Introducing the NoVa InfoSec Portal

May 15th, 2008 by rybolov


Nice, somebody added up all the security events in Northern Virginia and put them in one place. Not only is this a good idea, but I have no less than half a dozen events happening every month within 2 miles of where I live.  I now have a busy social calendar and I have to manage my “copious amounts of free time”.

Things haven’t been this happening since the Army of the Potomac invaded.

Posted in Odds-n-Sods | No Comments »

LOLCATS Come to Guerilla CISO!

May 15th, 2008 by rybolov

Oh yes, maybe I ate too much sushi last night, but I’m now adding a LOLCATS section to my blog over in the categories.  Stay tuned for moar.

Image: I KAN FIX UR FISMAZ

Posted in IKANHAZFIZMA, Odds-n-Sods | 2 Comments »

Let’s Face it, Half the Security Industry is a Pyramid Scheme

May 14th, 2008 by rybolov

Rmogull of Securosis and Gunnar Peterson claim that GRC is dead.  In my typical global-brained style, I want to cut to the root cause of why GRC is stillborn.

As a group, we need to come to the consensus that half of the security industry is a bunch of spam-sending FUD-mongering dotcom dropouts with MBAs who see the “perfect storm” of money and opportunity that an uncertain-but-necessary niche market brings.  Furthermore, I say we distance ourselves from them because they make the rest of us look bad.

Image: Parking Meter Fail (Failed parking meter by cgansen).

These are the same people who pitched technical policy compliance solutions for SOX which became continuous compliance which begat risk management which begat GRC.  Do we really need all this cr*p?

Look at the warning signs of this half of the industry, these were so true for the dotcom era:

  • New companies and products you’ve never heard of
  • Staff nobody’s ever heard of
  • “Trendy” product class that everybody wants to do this year
  • Claim to have product purchased by a “Major Financial Institution”
  • Is a rebranding of a previously-failing product
  • Company was not security-focused last year
  • Company and product life-span of ~2 years
  • No alignment with other vendors or industry leaders
  • Technology is “hokey”–SIEM solutions using MS Access as the back-end
  • Feels “gimmicky”

If you see any of these in a prospective vendor, run away now!  And if you do buy, don’t say I didn’t warn you.

Now, in a past life, SSG Rybolov would say something witty like how people who are used to preventing and detecting fraud should be able to come up with a model to keep people from invading the industry looking for the filthy lucre.  In fact, I think I just might have.  =)

The other half of you all, the non-snake-oil-selling half, is great, keep up the good work and never, ever go to the dark side.

Posted in Rants | 3 Comments »

Some Thoughts on Comments to My Blog…

May 14th, 2008 by rybolov

I have a very disturbing trend with comments to my blog:  I don’t get any comments on the serious stories–only the “fun” posts.

This leads me to believe one of the following is at play:

  • I write succinctly and with authority and never make mistakes. (at least it helps to hope…)
  • Nobody knows the subjects that I talk about because it’s a niche to a niche.
  • I don’t sensationalize the news enough to make people want to comment.  Note that this is a radical departure from the mainstream media when it comes to security and government, where FUD-mongering is the norm.
  • People are scared of me because they think I’m intellectually and emotionally unstable and that I’m going to trash them if they comment.  =)
  • Government employees are afraid to put anything critical of their leadership in writing.
  • Like they say about the classified world, “Those who know don’t talk, those who talk don’t know”. (side note:  what am I saying about myself here?)
  • The First Rule of FISMA Club is that YOU DO NOT TALK ABOUT FISMA CLUB!!!111oneoneone
  • If it’s your first comment, you have to fight.

Image: Blog Explanation in French by Stephanie Booth.

Now the problem for me is that in order to make security in the government work, we need to change the culture of the people doing it.  IT and specifically security require a zero-defects approach, and this is counter to survivability in a political environment.  The only way we can do that is if I’m not the only voice preaching in the wilderness–I really do want people to tell me I’m full of it and give a good rationale.  =)

In the spirit of helping, this is the Guerilla’s Guide to Commenting on http://www.guerilla-ciso.com/

  • Everything in Moderation:  No big surprise–I moderate comments.  This is pretty much so I can keep the spam out.  I’ve only had one legitimate post that I deleted because it was personal in nature from a person who knew me in “a past life”.
  • Email is Semi-Anonymous:  If you post a comment using a bogus email address, I’m happy with it as long as the content is relevant and doesn’t look like spam.  The email address is really only so wordpress can track you and automagically approve your next post as long as the name and email match up.
  • Thou Shalt Remember the Chatham House Rule:  I do not repeat anything that was told to me in confidence.  Neither should you.  Yes, there are things I won’t write on here, like the conversation I had with [censored] from [censored] who confirmed that [censored]-[censored] is not yet final because [censored].
  • I’m Neither a Crook Nor a Cop:  I have yet to receive any kind of subpoena asking for subscriber or commenter information, nor do I send you stupid spam jokes because I know who you are.

I’ll end with one of my favorite army jokes:  “What’s the difference between a war story and a fairy tale?  A fairy tale begins with ‘Once upon a time’, war stories begin with ‘No sh*t, there I was’”.

Posted in Rants, The Guerilla CISO | 6 Comments »

Caught on Tape!

May 13th, 2008 by rybolov

A couple of weeks ago, Martin McKeay was in town and recorded an interview with me.  I wax poetically on my typical things–FISMA, risk assessment, anti-compliance.

The funny thing is, weeks later, I listened to myself and I actually sound like I know something…. Who woulda thunk it?  =)

Posted in FISMA, Risk Management, Speaking, The Guerilla CISO | No Comments »

HR 5983–DHS Now Responsible for Contractor Security

May 12th, 2008 by rybolov

I’ve said it a million times before:  I don’t care if you switch to $FooFramework, as long as you have the same people executing it with the same skillset, the results will be the same.  Last week and for the near-term, it’s a new bill to replicate the tenets of FISMA and the NIST framework thereof.

Last week, Representative Langevin introduced HR 5983, the “Homeland Security Network Defense and Accountability Act of 2008”.  Some press on the bill:

Now the big question for me on this bill (and really, any proposed law) is this:  How does this provide anything above and beyond what is already required by FISMA, OMB policies, and NIST guidelines?  My short analysis:  Not much, and Rep Langevin is just “stirring the pot” with the big spoon of politics.

HR 5983 requires the following:

  • Re-establishes the role and staffing requirements for the CIO, including network monitoring
  • Testing the DHS networks using “attack-based” protocols
  • IG audits and reporting
  • Adding responsibility for contractor systems

Again, nothing new here that isn’t required already.  The only benefit to this bill that I see is that if it’s law, the Executive Branch has to request the funding in their budget request and Congress has to (maybe) fund it. It isn’t that DHS doesn’t have the in-house expertise–they own US-CERT.  It’s not that they have a lack of smart people–they own the Security Line of Business.  It’s that there are only so many hours in the day to get things done, and DHS has had lots of work since their creation in 2002.

A little bit of peeking behind the security kimono at DHS is in order.  DHS consists of subagencies, known as Operational Elements, such as TSA, ICE, CBP, etc.  The heads of these agencies are peers to the DHS CIO and have their own CIO and CISO, even though that’s not what they’re called.  See, the OEs do not have to listen to the DHS CIO, and that’s a huge problem.  Last year, DHS made the DHS CIO the budget approver for the OE’s IT budgets, which is a step forward, but still there is much room for improvement.  That’s something that Congress can fix.

Now it just isn’t a “Government IT Security News Day” without a comment from Alan Paller of SANS fame…

“One story is missing from this issue because the press hasn’t picked it up yet. Under Chairman Langevin of Rhode Island, the US House of Representatives Subcommittee on Emerging Threats and Cybersecurity just approved a new bill that changes how security will be measured, at least at the Department of Homeland Security. This is the beginning of the end of the huge waste under FISMA and the start of an era of continuous monitoring and automation. Long overdue. Look for news stories over the coming days.
Alan”

Like I say sometimes, I’m a bear of little brain and a recovering infantryman, but why is the answer to a law to make another law saying exactly the same thing?  All I have to say is this:  You’re not on Slashdot, you actually have to read the bill before you comment on it.  I didn’t see anything that supports what Alan’s saying.    =)

Image: Capitol at Sunset by vgm8383.

To me, the very interesting thing about this bill is this provision:

“Before entering into or renewing a covered contract, the Secretary, acting through the Chief Information Officer, must determine that the contractor has an internal information systems security policy that complies with the Department’s information security requirements, including with regard to authentication, access control, risk management, intrusion detection and prevention, incident response, risk assessment, and remote access, and any other policies that the Secretary considers necessary to ensure the security of the Department’s information infrastructure.”

I have an issue with the language of this provision.  It’s one of scope.

But perhaps an explanation is in order.  Most (OK, maybe half or a little bit more, this isn’t a scientific number) government IT systems are contractor-operated.  These contractors have “Government data” on their corporate networks.  Some of this is fairly benign:  contracting collateral, statements of work, staffing plan, bill rates, etc.  Some of this is really bad:  PII, Privacy Act data, mission data, etc.  Some of this is “gray area”: trouble tickets, event data, SIEM data, etc.

Now taking this back to cost-effective, adequate security, what the Langevin bill means is that you’re taking the FISMA framework and applying it to all contractors without any bounds on what you consider within your realm of protection–ie, according to the language of the bill, if I’m any contractor supporting DHS in an outsourcing engagement, you can audit my network, whether or not it has Government data on it.  This is a problem because your oversight cuts into my margins and in some cases does not provide the Government with the desired level of security.

My response as a contractor is the following:

  • Increase my rates to compensate for the cost of demonstrating compliance
  • Do not bid DHS contracts
  • Adopt a policy that says that DHS policies apply to the systems containing government mission data and meta-data
  • Charge the Government at Time and Materials for any new requirements that they levy on you for mitigation

Unfortunately, this is a game that the Government will win at with respect to controlling the contractor’s network and lose at with respect to cost.

Good contractors understand the liability of having separation between Government data and their own network.  Back in my CISO role, that was the #1 rule–do not put Government data on the corporate network or “cross the streams” (Thanks, Vlad).  In fact, I wrote a whole chunk of blog posts last year about outsourcing, go check them out.  We would give to the customer anything that could be built in a dedicated mode specifically for them.  The dedicated network sections used the customer’s policy, procedures, and standards, and they got to test them whenever they wanted.  In back of that was a shared piece for things that needed large economy of scale, like the STK 8500 and the NOC dashboards to put all the performance data on one screen.

Having said that, some data does need to cross over to the contractor’s network (or, even better, a separate management network) in order to provide economy of scale.  In our case, it was trouble tickets–in order to split field technicians across different contracts to keep them billable, the only cost-effective way to do this is to have tickets go into a shared system.  Any other solution costs the Government a ton of money because they would be paying for full-time field techs to be on-site doing nothing.

The problem is that our guidance on contractor systems is grossly outdated and highly naive.  The big book of rules that we are using for contractor security is NISPOM.  Unfortunately, NISPOM only applies to classified data, and we’re left with a huge gap when it comes to unclassified data.

What we need is the unclassified version of NISPOM.

The NIST answer is in section 2.4 of SP 800-53:

The assurance or confidence that the risk to the organization’s operations, assets, and individuals is at an acceptable level depends on the trust that the authorizing official places in the external service provider. In some cases, the level of trust is based on the amount of direct control the authorizing official is able to exert on the external service provider with regard to the employment of appropriate security controls necessary for the protection of the service and the evidence brought forth as to the effectiveness of those controls. The level of control is usually established by the terms and conditions of the contract or service-level agreement with the external service provider and can range from extensive (e.g., negotiating a contract or agreement that specifies detailed security control requirements for the provider) to very limited (e.g., using a contract or service-level agreement to obtain commodity services such as commercial telecommunications services).

Hmmm, in a classic ploy of stealing lines from my Guerilla CISO Bag-o-Tricks ™, NIST has said “Well, it depends”.  And yes, it depends, but how do you implement that when OMB dictates that what NIST says is THE standard?

Posted in FISMA, NIST, Rants | No Comments »

Everybody Else Is Doing It So Why Can’t We?

May 8th, 2008 by rybolov

I’ve sat in on too many presentations lately.  After a couple of them, you start to think “Hey, I can do way better than that!”  And so I’ve been collecting my thoughts to get some presentations down and rehearsed.

Anyway, some sample topics I’ve thought up, hope you like them:

  • Security curmudgeon 101:  It all starts with electric shock and goes downhill rapidly
  • Contractors Never Go for Broke: how I learned to stop fearing unclear guidance and made a ton of moolah in the process
  • Who Moved My InfoSec Cheese:  What to do when the great big SOX cow in the sky dries up
  • Leadership Secrets of Attila the CISO: throwing dead bodies and the problem does create a solution!
  • $Racial_Slur in the Wire:  why your perimeter is massive pwnage once they get past it
  • The “S” in “SIEM” stands for “Suck”: learning how to deal with the limitations of security tools
  • Lessons from Language School: how I embraced the language and culture of our sworn enemies so that we could more effectively kill them in a bout of mutually assured destruction and why it seems so quaint in the new millennium
  • DAM Solutions: more than just the punch-line to analyst jokes
  • Data Reduction for Dummies: since the classification follows the data, if we get rid of it all, we don’t need to secure it
  • Physical and Environmental Protection for Packet Monkeys: learning why there’s a big red button on the wall of the data center next to the switches and what really happens when you push it

And, lo and behold, I am available to speak, always have been.  If you like an idea that I’ve put out there, put 3 squirrels on a park bench and I’ll give them a presentation.

Posted in BSOFH, Speaking, The Guerilla CISO | 5 Comments »
