FDCC Auditing with Nessus

Posted February 29th, 2008 by

Great article from the Tenable blog about how to use Nessus to do FDCC auditing.  As you’ve all heard me say repeatedly, the only way to make FDCC work is to have an automated tool to check large amounts of workstations concurrently.

Nummie goodness.  Expect to see similar things from a vendor near you. =)

Similar Posts:

Posted in Technical, What Works | 1 Comment »

Layers Upon Layers of Oversight

Posted February 28th, 2008 by

Think you’ve got it bad?  Think about our poor ISSO for a government IT system.  You have the following people looking over your shoulder:

  • Chief Information Security Officer
  • Information System Security Manager (ie, a manager of ISSOs)
  • Certification Agent
  • Independent Validation and Verification Teams
  • Inspector General
  • Office of Management and Budget
  • Government Accountability Office

It’s a high-pressure situation, and the phrase “Who watches those who watch the watchers?” comes to mind.

Just a thought for today:  how risk-adverse do you have to be in a situation like this, and how career-limiting can it turn out?

Similar Posts:

Posted in Rants | 1 Comment »

Been Off Teaching

Posted February 27th, 2008 by

I taught a 2-day seminar yesterday and the day before on Certification and Accreditation (NIST SP 800-37).  It’s fun but tiring, and yesterday I definitely got worked pretty hard, teaching 800-53, 800-53A, and C&A in the SDLC

I like to teach because I always learn when I do it.  But then again, I learn when I blog, too.

Anyway, revelations from yesterday, and things that I don’t really have an answer to yet:

#1 We need a better tool than a POA&M because we’re trying to use them in 2 different ways.  For those of you who don’t govorit’ govie, a POA&M is a “Plan of Actions and Milestones”, what you in the civilian world would call an action items list, a punch-list, or even a list of vulnerabilities.  The problem is that we’re trying to use the POA&M both as a short-term tasklist and as a long-term strategic planning tool.  I need to be able to do both, and I’m not sure if one POA&M list is the end-all be-all.  What I really need is 2 lists, one with a 30-60-90-day scope that is the ISSO/Project Team’s view, and one that is a long-term 1-2-5-year scope to mitigate programatic, enterprise-wide vulnerabilities that require CapEx or other investment such as standing up a secondary data center to support DR/COOP/BCP/$FooFlavorOfTheMonth.

#2 We have 2 conflicting purposes in information security in Government.  One is presenting a zero-defects face to the world.  The other is being able to freely discuss problems so that we can get them fixed.  Understanding the dynamics between these 2 competing ideas is understanding why the Government succeeds in some areas and fails in others.  To be bluntfully honest, I don’t think that as a profession, security people have a good, valid model to deal with this conflict, and until we do, we will have a significant cultural obstacle to go around.

#3 As a government (and as an industry), we are good at the tactical level and fairly good at the operational level, but where we need peoples’ thought-power to go is towards the strategic level.  This is my big heartburn about FISMA report cards:  what we should be doing is to collect Government-wide metrics in order to answer questions that we need to understand before we make strategic decisions.  As it is right now, our strategic moves are ad-hoc and consist mostly of trying to upscale some good security concepts (FDCC, limiting Internet connections, etc) into something that might or might not work at such a huge, megalithic scale.

#4 We’ve bought into the fact that CISOs work for the CIO.  This is old-school stylie and I’m not convinced that this is the way to do it.  If you look at the security controls in SP 800-53, there are activities entirely out of scope of the IT department.  Usually these involve gates, guards, and guns; personnel security; and facilities management.  For the time being, the official response is that “well, the CISO has to work with the people in charge of those areas to get their job done” and I’m thinking that maybe we’ve done a disservice to the senior security officer in our agencies by not having them report directly to the agency head.  Maybe we need true CSOs to take care of the non-IT security aspects and a CISO to take care of the geekspace.

The funny thing to me is that some of our students come in expecting to get spoon-fed information on the one true way to do C&A, and what most of them walk away with is ideas for thought on what are the strengths and weaknesses to how we do business as Government information security people and how do we make it better.

The last thing that I noticed yesterday after all the classes were over:  we taught a C&A class and did not have a dedicated session on what a System Security Plan is and how to write one.  Deep down inside, I like this, because if you do the right things security-wise, you’ll find that the SSP practically writes itself.  =)

Similar Posts:

Posted in FISMA, NIST, Rants, What Doesn't Work | 2 Comments »

Government Can’t Turn on a Dime, News at 11

Posted February 27th, 2008 by

Are we done with the Federal Desktop Core Configuration yet? Are we compliant with OMB Memo 07-11?? Have we staved off dozens of script-kiddies armed with nmap and some ‘sploits they downloaded from teh Intarweb, all through hardening our desktops to the one true standard?

No? I didn’t think we would. Of course, neither did the CISOs and other security managers out there in the agencies. It’s too much too fast, and the government is too large to turn on a time. Or even a quarter, for that matter. =)

Now get ready for a blamestorm at the end of the month. By that time, all the agencies are supposed to report on their status to OMB. It’s not going to be pretty, but it’s hardly unexpected.

So why haven’t we finished this yet? Inquiring minds want to know.

Well, it all goes back to the big question of “how many directions can today’s government CISO be pulled in?” Think about it: You’ve got IPV6, HSPD-12, all the PII guidance (Memo 06-16 et al), reducing Internet connections down to 50, aligning your IT systems with the Federal Enterprise Architecture, getting your Internet connections monitored by Einstein, and the usual administrative overhead. that’s too many major initiatives all at the same time, and it’s a good way to be torn in too many directions at the same time. In government-speak, these are all what we call “unfunded mandates”, and one is bad enough to cripple your budget, much less a handful of them.

Where we’re at right now with FDCC is that the implementers are finding out what applications are broken, and we’re starting to impact operations–not being able to get the job done. Yes, this is the desired effect, it puts the pressure on the OS vendors and the application vendors, and it’s a good thing, IMO–we won’t buy your software if it doesn’t support our security model, and we’ll take our $75B IT budget with us. Suddenly, it’s the gorilla of market pressure throwing its weight around, and the BSOFH inside me likes this.

Now don’t get me wrong, I’m a big believer in FDCC (for both the Government and with a payoff for the civilian world), and I think it’s security-sound once it’s implemented, but in order for it to work, the following “infrastructure” needs to be in place:

  • An official image shared between agencies
  • Ability to buy a hardened FDCC OS as part of purchasing the hardware
  • Microsoft rolling FDCC into its standard COTS build that it offers to the rest of the world
  • Applications that are certified to run on the “one standard to rule them all” and on a list so I can pick one and know that it works
  • Security people who understand GPOs and that even though it’s a desktop configuration standard, it affects servers, too
  • An automated tool to validate technical policy compliance (there, I said it, and in this space it actually makes sense for a change)

Until you have these things, what OMB is asking for the agencies to get squeezed between a vendor who can’t ship a default-hardened OS, lazy applications vendors who won’t/can’t fix their software, and the 5+ levels of oversight that are watching over the shoulder of the average ISSO at the implementation level. In short, we’re throwing the implementers under the bus and making them do our dirty work because at the national level we have failed to build the right kind of influence over the vendors.

Gosh, it sounds like this would go so much better if we phased in FDCC along with the next tech refresh of our desktops, doesn’t it? That’s how the “sane world” would tackle something like this. Not a sermon, just a thought. =)

Similar Posts:

Posted in DISA, FISMA, NIST, Rants, Technical, What Doesn't Work, What Works | 1 Comment »

Wednesday Zombie Post–Zombie Squad

Posted February 27th, 2008 by

Wow, a zombie crew who actually do good things by raising money for charity and raising awareness of disaster preparation?  Sounds like a happy thing to me.

Similar Posts:

Posted in Zombies | No Comments »

In Search of a Better Catalog of Controls

Posted February 25th, 2008 by

I’ve been thinking about SP 800-53 lately because almost all of our efforts in the information assurance world lately are revolving around a catalog of controls concept.

Advantages that you get with a catalog of controls:

  • Standardization (Important when you’re dealing with auditors)
  • A minimum level of due dilligence “across the board”
  • Each control can have an objective/intent, implementation guidelines, and test cases to validate effectiveness
  • Easy to score (my cynical readers can retort with “auditor checklist” any time now)
  • Applicable to a workforce with varying degrees of training and ability (ie, you don’t all have to have PHDs in IA)

And the dark underbelly of a catalog of controls:

  • People just do the bare minimum because that’s all they get credit for
  • Controls still need to be tailored by highly-educated people
  • Enforces a “one size fits all” mentality which doesn’t work in the real world
  • Your security is not streamlined because you’re doing extra where you don’t need it and not enough where you do need it

If you had to recreate your own catalog of controls for internal and external use, how would you go about it?  Well, this is the approach that NIST used to make 800-53:

  • Collect all the control requirements from the various applicable laws (FISMA, Privacy Act, etc)
  • Collect all the control requirements from other applicable standards, policies, and procedures (PPD-63, OMB Memoranda)
  • Collect best practices from vendors and experienced security managers
  • Consider the control requirements from comparable control catalogs (27001, PCI, A-123, etc)
  • Lump all the requirements together and take the high-water mark
  • Add some housekeeping controls that have been implied to bridge the current-state with the desired-state (document your security controls, perform a formal risk assessment, etc)

So far, this all makes sense and is exactly how most of us would do it, right?  NIST even did us a HUGE favor and gave us a traceability matrix in the back of the book to show us where each control requirement came from.

Except for one thing:  this is a compliance-based model, and I’ve just described how to build your own compliance framework.  No, that wasn’t my intent to prove, I realized it as I recreated the process.

We live in a risk management world where what I really need to provide effective and adequate security is a control framework based on threat, risk, and countermeasure.  A catalog of controls does the first 2 for me, and what I end up with as the security practitioner downstream is just the list of countermeasures detatched from what we’re really trying to accomplish–the intent.

So there are 2 approaches that NIST took to minimize some of the negatives of the catalog of controls approach.  The first one is that they allow you to catagorize your system (FIPS-199) and pick a level of controls.  It’s not perfect by any means, but it does that first part of tailoring the controls into large, xtra-large, and jumbonormous-sized buckets so you can choose your own level of involvement.  Sadly, though, most often this process involves the managerial equivalent of throwing darts at a dartboard with H, M, and L written on it.  Yes, it’s easy, but the best thing you can do for security in the government is to pick the right size of security helping that you’re going to eat.

The second thing that NIST gives you is the ability to tailor your controls.  If you’re not doing business impact assessments for where you undershoot and overshoot the untailored 800-53 controls, you’re doing yourself a great injustice.

However, just like the compliance-driven model that it supports, a catalog of controls is only a 75% solution.  The geek in me cringes that we would be using a rock chisel for rocket surgery, but in effect that’s what we’ve done so far as an industry.  And yes, 75% is better than 0%, but it’s still 25% short of perfection.

Will our catalog of controls be around in 5 years?  I don’t know.  There might be other ways to do what we want to do, and I’m sure a couple bright and not-so-bright people would step forward with their opinions if you asked them.  I for one would like to see 2 control catalogs:  one based on the minimum level of compliance where you do not have an option to deviate (and kept very small), and a second catalog that breaks down into threat-risk-countermeasure tuples so that I can exclude controls based on the fact that the threat and subsequent risk does not exist.

After all, that’s the point of tailoring security controls:  to answer the age-old question “How much is enough?”

Similar Posts:

Posted in FISMA, NIST, Risk Management, What Doesn't Work, What Works | 3 Comments »

« Previous Entries

Visitor Geolocationing Widget: