Everybody Else Is Doing It So Why Can’t We?

May 8th, 2008 by rybolov


I’ve sat in on too many presentations lately.  After a couple of them, you start to think “Hey, I can do way better than that!”  And so I’ve been collecting my thoughts to get some presentations down and rehearsed.

Anyway, some sample topics I’ve thought up, hope you like them:

  • Security curmudgeon 101:  It all starts with electric shock and goes downhill rapidly
  • Contractors Never Go for Broke: how I learned to stop fearing unclear guidance and made a ton of moolah in the process
  • Who Moved My InfoSec Cheese:  What to do when the great big SOX cow in the sky dries up
  • Leadership Secrets of Attila the CISO: throwing dead bodies at the problem does create a solution!
  • $Racial_Slur in the Wire:  why your perimeter is massive pwnage once they get past it
  • The “S” in “SIEM” stands for “Suck”: learning how to deal with the limitations of security tools
  • Lessons from Language School: how I embraced the language and culture of our sworn enemies so that we could more effectively kill them in a bout of mutually assured destruction and why it seems so quaint in the new millennium
  • DAM Solutions: more than just the punch-line to analyst jokes
  • Data Reduction for Dummies: since the classification follows the data, if we get rid of it all, we don’t need to secure it
  • Physical and Environmental Protection for Packet Monkeys: learning why there’s a big red button on the wall of the data center next to the switches and what really happens when you push it

And, lo and behold, I am available to speak, always have been.  If you like an idea that I’ve put out there, put 3 squirrels on a park bench and I’ll give them a presentation.

Posted in BSOFH, Speaking, The Guerilla CISO | 5 Comments »

Cage Match: OMB Report V/S GAO Report, Only One Comes Out Alive

March 17th, 2008 by rybolov

Heh, sensationalist title, but you get the point.  There are two worlds out there contained in two reports that came out last week.  And yet, they seem to contradict each other.

Let’s see our combatants, shall we:

In this corner we have GAO.  GAO issued THEIR report as a prepared testimony to Congress.  They’ve delivered it numerous times to various committees, and I dare say that Mr. Wilshusen is getting some mileage with this report.  Basic summary:  numbers are getting better, but 21 out of 24 agencies do not have a complete information security program.

And in this corner we have OMB.  OMB issued THEIR report as a formal report to Congress.  This is a one-shot annual deal, although afterwards there are bound to be some hearings on it.  Basic summary:  we’re doing pretty well and we’re working to police up the odds and ends even more efficiently.

Now keep in mind these two simple facts:  GAO works for Congress (Legislative Branch), OMB works for the President (Executive Branch).  This is critical to remember, so file it away.

The funniest thing for me as an outside observer is that the numbers the two reports cite are identical.  A view behind the inner workings of the government:  both groups are working off exactly the same sets of data.

In preparing for this testimony, GAO analyzed agency, IG, Office of Management and Budget (OMB), and GAO reports on information security and reviewed OMB FISMA reporting instructions, information technology security guidance, and information on reported security incidents.   –GAO Report

In other words, GAO used exactly what was reported to OMB but came up with different conclusions.  Some of that is to be expected; it’s the same doers v/s auditors conflict that’s been going on since the beginning of time.  But wow, there is a huge disparity here that we need to account for.

I didn’t catch this with the GAO report, but I noticed it with the OMB report:  229 systems are not categorized, yet 94% of those are certified and accredited.  Say what?  How can you tell whether the security controls are implemented and the residual risk of the system is at an acceptable level when you have not determined what protection needs you have, much less your requirements?  Categorization is what selects the control baseline in the first place; without it there is nothing to accredit against.  This is akin to saying that a piece of software has passed user acceptance testing when the user population doesn’t know what its needs or requirements are.  Now, occasionally you don’t know how to categorize a system because it breaks the model:  a low-criticality network that serves as the backbone for one highly-critical application, a legacy application that isn’t worth categorizing because it’s in the process of being decommissioned, and so on.
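To make the "accredited but never categorized" problem concrete, here is an added example (my own illustration, not code or data from the OMB or GAO reports) that runs the same sanity check over a system inventory. It computes the FIPS 199 high-water-mark category from the three impact levels, which is what picks an SP 800-53 baseline, and then flags any system that carries an accreditation while having no category at all. The inventory rows, column layout and system names are constructed sample data.

```python
"""FISMA inventory sanity check (added example, not from the original post).

Under FIPS 199 a system's overall security category is the high-water mark
of its confidentiality, integrity and availability impact levels, and that
category selects the SP 800-53 control baseline (Low/Moderate/High).  A
system with no category therefore has no baseline, so an accreditation
decision on it has nothing to be measured against.  The CSV layout and the
rows in SAMPLE_INVENTORY are constructed for this example.
"""

from dataclasses import dataclass
from typing import List, Optional, Tuple

# Ordering used for the high-water mark; keys are lower-case impact levels.
IMPACT_ORDER = {"low": 1, "moderate": 2, "high": 3}


@dataclass
class SystemRecord:
    name: str
    confidentiality: Optional[str]  # impact level, or None if not categorized
    integrity: Optional[str]
    availability: Optional[str]
    accredited: bool                # True if the system holds an ATO


def high_water_mark(rec: SystemRecord) -> Optional[str]:
    """FIPS 199 overall category: the highest of the three impact levels.

    Returns None when any axis is missing, because a partial categorization
    cannot select a baseline either.
    """
    levels = (rec.confidentiality, rec.integrity, rec.availability)
    if any(lvl is None for lvl in levels):
        return None
    normalized = [lvl.lower() for lvl in levels]
    for lvl in normalized:
        if lvl not in IMPACT_ORDER:
            raise ValueError(f"{rec.name}: unknown impact level {lvl!r}")
    return max(normalized, key=IMPACT_ORDER.__getitem__)


def audit_inventory(records: List[SystemRecord]) -> Tuple[List[str], List[str]]:
    """Return (uncategorized systems, systems accredited without a category)."""
    uncategorized = [r.name for r in records if high_water_mark(r) is None]
    accredited_without_category = [
        r.name for r in records if high_water_mark(r) is None and r.accredited
    ]
    return uncategorized, accredited_without_category


def accredited_share(records: List[SystemRecord], names: List[str]) -> float:
    """Fraction of the named systems that hold an accreditation (0.0 if none named)."""
    chosen = [r for r in records if r.name in names]
    if not chosen:
        return 0.0
    return sum(1 for r in chosen if r.accredited) / len(chosen)


def parse_inventory(text: str) -> List[SystemRecord]:
    """Parse 'name,C,I,A,accredited' lines; '-' marks a missing impact level."""
    def level(value: str) -> Optional[str]:
        return None if value == "-" else value

    records = []
    for line in text.strip().splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, c, i, a, acc = [field.strip() for field in line.split(",")]
        records.append(SystemRecord(name, level(c), level(i), level(a),
                                    acc.lower() == "yes"))
    return records


# Constructed sample rows: name, confidentiality, integrity, availability, accredited
SAMPLE_INVENTORY = """
payroll,moderate,high,moderate,yes
public-web,low,moderate,low,yes
legacy-hr,-,-,-,yes
backbone-net,low,low,-,yes
lab-test,-,-,-,no
"""

if __name__ == "__main__":
    recs = parse_inventory(SAMPLE_INVENTORY)
    for r in recs:
        print(f"{r.name:14s} category={high_water_mark(r)} accredited={r.accredited}")
    unc, bogus = audit_inventory(recs)
    print("uncategorized:", unc)
    print("accredited without category:", bogus)
    print(f"share of uncategorized systems that are accredited: {accredited_share(recs, unc):.0%}")
```

Note that `backbone-net` is flagged even though two of its three axes are filled in: a partial categorization still cannot pick a baseline, which is exactly the "low network carrying one high application" corner case from the paragraph above.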

Now, as much as I want to stand up and tell you that the agencies have been doing outstanding C&As, I just don’t believe the IGs when they say that some of them have “satisfactory” C&A processes.  Maybe I’m just a little bit cynical, but that’s the way I call it.  I know some of these agencies, and no way would I say “satisfactory” for some of them.

Now as far as the contradicting reports, let’s do a hasty analysis of the current political situation in DC, shall we?  The Executive Branch is controlled by the Republicans (and has been for 7 years), the Legislative Branch is controlled by the Democrats (for only a year), and oh yeah, it’s an election year.  You would expect the Congress-owned GAO to sing songs of woe and the President-controlled OMB to sing songs of praise.

And that, dear readers, is the difference between the two reports.

So at the end of all this, which report is the one true report, the other being full of lies, damn lies, and statistics?  Well, they’re both just as accurate (they came from the same source data, remember), only from different angles.

The cynic/BSOFH in me says that you need to pull out the OMB report most of the time, especially when it’s time for your annual review, and pull out the GAO report when you need to justify your IT security budget.  But no, none of the CISOs or CIOs I know in the government would do that, would they?   =)

Posted in BSOFH, FISMA | 4 Comments »

Vlad’s Rules to Live By…

March 12th, 2008 by Vlad the Impaler

Greetz and shouts out to Rybolov for fixing my spare PC (yet again) and finally allowing me to contribute…

I’m a contractor filling the role of CISO at a Government Agency.  (That’s another story for another time. )  I really try to keep things light, because security can be a pretty dull business, especially if it’s done right.

Lately, I’ve run into my share of prima donnas — like the one in charge of building our whiz-bang operations support system…  Don’t get me wrong, it’s a very important project — so important that the network engineers I depend on to get things done (like design the security environment for the system) have been assimilated. Resistance was futile.  Heaven forbid one of his resources should be diverted from supporting this project to address their primary duties like helping to deal with, oh a network outage, or SECURITY INCIDENT!

Being resourceful (as all good CISOs should be) I found workarounds to all of the roadblocks this guy dropped into my path. Over time, this has really grated on me — the fact that I’m writing about this is all you need to know…

So I did what everyone should do — I vented to my boss! Together, we realized that this guy (a subcontractor of ours) was on Everyone’s Shiznit List. We actually PAY this guy to do this to us!  Venting turned to commiserating to funny stories to hysterical childlike laughter.

In the midst of this, I uttered the phrase that will be framed in my CISO office, if and when I leave Cubeville behind…

Vlad’s Rule #1

If you’re going to act like a prima donna in the CISO’s office, you WILL wear a tutu, so I can see you coming.

And when folks break into prima donna mode in a meeting or discussion, I will henceforth utter the following Key Phrase (in my favorite Redneck voice) when they cross the line:

“Lighten up Francis!  You didn’t bring your tutu widjadidja?”    Feel free to use this liberally. (All I ask is a mental footnote.)

Suddenly, things weren’t so bad.

Did I mention I like to keep things light?

Posted in BSOFH | 4 Comments »

The BSOFH On Dorky, Auditor-Friendly Policies

January 16th, 2008 by rybolov

Roger writes about his workplace instituting a bag-check on a Friday afternoon. My first thought was “Gack, that’s part of the FISMA guidance? Somebody definitely was reading between the lines,” followed by, “I wonder how much miscarriage of security is conducted by people who claim to be the long-lost intellectual progeny of Ron and Marianne (Ron Ross and Marianne Swanson from NIST, work with me here)”. Then I remembered my own security strangeness and laughed….

So a couple of years ago I was in a meeting between my physical security guy and an auditor from the government. I got there a couple of minutes late so I didn’t get introduced. No biggie, my guy had everything under control and had done most of the work with this auditor already. A tip-off should have been that I was the only guy in the room wearing a suit, thereby identifying myself as some kind of manager, but alas, our auditor wasn’t that bright.

But then a problem sprang up, and it all revolved around physical access policy and procedure. I had a procedure that said that all employees, contractors, and visitors will badge in EVERY time they enter the building. OK, some of you should be saying a big “DUH!” at this point, and you would be right. Anyway, the auditor didn’t like that. They wanted a specific policy line that says “When you come into the building after a fire drill, you should all badge back in.”

I watched my physical security guy try to rationalize the finding away. “We already say that here in the general procedure,” he said. He drew a Venn diagram on the white board: “See, fire drill is part of ‘every’”. The auditor just wasn’t buying it.

As a last-ditch attempt, I stepped in with the classic contractor phrase: “Where does this requirement come from?” The auditor looked at me and, not taking the hint that A) I know what I’m doing, B) I teach this stuff, and C) I’m the guy in the suit, so you would think I was important in some way, replied “Well, it comes from NIST. You see, they have this book of requirements called 800-53 and it says that you have to have a process to badge back in after a fire drill.”

At that point, I realized the situation. Life had handed me a bozo and it was easier to write a one-line correction than it was to try to educate them on the error of their ways and ask them to show me where it says that in SP 800-53.

So my advice to Roger: One afternoon checking bags (yay, my favorite activity to do in my “spare time”!) is sometimes easier than trying to educate your auditor.

And watch out for bozos. They’ll wear you down to a nub. =)

Posted in BSOFH, FISMA, What Doesn't Work | 5 Comments »

Simple Thoughts on Simple Rocks

September 18th, 2007 by rybolov

I’ve thrown rocks at children. Many children, in fact. I’m not too proud of it, but it’s something you do when you’re in Afghanistan.

In fact, contrary to what you hear about opium poppies being the #1 crop in Afghanistan, truth is it’s the #1 cash crop. There is a crop that is more prolific even than the poppies, and that crop is rocks.

Now when we would roll up into a village, we were the neatest thing to happen there since Genghis Khan. Some of these villages were so remote, they asked us if we were the Russians because last that they heard, the Russians were the invaders.

Being interesting to the locals means that you get flooded with kids. They come from everywhere. You can stop your patrol out in the middle of the desert with nobody in sight for 3 kilometers, and within 10 minutes you will be surrounded by kids. They all ask for the same thing: pens. They need them for school. The ones with more advanced English skills would say something like “I am student, give me pen”.

On one of the first long patrols that I was on, we went to one village and the kids gathered around. The adults in the village threw rocks at them to chase them away.

Needless to say, I was utterly shocked the first time I saw it. But after a couple of weeks when the initial shock wore off, I started to notice something: when the adults would pick up a rock, the kids would smile and start to do little dekes left and right as if to say “am I gonna go this way or am I gonna go the other way?”

Then it dawned on me: throwing rocks at kids is a national sport. Not much else to do out in the desert except rock-throwing.

After a month of being in-country, I started throwing my own rocks at the kids. I would throw it slow–lobbing more than anything–just to let them know that they needed to stand back a little bit.

There’s a point to this little story, and that point is that after you’ve been in Afghanistan for long enough, a rock is the solution to any problem that you have.

Case in point: you park the truck on a fairly steep slope. You’re worried that it might roll away in the middle of the night. Solution? Put a head-sized rock under the tires.

Case in point: some guy dies and you need to bury him. It’s a massive PITA to dig a grave, so what do the locals do? That’s right, they build a rock pile right there.

Case in point: You’re bored and have nothing to do. Stack rocks up to build towers. The original theory as explained to me is that the locals don’t have HBO at home, so they stack rocks.

Case in point: You need protection from bullets. Instead of digging, stack up some rocks and build a fighting position. The bonus is that it blends in with all the other rocks on the hillside.

The ultimate act of rocks-as-solutions was one of the last patrols I did. We were in an irrigated area and needed to cross a ditch. There was a bridge but it was too narrow. So we took some large rocks, dropped them into the ditch, and put one side of the truck on the bridge and the other side on the new rock bridge.

I’m still trying to figure out what IT security problems I can fix with a rock, other than the obvious “You want to do what? Film marketing material in the data center? *smack smack smack* You sure about that?” or “My level of pain is equal to your level of pain.”

And as far as the kids and pens for them, after a month of being there, we started writing back home asking for school supplies and we handed out pens, paper, and soccer balls everywhere we went. I even made a habit out of giving beanie babies to the girls and gum to the boys.

See? I’m not a total jerk. =)

Posted in Army, BSOFH, Odds-n-Sods | 3 Comments »

Yet More Security Controls You Won’t See in SP 800-53

September 12th, 2007 by rybolov

MP-52 Self-Destructing RFID Implants
Control:
The organization equips all employee-integrated storage media with self-igniting RFID devices so that they can be tracked throughout any government facility and destroyed upon command.

Supplemental Guidance:
All CISOs know that the information inside their employees’ heads is the real culprit.  When they get a new job, they take that information–all learned on the taxpayers’ dime–with them.  This is a much bigger security risk than the data on a USB drive could ever be.  Instead of denying the obvious truth, why don’t we implement security controls to minimize the impact of out-of-control employees?

Control Enhancements:
(1) The organization destroys the information inside an employee’s head when the employee leaves the organization, much like hard drives need to be degaussed before they are sent for maintenance.
Low: MP-52 Moderate: MP-52(1) High: MP-52(1)

Posted in BSOFH, FISMA, NIST, The Guerilla CISO | 3 Comments »
