The InfoSec D-List and IKANHAZFIZMA

Posted March 3rd, 2010 by

Andrew Hay, aside from being an all-around handsome guy, talked on Tuesday at B-Sides San Francisco about his life on the Information Security D-List.  Bill Brenner picked it up for CSO-Online and now it’s preserved for posterity.  Andrew’s been interviewing D-Listers and blogging the interviews.  They’re awesome inspiration if you’re one of the unsung heroes who go to work, grapple with the compliance hydra or the security operations tarpit all day, and go home to some conference videos so you can learn new skills and move on to the next project.  Yeah, I’m a D-Lister just like you folks, and I have tons of love and respect for all of you.

bware teh a-list kittehs

Similar Posts:

Posted in IKANHAZFIZMA | No Comments »

Federal CIO Council’s Guidelines on Security and Social Media

Posted September 17th, 2009 by

I got an email today from the author who said that it’s now officially on the street: Guidelines for Secure Use of Social Media by Federal Departments and Agencies, v1.0.  I’m listed as a reviewer/contributor, which means that maybe I have some good ideas from time to time or that I know some people who know people.  =)

Abstract: The use of social media for federal services and interactions is growing tremendously, supported by initiatives from the administration, directives from government leaders, and demands from the public. This situation presents both opportunity and risk. Guidelines and recommendations for using social media technologies in a manner that minimizes the risk are analyzed and presented in this document.

This document is intended as guidance for any federal agency that uses social media services to collaborate and communicate among employees, partners, other federal agencies, and the public.

Similar Posts:

Posted in Odds-n-Sods, The Guerilla CISO | No Comments »

The World Asks: is S.773 Censorship?

Posted May 15th, 2009 by

Here in the information assurance salt mines, we sure do loves us some conspiracies, so here’s the conspiracy of the month: S.773 gives the Government the ability to view your private data and the President disconnect authority over the Internet, which means he can sensor it.

Let’s look at the sections and paragraphs that would seem to say this:

Section 14:

(b) FUNCTIONS- The Secretary of Commerce–

(1) shall have access to all relevant data concerning such networks without regard to any provision of law, regulation, rule, or policy restricting such access;

Section 18: The President–

(2) may declare a cybersecurity emergency and order the limitation or shutdown of Internet traffic to and from any compromised Federal Government or United States critical infrastructure information system or network;

(6) may order the disconnection of any Federal Government or United States critical infrastructure information systems or networks in the interest of national security;

Taken completely by itself, it would seem like this gives the president the authorities to do all sorts of wrong stuff, all he has to do is to declare something as critical infrastructure and declare it compromised or in the interests of national security.  And some people have:

And some movies (we all love movies):

Actually, Shelly is pretty astute and makes some good points, she just doens’t have the background in information security.

It makes me wonder since when have people considered social networking sites or the Internet as a whole as “critical infrastructure”. Then the BSOFH in me things “Ye gods, when did our society sink so low?”

Now, as far as going back to Section 14 of S.773, it exists because most of the critical infrastructure is privately-held.  There is a bit of history to understand here and that is that the critical infrastructure owners and operators are very reluctant to give the information on their piece of critical infrastructure to the Government.  Don’t blame them, I had the same problem as a contractor: if you give the Government information, the next step is them telling you how to change it and how to run your business.  Since the owners/operators are somewhat non-helpful, the Government needs more teeth to get what it needs.

But as far as private data traversing the critical infrastructure?  I think it’s a stretch to say that’s part of the requirements of Section 14, it’s to collect data “about” (the language of the bill) the critical infrastructure, not “processed, stored, or forwarded” on the critical infrastructure. But yeah, let’s scope this a little bit better, CapHill Staffers.

On to Section 18.  Critical infrastructure is defined elsewhere in law.  Let’s see the definitions section from HSPD-7, Critical Infrastructure Identification, Prioritization, and Protection:

In this directive:

The term “critical infrastructure” has the meaning given to that term in section 1016(e) of the USA PATRIOT Act of 2001 (42 U.S.C. 5195c(e)).

The term “key resources” has the meaning given that term in section 2(9) of the Homeland Security Act of 2002 (6 U.S.C. 101(9)).

The term “the Department” means the Department of Homeland Security.

The term “Federal departments and agencies” means those executive departments enumerated in 5 U.S.C. 101, and the Department of Homeland Security; independent establishments as defined by 5 U.S.C. 104(1);Government corporations as defined by 5 U.S.C. 103(1); and the United States Postal Service.

The terms “State,” and “local government,” when used in a geographical sense, have the same meanings given to those terms in section 2 of the Homeland Security Act of 2002 (6 U.S.C. 101).

The term “the Secretary” means the Secretary of Homeland Security.

The term “Sector-Specific Agency” means a Federal department or agency responsible for infrastructure protection activities in a designated critical infrastructure sector or key resources category. Sector-Specific Agencies will conduct their activities under this directive in accordance with guidance provided by the Secretary.

The terms “protect” and “secure” mean reducing the vulnerability of critical infrastructure or key resources in order to deter, mitigate, or neutralize terrorist attacks.

And referencing the Patriot Act gives us the following definition for critical infrastructure:

In this section, the term “critical infrastructure” means systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.

Since it’s not readily evident from what we really consider to be critical infrastructure, let’s look at the implemention of HSPD-7.  They’ve defined critical infrastructure sectors and key resources, each of which have a sector-specific plan on how to protect them.

  • Agriculture and Food
  • Banking and Finance
  • Chemical
  • Commercial Facilities
  • Communications
  • Critical Manufacturing
  • Dams
  • Defense Industrial Base
  • Emergency Services
  • Energy
  • Government Facilities
  • Healthcare and Public Health
  • Information Technology
  • National Monuments and Icons
  • Nuclear Reactors, Materials and Waste
  • Postal and Shipping
  • Transportation System
  • Water

And oh yeah, S.773 doesn’t mention key resources, only critical infrastructure.  Some of this key infrastructure isn’t even networked (*cough* icons and national monuments *cough*). Also note that “Teh Interblagosphere” isn’t listed, although you could make a case that information technology and communications sectors might include it.

Yes, this is not immediately obvious, you have to stitch about half a dozen laws together, but if we didn’t do pointers to other laws, we would have the legislative version of spaghetti code.

Going back to Section 18 of S.773, what paragraph 2 does is give the President the authority to disconnect critical infrastructure or government-owned IT systems from the Internet if they have been compromised.  That’s fairly scoped, I think.  I know I’ll get some non-technical readers on this blog post, but basically one of the first steps in incident response is to disconnect the system, fix it, then restore service.

Paragraph 6 is the part that scares me, mostly because it has the same disconnect authority as paragraph 2and the same scope (critical infrastructure and but the only justification is “in the interests of national security”. In other words, we don’t have to tell you why we disconnected your systems from the Internet because you don’t have the clearances to understand.

So how do we fix this bill?

Section 14 needs an enumeration of the types of data that we can request from critical infrastructure owners and operators. Something like the following:

  • Architecture and toplogy
  • Vulnerability scan results
  • Asset inventories
  • Audit results

The bill has a definitions section–Section 23.  We need to adopt the verbiage from HSPD-7 and include it in Section 23.  That takes care of some of the scoping issues.

We need a definition for “compromise” and we need a definition for “national security”. Odds are these will be references to other laws.

Add a recourse for critical infrastructure owners who have been disconnected: At the very minimum, give them the conditions under which they can be reconnected and some method of appeal.

Similar Posts:

Posted in Public Policy, Rants | 3 Comments »

In Response to “Cyber Security Coming to a Boil” Comments….

Posted March 24th, 2009 by

Rybolov’s comment: This is Ian’s response to the comments for his post on Cybersecurity Coming to a Boil.  It was such a good dialog that he wanted to make a large comment which as we all know, eventually transforms itself into a blog post.  =)

You are making some excellent points; putting the leadership of the Administration’s new Cyber security initiative directly in the White House might appear to be a temporary solution or a quick fix. From my point of view, it looks more like an honest approach. By that I mean that I think the Administration is acknowledging a few things:

  • This is a significant problem
  • There is no coherent approach across the government
  • There is no clear leadership or authority to act on the issue across the government
  • Because of the perception that a large budget commitment will have to be allocated to any effective solution, many Agencies are claiming leadership or competing for leadership to scoop up those resources
  • The Administration does not know what the specific solution they are proposing is — YET

I think this last point is the most important and is driving the 60-day security assessment. I also think that assessment is much more complex than a simple review of FISMA scores for the past few years. I suspect that the 60-day review is also considering things like legal mandates and authorities for various aspects of Cyber security on a National level. If that is the case, I’m not familiar with a similar review ever having taken place.

2004 World Cyber Games photo by jurvetson.  Contrary to what the LiquidMatrix Security folks might think, the purpose of this post isn’t to jam “cyber” into every 5th word.  =)

So, where does this take us? Well, I think we will see the Cyber Security Czar, propose a unified policy, a unified approach and probably some basic enabling legislation. I suspect that this will mean that the Czar will have direct control over existing programs and resources. I think the Cyber Security Czar taking control of Cyber Security-related research programs will be one of the most visible first steps toward establishing central control.

From this we will see new organizational and reporting authorities that will span existing Agencies. I think we can also anticipate that we will see new policies put in place and a new set of guidelines of minimum level of security capabilities mandated for all Agency networks (raising bottom-line security). This last point will probably prove to be the most trying or contentious effort within the existing Agency structure. It is not clear how existing Agencies that are clearly underfunding or under supporting Cyber Security will be assessed. It is even less clear where remedial funding or personnel positions will come from. And the stickiest point of all is…. how do you reform the leadership and policy in those Agencies to positively change their security culture? I noticed that someone used the C-word in response to my initial comments. This goes way beyond compliance. In the case of some Federal Agencies and perhaps some industries we may be talking about a complete change sea-change with respect to the emphasis and priority given to Cyber Security.

These are all difficult issues. And I believe the Administration will address them one step at a time.
In the long-term it is less clear how Cyber Security will be managed. The so-called war on drugs has been managed by central authority directly from the White House for decades. And to be sure, to put a working national system together that protects our Government and critical national infrastructure from Cyber attack will probably take a similar level of effort and perhaps require a similar long-term commitment. Let’s just hope that it is better thought-out and more effective than the so-called war on drugs.

Vlad’s point concerning Intelligence Community taking the lead with respect to Cyber Security is an interesting one, I think the Intelligence Community will be important players in this new initiative. To be frank, between the Defense and Intelligence Communities there is considerable technical expertise that will be sorely needed. However, for legal reasons, there are real limits as to what the Intelligence and Defense Communities can do in many situations. This is a parallel problem to the Cyber Security as a Law Enforcement problem. The “solution” will clearly involve a variety of players each with their own expertise and authorities. And while I am not anticipating that Tom Clancy will be appointed the Cyber Security Czar any time soon. I do expect that a long-term approach will require the stand-up of either a new organization empowered to act across current legal boundaries (that will require new legislation), or a new coordinating organization like the Counter Terrorism Center, that will allow all of the current players bring their individual strengths and authorities to focus on a situation on a case by case basis as they are needed (that may require new legislation).

If you press me, I think a joint coordinating body will be the preferred choice of the Administration. Everyone likes the idea of everyone working and playing well together. And, that option also sounds a lot less expensive. And that is important in today’s economic climate.

Similar Posts:

Posted in FISMA, Public Policy, Technical | 2 Comments »

Lamenting the Seppuku of the NinjaCISO

Posted February 25th, 2009 by

At the beginning of the year, I was absolutely tickled pink: I almost had a copycat.

The NinjaCISO blog was started shortly after the new year and seemed interesting in what they had to say over the next couple of months.  I eagerly waited for their every post, wondering what kind of insight the Ninja would come up with next.  Since for the most part we operate in unchartered waters here at the Guerilla-CISO, it sometimes is nice to get different points of view so we don’t feel like we’re some kind of bizarre Government information security self-licking ice cream cone.

Then in mid-February, the whole blog was replaced with a cartoon saying that “On the Internet, nobody knows that you’re a dog”.  This can mean only one thing:  the Ninja was given a cease-and-desist by their chain of command and was forced to commit blog seppuku.  And the blogging world experienced a small void.

Nobody Knows You’re a Dog lifted from

See, dear readers, this is a problem for Government employees who blog.  Let’s look at a little bit more extreme example: military bloggers (milblogs).

You see, the military has gone back and forth on this a couple of times.  In April 2007, the Army decided that soldiers shouldn’t blog without notifying their commander, (clarified here) and the Global War Against Blogs was started, much to the dismay of a lot of clueful people who understand the value that blogs bring to the DoD.

Yes, Joe is dumb.  Joe talks about stuff that he shouldn’t really talk about.  But Joe can also talk about the village in Afghanistan where he’s a local hero because he rescued a policeman while he was being held hostage.  Joe can also talk about the school that the Taliban burned and how US money and some “local matching funds” from the Provincial Governor brought carpets, pens, and pads of paper so that the kids could continue to learn how to read and write.

And this is the conundrum: in a war where the “bad guys” are winning the media war, how do you give a voice to the guys doing good things but just enough so that they don’t talk about anything that you don’t want them to–troop movements, physical security problems, and how they really feel about the administration’s policies?

And so back to my real message here:  we as an industry need to hear from the invisible people who make information security in the Government work.  Otherwise, you would think that FISMA is failing, Government CISOs are a bunch of buffoons who don’t know how to get a good report card, DHS is monitoring the Interwebs looking for the next Nick Haflinger, and the only people getting any benefit out of the way we do information security is a bunch of fat-cat contractors and their shareholders. (Side note, how do I sign on for this contractor wealth thing?  I must be doing it all wrong.)

We now have an administration that talks about openness, transparent democracy, and all this Government 2.0 stuff.  Truth be told, I don’t think anybody has thought about extending that transparency to trickle down to the “worker-bees”.  These are really 2 different issues: official blogs v/s personal blogs that might be career-related.  I think we have a pretty good handle on the official blogs, but there is a huge void of policy in the realm of personal blogs.

Message to the administration: what we want and need is a blog policy for Government employees that works like this:

  • Don’t use your title or agency in anything you write
  • Don’t use Government IT resources (desktops, servers, or network) to blog
  • Don’t blog at work on the clock as a Government employee
  • Do use a pseudonym if at all possible
  • Do not violate the Hatch Act with your blog
  • Do try to blog objectively about policy issues
  • Do talk about your successes
  • Do encourage others to make the Government the best that it can be
  • Do offer suggestions to problems

As for the NinjaCISO’s content, you can catch bits and pieces of it here on Technorati.

Orwell’s Reporter Lady Goldstein photo by Boris from Vienna.  For clarification, we’re not talking 1984-type things here folks, this is just the blagosphere.  However, it is a funny picture.

Similar Posts:

Posted in Rants | 1 Comment »

It’s a Blogiversary

Posted February 23rd, 2009 by

While I’ve been busy running all over the US and Canada, I missed a quasi-momentus date: the second anniversary of the Guerilla-CISO.  You can read the “Hello World” post if you want to see why this blog was started.

Blah Blah blah much has happened since then.  I swapped out blog platforms early on.  I started playing the didgeridoo.  I went on a zombie stint for 9 months.  I switched employers.  I added FISMA lolcats (IKANHAZFIZMA).  I started getting the one-liners out on twitter.  Most momentous is that I’ve picked up other authors.

  • Ian Charters (ian99), an international man of mystery, is a retired govie with a background in attacking stuff and doing forensics.
  • Joe Faraone (Vlad the Impaler), besides being a spitting imitation of George Lucas, is the guy who did one of the earliest certification and accreditations and informally laid down some of the concepts that became doctrine.
  • Dan Philpott (danphilpott), Government 2.0 security pundit extraordinaire, is the genius behind and one of the sharpest guys I know.
  • Mini-Me, he’s short, he’s bald, and he guest-blogs from time to time about needing a hairdryer.

So in a way, I’ve become “the pusher”–the guy who harrasses the other authors until they write something just to quiet me up for a couple of weeks.

Similar Posts:

Posted in The Guerilla CISO | 1 Comment »

« Previous Entries

Visitor Geolocationing Widget: