Going Off the Deep End

So I was thinking the other day (this is the part where people who know me in person usually go “oh cr*p”), partially spurred by a conversation I had with @csoandy and @secbarbie a couple of months ago.  I’ll get the idea out there: as an industry we need to embrace the concept of split-horizon assessments.

Two Purposes for Assessments

Because this is an insane approach that I’m just feeling out, let me go on a solo riff and explain what I’m talking about.  You see, I have two distinct purposes for getting a security assessment, both of which are in contention with each other:

• I want to fix my security by asking for money to fix the things that need attention.  When I get an assessment for this purpose, enumeration of my badness/suckness is good.  If I have a set of results that say that everything is great, then there’s no need for me to be given any more resources (time, money, people, gear).  Short-term, I’m fine, but what about my infrastructure-type long-term projects?  The net effect of a highly-scored annual assessment just might kill my program in 2 years as my funding and people are shifted elsewhere, especially in a .
• I want to keep my job and help my {company|agency|group} stay out of trouble by showing my zero-defects face and by demonstrating my due-diligence in protecting what has been given to me.  While the assessor has helped me short-term by identifying my problems and being a total hardass, if I’m not around in 6 months to adopt the recommendations into my security program, has the assessor actually helped me?

And this is the dilemma for just about every security manager out there.  One of the strategies is to alternate assessment types, but then your management wonder just what the heck it is you’re doing because you’re on top one year, then on the bottom the next.

Split Rock Lighthouse and Horizon photo by puliarf.

Assessor Window-Shopping

Now for the dirty little secret of the testing business:  there are really good testers who are the ninjas of the InfoSec world and there are really bad testers who don’t even validate their unlicensed Nessus scan.  I know, you’re shocked and it’s so blindingly obvious that Bruce Schneier will blog it 3 years from now.  =)

But there’s the part that you didn’t know:  security managers pick their assessor depending on the political mood inside their organization.  This is nowhere near a science, from what I’ve seen it involves a lot of navel-gazing on the part of the security team to see which is the lesser evil: having everybody think you’re incompetent or never getting anything new ever again?

Building a Better Rat Race

In order to accomplish both of the goals that I’ve listed, what I really need is a split-horizon assessment.  In other words, I need 2 reports from one assessment with different views for different audiences.  I know this sounds highly cynical, but it’s something we’ve been doing for some time now but just informally.  Might as well make it formal.

So are you sold on this concept yet?  In true form, I have an idea on how to get to a world of split-horizon assessments.  You can take any catalog of controls and divide it into “gotta have it” and “nice to have” (I almost divide these along the lines of “vulnerability mitigation” and “sustainable security program” or the “CISO” and “OMB and Congress”) buckets.  Then in your compliance assessment standard, require 2 reports for each assessment.  One is reported to the regulating authority and the other stays with the organization.

Indecision Strikes

I don’t know if I’ve solved the problemspace or not, but I’m looking for feedback “from the Peanut Gallery” so leave some comments.

• Security Assessment Economics
• Workin’ for the ‘Counters: an Analysis of my Love-Hate Relationship with the CPAs
• Security Assessments as Fraud, Waste, and Abuse
• A Funny Thing Happened Last Week on Capital Hill
• “Machines Don’t Cause Risk, People Do!”

If it wasn’t frustrating dealing with the huge conflict-of-interest that follows the Government’s InfoSec pocketbook, it would be absolutely hilarious to watch the myriad interactions between all the competing interests at work, all with their grand plan on how to “fix” something that, in their opinion, is grossly broken.  Not that their idea is any better or will be executed better, it’s that it’s something new and gives them soundbites.

I’ll even admit to having my own opinions from time to time, although I’m not in it for the filthy lucre, just trying to help.  =)

• Preliminary Findings on Cybersecurity Review Now Out
• Aurora and LOLCATS
• The InfoSec D-List and IKANHAZFIZMA
• Cyber-Workforce Training?
• Lolcats take on Laws, Sausage, Cyberwhatzits, and PCI

Fun things happened yesterday.  In case you hid under a rock, the Intertubes were rocking yesterday with the thudding of fingera on keyboard as I live-tweeted the Senate Homeland Committee’s hearing on “Protecting Cyberspace as a National Asset: Comprehensive Legislation for the 21st Century”.  And oh yeah, there’s a revised version of S.3474 that includes some of the concepts in S.773.  Short version is that the cybersecurity bills are going through the sausage factory known as Capitol Hill and the results are starting to look plausible.

You can go watch the video and read the written testimonies here.  This is mandatory if you’re working with FISMA, critical infrastructure, or large-scale incident response.  I do have to warn you, there are some antics afoot:

• Senator Collins goes all FUD on us.
• Senator McCain grills Phil Reitinger if DHS can actually execute a cybersecurity mission.
• Alan Paller gets all animated and opens up boxes of paperwork.  I am not amused.

• Blow-By-Blow on S.773–The Cybersecurity Act of 2009–Part 3
• Blow-By-Blow on S.773–The Cybersecurity Act of 2009–Part 4
• Blow-By-Blow on S.773–The Cybersecurity Act of 2009–Part 2
• In Response to “Cyber Security Coming to a Boil” Comments….
• Blow-By-Blow on S.773–The Cybersecurity Act of 2009–Part 5

Some days I feel like all this “continuous monitoring” talk around the beltway is just really a codeword for “buy our junk”, much like the old standby “defense in depth”, only instead of firewalls and IDS, it’s desktop and server configuration management.  Even better that it works for both products and services.  The BSOFH in me likes having a phrase like “Near Real-Time Continuous Compliance Monitoring” which can mean anything from “tying thermite grenades to the racks in case of being captured” to “I think I’ll make a ham sandwich for lunch and charge you for the privilege”.

Anyway, our IKANHAZFIZMA lolcats have finally found a control worth monitoring:  the world’s supply of overstuffed cheeseburgers.  This continuous monitoring thing is serious business, just like the Internets.

• Federal Computer Week and S.773
• Metricon is Next Week
• Oh Lookie, Somebody’s Doing What I Said To Do….
• CISOin’ Ain’t Easy, But It’s a Living
• Draft of SP 800-37 R1 is Out for Public Review

Rybolov’s note:  Vlad’s on a rant, at times like this it’s best sit back, read, and laugh at his curmudgeonly and snark-filled sense of humor.

So there I am having a beer at my favorite brew pub Dogfish Head Alehouse, in Fairfax, when my phone vibrates to this ditty…. I couldn’t get past the “breaking news.”

From: <The SANS Institute>

Sent: Friday, May 28, 2010 4:05 PM

To:Vlad_the_Impaler@myoldisp.net

Subject: SANS NewsBites Vol. 12 Num. 42 : House attaches FISMA corrections to Defense Authorization Bill for rapid action

* PGP Signed by an unmatched address: 5/28/2010 at 2:52:21 PM

Breaking News: US House of Representatives attaches new FISMA rewrite to Defense Authorization Bill. The press hasn’t picked it up yet, but NextGov.Com will have a story in a few minutes. This puts one more nail in the coffin of the Federal CISOs and security contractors who think they can go on ignoring OMB and go on wasting money on out of date report writing contracts.

Alan

Yet another millstone (pun intended) piece of legislation passed on a Friday with… a cheerleader?!?!??? Whoa.

This ruined what was turning out to be a decent Friday afternoon for me…

My beef is this — I guess I really don’t understand what motivates someone who vilifies Federal CISOs and security contractors in the same sentence? Does the writer believe that CISOs are in the pocket of contractors? Even I am not that much of a cynic… Which CISO’s are “ignoring OMB?” All of them except NASA? Are all of our Government CISOs so out of touch that they LIKE throwing scarce IT dollars away on “out of date report writing contracts?” (sic.) (Vlad – Are hyphens too costly?)

I could drop to an ad hominem attack against the writer, but that’s pretty much unnecessary and probably too easy. I’ll leave that to others.

Suffice to say that what is motivating this newsbit appears IMHO to be less about doing things the right way, and more about doing things their way while grabbing all the headlines and talking head interviews they possibly can. (See “self-licking Ice Cream Cone” in my last post)

Yeah, I’m a cynic. I’m a security professional. What’s yer point?

• Next Up in Security Legislation: S3474
• No, FISMA Doesn’t Require That, Silly Product Pushers
• In Other News, I’m Saying “Nyet” on S.3474
• Ooh, “The Word” is out on S 3474
• “Machines Don’t Cause Risk, People Do!”

There are a couple definitions for “darknet”, all of them valid for this lol.

• Snowmageddon Meets the IKANHAZFIZMA Lolcats
• Incident Response and Lolcats
• LOLCATS: Defending our Cyber-Turf
• IKANHAZFIZMA and Transparency
• Aurora and LOLCATS