Vlad’s Rules to Live By…

Posted March 12th, 2008 by

Greetz and shouts out to Rybolov for fixing my spare PC (yet again) and finally allowing me to contribute…

I’m a contractor filling the role of CISO at a Government Agency.  (That’s another story for another time.)  I really try to keep things light, because security can be a pretty dull business, especially if it’s done right.

Lately, I’ve run into my share of prima donnas — like the one in charge of building our whiz-bang operations support system…  Don’t get me wrong, it’s a very important project — so important that the network engineers I depend on to get things done (like design the security environment for the system) have been assimilated. Resistance was futile.  Heaven forbid one of his resources should be diverted from supporting this project to address their primary duties like helping to deal with, oh a network outage, or SECURITY INCIDENT!

Being resourceful (as all good CISOs should be) I found workarounds to all of the roadblocks this guy dropped into my path. Over time, this has really grated on me — the fact that I’m writing about this is all you need to know…

So I did what everyone should do — I vented to my boss! Together, we realized that this guy (a subcontractor of ours) was on Everyone’s Shiznit List. We actually PAY this guy to do this to us!  Venting turned to commiserating to funny stories to hysterical childlike laughter.

In the midst of this, I uttered the phrase that will be framed in my CISO office, if, and when I leave Cubeville behind…

Vlad’s Rule #1

If you’re going to act like a prima donna in the CISO’s office, you WILL wear a tutu, so I can see you coming.

And when folks break into prima donna mode in a meeting or discussion, I will henceforth utter the following Key Phrase (in my favorite Redneck voice) when they cross the line:

“Lighten up Francis!  You didn’t bring your tutu widjadidja?”  Feel free to use this liberally. (All I ask is a mental footnote.)

Suddenly, things weren’t so bad.

Did I mention I like to keep things light?




Posted in BSOFH | 4 Comments »

I’m Addicted to the Hans Reiser Trial

Posted March 11th, 2008 by

Wow, interesting twists abound.  If you’re a geek, into security, and haven’t been following along at home, what’s wrong with you?

Hans Reiser Trial Blog at Wired

Some highlights:

  • It all goes back to the Motherland:  Wife dated KGB, mail-order-bride follies, and ties to the mafia
  • Father says he warned son of “Techno-Geek S&M Crowd”
  • “I do strange things because I’m a geek”
  • In retrospect, it’s probably bad to buy books about murder investigations when you might be the subject of one
  • Doing suspicious things does not mean that you’re guilty, but it makes it harder to prove that you’re not guilty
  • If you can’t find the body, does that mean that a murder has happened?



Posted in Odds-n-Sods | No Comments »

On the Dangers of SP 800-26

Posted March 11th, 2008 by

OK, let’s kick it old-sk00l-FISMA-stylie.  Back in the day, there was Special Publication 800-26.  It was part of the first set of guidance to come from NIST on information security (for those of you who can’t count, as of today we’re up to 800-115).  I guess you could say that the original 800-26 was the primordial beginnings of a catalog of controls combined with a self-assessment questionnaire.

The cool thing about 800-26 that I liked was the fact that it’s a thinly-disguised version of CMMI:  5 levels of maturity, with level one being “do you have a policy that addresses this” and the plateau level being “have you integrated this control by feeding the results of testing back into all the other levels?”  Hey, sounds like fairly competent engineering and technical management practices (no, I’m not open to debate the merits and warts of CMMI today, tyvm) and is something familiar enough that we can instinctively get the idea of what we’re doing with it.

Now for the bad things:  some of the questions in 800-26 were um… I guess the phrase would be “irrelevant” or “deprecated due to time” or even “worn around the edges”.  The original 800-26 was good as a stop-gap measure; now it’s fallen into the class of “Cute, reminds me of the halcyon days of 2003 when we were so naive in our desire to rid the world of unencrypted telnet sessions”.

Our friends at NIST are going through a revision of 800-26 and have “pulled SP 800-26 off the market” for the time being.  Sometime in the future it will be a questionnaire based on SP 800-53, the catalog of controls we all know and love.  The idea being that if you have a low-impact/criticality system, you can do a self-assessment using the new and improved 800-26 and it satisfies quite a few of your security controls requirements.  And hey, we all know that assessment of any IT system begins with self-assessment as some sort of gap assessment:  where are you now, where do you need to be, and how do you bridge the gap between these 2 points?

Of course, the concept of relying on self-assessment for security makes me cringe deep down inside, but keep in mind that this is only for low-criticality systems which means that they do not include PII, financial data, or classified information.  However, if you’re a FISMA-hater, you can always point to 800-26 and say “see, they think that by filling out a questionnaire, they’re making their IT more secure”.

Only here’s the problem:  I still see people on teh Intarweb referring others to go “Read the Fine Manual” that is 800-26.  I know of at least one agency that requires a completed self-assessment to be submitted as part of their C&A package, and usually as a simple checkbox:  Have you filled one out or not?

The CISO deep down inside of me still wants to know what the value added is.  Sounds to me like we have the typical “Security Wonks Gone Wild” in that we’re so obsessed with filling out checklists and forms that we’ve lost track of what our original intent was.

Now if you know me, you’ll remember that I usually don’t complain about something without having an alternative.  In this case, my alternative is this:  Don’t use 800-26 or recommend it to others, and please do point out to people who require you to use 800-26 that its use has been rescinded by NIST and that your organization’s policy should have changed to keep up.

This is the official story from NIST; keep the link handy for the future:

Status of NIST Special Publication 800-26, Security Self-Assessment Guide for Information Technology Systems

NIST SP 800-26 is superseded by NIST SP 800-53 and the draft NIST SP 800-53A.

Agencies are required to use FIPS 200/NIST Special Publication 800-53 for the specification of security controls and NIST Special Publication 800-53A for the assessment of security control effectiveness.




Posted in FISMA, What Doesn't Work | 5 Comments »

Wednesday Zombie Post–The Zen of Zombie

Posted March 5th, 2008 by

Wow, a book on embracing the joy of zombiness… The Zen of Zombie.

‘But what can I learn from zombies?’ you are asking yourself. The answer: plenty. In The Zen of Zombie you’ll learn some interesting skills, such as:

  • How to adapt to anything life (or the living) throws at you
  • How to slow down
  • How to remove prejudice from your life (a brain is a brain is a brain)
  • How to find strength in numbers (zombie Horde, anyone?)
  • How to stop negotiating and start demanding what you want (zombies don’t settle for a nose – they want the brain)
  • How to make each word count (zombies want brains, zombies say “brains”)
  • and much, much more!



Posted in Zombies | 2 Comments »

Towards Actionable Metrics

Posted March 4th, 2008 by

Ah yes, our favorite part of FISMA:  the ongoing reporting of metrics to OMB.  Last year’s guidance on what to report is in OMB Memo 07-19.  It’s worth the time to read, and you probably won’t be able to follow the rest of this blog post if you don’t at least skim it to find out what kind of items get reported.

Still haven’t read it?  Fer chrissakes, just look at pages 24-28, it’s a fast read.

If you look through the data that OMB wants, there are 2 recurring themes:  What is the scope/extent/size of your IT systems, and how well are you doing what we told you to do to protect them?  In other words, how effectively are you, Mr CISO, executing at the operational level?

We’re missing one crucial bit of process here–what are we actually going to do with scoping metrics and operational performance metrics at the national, strategic level?  What we are collecting and reporting are primarily operational-level metrics that any good CISO should at least know or be able to guess at to do their job, but they’re not really the type of metrics that we need to be collecting at levels above the CISO unless our sole purpose is to watch over their shoulder.

As our metrics gurus will point out, the following are characteristics of good metrics:

  • Easy to collect:  I think the metrics that OMB is asking for are fairly easy to collect now that people know what to expect.  Originally, they were not.
  • Objective:  Um, I’ll intentionally side-step this one.  Suffice it to say that I’ve heard from several people a story where the punch line goes something like “Your security can’t be this good, we’ve already decided that you’re getting a ‘D’.”
  • Consistent:  Our consistency is inconsistent.  Look at how many times the FISMA grading scale has changed, and we still wonder why people think it’s not rooted in any kind of reality.  And yes, I’m advocating yet another change, so I’m probably more an accomplice than not.
  • Relevant:  We do a fairly good job at this.  Scoping and performance metrics are fairly relevant.  I have some questions about if our metrics are relevant at the appropriate level, but I’ve already mentioned that.
  • Actionable:  This is where I think we fall apart because we’re collecting metrics that we’re not really using for anything.  More on this later….

Now, as Dan Geer says in his outstanding metrics tutorial (caveat, 6-MB PDF), the key to metrics is to start measuring anything you can.  The line of thought goes that if you can collect a preliminary set of data and do some analysis on it, it will tell you where you really need to be collecting metrics.

The techie version of this is that you will blow away the first server install you do within 6 months, because by then you know better how you operate and what the configuration really needs to be.

Now ain’t that special?  =)

So the question I pose is this:  after 6 years, have we reached the watershed point where we’ve outgrown our initial set of metrics and are ready to tailor our metrics based on what we now know?

I think the answer is yes, and applying our criteria for good metrics, what we need is a good set of questions to answer:

  • What national-level programs can reduce the aggregate risk to the government?
  • What additional support do the agencies need and how do we translate that into policy?
  • As an executive branch, are we spending too much or too little on security?  Yes, I know what the analysts say, but their model is for companies, not the Government.
  • What additional threats are there to government information and missions?  Yes, I’m talking about state-sponsored hacking and some of the other things specific to the government.  Is it cost-effective to blackhole IP ranges for some countries for some services?
  • Is it more cost-effective to convert all the agencies to one single NSM/SIEM/$foo à la Einstein or is it better to do it on a per-agency basis?
  • What is the cost of implementing FDCC, and is it more cost-effective and risk-effective to do it immediately or to wait until the next tech refresh on desktops as we migrate to Vista or upgrade Vista to the next major service pack?
  • What is the cost-benefit-risk comparison for the Trusted Internet Connections initiative, and why did we come up with 50 as a number vs. 10 or 100?
  • Is there a common theme in unmitigated vulnerabilities (long-term, recurring POA&Ms) across all the agencies that can be “fixed” with policy and funding at the national level?  Say, for example, the fact that many systems don’t have a decent backup site, so why not a federal-level DR “Hotel”?
  • Many more that are above and beyond my ability to generate today…

In other words, I want to see metrics that produce action or at least steer us to where we need to be.  I’ve said it before, I’ll say it again:  metrics without actionability means that what we’ve ended up doing is performing information security management through public shame.  Yes, some of that is necessary to serve as a catalyst to generate public support which generates Congressional support which gets the laws on the books to initiate action, but do we still need it now that we have those pieces in place?

If I had my druthers, this is what I would like to see happen, maybe one day I’ll get somebody’s attention:

  • OMB and GAO directly engage Mr Jacquith to help them build a national-level metrics program.
  • We produce metrics that are actionable.
  • We find a way to say what our problems are without overreacting.  I don’t know if this can happen because of cultural issues.
  • We share the metrics and the corresponding results with the information security management world because we’ve just generated the largest-scale metrics program ever.

And oh yeah, while I’m making wishes, I want a friggin’ pony for Christmas! =)




Posted in FISMA, What Doesn't Work, What Works | 3 Comments »
