It seems like every product or service that somebody is trying to sell me has the words “bank” or “financial institution” attached to it. The cynic in me would say that either the SOX cash cow is drying up and the vendors are trying to glom onto FISMA, or the only past performance that these small-fry vendors have is with a bank that bought their solution once.

Part of me also wants to know if banks will buy whatever junk I throw at them. =)

So is the secret to selling a product to the government a cleverly crafted Unix shell command like the following:

cat marketing.literature.sox.txt \

| sed ‘s/SOX/FISMA/’ \

| sed ‘s/bank/government agency/’ \

> marketing.literature.fisma.txt

You would think so based on the spam I get nowadays. It’s so obviously retreaded that I keep wondering “Do you guys even believe your own literature and hyperbole about what you’re trying to sell?” I don’t expect sales people to be the experts at my business, but how can you offer me a solution to my problems if you don’t understand the gist of what my problems are? If you don’t know that bank security is primarily modeled on integrity and that government security is primarily modeled on confidentiality, then we don’t really have a common language.

My vendor spam for today is below. “Compliance as a Service” makes my head explode. I think somehow I should be building a list of security spammers as a “Wall of Shame” to help out the people who would actually buy from these vendors. If anything, I’ll know who not to buy from–the list is getting large enough so that I need to write it down to keep track of.

 

Dear Rybolov,

The need for automated Security Review processes had already made developments in risk tracking one of the areas of greatest interest (and concern) to CIOs, CSOs, and Security Managers worldwide. Now, with the news of Google’s acquisition of Postini, many enterprise organizations are looking even more closely at risk management and compliance as a service.

Many companies lack a repeatable, automated security risk assessment process, and <redacted> would like to offer you a case study that provides an overview of how a leading global financial service provider was able to take advantage of compliance as a service to address risk management and compliance issues while improving business performance.

The specialists at <redacted> are pleased to offer you this case study in an effort to reduce the background noise surrounding this issue and help you focus on the aspects of the process that matter most.

To download this case study at no cost and with no obligation, simply visit: <redacted>

• On Why I Blog… FUD is the Reason for the Writin’
• Database Activity Monitoring for the Government
• More Vendor Craziness
• The Vendors are Already Jumping on the 07-11 Bandwagon
• Ack! With the Mandates!

As much effort as we put into badge readers, smart cards, and access controls systems, it’s a dirty little secret that they are easy to overcome if you know what you are doing, and the only way to keep you from cheating is to put a “meatgrinder” in your way.

Techniques for getting past card reader systems:

• The Big Box: Hold a box that’s big enough and bulky enough that you need two hands to hold it. Ask a cleared employee to hold the door open for you.
• The Mad Dash: Hide just out of reach of the door. Wait for a cleared person to go inside, then make a “mad dash” to grab the door right before it closes. If you practice, you don’t even have to run to get the door, you use your sense of timing.
• The New Employee: “Hi, I’m new here and they told me it would be a week until I got my badge. Can you let me in?”
• The Clipboard: Hold a clipboard and act like an auditor who is dismayed that they couldn’t get into the area that they need to inspect.
• The Visitor: Ask somebody to sign in so you can legitimately get access to the area. After that, it’s a simple deal to shed your escort.

The commonality to all this is that you’re preying on peoples’ sense of either being a team player or giving other people some common hospitality. You can teach people to not let anybody else in, but our brains just won’t let us slam the door in somebody else’s face.

Come to think of it, it’s suspiciously like trying to teach your kids not to talk to strangers.

• Mike’s Guide to Information Security Policy
• The BSOFH On Dorky, Auditor-Friendly Policies
• Clearances and Economy of Scale
• FISMA Report Card News, Formulas, and 3 Myths
• The “Off The Record” Track

Very interesting article on keyloggers and the AV companies.

I’m sitting here trying to think about the problem, the scenario goes something like this:

• I’m the police/$favorite_member_of_NIC and need to keylog somebody
• I need to get the keylogger to the target and their computer
• I need the anti-malware detector on the target computer to not find my product so I can both get a foothold and continue to collect evidence.

So putting on my thinking cap, this is a fairly complicated attack. Yes, malware vendors do it all the time, but they aren’t selective usually in what their target is–they’re throwing what they have at a bajillion targets and taking what sticks.

In order to do this attack right, I would need to know which type of AV/endpoint security the target uses or I need a technique that none of the vendors know about or how to detect. In order to find out the AV that the target uses, I can either break in, hire a snitch, or use a wiretap to wait for the software to phone home for a signature update.  Once I know what exactly the target uses for protection, I can plan the attack.

Of course, this assumes that AV is 100% effective, which we all know isn’t true. =)

• Sir Bruce Mentions FDCC, World Goes Nuts
• Digital Forensics: Who should make the keys?
• DDoS Vocabulary and Mathematics
• My Lunchtime Hobby: Collecting Badges
• Keeping Up With the DDoS Kids

N.C.-M.C.s Featuring Sizzle Stixxx in “When Zombies Attack”

• Wednesday Zombie Post–The Zen of Zombie
• Wednesday Zombie Post–The Zombies
• Wednesday Zombie Post–Ethical Zombies
• Wednesday Zombie Post–Zombies on Uncyclopedia
• Wednesday Zombie Post–The Federal Vampire and Zombie Agency

There are a ton of kooks out on the internet.  We all know this.  Hey, for all I know, you might think I’m one as well. =)

But um…. what does HSPD-20 have to do with President Bush serving a 3rd term?  This one threw me for a loop.  Even the part of me that loves a good conspiracy theory has problems equating “National Continuity Policy” with “4 more years”.  You could maybe say that this lays the ground to declare a national emergency and forgo an election, but I just don’t see it.
But then again, I’ve been known to be wrong on very rare occasions.

• Inside the Obama Administration’s Cyber Security Agenda
• Cyber Security coming to a boil
• Government Can’t Turn on a Dime, News at 11
• Learning GovieSpeak: The Plum Book
• The World Asks: is S.773 Censorship?

“…so that I can tell you which security things you do not have to do.”

There are so many rules that security people deal with on a daily basis, the best part about taking a risk-based approach to security is that you know where you can ignore/cheat/circumvent/write “N/A” on it. That’s why I like the engineers to let me know when they’re starting a big project.

If you’re stuck at denying projects at the last point possible–at the point of implementation–then you’re way too late. Security involvement in projects should be before they even get funded (ie, during feasibility studies and requirements definition) so that we can get in our abbreviated list of needs and requirements.

Just like salmon, good security managers know how to “swim upstream to spawn”.

• When Acceptable Risk is Not Acceptable
• Core Belief #4 — Compliance is a Dead-End
• SP 800-53A Now Finally Final
• White Professional Male Turned CISSP Seeks Mega-Sized Security Management Model
• In Which Our Protagonist Discovers We Need More Good Public Policy People Who Understand Security