SCAP in Lulz

Posted September 25th, 2008 by

Since it’s SCAP week here inside the beltway, I thought that it would be a fitting theme for today’s IKANHAZFIZMA.

funny pictures


Similar Posts:

Posted in IKANHAZFIZMA | 2 Comments »
Tags:

Comments on SCAP 2008

Posted September 24th, 2008 by

I just got back from the SCAP 2008 conference at NIST HQ, and this is a collection of my thoughts in a somewhat random order:

Presention slides are available at the NVD website

I blogged about SCAP a year ago, and started pushing it in conversations with security managers that I came across.  Really, if you’re managing security of anything and you don’t know what SCAP is, you need to get smart on it really fast, if for no other reason than that you will be pitched it by vendors sporting new certifications.

Introduction to SCAP:  SCAP is a collection of XML schemas/standards that allow technical security information to be exchanged between tools.  It consists of the following standards:

  • Common Platform Enumeration (CPE): A standard to describe a specific hardware, OS, and software configuration.  Asset information, it’s fairly humdrum, but it makes the rest of SCAP possible–think target enumeration and you’re pretty close.
  • Common Vulnerabilities and Exposures (CVE): A definition of publicly-known vulnerabilities and weaknesses.  Should be familiar to most security researches and patch monkies.
  • Common Configuration Enumeration (CCE): Basically, like CVE but specific to misconfigurations.
  • Common Vulnerability Scoring System (CVSS): A standard for determining the characteristics and impact of security vulnerabilities.  Hmmm, sounds suspiciously like standardization of what is a high, medium, and low criticality vulnerability.
  • Open Vulnerability and Assessment Language (OVAL):  Actually, 3 schemas to describe the inventory of a computer, the configuration on that computer, and a report of what vulnerabilites were found on that computer.
  • Extensible Configuration Checklist Description Format (XCCDF): A data set that describes checks for vulnerabilities, benchmarks, or misconfigurations.  Sounds like the updates to your favorite vulnerability scanning tool because it is.

Hall of Standards inside NIST HQ photo by ME!!!

What’s the big deal with SCAP: SCAP allows data exchanges between tools.  So, for example, you can take a technical policy compliance tool, load up the official Government hardening policy in XCCDF for, say, Windows 2003, run a compliance scan, export the data in OVAL, and load the results into a final application that can help your CISO keep track of all the vulnerabilities.  Basically, imagine that you’re DoD and have 1.5 million desktops–how do you manage all of the technical information on those without having tools that can import and export from each other?

And then there was the Federal Desktop Core Configuration (FDCC): OMB and Karen Evans handed SCAP its first trial-by-fire.  FDCC is a configuration standard that is to be rolled out to every Government desktop.  According to responses received by OMB from the departments in the executive branch (see, Karen, I WAS paying attention =)   ), there are roughly 3.5 Million desktops inside the Government.  The only way to manage these desktops is through automation, and SCAP is providing that.

He sings, he dances, that Tony Sager is a great guy: So he’s presented at Black Hat, now SCAP 2008 (.pdf caveat).  Basically, while the NSA has a great red-team (think pen-test) capability, they had a major change of heart and realized, like the rest of the security world (*cough*Ranum*cough*), that while attacking is fun, it isn’t very productive at defending your systems–there is much more work to be done for the defenders, and we need more clueful people doing that.

Vendors are jumping on the bandwagon with both feet: The amount of uptake from the vulnerability and policy compliance vendors is amazing.  I would give numbers of how many are certified, but I literally get a new announcement in my news reader ever week or so.  For vendors, being certified means that you can sell your product to the Government, not being certified means that you get to sit on the bench watching everybody else have all the fun.  The GSA SAIR Smart-Buy Blanket Purchase Agreement sweetens the deal immensely by having your product easily purchasable in massive quantities by the Government.

Where are the rest of the standards: Yes, FDCC is great, but where are the rest of the hardening standards in cute importable XML files, ready to be snarfed into my SCAP-compliant tool?  Truth be told, this is one problem with SCAP right now because everybody has been focusing on FDCC and hasn’t had time yet to look at the other platforms.  Key word is “yet” because it’s happening real soon now, and it’s fairly trivial to convert the already-existing DISA STIGs or CIS Benchmarks into XCCDF.  In fact, Sun was blindsided by somebody who had made some SCAP schemas for their products and they had no idea that anybody was working on it–new content gets added practically daily because of the open-source nature of SCAP.

