Saturday, June 20, 2009 from 8:00 AM – 5:00 PM (ET) in downtown DC.

I’ll be going.  This will be a “Bar Camp Stylie” event, where you’re not just an attendee, you’re also a volunteer to make it all happen.  You might end up running a conversation on your favorite privacy topic, so you have been warned. =)

*Most* of the folks going are of the civil libertarian slant.  With my background and where I work, I usually “bat for the other team on this issue”.  The organizers have assured me that I’ll be welcome and can play the heretic role.

How to play:

• Sign up here.
• Check out the wiki, help out with preparation.
• Follow @PrivacyCampDC on twitter
• Be a sponsor.

Some themes that I’ve seen develop so far:

• How some concepts (System of Record) from the Privacy Act are outdated or at least showing their age
• How the open government “movement” and the push for raw data means we need to look at the privacy concerns
• FOIA and privacy data
• Ending the political robocalls

See Y’all there!

Bookmark to:

Hide Sites

So way back in the halcyon days of 2008 when Dan Philpott, Chris Burton, Ian Charters, and I went to the NIST SCAP Conference.  Just by a strange coincidence, Ed Bellis threw out a twit along the lines of “wow, I wish there was a way to import and export all this vulnerability data” and I replied back with “Um, you mean like SCAP?

Fast forward 6 months.  Ed Bellis has been busy.  He delivered this presentation at SnowFROC 2009 in Denver:

So some ideas I have about what Ed is doing:

#1 This vulnerability correllation and automation should be part of vulnerability assessment (VA) products.  In fact, most VA products include some kind of ticketing and workflow nowadays if you get the “enterprise edition”. That’s nice, but…

#2 The VA industry is a broken market with compatibility in workflow.  Everybody wants to sell you *their* product to be the authoritative manager. That’s cool and all, but what I really need is the connectors to your competitor’s products so that I can have one database of vulnerabilities, one set of charts to show my auditors, and one trouble ticket system. SCAP helps here but only for static, bulk data transfers–that gets ugly really quickly.

#3 Ed’s correllation and automation software is a perfect community project because it’s a conflict of interest for any VA vendor to write it themselves. And to be honest, I wouldn’t be surprised if there aren’t a dozen skunkwork projects that people will admit to creating just in the comments section of this post. I remember 5 years ago trying to hack together some perl to take the output from the DISA SRR Scripts and aggregate them into a .csv.

#4 The web application security world needs to adopt SCAP. So far it’s just been the OS and shrinkwrapped application vendors and the whole race to detection and patching. Now the interesting part to me is that the market is all around tying vulnerabilities to specific versions of software and a patch, where when you get to the web application world, it’s more along the lines of one-off misconfigurations and coding errors. It takes a little bit of a mindshift in the vulnerability world, but that’s OK in my book.

#5 This solution is exactly what the Government needs and is exactly why SCAP was created. Imagine you’re the Federal Government with 3.5 million desktops, the only way you can manage all those is through VA automation and a tool that aggregates information from various VA products across multiple zones of trust, environments, and even organizations.

#6 Help Ed out! We need this.

Bookmark to:

Hide Sites

Back in 1995 the junior high school students around the world were taken in by a sensationalized and carefully marketed hoax film called Alien Autopsy. Alien Autopsy was in fact a cheap film purporting to be actual footage of an actual autopsy of the cadaver of an extraterrestrial. The film was marketed as footage shot during the famous 1947 Roswell incident.

Alien Autopsy photo by jurvetson.

Well, back in 1995 I was in a mood for a good laugh so I popped up some popcorn, chilled a six-pack of Mountain Dew and kicked up my feet for a little silly entertainment. A couple of friends came over just in time for the show. So, I popped more popcorn, chilled more drinks and we all had a great time giggling, guffawing, and generally acting like a bunch of nitwits having some good clean fun.

Then in 2005, my wife asked if I could sit down with her to watch something called Grey’s Anatomy. Thinking that I was about to relive a guilty pleasure from ten years before, I readily agreed. Let’s face it, a show called Grey’s Anatomy could only be a sequel to the 1995 Alien Autopsy.

Well, having been fooled, I shared my mistake and agony with the guys at work the next day. To say the least, they were amused at the story but entirely at my expense. Some mistakes in life should just never be mentioned again.

I hope that is not the case with today’s comments. Today, I’d like to encourage you all to down load and read my paper on the History of Digital Forensics (.pdf caveat applies). It is based on a paper I presented at NIST’s annual digital forensics conference. However, since the slides from briefings do not read well, I converted the presentation to prose. Dissect it as you think appropriate. That is to say, let me know what you think.

Bookmark to:

Hide Sites

I’ve always wondered why I have yet to meet anyone in the Government using Database Activity Monitoring (DAM) solutions, and yet the Government has some of the largest, most sensitive databases around.  I’m going to try to lay out why I think it’s a great idea for Government to court the DAM vendors.

Volume of PII: The Government owns huge databases that are usually authoritative sources.  While the private sector laments the leaks of Social Security Numbers, let’s stop and think for a minute.  There is A database inside the Social Security Administration that holds everybody’s number and is THE database where SSNs are assigned.  DAM can help here by flagging queries that retrieve large sets of data.

Targetted Privacy Information:  Remember the news reports about people looking at the presidential candidate’s passport information?  Because of the depth of PII that the Government holds about any one individual, it provides a phenomenal opportunity for invation of someone’s privacy.  DAM can help here by flagging VIPs and sending an alert anytime one of them is searched for. (DHS guys, there’s an opportunity for you to host the list under LoB)

Sensitive Information: Some Government databases come from classified sources.  If you were to look at all that information in aggregate, you could determing the classified version of events.  And then there are the classified databases themselves.  Think about Robert Hanssen attacking the Automated Case System at the FBI–a proper DAM implementation would have noticed the activity.  One interesting DAM rule here:  queries where the user is also the subject of the query.

Financial Data:  The Government moves huge amounts of money, well into $Trillions.  We’re not just talking internal purchasing controls, it’s usually programs where the Government buys something or… I dunno… “loans” $700B to the financial industry to stay solvent.  All that data is stored in databases.

HR Data:  Being one of the largest employers in the world, the Government is sitting on one of the largest repository of employee data anywhere.  That’s in a database, DAM can help.

Guys, DAM in the Government just makes sense.

Problems with the Government adopting/using DAM solutions:

DAM not in catalog of controls: I’ve mentioned this before, it’s the dual-edge nature of a catalog of controls in that it’s hard to justify any kind of security that isn’t explicitly stated in the catalog.

Newness of DAM:  If it’s new, I can’t justify it to my management and my auditors.  This will get fixed in time, let the hype cycle run itself out.

Historical DAM Customer Base:  It’s the “Look, I’m not a friggin’ bank” problem again.  DAM vendors don’t actively pursue/understand Government clients–they’re usually looking for customers needing help with SOX and PCI-DSS controls.

London is in Our Database photo by Roger Lancefield.

Bookmark to:

Hide Sites

The Potomac Forum crew is back at it again with a C&A seminar on the 15th and 16th.  While 2 days isn’t long enough to earn your black belt at C&A-Foo, it is enough so that if you’re a solid program manager or technical lead, you’ll walk out being at least able to understand the core of the process.

As usual, some of the instructors should be familiar to my blog readers.  =)

Bookmark to:

Hide Sites

And here we have it, a bill introduced by Senators Carper and Lieberman to increase security in the Government, known as FISMA 2008. I’m still waiting on the text to appear on the Thomas entry, but I’ll go through the major provisions from the congressional record.

Article from NextGov

Thomas Reference

Congressional Record of the Bill’s Introduction and text (Starts on CR 8388 and goes through CR 8391)

Major provisions:

• Changes some definitions of “assessment”, “audit” and “evaluation”. OK, I had to do some research on this one.  Thankfully, this is all online.  Sidenote: it’s not Section 3545 as per the bill, it’s Section 3535.  Basically this is just rewording and rescoping of annual audits to be written the way it should have been in the first place.
• Creates a CISO position at each agency. Hey, I thought this was already created by FISMA.  What we need is not CISOs that work for the CIO, what we need are agency CSOs (I’ll even take an agency Chief Risk Officer) that have authority over all of security, not just IT geek concerns.
• Creates a CISO Council. Fantastic idea, how come I didn’t think of it?
• Qualifications for CISOs. Not a bad idea, but the bill doesn’t elaborate too much.
• Responsibilities for CISOs. This is an interesting section.  Much of this is in guidance from NIST/DISA/CNSS already.  I like most of these measures, but I’m not sure that they need to be codified into law except for the pieces that reside outside of the agencies, like the coordination with US-CERT.  Putting the CISO’s responsibilities into law does give the CISO more teeth if they need it, but you have to wield the law carefully.

The Law photo by F.S.M.

From the NextGov article and the congressional record:

“Our bill empowers chief information security officers to deny access to the agency network if proper security policies are not being followed. If we are going to hold these hardworking individuals accountable in Congress for information security, then we should give them the authority to do so,” said Carper.

Um, yeah, we’ve given them the authority in this bill, but my problem is that it completely removes the DAA/AO/mission owners from the picture–the CISO is now responsible for the secure operations of IT systems and has disconnect authority.

I think that philosophically this bill is a step backwards.  The more progressive thought is that security is the responsibility of the agency head and the mission owners and that the CISO just provides support as a subject matter expert.  Under this bill, we’re back to a world where the CISO is the sole decision-maker when it comes to security.  Wow, that’s so… 1990’s-ish.

However, we all know that the CISOs are the people getting the security job done from day to day, and this bill makes sense if you assume that the agency heads and DAAs/AOs have 0 interest or skills to assist in the security of their data.  That might or might not be true, I’ll leave it up to you to decide.

Questions for today are these (and yes, I want to hear what you think):

• Are we willing to scrap the “business/system owner” concepts that our security management processes are modeled around?
• Are we willing to admit that the DAA/AO concept is a failure because of lack of understanding and capabilities on their part?
• Are the mission owners willing to take an outage on their supporting IT infrastructure because the CISO took the system offline because they didn’t secure the system properly in the first place?
• Can we rely on a management technique where the stakeholders are removed from the decisionmaking of a trained expert?

Bookmark to:

Hide Sites