Certification and Accreditation Seminar, March 30th and 31st

Posted March 13th, 2009 by

We’ve got another good US Government Security Certification and Accreditation (C&A) Seminar/Workshop coming up at the end of March with Potomac Forum.

Graydon McKee (Ascension Risk Management and associated blog) and Dan Philpott (Fismapedia Mastermind and Guerilla-CISO Contributor) are going to be the core of the instruction, with a couple of others thrown in to round it all out.  I might stop by if I have the time.

What we promise:

  • An opportunity to hear NIST’s version of events and what they’re trying to accomplish
  • An opportunity to ask as many questions as you possibly can in 2 days
  • Good materials put together
  • An update on some of the recent security initiatives
  • An opportunity to commiserate with security folks from other agencies and contractors
  • No sales pitches and no products

See you all there!



Posted in FISMA, NIST, Speaking | No Comments »

Everything I know about security, I learned from Ghostbusters…

Posted February 17th, 2009 by

(Well maybe not everything…)
I’ve been the de facto security officer at a government agency going on two years now; it’s been quite a challenge. Without getting too deeply into how this happened (since I’m a contractor), I’d like to share some of the insights, horror stories, tips, and interesting anecdotes I’ve gathered over the past 22+ months.

If nothing else, many of my “preconceived notions” about managing an effective security program at a federal agency have been confirmed. Many others have been changed in ways I would never have suspected. I’m going to attempt to explain these in what I hope is an insightful, if not humorous way.

Ghostbusters works for me… At the time (1984), it was, hands-down, the funniest movie I had ever seen–it left its mark. It sure beats “Dude Where’s My Car?” for quotes that can be applied to security. But then some may say I’ve either set the bar a bit low, or I need to expand my movie viewing habits. Hey, work with me on this one people!!!

So, here are several quotes from the movie and their application to my philosophy on information security. I hope you enjoy it!


Ecto-1 photo by chad davis.

I’m from security, and I’m ready to believe you.
Listen. Foster discussion. Then, draw upon your experience and make your decision. Do not enter into a discussion with a mandate (unless from above). Mandates do not foster discussions, especially in areas where policy is absent or maybe not-so-explicit. Most importantly, this is an invitation for the person you’re talking to to begin telling their side of the story.
Important Safety Tip: As the security professional, remember – this is the time for you to begin listening!

“Next time, if <someone> asks whether you’re a GOD, you say YES!”
Face it. Many of us security folks are humble. We all may even know what it is we don’t know. We might be a little gun-shy in our first few weeks on the job. However, don’t let your humility or shyness overcome you…

Like it or not, you are your organization’s security expert. “The Shell Answer Man,” the “Pro from Dover,” the “Go-to Guy/Gal.” While you may not have committed the processes contained within the IKE negotiation phases to memory, and may not be able to quote RFC 3514 off the top of your head, you probably DO know where to find the information… “I don’t know,” should never roll off your lips.

When you’re hired as the subject matter expert on security, you need to be confident–whether you’re knocking a soft-toss out of the park or, especially, when you tell folks that you’ll research the topic and get back to them. Come back with the facts, and your credibility will be strengthened.

Likewise, when you have reservations about a particular situation, let folks know why you’re not jumping on board their crazy train. Invite discussion. State your case plainly and propose solutions, or if you can’t suggest an alternative, discuss it offline in another meeting focused on solutions. While your mission is to guard the organization’s interests, you can’t do so at the expense of the organization’s mission. Working closely with client service or engineering teams shows that security can be an integral part of solution development, and not an impediment. Think of this as guiding others to the solution – without telling them the “right” answer. This allows others to “own” the solution – their help may be valuable, if not necessary to help you socialize a potentially contentious (or expensive) solution.

“Don’t cross the streams…”
I love this one. I get to use this at least twice a day while speaking to engineering, operations, management or other folks at my agency. It’s gotten so that people have heard it so many times, they’re using it. Best part is, they are using the phrase correctly!

So what does this mean exactly? Generally/normally, the following things should never be directly connected to one another:

  • Classified and Unclassified Networks
  • The Internet and a Classified Network
  • Networks classified at different levels
  • Development, Test, and Production Networks/Environments
  • Accredited/trusted networks and less-trusted networks
  • Management and Production Networks

“Wait! I thought you said crossing the streams was BAD?!”
So, what does this Ghostbusters quote mean to us security folk?
Every policy, however rigidly enforced, needs a waiver process.

So what do I really mean? When you understand and can quantify the risk of a particular practice or a particular action, you can develop compensating controls to make otherwise unthinkable practices (e.g., connecting unclassified networks to classified networks) less risky. In this example, it can be done using one-way guard technology, or some other similar trusted, manual process.

Face it, jumping off a bridge can be dangerous, if not suicidal. However, when the jumper attaches themselves to a bungee cord or uses a parasail, the act of jumping off a bridge can be reduced from a Darwin-qualifying stunt to thrilling fun or awesome opening movie scene (like the opening of the first XXX movie starring Vin Diesel as Xander Cage). It may not be for everyone – but, given the right safety equipment, some of us might even consider taking the leap.

There’s an even better example. Let’s say your network security policy forbids use of USB memory devices. Anyone seen with one is given a stern talking-to, if not killed outright. Well, maybe not killed… the first time. Let’s say a virus or worm gets into your network. Hey – it happens. As a precautionary measure, your response to this type of incident requires you to sever your network connections to your business partners as well as the Internet. So… How do you get the new virus definition file and virus engine from your Platinum Support Provider and install it on your server? It just so happens that in this case, you downloaded a copy using your uninfected laptop via your home internet connection… onto a USB memory stick. So, how do you reconcile what needs to be done against your policy? Obviously, an exception to the policy needs to be made.

As a matter of fact, every organization needs a policy that allows exceptions to be made to existing policy. This may sound like doublespeak, and the above may not be the best example, but it certainly does illustrate the point.
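The two rules above (never directly connect networks of different trust, yet every policy needs a waiver process backed by quantified risk and compensating controls) as an added Python example; this is not the post’s own code. The zone attributes, the link inventory, the waiver fields and the dates are all constructed assumptions.

```python
"""Added example (not the post's own code): a checker for the "don't cross
the streams" rules above, plus the waiver process the post says every policy
needs.  Zone attributes, the link inventory and the waiver fields are
constructed assumptions."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Zone:
    name: str
    classification: str   # unclassified | secret | topsecret
    accredited: bool      # currently accredited/trusted network?
    stage: str            # dev | test | prod
    role: str             # production | management


@dataclass(frozen=True)
class Waiver:
    link: frozenset               # the two zone names the waiver covers
    compensating_control: str     # e.g. a one-way guard, as in the post
    risk_owner: str               # who accepted the quantified risk
    expires: date                 # waivers are time-boxed, then re-reviewed


def crossing_reason(a: Zone, b: Zone):
    """Why a direct a<->b link crosses the streams, or None if it does not."""
    checks = [
        (a.classification != b.classification, "different classification levels"),
        (a.accredited != b.accredited, "accredited network joined to a less-trusted one"),
        (a.stage != b.stage, "dev/test/prod environments mixed"),
        (a.role != b.role, "management and production networks mixed"),
    ]
    for crossed, why in checks:
        if crossed:
            return why
    return None


def evaluate(zones, links, waivers, today):
    """One (a, b, reason, status) per link; status is 'ok', 'waived' (a current
    waiver naming a compensating control exists) or 'violation'."""
    by_name = {z.name: z for z in zones}
    current = {w.link for w in waivers if w.compensating_control and w.expires >= today}
    findings = []
    for a, b in links:
        reason = crossing_reason(by_name[a], by_name[b])
        if reason is None:
            status = "ok"
        else:
            status = "waived" if frozenset((a, b)) in current else "violation"
        findings.append((a, b, reason, status))
    return findings


# Constructed inventory for the example.
ZONES = [
    Zone("internet", "unclassified", False, "prod", "production"),
    Zone("corp-lan", "unclassified", True, "prod", "production"),
    Zone("corp-dev", "unclassified", True, "dev", "production"),
    Zone("secret-enclave", "secret", True, "prod", "production"),
    Zone("secret-app", "secret", True, "prod", "production"),
    Zone("secret-mgmt", "secret", True, "prod", "management"),
]
LINKS = [("internet", "corp-lan"), ("corp-lan", "corp-dev"),
         ("corp-lan", "secret-enclave"), ("secret-enclave", "secret-app"),
         ("secret-enclave", "secret-mgmt")]
TODAY = date(2009, 3, 1)   # constructed "today" for the expiry check
WAIVERS = [
    Waiver(frozenset(("internet", "corp-lan")), "accredited boundary firewall, monitored", "CISO", date(2010, 1, 1)),
    Waiver(frozenset(("corp-lan", "secret-enclave")), "one-way guard", "authorizing official", date(2010, 1, 1)),
    Waiver(frozenset(("secret-enclave", "secret-mgmt")), "jump host", "CISO", date(2008, 6, 1)),  # lapsed
]


def report():
    return evaluate(ZONES, LINKS, WAIVERS, TODAY)


if __name__ == "__main__":
    print(*report(), sep="\n")
```

A lapsed waiver counts as no waiver, so the management link above comes back as a violation until someone re-accepts the risk.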

“What about the Twinkie?  Tell him about the Twinkie?!”
Never hide stuff from superiors. They don’t like surprises.
Never hide stuff from auditors. They have less of a sense of humor than your superiors.

“Human sacrifice, dogs and cats living together… MASS HYSTERIA.”
FUD doesn’t work. Don’t try it!

I hope these good-natured examples have gotten you to laugh (minimally), or possibly gotten the aspiring CISOs among you to think about how you might use humor in your day-to-day existence. I’d like to leave you with one more thought:
If you’re not having fun, you’re doing it wrong!

Cheers,
Vlad

FUD Fighter photo by cote.



Posted in BSOFH | 4 Comments »

Got Training?

Posted December 15th, 2008 by

So rybolov asked for another guest blog and a hot topic on my mind recently is training. Training in the IT world is kind of like the chicken-and-egg argument – every employer wants you to have the latest Security F00$ training but they never want to pay for it. What is an IT professional to do?

So why are the majority of employers hesitant to train their IT staff? Are they afraid they are going to bring new skills to your resume and then you will jump ship to the next “jump and bump opportunity”? Or do they really have funding shortfalls and budget cuts to prevent you from taking that 7 day Bahamas IT training cruise you wanted to take this winter? My take is that it is probably a little bit of both.

Let’s think about this for a minute. You are a cash-strapped IT Manager at $your_organization_name_here and have limited funding for a never-ending list of training requests. In your attempt to balance training with the rest of your budget, you eventually have to cut training to the bare minimum. If you do splurge and spend the money to send an employee to the latest security F00$ training, the next time he/she is unhappy they might leave. But chances are you have program requirements that dictate some level of yearly training that is required. This situation can also be a double whammy if you are in a consulting or contracting role where opportunity cost also means you are not billable during your time in training.

My suggestion is to strike some kind of balance to make both the employee and IT management happy. If you are in the role of government management, consider the possibility of allowing your contracting/consulting staff to bill their training hours to the program instead of going on company overhead. Another possibility to consider, if you are involved in IT management in the consulting/private/commercial sector, is offering a reasonable allowance each year towards training. It does not have to be a huge amount of money to pay for an expensive 10 day conference out of town, but enough to pay the tuition for a week-long training class. This will show the employee that you are serious about keeping them current in their career field but at the same time put some effort on them to be reasonable with their training requests. Depending on your geographic location, you can usually find job related training locally, especially if you are located anywhere near the beltway.

I was recently faced with this dilemma in my current position. We were told training funding was not available this year and that we would have to wait until next year. After thinking about this for a while, I approached my manager with an idea they bought into. I identified an area within my field that I have really wanted to get into the last few years but the opportunity never presented itself. Since we have the need for this skill and the organization was planning on investing in this area in 2009, I offered to pay my own tuition to attend this training if they would allow me to use PTO for the classes. They agreed and I purchased a one-year training package that will allow me to attend an unlimited number of classes from the vendor over the next year. When training funding becomes available again next year, we are planning on putting my training allowance towards travel costs.  In the end, I was able to turn the situation into a win-win for both my employer and my skill set. In a world of shrinking IT budgets, a little creativity can go a long way in meeting your training goals.

Football Training photo by melyviz



Posted in Odds-n-Sods, What Works | 3 Comments »

When the Feds Come Calling

Posted October 21st, 2008 by

I’ve seen the scenario about a dozen times in the last 2 months–contractors and service providers of all sorts responding to the Government’s security requirements in the middle of a contract.  It’s almost reached the stage where I have it programmed as a “battle drill” ala the infantryman’s Battle Drill 1A, and I’m here to share the secret of negotiating these things.

Let’s see, without naming names, let’s look at where I’ve seen this come up:

  • Non-Government Organizations that assist the Government with para-Government services to the citizens
  • Companies doing research and development funded by the Government–health care and military
  • Universities who do joint research with the Government
  • Anybody who runs something that the Government has designated as “critical infrastructure”
  • State and local governments who use Federal Government data for their social plans (unemployment system, food stamps, and ) and homeland security-esque activities (law enforcement, disaster response)
  • Health Care Providers who service Government insurance plans

For the purposes of this blog post, I’ll refer to all of these groups as contractors or service providers.  Yes, I’m mixing analogies, making huge generalizations, and I’m not precise at all.  However, these groups should all have the same goals and the approach is the same, so bear with me while I lump them all together.

Really, guys, you need to understand both sides of the story because this is a cause for negotiations.  I’ll explain why in a minute.

On the Government side:  Well, we have some people we share data with.  It’s not a lot, and it’s sanitized so the value of it is minimal except for the Washington Post Front Page Metric.  Even so, the data is PII that we’ve taken an anonymizer to so that it’s just statistical data that doesn’t directly identify anybody.  We’ve got a pretty good handle on our own IT systems over the past 2 years, so our CISO and IG want us to focus on data that goes outside of our boundaries.  Now I don’t expect/want to “own” the contractor’s IT systems because they provide us a service, not an IT system.  My core problem is that I’m trying to take an existing contract and add security requirements retroactively to it and I’m not sure exactly how to do that.

Our Goals:

  • Accomplishing the goals of the program that we provided data to support
  • Protection of the data outside of our boundaries
  • Proving due-diligence to our 5 layers of oversight that we are doing the best we can to protect the data
  • Translating what we need into something the contractor understands
  • Being able to provide for the security of Government-owned data at little to no additional cost to the program

On the contractor/service provider side:  We took some data from the Government and now they’re coming out of the blue saying that we need to be FISMA-compliant.  Now I don’t want to sound whiney, but this FISMA thing is a huge undertaking and I’ve heard that for a small business such as ourselves, it can cripple us financially.  While I still want to help the Government add security to our project, I need to at least break even on the security support.  Our core problem is to keep security from impacting our project’s profitability.

Our Goals:

  • Accomplishing the goals of the program that we were provided data to support
  • Protection of the data given to us to keep the Government happy and continuing to fund us (the spice must flow!)
  • Giving something to the Government so that they can demonstrate due-diligence to their auditors and IG
  • Translating what we do into something the Government understands
  • Keeping the cost of security to an absolute minimum or at least funded for what we do add because it wasn’t scoped into the SOW

Hmm, looks like these goals are very much in alignment with each other.  About the only thing we need to figure out is scope and cost, which sounds very much like a negotiation.

Hardcore Negotiation Skills photo by shinosan.

Little-known facts that might help in our scenario here:

  • Section 2.4 of SP 800-53 discusses the use of compensating controls for contractor and service-provider systems.
  • One of the concepts in security and the Government is that agencies are to provide “adequate security” for their information and information systems.  Have a look at FISMA and OMB Circular A-130.
  • Repeat after me:  “The endstate is to provide a level of protection for the data equivalent or superior to what the Government would provide for that data.”
  • Appendix G in SP 800-53 has a traceability matrix through different standards that can serve as a “Rosetta Stone” for understanding each other.  Note to NIST:  let’s throw in PCI-DSS, Sarbanes-Oxley,  and change ISO 17799 to 27001.

So what’s a security geek to do?  Well, this, dear readers, is Rybolov’s 5-fold path to Government/contractor nirvana:

  1. Contractor and Government have a kickoff session to meet each other and build rapport, starting from a common ground such as how you both have similar goals.  The problem really is one of managing each other’s expectations.
  2. Both Government and Contractor perform internal risk assessment to determine what kind of outcome they want to negotiate.
  3. Contractor and Government meet a week later to negotiate on security.
  4. Contractor provides documentation on what security controls they have in place.  This might be as minimal as a contract with the guard force company at their major sites, or it might be just employee background checks and
  5. Contractor and Government negotiate for a 6-month plan-of-action.  For most organizations considering ISO 27001, this is a good time to make a promise to get it done.  For smaller organizations or data, we may not even

Assumptions and dependencies:

  • The data we’re talking about is low-criticality or even moderate-criticality.
  • This isn’t an outsourced IT system that could be considered government-owned, contractor-operated (GO-CO)


Posted in FISMA, Outsourcing | 1 Comment »

Et Tu, TIC?

Posted October 7th, 2008 by

Let’s talk about TIC today, dear readers, for I smell a conspiracy theory brewing.

For those of you who missed the quick brief, TIC is short for “Trusted Internet Connections” and is an architecture model/mandate/$foo to take all of the Internet connections in the Government (srsly, nobody knows how many of them really exist, but it’s somewhere in the 2,000-10,000 range) and consolidate them into 50.  These connections will then be monitored by DHS’s Einstein program.

No, Not That Kind of TIC photo by m.prinke.

Bringing you all up to date, you’ll need to do some homework:

Now having read all of this, some things become fairly obvious:

  • If you have the following people needing connections:
    • 24 agencies, plus
    • DoD with 2 points of presence, plus
    • Intelligence agencies with a handful of Internet connections,
  • then basically everybody gets one Internet connection.  This is not good; it’s all a single point-of-DOS.
  • Agencies have been designated as Internet providers for other agencies.  Sounds like LoB in action.
  • Given the amount of traffic going through the TIC access points, it most likely is going to take a significant amount of hardware to monitor all these connections–maybe you saved 50% of the monitoring hardware by reducing the footprint, but it’s still hardware-intensive.
  • TIC is closely tied with the Networx contract.
  • In order to share Internet connections, there needs to be a network core between all of the agencies so that an agency without a TIC access point can route through multiple TIC service provider agencies.

And this is where my conspiracy theory comes in:  TIC is more about making a grand unified Government network than it is monitoring events–Einstein is just an intermediate goal.   If you think about it, this is where the Government is headed.

We were headed this way back in ought-two with a wonderful name: GovNet.  To be honest, the groundwork wasn’t there and the idea was way ahead of its time and died a horrible death, but it’s gradually starting to happen, thanks to TIC, FDCC, and Einstein. 

More fun links:

If you want to get a reaction out of the OMB folks, mention GovNet and watch them backpedal and cringe–I think the pain factor was very high for them on GovNet. So I think that we should, as a cadre of information security folks, start calling TIC what it really is:  Govnet 2.0!  =)



Posted in Technical | 2 Comments »

NIST and SCAP; SCAP @ Large Part 2

Posted October 2nd, 2008 by

There is another challenge that SCAP addresses without it being officially on the SCAP program’s agenda.  With the advent of SCAP we now have common reporting criteria by which we can judge SCAP certified products.  If you have ever used an automated vulnerability scanner as part of a penetration test or security audit, you know that not all vulnerability scanners are created equal.  Some have much lower false positive alert and reporting rates than others.  Likewise, it is known that false negative alert and reporting rates vary.  And, because of the various technical approaches taken by the scanners, some provide much more consistent results.  The challenge has been that without common criteria to test against, it is difficult for a small or even fairly large security organization to find the resources to effectively test these products in a fair apples-to-apples test.

This is where NIST has a real opportunity on its hands.  With the release of the SCAP protocol, we have the criteria by which performance comparisons can be made.  What we are lacking is a common test environment.

Benchmark photo by bzo.

Let me veer off-topic for a moment to provide some background.  In the last few years the Linux community has created various “live distributions” for various specialized requirements.  Live distributions are CD-, DVD- or flash-media-based operating systems that boot and run directly from that media.  So, by using a Linux live distribution, you can run Linux off of your home Windows-based laptop without ever installing Linux to your hard disk.  This has opened up a world of specialized possibilities for this community.  One of them is the standardized training environment.  For example, security testers have created DVL (Damn Vulnerable Linux, http://www.damnvulnerablelinux.org/).  DVL is a live distribution with well-documented security vulnerabilities that is used as a training aid for teaching vulnerability assessment and mitigation.  There are other similar efforts created with the same intent, such as the excellent DE-ICE training targets (http://de-ice.net/hackerpedia/index.php/De-ICE.net_PenTest_Disks).

NIST could follow up on the release of the SCAP protocol by also building and releasing a common testing environment, based perhaps on live distribution technology.  Such an environment, with well-documented vulnerabilities, would allow objective benchmarks to be created to rate the accuracy, reproducibility, and completeness of the results of SCAP certified vulnerability testing and reporting products.  This would aid government agencies, businesses and even individuals in their purchasing decisions.  It would also provide vendors with an objective and common test environment in which they can test and improve their products.  I admit this would be a significant undertaking for NIST.  However, I would suggest that such a test environment could be designed in such a manner that it could be built and released as a series of inter-operable modules based on live distribution technology.  The initial release might only offer a relatively modest set of tests, but with the release of each module building on the results of previous releases, a highly demanding and sophisticated test environment could soon be realized.  Because of the importance and utility of such a project, industry and outside security experts might want to participate in and contribute to such an endeavor.
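What the proposed benchmark would actually measure, as an added Python example that is not from the post or from NIST: scanner reports are scored against a test environment whose planted vulnerabilities are known in advance, giving the false-positive, completeness and run-to-run consistency figures the post talks about. The ground truth, the scanner output and the CVE-0000-* identifiers are constructed placeholders.

```python
"""Added example, not from the post or from NIST: scoring vulnerability
scanners against a test environment whose vulnerabilities are documented in
advance, as the post proposes.  Ground truth and scanner reports are
constructed; the CVE-0000-* identifiers are placeholders, not real entries."""
from itertools import combinations

# Ground truth: host -> vulnerabilities deliberately present in the test env.
GROUND_TRUTH = {
    "target-a": {"CVE-0000-0001", "CVE-0000-0002", "CVE-0000-0003"},
    "target-b": {"CVE-0000-0004"},
    "target-c": set(),   # clean host: anything reported here is a false positive
}


def score_run(truth, report):
    """Compare one scanner run (host -> reported findings) with ground truth.
    precision = share of alerts that were real (low false-positive rate),
    recall = share of planted vulnerabilities found (completeness)."""
    tp = fp = fn = 0
    for host, present in truth.items():
        found = report.get(host, set())
        tp += len(found & present)
        fp += len(found - present)
        fn += len(present - found)
    precision = tp / (tp + fp) if tp + fp else 1.0
    recall = tp / (tp + fn) if tp + fn else 1.0
    return {"tp": tp, "fp": fp, "fn": fn,
            "precision": round(precision, 3), "recall": round(recall, 3)}


def reproducibility(runs):
    """Mean Jaccard similarity of findings across repeated runs of one scanner
    against the same unchanged environment (1.0 = identical every time)."""
    flat = [{(h, v) for h, vulns in r.items() for v in vulns} for r in runs]
    sims = []
    for x, y in combinations(flat, 2):
        union = x | y
        sims.append(len(x & y) / len(union) if union else 1.0)
    return round(sum(sims) / len(sims), 3) if sims else 1.0


def benchmark(truth, scanners):
    """scanners: name -> list of runs.  Returns a per-scanner scoreboard."""
    board = {}
    for name, runs in scanners.items():
        scores = [score_run(truth, r) for r in runs]
        board[name] = {
            "mean_precision": round(sum(s["precision"] for s in scores) / len(scores), 3),
            "mean_recall": round(sum(s["recall"] for s in scores) / len(scores), 3),
            "reproducibility": reproducibility(runs),
        }
    return board


# Constructed scanner output, two runs each against the same environment.
X_RUN = {"target-a": {"CVE-0000-0001", "CVE-0000-0002", "CVE-0000-0003"},
         "target-b": {"CVE-0000-0004"},
         "target-c": {"CVE-0000-0009"}}        # false positive on the clean host
SCANNERS = {
    "scanner-x": [X_RUN, dict(X_RUN)],         # complete and stable, but noisy
    "scanner-y": [                             # precise, but misses things and drifts
        {"target-a": {"CVE-0000-0001", "CVE-0000-0002"}, "target-b": {"CVE-0000-0004"}},
        {"target-a": {"CVE-0000-0001"}, "target-b": {"CVE-0000-0004"}},
    ],
}

if __name__ == "__main__":
    for name, result in benchmark(GROUND_TRUTH, SCANNERS).items():
        print(name, result)
```

The clean host matters as much as the vulnerable ones: without a known-good target in the environment there is nothing to charge false positives against.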

Posted in NIST, Technical, What Works | No Comments »
