Well, we have half a bazillion people saying that we need a Cybersecurity person of some sort at the White House, but nobody’s stepped up to take the job and to be honest, I don’t anybody wants it all that badly. It might be time to call out for real heroes.
Posted in IKANHAZFIZMA | 
No Comments »
Tags: government • lolcats • security
Rybolov’s Note: Hello all, I’m venturing into an open-ended series of blog posts aimed at starting conversation. Note that I’m not selling anything *yet* but ideas and maybe some points for discussion.
Let’s get this out there from the very beginning: I agree with Ranum that full-scale, nation-v/s-nation Cyberwar is not a reality. Not yet anyway, and hopefully it never will be. However, on a smaller scale with well-defined objectives, cyberwar is not only happening now, but it is also a natural progression over the past century.
Looking at where we’re coming from in the existing models and techniques for activities similar to cyberwar, it frames our present state very nicely :
Electronic Countermeasures. This has been happening for some time. The first recorded use of electronic countermeasures (ECM) was in 1905 when the Russians tried to jam radio signals of the Japananese fleet besieging Port Arthur. If you think about ECM as DOS based on radio, sonar, etc, then it seems like cyberwar is just an extension of the same denial of communications that we’ve been doing since communication was “invented”.
Modern Tactical Collection and Jamming. This is where Ranum’s point about spies and soldiers falls apart, mostly because we don’t have clandestine operators doing electronic collection at the tactical level–they’re doing both collection and “attack”. The typical battle flow goes something along the lines of scanning for items of interest, collecting on a specific target, then jamming once hostilities have begun. Doctrinally, collection is called Electronic Support and jamming is called Electronic Attack. What you can expect in a cyberwar is a period of reconnaissance and surveillance for an extended length of time followed by “direct action” during other “kinetic” hostilities.
Radio Station Jamming. This is a wonderful little world that most of you never knew existed. The Warsaw Pact used to jam Radio America and other sorts of fun propaganda that we would send at them. Apparently we’ve had some interesting radio jamming since the end of the Cold War, with China, Cuba, North Korea, and South Korea implicated in some degree or another.
Website Denial-of-Service. Since only old people listen to radio anymore and most news is on the Internet, so it makes sense to DOS news sites with an opposing viewpoint. This happens all the time, with attacks ranging from script kiddies doing ping floods to massive DOSBots and some kind of racketeering action… “You got a nice website, it would be pretty bad if nobody could see it.” Makes me wonder why the US hasn’t taken Al Jazeera off the Internet. Oh, that’s right, somebody already tried it. However, in my mind, jamming something like Al Jazeera is very comparable to jamming Voice of America.
Estonia and Gruzija DOS. These worked pretty well from a denial-of-communications standpoint, but only because of the size of the target. And so what if it did block the Internet, when it comes to military forces, it’s at best an annoyance, at most it will slow you down just enough. Going back to radio jamming, blocking out a signal only works when you have more network to throw at the target than the target has network to communicate with the other end. Believe it or not, there are calculators to determine this.
Given this evolution of communications denial, it’s not unthinkable that people wouldn’t be launching electronic attacks at each other via radar, radio, carrier pigeon, IP or any other way they can.
However, as in the previous precedents and more to some of the points of Ranum’s talk at DojoSec, electronic attacks by themselves only achieve limited objectives. Typically the most likely type of attack is to conduct a physical attack and use the electronic attack, whether it’s radio, radar, or IT assets, to delay the enemy’s response. This is why you have to take an electronic attack seriously if it’s being launched by a country which has a military capable of attacking you physically–it might be just a jamming attack, it might be a precursor to an invasion.
Bottom line here is this: if you use it for communication, it’s a target and has been for some time.
Posted in Technical, The Guerilla CISO, What Doesn't Work, What Works | 5 Comments »
Tags: cashcows • cybercommand • cybercorps • Cyberwar • government • infosec • infosharing • itsatrap • moneymoneymoney • pwnage • risk • security
After the presentation of a ninja last year at Daycon, I needed a break from IT ninjas. A year later, however, I seem to have captured a picture of a cyber-ninja lolcat.
Posted in IKANHAZFIZMA | No Comments »
Tags: government • infosec • lolcats • security
Saturday, June 20, 2009 from 8:00 AM – 5:00 PM (ET) in downtown DC.
I’ll be going. This will be a “Bar Camp Stylie” event, where you’re not just an attendee, you’re also a volunteer to make it all happen. You might end up running a conversation on your favorite privacy topic, so you have been warned. =)
*Most* of the folks going are of the civil libertarian slant. With my background and where I work, I usually “bat for the other team on this issue”. The organizers have assured me that I’ll be welcome and can play the heretic role.
How to play:
Some themes that I’ve seen develop so far:
See Y’all there!
Posted in Public Policy, Speaking | No Comments »
Tags: collusion • datacentric • government • infosec • infosharing • law • legislation • privacy • publicpolicy • security • seminar • speaking • training
And by “We”, I mean the security industry as a whole. And yes, this is your public-policy lesson for today, let me drag my soapbox over here and sit for a spell while I talk at you.
By “Survive”, I mean that we need some kind of self-regulatory framework that fulfills the niche that PCI-DSS occupies currently. Keep reading, I’ll explain.
And the “Why” is a magical phrase, everybody say it after me: self-regulatory organization. In other words, the IT industry (and the Payment Card Industry) needs to regulate itself before it crosses the line into being considered for statutory regulation (ie, making a law) by the Federal Government.
Remember the PCI-DSS hearings with the House Committe on Homeland Security (AKA the Thompson Committee)? All the Security Twits were abuzz about it, and it did my heart great justice to hear all the cool kids become security and public policy wonks at least for an afternoon. Well, there is a little secret here and that is that when Congress gets involved, they’re gathering information to determine if they need to regulate an industry. That’s about all Congress can do: make laws that you (and the Executive Branch) have to follow, maybe divvy up some tax money, and bring people in to testify. Other than that, it’s just positioning to gain favor with other politicians and maybe some votes in the next election.
Regulation means audits and more compliance. They go together like TCP and IP. Most regulatory laws have at least some designation for a party who will perform oversight. They have to do this because, well, if you’re not audited/assessed/evaluated/whatever, then it’s really an optional law, which doesn’t make sense at all.
Yay Audits photo by joebeone.
Another magical phrase that the public policy sector can share with the information security world: audit burden. Audit burden is how much a company or individual pays both in direct costs (paying the auditors) and in indirect costs (babysitting the auditors, producing evidence for the auditors, taking people away from making money to talk to auditors, “audit requirements”, etc). I think we can all agree that low audit burden is good, high audit burden is bad. In fact, I think that’s one of the problems with FISMA as implemented is that it has a high audit burden with moderately tangible results. But I digress, this post is about PCI-DSS.
There’s even a concept that is mulling around in the back of my head to make a metric that compares the audit burden to the amount of security that it provides to the amount of assurance that it provides against statutory regulation. It almost sounds like the start of a balanced scorecard for security management frameworks, now if I could get @alexhutton to jump on it, his quant brain would churn out great things in short order.
But this is the lesson for today: self-regulation is preferrable to legislation.
The sad fact here is that if we don’t figure out as an industry how to make PCI-DSS or any other forms of self-regulation work, Congress will regulate for us. Don’t like PCI-DSS because of the audit burden, wait until you have a law that requires you to do the same controls framework. It will be the same thing, only with bigger penalties for failure, larger audit burdens to avoid the larger penalties, larger industries created to satisfy the market demand for audit. Come meet the new regulatory body, same as the old only bigger and meaner. =)
However, self-regulation works if you do it right, and by right I mean this:
Hmm, sounds like making an ISO standard, which brings its own set of politics.
While we need some form of self-regulation, right now PCI-DSS and ISO 27001 are the closest that we have in the private sector. Yeah, it sucks, but it sucks the least, just like our form of government.
Posted in Public Policy, Rants | 11 Comments »
Tags: auditor • compliance • government • infosec • itsatrap • law • legislation • management • metrics • pci-dss • publicpolicy • risk • scalability • security
Ack, Plans of Action and Milestones. I love them and I hate them.
For those of you who “don’t habla Federali”, a POA&M is basically an IOU from the system owner to the accreditor that yes, we will fix something but for some reason we can’t do it right now. Usually these are findings from Security Test and Evaluation (ST&E) or Certification and Accreditation (C&A). In fact, some places I’ve worked, they won’t make new POA&Ms unless they’re traceable back to ST&E results.
Functions that a POA&M fulfills:
But today, we’re going to talk about POA&M abuse. I’ve seen my fair share of this.
Conflicting Goals: The basic problem is that we want POA&Ms to satisfy too many conflicting functions. IE, if we use the number of open POA&Ms as a metric to determine if our system owners are doing their job and closing out issues but we also turn around and report these at an enterprise level to OMB or at the department level, then it’s a conflict of interest to get these closed as fast as possible, even if it means losing your ability to track things at the system level or to spend the time doing things that solve long-term security problems–our vulnerability/weakness/risk management process forces us into creating small, easily-to-satisfy POA&Ms instead of long-term projects.
Near-Term v/s Long-Term: If we set up POA&Ms with due dates of 30-60-90 (for high, moderate, and low risks) days, we don’t really have time at all to turn these POA&Ms into budget support. Well, if we manage the budget up to 3 years in advance and we have 90 days for high-risk findings, then that means we’ll have exactly 0 input into the budget from any POA&M unless we can delay the bugger for 2 years or so, much too long for it to actually be fixable.
Bad POA&Ms: Let’s face it, sometimes the one-for-one nature of ST&E, C&A, and risk assessment findings to POA&Ms means that you get POA&Ms that are “bad” and by that I mean that they can’t be satisfied or they’re not really something that you need to fix.
Some of the bad POA&Ms I’ve seen, these are paraphrased from the original:
Plan of Action for Refresh Philly photo by jonny goldstein.
Keys to POA&M Nirvana: So over the years, I’ve observed some techniques for success in working with POA&Ms:
And then the keys to Building Good POA&Ms:
Yes, I stole the last 2 bullets from the picture above, but they make really good sense in a way that “know thyself” is awesome advice from the Oracle at Delphi.
Posted in BSOFH, FISMA | No Comments »
Tags: accreditation • C&A • certification • compliance • fisma • government • infosec • management • metrics • risk • scalability • security
« Previous Entries Next Entries »
Posts RSS
Subscribe via Email