Split-Horizon Assessments and the Oversight Effect

Posted July 7th, 2010 by

Going Off the Deep End

So I was thinking the other day (this is the part where people who know me in person usually go “oh cr*p”), partially spurred by a conversation I had with @csoandy and @secbarbie a couple of months ago.  I’ll get the idea out there: as an industry we need to embrace the concept of split-horizon assessments.

Two Purposes for Assessments

Because this is an insane approach that I’m just feeling out, let me go on a solo riff and explain what I’m talking about.  You see, I have two distinct purposes for getting a security assessment, both of which are in contention with each other:

  • I want to fix my security by asking for money to fix the things that need attention.  When I get an assessment for this purpose, enumeration of my badness/suckness is good.  If I have a set of results that say that everything is great, then there’s no need for me to be given any more resources (time, money, people, gear).  Short-term, I’m fine, but what about my infrastructure-type long-term projects?  The net effect of a highly-scored annual assessment just might kill my program in 2 years as my funding and people are shifted elsewhere, especially in a .
  • I want to keep my job and help my {company|agency|group} stay out of trouble by showing my zero-defects face and by demonstrating my due-diligence in protecting what has been given to me.  While the assessor has helped me short-term by identifying my problems and being a total hardass, if I’m not around in 6 months to adopt the recommendations into my security program, has the assessor actually helped me?

And this is the dilemma for just about every security manager out there.  One of the strategies is to alternate assessment types, but then your management wonder just what the heck it is you’re doing because you’re on top one year, then on the bottom the next.

Split Rock Lighthouse and Horizon photo by puliarf.

Assessor Window-Shopping

Now for the dirty little secret of the testing business:  there are really good testers who are the ninjas of the InfoSec world and there are really bad testers who don’t even validate their unlicensed Nessus scan.  I know, you’re shocked and it’s so blindingly obvious that Bruce Schneier will blog it 3 years from now.  =)

But there’s the part that you didn’t know:  security managers pick their assessor depending on the political mood inside their organization.  This is nowhere near a science, from what I’ve seen it involves a lot of navel-gazing on the part of the security team to see which is the lesser evil: having everybody think you’re incompetent or never getting anything new ever again?

Building a Better Rat Race

In order to accomplish both of the goals that I’ve listed, what I really need is a split-horizon assessment.  In other words, I need 2 reports from one assessment with different views for different audiences.  I know this sounds highly cynical, but it’s something we’ve been doing for some time now but just informally.  Might as well make it formal.

So are you sold on this concept yet?  In true form, I have an idea on how to get to a world of split-horizon assessments.  You can take any catalog of controls and divide it into “gotta have it” and “nice to have” (I almost divide these along the lines of “vulnerability mitigation” and “sustainable security program” or the “CISO” and “OMB and Congress”) buckets.  Then in your compliance assessment standard, require 2 reports for each assessment.  One is reported to the regulating authority and the other stays with the organization.

Indecision Strikes

I don’t know if I’ve solved the problemspace or not, but I’m looking for feedback “from the Peanut Gallery” so leave some comments.

Similar Posts:

Posted in Rants, What Doesn't Work, What Works | 7 Comments »

Federal CIO Council’s Guidelines on Security and Social Media

Posted September 17th, 2009 by

I got an email today from the author who said that it’s now officially on the street: Guidelines for Secure Use of Social Media by Federal Departments and Agencies, v1.0.  I’m listed as a reviewer/contributor, which means that maybe I have some good ideas from time to time or that I know some people who know people.  =)

Abstract: The use of social media for federal services and interactions is growing tremendously, supported by initiatives from the administration, directives from government leaders, and demands from the public. This situation presents both opportunity and risk. Guidelines and recommendations for using social media technologies in a manner that minimizes the risk are analyzed and presented in this document.

This document is intended as guidance for any federal agency that uses social media services to collaborate and communicate among employees, partners, other federal agencies, and the public.

Similar Posts:

Posted in Odds-n-Sods, The Guerilla CISO | No Comments »

Privacy Camp DC on June 20th

Posted June 11th, 2009 by

Saturday, June 20, 2009 from 8:00 AM – 5:00 PM (ET) in downtown DC.

I’ll be going.  This will be a “Bar Camp Stylie” event, where you’re not just an attendee, you’re also a volunteer to make it all happen.  You might end up running a conversation on your favorite privacy topic, so you have been warned. =)

*Most* of the folks going are of the civil libertarian slant.  With my background and where I work, I usually “bat for the other team on this issue”.  The organizers have assured me that I’ll be welcome and can play the heretic role.

How to play:

Some themes that I’ve seen develop so far:

  • How some concepts (System of Record) from the Privacy Act are outdated or at least showing their age
  • How the open government “movement” and the push for raw data means we need to look at the privacy concerns
  • FOIA and privacy data
  • Ending the political robocalls

See Y’all there!

Similar Posts:

Posted in Public Policy, Speaking | No Comments »

Everything I know about security, I learned from Ghostbusters…

Posted February 17th, 2009 by

(Well maybe not everything…)
I’ve been the defacto security officer at a government agency going on two years now; it’s been quite a challenge. Without getting too deeply into how this happened (since I’m a contractor), I’d like to share some of the insights, horror stories, tips, and interesting anecdotes I’ve gathered over the past 22+ months.

If nothing else, many of my “preconceived notions” about managing an effective security program at a federal agency have been confirmed. Many others have been changed in ways I would never have suspected. I’m going to attempt to explain these in what I hope is an insightful, if not humorous way.

Ghostbusters works for me… At the time (1984), it was, hands-down, the funniest movie I had ever seen–it left its mark. It sure beats “Dude Where’s My Car?” for quotes that can be applied to security. But then some may say I’ve either set the bar a bit low, or I need to expand my movie viewing habits. Hey, work with me on this one people!!!

So, here are several quotes from the movie and their application to my philosophy on information security. I hope you enjoy it!

Ecto-1 photo by chad davis.

I’m from security, and I’m ready to believe you.
Listen. Foster discussion. Then, draw upon your experience and make your decision. Do not enter into a discussion with a mandate (unless from above). Mandates do not foster discussions, especially in areas where policy is absent or maybe not-so-explicit. Most importantly, this is an invitation for the person you’re talking to begin their side of their story.
Important Safety Tip: As the security professional, remember – this is the time for you to begin listening!

“Next time, if <someone> asks whether you’re a GOD, you say YES!”
Face it. Many of us security folks are humble. We all may even know what it is we don’t know. We might be a little gun-shy in our first few weeks on the job. However, don’t let your humility or shyness overcome you…

Like it or not, you are your organization’s security expert. “The Shell Answer Man,” the “Pro from Dover,” the “Go-to Guy/Gal.” While you may not have committed the processes contained within the IKE negotiation phases to memory, and may not be able to quote RFC 3514 off the top of your head, you probably DO know where to find the information… “I don’t know,” should never roll off your lips.

When you’re hired as the subject matter expert on security, you need to be confident–whether you’re knocking a soft-toss out of the park, but especially when you tell folks that you’ll research the topic and get back to them. Come back with the facts, and your credibility will be strengthened.

Likewise, when you have reservations about a particular situation, let folks know why you’re not jumping on board their crazy train. Invite discussion. State your case plainly and propose solutions, or if you can’t suggest an alternative, discuss it offline in another meeting focused on solutions. While your mission is to guard the organization’s interests, you can’t do so at the expense of the organization’s mission. Working closely with client service or engineering teams shows that security can be an integral part of solution development, and not an impediment. Think of this as guiding others to the solution – without telling them the “right” answer. This allows others to “own” the solution – their help may be valuable, if not necessary to help you socialize a potentially contentious (or expensive) solution.

“Don’t cross the streams…”
I love this one. I get to use this at least twice a day while speaking to engineering, operations, management or other folks at my agency. It’s gotten so that people have heard it so many times, they’re using it. Best part is, they are using the phrase correctly!

So what does this mean exactly? Generally/normally, the following things should never be directly connected to one another:

  • Classified and Unclassified Networks
  • The Internet and a Classified Network
  • Networks classified at different levels
  • Development, Test, and Production Networks/Environments
  • Accredited/trusted networks / less trusted
  • Management and Production Networks

“Wait! I thought you said crossing the streams was BAD?!”
So, what does this Ghostbusters quote mean to we security folk?
Every policy, however rigidly enforced, needs a waiver process.

So what do I really mean? When you understand and can quantify the risk of a particular practice or a particular action, you can develop compensating controls to make otherwise unthinkable practices (e.g., connecting unclassified networks to classified networks) less risky. In this example, it can be done using one-way guard technology, or some other similar trusted, manual process.

Face it, jumping off a bridge can be dangerous, if not suicidal. However, when the jumper attaches themselves to a bungee cord or uses a parasail, the act of jumping off a bridge can be reduced from a Darwin-qualifying stunt to thrilling fun or awesome opening movie scene (like the opening of the first XXX movie starring Vin Diesel as Xander Cage). It may not be for everyone – but, given the right safety equipment, some of us might even consider taking the leap.

There’s an even better example. Let’s say your network security policy forbids use of USB memory devices. Anyone seen with one is given a stern talking-to, if not killed outright. Well, maybe not killed… the first time. Let’s say a virus or worm gets into your network. Hey – it happens. As a precautionary measure, your response to this type of incident requires you to sever your network connections to your business partners as well as the Internet. So… How do you get the new virus definition file and virus engine from your Platinum Support Provider and install it on your server? It just so happens that in this case, you downloaded a copy using your uninfected laptop via your home internet connection… onto a USB memory stick. So, how do you reconcile what needs to be done against your policy? Obviously, an exception to the policy needs to be made.

As a matter of fact, every organization needs a policy that allows exceptions to be made to existing policy. This may sound like doublespeak, and the above may not be the best example, but it certainly does illustrate the point.

“What about the Twinkie?  Tell him about the Twinkie?!”
Never hide stuff from superiors. They don’t like surprises.
Never hide stuff from auditors. They have less of a sense of humor than your superiors.

“Human sacrifice, dogs and cats living together… MASS HYSTERIA.”
FUD doesn’t work. Don’t try it!

I hope these good-natured examples have gotten you to laugh (minimally), or possibly gotten the aspiring CISOs among you to think about how you might use humor in your day-to-day existence. I’d like to leave you with one more thought:
If you’re not having fun, you’re doing it wrong!


FUD Fighter photo by cote.

Similar Posts:

Posted in BSOFH | 4 Comments »

When the Feds Come Calling

Posted October 21st, 2008 by

I’ve seen the scenario about a dozen times in the last 2 months–contractors and service providers of all sorts responding to the Government’s security requirements in the middle of a contract.  It’s almost reached the stage where I have it programmed as a “battle drill” ala the infantryman’s Battle Drill 1A, and I’m here to share the secret of negotiating these things.

Let’s see, without naming names, let’s look at where I’ve seen this come up:

  • Non-Government Organizations that assist the Government with para-Government services to the citizens
  • Companies doing research and development funded by the Government–health care and military
  • Universities who do joint research with the Government
  • Anybody who runs something that the Government has designated as “critical infrastructure”
  • State and local governments who use Federal Government data for their social plans (unemployment system, food stamps, and ) and homeland security-esque activities (law enforcement, disaster response)
  • Health Care Providers who service Government insurance plans

For the purposes of this blog post, I’ll refer to all of these groups as contractors or service providers.  Yes, I’m mixing analogies, making huge generalizations, and I’m not precise at all.  However, these groups should all have the same goals and the approach is the same, so bear with me while I lump them all together.

Really, guys, you need to understand both sides of the story because this a cause for negotiations.  I’ll explain why in a minute.

On the Government side:  Well, we have some people we share data with.  It’s not a lot, and it’s sanitized so the value of it is minimal except for the Washington Post Front Page Metric.  Even so, the data is PII that we’ve taken an anonymizer to so that it’s just statistical data that doesn’t directly identify anybody.  We’ve got a pretty good handle on our own IT systems over the past 2 years, so our CISO and IG want us to focus on data that goes outside of our boundaries.  Now I don’t expect/want to “own” the contractor’s IT systems because they provide us a service, not an IT system.  My core problem is that I’m trying to take an existing contract and add security requirements retroactively to it and I’m not sure exactly how to do that.

Our Goals:

  • Accomplishing the goals of the program that we provided data to support
  • Protection of the data outside of our boundaries
  • Proving due-diligence to our 5 layers of oversight that we are doing the best we can to protect the data
  • Translating what we need into something the contractor understands
  • Being able to provide for the security of Government-owned data at little to no additional cost to the program

On the contractor/service provider side:  We took some data from the Government and now they’re coming out of the blue saying that we need to be FISMA-compliant.  Now I don’t want to sound whiney, but this FISMA thing is a huge undertaking and I’ve heard that for a small business such as ourselves, it can cripple us financially.  While I still want to help the Government add security to our project, I need to at least break even on the security support.  Our core problem is to keep security from impacting our project’s profitability.

Our Goals:

  • Accomplishing the goals of the program that we were provided data to support
  • Protection of the data given to us to keep the Government happy and continuing to fund us (the spice must flow!)
  • Giving something to the Government so that they can demonstrate due-diligence to their auditors and IG
  • Translating what we do into something the Government understands
  • Keeping the cost of security to an absolute minimum or at least funded for what we do add because it wasn’t scoped into the SOW

Hmm, looks like these goals are very much in alignment with each other.  About the only thing we need to figure out is scope and cost, which sounds very much like a negotiation.

Hardcore Negotiation Skills photo by shinosan.

Little-known facts that might help in our scenario here:

  • Section 2.4 of SP 800-53 discusses the use of compensating controls for contractor and service-provider systems.
  • One of the concepts in security and the Government is that agencies are to provide “adequate security” for their information and information systems.  Have a look at FISMA and OMB Circular A-130.
  • Repeat after me:  “The endstate is to provide a level of protection for the data equivalent or superior to what the Government would provide for that data.”
  • Appendix G in SP 800-53 has a traceability matrix through different standards that can serve as a “Rosetta Stone” for understanding each other.  Note to NIST:  let’s throw in PCI-DSS, Sarbanes-Oxley,  and change ISO 17799 to 27001.

So what’s a security geek to do?  Well, this, dear readers, is Rybolov’s 5-fold path to Government/contractor nirvana:

  1. Contractor and Government have a kickoff session to meet each other and build raport, starting from a common ground such as how you both have similar goals.  The problem really is one of managing each others’ expectations.
  2. Both Government and Contractor perform internal risk assessment to determine what kind of outcome they want to negotiate.
  3. Contractor and Government meet a week later to negotiate on security.
  4. Contractor provides documentation on what security controls they have in place.  This might be as minimal as a contract with the guard force company at their major sites, or it might be just employee background checks and
  5. Contractor and Government negotiate for a 6-month plan-of-action.  For most organizations considering ISO 27001, this is a good time to make a promise to get it done.  For smaller organizations or data , we may not even

Assumptions and dependencies:

  • The data we’re talking about is low-criticality or even moderate-criticality.
  • This isn’t an outsourced IT system that could be considered government-owned, contractor-operated (GO-CO)

Similar Posts:

Posted in FISMA, Outsourcing | 1 Comment »

Imagine that, System Integrators Doing Security Jointly with DoD

Posted September 11th, 2008 by

First, some links:

Synopsis: DoD wants to know how its system integrators protect the “Controlled Unclassified Information” that they give them.  Hmm, sounds like the fun posts I’ve done about NISPOM, SBU and my data types as a managed service provider.

This RFI is interesting to me because basically what the Government is doing is collecting “best practices” on how contractors are protecting non-classified data and then they’ll see what is reasonable.

Faustian Contract

Faustian Contract photo by skinny bunny.

However, looking at the problem, I don’t see this as much of a safeguards issue as I do a contracts issue.  Contractors want to do the right thing, it’s just that they can’t decide if security is which of these things:

  • A service that they should include as part of the work breakdown structure in proposals.  This is good, but can be a problem if you want to keep the solution cheap and drop the security services from the project because the RFP/SOW doesn’t specify what exactly the Government wants by way of security.
  • A cost of doing business that they should reduce as much as possible.  For system integrators, this is key:  perform scope management to keep the Government from bleeding you dry with stupid security managers who don’t understand compensating controls.  Problem with this approach is that the Government won’t get all of what they need because the paranoia level is set by the contractor who wants to save money.

Well, the answer is that security is a little bit of both, but most of all it’s a customer care issue.  The Government wants security, and you want to give it to them in the flavor that they want, but you’re still not a dotorg–you want to get compensated for what you do provide and still make a profit of some sort.

Guess what?  It takes cooperation between the Government and its contractors.  This “Contractor must be compliant with FISMA and NIST Guidelines” paragraph just doesn’t cut it anymore, and what DoD is doing is to research how its contractors are doing their security piece.  Pretty good idea once you think about it.

Now I’m not the sharpest bear in the forest, but it would occur to me that we need this to happen in the civilian agencies, too.  Odds are they’ll just straphang on the DoD efforts. =)

Similar Posts:

Posted in Outsourcing, Risk Management | No Comments »

« Previous Entries

Visitor Geolocationing Widget: