Posted April 30th, 2008 by rybolov
Maybe I’ve been working on slide decks for too long. That’s why I haven’t been blogging much over the past week: when you spend 8 hours a day revising and formatting slides, your brain turns to jello.
Then suddenly on Tuesday, it hit me: the Government’s problem with security is one of scale. And at this point you all go “Duh, where have you been for the past 200 years?” And yes, it’s not a problem exclusive to security; it goes hand-in-hand with personnel management, financial management, $foo management, and $bar management.
Photo: Large-Scale Scaley Carp, by radcarper
Now the scale in itself isn’t really the problem, it’s that we don’t have information security models that scale to that level. And what I mean by that is that each agency is pretty much their own enterprise. The entire executive branch is one huge federation of independent enterprises (and some of the enterprises are federated, but we’ll ignore that for the time being). Most of our existing thoughts on information security management are focused on the enterprise, and the only hope to use them is to manage each enterprise separately.
Really, folks, we don’t have information security models that scale up as massively as we need to, and what we’ve been doing is borrowing from other fields, most notably Federal law and public accounting. Unfortunately for us, these are models based on compliance, not risk management. Even then, I don’t see the compliance angle going away anytime soon.
Now this is the really big problem: everybody has some kind of criticism about how the Government runs their information security. But I don’t see anybody with a viable alternative, nor do I expect to see one because the only people with problems on this scale are large governments.
Posted in FISMA, Rants | No Comments »
Tags: accounting • compliance • fisma • government • infosec • management • scalability • security
Posted April 30th, 2008 by rybolov
OK, I saw this really cool widget on a blog somewhere. It tests the literacy level of your blog and tells you at what level you write. Sure, OK, I’ll bite. Bloggers love bling, dontcha know?
Fortunately for anybody who has eyes, the code that the site gives you to put the widget on your blog contains an SEO-spamming link. Oh joy, it’s easily removable if you’re halfway knowledgeable. But you can still use the textbox to feed URLs to the machine.
Anyway, in the interest of science and all things egotastical, I submitted some sample security blogs and was highly surprised at some of the results. My rundown on how particular sites rate:
Now if I check out Amrit’s blog tomorrow and he’s got a genius sticker displayed prominently on his site, I’ll take the blame and rage from the blogosphere. It’s only fitting.
To be honest, I’m surprised I didn’t come in at the preschool level, what with my lowbrow sense of humor and all. =)
Posted in Odds-n-Sods, The Guerilla CISO | 10 Comments »
Tags: blog • genius • literacy • pwnage
Posted April 24th, 2008 by rybolov
The US Army occasionally does things right.
Well, one of the things that they do right is training. Our training process for squad and above is mostly focused around the Observer-Controller (OC) and their value proposition (my MBA word for the day, TYVM). Whenever you are training, there is an OC tagging right along with you to assess what and why you are doing something and then make recommendations at the end.
Photo: Observer-Controllers hard at work, by David Axe
What an OC brings with them (aside from their 31337 BBQ Ski11z):
- Experience of having seen the same task done hundreds of times with various groups.
- A strong understanding of the doctrinally-correct way to do a task.
- Techniques to fill out where doctrine is not specific enough.
- Sometimes they have pre-written standard operating procedures that they will share with you.
What an OC will never do:
- Use your resources to support themselves.
- Own the solution space for you.
- Criticize you in front of your troops.
- Interfere with your ability to do your mission.
Hmmm, sounds like the things that a good auditor does.
Auditors are in a fantastic position to help the auditee because of the wide range of experience in how other companies have been doing the exact same thing that you are doing. Point is, there is a level of collusion that needs to happen between the auditor and the auditee, and the extent of that collusion is really what we’re talking about when we start looking at Separation of Duties and similar things.
