Hot on the heels of Security Assessments as Fraud, Waste, and Abuse comes this heartwarming lolcat.
Posted in IKANHAZFIZMA | 
No Comments »
Tags: auditor • compliance • fisma • government • infosec • itsatrap • lolcats • management • moneymoneymoney • scalability • security
I’m going to put on my Government Security Heretic Hat for awhile here, bear me out. By my estimate, half of the security assessments received by the Government have some kind of fraud, waste, and abuse.
What makes me say this is the amount of redundancy in some testing that I’ve seen without any value added.
The way to avoid this redundancy is the concept of common/shared controls. The whole idea is that you take whatever security controls you have across the board and put them into one bucket. You test that bucket once and then whenever something shares controls with that bucket, you look at the shared control bucket and make sure that the assessment is still relevant and accurate.
So, what makes a security assessment not fraud, waste, and abuse? It’s a good assessment if it does the following:
Now the problem is that the typical auditor has a hard time stopping–they have an ethical obligation to investigate anything that their “professional skepticism” tells them is out of place, just like cops have an ethical obligation to investigate anything that they think is a crime.
The Solution? Don’t use auditors! The public accounting model that we adopted for information security does not scale the way that we need it to for ST&E, and we need to understand this in order to fix security in the Government.
What we need to be doing is Security Test and Evaluation which is focused on risk, not on compliance using a checklist of control objectives. Usually if you know enough to say “Wow, your patch management process is whacked, you’re at a high risk!” then that’s enough to stop testing patch management controls. This is one of the beefs I have with 800-53A in the hands of less-than-clueful people: they will test until exhaustion.
There isn’t a whole lot of difference between ST&E and an audit, just the purpose. Audits are by nature confrontational because you’re trying to prove that fraud, waste, and abuse hasn’t occured. ST&E is helping the project team find things that they haven’t thought of before and eventually get the large problems funded and fixed.
The Little Frauds Harrigan & Hart’s Songs & Sketches Photo by Boston Public Library
Posted in FISMA, NIST, Risk Management, What Doesn't Work | 8 Comments »
Tags: auditor • cashcows • catalogofcontrols • compliance • fisma • government • infosec • itsatrap • management • moneymoneymoney • risk • scalability • security
You were thinking this was part of the rainbow series, along with the orange book, the red book, and the fuchsia book, weren’t you?
Well, no, security dweebs, we’re on a public policy kick, probably will be until the end of the year (more on that to follow, stay tuned), so you wouldn’t be so lucky.
The Plum Book’s official title is Government Policy and Supporting Positions and basically it’s a huge staffing chart for the Senior Executive Service–the political appointees. Congress publishes the Plum Book after each presidential election, so for those of us who remember our civics lessons in high school, that would be every 4 years, and the last one was published in 2004.
In fact, you can see the last edition here. Caveat: it’s dry, like the uber-trocken Franken white wine that grows in the fields around where I used to live in Germany–so dry that it sucks the moisture right out of you.
Plum Pickin photo by Secret Tenerife
Now why do we care about the Plum Book? Well, that’s a good question. Have a look at some of the staffing plans in the plum book, and you’ll see something missing: Agency CISOs.
Now, I’m not a rocket scientist on org charts, but it seems to me that unless you put CISOs up to where they’re answerable to the agency head, they’re just a cost center inside the IT department with no visibility to the decision-makers. Once again, we’ve crippled our security staffs like the old-school way of doing things.
On another note, taking a quick straw poll of the agency CISOs that I know, I think about half of them are political appointees, and half of them are GS-15s. So what’s the difference?
Well, political appointees (SES) are appointed by the President. They make a better target because they have much more visibility from the higher-ups they are more political in nature.
GS-scale employees are civil service careerists. Usually these are the guys who have moved up the ranks in the various agencies and know quite a bit of things.
Which is better? Well, if you want survivability, then GS-scale is the way to go. If you want to make the most difference, SES is the ticket.
Most of us will never get the choice. =)
Posted in Odds-n-Sods, Rants | 3 Comments »
Tags: fisma • government • infosec • management • scalability • security
I’ve touched on this about a bazillion times, let me start today with a very simple statement: due to the scale of the US Government, we cannot find enough skilled security people.
Part of the problem is that good security people need to know the following skills:
Back when I was PFC Rybolov, my battalion commander told me something along the lines of “The intelligence world is a hard job, you have to be able to out-infantry the infantry, out-mechanic the mechanics, out-radio the radio guys, and you need to know a language.” Security is pretty much the same thing–you have to out-techie the techies, out-business the MBAs, and out-jerkify the auditors. =)
Sound complicated? Yes, it is, and it’s hard to find people who can do all this. IT is an employment niche, IT security is a niche to a niche. And there isn’t enough people who have the experience to do it.
So how do we mitigate the staffing shortage? Here is what we are doing today in the Government:
Now this is cool and all, but it’s hard to sustain and really hard to justify as a long-term solution. In order to support the Government, we need to create more people. Cybercorps is a start, but the need is so much larger than the supply that we have to consider better ways to create Government security dweebs.
Do we need Security Awareness and Training? Yes we do, but much more than what is being provided (think system administrator training and procurement specialist training, not end-user training), and as an internal recruiting pipeline. Still, I don’t think that we can recruit enough people to “the dark side” and that we need to look outside the Beltway for people. Problem is that DC is such an insular community and we don’t speak the same language as the rest of the world.
Posted in FISMA, What Doesn't Work, What Works | 8 Comments »
Tags: accounting • auditor • cybercorps • government • infosec • infosharing • management • scalability • security
Check out this slideshow and this workshop paper from 2006 on some ideas that NIST and a fairly large advisory panel have put together about certification of C&A service providers. I’ve heard about this for several years now, and it’s been fairly much on a hiatus since 2006, but it’s starting to get some eartime lately.
The interesting thing to me is the big question of certifying companies v/s individuals. I think the endgame will involve doing both because you certify companies for methodology and you certify people for skills.
This is the problem with certification and accreditation services as I see it today:
So what we’re looking at with this blog post is how would a program to certify the C&A service providers look like. NIST has 3 viable options:
Now just like DoD 8570.1M, I’m torn on this issue. On one hand, it means that you’ll get a higher caliber of person performing services because they have to meet some kind of minimum standard. On the other hand, introducing scarcity means that there will be even less people available to do the job. But the big problem that I have is that if you introduce higher requirements on commodity services, you’re squeezing the market severely: costs as a customer go up for basic services, vendors get even less of a margin on services, more charlatans show up because you’ve tipped over into higher-priced boutique services, and mayhem ensues.
Guys, I’m not really a rocket scientist on this, but really after all this effort, it seems to me that the #1 problem that the Government has is a lack of skilled people. Yes, certifying people is a good thing because it helps weed out the dirtballs with a very rough sieve, but I get the feeling that maybe what we should be doing instead is trying to create more people with the skills we need. Alas, that’s a future blog post….
However, the last thing that I want to see happen is a meta-game of what’s going on with certifications right now–who certifies those who certify? I think it’s a vicious cycle of cross-certification that will end up with the entire Government security industry becoming one huge self-licking ice cream cone. =)
Posted in FISMA, NIST, What Doesn't Work, What Works | 3 Comments »
Tags: accounting • auditor • cashcows • compliance • fisma • government • infosec • management • moneymoneymoney • risk • scalability • security
Well, this is a little bit of a departure from my usual random digital scribblings that I call a blog: I partnered up with Vlad the Impaler and we created a slideshow complete with notes about why you should care about security and the Government and what you can learn from watching the Government succeed or fail.
The .pdf of the presentation is here. Feel free to share with your friends, coworkers, and co-conspirators.
Posted in FISMA, Speaking | 4 Comments »
Tags: accounting • auditor • collusion • compliance • fisma • government • infosec • infosharing • management • moneymoneymoney • omb • pii • scalability • scap • security • stategovernment
« Previous Entries Next Entries »
Posts RSS
Subscribe via Email
