LOLCATS and NSTIC
Posted April 14th, 2011 by rybolov
Posted in IKANHAZFIZMA, NIST, Public Policy, Technical, What Works | No Comments »
Tags: government • infosec • infosharing • lolcats • management • scalability
You should have seen Special Publication 800-39 (PDF file; also check out more info on Fismapedia.org) out by now. Dan Philpott and I just taught a class on understanding the document and how it affects security managers out there doing their job on a daily basis. While the information is still fresh in my head, I thought I would jot down some notes that might help everybody else.
The Good:
NIST is doing some good stuff here trying to get IT Security and Information Assurance out of the “It’s the CISO’s problem, I have effectively outsourced any responsibility through the org chart” mindset and into more of what DoD calls “mission assurance”. I.e., how do we go from point-in-time vulnerabilities (things that can be scored with CVSS or tested through Security Test and Evaluation) to briefing executives on what the risk to their organization (Department, Agency, or even business) is from IT security problems? It lays out an organization-wide risk management process and a framework (layer cakes within layer cakes) to share information up and down the organizational stack. This is very good, and getting the mission/business/data/program owners to recognize their responsibilities is an awesome thing.
The Bad:
SP 800-39 is good in philosophy, with a general theme of taking ownership of risk by the non-IT “business owners”, but when it comes to specifics, it raises more questions than it answers. For instance, it defines a function known as the Risk Executive. As practiced today by people who “get stuff done”, the Risk Executive is like a board of the Business Unit owners (possibly as the Authorizing Officials), the CISO, and maybe a Chief Risk Officer or other senior executives. But without that context, and without asking around to find out what people are doing to get executive buy-in, the Risk Executive seems fairly like a non sequitur. There are other things like that, but I think the best summary is “Wow, this is great, now how do I take this guidance and execute a plan based on it?”
The Ugly:
I have a pretty simple yardstick for evaluating any kind of standard or guideline: will this be something that my auditor will understand and will it help them help me? With 800-39, I think that it is written abstractly and that most auditor-folk would have a hard time translating that into something that they could audit for. This is both a blessing and a curse, and the huge recommendation that I have is that you brief your auditor beforehand on what 800-39 means to them and how you’re going to incorporate the guidance.
Posted in FISMA, NIST, Risk Management, What Works | 5 Comments »
Tags: 800-37 • 800-39 • accreditation • assurance • auditor • C&A • certification • comments • compliance • datacentric • fisma • government • infosec • management • NIST • risk • scalability • security
Nope, we’re not going to talk about ego trips, hidden agendas, or complete irresponsible transparency. This blog post is about some of the fallout inside the Government security teams.
The powers that be would like to remind you that downloading classified documents off the Intertubez does not make them unclassified. An anonymous source that I talked to last week gave me the info that they were busy tracking their users’ browsing behaviors so that if you (the hypothetical you) went to WikiLeaks and downloaded a classified document, the InfoSec goon squad would show up outside your cubicle to shred your hard drive because you had just been responsible for a classified spillage, i.e., your unclassified desktop now has classified material on it and as per procedure the only way to deal with the situation is to overwrite your hard drive and reimage it. I have a couple thoughts about this:
And then there’s the Ambulance Chasing Department. According to a different anonymous source, the vendors have descended upon the State Department hawking their security solutions, including this gem of a webinar. Not quite sure what the webinar is on, except that they’re targeting you to sell something.
From: Prism Microsystems
Sent: Wednesday, December 01, 2010 10:01 AM
To: user@state.gov
Subject: Webinar: Prevent “WikiLeaks-type” Data Loss
Webinar: How to Prevent “WikiLeaks-type” Data Loss in Government Networks
Following the most recent publication of classified documents by WikiLeaks, government agencies are reviewing current provisions for protecting classified and top secret data – they are also researching best practices and alternative methods to monitor, prevent, and document data loss.
Attend this webinar to learn:
- how the leaks happened
- telltale signs of a leak
- what you can do to prevent them
Leak picture by jillallyn.
Posted in Rants | 4 Comments »
Tags: government • infosec • pwnage • security
Consider that it’s a secondary source and therefore subject to being corrected later in an official announcement, but this is pretty big. Requiring the Departments and Agencies to consider cloud solutions both scares me (security, governance, and a multitude of other things about rushing into mandated solutions) and excites me (now cloud solutions are formally accepted as viable).
However, before you run around either proclaiming that “this is the death of serverhuggers” or “the end is nigh, all is lost” or even “I for one welcome our fluffy white overlords”, please consider the following:
Posted in Outsourcing, Rants | 2 Comments »
Tags: cashcows • cloud • cloudcomputing • fedramp • google • government • itsatrap • management • moneymoneymoney • scalability
Go check it out. The project management folks have been jokingly grilled numerous times for being ~2-3 months late.
However, comments are being accepted until December 2nd. Do yourselves a favor and submit some comments.
Posted in FISMA, NIST | 2 Comments »
Tags: 800-37 • 800-53 • 800-53A • C&A • catalogofcontrols • certification • cloud • cloudcomputing • compliance • fisma • government • infosec • infosharing • management • NIST • scalability • security
Catching you up here with some of the Gov 2.0 kids. Steve Radick wrote an interesting blog post about Government 2.0, and I’m thinking “damn, right on!” Now don’t get me wrong here; sometimes I’m critical of the Gov 2.0 crowd because it seems like about half the time they’re throwing technology and data at people to see what will stick instead of asking the non-IT program managers what information they need to do their job right. But in this case, Steve’s blog post does have relevance for Government IT security folks.
At this point, you’re probably thinking “But Mr Rybolov, how the heck does this relate to IT security and the Government?” and you’re definitely right to ask. Well, way back in the halcyon days of last year, I came to a realization that tactical and technical security solutions come from the bottom and that compliance and regulation come from the top. I even built a model about it. One of the implied problem areas is that if your management model goes “top-down”, then it gets filtered through bureaucracy.
I was at an AFCEA awards banquet trying to pretend that I wasn’t really a reformed infantryman (think “professional troll”) when Roger Baker gave an awesome talk about “practicing random acts of defiance of the bureaucracy”. I think there’s a bit of genius in that statement. It’s one of the reasons why I blog: as a regular Joe not in the Government, I’m reasonably free to talk about the successes and failures of my friends in the Government where they can’t.
Hence my grand unified theory on life, the universe, and everything else: the InfoSec career field is a lot more like soccer or law enforcement than football and the court system–sometimes we depend on the most junior people who are operating semi-autonomously within their assigned sector. But my point (I know, you’re wondering when I’ll get there) to this whole post is that if we’re going to have a decentralized industry, we also bear the responsibility to train our folks to operate independently and to have the skillset to be well-rounded enough to work in a wide variety of situations.
Posted in Rants | 2 Comments »
Tags: compliance • government • infosec • management • security