Over the years, auditors and auditees have had the nature of their relationship change numerous times. Around the time of Sarbanes-Oxley, the pendulum swung wildly the way of “no relationship no how” and now it’s slowly moving back to somewhere normal. Here’s a podcast with Michael Oxley talking about how auditors need to collude better with the auditee. Disclaimer: this is part of a series that is produced by my firm, but I had no part in this, Mkay?
Here in DC, we have a saying (Ok, I made it up my own self): “Collusion is not just a technique, it’s THE technique.” =)
Posted in Army, What Works | 1 Comment »
Tags: auditor • bbq • collusion • security
Posted April 23rd, 2008 by rybolov
I don’t know where to start with this one: zombies riding motorcycles.
Posted in Zombies | No Comments »
Posted April 23rd, 2008 by rybolov
Interestingly, Splunk has been going after FISMA dollars here lately. Check out the Forbes article, the video on YouTube, and their own articles. I guess there’s another “pig at the trough” (heh, including myself from time to time).
It’s interesting how companies decide to play in the Government market. It seems like they fall into 2 categories: companies that have grown to the point where they can sustain the long-term investment with a chance of payoff in 5 years, and companies that are desperate and want a spot at the trough.
To its credit, Splunk seems to be one of the former and not the latter, unlike the hordes of “Continuous Compliance” tools I’ve seen in the past year.
Which brings up the one big elephant in the room that nobody will talk about: who is making money on FISMA?
This is my quick rundown on where the money is at:
- Large Security Services Firms: Definitely. About a quarter of that is document-munging and other jack*ssery that is wasteful, but a good 3/4 of the services are needed and well-received. Survival tip: combining FISMA services with other advisory/assessment services.
- Software and Product Vendors: Yes and no. Depends on how well they can make that crucial step of doing traceability from their product to the catalog of controls or have a product that’s so compelling that the Government can’t say no (A-V). Survival tip: Partner with the large integrator firms.
- Managed Security Service Providers: Yes, for the time being, but look at their market getting eaten from the top as US-CERT gets more systems monitored under Einstein and from the bottom as agencies stand up their own capabilities. Survival tip: US-CERT affiliation, and watch your funding trail; when it starts to dry up, you had better be diversified.
- System Integrators: It’s split. One half of them take a loss on FISMA-related issues because they get caught in a Do What I Mean with a “Contractor must comply with FISMA and all NIST Guidance” clause. The other half know how to either scope FISMA into their proposals or they have enough good program management skills to protest changes in scope/cost. Survival tip: Have a Government-specific CSO/CISO who understands shared controls and how to negotiate with their SES counterparts.
- 8(a) and Security Boutique Firms: Yes, depending on how well they can absorb overhead while they look for work. Survival tip: being registered as a disadvantaged/woman-owned/minority-owned/foo-owned business means that the big firms have to hire you because their contracts have to contain a certain percentage of small firms.
- Security Training Providers: Yes. These guys always win when there’s a demand. That’s why SANS, ISC2, and a host of hundreds are all located around the beltway. Survival tip: trying to absorb government representation in training events and as speakers.
Posted in FISMA, Outsourcing, What Doesn't Work, What Works | No Comments »
Tags: cashcows • fisma • moneymoneymoney • mssp • security • splunk
Posted April 21st, 2008 by rybolov
Second draft of NIST SP 800-39, Managing Risk from Information Systems, an Organization Perspective, is out, go have a read and see what you think. NIST really does welcome and use comments.
When 800-39 first came out, I gave it a quick scan and said to myself “meh, this is a rehash of all the things said elsewhere, especially 800-37.” The general consensus among my friends was the same, but after you get over that initial impression, you realize that the 800-39 Risk Management Framework is the stuff that fills in the gaps between everything, and that this is how successful CISOs have been running their shops. One thing to think about is that NIST writes doctrine, not technique, so you still have to read between the lines.
Anyway, it’s worth your time to give it a read, then drop your comments to NIST. They love it when you doo….
Posted in NIST, Risk Management | 1 Comment »