Since it’s SCAP week here inside the beltway, I thought that it would be a fitting theme for today’s IKANHAZFIZMA.
Posted in IKANHAZFIZMA | 
2 Comments »
Tags: government • infosec • lolcats • scap • security
I just got back from the SCAP 2008 conference at NIST HQ, and this is a collection of my thoughts in a somewhat random order:
Presention slides are available at the NVD website
I blogged about SCAP a year ago, and started pushing it in conversations with security managers that I came across. Really, if you’re managing security of anything and you don’t know what SCAP is, you need to get smart on it really fast, if for no other reason than that you will be pitched it by vendors sporting new certifications.
Introduction to SCAP: SCAP is a collection of XML schemas/standards that allow technical security information to be exchanged between tools. It consists of the following standards:
Hall of Standards inside NIST HQ photo by ME!!!
What’s the big deal with SCAP: SCAP allows data exchanges between tools. So, for example, you can take a technical policy compliance tool, load up the official Government hardening policy in XCCDF for, say, Windows 2003, run a compliance scan, export the data in OVAL, and load the results into a final application that can help your CISO keep track of all the vulnerabilities. Basically, imagine that you’re DoD and have 1.5 million desktops–how do you manage all of the technical information on those without having tools that can import and export from each other?
And then there was the Federal Desktop Core Configuration (FDCC): OMB and Karen Evans handed SCAP its first trial-by-fire. FDCC is a configuration standard that is to be rolled out to every Government desktop. According to responses received by OMB from the departments in the executive branch (see, Karen, I WAS paying attention =) ), there are roughly 3.5 Million desktops inside the Government. The only way to manage these desktops is through automation, and SCAP is providing that.
He sings, he dances, that Tony Sager is a great guy: So he’s presented at Black Hat, now SCAP 2008 (.pdf caveat). Basically, while the NSA has a great red-team (think pen-test) capability, they had a major change of heart and realized, like the rest of the security world (*cough*Ranum*cough*), that while attacking is fun, it isn’t very productive at defending your systems–there is much more work to be done for the defenders, and we need more clueful people doing that.
Vendors are jumping on the bandwagon with both feet: The amount of uptake from the vulnerability and policy compliance vendors is amazing. I would give numbers of how many are certified, but I literally get a new announcement in my news reader ever week or so. For vendors, being certified means that you can sell your product to the Government, not being certified means that you get to sit on the bench watching everybody else have all the fun. The GSA SAIR Smart-Buy Blanket Purchase Agreement sweetens the deal immensely by having your product easily purchasable in massive quantities by the Government.
Where are the rest of the standards: Yes, FDCC is great, but where are the rest of the hardening standards in cute importable XML files, ready to be snarfed into my SCAP-compliant tool? Truth be told, this is one problem with SCAP right now because everybody has been focusing on FDCC and hasn’t had time yet to look at the other platforms. Key word is “yet” because it’s happening real soon now, and it’s fairly trivial to convert the already-existing DISA STIGs or CIS Benchmarks into XCCDF. In fact, Sun was blindsided by somebody who had made some SCAP schemas for their products and they had no idea that anybody was working on it–new content gets added practically daily because of the open-source nature of SCAP.
Changing Government role: This is going to be controversial. With NVD/CVE, the government became the authoritative source for vulnerabilities. So far that’s worked pretty well. With the rest of SCAP, the Government changes roles to be a provider of content and configurations. If NIST is smart, they’ll stay out of this because they prefer to be in the R&D business and not the operations side of things. Look for DHS to pick up the role of being a definitions provider. Government has to be careful here because they could in some instances be competing with companies that sell SCAP-like feed services. Not a happy spot for either side of the fence.
More information security trickle-down effect: A repeated theme at SCAP 2008 is that the public sector is interested in what Big SCAP can do for them. The vendors are using SCAP certification as a differentiator for the time being, but expect to see SCAP for security management standards like PCI-DSS, HIPAA, and SOX–to be honest here, though, most of the vendors in this space cut their teeth on these standards, it’s just a matter of legwork to be able to export in SCAP schemas. Woot, we all win thanks to the magic that is the Government flexing its IT budget dollars!
