The Honor System

Posted July 11th, 2007 by

Seth Godin has a phenomenal blog post about the honor system and how it affects the secret squirrels and the chicken littles of the security world.  I knew there was a reason we liked Seth.



Posted in Odds-n-Sods, Risk Management | 1 Comment »

Security Controls You Won’t See in SP 800-53

Posted July 11th, 2007 by

Going back through my email makes me laugh.  As crazy as I probably seem to my blog readers, there are things that I can’t really share with the world.  This is not one of them, but it could be offensive to some people, so rest assured I’m joking, people.   =)

PS-9 Stalinistic Purge of the IT Department
Control:
The organization: (i) conducts periodic arrests and interrogations on any member of its staff deemed to have “significant security responsibility”; and (ii) asks personnel being interrogated to name three (3) of their accomplices.

Supplemental Guidance:
Geeks are like peasant-workers.  You have to intimidate them at periodic intervals so that they don’t think they can take over the business functions of your organization.

Control Enhancements:
(1) The organization establishes a “show trial” system to publicly humiliate personnel being interrogated as a deterrent to other personnel who might be considering challenging the management structure.
(2) The organization hoists the heads of those found guilty of “crimes against the organization” on a pike at the entrance to the organization’s headquarters or data center.

Low: PS-9  Moderate: PS-9(1)  High: PS-9(1)(2)



Posted in FISMA, The Guerilla CISO | 2 Comments »

Wednesday Zombie Blog–Dr Squid

Posted July 11th, 2007 by

My wife used to work for this guy as his pixel engineer making posters, flyers, etc.  As a sideline, he started making horror movies with private financing–if you give him $100 you get to be a big-shot movie producer:

For just $100, you can be listed as a producer on the cool horror anthology, TWISTED FATES. In addition, you will get a free copy of the finished tape and a special certificate honoring your role as producer. While the movie is in production, you’ll be kept updated via e-mail and have access to private “sneak peek” webpages offering early glimpses at screen captures from the shoot.

Now usually he cranks out such ultra-B movies about such interesting subjects as Redneck Bloodsucking Vampires and The Evilmaker.  In order to get a little taste of the peril, check out the video review for BRV.  Think of a modern-day Ed Wood.

Well, Dr Squid has a zombie movie: Zombie Love Slave. I’m waiting for him to figure out what kind of vehicle he wants to release the movie in. A side project of mine is to convince him that he needs to make more zombie movies.



Posted in Zombies | 1 Comment »

More Vendor Spam

Posted July 11th, 2007 by

Goodie, more security vendor spam today. Do people really think that spamming security people with security products actually works?  I almost always get spam on two types of products:  compliance tools and hard drive encryption solutions.  Makes me think that maybe this segment of the marketplace isn’t the most honest around, which poses problems in an industry based on personal integrity.

Dear Rybolov,

This message is meant for your information security and compliance team, and discusses enterprise strategies for encrypting laptop hard drives and controlling usage of removable storage devices, including USB drives, iPods, PDAs and smartphones. Please feel free to forward it as appropriate.

Increased usage of laptops and devices has extended the security perimeter of your organization. They allow sensitive information to leak out, unauthorized files to flow in, and are very often misplaced, lost or stolen. The good news is there are now solutions available for enterprises to centrally manage, control and encrypt these devices.

My name is <withheld> with <withheld>, an IT security firm specializing in data lifecycle security. Recently, some of the largest financial, healthcare, and government organizations in the U.S. have implemented solutions for encrypting hard drives and controlling removable storage devices.

Please review our website for more information: <withheld>. I am also able to schedule technical demonstrations for the appropriate individuals on your security team.

Thank you for your attention to this matter and I look forward to hearing from you soon.

Sincerely,

<withheld>



Posted in The Guerilla CISO | No Comments »

Power Outages Do Happen

Posted July 10th, 2007 by

Finally had one today. It was great. The generators kicked on. The building-wide UPS worked. The NOC and SOC still had power. The other working areas ran out of AC, power, and people before I got there.  No problem, the engineers can go elsewhere to work as long as the operations people still have what they need.

Before you ask, no I didn’t create the problem as a BOFH DR test, and the outage did not occur immediately after a line like “so, what does this big, shiny, red button labeled ‘EPO’ really do?”.  =)



Posted in Risk Management, The Guerilla CISO | 5 Comments »

Another Day, Another Vendor

Posted July 10th, 2007 by

So I got “roped into” another vendor presentation yesterday. I should have done a little bit of research beforehand because then I would know that the product they pitch is Yet Another Technical Policy Compliance Tool (YATPCT)(tm) and I could have safely skipped it.

From my standpoint, this market is getting crowded, but the nature of the beast is that it’s low sales volume but high cost. I.e., it’s a market that will forever be make-or-break. Not a good place to be as a vendor, and I have a feeling that the majority of them will die a horrendous death, but to the business leadership one sale looks pretty good.

One thing that I did see is that the typical YATPCT has now evolved. Most of them have incorporated workflow now so they’re aiming for “security team in a box”.

Now for people who know what they are doing, the people that I refer to as “clueful”, these tools are pretty good at keeping you on track. The problem is that there is a shortage of clueful people, so they’re buying tools to compensate for the lack of skill. The end result of this game is that you end up broke with no adequate security–not exactly what I would call “effective security”.

One of these days I’ll find a vendor who “gets it” and is worth my time to teach them how to do the last 5% of what they need to work for me. God knows I’ve taken hours to explain it to anyone that wanted to hear. This is what I want to see:

  • Grouping assets together
  • Determining a criticality for the group based on the Business Reference Model (SP 800-60)
  • Yes, a baseline of controls from 800-53 but the ability to add my own controls and do tailoring because I have to distill the control into an exact requirement that people can build to
  • The ability to extract a complete System Security Plan to hand to an auditor
  • An engine to build a test plan and record results
  • Workflow for Plan of Action and Milestones so I can get funding from Congress and actually get things fixed. Exhibit 300 format would be highly superb.
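To make the wishlist concrete, here is an added, constructed sketch of that pipeline in Python. It is not any vendor’s product and not SP 800-53 text: asset grouping, FIPS 199 high-water-mark categorization, baseline selection in the same Low/Moderate/High allocation shape as the satirical PS-9 line above, tailoring into buildable requirements with written justifications for anything dropped, an SSP control table, and a POA&M built from test results. The control IDs, baseline allocations, the Payroll system and its test results are all made up for the example.

```python
"""Constructed model of the compliance-tool workflow in the wishlist above.
Not a vendor product and not SP 800-53 text; the catalog, allocations and the
sample Payroll system are invented for illustration."""
from dataclasses import dataclass

LEVELS = ("low", "moderate", "high")            # FIPS 199 impact levels, ordered


@dataclass
class Asset:
    name: str
    confidentiality: str
    integrity: str
    availability: str


@dataclass
class Control:
    cid: str
    title: str
    baselines: tuple                              # impact levels that include it
    requirement: str = ""                         # tailored, buildable requirement


@dataclass
class PoamItem:
    cid: str
    weakness: str
    owner: str
    milestone: str
    status: str = "open"


def high_water_mark(assets):
    """FIPS 199: a system takes the highest impact level of any asset on any objective."""
    levels = (getattr(a, obj) for a in assets
              for obj in ("confidentiality", "integrity", "availability"))
    return max(levels, key=LEVELS.index)


# Constructed mini-catalog in the "Low: X  Moderate: X(1)  High: X(1)(2)" shape
CATALOG = [
    Control("AC-2", "Account Management", ("low", "moderate", "high")),
    Control("AC-2(1)", "Automated account management", ("moderate", "high")),
    Control("AU-6", "Audit review and reporting", ("low", "moderate", "high")),
    Control("CM-7", "Least functionality", ("low", "moderate", "high")),
    Control("IA-2(1)", "MFA for network access to privileged accounts", ("moderate", "high")),
    Control("SC-7(8)", "Route traffic to proxy servers", ("high",)),
]


def select_baseline(catalog, level):
    """Every control allocated to this impact level; catalog order is kept for the SSP."""
    return [c for c in catalog if level in c.baselines]


def tailor(baseline, requirements, add=(), remove=None):
    """Tailoring: plug in org-specific requirements, add org controls, and drop
    not-applicable ones only with a written justification the SSP will show."""
    removed = dict(remove or {})                  # cid -> justification
    kept = [Control(c.cid, c.title, c.baselines, requirements.get(c.cid, c.title))
            for c in baseline if c.cid not in removed]
    kept.extend(add)
    return kept, removed


def ssp_control_table(system, level, controls, removed):
    """The control section an auditor gets: one row per control with its requirement."""
    rows = [f"System: {system}  Categorization: {level.upper()}"]
    rows += [f"{c.cid:<10} {c.title:<48} {c.requirement}" for c in controls]
    rows += [f"{cid:<10} NOT APPLICABLE: {why}" for cid, why in removed.items()]
    return "\n".join(rows)


def build_poam(controls, results, owner, milestone):
    """Test-plan results -> POA&M. A control with no recorded result is a weakness
    too: silently treating 'not tested' as 'pass' is how gaps hide in the SSP."""
    return [PoamItem(c.cid, f"{c.title}: {results.get(c.cid, 'not tested')}",
                     owner, milestone)
            for c in controls if results.get(c.cid, "not tested") != "pass"]


def residual_risk(level, poam):
    """Decision input for the leave/fund/kill call, not an ALE figure."""
    open_items = [p for p in poam if p.status == "open"]
    if not open_items:
        return "accept"
    return f"{level}-impact system with {len(open_items)} open weaknesses: fund or fix"


# ---- constructed sample system --------------------------------------------
PAYROLL = [Asset("payroll-db", "moderate", "moderate", "low"),
           Asset("payroll-web", "low", "moderate", "low"),
           Asset("report-share", "low", "low", "low")]

REQUIREMENTS = {                                  # distilled, buildable wording
    "AC-2": "Accounts provisioned via the HR feed; disabled within 24h of separation",
    "AU-6": "Syslog to the SOC collector; reviewed daily by the on-duty analyst",
}

if __name__ == "__main__":
    level = high_water_mark(PAYROLL)
    controls, removed = tailor(
        select_baseline(CATALOG, level), REQUIREMENTS,
        add=[Control("ORG-1", "Annual DR exercise", (level,), "Failover test every October")],
        remove={"IA-2(1)": "No remote privileged access; admins use the console only"})
    print(ssp_control_table("Payroll", level, controls, removed))
    results = {"AC-2": "pass", "AU-6": "fail: logs not forwarded", "CM-7": "pass"}
    poam = build_poam(controls, results, owner="Ops lead", milestone="FY08 Q1")
    print(residual_risk(level, poam))
```

Run it and the Payroll system categorizes as MODERATE from the database alone, the SSP lists the tailored requirements plus the justification for the dropped control, and the POA&M picks up the failed audit control and the two controls nobody tested, which is the point of putting "not tested" in the failure path.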

The problem is that a tool adds to the effort involved, not detracts from it–you still have to use the thing in addition to all the people-power. If you still need the people with the wetware to use the tool, what has the tool effectively saved you? Probably not much. In fact, I ask the basic question: what does automation really provide for something that is perpetually a one-off system? You only get efficiency when you optimize the parts of a process that are repeated–ask any programmer about it. Yet at the same time, if you have a set of systems that habitually have a large amount of shared controls between them, why aren’t they lumped together into the same system already?

In the meantime, all I see are SOX technical compliance solutions kluged into FISMA compliance solutions. We think differently here inside the beltway. I don’t assign dollar values to individual servers, and I don’t care about ALE calculations. To be bluntfully honest, I don’t really care about compliance, I care about risk management (both security risk and project risk), so at the end of this exercise, no matter what the scope of it is, I want to know what the residual risk is and if we should do one of the following:

  • Leave it as-is
  • Pump more money into it
  • Kill it or at least investigate feasible alternatives
  • Beat people about the head with the giant foam cluebat until they fix a small subset of problems
  • Fire the staff
  • Fire the evaluation staff
  • Go fishing (trick answer, I was going to do that anyway) =)


Posted in FISMA, NIST, Risk Management | 5 Comments »
