Security Assessments as Fraud, Waste, and Abuse

Posted July 17th, 2008 by

I’m going to put on my Government Security Heretic Hat for awhile here, so bear with me. By my estimate, half of the security assessments received by the Government involve some kind of fraud, waste, and abuse.

What makes me say this is the amount of redundancy in some testing that I’ve seen without any value added.

The way to avoid this redundancy is the concept of common/shared controls. The whole idea is that you take whatever security controls you have across the board and put them into one bucket. You test that bucket once, and then whenever a system shares controls with that bucket, you look at the shared-control bucket’s assessment and make sure it is still relevant (it actually covers the controls the system inherits) and accurate (it is recent enough to still reflect reality) instead of testing those controls again.
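As an added illustration of the shared-control bucket idea (example code written for this edit, not from the original post or its author), the following Python models systems that inherit controls from common-control buckets and computes, per system, which controls still need direct testing, which bucket assessments can be reused, and which buckets have gone stale and must be re-verified before anyone leans on them. The control identifiers are NIST SP 800-53 family IDs used only as labels; the system names, dates, and the one-year staleness window are constructed assumptions.

```python
"""Added example (not from the original post): modelling common/shared control
inheritance so that a shared-control bucket is assessed once and each system's
assessment covers only what the bucket does not.

Assumptions (constructed for illustration): system names, assessment dates,
and a 365-day freshness window.  Control IDs are 800-53 identifiers used as labels.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import FrozenSet, List, Optional, Tuple


@dataclass
class Assessment:
    """When a set of controls was last tested and exactly which controls it covered."""
    assessed_on: date
    controls: FrozenSet[str]


@dataclass
class ControlBucket:
    """A common/shared control bucket (e.g. enterprise patch management)."""
    name: str
    controls: FrozenSet[str]
    assessment: Optional[Assessment] = None


@dataclass
class System:
    name: str
    controls: FrozenSet[str]                              # every control the system must satisfy
    inherits: List[ControlBucket] = field(default_factory=list)


def is_stale(assessment: Optional[Assessment], today: date, max_age_days: int) -> bool:
    """An assessment is unusable if it never happened or is older than the window."""
    if assessment is None:
        return True
    return (today - assessment.assessed_on) > timedelta(days=max_age_days)


def plan_assessment(system: System, today: date, max_age_days: int = 365
                    ) -> Tuple[FrozenSet[str], List[str], List[str]]:
    """Return (controls to test directly, buckets to re-verify, buckets reused).

    A control is reused only when an inherited bucket (a) claims it, (b) has a
    fresh assessment, and (c) that assessment actually covered the control.
    Everything else falls back into the direct-test set for this system.
    """
    covered = set()
    reuse, reverify = [], []
    for bucket in system.inherits:
        if is_stale(bucket.assessment, today, max_age_days):
            reverify.append(bucket.name)      # accuracy check failed: too old or missing
            continue
        # relevance check: only controls the bucket claims AND the assessment tested
        shared = bucket.controls & bucket.assessment.controls & system.controls
        covered |= shared
        reuse.append(bucket.name)
    return frozenset(system.controls - covered), reverify, reuse


def summarize(systems: List[System], today: date, max_age_days: int = 365) -> Tuple[int, int]:
    """Total controls across all systems vs. how many still need a direct test."""
    total = sum(len(s.controls) for s in systems)
    direct = sum(len(plan_assessment(s, today, max_age_days)[0]) for s in systems)
    return total, direct


# --- constructed sample data --------------------------------------------------
TODAY = date(2008, 7, 17)

# Fresh bucket whose assessment covered everything it claims.
PATCH_MGMT = ControlBucket("enterprise-patch-mgmt", frozenset({"SI-2", "CM-3"}),
                           Assessment(date(2008, 3, 1), frozenset({"SI-2", "CM-3"})))
# Stale bucket: assessed in 2006, so it must be re-verified before reuse.
PHYSICAL = ControlBucket("datacenter-physical", frozenset({"PE-2", "PE-3"}),
                         Assessment(date(2006, 1, 15), frozenset({"PE-2", "PE-3"})))
# Fresh bucket whose assessment only tested part of what it claims (AU-6 untested).
LOGGING = ControlBucket("central-logging", frozenset({"AU-2", "AU-6"}),
                        Assessment(date(2008, 6, 1), frozenset({"AU-2"})))

PAYROLL = System("payroll", frozenset({"SI-2", "CM-3", "PE-2", "PE-3", "AC-2", "AU-2", "AU-6"}),
                 [PATCH_MGMT, PHYSICAL, LOGGING])
HR_PORTAL = System("hr-portal", frozenset({"SI-2", "AC-2"}), [PATCH_MGMT])

if __name__ == "__main__":
    for system in (PAYROLL, HR_PORTAL):
        direct, reverify, reuse = plan_assessment(system, TODAY)
        print(system.name, "direct:", sorted(direct), "reverify:", reverify, "reuse:", reuse)
    print("controls vs direct tests:", summarize([PAYROLL, HR_PORTAL], TODAY))
```

The point of the three-way check in `plan_assessment` is that reuse is only legitimate when the inherited assessment is both current and actually covered the control; a bucket that claims a control it never tested (the `central-logging` case) gives no coverage for it, and a stale bucket gives no coverage at all until it is re-verified.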

So, what makes a security assessment not fraud, waste, and abuse?  It’s a good assessment if it does the following:

  • Does not repeat a previous assessment.
  • Discovers previously-undiscovered vulnerabilities, weaknesses, or findings.
  • Has findings that get fed into a risk management plan (accepted, avoided, transferred, etc–think POA&M).
  • Is not exhaustive when it doesn’t need to be.
  • Provides value to the project team, system owner, and Authorizing Official to make key decisions.

Now the problem is that the typical auditor has a hard time stopping–they have an ethical obligation to investigate anything that their “professional skepticism” tells them is out of place, just like cops have an ethical obligation to investigate anything that they think is a crime.

The Solution?  Don’t use auditors! The public accounting model that we adopted for information security does not scale the way that we need it to for ST&E, and we need to understand this in order to fix security in the Government.

What we need to be doing is Security Test and Evaluation which is focused on risk, not on compliance using a checklist of control objectives.  Usually if you know enough to say “Wow, your patch management process is whacked, you’re at a high risk!” then that’s enough to stop testing patch management controls.  This is one of the beefs I have with 800-53A in the hands of less-than-clueful people:  they will test until exhaustion.

There isn’t a whole lot of difference between ST&E and an audit, just the purpose. Audits are by nature confrontational because you’re trying to prove that fraud, waste, and abuse hasn’t occurred. ST&E is helping the project team find things that they haven’t thought of before and eventually get the large problems funded and fixed.

[Photo: The Little Frauds songbook, from Harrigan & Hart’s Songs & Sketches. Photo by Boston Public Library]


Posted in FISMA, NIST, Risk Management, What Doesn't Work | 8 Comments »

8 Responses

  1.  Exhaustive Security Testing is Bad For You | The Guerilla CISO Says:

    […] if you’re a government employee. Thanks for visiting and happy hacking!Hot on the heels of Security Assessments as Fraud, Waste, and Abuse comes this heartwarming […]

  2.  bambijihad Says:

    There may be a part of the equation that you have overlooked. If I’m the ISSO for a system whose CA and DA view C&A as a superfluous documentation exercise, and won’t understand the contents of a package they have no intention of reading in the first place, then I will calibrate my efforts accordingly. And yes, I have found myself in that situation more often than I care to recount.

    There appears to be a pervasive attitude toward C&A and other things security, that they are little more than make-work projects which constitute a check box which must be checked, but don’t really add value to the overall agency/program/project/whatever.

    Perhaps, the blame falls squarely in our laps as security professionals as we have allowed in too many charlatans who read from 800-53 like Moses reading the Ten Commandments, and are not very adept at couching security controls in terms of business goals and risk management strategies.

    But then, I’m the dumbest guy who reads the site.

  3.  rybolov Says:

    Hehe… you found out the reason why I blog about this stuff: in order to point out the flaws in our system and to counter the people who complain that the system is a cascade failure.

    Yes, it is our fault because we suffer with charlatans, but it’s also the nature of Government–anytime you have something on such a huge scale, there is going to be an amount of fraud, waste, and abuse.

    You’re so not the dumbest guy around, you got a clue.

    And hey, you jumped ship and didn’t tell me!

  4.  shrdlu Says:

    Might it be fair to say that ST&E should be used to assess the *effectiveness* of security controls, whereas the purpose of a security audit is to assess the level of *compliance* with previously established controls and policies?

    In other words, an audit can and should repeat assessments to see if you frickin’ fixed the problems they found last year. (Especially if you are an outside agency trying to verify compliance.) An ST&E, on the other hand, should be the anti-checklist: what else did we NOT think of, or NOT implement well enough?

  5.  rybolov Says:

    Hi shrdlu, more to come on this topic in the near future.

  6.  Vlad the Impaler Says:

    Ahh, the curmudgeon in me rises to the fore…

    After having done ST&E for more years than I can count, let me offer the following definitions in Vlad-speak:

    ST&E == exhaustive functional/security testing (what I do before I accredit something). In the old days, this was done in the actual environment, under controlled, nearly operational conditions.

    Audit == high level statistical sampling to determine level of “compliance.”

    Exhaustive security testing can indeed be bad for you, especially if you’re dealing with a development project with shoddy QA. The ST&E team rapidly becomes the QA staff…

    My Bottom Line here is that ST&E should not only test the effectiveness and correctness of the controls implementation, it also takes on some of the mettle of acceptance testing, in that you test suitability against a concept of operations (CONOPS).

    Clear as Mud?

  7.  rybolov Says:

    I wonder if my friend at Harris still has the post-it that I stuck on his monitor as a constant reminder: “ST&E !== QA”

  8.  How to Not Let FISMA Become a Paperwork Exercise | The Guerilla CISO Says:

    […] Reduce cost. There is much repetition in what we’re doing now, it borders on fraud, waste, and abuse. […]