OS and Applications vendors: these guys are feeling the squeeze of standardization. On one hand, the smart vendors (Oracle, Microsoft, Sun, Cisco) have people already working with DISA/NSA to help produce the configuration guides, they just have to sit back and let somebody turn the guides into SCAP content. Some of the applications vendors still haven’t figured out that their software is about to be made obsolete in the Government market because they don’t have the knowledge base to self-certify with FDCC and later OS standards. With a 3-year lead time required for some of the desktop applications before a feature request (make my junk work with FDCC) makes it into a product release, there had better be some cluebat work going on in the application vendor community. Adobe, I’m talking to you and Lifecycle ES–if you need help, just call me.
But how about system integrators: Well, for the time being, system integrators have almost a free ride–they just have to deal with FDCC. There are some of them that have some cool solutions built on the capabilities of SCAP, but for the most part I haven’t seen much movement except for people who do some R&D. Unfortunately for system integrators, the Federal Acquisition Regulation now requires that anything you sell to the Government be configured IAW the NIST checklists program. And just how do you think the NIST checklists program will be implemented? I’ll take SCAP for $5Bazillion, Alex. Smart sytem integrators will at least keep an eye on SCAP before it blindsides them 6 months from now.
Technical compliance tools are destined to be a commodity: For the longest time, the vulnerability assessment vendors made their reputation by having the best vulnerability signatures. In order to get true compatibility across products, standardized SCAP feeds means that the pure-play security tools are going to have less things to differentiate themselves from all the other tools and they fall into a commodity market centered on the accuracy of their checks with reduced false positives and negatives. While it may seem like a joyride for the time being (hey, we just got our ticket to sell to the Gubmint by being SCAP-certified), that will soon turn into frustration as the business model changes and the margins get smaller. Smart vendors will figure out ways to differentiate themselves and will survive, the others will not.
Which leads me to this: Why is it that SCAP only applies to security tools? I mean, seriously, guys like BigFix and NetIQ have crossover from technical policy compliance to network management systems–CPE in particular. What we need is a similar effort applied to network and data center tools. And don’t point me at SNMP, I’m talking rich data. =) On a positive note, expect some of the security pure-play tools to be bought up and incorporated into enterprise suites if they aren’t already.
Side notes:
I love how the many deer (well over 9000 deer on the NIST campus) all have ear tags. It brings up all sorts of scientific studies ideas. But apparently the deer are on birth control shots or something….
Former Potomac Forum students: Whattayaknow, I met some of our former students who are probably reading this right now because I pimped out my blog probably too aggressively. =) Hi Shawn, Marc, and Bob!
Old friends: Wow, I found some of them, too. Hi Jess, Walid, Chris, and a cast of thousands.
Deer on NIST Gaithersburg Campus photo by Chucka_NC.
Posted in DISA, FISMA, NIST, Technical, What Works | 2 Comments »
Tags: 800-53 • 800-53A • auditor • blog • cashcows • catalogofcontrols • certification • compliance • dhs • fdcc • fisma • government • infosec • infosharing • management • moneymoneymoney • omb • pen-test • risk • scalability • scap • security • securitylob • seminar • smartbuy • tools
Ever wondered if your electricity supply was safe from computer attack? Congress wondered that too. So they asked the Federal Energy Regulatory Commission (FERC) to find out. The answers they received in October of 2007 were not encouraging.
After 9/11 there was concern about the safety of the Bulk Power Supply (BPS). The President’s Commission on Critical Infrastructure Protection released a report which was explicit about the dangers faced. A frightening example of these dangers was demonstrated by the Aurora vulnerability, essentially a software hack that made a generator crash hard. When faced with this example industry moved to mitigate the problem with some prodding from Department of Homeland Security (DHS), Nuclear Regulatory Commission (NRC) and FERC. The Nuclear Sector, which is regulated by NRC, issued a requirement to address the problem. The Electric Sector was issued a recommendation to address the problem by the Electric Sector Information Sharing and Analysis Center (ES-ISAC). Guess which industry has moved forward with successful mitigation efforts and which has not. FERC reported back on these findings in October of 2007.
Fast forward to now. On September 11th the Bulk Power System Protection Act (BPSPA) of 2008 (PDF link) was put forward by Rep. Rick Boucher (D-VA), chairman of the House Subcommittee on Energy and Air Quality. In addition to the September 11th hearing on the BPSPA a closed door hearing was expected to be conducted the following week. The goal of this legislation is to expand the emergency power of FERC to regulate cybersecurity for the BPS. The act itself does not appear to be strongly opposed by the energy industry but, as always, the devil is in the details.
Diablo Canyon Nuclear Power Plant photo by emdot.
The draft legislation is disputed on three major points; whether to include national security threats, disclosure of threat information and a sunset provision.
FERC recommends wording that would make explicit the requirement to address national security threats. This seems an implicit and reasonable expectation that the people of the United States would have of the agency regulating the BPS but the Energy Sector considers this too expansive a role. They argue that it might cause expensive requirements to be issued such as stockpiling fuel.
The disclosure of threat information is a sore point. Here you can understand the pain of the industry in dealing with government intelligence agencies who would like to keep details of a threat spare to preserve the source of that information. Unfortunately the government must preserve their sources while providing enough information for the industry to react.
Both FERC and the Energy Sector agree on the idea of a sunset provision. The sunset provision in this case stipulates that so long as an order is implemented as a standard it should terminate one year after issuance unless renewed by the President or the Secretary of Energy. The issue is whether this sunset will include the orders to address existing problems (such as the Aurora vulnerability) in addition to orders issued for future vulnerabilities. FERC recommends that only future orders should be sunsetted while the Energy Sector recommends both current and future orders should be sunsetted.
One element which is not adequately addressed in this legislation is how FERC will build the capability to assess and manage cybersecurity issues for the BPS. What should be in place is a bipartite separation of duties between FERC and NIST similar to what is in place with the dual OMB/NIST FISMA roles. FERC would oversee the security while NIST would provide technical guidance on what security should be put in place. FERC does not have the experience in security frameworks or in depth expertise in SCADA security which is required for a cybersecurity initiative of this magnitude.
It is worth noting that Energy Policy Act of 2005 (PDF link) established a process through which the North American Electric Reliability Corporation’s (NERC) was authorized to enforce cybersecurity in the Energy Sector. NERC had gone so far as to create Critical Infrastructure Protection (CIP) standards to include with their Reliability Standards and had present them to FERC for approval by late 2007.
A review of the NERC CIP standards (CIP-001 through CIP-009) does not inspire confidence in NERC’s cybersecurity capabilities. I will discuss the shortcomings of this guidance in a subsequent post.
Posted in What Doesn't Work | 3 Comments »
Tags: BPS • catalogofcontrols • compliance • dhs • fisma • government • infosec • itsatrap • law • legislation • omb • risk • security
The Potomac Forum crew is back at it again with a C&A seminar on the 15th and 16th. While 2 days isn’t long enough to earn your black belt at C&A-Foo, it is enough so that if you’re a solid program manager or technical lead, you’ll walk out being at least able to understand the core of the process.
As usual, some of the instructors should be familiar to my blog readers. =)
Posted in FISMA, Speaking | No Comments »
Tags: 800-37 • 800-53 • 800-53A • accreditation • C&A • catalogofcontrols • categorization • certification • compliance • datacentric • fips-199 • fisma • government • infosec • management • risk • security • speaking
Federal Computer Week: Senate Panel Rejects Weakening S 3474
Gene Schultz: Goodbye FISMA (as We Know It)
Let’s talk through the FCW article first, shall we? =)
“The measure would amend the original FISMA legislation, which outlined compliance activities for agencies to meet each year. However, many agencies have turned FISMA compliance into a paperwork exercise, Carper said.”
Um, no, I don’t get that. The original FISMA is an information security management law, this law mostly formalizes the role, responsibility, and authority of the CISO. They intentionally named it FISMA 2008 to make people think that it was ammending the original FISMA, but it doesn’t do that.
Don’t believe the hype, this will not change the original FISMA, it’s just an addition.
“Carper said CIOs primarily develop and oversee policy, but the CISO handles the daily information security activities. He suggested that a CISO council could have a sunset date of two or three years. If the council demonstrated benefits, it could be extended, Carper said.”
OK, fair enough on the cost and coordination, but what the CISO council objectionists don’t understand is that the CIOs don’t know all of the nuts and bolts of security, that’s why we have CISO as a mandatory position in this bill–so that the CIO has a subject-matter-expert to help them out. Yes, it’s that specialized as a profession.
Now for Gene Schultz:
“First and foremost, to comply with this statute involves generating huge amounts of paperwork to document actions (or lack thereof) taken to address the many areas that FISMA describes. A completely ineffective security practice can get high FISMA marks, as has happened numerous times before.”
OK, this is a little lesson on FISMA paperwork: people are doing 4x what they should be doing for the following reasons:
So you think you’re going to do any better with any other framework/law and the same people executing it?
“Two US Senators, Joseph Lieberman of Connecticut and Tom Carper of Delaware, have recently introduced a Senate bill that would render the 2002 version of FISMA obsolete.”
No, to be bluntfully honest, the old version of FISMA will still be around. Somebody’s been drinking the kool-aid from the lawmakers and the press machine. If anything, this adds more junk that you can get audited on and an additional layer of paperwork to demonstrate that you have met the provisions of FISMA 2008.
Post No Bills photo by striatic.
Note to our nation’s Lawmakers: as long as you approach information security from the compliance angle, we as a government are doomed to failure and to turn the entire thing into the checklist activity because the people who evaluate compliance are auditors who only know checklists–it’s not a law problem, it’s a people and skills problem.
This bill is actually pretty good with the exception of divorcing the mission owners from the security of the systems that support their mission.
However, if you think that you can reduce the compliance trap by adding more things that will end up on a compliance checklist, you have to be kidding yourself or you don’t understand the auditor mentality.
I keep reconvincing myself that the only way the government can win at security is to promote programs to develop people with security skills. Of course, that isn’t as sexy as throwing out a bill that you can claim will make FISMA obsolete.
And finally, for those of you playing along at home, the Thomas entry for S 3474, the bill’s page on Washington Watch and the bill’s page on GovTrack.
Posted in FISMA | 3 Comments »
Tags: auditor • catalogofcontrols • categorization • comments • compliance • fisma • FUD • government • infosec • law • legislation • management • risk • S3474 • security
And here we have it, a bill introduced by Senators Carper and Lieberman to increase security in the Government, known as FISMA 2008. I’m still waiting on the text to appear on the Thomas entry, but I’ll go through the major provisions from the congressional record.
Congressional Record of the Bill’s Introduction and text (Starts on CR 8388 and goes through CR 8391)
Major provisions:
The Law photo by F.S.M.
From the NextGov article and the congressional record:
“Our bill empowers chief information security officers to deny access to the agency network if proper security policies are not being followed. If we are going to hold these hardworking individuals accountable in Congress for information security, then we should give them the authority to do so,” said Carper.
Um, yeah, we’ve given them the authority in this bill, but my problem is that it completely removes the DAA/AO/mission owners from the picture–the CISO is now responsible for the secure operations of IT systems and has disconnect authority.
I think that philosophically this bill is a step backwards. The more progressive thought is that security is the responsibility of the agency head and the mission owners and that the CISO just provides support as a subject matter expert. Under this bill, we’re back to a world where the CISO is the sole decision-maker when it comes to security. Wow, that’s so… 1990’s-ish.
However, we all know that the CISOs are the people getting the security job done from day to day, and this bill makes sense if you assume that the agency heads and DAAs/AOs have 0 interest or skills to assist in the security of their data. That might or might not be true, I’ll leave it up to you to decide.
Questions for today are these (and yes, I want to hear what you think):
Posted in FISMA, What Doesn't Work, What Works | 4 Comments »
Tags: compliance • datacentric • fisma • government • infosec • law • legislation • management • risk • security
« Previous Entries Next Entries »
Posts RSS
Subscribe via Email