Just a quick slideshow I threw together for a class on making a Backtrack 3 bootable USB drive. I sanitized it for public use, but I figure there’s some reusable content that somebody will thank me for later.
Posted in Odds-n-Sods, Technical, What Works | 
1 Comment »
Tags: backtrack • pen-test
Not to turn my blog into a place for twitter-short posts, but check out this announcement by Cisco WebEx about their security management, audits, and SAS-70 stukas.
Fruck, it’s almost like somebody’s reading my posts on cloud computing and the Government. This is good as long as WebEx can execute. =)
Posted in Outsourcing, Uncategorized, What Works | No Comments »
Tags: auditor • government • management • security
FAR: it’s the Federal Acquisition Regulation, and it covers all the buying that the government does. For contractors, the FAR is a big deal–violate it and you end up blackballed from Government contracts or having to pay back money to your customer, either of which is a very bad thing.
In early August, OMB issued Memo 08-22 (standard .pdf caveat blah blah blah) which gave some of the administratrivia about how they want to manage FDCC–how to report it in your FISMA report, what is and isn’t a desktop, and a rough outline on how to validate your level of compliance.
Now I have mixed feelings about FDCC, you all should know that by now, but I think the Government actually did a decent thing here–they added FDCC (and any other NIST secure configuration checklists) to the FAR.
Check this section of 800-22 out:
On February 28, 2008, revised Part 39 of the Federal Acquisition Regulation (FAR) was published which reads:
PART 39-ACQUISITION OF INFORMATION TECHNOLOGY
1. The authority citation for 48 CFR part 39 continues to read as follows: Authority: 40 U.S.C. 121(c); 10U.S.C. chapter 137; and 42 U.S.C. 2473(c).
2. Amend section 39.101 by revising paragraph (d) to read as follows:
39.101 Policy.
* * * * *
(d) In acquiring information technology, agencies shall include the appropriate IT security policies and requirements, including use of common security configurations available from the NIST’s website at http://checklists.nist.gov. Agency contracting officers should consult with the requiring official to ensure the appropriate standards are incorporated.
Translated into English, what this means is that the NIST configurations checklists are coded into law for Government IT purchases.
This carries a HUGE impact to both the Government and contractors. For the Government, they just outsourced part of their security to Dell and HP, whether they know it or not. For the desktop manufacturers, they just signed up to learn how FDCC works if they want some of the Government’s money.
Remember back in the halcyon days of FDCC when I predicted that one of the critical keys to success for FDCC was to be able to buy OEM desktops with the FDCC images on them. It’s slowly becoming a reality.
Oh what’s that, you don’t sell desktops? Well, this applies to all NIST configuration checklists, so as NIST adds to the intellectual property in the checklists program, you get to play too. Looking at the DISA STIGs as a model, you might end up with a checklist for literally everything.
So as somebody who has no relation to the US Federal Government, you must be asking by now how you can ride the FDCC wave? Here’s Rybolov’s plan for secure desktop world domination:
And the Government security trickle-down effect keeps rolling on….
Cynically, you could say that the OMB memos as of late (FDCC, DNSSEC) are very well coached and that OMB doesn’t know anything about IT, much less IT security. You probably would be right, but seriously, OMB doesn’t get paid to know IT, they get paid to manage and budget, and in this case I see some sound public policy by asking the people who do know what they’re talking about.
While we have on our cynical hats, we might as well give a nod to those FISMA naysayers who have been complaining for years that the law wasn’t technical/specific enough. Now we have very static checklists and the power to decide what a secure configuration should be has been taken out of the hands of the techies who would know and given to research organizations and bureaucratic organizations who have no vested interest in making your gear work.
Lighthouse From AFAR photo by Kamoteus.
Posted in FISMA, NIST, What Doesn't Work, What Works | 8 Comments »
Tags: cashcows • collusion • compliance • fdcc • fisma • government • infosec • management • omb • pwnage • scap • security
I like SmartBuy, I’ve talked about it before, it’s a software bulk-purchase program sponsored by GSA. The more types of software products they buy, the better for the people who need to depend on this stuff.
So I’m doing my usual beginning-of-the-week upcoming contracts perusal and something interesting caught my eye: GSA is looking for “Situational Awareness and Incident Response” (SAIR) software to do a blanket purchase agreement for SmartBuy.
What they mean by SAIR (according to the pre-RFP information) is the following:
Really, think something along the lines of FDCC/SCAP-aware tools to manage IT assets. Not sure how the incident response piece fits in, but OK, I’ll go along with you here. Makes sense if you stop and think about it–we have a FDCC mandate from OMB, and now we’re looking for the tools to help with it–I mentioned that FDCC without automation was futile almost 9000 years ago.
I know I have blog readers who make similar software, drop me a message if you need more details.
And for my daily dose of snarkiness: it’s good to see how GSA has come such a long way in my life from being just the provider of skillcraft pens and simple green. =)
Posted in FISMA, What Works | 5 Comments »
Tags: compliance • fdcc • government • infosec • security • smartbuy • tools
Ever feel lost and lonely when staring at the business end of an ST&E? Confounded and confused considering Configuration controls? Perplexed and Puzzled at Planning procedures? Anxious or amazed at Audit and Accountability assessments? Annoyed at aimless alliteration?
NIST has heard your muttered curses and answered them! (Except the annoying alliteration, which is my fault.)
Now available are the Assessment Cases for Special Publication 800-53A. The Assessment Cases offer supplemental guidance on assessing security controls found in the recently released SP 800-53A Guide for Assessing the Security Controls in Federal Information Systems (PDF Warning). These documents are in their Initial Public Draft so be sure to give them a look and provide some feedback.
The Assessment Cases contain consensus recommendations from the Assessment Cases Project on specific actions to perform when assessing security controls. These specific actions are intended to complement the assessment procedures documented in NIST SP 800-53A. Yes, you heard that right, Specific Actions. Less time spent pondering how to “Examine: … other relevant documents or records”.
The Assessment Cases Project is an inter-agency workgroup headed by DoJ with members including NIST, DoE, DoT and ODNI-CIO. Many thanks for the hard work of this workgroup’s membership. You may not be able to hear it but I am applauding on this side of the keyboard. And a big thanks to Patrick O’Reilly for pointing me to this wonderful resource.
Posted in FISMA, NIST, What Works | 1 Comment »
Tags: 800-53A • auditor • catalogofcontrols • fisma • gao • genius • government • infosec • tailoring
Post summary: We’re not ready yet culturally.
What spurred this blog post into being is this announcement from ServerVault and Apptis about a Federal Computing Cloud. I think it’s a pretty ballsy move, and I’ll be watching to see if it works out.
Disclaimer being that at one time I managed security for something similar in a managed services world, only it was built by account with everything being a one-off. And yeah, we didn’t start our organization the right way, so we had a ton of legacy concepts that we could never shake off, more than anything else about our commercial background and ways of doing things.
Current Theory on Cloud Computing photo by cote.
The way you make money in the managed services world is on standardization and economy-of-scale. To us mere mortals, it means the following:
The last 2 were our downfall. Always eager to please our clients, our senior leadership would agree to whatever one-offs that they felt were necessary for client relationship purposes but without regard to the increased costs and inefficiency when it came time to implement.
Now for those of you out in the non-Government world, let me bring you to the conundrum of the managed services world: shared services only works in limited amounts. Yes, you can manage your infrastructure better than the Government does, but they’ll still not like most of it because culturally, they expect a custom-built solution that they own. Yes, it’s as simple as managing the client’s expectations of ownership v/s their cost savings, and I don’t think we’re over that hurdle yet.
And this is the reason: when it comes to security and cloud computing, the problem is that you’re only as technically literate as your auditors are. If they don’t understand what the solution is and what the controls are around it, you do not have a viable solution for the public sector.
A “long time ago” (9000 years at least), I created the 2 golden rules for shared infrastructure:
And the side-rules for shared infrastructure in the public sector:
So, are ServerVault and Apptis able to win in their cloud computing venture? Honestly, I don’t know. I do think that when somebody finally figures out how to do cloud computing with the Federal Government, it will pay off nicely.
I think Apptis might be spreading themselves fairly thin at this point, rumor has it they were having some problems last year. I think ServerVault is in their comfort space and didn’t have to do too much for this service offering.
I can’t help but think that there’s something missing in all of this, and that something is a partnering with the a sponsoring agency on a Line of Business. FEA comes to mind.
Posted in What Doesn't Work, What Works | 1 Comment »
Tags: auditor • catalogofcontrols • cloudcomputing • compliance • datacentric • fisma • government • infosec • management • risk • scalability • security
« Previous Entries Next Entries »
Posts RSS
Subscribe via Email