Indicator Species

Posted February 19th, 2007 by

Trout are an indicator species.  You can tell how healthy the stream is by counting the number of trout and the size of trout in a particular section.  Trout need clean water, a certain temperature range of water, protection from predators, unsilted gravel to spawn in, and a food supply like smaller fish and invertebrates.  So absence of trout means absence of these factors, which by extension means an unhealthy stream.

There are even metrics for this: number of trout per mile, pounds of trout per mile, average size of trout.  Biologists do periodic electroshocking surveys to capture the fish, weigh and measure them, then release them back into the current.  All in the interest of gathering metrics.

By extension, a very valuable tool for an information security manager is to be able to gather metrics.  Instead of trout per mile, we are interested in total number of vulnerabilities in our information system.  Instead of pounds of trout per mile, we are interested in the aggregate risk to our enterprise.  And so on.

Enter Certification and Accreditation.  It is not just a paperwork exercise.  There, I said it.  It is, however, risk assessment and the gathering of metrics to determine how well our security program is progressing (or not, as the case may be).

As a whole, the government is spending $FooMillions on certification and accreditation and still losing the battle.  I know one agency that is in the process of getting fleeced year after year by unscrupulous contractors selling C&A solutions.  It seems like everybody I’ve worked with previously on a project who didn’t have the skills to succeed is now being billed to this agency as a subject-matter expert.  For every 30 people the agency hires, they get 5 that are any good, and the 25 bad ones can mess things up faster than the others can fix them.

Why is C&A in such a pathetic state?

Well, this is apparently a little-known secret: C&A is an indicator, not the actual act of providing “adequate security”.  If a security program is in place and effective, then it’s relatively easy to satisfy C&A requirements but not the other way around–it is possible to have a certified and accredited system that does not provide adequate security.

With C&A getting such a high amount of press from the guardians of all things security (NIST, OMB, and GAO), what has happened down among the practitioners is that the focus has switched to the indicators instead of the root cause.  Going back to our trout stream, we’re expecting the pounds of trout per mile to go up based solely on the fact that we keep conducting electroshock surveys.

So how do we succeed at the information security game?  One of the steps is to realize C&A for what it is (a risk assessment and metrics tool for decision-makers, a method to incorporate security into the SDLC) and what it isn’t (a solution to internal agency politics, a comprehensive security program).  The next step is to relearn how to perform risk management, which is where the real intent and purpose of C&A lies.

Posted in FISMA, NIST, Risk Management, What Doesn't Work, What Works | 4 Comments »

Sunday Fish Picture

Posted February 18th, 2007 by

Cute little largemouth bassie I caught on Holmes Run.  It’s a “delayed harvest” trout stream (like put-and-take but they make you wait 3 months before the “take” part) with a nice population of the ubiquitous redbreasted sunfish and the occasional bass.

It's a Bass!

This particular fish surprised me.  It was in late December and I was getting hits from the occasional stocked trout (hey, it’s close to home and I needed the fix) and the bass hit hard and pulled me around the pool for a little while.

Posted in Flyfish, What Works | No Comments »

Going Commando….

Posted February 18th, 2007 by

OK, Sean Wilson cracks me up.  More than you’ve ever wanted to know about Going Commando.  Reminds me of my other life in a different world.

Posted in Army, Rants, What Works | No Comments »

Our “Peace Dividend”: DISA SRR Scripts

Posted February 14th, 2007 by

I can’t believe there is such a market for technical policy compliance tools–I guess they’re all “Risk Management Tools” this year.  Save your money, you can get what you need for free.  It’s all at DISA IASE.

Roughly a year ago, I wrote this post to the Security Focus penetration-testing listserv:

The SRR scripts are very good, but keep in mind that what they do is check the configurations that are specified in the STIGs.

It goes like this:
NSA creates Security Guides
Which begat:
DISA Security Technical Implementation Guides
Which begat:
DISA Manual Checklists
Which begat:
DISA SRR Scripts

What the SRR Scripts are is an automated way to do the checks in the manual checklists.

A word of caution is that if an OS is configured according to the STIGs, they will break. The good thing is that it’s a fast tool to check for vulnerabilities.

The scripts for Windows machines use WinBatch as the script language. They take about 15-20 minutes to run once you’ve figured out how to do it. What we do is go into an office, select a random percentage of computers to check, load the script, and start it. By the time we’re done starting the script on the last computer, it’s time to start retrieving results off the first ones.

When DISA sends their audit team around, they run the SRR Scripts and an external scan with ISS or Retina.

As for the .mil restriction, last time I looked at them, they allow anybody to download the STIGs but you need a .mil address to download the SRR Scripts. There is also the “gold disk” which has all the SRR Scripts on it.

HTH
–Mike

Anyway, I’ve gotten a ton of mileage out of this fairly simple posting.  Here it is over a year later, and I have people that I work with telling me that they did an Internet search for DISA SRR Scripts and came up with this email, so since I’m a “qualified expert” would I give them a demonstration?

Now the beauty of the technical guidance from DISA is that they have some really good information and tools that you can use in your security program.  Managing my own commercial infrastructure, when somebody asks me what hardening guidance to use, my standard response is “How hard is it to spell DISA STIGs?”  STIGs are probably the most stringent hardening guide you’ll find out there, and very explicit in the “click this widget to off” form that the system administrators want.

All the DISA technical guidance (one exception is the Gold Disks which have all the current vendor patches and can’t be distributed for licensing reasons) is now available to the commercial world to use.  This is good, and I jokingly refer to it as our “peace dividend”.  While some of it is DoD-specific (don’t use the DoD warning banner, and be careful about disabling the “Bypass traverse checking” user right for service accounts), it makes a very good start to “roll your own” if you have to harden your IT systems.

The way to use them is that the Security Technical Implementation Guide (STIG) is a hardening guide.  The Manual Checklists are a step-by-step guide to audit a system against the STIG.  The SRR Scripts are automated versions of the checklists.  What you do is run the SRR Script and where necessary, refer back to the STIG if you have any questions on what the tool is giving you as a finding.  There are numbers to provide you with traceability back and forth.  After you’re done STIG-ing your system, hit it over the wire with a Nessus or similar, and you’ve got a hardened building block.
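Here is the checklist-to-script idea in miniature, as an added example that is neither the author's nor DISA's code: a constructed checklist whose items carry placeholder traceability IDs (not real STIG IDs), a constructed sshd_config standing in for a file pulled off a host, a check routine that emits findings tagged with those IDs so they trace back to the guide, and the aggregate "trout per mile" metrics the first post asks for. The severity weights are arbitrary and also constructed.

```python
# Constructed checklist modelling the STIG -> manual checklist -> script chain.
# Fields: traceability ID (placeholder, not a real STIG ID), title, config
# keyword, value the guide requires, severity (CAT I = 1 worst .. CAT III = 3).
CHECKLIST = [
    ("EXAMPLE-SSH-001", "Protocol version 2 only", "Protocol", "2", 1),
    ("EXAMPLE-SSH-002", "Root login disabled", "PermitRootLogin", "no", 1),
    ("EXAMPLE-SSH-003", "Empty passwords refused", "PermitEmptyPasswords", "no", 2),
    ("EXAMPLE-SSH-004", "Warning banner configured", "Banner", "/etc/issue", 3),
]

# Constructed sample sshd_config, standing in for a file pulled off a host.
SAMPLE_CONFIG = """\
# sshd_config (constructed sample)
Protocol 2
PermitRootLogin yes
#PermitEmptyPasswords no
"""

SEVERITY_WEIGHT = {1: 10, 2: 5, 3: 1}  # arbitrary weights for the risk metric

def parse_config(text):
    """Return {keyword: value}; comments and blank lines are ignored, so a
    commented-out default counts as 'not set' rather than as compliant."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, *rest = line.split(None, 1)
        settings[key] = rest[0].strip() if rest else ""
    return settings

def run_checks(config_text, checklist=CHECKLIST):
    """Automate the manual checklist: one finding per item that fails or is
    unset. Each finding carries the check ID for traceability to the guide."""
    settings = parse_config(config_text)
    return [
        {"check_id": cid, "title": title, "expected": want,
         "actual": settings.get(key), "severity": sev}
        for cid, title, key, want, sev in checklist
        if settings.get(key) != want
    ]

def metrics(findings):
    """The 'trout per mile' view of one host: counts and a weighted score."""
    return {
        "open_findings": len(findings),
        "cat1_findings": sum(1 for f in findings if f["severity"] == 1),
        "risk_score": sum(SEVERITY_WEIGHT[f["severity"]] for f in findings),
    }
```

Run the same checklist over every host in a sample and sum the metrics, and you have the per-enterprise figures the indicator discussion above is about.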

The advantage to using the DISA tools is that you can sit down and in half a day create a standard server/workstation/router/$foo image that can serve as your base for all builds.  With a little bit of Group Policy Object mastery, you can propagate hardening out to a bazillion workstations.

And all it costs is your time, which you would spend anyway using somebody else’s pay-to-play tools.  That’s something neat to think about.

DISA IASE

Posted in DISA, Technical, What Works | No Comments »
