It’s a sad tale we all know too well: our poor CISOs are tied down with red tape while the attackers have all the time in the world. My only regret is that the hakker kitteh isn’t a siamese. =)
Posted in Hack the Planet, IKANHAZFIZMA | 
1 Comment »
Tags: government • lolcats • security
Rybolov really struck a note with me (as he usually does) with his blog entry with his decision that S.3474 was a bad thing. It reminds me of a conversation I had with a friend recently. Basically she ask me why bad thing happen even after smart people put their heads together and try to deal with the problem before facing a crisis. Intrigued with her question, I asked her what specifically she was asking about. She shared that she had been thinking about the tragedy of the Titanic sinking.
Of course she was referring to the sinking of the passenger ship RMS Titanic on the evening of 14 April 1912. She made two points, first that the experts declared that the ship was “unsinkable” – how could they be so wrong. Second, she wondered how the ship could be so poorly equipped with boats and safety equipment such that there was such great loss of life.
The Titanic’s Disaster photo by bobster1985.
Little did she know that I have had an odd fascination with the Titanic disaster since childhood and have basically read much of the common public material about the event. So, I replied that that no expert had ever declared her unsinkable, that it was basically something that was made up by the press and the dark spineless things that hang around the press. However, I added the designers and owners of the ship had made much of her advanced safety features when she was launched. A critical feature was including water-tight bulkheads in her design. This was something of an advanced and novel feature at the time. What it meant was that you could poke a pretty big hole in the ship, and as long as the whole was not spread over several of these water-tight compartments she would stay afloat. The problem was that the iceberg that she hit (the Titanic, not my friend), ignored all of this a tore a big gash along about a third of the length of the ship.
So, my friend pressed again about the lack of safety equipment, especially lifeboats. I told her that the problem here was that the Titanic indeed did meet all of the safety requirements of the time. And that a big part of the problem was that the safety requirements were drafted in 1894 at a time when there were rapid changes and in the size and design of ships of this kind. Those regulations indicated that all passenger ships over 10,000 tons required 16 life boats, and that’s how many the Titanic had. At the time the regulations were written there were hardly any ships over 10,000 tons in size. However, when Titanic was launched she was designed to be over 50,000 tons when fully loaded. The fact was that if each of these lifeboats was fully loaded they could barely hold half of the of the passengers and crew of the ship if fully loaded. What is worse, when the ship did sink, not all of the boats were usable because of speed and angle in which the ship began sinking.
So, the bottom-line was that when the Titanic was reviewed by the safety accountants, they took out their check-list and went over the ship with a fine tooth comb. When the day was done the ship fully met all the safety criteria and was certified as safe.
This is where I see the parallels between root causes of the Titanic disaster and the odd situation we find ourselves in today in terms of IT security. Security by checklist –especially out of date checklists—simply doesn’t work. Moreover, the entire mental framework that mixes up accounting practices and thoughts with security discipline and research is an utter failure. Audits only uncover the most egregious security failures. And, they uncover them at a point in time. The result is that audits can be gamed, and even ignored. On the other hand, formal reviews by experienced security professionals are rarely ignored. Sometimes not all of the resources are available to militate against some of the vulnerabilities pointed out by the professionals. And sometimes there is debate about the validity of specific observations made by security professionals. But, they are rarely ignored.
Interesting enough, because of the mixed IT security record of many government agencies, Congress is proposing – more audits! It seems to me what they should be considering is strengthening the management of IT security and moving from security audits often performed by unqualified individuals and teams toward security assessments conducted by security professionals. And since professionals are conducting these proposed assessments, they should be required to comment on the seriousness of deficiencies and possible mitigation actions. An additional assessment that the professionals should be required to report on is the adequacy of funding, staffing and higher management support. I don’t really see any point in giving a security program a failing grade if the existing program is well managed but subverted and underfunded by the department’s leadership.
Posted in FISMA, NIST, Risk Management, The Guerilla CISO | 4 Comments »
Tags: accounting • accreditation • C&A • fisma • government • infosec • itsatrap • law • legislation • management • publicpolicy • S3474 • security
Not that I’m creative enough to come up with this, the guilty parties behind the werds are shrdlu and danphilpott.
Posted in IKANHAZFIZMA | 1 Comment »
Tags: fisma • government • infosec • lolcats • security
What do you get when you have too many observers and not enough doers? You get the current state of oversight in the Government’s IT security implementation. With the focus supposedly switching from building projects to continuous monitoring, it leaves a question lingering in the back of my mind: are the auditors going to switch to near-real-time observation?
Hence, the age-old cybersecurity question:
Posted in IKANHAZFIZMA | 3 Comments »
Tags: auditor • catalogofcontrols • compliance • government • infosec • lolcats • management • security
I love transition time. We get all sorts of strange people who come in, issue their letters on how they think the Government can solve the major cybersecurity issues for both the Government’s IT systems and for the rest of the US as a whole. And then, they all leave.
Nobody actually implements the suggestions because it takes time, effort, and money to get them done, and all that anybody ever wants to give is talk. Talk is cheap, security is not.
Many years ago when I became an infantryman, our guest speaker at graduation made one of the most profound statements that I remember over 8 years later: “Infantrymen vote with their feet”. In other words, we’re doers, not talkers, and at one point in our lives we decided that something was important enough to give up 4 years of our lives, maybe more, for this cause. Even Colonel Davy Crockett after he lost re-election to the House of Representatives wrote “I told the people of my district that I would serve them as faithfully as I had done; but if not … you may all go to hell, and I will go to Texas.” He died less than 3 years later at the Alamo. That, ladies and gentlemen, is how you vote with your feet.
My personal belief is that the primary problem the Government has with security (on both sides of the InfoSec Equities Issue) is that there is a lack of skilled security practitioners upon which to draw from. If you think about everything we’ve done to date, it’s almost always a way of compensating for our lack of skilled people:
As an industry, we have failed (at least in the public sector) at generating people with the skills to do the job.
And in light of this, my challenge to you: have a good idea and think you know how to solve the information security? Yes, we need those, but what we really need are IT security infantrymen who are willing to be doers instead of talkers. To answer the title of my blog post, the thing that the Government is missing is you.
Infantry Action Photo by Army.mil
So how can you help? I know moving to DC is a bit of a stretch for most of you to do. This is a short list of ideas what you can do:
Posted in Army, Rants, The Guerilla CISO | 8 Comments »
Tags: blog • dhs • government • infosec • security • training
So rybolov asked for another guest blog and a hot topic on my mind recently is training. Training in the IT world is kind of like the chicken before the egg argument – every employer whats you to have the latest Security F00$ training but they never want to pay for it. What is an IT professional to do?
So why are the majority of employers hesitant to train their IT staff? Are they afraid they are going to bring new skills to your resume and then you will jump ship to the next “jump and bump opportunity”? Or do they really have funding shortfalls and budget cuts to to prevent you from taking that 7 day Bahamas IT training cruise you wanted wanted to take this winter? My take is that it is probably a little bit of both.
Let’s think about this for a minute. You are a cash-strapped IT Manager at $your_organization_name_here and have limited funding for a never-ending list of training requests. In your attempt to balance training with the rest of your budget, you eventually have to cut training to the bare minimum. If you do splurge and spend the money to send an employee to the latest security F00$ training, the next time he/she is unhappy they might leave. But chances are you have program requirements that dictate some level of yearly training that is required. This situation can also be double whammy if you are in a consulting or contracting role where opportunity costs also means you are not billable during your time in training.
My suggestion is to strike some kind of balance to make both the employee and IT management happy. If you are in the role of government management, consider the possibility of allowing your contracting/consulting staff to bill their training hours to the program instead of going on company overhead. Another possibility to consider is if you involved in IT management in the consulting/private/commercial sector, consider offering a reasonable allowance each year towards training. It does not have to be huge amount of money to pay for an expensive 10 day conference out of town but enough to pay the tuition for a week long training class. This will show the employee that you are serious about keeping them current in their career field but at the same time put some effort on them to be reasonable with their training requests. Depending on your geographic location, you can usually find job related training locally, especially if you are located anywhere near the beltway.
I was recently faced with this dilemma in my current position. We were told training funding was not available this year and that we would have to wait until next year. After thinking about this for a while, I approached my manager with an idea they bought into. I identified an area within my field that I have really wanted to get into the last few years but the opportunity never presented itself. Since we have the need for this skill and the organization was planning on investing in this area in 2009, I offered to pay my own tuition to attend this training if they would allow me use PTO for the classes. They agreed and I purchased a one-year training package that will allow me to attend an unlimited number of classes from the vendor over the next year. When training funding becomes available again next year, we are planning on putting my training allowance towards travel costs. In the end, I was able to turn the situation into a win-win for both my employer and my skills set. In a world of shrinking IT budgets, a little creativity can go a long way in meeting your training goals.
Football Training photo by melyviz
Posted in Odds-n-Sods, What Works | 3 Comments »
Tags: cashcows • certification • government • infosec • infosharing • management • moneymoneymoney • security • training
« Previous Entries Next Entries »
Posts RSS
Subscribe via Email