 2007 by

…or at least that’s how Yahoo has Pipes to process blog feeds. I’m working on a combined feed for ISM-Community. This has to be the easiest point-n-click programming I’ve done in years.

Right now I have the following feeds:

Most of these are low-volume, for the simple reason that any security person who isn’t busy all the time probably isn’t worth hiring or listening to.

There are probably more that I don’t know about–it’s not that I selectively left anybody out just yet. The feed should be considered “Beta” quality and shortly (well, when we get around to doing it), we’ll add it to the ISM-Community site.

Drop me a line if you’re an ISM-Community groupie and want your feed added.

And remember, folks, it’s not a big truck. =)



Posted in ISM-Community, Technical, What Works | 1 Comment »

Call for Volunteers

Posted June 21st, 2007 by

I’m once again the pusher for the ISM-Community Risk Assessment Methodology and I’m looking for a few good geeks.

I figured I would send out the call here, too, since if I don’t advertise enough for volunteers, the whole thing falls on my shoulders. =)



Posted in ISM-Community, Risk Management, What Works | No Comments »

Rebuilding C&A

Posted June 13th, 2007 by

After commenting on Mike Rothman’s Security Incite and Alex Hutton’s riskanalysis.is, I’m about ready to explain how C&A works and doesn’t work.

Let’s roleplay, shall we?

You’re the US government. You have an IT budget of $65 ba-ba-ba-ba-billion (stuttering added for additional effect) every year (2007 budget). If you wanted to, you might be able to make an offer to buy Microsoft based on one year’s worth of budget.

So how do you manage security risks associated with such a huge amount of cash? Same way you would manage those IT systems in the non-security world:

  • Break it all down into bite-sized pieces
  • Have some sort of methodology to manage the pieces effectively
  • Delegate responsibility for each piece to somebody
  • Use metrics to track where you are going
  • Focus on risks to the business and the financial investment
  • Provide oversight on all of the pieces that you delegated
  • Evaluate each piece to see how well it is doing

Hmm, sounds exactly like what the government has done so far. It’s exactly like an agency’s investment (system) inventory/portfolio, OMB budget process, and the GAO metrics.

Now how would you manage each bite-sized piece? This is roughly the way a systems engineer would do it:

  • Define needs
  • Define requirements
  • Build a tentative design
  • Design review
  • Build the system
  • Test that the requirements are met
  • Flip the switch to take it live
  • Support anything that breaks

Hmm, that’s suspiciously like a system development life-cycle, isn’t it? There’s a reason we use project management and SDLC–in order to get from here to there, you need to have a plan or methodology to follow, and SDLC makes sense.

So then let’s do the same exercise and add in the security pieces of the puzzle.

  • Define needs: Determine how much the system and the information are worth–categorization (FIPS-199 and NIST SP 800-60)
  • Define requirements (FIPS-200 and NIST SP 800-53 along with a ton of tailoring)
  • Build a tentative design (first security plan draft)
  • Design review (security plan approval)
  • Build the system
  • Test that the needs and requirements are met (security test and evaluation)
  • Flip the switch to take it live (accreditation decision)
  • Support anything that breaks (continuous monitoring)

Guess what? That’s C&A in a nutshell. All this other junk is just that–junk. If you’re not managing security risk throughout the SDLC, what are you doing except for posturing for the other security people to see and arguing about triviata?

This picture (blatantly stolen from NIST SP 800-64, Security Considerations in the Information System Development Life Cycle) shows you how the core components of C&A fit in with the rest of the SDLC:

Security in the SDLC

My theory is that the majority of systems have already been built and are in the O&M phase of their SDLC. What that means is that we are trying to do C&A for these systems too late to really change anything. It also means that for the most part we will be trying to do C&A on systems that have already been built, so, just like how people confused war communism with pure communism, we confuse the emergency state of C&A post-facto with the pure state of C&A.

Now let’s look at where C&A typically falls apart:

Keys to success at this game follow roughly along what ISM-Community has proposed as an ISM Top 10. Those ISM guys, they’re pretty smart. =)



Posted in FISMA, ISM-Community, NIST, Risk Management, What Doesn't Work, What Works | 2 Comments »
