Feeds

•  Posts RSS
•  Comments RSS
• Subscribe via Email

Phone-Readable

Recent Comments

• Darren Couch on DHS is Looking for a CISO
• MMO Tag on Training for the Zombie Pandemic
• Sam Bowne on The Rise of the Slow Denial of Service
• jg on Apache Killer Effects on Target
• Apache Killer Effects on Target | The Guerilla CISO on The Rise of the Slow Denial of Service

What’s Hot

Tags

Categories

• Army (24)
• BSOFH (15)
• Cyberwar (7)
• DDoS (7)
• Diary of a Startup (3)
• DISA (9)
• FISMA (148)
• Flyfish (20)
• Hack the Planet (28)
• IKANHAZFIZMA (79)
• ISM-Community (15)
• NIST (93)
• Odds-n-Sods (117)
• Outsourcing (32)
• Public Policy (35)
• Rants (108)
• Risk Management (75)
• Speaking (32)
• Technical (93)
• The Guerilla CISO (80)
• Uncategorized (6)
• What Doesn't Work (87)
• What Works (112)
• Zombies (44)

Blogroll

• Amrit Williams
• Ascension Blog
• BackTrack
• Backwater Angler
• Chateau Blogsville
• Chris Hoff
• Cypher Punk Reading List
• Emergent Chaos
• Gunnar Peterson
• How Is That Assurance Evidence
• InfoSecAlways
• ISM-Community
• ISM-Community Blogs
• ISM-Community Combined Feed
• Jack Whitsitt
• Layer 8
• LOLFED
• Martin McKeay
• My Linux Blog
• NoVa InfoSec Portal
• Rich Smith
• Riskanalys.is
• Rob Newby
• Security Buddha
• Securosis
• Technology Liberation Front
• The New School of Information Security
• The Ninja CISO
• This is Fly
• TSSCI Security

Archives

• October 2012
• May 2012
• December 2011
• November 2011
• September 2011
• August 2011
• April 2011
• February 2011
• January 2011
• December 2010
• November 2010
• October 2010
• September 2010
• August 2010
• July 2010
• June 2010
• May 2010
• April 2010
• March 2010
• February 2010
• January 2010
• December 2009
• November 2009
• October 2009
• September 2009
• August 2009
• July 2009
• June 2009
• May 2009
• April 2009
• March 2009
• February 2009
• January 2009
• December 2008
• November 2008
• October 2008
• September 2008
• August 2008
• July 2008
• June 2008
• May 2008
• April 2008
• March 2008
• February 2008
• January 2008
• December 2007
• November 2007
• October 2007
• September 2007
• August 2007
• July 2007
• June 2007
• May 2007
• April 2007
• March 2007
• February 2007

Blog under the Creative Commons Attribution-NonCommercial-ShareAlike 3.0 License

Security Assessments as Fraud, Waste, and Abuse

Posted July 17th, 2008 by rybolov

I’m going to put on my Government Security Heretic Hat for awhile here, bear me out.  By my estimate, half of the security assessments received by the Government have some kind of fraud, waste, and abuse.

What makes me say this is the amount of redundancy in some testing that I’ve seen without any value added.

The way to avoid this redundancy is the concept of common/shared controls.  The whole idea is that you take whatever security controls you have across the board and put them into one bucket.  You test that bucket once and then whenever something  shares controls with that bucket, you look at the shared control bucket and make sure that the assessment is still relevant and accurate.

So, what makes a security assessment not fraud, waste, and abuse?  It’s a good assessment if it does the following:

• Does not repeat a previous assessment.
• Discovers previously-undiscovered vulnerabilities, weaknesses, or findings.
• Has findings that get fed into a risk management plan (accepted, avoided, transferred, etc–think POA&M).
• Is not exhaustive when it doesn’t need to be.
• Provides value to the project team, system owner, and Authorizing Official to make key decisions.

Now the problem is that the typical auditor has a hard time stopping–they have an ethical obligation to investigate anything that their “professional skepticism” tells them is out of place, just like cops have an ethical obligation to investigate anything that they think is a crime.

The Solution?  Don’t use auditors! The public accounting model that we adopted for information security does not scale the way that we need it to for ST&E, and we need to understand this in order to fix security in the Government.

What we need to be doing is Security Test and Evaluation which is focused on risk, not on compliance using a checklist of control objectives.  Usually if you know enough to say “Wow, your patch management process is whacked, you’re at a high risk!” then that’s enough to stop testing patch management controls.  This is one of the beefs I have with 800-53A in the hands of less-than-clueful people:  they will test until exhaustion.

There isn’t a whole lot of difference between ST&E and an audit, just the purpose.  Audits are by nature confrontational because you’re trying to prove that fraud, waste, and abuse hasn’t occured.  ST&E is helping the project team find things that they haven’t thought of before and eventually get the large problems funded and fixed.

The Little Frauds Harrigan & Hart’s Songs & Sketches Photo by Boston Public Library

Similar Posts:

• How to Not Let FISMA Become a Paperwork Exercise
• Cloud Computing and the Government
• Some Thoughts on POA&M Abuse
• 20 Critical Security Controls: Control-by-Control
• An Open Letter to NIST About SP 800-30

Posted in FISMA, NIST, Risk Management, What Doesn't Work | 8 Comments »
Tags: auditor • cashcows • catalogofcontrols • compliance • fisma • government • infosec • itsatrap • management • moneymoneymoney • risk • scalability • security

8 Responses

1.  Exhaustive Security Testing is Bad For You | The Guerilla CISO Says:
   July 17th, 2008 at 5:39 pm

   […] if you’re a government employee. Thanks for visiting and happy hacking!Hot on the heels of Security Assessments as Fraud, Waste, and Abuse comes this heartwarming […]

2.  bambijihad Says:
   July 17th, 2008 at 7:45 pm

   GC,
   There may be a part of the equation that you have overlooked. If I’m the ISSO for a system whose CA and DA view C&A as a superfluous documentation exercise, won’t understand the contents of a package they have no intention or reading in the first place, then I will calibrate my efforts accordingly. And yes, I have found myself in that situation more often than I care to recount.

   There appears to be a pervasive attitude toward C&A and other things security, that they are little more than make work projects which constitute a check box which must be checked, but doesn’t really add value to the overall agency/program/project/whatever.

   Perhaps, the blame falls squarely in our laps as security professionals as we have allowed in too many charlatans who read from 800-53 like Moses reading the Ten Commandments, and are not very adept at couching security controls in terms of business goals and risk management strategies.

   But then, I’m the dumbest guy who reads the site.

3.  rybolov Says:
   July 17th, 2008 at 8:32 pm

   Hehe… you found out the reason why I blog about this stuff: in order to point out the flaws in our system and to counter the people who complain that the system is a cascade failure.

   Yes, it is our fault because we suffer with charlatans, but it’s also the nature of Government–anytime you have something on such a huge scale, there is going to be an amount of fraud, waste, and abuse.

   You’re so not the dumbest guy around, you got a clue.

   And hey, you jumped ship and didn’t tell me!

4.  shrdlu Says:
   July 18th, 2008 at 10:05 am

   Might it be fair to say that ST&E should be used to assess the *effectiveness* of security controls, whereas the purpose of a security audit is to assess the level of *compliance* with previously established controls and policies?

   In other words, an audit can and should repeat assessments to see if you frickin’ fixed the problems they found last year. (Especially if you are an outside agency trying to verify compliance.) An ST&E, on the other hand, should be the anti-checklist: what else did we NOT think of, or NOT implement well enough?

5.  rybolov Says:
   July 18th, 2008 at 10:36 am

   Hi shrdlu, more to come on this topic in the near future.

6.  Vlad the Impaler Says:
   July 22nd, 2008 at 3:37 pm

   Ahh, the curmudgeon in me rises to the fore…

   After having done ST&E for more years than I can count, let me offer the following definitions in Vlad-speak:

   ST&E == exhaustive functional/security testing (what I do before I accredit something). In the old days, this was done in the actual environment, under controlled, nearly operational conditions.

   Audit == high level statistical sampling to determine level of “compliance.”

   Exhaustive security testing can indeed be bad for you, especially if you’re dealing with a development project with shoddy QA. The ST&E team rapidly becomes the QA staff…

   My Bottom Line here is that ST&E should not only test the effectiveness and correctness of the controls implementation, it also takes on some of the mettle of acceptance testing, in that you test suitability against a concept of operations (CONOPS.)

   Clear as Mud?

   😉

   Vlad

7.  rybolov Says:
   July 24th, 2008 at 8:21 am

   I wonder if my friend at Harris still has the post-it that I stuck on his monitor as a constant reminder: “ST&E !== QA”

8.  How to Not Let FISMA Become a Paperwork Exercise | The Guerilla CISO Says:
   June 7th, 2010 at 10:10 am

   […] Reduce cost. There is much repetition in what we’re doing now, it borders on fraud, waste, and abuse. […]

Leave a Comment