Ah yes, the magic of Google hacking and advanced operators.  All the “infosec cool kids” have been having a blast this week using a combination of filetype and site operators to look for classification markings in documents. I figure that with the WikiLeaks brouhaha lately, it might be a good idea to write a “howto” for government organizations to check for web leaks.

Now for the search string:, “enter document marking here” site:agency.gov filetype:rtf | filetype:ppt | filetype:pptx | filetype:csv | filetype:xls | filetype:xlsx | filetype:docx | filetype:doc | filetype:pdf looks for typical document formats on the agency.gov website looking for a specific caveat.  You could easily put in a key phrase used for marking sensitive documents in your agency.  Obviously there will be results from published organizational policy describing how to mark documents, but there will also be other things that should be looked at.

Typical document markings, all you have to do is pick out key phrases from your agency policy that have the verbatim disclaimer to put on docs:

• “This document contains sensitive security information”
• “Disclosure is prohibited”
• “This document contains confidential information”
• “Not for release”
• “No part of this document may be released”
• “Unauthorized release may result in civil penalty or other action”
• Any one of a thousand other key words listed on Wikipedia

Other ideas:

• Use the “site:gov” operator to look for documents government-wide.
• Drop the “site” operator altogether and look for agency information that has been published on the web by third parties.
• Chain the markings together with an “or” for one long search string: “not for release” | “no part of this document may be released” site:gov filetype:rtf | filetype:ppt | filetype:pptx | filetype:csv | filetype:xls | filetype:xlsx | filetype:docx | filetype:doc | filetype:pdf

If you’re not doing this already, I recommend setting up a weekly/daily search looking for documents that have been indexed and follow up on them as an incident.

• Clouds of CAG Confusion
• Database Activity Monitoring for the Government
• Ed Bellis’s Little SCAP Project
• Some Words From a FAR
• How to Not Let FISMA Become a Paperwork Exercise

Build security in or bolt it on afterwords? Our IKANHAZFIZMA LOLCATS have an opinion on this today.

• Lolcats and QR Codes
• Lolcats Protect the End Users
• Redundant Lolcats
• Lolcats Coming to you from the Cloud
• Lolcats, Capital Hill, and a Haiku

Reference: Thought-Terminating Cliches.  They’re such a ugly things and all over the security industry and need to die, mostly because these things are so obvious that they need to die so we can introduce new ideas.

Just starting a collection, feel free to add more:

• Compliant doesn’t mean secure.
• You can always go above the minimum baseline.
• You don’t know what you don’t know.
• Security is a journey, not a destination.
• We all know that $Foo is dying/dead/failing/stillborn.
• There is no silver bullet.
• It’s security, it’s supposed to be hard.

• On Government Employees, Culture, and Survivability
• The Press has Me all Confused
• Let’s Face it, Half the Security Industry is a Pyramid Scheme
• Inside the Obama Administration’s Cyber Security Agenda
• Beware the Cyber-Katrina!

For some reason, “Rebuilding C&A” has been a perennial traffic magnet for me for a year or so now.  Seeing how that particular post was written in 2007, I find this an interesting stat.  Maybe I hit all the SEO terms right.  Or maybe the zeitgeist of the Information Assurance community is how to do it right.  Anyway, if you’re in Government and information security, it might be worthwhile to check out this old nugget of wisdom from yesteryear.

• Some Comments on SP 800-39
• GAO’s 5 Steps to “Fix” FISMA
• Old Saint NIST: Ho Ho Hold on, what’s this?
• “Machines Don’t Cause Risk, People Do!”
• Clouds, FISMA, and the Lawyers

Metricon 5 was this week, it was a blast you should have been there.

One of the things the program committee worked on was more of a practitioner focus.  I think the whole event was a good mix between theory and application and the overall blend was really, really good. Talking to the speakers before the event was much awesome as I could give them feedback on their talk proposal and then see how that conversation led to an awe-inspiring presentation.

I brought a couple security manager folks I know along with me and their opinion was that the event was way awesome. If you’re one of my blog readers and didn’t hunt me down and say hi, then whatcha waitin’ for, drop me an email and we’ll chat.

You can go check out the slides and papers at the Security Metrics site.

My slides are below.  I’m not sure if I was maybe a bit too far “out there” (I do that from time to time) but what I’m really looking for is a scorecard so that we can consciously build regulation and compliance frameworks instead of the way we’ve been doing it. This would help tremendously with public policy, industry self-regulation, and anybody who is trying to build their own framework.

• Massively Scaled Security Solutions for Massively Scaled IT
• Why We Need PCI-DSS to Survive
• DojoCon 2009 Presentation
• Building A Modern Security Policy For Social Media and Government
• Professor Rybolov’s Guide to InfoSec and Public Policy Analysis

A common theme for me this year:  as a security manager, how do you use metrics to tell your boss that you’re doing a good job and yet at the same time you’re doing a bad job and need more money, time, and resources?

• SCAP in Lulz
• Oh to be a Program Manager
• Preliminary Findings on Cybersecurity Review Now Out
• Cyber-Ninja Lolcats Caught on Film
• IKANHAZFIZMA Finds Caution Tape