Changing Government role: This is going to be controversial.  With NVD/CVE, the government became the authoritative source for vulnerabilities.  So far that’s worked pretty well.  With the rest of SCAP, the Government changes roles to be a provider of content and configurations.  If NIST is smart, they’ll stay out of this because they prefer to be in the R&D business and not the operations side of things.  Look for DHS to pick up the role of being a definitions provider.  Government has to be careful here because they could in some instances be competing with companies that sell SCAP-like feed services.  Not a happy spot for either side of the fence.

More information security trickle-down effect: A repeated theme at SCAP 2008 is that the public sector is interested in what Big SCAP can do for them.  The vendors are using SCAP certification as a differentiator for the time being, but expect to see SCAP for security management standards like PCI-DSS, HIPAA, and SOX–to be honest here, though, most of the vendors in this space cut their teeth on these standards, it’s just a matter of legwork to be able to export in SCAP schemas.  Woot, we all win thanks to the magic that is the Government flexing its IT budget dollars!

OS and Applications vendors: these guys are feeling the squeeze of standardization.  On one hand, the smart vendors (Oracle, Microsoft, Sun, Cisco) have people already working with DISA/NSA to help produce the configuration guides, they just have to sit back and let somebody turn the guides into SCAP content.  Some of the applications vendors still haven’t figured out that their software is about to be made obsolete in the Government market because they don’t have the knowledge base to self-certify with FDCC and later OS standards.  With a 3-year lead time required for some of the desktop applications before a feature request (make my junk work with FDCC) makes it into a product release, there had better be some cluebat work going on in the application vendor community.  Adobe, I’m talking to you and Lifecycle ES–if you need help, just call me.

But how about system integrators: Well, for the time being, system integrators have almost a free ride–they just have to deal with FDCC.  There are some of them that have some cool solutions built on the capabilities of SCAP, but for the most part I haven’t seen much movement except for people who do some R&D.  Unfortunately for system integrators, the Federal Acquisition Regulation now requires that anything you sell to the Government be configured IAW the NIST checklists program.  And just how do you think the NIST checklists program will be implemented?  I’ll take SCAP for $5Bazillion, Alex.  Smart sytem integrators will at least keep an eye on SCAP before it blindsides them 6 months from now.

Technical compliance tools are destined to be a commodity: For the longest time, the vulnerability assessment vendors made their reputation by having the best vulnerability signatures.  In order to get true compatibility across products, standardized SCAP feeds means that the pure-play security tools are going to have less things to differentiate themselves from all the other tools and they fall into a commodity market centered on the accuracy of their checks with reduced false positives and negatives.  While it may seem like a joyride for the time being (hey, we just got our ticket to sell to the Gubmint by being SCAP-certified), that will soon turn into frustration as the business model changes and the margins get smaller.  Smart vendors will figure out ways to differentiate themselves and will survive, the others will not.

Which leads me to this: Why is it that SCAP only applies to security tools?  I mean, seriously, guys like BigFix and NetIQ have crossover from technical policy compliance to network management systems–CPE in particular.  What we need is a similar effort applied to network and data center tools.  And don’t point me at SNMP, I’m talking rich data.  =)  On a positive note, expect some of the security pure-play tools to be bought up and incorporated into enterprise suites if they aren’t already.

Side notes:

I love how the many deer (well over 9000 deer on the NIST campus) all have ear tags.  It brings up all sorts of scientific studies ideas.  But apparently the deer are on birth control shots or something….

Former Potomac Forum students:  Whattayaknow, I met some of our former students who are probably reading this right now because I pimped out my blog probably too aggressively.  =)  Hi Shawn, Marc, and Bob!

Old friends:  Wow, I found some of them, too.  Hi Jess, Walid, Chris, and a cast of thousands.

Deer on NIST Gaithersburg Campus photo by Chucka_NC.



Similar Posts:

Posted in DISA, FISMA, NIST, Technical, What Works | 2 Comments »
Tags:

Some Words From a FAR

Posted September 9th, 2008 by

FAR: it’s the Federal Acquisition Regulation, and it covers all the buying that the government does.  For contractors, the FAR is a big deal–violate it and you end up blackballed from Government contracts or having to pay back money to your customer, either of which is a very bad thing.

In early August, OMB issued Memo 08-22 (standard .pdf caveat blah blah blah) which gave some of the administratrivia about how they want to manage FDCC–how to report it in your FISMA report, what is and isn’t a desktop, and a rough outline on how to validate your level of compliance.

Now I have mixed feelings about FDCC, you all should know that by now, but I think the Government actually did a decent thing here–they added FDCC (and any other NIST secure configuration checklists) to the FAR.

Check this section of 800-22 out:

On February 28, 2008, revised Part 39 of the Federal Acquisition Regulation (FAR) was published which reads:
PART 39-ACQUISITION OF INFORMATION TECHNOLOGY
1. The authority citation for 48 CFR part 39 continues to read as follows: Authority: 40 U.S.C. 121(c); 10U.S.C. chapter 137; and 42 U.S.C. 2473(c).
2. Amend section 39.101 by revising paragraph (d) to read as follows:
39.101 Policy.
* * * * *

(d) In acquiring information technology, agencies shall include the appropriate IT security policies and requirements, including use of common security configurations available from the NIST’s website at http://checklists.nist.gov. Agency contracting officers should consult with the requiring official to ensure the appropriate standards are incorporated.

Translated into English, what this means is that the NIST configurations checklists are coded into law for Government IT purchases.

This carries a HUGE impact to both the Government and contractors.  For the Government, they just outsourced part of their security to Dell and HP, whether they know it or not.  For the desktop manufacturers, they just signed up to learn how FDCC works if they want some of the Government’s money. 

Remember back in the halcyon days of FDCC when I predicted that one of the critical keys to success for FDCC was to be able to buy OEM desktops with the FDCC images on them.  It’s slowly becoming a reality.

Oh what’s that, you don’t sell desktops?  Well, this applies to all NIST configuration checklists, so as NIST adds to the intellectual property in the checklists program, you get to play too.  Looking at the DISA STIGs as a model, you might end up with a checklist for literally everything.

So as somebody who has no relation to the US Federal Government, you must be asking by now how you can ride the FDCC wave?  Here’s Rybolov’s plan for secure desktop world domination:

  • Wait for the government to attain 60-80% FDCC implementation
  • Wait for desktops to have an FDCC option for installed OS
  • Review your core applications on the FDCC compatibility list
  • Adopt FDCC as your desktop hardening standard
  • Buy your desktop hardware with the image pre-loaded
  • The FDCC configuration rolls uphill to be the default OS that they sell
  • ?????
  • Profit!

And the Government security trickle-down effect keeps rolling on….

Cynically, you could say that the OMB memos as of late (FDCC, DNSSEC) are very well coached and that OMB doesn’t know anything about IT, much less IT security.  You probably would be right, but seriously, OMB doesn’t get paid to know IT, they get paid to manage and budget, and in this case I see some sound public policy by asking the people who do know what they’re talking about.

While we have on our cynical hats, we might as well give a nod to those FISMA naysayers who have been complaining for years that the law wasn’t technical/specific enough.   Now we have very static checklists and the power to decide what a secure configuration should be has been taken out of the hands of the techies who would know and given to research organizations and bureaucratic organizations who have no vested interest in making your gear work.

Lighthouse From Afar

Lighthouse From AFAR photo by Kamoteus.



Similar Posts:

Posted in FISMA, NIST, What Doesn't Work, What Works | 8 Comments »
Tags:

Get Yer SCAP on with NIST

Posted September 5th, 2008 by

Our friends at NIST are hosting a SCAP conference and workshop from the 22 to the 25th of September.  Go check it out here.  Registration runs until the 16th.



Similar Posts:

Posted in NIST | 2 Comments »
Tags:

Why You Should Care About Security and the Government

Posted June 3rd, 2008 by

Well, this is a little bit of a departure from my usual random digital scribblings that I call a blog:  I partnered up with Vlad the Impaler and we created a slideshow complete with notes about why you should care about security and the Government and what you can learn from watching the Government succeed or fail.

The .pdf of the presentation is here.  Feel free to share with your friends, coworkers, and co-conspirators.



Similar Posts:

Posted in FISMA, Speaking | 4 Comments »
Tags:

Current Government Security Initiatives

Posted May 5th, 2008 by

In building slides for our ongoing NIST Framework for FISMA class, I put together a deck of the ongoing Government security initiatives.  It’s plenty of stuff to keep you busy.

