Cellular Phone Hacking

Posted August 5th, 2010 by

With a shout-out to Chris Paget who generated some of the biggest buzz at Defcon with his GSM hacks.



Similar Posts:

Posted in Hack the Planet, IKANHAZFIZMA | 1 Comment »
Tags:

Auditors, Frameworks, and Philosophy

Posted August 4th, 2010 by

Now I’ve been reasonably impressed with GovInfoSecurity.com and Eric Chabrow’s articles but this one supporting 20 CSC doesn’t make sense to me.  On one hand, you don’t have to treat your auditor’s word as gospel but on the other hand if we feed them what to say then suddenly it has merit?

Or is it just that all the security management frameworks suck and auditors remind us of that on a daily basis.  =)

However, it seems that there are 3 ways that people approach frameworks:

  • From the Top–starting at the organization mission and working down the stack through policy, procedures, and then technology.  This is the approach taken by holistic frameworks like the NIST Risk Management Framework and ISO 27001/27002.  I think that if we start solely from this angle, then we end up with a massive case of analysis paralysis and policy created in a vacuum that is about as effective as it might sound.
  • From the Bottom–starting with technology, then building procedures and policy where you need to.  This is the approach of the 20 Critical Security Controls.  When we start with this, we go all crazy buying bling and in 6 months it all implodes because it’s just not sustainable–you have no way to justify additional money or staff to operate the gear.
  • And Then There’s Reality–what I really need is both approaches at the same time and I need it done a year ago. *sigh*


Similar Posts:

Posted in FISMA, Rants | 3 Comments »
Tags:

Metricon is Next Week

Posted August 4th, 2010 by

…and I’m excited.  I’ll be talking on “Meta-Metrics: Building a Scorecard for the Evaluation of Security Management and Control Frameworks” which is an Idea I’ve been mulling over on how to “build a better rat race” or at least to consciously build security management frameworks in a coherent manner. Obviously I’ll put up slides afterwords.

Agenda is here, I think there is still time to sign up and come as long as you’re not going to be a wallflower.  =)



Similar Posts:

Posted in Uncategorized | 1 Comment »
Tags:

Split-Horizon Assessments and the Oversight Effect

Posted July 7th, 2010 by

Going Off the Deep End

So I was thinking the other day (this is the part where people who know me in person usually go “oh cr*p”), partially spurred by a conversation I had with @csoandy and @secbarbie a couple of months ago.  I’ll get the idea out there: as an industry we need to embrace the concept of split-horizon assessments.

Two Purposes for Assessments

Because this is an insane approach that I’m just feeling out, let me go on a solo riff and explain what I’m talking about.  You see, I have two distinct purposes for getting a security assessment, both of which are in contention with each other:

  • I want to fix my security by asking for money to fix the things that need attention.  When I get an assessment for this purpose, enumeration of my badness/suckness is good.  If I have a set of results that say that everything is great, then there’s no need for me to be given any more resources (time, money, people, gear).  Short-term, I’m fine, but what about my infrastructure-type long-term projects?  The net effect of a highly-scored annual assessment just might kill my program in 2 years as my funding and people are shifted elsewhere, especially in a .
  • I want to keep my job and help my {company|agency|group} stay out of trouble by showing my zero-defects face and by demonstrating my due-diligence in protecting what has been given to me.  While the assessor has helped me short-term by identifying my problems and being a total hardass, if I’m not around in 6 months to adopt the recommendations into my security program, has the assessor actually helped me?

And this is the dilemma for just about every security manager out there.  One of the strategies is to alternate assessment types, but then your management wonder just what the heck it is you’re doing because you’re on top one year, then on the bottom the next.

Split Rock Lighthouse and Horizon photo by puliarf.

Assessor Window-Shopping

Now for the dirty little secret of the testing business:  there are really good testers who are the ninjas of the InfoSec world and there are really bad testers who don’t even validate their unlicensed Nessus scan.  I know, you’re shocked and it’s so blindingly obvious that Bruce Schneier will blog it 3 years from now.  =)

But there’s the part that you didn’t know:  security managers pick their assessor depending on the political mood inside their organization.  This is nowhere near a science, from what I’ve seen it involves a lot of navel-gazing on the part of the security team to see which is the lesser evil: having everybody think you’re incompetent or never getting anything new ever again?

Building a Better Rat Race

In order to accomplish both of the goals that I’ve listed, what I really need is a split-horizon assessment.  In other words, I need 2 reports from one assessment with different views for different audiences.  I know this sounds highly cynical, but it’s something we’ve been doing for some time now but just informally.  Might as well make it formal.

So are you sold on this concept yet?  In true form, I have an idea on how to get to a world of split-horizon assessments.  You can take any catalog of controls and divide it into “gotta have it” and “nice to have” (I almost divide these along the lines of “vulnerability mitigation” and “sustainable security program” or the “CISO” and “OMB and Congress”) buckets.  Then in your compliance assessment standard, require 2 reports for each assessment.  One is reported to the regulating authority and the other stays with the organization.

Indecision Strikes

I don’t know if I’ve solved the problemspace or not, but I’m looking for feedback “from the Peanut Gallery” so leave some comments.



Similar Posts:

Posted in Rants, What Doesn't Work, What Works | 7 Comments »
Tags:

A Stable InfoSec Program?

Posted June 17th, 2010 by

If it wasn’t frustrating dealing with the huge conflict-of-interest that follows the Government’s InfoSec pocketbook, it would be absolutely hilarious to watch the myriad interactions between all the competing interests at work, all with their grand plan on how to “fix” something that, in their opinion, is grossly broken.  Not that their idea is any better or will be executed better, it’s that it’s something new and gives them soundbites.

I’ll even admit to having my own opinions from time to time, although I’m not in it for the filthy lucre, just trying to help.  =)

stable foundashun 4 my infosec program? lots of "it depends"



Similar Posts:

Posted in IKANHAZFIZMA | 1 Comment »
Tags:

Senate Homeland Security Hearings and the Lieberman-Carper-Collins Bill

Posted June 16th, 2010 by

Fun things happened yesterday.  In case you hid under a rock, the Intertubes were rocking yesterday with the thudding of fingera on keyboard as I live-tweeted the Senate Homeland Committee’s hearing on “Protecting Cyberspace as a National Asset: Comprehensive Legislation for the 21st Century”.  And oh yeah, there’s a revised version of S.3474 that includes some of the concepts in S.773.  Short version is that the cybersecurity bills are going through the sausage factory known as Capitol Hill and the results are starting to look plausible.

You can go watch the video and read the written testimonies here.  This is mandatory if you’re working with FISMA, critical infrastructure, or large-scale incident response.  I do have to warn you, there are some antics afoot:

  • Senator Collins goes all FUD on us.
  • Senator McCain grills Phil Reitinger if DHS can actually execute a cybersecurity mission.
  • Alan Paller gets all animated and opens up boxes of paperwork.  I am not amused.


Similar Posts:

Posted in FISMA, Public Policy, Risk Management | 2 Comments »
Tags:

« Previous Entries Next Entries »


Visitor Geolocationing Widget: