If you're new here and would like to see more of what I'm saying, you may want to subscribe to my RSS feed (I can even email my blog posts to you when I publish a new one) or have a look at my papers and presentations page for downloads of stuff that you can share or "borrow heavily from". You also might find my guidelines for posting comments interesting, especially if you're a government employee. If you want to see me blog about anything in particular, drop me a private email on how you think I'm completely full of myself, extend me an invitation to speak at your next security meeting/event, or just to ship a huge bag of money in my direction, you can do that through my contact page. Thanks for visiting and happy hacking!

I’ve always wondered why I have yet to meet anyone in the Government using Database Activity Monitoring (DAM) solutions, and yet the Government has some of the largest, most sensitive databases around.  I’m going to try to lay out why I think it’s a great idea for Government to court the DAM vendors.

Volume of PII: The Government owns huge databases that are usually authoritative sources.  While the private sector laments the leaks of Social Security Numbers, let’s stop and think for a minute.  There is A database inside the Social Security Administration that holds everybody’s number and is THE database where SSNs are assigned.  DAM can help here by flagging queries that retrieve large sets of data.

Targetted Privacy Information:  Remember the news reports about people looking at the presidential candidate’s passport information?  Because of the depth of PII that the Government holds about any one individual, it provides a phenomenal opportunity for invation of someone’s privacy.  DAM can help here by flagging VIPs and sending an alert anytime one of them is searched for. (DHS guys, there’s an opportunity for you to host the list under LoB)

Sensitive Information: Some Government databases come from classified sources.  If you were to look at all that information in aggregate, you could determing the classified version of events.  And then there are the classified databases themselves.  Think about Robert Hanssen attacking the Automated Case System at the FBI–a proper DAM implementation would have noticed the activity.  One interesting DAM rule here:  queries where the user is also the subject of the query.

Financial Data:  The Government moves huge amounts of money, well into $Trillions.  We’re not just talking internal purchasing controls, it’s usually programs where the Government buys something or… I dunno… “loans” $700B to the financial industry to stay solvent.  All that data is stored in databases.

HR Data:  Being one of the largest employers in the world, the Government is sitting on one of the largest repository of employee data anywhere.  That’s in a database, DAM can help.

Guys, DAM in the Government just makes sense.

Problems with the Government adopting/using DAM solutions:

DAM not in catalog of controls: I’ve mentioned this before, it’s the dual-edge nature of a catalog of controls in that it’s hard to justify any kind of security that isn’t explicitly stated in the catalog.

Newness of DAM:  If it’s new, I can’t justify it to my management and my auditors.  This will get fixed in time, let the hype cycle run itself out.

Historical DAM Customer Base:  It’s the “Look, I’m not a friggin’ bank” problem again.  DAM vendors don’t actively pursue/understand Government clients–they’re usually looking for customers needing help with SOX and PCI-DSS controls.

London is in Our Database photo by Roger Lancefield.

Bookmark to:

Hide Sites

Yes, auditors are the source of many lulz for those of us, mostly because they ask silly questions off of their script.

But hey, it’s a hard job to do, and I have lots of respect for auditors.  A good auditor is worth their weight in fibre runs any day of the week.

Bookmark to:

Hide Sites

Note the emphasis on good.  Note the emphasis on public policy.

Yes, folks, we need good policy people.  Think about the state of security and public policy today:

• We have FISMA which is a law.  Everybody’s whipping boy but it’s exactly where it needs to be to have risk-based management of IT security.
• We have a framework for implementing FISMA.  It’s a pretty good set of process, policy, and standards that have spilled over into the private sector.
• You need a crowbar to get good/smart security people to deal with politics, it takes a death ray to get them to deal with public policy.
• We don’t have high-level policy-makers who understand risk management and they are co-opting the model of compliance.
• Public policy is the upstream neighbor of information security and what public policy people do influences what we do.
• If we want to succeed in security at the operational and tactical level, we need to have the right decisions made at the strategic level, and that includes public policy.
• I’m not just talking about security and the Government, this is also with things like breach laws; compliance frameworks (PCI, HIPAA); and how unpatched and zombified desktops hurt everybody else.

So in true Guerilla CISO style, I’m doing something about it.  Armed with my favorite govie (who is actually the lead on this, I’m just a straphanger), The New School of Information Security (Hi Adam and Andrew), some government policy directives, and the National Strategy to Secure Cyberspace, I am teaching an Information Security Management and Public Policy class for Carnegie Mellon’s Heinz School.

The more I work with the Masters of Science in Public Policy Management program, the more I’m sold on it.  Basically the students do a year on-campus in Pittsburg, then they have the option of staying there or coming to DC.  The students who come to DC work a 32-hour week (some do more), 2 night classes, and class for most of Friday.  Our information security class fits in as a sector-specific deep-dive, the other one being healthcare (which needs smart public policy people, too).

Which is where we need some help.  It’s a little behind the game, but we’re constantly looking for Government agencies, NGOs/NPOs, and contractors who are interested in taking on interns.  Even better if you have jobs that don’t have a US citizenship requirement.  If you want to be linked up, just drop me a line.

And oh yeah, my blogging has slowed down because I’m working 2 new projects and traveling to Tennessee and teaching Thursday nights and my life just got way busy.  =)

Alexander Hamilton Statue photo by dbking.

Bookmark to:

Hide Sites

Something fun and new for you guys:  the estimated cost of S.3474 (.pdf caveat applies) if it were to be signed into law in its current state.  Thank you Congressional Budget Office.

Bottom line: $40M in 2009 and $570M from 2009-2013.

A quick update on S.3473:  it’s not going to get voted on by this Congress–the bill ran out of time and all of the politicians ran into campaign season so it’s hard to pin them down and get anything done.  In fact, none of the handful of security bills are going to get looked at until the next Congress.  So yeah, their fate depends on both the presidential and congressional elections next week, then let’s see if there is enough congressional bandwidth to push these bills through after the new administration transitions in.

Some of my S.3474 coverage if you’re interested.

Bookmark to:

Hide Sites

While the rest of the world had a nice relaxing weekend preparing for the upcoming election, our Guerilla CISO LOLCATS spent lots of their time tracking down non-patched computers.  Yet another highly-glamorous CISO activity that somehow doesn’t end up in the recruiting posters.  What’s that?  Oh yeah, we don’t really recruit security managers, it’s more like being voluntold.

Sometimes in my less-coherent hours, this is exactly how I picture desktops reaching out to WSUS for those oh-so-critical patches:

Bookmark to:

Hide Sites

This is an article in Federal Computer week that’s fairly obvious to anybody who’s ever been any kind of security manager in Government:  it’s a hard job.  Realistically, you have to have such a wide range of skills that it’s hard to find people who can do it all.  It’s even worse if you have a couple subpar managers working under you.

I’ve said it a million times, I’ll say it again, in the public sector, a CISO spends 80% of their time doing basic project management and personnel management, and only 20% doing anything that could remotely be called “security”.

Bookmark to:

Hide Sites

Paraben is a leading vendor for digital forensics products (http://www.paraben.com/). However, within this huge international market, Paraben specializes in digital forensic products for mobile devices such as PDA and phones. Paraben just recently released a very nice product called the Cell Seizure Investigator (CSI) Stick (http://www.csistick.com/index.html).

Aside from the overly-dramatic marketing embedded in the name of the product, this seems to be another solid addition to the Paraben product line. The device is designed to make a forensically correct copy of the data on your mobile phone–including call records, address books, and text messages. The devices look basically like a USB flash memory drive with the addition of an adapter/interface unit.

The copying process is largely automatic and the CSI Stick is quite reasonably priced at $99 -199, depending on the software bundle. The market reaction to this product is also quite positive. My friends in the industry who have used the device consider it an indispensable time-saving device. I can hardly wait until I get my have on one myself. In the past when, I was tasked to recover such data it was much more time consuming and hardware intensive process.

Equally fascinating, is the release (if you can call it that) of a product with a similar form-factor from Microsoft. The product is released on a flash drive and is called COFEE (Computer Online Forensic Evidence Extractor — http://www.microsoft.com/presspass/features/2008/apr08/04-28crantonqa.mspx).  Microsoft indicates that COFEE contains 150 commands that facilitate the collection of digital evidence from computers that it is physically connected to. In addition, COFEE can decrypt passwords, and collect information on a computer’s Internet activity, as well as data stored in the computer. Microsoft has indicated that COFEE has been made available to law-enforcement agencies only. And, according to one report, law-enforcement agencies in 15 nations have been provided with the device.

My initial reaction to this news was that it was not an unexpected development and that the announcement would be greeted with inevitable jokes about the need for Microsoft to also release a companion product called DONUTS. In fact, the reaction of the technical press has been largely negative and suspicious. Most of the concerns seem to center on privacy and individual rights. However, there isn’t a single capability associated with COFEE that I have been able to confirm, that doesn’t exist in some other commercial or open-source product. I do wish that I could get my hands on a trial or lender copy of COFFEE so that I could confirm this position.

Locksmith Sign photo by Meanest Indian.

While I admit that I have always been concerned about the safeguarding individual’s civil liberties, I am largely puzzled at the negative reactions. One element of the outcry that I do understand is an emotional one and that centers on the concept that a company that is paid to protect your secrets should not also be selling the tools and techniques to compromise those secrets. On an emotional level this makes sense.

However, the real world is very different. For example, every major automobile manufacturer cooperates with locksmiths to insure that there are low-cost and non-destructive means to circumvent you car locks in the event that you lock you keys in your cars or just loose you car key outright. Without getting into the details of defeating car locks, may automobile manufactures even provide specialized equipment and technical materials directly to locksmiths to facilitate this process.

If there are concerns that Microsoft my be caught in a ethical conflict of interest, we need to look at similar conflicts in other industries, and that’s food for thought.

Bookmark to:

Hide Sites