Wednesday Zombie Post–Ethical Zombies

Posted January 16th, 2008 by

Taking a sharp deviation on the usual zombie theme, we here at the Guerilla CISO are taking a look at something I’ve been avoiding for the duration of my blog:  The Ethical Zombie.

A brief excerpt:

“The simplest version of the conceivability argument goes as follows:

  1. Zombies are conceivable.
  2. Whatever is conceivable is possible.
  3. Therefore zombies are possible.”


Posted in Zombies | No Comments »

The BSOFH On Dorky, Auditor-Friendly Policies

Posted January 16th, 2008 by

Roger writes about his workplace instituting a bag-check on a Friday afternoon. My first thought was “Gack, that’s part of the FISMA guidance? Somebody definitely was reading between the lines,” followed by, “I wonder how much miscarriage of security is conducted by people who claim to be the long-lost intellectual progeny of Ron and Marianne (Ron Ross and Marianne Swanson from NIST, work with me here).” Then I remembered my own security strangeness and laughed….

So a couple of years ago I was in a meeting between my physical security guy and an auditor from the government. I got there a couple of minutes late so I didn’t get introduced. No biggie, my guy had everything under control and had done most of the work with this auditor already. A tip-off should have been that I was the only guy in the room wearing a suit, thereby identifying myself as some kind of manager, but alas, our auditor wasn’t that bright.

But then a problem sprung up: it all revolves around physical access policy and procedure. I had a procedure that said that all employees, contractors, and visitors will badge in EVERY time they enter the building. OK, some of you should be saying a big “DUH!” at this point, and you would be right. Anyway, the auditor didn’t like that. They wanted a specific policy line that says “When you come into the building after a fire drill, you should all badge back in.”

I watched my physical security guy try to rationalize the finding away. “We already say that here in the general procedure,” he said. He drew a Venn diagram on the whiteboard: “See, fire drill is part of ‘every’.” The auditor just wasn’t buying it.

As a last-ditch attempt, I stepped in with the classic contractor phrase: “Where does this requirement come from?” The auditor looked at me, not taking the hint that A) I know what I’m doing, B) I teach this stuff, and C) I’m the guy in the suit, so you would think I was important in some way, and replied, “Well, it comes from NIST. You see, they have this book of requirements called 800-53 and it says that you have to have a process to badge back in after a fire drill.”

At that point, I realized the situation. Life had handed me a bozo and it was easier to write a one-line correction than it was to try to educate them on the error of their ways and ask them to show me where it says that in SP 800-53.

So my advice to Roger: One afternoon checking bags (yay, my favorite activity to do in my “spare time”!) is sometimes easier than trying to educate your auditor.

And watch out for bozos. They’ll wear you down to a nub. =)



Posted in BSOFH, FISMA, What Doesn't Work | 5 Comments »

Turning Routers into Firewalls

Posted January 15th, 2008 by

Not that anyone would find themselves in a situation like this: you have a firewall that’s actually a router and you want to fix it. Maybe it’s that you’re replacing a router with a firewall, maybe it’s that you had some doofuses who set up the firewall as a “Default Allow” in the first place.

Hey, we’re not being judgemental here at the Guerilla CISO, we’re all about fixing things. =)
So here is the process to follow:

  1. Get a logging server. Even better if you point it at something that lets you sort through the data better (Chuvakin, you can chime in with a subtle bit of log evangelizing here =) ). But hey, grep still works, the key here is that we’re logging and we can store a month’s worth of data.
  2. That “Default Allow” rule at the end of the chain? Set it to log everything that hits it. Keep it as “Allow” for the time being.
  3. Build and implement a ruleset for your core services that should be “Global” or “Enterprise-Wide”:
    • DNS
    • Active Directory
    • NTP
    • SNMP/NMS
    • Patching
    • Vulnerability Scanners
    • Identification and Authentication (TACACS, Radius, etc)
    • File Servers
    • Any Application-Specific Traffic
    • Remote Management/RDP/SSH/$foo
  4. Wait it out. A month is probably a good sample of network traffic that will show you where the obvious trends are.
  5. Review the data flows that were logged passing through the last rule. You might have to do some correlation with scan results, server inventory, or network drawings.
  6. Add rules for the data flows that you want to keep. There might be some things here that are obviously misconfigured and you need to push them to the server and network guys to fix.
  7. Do another sample period or if you’re feeling confident/BSOFH-ish, skip it. I can hear a voice in the back of my head saying “It’s an iterative process after all…” but I’ll ignore it for the time being.
  8. Flip the last rule in the chain to “Deny”.
  9. ????
  10. Profit!
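Steps 2 through 8 above boil down to one loop: log what hits the catch-all rule, roll the hits up into flows, decide which flows stay, and emit explicit allow rules ahead of a final deny. The script below is an added example written for this post, not the author’s own tooling. It assumes a netfilter LOG target with the prefix `[CATCHALL]` on the default-allow rule and an iptables-style ruleset; the log lines are constructed for the example, and the `keep` allowlist stands in for the human review in step 6.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not real captures): hits on a logging
# catch-all rule named CATCHALL, in the netfilter LOG target format.
# The last line is deliberately malformed to show that junk is skipped.
SAMPLE_LOG = """\
Jan 20 10:15:01 fw kernel: [CATCHALL] IN=eth0 OUT=eth1 SRC=10.1.2.33 DST=10.9.0.5 PROTO=TCP SPT=51234 DPT=1433
Jan 20 10:15:04 fw kernel: [CATCHALL] IN=eth0 OUT=eth1 SRC=10.1.2.34 DST=10.9.0.5 PROTO=TCP SPT=51240 DPT=1433
Jan 20 10:16:11 fw kernel: [CATCHALL] IN=eth0 OUT=eth1 SRC=10.1.2.33 DST=10.9.0.8 PROTO=UDP SPT=40001 DPT=514
Jan 20 10:17:45 fw kernel: [CATCHALL] IN=eth0 OUT=eth1 SRC=10.1.7.9 DST=10.9.0.20 PROTO=TCP SPT=33000 DPT=23
Jan 20 10:18:02 fw kernel: [CATCHALL] IN=eth0 OUT=eth1 SRC=10.1.2.35 DST=10.9.0.5 PROTO=TCP SPT=51300 DPT=1433
this line is not a firewall log entry and must be skipped
"""

# Fields we need from a netfilter LOG line. SPT/DPT are optional because
# ICMP entries carry no ports.
LOG_RE = re.compile(
    r"\[(?P<rule>[A-Z_]+)\].*?SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) "
    r"PROTO=(?P<proto>\w+)(?: SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?"
)


def parse_log_line(line):
    """Return a dict for one log line, or None if it is not a firewall entry."""
    m = LOG_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    return {
        "rule": d["rule"],
        "src": d["src"],
        "dst": d["dst"],
        "proto": d["proto"].lower(),
        "dpt": int(d["dpt"]) if d["dpt"] else None,
    }


def summarize_flows(log_text, rule="CATCHALL"):
    """Step 5: roll catch-all hits up into (proto, dst, dport) flows with hit
    counts and the distinct sources seen for each."""
    flows = defaultdict(lambda: {"hits": 0, "sources": set()})
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec is None or rec["rule"] != rule:
            continue
        key = (rec["proto"], rec["dst"], rec["dpt"])
        flows[key]["hits"] += 1
        flows[key]["sources"].add(rec["src"])
    return dict(flows)


def build_ruleset(flows, keep, chain="FORWARD"):
    """Steps 6 and 8: emit explicit ACCEPT rules for the reviewed flows in
    `keep`, list everything else for follow-up, and close the chain with a
    logged DROP. Busiest flows come first so the common case matches early."""
    rules, review = [], []
    for (proto, dst, dpt), info in sorted(flows.items(),
                                         key=lambda kv: -kv[1]["hits"]):
        if (proto, dst, dpt) not in keep:
            review.append((proto, dst, dpt, info["hits"], sorted(info["sources"])))
            continue
        port = f" --dport {dpt}" if dpt is not None else ""
        for src in sorted(info["sources"]):
            rules.append(f"iptables -A {chain} -p {proto} -s {src} -d {dst}{port} -j ACCEPT")
    # Log the misses for one more sample period, then deny them.
    rules.append(f"iptables -A {chain} -j LOG --log-prefix '[DROPPED] '")
    rules.append(f"iptables -A {chain} -j DROP")
    return rules, review


if __name__ == "__main__":
    flows = summarize_flows(SAMPLE_LOG)
    # Reviewed allowlist: SQL to the database host and syslog to the log host
    # stay; telnet to 10.9.0.20 goes back to the server guys instead.
    keep = {("tcp", "10.9.0.5", 1433), ("udp", "10.9.0.8", 514)}
    rules, review = build_ruleset(flows, keep)
    print("\n".join(rules))
    for item in review:
        print("REVIEW:", item)
```

The `review` list is the output of step 5 for the flows you did not put in `keep`; anything that shows up there with a single source or an odd port is usually the misconfiguration the post mentions, and the fix belongs on the server, not in the ruleset.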


Posted in Technical, The Guerilla CISO, What Works | 4 Comments »

RealID V/S Court Security Improvement Act of 2007

Posted January 14th, 2008 by

Interesting commentary at Technology Liberation Front about RealID and how under the new Court Security Improvement Act of 2007, federal judges can use their court address as their home address in RealID databases.  Then I stop and ponder who else can get exempted from having their real address in RealID.

Then the madness starts and I have to think happy thoughts like whiskers on kittens with blue satin sashes frolicking in schnitzel with noodles that stays on my nose and eyelashes. =)

The Russian watcher in me can’t help but think back to the halcyon days of the Cold War and remember one word: “Nomenklatura”. Maybe we should coin the phrase “Beznomenklatura”: the people who are privileged enough to not be on the list.



Posted in Rants | No Comments »

Back to Work….

Posted January 14th, 2008 by

During Christmas I took 2 weeks of vacation with a blogging break at both the beginning and the end.   I’m now ready to write some more.

Ah yes, the joy of doing nothing.  I’m back to work and ready for more stories of life in the information security trenches.

So what do I do when I’m not at work harassing the engineers? This is how a Guerilla CISO spends his 2 weeks of “relative bliss”:

  • Played a ton of Guild Wars (cedega on Debian)
  • Hooked up my wife with a dual-core Ubuntu workstation
  • Moved my wife’s mac to be a slave for fileserving and vnc sessions
  • Fixed up an older laptop with Ubuntu to make it useful again
  • General tech refreshes for some things: 2GB RAM upgrade, 2 new Nvidia cards
  • Started a friend’s 10-year-old down the pygame road


Posted in The Guerilla CISO | 3 Comments »
