Posted May 21st, 2007 by rybolov
Two months ago, OMB released Memorandum 07-11 which established the authority for government-wide hardening standards for Windows products. It’s a very good thing in my opinion.
However, I’m beginning to see the start of the side effects. I have vendors already that are beating down my door trying to sell me compliance solutions that will help me meet this “oh-so-very-important standard”. I think they missed the other things I’ve had to say about compliance. The one worry that I have is that people will hit their systems with whatever technical policy compliance tool and think that they don’t have to do anything else. I think really that’s the one big problem I have with this entire class of products–they present themselves as the cure-all for all the security problems that an organization could have.
Knowing the people from NIST, it’s the classic problem that they have: They issue guidance and people blindly follow it even though it’s contradictory and not smart security. The best part is when people offer “NIST-Compliant” solutions (I take that out of our marketing material whenever I find it and then take the time to educate people on why it’s wrong) which are at best, “Our interpretation of the guidelines with numerous assumptions” and think that this is all that an organization should do security-wise. Well, the catch is that NIST, compliance frameworks, and vendors can’t anticipate every situation, so at the most what they’re offering is a 75% solution. If you go back to both NIST and OMB, they will tell you to make a decision based on a cost-benefit-risk comparison.
My friend Art Chantker from The Potomac Forum has an executive breakfast on the 24th with a good host of speakers–OMB, NIST, Microsoft, and US Air Force. I’ll be there, just for the simple fact that I can refute claims later when somebody offers me yet another compliance solution. =)
This whole unified standard business was started by the US Air Force, who very simply decreed that you wouldn’t connect a Windows system to the network until it met the technical standards. Hmmm, wonder where they got the idea for a technical standard? This isn’t new, DoD has been doing it for years. I guess finally the clueful people got together and decided to make the migration to Vista a chance to get STIGs implemented in the civilian agencies.
Posted in FISMA, NIST, Rants, Technical | 3 Comments »
Posted May 19th, 2007 by rybolov
In order to get all my content spidered, I’m setting the blog pages and RSS feed up to be big this weekend. I’ll trim them back on Monday.
I also added a row of social networking bookmark widgets to each post in a shameless attempt to get a bit more traffic coming in. =)
Posted in Odds-n-Sods | No Comments »
Posted May 18th, 2007 by rybolov
Attached are some pictures from the C&O Canal in Maryland. It’s a nice warmwater fishery and although I have yet to catch the huge bass that live in it, I have seen them up-close on 2 occasions–they made my heart stop, they were so big.
[Photos: Where the Bluegills Live; Looking Down the Canal; Baby Bassie]
Posted in Flyfish | No Comments »
Posted May 16th, 2007 by rybolov
Somebody in SE Virginia has been spreading my name around, and now it feels like I have a new fan club down there.
We have a couple of data centers and projects in the Hampton Roads area (Norfolk, Chesapeake, Hampton). They got my name from another one of our data centers that I interact with regularly.
Now I’m getting emails from people I’ve never met before looking for help with this FISMA thing or help with a DR/COOP proposal. I even fielded one call about clearances while I was looking for bits of fur at the local flyshop. I think the more I help them out, the more calls I get from that area.
Which brings up my personal consulting policy. If it takes up less than 30 minutes or so of my time, I’m always free for a call or email. Any amount of time over that, you need dedicated help and probably need to contract somebody to do it.
I still get the occasional call from people I taught a year ago asking for help with a particularly tricky problem. It’s nice to feel needed from time to time. =)
Posted in The Guerilla CISO | 1 Comment »
Posted May 16th, 2007 by rybolov
Message to vendors: If you want to break into the Managed Service Provider market, there is one thing extra that you need to do.
Enterprise-class products are reasonably good at being able to support a 3-tier model. That way you can abstract out everything into whatever architectural model you want. Need more database oomph, add some more power at the database tier. Need to support a remote site, put a data collector out there on the management LAN and just send events back to the central collectors. This stuff is great.
But when it comes down to MSPs, there is one thing that we need above and beyond what enterprise-class products have. We need to be able to flag data as belonging to a certain customer. That way, once events have trickled up to the Single Pane of Glass (TM) that the NOC operators use, we still can tell which environment the event came from. That requires tagging and the simple ability to have multiple devices on one IP address when clients have address collisions (everybody using 10.0.0.0 comes to mind).
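The tenant-tagging requirement above, as an added example that is not from the original post: events arriving from per-customer remote collectors are keyed by (tenant, IP) rather than IP alone, so two customers both using 10.0.0.0/8 stay separate on the central console. Collector names, tenant ids and the event format are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class Event:
    collector: str   # remote data collector that forwarded the event
    src_ip: str      # address as seen inside the customer's own network
    message: str

# Constructed mapping (hypothetical names): each remote collector sits on one
# customer's management LAN, so the collector identity becomes the tenant tag.
COLLECTOR_TENANT: Dict[str, str] = {
    "collector-norfolk-01": "customerA",
    "collector-chesapeake-01": "customerB",
}

DeviceKey = Tuple[str, str]  # (tenant, ip)

def tag_event(ev: Event) -> Optional[DeviceKey]:
    """Key a device by (tenant, ip); None if the collector is not registered.
    Keying on IP alone would merge customerA's 10.0.0.5 with customerB's."""
    tenant = COLLECTOR_TENANT.get(ev.collector)
    return None if tenant is None else (tenant, ev.src_ip)

def build_inventory(events: List[Event]) -> Tuple[Dict[DeviceKey, List[str]], List[Event]]:
    """Group messages per (tenant, ip). Events from an unregistered collector
    are quarantined rather than guessed, so nothing shows up under the wrong
    customer on the NOC console."""
    inventory: Dict[DeviceKey, List[str]] = {}
    quarantine: List[Event] = []
    for ev in events:
        key = tag_event(ev)
        if key is None:
            quarantine.append(ev)
        else:
            inventory.setdefault(key, []).append(ev.message)
    return inventory, quarantine

def naive_device_count(events: List[Event]) -> int:
    """What a product without tenant tagging would report: devices keyed by IP only."""
    return len({ev.src_ip for ev in events})

# Constructed sample: both customers have a device at 10.0.0.5, plus one
# event from a collector nobody registered.
SAMPLE = [
    Event("collector-norfolk-01", "10.0.0.5", "sshd: failed password for root"),
    Event("collector-chesapeake-01", "10.0.0.5", "link down eth0"),
    Event("collector-unknown", "10.0.0.5", "orphan event"),
]
```

With the sample above the naive count collapses to one device, while the tagged inventory holds two distinct devices and one quarantined event.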
Posted in Outsourcing, Technical, What Doesn't Work, What Works | 2 Comments »
Posted May 15th, 2007 by rybolov
Personnel turnover has to be the bane of life as a contractor in the DC area. As soon as you get somebody hired and trained, they’re out the door, taking the life of the project that they started with them. I think the average is less than a year.
I’m really rare. I’ve worked with the same company for 4.5 years. That’s an eternity in the environment I’m in. Granted I took a “little vacation” to “someplace sunny” in 1994, but still, I came back.
There are a couple of reasons that we have such a high turnover rate in the area:
- The demand is high and the supply of good security people is low. That means that the salaries are going up just as fast.
- Because salaries are so high, there is a very sizeable gap between entry-level positions and the top positions. HR raise formulas don’t compensate for this, so the only way to get a good salary increase year after year is to job-hop.
- Key personnel change at your company? No problem, you can very easily land somewhere more friendly. There isn’t much encouragement to stick around and work out your differences.
Like I say all the time, there are 2 job markets for me as a security professional: DC and the rest of the world.
As for why I’ve been at the same place for over 4 years, well, I hop around from project to project and site to site inside the company. In some ways, I’m letting the staffing burn rate make opportunities for me.
Posted in Rants, The Guerilla CISO | 1 Comment »