Government Security System

“Government Security System” Photo by Kahala

These are some of the more interesting initiatives and a brief description of them:

President’s Management Agenda Scorecard:  This is a quarterly red-yellow-green (hmm, wonder why nobody but the military uses black-red-yellow-green) scorecard on the various aspects of the agenda.  Security is represented as some of the values behind the E-Government score.  More specifically, OMB calls out the following in their FISMA report to congress:

To “get to green” under the E-Government scorecard, agencies must meet the following 3 security criteria:

  • IG or Agency Head verifies effectiveness of the Department-wide IT security remediation process. (rybolov: Plans of Actions and Milestones)
  • IG or Agency Head rates the agency C&A process as “Satisfactory” or better.
  • The agency has 90 percent of all IT systems properly secured (certified and accredited). (rybolov: C&A does not always equate to “secured”, but is an indicator)

In order to “maintain green,” by July 1, 2008, agencies must meet the following security and privacy criteria:

  1. All systems certified and accredited. (rybolov: same C&A caveat as before)
  2. Systems installed and maintained in accordance with security configurations. (rybolov: lots of wiggle room here since it’s the agency’s standard except for the Federal Desktop Core Configuration)
  3. Has demonstrated for 90 Percent of applicable systems a PIA has been conducted and is publicly posted. (rybolov:  PIA is a Privacy Impact Assessment.  It gets posted in the Federal Register as a public notification of what the Government is collecting and what the use is)
  4. Has demonstrated for 90 percent of systems with PII contained in a system of records covered by the Privacy Act to have developed, published, and maintained a current SORN. (rybolov: System of Record Notice, this is what is filed with the Federal Register)
  5. Has an agreed-upon plan to meet communication requirements for COOP and COG. (rybolov: Continuity of Government)

You can view the current scorecard and learn more about it at results.gov.

OMB Management Watch List:  This is a list of “at-risk” projects.  Security is one part of the list of risks, but for the most part this is a list of high-risk projects within the context of a program/project manager.  The security criteria for being on the Watch List are based on on IG assessments of:

  • Certification and Accreditation
  • Plan of Actions and Milestones
  • Privacy Impact Assessment

 You can check out the most recent Watch List at OMB’s website.

Combined Catalog of Controls:  Superseding DoDI 8500.2 (DoD catalog of controls) and DCID 6/3 (intelligence community catalog of controls) with a reinforced SP 800-53.  Process flow would be along SP 800-37.  I’ve talked about this before.

Security Line of Business:  Agencies become subject-matter experts in an area and become a contractor to the other agencies.  Not a new concept, we’ve seen it elsewhere.

Privacy Management:  OMB Memo 07-16 lays out a privacy plan containing the following tenets:

  • Breach Notification:  Requires each agency to have a breach notification policy
  • SSN Reduction:  Each agency reduces the use of Social Security Numbers where not needed
  • PII Reduction:  Restrict the collection of PII where not needed
  • Rules of Behavior:  Rules for employees to follow when they deal with PII

SCAP and FDCC:  I’ve covered these in much detail. 

Trusted Internet Connections: This is a plan to reduce the number of Government internet connections to 50.  Even the most ardent OMB supporters have to agree that this is both a fairly arbitrary number, not achiveable in the next several years, and not even really a good idea.  You heard it here first, folks, but conventional wisdom says that 500 is a better, more realistic number for the time being, and that is the “real” number that OMB is considering.  The start of this is OMB Memo 08-05.

Einstein:  Basically a Government-wide IDS and SIEM run by US-CERT.  It’s offered under the Security Line of Business.  The good thing about Einstein is that it allows DHS to correllate events government-wide.

Air Force Cyber Command:  It’s provisional now, doesn’t have a permanent headquarters, and is trying to figure out what its mission is, but it’s here.  Gossip around town is that it’s focused on both defensive and offensive missions, although they pictures are all defensive-based.  There’s some information on their website, but be sure to read between the lines.  =)

Cyber Corps:  Scholarship program for college students (both post-grad and undergrad) with a public service obligation following graduation.  You can find out more here.

SmartBuy:  A GSA-run program to bulk-purchase commercial off-the-shelf software at a high-volume discount.  Think of it as a buyer’s club for software.  SmartBuy has disk-encryption software.  You can get more information on the GSA website.



Similar Posts:

Posted in FISMA | 2 Comments »
Tags:

Next Entries »


Visitor Geolocationing Widget: