If you're new here and would like to see more of what I'm saying, you may want to subscribe to my RSS feed or have a look at my papers and presentations page for downloads of stuff that you can share or "borrow heavily from". You also might find my guidelines for posting comments interesting, especially if you're a government employee. Thanks for visiting and happy hacking!

The US Army occassionally does things right.

Well, one of the things that they do right is training. Our training process for squad and above is mostly focused around the Observer-Controller (OC) and their value proposition (my MBA word for the day, TYVM). Whenever you are training, there is an OC tagging right along with you to assess what and why you are doing something and then make recommendations at the end.

 

Observer-Controllers hard at work, photo by David Axe

What an OC brings with them (aside from their 31337 BBQ Ski11z):

• Experience of having seen the same task done hundreds of times with various groups.
• A strong understanding of the doctrinally-correct way to do a task.
• Techniques to fill out where doctrine is not specific enough.
• Sometimes they have pre-written standard operating procedures that they will share with you.

What an OC will never do:

• Use you resources to support themselves.
• Own the solution space for you.
• Criticize you in front of your troops.
• Interfere with your ability to do your mission.

Hmmm, sounds like the things that a good auditor does.

Auditors are in a fantastic position to help the auditee because of the wide range of experience in how other companies have been doing the exact same thing that you are doing.  Point is, there is a level of collusion that needs to happen between the auditor and the auditee, and the extent of that collusion is really what we’re talking about when we start looking at Separation of Duties and similar things.

Over the years, auditors and auditees have had the nature of their relationship change numerous times. Around the time of Sarbanes-Oxley, the pendulum swung wildly the way of “no relationship no how” and now it’s slowly moving back to somewhere normal. Here’s a podcast with Michael Oxley talking about how auditors need to collude better with the auditee.  Disclaimer:  this is part of a series that is produced by my firm, but I had no part in this, Mkay?

Here in DC, we have a saying (Ok, I made it up my own self):  “Collusion is not just a technique, it’s THE technique.”  =)

Bookmark to:

Very nice article in Military Information Technology Magazine (Online edition in case you couldn’t figure it out) about the DITSCAP to DIACAP transition.

Just looking at the concepts behind DIACAP, they’re very sound.  In some places, the article whines a bit too much.  Me, I’m glad to see DITSCAP go the way of the flesh in favor of risk registers and sharing of risk information with “business partners”.

My favorite quote this week:

“The services face a number of other challenges in implementing DIACAP, not least of which is what Lundgren called ’significant cultural issue’ in moving from the ‘paperwork drill’ characteristic of DITSCAP, to DIACAP, ‘where you’re expected to actually go out and do the testing.’”

How can that NOT be a good thing?

Some other good quotes in the article and my random thoughts:

“Training and education of personnel is another concern faced by DoD components, according to King. ‘They must make sure they have a cadre of information assurance professionals who are in full understanding of what DIACAP is and how it differs from DITSCAP,’ he said. ‘This includes the complete realm of IA professionals, including principle certification and accreditation personnel to program managers and IA managers. There is a significant training and education tail that need to be accomplished for DIACAP to be properly implemented.’”

Well, to be very honest, I think that this was a problem with DITSCAP, is a problem with NIST 800-37, and will continue to be a problem until I work myself out of a job because everybody in the government understands risk management.

“This is going to save money and time because it allows capabilities to be put out to the field without having to be certified and accredited three or four times.”

That’s a happy thing.  Wait until DoD figures out how to do common controls, then they’ll find out how to save scads of money.

Now want to know the secret to why DIACAP will succeed?  This is a bit of brilliance that needs to be pointed out.  DIACAP became the standard in late 2007 after the DoD watched the civilian agencies go through 5 years of FISMA implementation and were able to steal the best parts and ignore the bad parts.

Future state:  civilian agencies borrowing some of the DIACAP details, like scorecards and eMASS.

Future state:  merging of DIACAP, DCID 6/3, and SP 800-37.

Future state:  adoption of the “one standard to rule them all” by anybody who trades data with the Government.

Bookmark to:

Ok, we all know how to patrol in the woods looking for things to shoot. We’ve been doing that since the beginning of time, and really it’s ingrained nature for most people. Some people say that it’s why we developed bigger and better brains–so we could hunt more effectively.

Then the world changed. We went from being hunter-gatherers to living on farms to living in cities. And as you might expect, the amount of warfare conducted in cities has grown comparatively, from the Meistertrunk of Rothenburg in the middle ages to the burning of Atlanta during the Civil War to the Rattenkreig of Stalingrad to the mean streets of Baghdad. Truth of the matter is, nowadays cities are where the critical infrastructure is, and that’s where a modern army needs to learn how to combat and win against their enemies. In the US Army, we have a word for it: Military Operations on Urbanized Terrain, or MOUT (the department of modernization just told me that it’s now “OU” or “Urban Operations”).

One lesson from MOUT that there are many ways to kill people. Yes, you can shoot them (the good ol’ standby), but there are new ways: “anti-handling devices” (aka, booby traps and IEDs), channelization of traffic into better kill zones, better line-of-sight for snipers, ability to hide ambushes, short engagement ranges for anti-armor teams, etc.

In MOUT, you have to live with the fact that heavily barricading a building means it’s harder for the bad guys to get in and it’s also harder for you to get out if the building is on fire. It’s something to think about in the IT world where protecting against one type of attack means that you are susceptible to another attack: think dual-homing all your servers on a backup network to help with availability but meaning that if one server gets hacked, it’s a shorter path to the other servers.

Just like MOUT, there are many ways to “die” in the IT security world. Let’s see, this year it’s XSS, Ajax attacks, and USB drives. 5 years ago it was worms, virii and unpatched systems. Next year it will most likely be application vulnerabilities.

Now welcome risk management into that picture. Risk management means being able to triage the “bazillion ways to die” and come up with a list of the ones you need to fix now, the ones you need to fix over the next year, and the ones it doesn’t make sense to fix. In MOUT, it’s a question of “Do I spend the time putting in more wire and mines,” or “Do I need to work on blowing holes between rooms so I can move people and weapons internally?” or even “Which parts of the city do I rig with explosives and give away to the bad guys because they have no strategic value to me?”

Bookmark to:

Let’s introduce people to a manufacturing concept: that of zero defects and the zero-defects mentality.

See, life in the army during peacetime (and rarely during wartime) sometimes means that you are always “inspection-ready”. In some of the units I’ve seen, they were big on inspections. They would have a formal barracks inspection every week and informal inspections daily. If this seems a little obsessive, then you are right.

So what happens in units like this? Well, people start working around the system: they live out of their cars! If you’re going to do that, why don’t you skip the barracks altogether and just issue people cars to live in? Well, because obviously then the management would expect to inspect the cars for orderliness.

Of course, what does this have to do with security? Well, in most companies and the government in particular, you’re trying to project a zero-defects image to your customers. That’s the way the business and marketing side works. Marketing and security don’t mix precisely for this reason: one is trying to project an image of perfection, the other needs understanding of flaws and risks in order to make informed decisions. I won’t even go into security vendors, but you should be able to extrapolate now what I feel about some of them.

But in security, we’re not doing ourselves any favors by presenting a zero-defect facade to the rest of the world. Sometimes you need disclosure if you want to change the world. That’s why Adam Shostack is so gung-ho on breach disclosure, and I think disclosure is working to the extent that the public gradually is getting over the stigma attached to a breach at least enough to differentiate the “typical breach” with the “holy sh*t that’s an obscene breach!”

Looking at FISMA report cards in particular, it’s turned somewhat into a “management via public disgrace” activity. Not bad in some cases, but then again, it’s not exactly the kind of information you put out there when you’re expecting positive change–you’re encouraging everybody to show a zero defects face out of self-preservation.

Adam has a phenomenal idea that he presents in his breach research: using the public health model for IT security. We have to be able to track breaches back to the root cause in order to prevent it further. If I take my network and connect it to your network, I have a right to know what vulnerabilities you have. Carry this public health model maybe a bit too far, I’m now sleeping with all the people you’ve slept with, and if you come down with an STD, I have a right/need to know.

The good news is that this is where the Government is headed: disclosure with business partners. I’m not sure how it will all work out in the end and if even culturally the Government can make it work, but it has potential to be a good thing.

Bookmark to:

2 blogs from Wired caught my eye today:

• Mom and Lawyer in Montana Hunts Terrorists on the Interweb

• Woman Volunteers to be a “Pain Ray” Guinea Pig

Maybe it’s just me today, but is this like watching a train wreck to anybody else? So fascinating I can’t put it down.

The first story seems like something right out of my Russian classes: the grandmother who hangs camouflage netting on the steeples of PeterburgPetrogradLeningradPeterburg to keep the fascist bombers from using them as aiming points.

Less-lethal weapons are cool to experiment with. I mean, um…. we never did get to lock Schmidt (all 250 pounds of pure muscle) in the shipping container and pop a stinger in after him, but with all the movies I’ve seen with bored joes tasering each other in a supply depot near you, less-lethal weapons seem to be the extreme sports of the year.

Here, watch some more pain ray guinea pigs.

Bookmark to:

I’ve thrown rocks at children. Many children, in fact. I’m not too proud of it, but it’s something you do when you’re in Afghanistan.

In fact, contrary to what you hear about opium poppies being the #1 crop in Afghanistan, truth is it’s the #1 cash crop. There is a crop that is more prolific even than the poppies, and that crop is rocks.

Now when we would roll up into a village, we were the neatest thing to happen there since Genghis Khan. Some of these villages were so remote, they asked us if we were the Russians because last that they heard, the Russians were the invaders.

Being interesting to the locals means that you get flooded with kids. They come from everywhere. You can stop your patrol out in the middle of the desert with nobody in sight for 3 kilometers, and within 10 minutes you will be surrounded by kids. They all ask for the same thing: pens. They need them for school. The ones with more advanced English skills would say something like “I am student, give me pen”.

On one of the first long patrols that I was on, we went to one village and the kids gathered around. The adults in the village threw rocks at them to chase them away.

Needless to say, I was utterly shocked the first time I saw it. But after a couple of weeks when the initial shock wore off, I started to notice something: when the adults would pick up a rock, the kids would smile and start to do little dekes left and right as if to say “am I gonna go this way or am I gonna go the other way?”

Then it dawned on me: throwing rocks at kids is a national sport. Not much else to do out in the desert except rock-throwing.

After a month of being in-country, I started throwing my own rocks at the kids. I would throw it slow–lobbing more than anything–just to let them know that they needed to stand back a little bit.

There’s a point to this little story, and that point is that after you’ve been in Afghanistan for long enough, a rock is the solution to any problem that you have.

Case in point: you park the truck on a fairly steep slope. You’re worried that it might roll away in the middle of the night. Solution? Put a head-sized rock under the tires.

Case in point: some guy dies and you need to bury him. It’s a massive PITA to dig a grave, so what do the locals do? That’s right, they build a rock pile right there.

Case in point: You’re bored and have nothing to do. Stack rocks up to build towers. The original theory as explained to me is that the locals don’t have HBO at home, so they stack rocks.

Case in point: You need protection from bullets. Instead of digging, stack up some rocks and build a fighting position. The bonus is that it blends in with all the other rocks on the hillside.

The ultimate act of rocks-as-solutions was one of the last patrols I did. We were in an irrigated area and needed to cross a ditch. There was a bridge but it was too narrow. So we took some large rocks, dropped them into the ditch, and put one side of the truck on the bridge and the other side on the new rock bridge.

I’m still trying to figure out what IT security problems I can fix with a rock, other than the obvious “You want to do what? Film marketing material in the data center? *smack smack smack* You sure about that?” or “My level of pain is equal to your level of pain.”

And as far as the kids and pens for them, after a month of being there, we started writing back home asking for school supplies and we handed out pens, paper, and soccer balls everywhere we went. I even made a habit out of giving beanie babies to the girls and gum to the boys.

See? I’m not a total jerk. =)

Bookmark to:

Robert Scoble has an interesting interview with founder and demo of Plazes.

It’s such a strange concept to me because I have spent most of my adult life making sure that people either didn’t track $us or to allow $us to track other people and what they are doing.  I just don’t buy off on the fact that people would volunteer their geolocation and current activity–I’m too much inclined to answer “Nun yo” if you ask where I’m at than I am to tell you the truth.

At this point about all I can do is shrug and say “Wow, the Web 2.0 kids are weird.” =)

Now all we need is for Al Qaeda to register and we’ll be golden.  “I’m sitting at a teastand in Quetta, here is my GPS grid and I’ll be here for a couple of hours.”

Bookmark to: