Information Security Travel Guide
Stephen Northcutt, an Information Security Researcher, United Airlines
1k, Writer and Instructor, documents the struggles of the travel and
hospitality industries as we all face continually increasing energy costs.
He and his peers share their travel experiences and give you quick tips
and short reviews of the companies they do business with as they travel.
If you came across this article because of a Google search, what you
want is probably here, just use find with your browser (CTRL - F), it
is easier than reading from top to bottom; however, you may get some
useful tips if you stick around and read. Each major cluster of trips is
documented in a separate file.
Information Security Travel Guide Edition 10 - Stephen Northcutt
Apr 28th, 2009
By Stephen Northcutt
[March 31, 2009] On Kauai the day before Conficker -C
I love the security prediction business, but I will be honest. I have no clue. I will be watching the Internet Storm Center for updates, here is their Conficker roll up. The weather is quasi nice here on Kauai, a lot of rain, but some cloud shine, I should slip out and get a walk in between storms.
Social Media and Email
Doing some research into the changing pattern of Internet use. It seems Social Media is gaining and email is losing. Social Media Online reports "Interesting data from Nielsen Online that two-thirds of the world's Internet population visit social networking or blogging sites, accounting for almost 10% of all internet time." There are a number of aspects to Social Media and I doubt I am going to get all of them, but they seem to fall into these categories:
- Relationship sites. My favorite social media site is LinkedIn where I am SANS Institute. I use this to establish and maintain connections with people I meet. If they change emails or whatever, we stay linked. A lot of people use Plaxo as well.
- What are you doing now? The big dog is Twitter, but Facebook's newest incarnation and LinkedIn all have this.
- Bookmarking sites, number one is Digg followed by Propeller, I don't do much of this anymore.
- Web pretense is MySpace, I keep a stub, but that is it.
There are a number of points here, let's drill down:
- Don't rush to add something to your email marketing program. I think that is good advice. I tend to delete mail I do not recognize. If you try the next new thing with me, you might well get an unsubscribe.
- Study your audience, What are the sub-groups? Maybe various members of the organization can each "adopt" a sub group.
- As you identify sub-groups in your audience, are there already Social Media matching sub-groups forming?
- Don't try to stay up with the competition, the world is changing very quickly, they may not have any idea what they are doing.
- Be public, communicate, communicate, communicate, make sure your name is out front, ask your customers to use their names as quotes. As an example, I received an email today thanking me for the course I author and teach SANS Security Leadership Essentials and wrote back immediately asking to use the material. Here is the quote:
• Two-Factor authorization for remote users.
• Web Filtering.
• Intrusion detection systems for our internet facing offices.
• Security awareness program.
-- Jerry Farnstrom, Information Security Manager, Long Term Care Group Inc.
- Be unexpected, the blog uses the example of sending a custom postcard to acknowledge receipt of an order instead of an email. Not sure that is worth the fixed cost, but we do need to look for ways to stand out. For instance, if one of your email lists is losing luster, consider making it a web presence, perhaps a blog with tweets on Twitter. If it is a recurring subject, start a hashtag. In the past, web hits were primarily a function of content; today, they are content, thought leadership, and community.
- Be personal, one of the things that SANS has always done is make the CEO accessible. To succeed in the new genre, we need to do more of that. Have more of the people in the company adopt a population group or sub-group and be a spokesperson for that group.
I will end by pointing to a new story about a restaurant mixing Social Media and Email in a very commonsense manner to keep their brand alive with their customers. I don't know that Social Media is eclipsing Email, but no sensible company would ignore either.
[April 1, 2009] Looks like we will survive Conficker, what's next?
Since television reporting on Conficker such as CNN and CTV are proving to be unreliable, I popped up to Facebook to see if there were any trustworthy news reports, the best one is shown below:
Bill Brenner RT > Best line yet: @gattaca: CDC confirms conficker has made the cross species jump to humans. Rate of infection is rising exponentially. Then on to Twitter where DRInfosec was re-tweeting the Conficker Eye Chart. Who would have guessed social media would be so useful in science! Other notables, headline of a story, "Go Conficker Yourself". Wired Magazine has a hilarious time line posting. Brian Krebs from the Washington Post weighed in with an April Fool report. But don't let down your guard, according to PCWorld, Conficker may be more widespread than previously thought. NMAP 4.85BETA6 finds it with the handy command "nmap -PN -T4 -p139,445 -n -v --script=smb-check-vulns --script-args safe=1 [targetnetworks]". The Vancouver Sun says Conficker is not a big deal. The Guardian Tech Blog puts it, "Anti virus companies' worst fears realized as Conficker does... nothing". Snopes, the urban legend folks, did post a pearl of wisdom from Roger Thompson: "We expect that they have achieved their aim of building a fairly bullet-proof botnet, and will now simply farm it, which means they'll probably harvest credit card numbers, bank accounts and identities from as many victims as possible, and then do it all again."
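The nmap command above produces one smb-check-vulns block per host, and on a network of any size you want the flagged hosts pulled out rather than read by eye. The following is an added example, not part of the original post and not nmap's own code: it parses nmap's normal-format output and lists every host whose check came back VULNERABLE or INFECTED. The sample output is constructed to resemble the script's report layout (the check names MS08-067 and Conficker are the ones the script prints; the addresses and verdicts are made up), and the exact wording of a real scan may differ by nmap version.

```python
"""Pull flagged hosts out of nmap smb-check-vulns output (added example)."""
import re

# Constructed sample of nmap normal output for three hosts; not a real scan.
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for 10.0.0.5
Host is up (0.0012s latency).
PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

Host script results:
| smb-check-vulns:
|   MS08-067: VULNERABLE
|_  Conficker: Likely INFECTED

Nmap scan report for 10.0.0.7
Host is up (0.0020s latency).
PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

Host script results:
| smb-check-vulns:
|   MS08-067: NOT VULNERABLE
|_  Conficker: Likely CLEAN

Nmap scan report for 10.0.0.9
Host is up (0.0015s latency).
PORT    STATE SERVICE
139/tcp closed netbios-ssn
445/tcp closed microsoft-ds
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
# Script result lines look like "|   NAME: VERDICT"; the last one starts with "|_".
CHECK_RE = re.compile(r"^\|_?\s+([^:]+):\s+(.*)$")


def parse_smb_check_vulns(text):
    """Return {host: {check_name: verdict}} for hosts that have smb-check-vulns output."""
    results = {}
    host = None
    in_script = False
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            host = m.group(1)
            in_script = False
            continue
        if line.startswith("| smb-check-vulns:"):
            in_script = True
            results.setdefault(host, {})
            continue
        if in_script:
            m = CHECK_RE.match(line)
            if m:
                results[host][m.group(1).strip()] = m.group(2).strip()
            if line.startswith("|_"):  # "|_" marks the final line of a script block
                in_script = False
    return results


def flagged_hosts(text):
    """(host, check, verdict) for verdicts of VULNERABLE or INFECTED.

    'NOT VULNERABLE' and 'Likely CLEAN' are deliberately ignored."""
    bad = []
    for host, checks in parse_smb_check_vulns(text).items():
        for check, verdict in checks.items():
            v = verdict.upper()
            if ("VULNERABLE" in v and not v.startswith("NOT")) or "INFECTED" in v:
                bad.append((host, check, verdict))
    return sorted(bad)


if __name__ == "__main__":
    # Real use: nmap ... -oN scan.txt, then read scan.txt instead of the sample.
    for host, check, verdict in flagged_hosts(SAMPLE_NMAP_OUTPUT):
        print(f"{host}\t{check}\t{verdict}")
```

Feed it the file written by `-oN` on your own scan; hosts with no smb-check-vulns block (ports closed, host down) simply do not appear, so compare the host count against your asset list before trusting a clean result.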
FAA Security Issues
I fly a lot, so you can imagine that when I read the following in Network World, I was less than ecstatic: "'Literally, we're an unlocked door and a whole lot of open windows, no pun intended,' said David Bowen, the FAA's assistant administrator for Information Services and Chief Information Officer last week. But that was just one observation Bowen offered up as a frank evaluation of the agency's security systems, citing numerous problems he and others are tasked with fixing."
The Government Accounting Office agrees they have issues. The problem is that this report is from year 2000, when are they going to get them fixed? According to Slashdot they were hacked last month, but they are looking into it. In 2007, the Internet Storm Center reported a system crash stranding passengers, a year later it happened again, actually they have always had problems. Still feel OK? According to the FAA, the Boeing 787 is vulnerable to hack attacks.
[April 2, 2009] Two days till fly day, on Kauai
Sun is shining, need to enjoy some of the weather. On a conference call where we have been debating the implementation of code for 30 minutes, everyone's points are valid, but it seems drawn out.
Fred Cohen & Associates put out a new Analyst's paper on Risk Management, only two pages, and it is worth the read. The title is "There are no black swans"; the concept is that we do not handle low probability, high consequence potential events well (as an example, a terrorist fires a nuclear device as an air burst creating electromagnetic pulse which destroys all computers anywhere near the event). They also point out that we need to differentiate fairly random events from human motivated events.
PCI Briefing for Cybercrime at US House of Representatives
Chairwoman Clarke: "In light of the rising number of publicly reported data breaches, Chairman Thompson launched an investigation to determine whether the PCI Standards have been effective in reducing cybercrime. The results of this investigation suggest that the PCI Standards are of questionable strength and effectiveness" [for decreasing cybercrime and data theft]. I found this, and also http://blogs.verisign.com/securityconvergence/2009/03/review_of_pci_congressional_he.php , at Anton Chuvakin's blog.
My analysis of the Rockefeller-Snowe Cyber Legislation
I was supposed to be packing to leave for Washington DC, but someone saw my Twitter request for a copy of the proposed legislation; here are some quick reactions off a first pass. I look forward to a longer read and deeper consideration.
Section 1 is the table of contents
Section 2 is an analysis of the problems that we face, the material is accurate and not overstated with two exceptions, the Katrina and 9/11 references do not add either taste or accuracy.
Section 3 is the Cybersecurity Advisory Panel. That seems to make sense, we need for the government to get wise cross disciplinary counsel.
Section 4 is the rapid establishment of a security dashboard. Well, as long as they take meaningful measurements that might be handy, else FISMA act III.
Section 5 is the establishment of non-profit State and Regional security centers. I have some concerns that this will be a boondoggle, but would love to see a pilot.
Section 6 NIST standards. NIST is great and I love a number of the SP-800 documents, but they are often too high level to be truly measurable. This could work and it could be great, but there would have to be a focus on actually measuring.
Section 7 Mandatory licensing within three years to do work for the Feds. OK, this is one place I have some special insight. I do a fairly big chunk of the DoD 8570 training and oversee the certification results from a GIAC perspective. Doing this for all federal employees just isn't going to happen in three years unless it really gets some high level support and people make some hard decisions. Also, to use the current training / certification paradigm would be prohibitively expensive. However, if a few groups like CompTIA, GIAC, ISACA and ISC were to put country first and differences last, there are ways to do this. You would have to create a thousand certified trainers in a pretty short span of time, but it could be done. Or, we could go lowest common denominator and focus on Security + as the first objective, but I would like to raise the bar just a bit higher.
Section 8 All DNS contracts would be subject to review by the Section 3 Advisory panel. I am not sure that helping IANA will make things better, but would love to understand why we feel the government can do a better job of running the name space.
Section 9 Secure DNS W00T! Preach it, let's make sure we do not lose sight of this objective!!!
Section 10 Promote Cybersecurity awareness. Just don't spend too much money, you can't secure stupid. NIST SP 800-50 is an already existing well thought out master plan, so no big boondoggle, let's just go do it.
Section 11 Advance research, I like the problems they want to have people work on:
- How to deploy systems that are secure from the get-go
- How to test that sw is fairly flaw-free
- How to verify sw only does what it is supposed to do
- How to guarantee privacy
- (and other equally challenging and relevant problems)
- This was followed by a lot of stuff related to money that I did not understand.
Section 13 Cybersecurity competition, a way to identify talent, sounds good
Section 14 Public-Private Clearinghouse. Sadly I do not think it can work; the government agencies seemed to have all been absent on the day they taught sharing in Kindergarten
Section 15 Cyber Risk Management report, best tip I have is: ask Dr. Fred Cohen to have a shot at reviewing it, and maybe Nassim Taleb as well
Section 16 Legal Framework Review, yup, this probably needs doing, we have a bunch of laws, some of which we enforce, some we don't
Section 17 Civil liberties review, I wish this had gotten a few more sentences, but agree this is important
Section 18 Cybersecurity Responsibilities and Authority, a few more collateral duties for the President, good thing he has a Blackberry to keep him on track
Section 19 Quadrennial Review, makes sense to take stock of our situation from time to time
Section 20 Joint Intelligence Review, sounds classified
Section 21 International Norms and Deterrence, does anyone remember 1999 when the Russians wanted to talk about cyber detente? We should have talked!
Section 22 Secure Products and Services Acquisitions Board - this is something NIST and OMB are pretty nifty at, could be a blessing
Section 23 Definitions, I finally got to learn what cyber means
[April 03, 2009] Last full day on Kauai
Nice day, bit of Kona in the air, not much wind, but hopefully Kathy and I can steal some time to ride our bikes in the afternoon. We have the monster list needed to manage leaving for two and a half weeks, and we are counting down.
Musings on federal certifications.
If, in fact, the government requires certification, they will probably look at the DoD 8570 program for guidance since it has so much operational field experience. I think they did a number of things right, could tune up a few things, but that is what pioneering is all about. One decision 8570 made is to go with commercial certifications; the government might be able to get to market with a government-only certification, but probably can't maintain it well over time. Here are my thoughts based on the 8570 paradigm. All of this is highly biased personal opinion, but keep in mind that you can count on one hand (and have fingers left over) the number of people that have as much face time with 8570 candidates as I do.
| Level | Information Assurance Technical (IAT) | Information Assurance Management (IAM) |
|---|---|---|
| 4 | GSE (any technical) | GSE Compliance, (ISC)2 ISSEP |
| 3 | GIAC GCIH/GPEN or Certified Ethical Hacker or ISACA CISA | GIAC GSLC |
| 2 | GIAC Security Essentials / (ISC)2 CISSP | ISACA CISM, (ISC)2 CISSP |
| 1 | CompTIA Security+ | CompTIA Security+ |
Notes on the technical track
Level 1 should be CompTIA and they should stay Level 1. This is their classic strength: if you cannot earn a Security+, you cannot play in this game.
Level 2 should be GIAC Security Essentials for people that are more technical (have some form of hands on role) and CISSP for people that are listed as technical, but have more of a policy role.
Level 3 should be the journeyman level where journeyman is defined as a person that can do their job with minimal supervision. These tend to be GS-12s in government, although that varies widely; if you are in Washington DC, they tend to be GS-12s and in some backwater location, GS-11s. They should have the "500" level cert that matches closest to their job. I only listed a few here, but with an industry survey, I think there would be a number of commercial certifications that would work here. This link takes you to the SANS 500 level courses as an example.
Level 4. This is where 8570 missed the boat. They really did not think about the go-to person. The person that has strong technical responsibilities and functions as the "engineer" or architect. The credential needs to be hard to get and something that only the best can achieve. The GSE is a good example of this.
Notes on the management track
Level 1 should be CompTIA, they teach the foundational terminology and concepts. This is all the security some government managers should need to know. As I have been teaching 8570, I sometimes have managers that have no security responsibilities.
Level 2 is a great place for the CISSP and CISM. Neither really covers the pragmatics, but both have a lot more coverage of the terminology, concepts and theory of security than the Security+.
Level 3 is the GSLC. It covers 100% of the Security+ in fact it is certified by CompTIA as a Security+ course. It covers over 70% of the CISSP material and then has additional material. It is also being submitted to the NSA CNSS for CNSSI certification. We incorporate as much of the NIST SP 800 guidance as possible. It is more pragmatic/real life applicable than the CISSP/CISM. It also addresses the management issues.
Level 4, these are placeholders to be honest. What we need is a high quality course and certification that covers the Consensus Audit Guidelines (CAG) and the compliance issues related to this.
[Saturday April 04, 2009] Fly day, goodbye Kauai, hello Washington DC
Nice day, not too windy, no rain, but have to fly. Had a cup of Kona coffee to start the day, cleared out my email, and am packed except for my electronics. Read The Shack last night, don't know if I like it or not, conflicted, but that is some powerful writing; it is an account of a hurt man's encounter with Elohim God. Leave for the airport in a little over an hour.
John Gilligan on the Consensus Audit Guidelines:
MEMORANDUM TO THE CONTRIBUTORS AND REVIEWERS OF THE CONSENSUS AUDIT GUIDELINES
FROM: John M. Gilligan (on behalf of the Consensus Audit Guidelines editorial team)
We want to thank you for your continuing interest in the Consensus Audit Guidelines initiative. The thirty-day public comment period concluded last week. During that period, we received over 60 sets of comments from individuals and organizations. The overwhelming majority of the comments were extremely positive endorsing both the concept of focusing on a subset of security controls as well as the specific set of controls identified in the draft document. The paragraphs below provide a brief summary of major comments as well as the next steps for this initiative.
While almost all of the reviews were generally very supportive of the initiative, many provided helpful general observations and recommendations. In some cases specific wording changes were supplied. The latter were greatly appreciated. Some general comments suggested the need to clarify the purpose of the Consensus Audit Guidelines initiative as well as its relationship with legislative efforts and NIST publications. Based on comments received, we will make some minor changes to the title and the introductory materials of the document to clarify the purpose. The new title will be “Twenty Most Important Controls for Continuous Automated Cyber Security: Consensus Audit Guidelines”. The text will also clarify the intent is specifically to focus on technical controls, rather than physical controls, and known attack patterns, rather than potential future attack patterns. Moreover, we will clarify that the most significant difference between the Twenty Most Important Controls and NIST control guidelines efforts is the fact that the Twenty Most Important Controls intentionally leave out many controls that are included in the NIST publications for the express purpose of prioritizing near term attention. In addition, the authors of the controls specifically designed the set of controls to address internal as well as external threat patterns. We will endeavor to make this clear in the revised document.
As you have noted, Senators Rockefeller and Snowe introduced legislation earlier this week that, in part, parallels the objectives of the Twenty Most Important Controls. Their bill includes requirements to field controls tied to attack patterns, and requires NIST to identify controls that are "continuously measuring the effectiveness of a prioritized set of security controls that are known to block or mitigate known attacks". We may also see the reintroduction of the FISMA 2.0 legislation that had very similar wording.
We anticipate having a revised document that incorporates the comments by the end of April. We will make available a version that shows changes made as well as a summary of comments received. With the strong endorsements received during the open comment period and with the improvements resulting from the many comments, we will approach the CIO Council to recommend they sponsor a set of near term pilot implementations. In addition, we are planning a series of workshops that would focus on identifying requirements for automated tools that would support the individual controls. GSA is looking to use these requirements to award government-wide contract vehicles that would ideally provide multiple tools for each control, as appropriate.
We greatly appreciate the time and energy you have contributed to this important effort. The consensus process is a powerful tool to accelerate our collective efforts to improve the security of our cyber systems. We look forward to a continuing dialogue.
/* Stephen Northcutt's comments, the draft has been available at www.sans.org/cag, might want to snarf a copy in case they take it down. Overall this seems like a positive effort and a step forward. If you read Marcus Ranum's post then you know we need to keep trying to step forward. */
[Sunday April 5, 2009] In position at the Westin Washington D.C (no thanks to United)
Cherry blossoms are cherry blossoming, as our cab pulled into DC, I saw hundreds and hundreds of people running. Whenever I see that I look at the back of the line to see if a dinosaur or alien is chasing them as that is the only way you are going to get me to run. No dinosaur, apparently something called a Marine Corps Marathon. I am burnt, didn't sleep on the planes, but finished a really good book, How We Decide by Jonah Lehrer. The movie on flight 317 was Yes Man with Jim Carrey. I have never been a really big Jim Carrey fan, so watched a bit, but mostly read my book on how the brain makes decisions. I have been thinking about flawed decision making a lot lately. Lucky to be here, the trip started under a bit of a cloud back in Lihue Kauai. United boarded our plane, flight 317 a bit late. Then we sat there and sat there and finally the captain made an announcement that he didn't know what was wrong either. Then fifteen minutes later they announce they are trying to figure out who is going to fly the plane to San Francisco and who was going to fly to Los Angeles. Apparently one of the planes had a mechanical problem and one of the pilots did not feel comfortable flying it. So we got off of our plane and got on the plane originally bound for San Francisco. Our pilot apologized and frankly stated there had been some poor decision making. Needless to say, my connection to Dulles was now long gone. United tried to be nice, they did not charge for food, so I had the chef salad which would normally be nine dollars and one glass of wine. A couple folks really took advantage of the free liquor, but I wanted to read my book. Kathy and I were aisles across and we scored exit rows. My seatmates were a nice couple, he was active duty Army National Guard so we thanked them for serving our country. 
I knew I was screwed and didn't want to get shuttled to an LAX hotel for the night, so I called Diane before they shut the aircraft door and asked her to see if there was anything she could do and to please text or email me if there was and I would check my phone as we landed in LAX.
Sure enough, Diane managed to get us on a later flight, so I write this from the Westin City Center 1400 M Street NW. It is an OK hotel, but very noisy, it is one of those open floor plans so there is always the sound of echoing. You hear excited kids in the daytime and drunks at night. Reminds me of the Westin in Christchurch NZ. I am going to try to get a nap after I post my blog for the day. Turned on a classical music station as white noise since the hotel is so noisy. As we were landing at LAX, I pulled up Diane's SMS on my phone, gate and departure time, perfect. I then briefed my seatmates to get to customer service as fast as you can, do not stop for the bathroom, just get in line. I let them off the plane in front of me and Kathy and I headed that way. I got in line at customer service and Kathy got in line at what we hoped was our gate. United only had one person working customer service after screwing up an entire plane. Kathy got to the head of the line first, so I joined her, there was even one upgrade seat available so we put Kathy in the front of the plane. Wouldn't you know it though, the National Guard couple saw what we did and got in our line losing their place in the customer service line. They will be sleeping in a hotel near LAX and eating breakfast from a voucher for sure. As I say, I have been thinking about flawed decision making a lot lately. The crew on flight 644 to Dulles was very attentive, I didn't score an exit row this time, but they came by with water multiple times. There was a school trip, maybe sixty kids so the flight attendants had their hands full, but they did a fine job. The movie was Marley and Me, I am normally a sucker for a dog movie, but this just did not work for me, but I had a book so it wasn't an issue.
Kathy just tried to get a shower at the Westin and the shower door is kind of sticky. The reason: broken glass. We found it in the shower, on the bathroom floor and the carpet. And don't blame us, we just got here. Yikes!
Tonight is the reception for @sanlogman sponsored by LogRhythm, I will try to get a nap so I can be fresh and do the meet and greet. If you are there, please make a point of chatting with me.
Consensus Audit Guideline SW Security Summit Focus on Automated Tools
I usually know what is going on around SANS, but I just noticed this yesterday. April 29, they have a summit in Washington at the Marriott Wardman Park (one of my favorite conference hotels) on software security with an emphasis on automating auditing. Sounds pretty exciting, I am double booked, or I would try to show up. The agenda is here. The basics:
- The Consensus Audit Guidelines is emerging as the new federal standard for how to secure and audit IT security
- One of the 20 controls in the CAG is Application Software Security – how to proactively protect your applications with web app scanners, code scanners, web firewalls and by developing secure code in the first place – bake security into the application
- On 29 April we will host a summit to discuss current best practices in AppSec with the ultimate goal of determining the best tools and practices to implement the CAG
- The gathering will include industry thought leaders and practitioners including: Alan Paller of SANS, Bob Martin of Mitre, Conrad Vessy of NSA, Jeremiah Grossman of Whitehat, several federal CIOs and CISOs that will tell how their organizations operate and vendors available to discuss their tools
- This is a chance to
o Hear best practices and to be involved in the development of the processes and selection of the best tools to protect our IT systems
o Be a thought leader in your organization on this new standard
[Tuesday April 07, 2009] On Train #89 from Washington DC to Richmond VA
The Log Summit went well. The highlight for me was a panel discussion on the Consensus Audit Guidelines with Eric Cole, Mike Poor, Chris Brenton and myself, moderated by Alan Paller. I was lucky to get a word in edgewise, but I learned a few tips. The most important was to monitor outbound traffic for the user agent, most malware has its own user agent. The Westin tried, but they are a goofy hotel, I would not pick them for a meeting, there was a big black hair on the top tortilla for the speaker lunch and many other similar hotel sins. We did eat at two restaurants worth mentioning, the Thai Tanic, very popular with the locals; we were not smart enough to set up a reservation so we ate at the bar; they had reasonable prices, good service, and good food. Last night we splurged and went to Il Mulino of New York on Vermont St., DC, pricey, but absolutely fabulous. I had the Red Snapper with Seafood Sauce, Kathy had the filet, which was super-tender and smothered in a porcini sauce. It is rare for me to go to a restaurant where the food is better than I can cook, but this scores. We also have been to the one in Orlando, they are both similar, but different. It was the first time I ever saw a Captain's tip line on a bill; according to this web site that should be about 5% of pretax.
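The panel tip about watching outbound traffic for the user agent is easy to turn into a log check. What follows is an added example, not part of the original post or of any SANS material: it reads outbound web-proxy log lines, compares each User-Agent string against a baseline of the browsers you actually deploy, and reports the clients that sent anything else. The log line format (timestamp, client, method, URL, status, quoted user agent, loosely Squid-like) and every line in the sample are constructed, and the baseline set is an assumption you replace with the user agents your managed desktops really send.

```python
"""Flag non-baseline User-Agent strings in outbound proxy logs (added example)."""
import re
from collections import defaultdict

# Constructed outbound proxy log lines; addresses are documentation ranges.
SAMPLE_PROXY_LOG = """\
1238900001.123 10.1.1.20 GET http://www.example.com/ 200 "Mozilla/5.0 (Windows; U; Windows NT 5.1) Firefox/3.0.8"
1238900002.456 10.1.1.21 GET http://news.example.org/ 200 "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
1238900003.789 10.1.1.22 GET http://update.example.net/chk 200 "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
1238900004.012 10.1.1.22 POST http://203.0.113.45/check 200 "Mozilla/4.0"
1238900005.345 10.1.1.22 POST http://203.0.113.45/check 200 "Mozilla/4.0"
1238900006.678 10.1.1.23 GET http://cdn.example.com/a.js 200 "Mozilla/5.0 (Windows; U; Windows NT 5.1) Firefox/3.0.8"
1238900007.901 10.1.1.24 GET http://198.51.100.9/r.txt 200 "SvcUpdater/1.0"
"""

# timestamp client method url status "user-agent"
LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d{3}) "([^"]*)"$')

# Assumed baseline: the exact user-agent strings your managed browsers send.
# Build this from a week of logs for known-good hosts, then keep it current.
KNOWN_BROWSER_UAS = {
    "Mozilla/5.0 (Windows; U; Windows NT 5.1) Firefox/3.0.8",
    "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)",
}


def parse_log(text):
    """Yield (client, method, url, user_agent); malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            _ts, client, method, url, _status, ua = m.groups()
            yield client, method, url, ua


def unknown_user_agents(text, known=KNOWN_BROWSER_UAS):
    """Map each user agent outside the baseline to the clients and URLs that used it."""
    hits = defaultdict(lambda: {"clients": set(), "urls": set()})
    for client, _method, url, ua in parse_log(text):
        if ua not in known:
            hits[ua]["clients"].add(client)
            hits[ua]["urls"].add(url)
    return {ua: {"clients": sorted(v["clients"]), "urls": sorted(v["urls"])}
            for ua, v in hits.items()}


def suspicious_clients(text, known=KNOWN_BROWSER_UAS):
    """Sorted list of clients that sent at least one non-baseline user agent."""
    clients = set()
    for info in unknown_user_agents(text, known).values():
        clients.update(info["clients"])
    return sorted(clients)


if __name__ == "__main__":
    for ua, info in unknown_user_agents(SAMPLE_PROXY_LOG).items():
        print(f"{ua!r}: clients={info['clients']} urls={info['urls']}")
```

A client whose normal browser traffic is in the baseline but which also emits a bare or home-grown user agent (10.1.1.22 above) is the case the panel tip is about; legitimate updaters and monitoring agents will show up too, so expect to add those to the baseline after confirming what they are.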
Most interesting thing I saw on Twitter today: "googleRT @SarahM - Google's Jim Gerber at #bsec09: 2009 expected to be the first year in which Internet-enabled phones outsell PCs." Interesting, I wonder how long it will be till I can use a cell phone instead of a laptop, I don't find the iPhone to be a suitable replacement.
Anyway, traveling on the train is luxurious. I have my laptop plugged in, I get to see the area between Quantico and Richmond, much of which is along the Potomac, it brings back so many memories of commuting on the train while writing Network Intrusion Detection first edition, and also sea kayaking and sailing with Kathy. It will be nice to spend a few days in Richmond. My Verizon modem has only dropped carrier once, which is incredible. The buds are on the trees, redbuds are already showing color, the cherry trees in Washington DC were at their peak, it is definitely springtime in Virginia.
On Social Media:
Larry Walsh has posted an article that Twitter is Dead: "Social networks don't become obsolete, but rather irrelevant. The major social networks share many things in common: functionality, features, presentation, etc. What they also share is that they wither if they don't attract enough users and they fall out of favor once they exceed a critical mass of users. MySpace peaked when it signed more than 75 million users. Facebook is done now that it's approaching 200 million worldwide. As they'd say on 'Happy Days,' Facebook and MySpace still do what they've always done; they've just 'jumped the shark.'"
I dunno. I think Twitter is going to prove to be a news source more than anything else, a way for millions of people to post news. I am excited to see what happens at RSA, I expect there will be a lot of blogging, twittering and the like. OTOH, maybe the 140 char limit will do it in, just saw the flutter video, too funny. There is a discussion on LinkedIn about Facebook. "How do you control Facebook in companies? Heard this question from a friend. Can't think of any other than user awareness training or block it completely." Here are a couple thoughts:
To define your solution, sit down and understand the problem that you are trying to solve. If it's just blocking access to Facebook, any of the solutions posted could work for you.
Local: block it in HOSTS file, use K9, block at personal firewall, etc.
Network: Block on firewall, router ACL, proxy, gateway, etc.
Internetwork: Bluecoat, Surfcontrol, WebSense, etc.
If you need to be a little more granular or less heavy-handed than outright banning site access, you should consult a vendor or consultant once you have defined your problem. Cheers!
My suggestion is that maybe, at least for the present, HR should create a stub page for all employees so an outsider can't spoof. Since anyone can create a FaceBook page with any name, someone could spoof as an employee. Ain't social media grand *grin*
[Thursday April 09, 2009] Working in Richmond Virginia
Yesterday we had a social media call. I got blindsided big time. Mason asked to have the call set up (I think) and then could not make it. There was no agenda and I ended up in the lead with my boss on the line. The good news is that we all survived, plus it will make a good "always have an agenda" story for my classes. We also have a basic plan. In the spirit of better late than later, we are going to get an official blog.
The Economy
Lots of crazy news in my inbox. Toyota is going to restructure US operations, bringing Yoshi Inaba out of retirement. Wells Fargo is talking about a profit, yes, that is right, a bank talking about a profit. The bank of England is holding rates at half a percent. Commodities, a key indicator of both recovery and inflation, are flat. Investor sentiment is still bearish, and there is a ton of money on the sidelines. Consumer confidence has only been this low twice since 1979. Housing prices continue to fall. Global shipping is nudging upwards. What does this all mean? I think we are finally about at the bottom. Stock prices historically lead the recovery by several months. We will still see a few profit-taking sell-offs of course, but on the whole I think the recovery is at hand. However, I do not see how they are going to contain inflation. My own investment portfolio is not optimized for inflation at all.
Security News
According to Federal Computer Week, President Barack Obama today said he intends to nominate Robert “Rand” Beers to lead the Homeland Security Department’s National Protection and Programs Directorate. Air Force Gen. Kevin Chilton, commander of the Strategic Command, plans to hold military to military talks with the Chinese about cybersecurity. GSA is excited that Martha Johnson is returning.
[Friday April 10, 2009] Happy Birthday Suzy Northcutt
Kathy and I are still hunkered down in Richmond, it just did not make sense to go back to Hawaii from the Log Management Summit. I enjoyed doing the research for the keynote. I think it went well, I am trying to incorporate some of the tips from the Exceptional Presenter into my delivery style so I try to think back over the details.
My next research areas will be privacy. I feel better about Twitter than I did a week ago, because I now realize Twitter can be a super source of content. One of the people I follow uses the handle PrivacyProf and she is a wealth of information. To get up and running on Twitter, all you have to do is create a Twitter account and then search for people or click on the link in this note. I notice that the Internet Storm Center is over 1,800 followers and SANS is bumping 600, so it takes time, but this may work out. According to this blog, the US Govt is experimenting with Twitter. Also, here are some tips Steve Peterson shared with me:
SANS is coming to Halifax
We are going to run an experiment and try a security course in Halifax. We will run SANS Security Leadership Essentials. If you know someone in Eastern Canada or the Northern USA that would benefit from a security management course, please let them know about it.
[Saturday April 11, 2009] Two more days in Richmond VA
Richmond is incredible, I can't get over the amount of shopping. We are near Short Pump and they have a store for everything, a Franklin Covey, Charles Schwab, you name it, it is here. What is most amazing though are the supermarkets: Whole Foods, Trader Joe's ( I like it the best so far), Fresh, (if you don't have time to prepare a meal, you should visit Fresh), and I have truly enjoyed cooking while I am here. Kathy and I have agreed to keep the house minimalist. A few antiques from Antique Mall, including fold-up desks for both of our laptops (did I mention they have tons of antiques here?), a bed, a day-bed in case a guest comes over. I can't wait till I have enough time to visit Caravatis and get a few special architectural features. We also have designed the art for the house. Everything will be original digital prints. We just need to decide where everything should go and order everything. Maybe I will take a break from writing and do that.
Twitterology
I have learned a bit more about Twitter, hope this is not old hat for you, but I am catching up as fast as I can. Twitter was the first to announce the crash of Continental 737, by survivor Mike Wilson. When water ice was found on Mars by the Phoenix lander, the report was released on Twitter. ATT used Twitter during a service outage to keep customers updated. All of that was learned from twitterurly. Twitter is not just for kids, middle aged people seem to like it too. Someone feels Google wants to buy Twitter.
Another tool is search.twitter.com, you should probably check on your name at least weekly and any brands associated with you. Yesterday, I did a search and found:
I hear Stephen Northcutt said at SANS Log Management summit: 85% SIEM installs are “deployment restarts”? http://bitly.com/1a2moJ
Which is close, but not entirely accurate, so I replied with the fact, it was a quote, and my source. And also:
Security Shorttakes:
DNS and TCP Internet security researcher Jack Louis died of smoke inhalation in Sweden.
Blog: commentary on the Rockefeller-Snowe cyber security legislation (so far I am avoiding press questions because I know so little)
Lenny Zeltser loves mind mapping tools (makes one of us)
[Sunday April 12, 2009] Last full day in Richmond VA
Happy Easter, got up, drinking some coffee, if all goes well we will show up at Calvary Chapel Richmond. I have always been on travel, so Hunter and Kathy are joking the pastor doesn't believe I exist. I plan to say I only come to church on Easter. Not sure how I ran into this, but a woman jumped the enclosure at the Berlin Zoo, went swimming with a Polar Bear and got bit. OK, back to stuff that matters.
Outrage! Marcus Luttrell, US Navy SEAL, sole survivor of a firefight in Afghanistan, found his dog Dasy (an acronym for his lost comrades) lying in a ditch. She'd been shot in the left shoulder. He tracked the killers down and made a citizen's arrest. When I first heard the story I was concerned it was a spoof, but according to the news, this is not an isolated incident. Not sure if you remember his story, but he was the sole survivor of a major Taliban attack. While doing recon, they ran into two goat herders and had to decide whether to kill them or not. They let them go and apparently, the goat herders turned them in. He did a video later talking about how war is not black and white.
Cyber Insider Threat
Darkreading ran a story about the insider threat not being considered enough, they also reference a study by Redshift. The problem is that an insider has access and knowledge; if they have motivation to do harm, they can often destroy the business. Some of the poster children for insider attacks include Nick Leeson, Jerome Kerviel, John Walker, Roger Duronio, Terry Childs, Danielle Duan, and Jon Paul Oson. In general, insider attacks do not require much technical sophistication, they are planned in advance, and financial gain or revenge is a common motive. A CERT/Secret Service study indicates about 20% were perceived as disgruntled employees and over 25% had prior convictions, so background checks get the nod here, and over half the attacks took place from the workplace.
Fraud
The following section is background for updates I am doing to my course, SANS Security Leadership Essentials. It has a fraud section that I have never been entirely happy with. There are many types of fraud.
Card not present fraud
According to Silicon.com, "The value of card-not-present fraud - which covers transactions made by phone, internet or mail order where no physical card is handled by the retailer - also rose year-on-year. Apacs found card-not-present fraud totalled £328.4m last year - up 13 per cent since 2007's £290.5m - and now makes up more than half of all card fraud in the UK." Visa sells a service called CyberSource, designed to reduce online fraud, as does Fair Isaac. One of the online fraud detection techniques is called geolocation: if someone is placing an order, where is the IP address located? One vendor that sells this service is Quova; according to their press release, "Six of the eleven vendors listed in the Magic Quadrant report have integrated Quova's IP geolocation data in their risk monitoring, card-not-present fraud detection and multifactor authentication solutions. These include Oracle Corp., RSA, The Security Division of EMC, VeriSign (NASDAQ: VRSN), Accertify, Arcot Systems, Inc. and Guardian Analytics." Other Geolocation services include: http://www.ip2location.com/, and http://www.ipligence.com/geolocation/.
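To make the geolocation check concrete, here is an added example (not from the original post or from any of the vendors named above) that scores a card-not-present order by comparing the country of the client IP with the billing and shipping countries, and flags addresses from a known anonymizer range. The CIDR-to-country table and the anonymizer range are constructed from RFC 5737 documentation prefixes, and the scoring weights and review threshold are assumptions; a real deployment would feed in a commercial geolocation database and tune the weights against its own chargeback history.

```python
"""Geolocation risk scoring for a card-not-present order.

Added example, not code from the original post or any named vendor. The
lookup table, anonymizer range, weights and threshold are all constructed
assumptions for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed CIDR -> ISO 3166 country table using RFC 5737 documentation
# prefixes. Commercial providers sell much larger, maintained tables.
GEO_TABLE = [
    (ipaddress.ip_network("203.0.113.0/24"), "US"),
    (ipaddress.ip_network("198.51.100.0/24"), "GB"),
    (ipaddress.ip_network("192.0.2.0/24"), "RO"),
    (ipaddress.ip_network("192.0.2.128/25"), "NL"),  # more specific prefix inside the /24
]
# Constructed: address space assumed to be an open proxy / VPN exit.
ANONYMIZER_NETS = [ipaddress.ip_network("192.0.2.128/25")]

REVIEW_THRESHOLD = 3   # assumed: total score at which an order goes to manual review
HIGH_VALUE = 500.0     # assumed: amount above which other flags weigh more


@dataclass
class Order:
    client_ip: str
    billing_country: str
    shipping_country: str
    amount: float


def _parse(ip_text: str) -> Optional[ipaddress._BaseAddress]:
    """Parse an IPv4/IPv6 address; None if the string is not an address at all."""
    try:
        return ipaddress.ip_address(ip_text.strip())
    except ValueError:
        return None


def geolocate(ip_text: str) -> Optional[str]:
    """Longest-prefix match of the client IP against GEO_TABLE; None if unknown."""
    addr = _parse(ip_text)
    if addr is None:
        return None
    best = None
    for net, country in GEO_TABLE:
        if addr.version == net.version and addr in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, country)
    return best[1] if best else None


def is_anonymizer(ip_text: str) -> bool:
    """True if the client IP falls inside a known proxy/VPN egress range."""
    addr = _parse(ip_text)
    if addr is None:
        return False
    return any(addr.version == net.version and addr in net for net in ANONYMIZER_NETS)


def score_order(order: Order) -> Tuple[int, List[str]]:
    """Return (score, reasons). Higher score means more likely fraudulent."""
    score, reasons = 0, []
    billing = order.billing_country.upper()
    shipping = order.shipping_country.upper()
    ip_country = geolocate(order.client_ip)
    if ip_country is None:
        score += 1
        reasons.append("ip_country_unknown")
    elif ip_country != billing:
        score += 2
        reasons.append(f"ip_country_{ip_country}_ne_billing_{billing}")
    if billing != shipping:
        score += 1
        reasons.append("billing_ne_shipping")
    if is_anonymizer(order.client_ip):
        score += 3
        reasons.append("anonymizer_ip")
    # A high-value order only matters if something else already looks off.
    if order.amount >= HIGH_VALUE and reasons:
        score += 1
        reasons.append("high_value_with_other_flags")
    return score, reasons


def decide(order: Order) -> str:
    """Map the score onto the only two outcomes this example models."""
    score, _ = score_order(order)
    return "review" if score >= REVIEW_THRESHOLD else "accept"


if __name__ == "__main__":
    samples = [  # constructed orders
        Order("203.0.113.10", "US", "US", 50.0),
        Order("192.0.2.200", "US", "US", 900.0),
        Order("198.51.100.7", "GB", "FR", 120.0),
    ]
    for o in samples:
        print(o.client_ip, score_order(o), decide(o))
```

The longest-prefix match matters: a /25 carved out of a /24 and reassigned to another country must win over the broader entry, which is exactly the kind of stale-data error that makes raw geolocation an unreliable sole signal. Treat the output as one input to a risk decision, not as a verdict.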
Online auction fraud
Online auction sites such as eBay are a major source of fraud; this article tells you what to do and has resources to get you up to speed. Here is another good set of online auction safety tips.
Work at home fraud
Wikipedia has a great article on fraud, including the work at home fraud, "Fraudulent schemes often use the Internet to advertise purported business opportunities that will allow individuals to earn thousands of dollars a month in "work-at-home" ventures. These schemes typically require the individuals to pay anywhere from $35 to several hundred dollars or more, but fail to deliver the materials or information that would be needed to make the work-at-home opportunity a potentially viable business. Often, after paying a registration fee, the applicant will be sent advice on how to place ads similar to the one that recruited him in order to recruit others, which is effectively a pyramid scheme. Other types of work at home scams include home assembly kits. The applicant pays a fee for the kit, but after assembling and returning the item, it’s rejected as substandard, meaning the applicant is out of pocket for the materials. Similar scams include home-working directories, medical billing, data entry (data entry scam) at home or reading books for money." No surprise many people are fooled, the websites look professional and, of course, some opportunities are legit. Here are some sample websites:
Here are some resources that can help you learn a bit more about work at home scams:
Investment Fraud
Everyone has heard of Madoff and his Ponzi scheme that wrecked so many lives and even caused a suicide. But Madoff is far from alone. Marc Dreier may have swindled less money, estimates range around $380 million, but did it with a rare flair and put over 250 attorney employees at risk. He is currently under house arrest. Citibank has been charged with irregularities if not a full-on Ponzi. What is a Ponzi scheme? According to Wikipedia, "The scheme is named after Charles Ponzi, who became notorious for using the technique after emigrating from Italy to the United States in 1903. Ponzi did not invent the scheme (Charles Dickens' 1857 novel Little Dorrit described such a scheme decades before Ponzi was born, for example), but his operation took in so much money that it was the first to become known throughout the United States. His original scheme was in theory based on arbitraging international reply coupons for postage stamps, but soon diverted investors' money to support payments to earlier investors and Ponzi's personal wealth." Other recent examples include Shawn Merriman, 46, of Aurora, Colorado, who ran a Ponzi scheme and used $30 million in investor money to buy classic cars and Rembrandt masterpieces. The jury is still out on Mr. Stanford, "Stanford Group sold $8 billion in self-styled certificates of deposit while telling clients their funds would be placed primarily in easily sold financial instruments monitored by more than 20 analysts and audited by Antiguan regulators, according to the SEC." According to Felix Salmon, "A couple of factual points here: firstly, the SEC is "conceding" nothing. All they're saying is that the overwhelming majority of Stanford's funds disappeared into a "black box" controlled by Stanford and his CFO, James Davis. Now, given that it's hard to simply obliterate $8 billion, that money had to go somewhere, and I daresay some of it wound up being "invested" in some form or another."
Weizhen Tang, 50, of Toronto, the "Chinese Warren Buffett," faces federal charges of running a Ponzi scheme that targeted primarily Chinese-Americans and has left millions of dollars unaccounted for, the Securities and Exchange Commission announced Monday. Tang raised between $50 million and $75 million from about 200 investors for his Canada-based hedge fund, Oversea Chinese Fund Limited Partnership, and operated a Ponzi scheme with the hedge fund since at least 2006, the SEC said. According to the Department of Justice, "John Anthony Miller, 51, of San Clemente, pleaded guilty today to mail fraud in relation to the Ponzi scheme, as well as bribery, passport fraud and identity fraud charges resulting from his attempt to procure a fraudulent passport and flee the country after his scheme collapsed. From 2000 through November 2008, Miller operated a Ponzi scheme through his Newport Beach-based investment companies, JAM Jr. Enterprises and Forte Financial Partners. Miller promised investors “guaranteed” annual returns of between 10 percent and 18 percent per year, telling investors that their money would be invested in foreign currency trading, oil wells, real estate and other vehicles. During the course of the scheme, Miller provided investors with monthly account statements that falsely represented they were earning the promised returns. In fact, Miller had never earned any real profits from his investment activity and, in the pattern of a typical Ponzi scheme, used money from some investors to make Ponzi payments to other investors. Over the course of his scheme, Miller defrauded more than 200 people out of more than $15 million, taking millions of dollars that his victims had initially invested in IRA retirement savings accounts."
That is enough examples. Some may prove to be just bad investors instead of criminals, but I am sure you get the idea. What do all of these stories have in common? Greed on the investors' part. Each of these investment opportunities promised higher returns than normal. In fact, that is exactly what should have brought Madoff down. Another investor, Markopolos, was able to analyze Madoff's returns versus his stated methodology and deduce his returns were impossible. Here are a couple of web sites to help you avoid investment fraud.
The AT&T Outage and its implications
The media is abuzz about hackers penetrating SCADA systems and that is important. But what is much more relevant is the AT&T, and just about every other communications provider, outage in California. According to CNET, "Police told the newspaper that four AT&T fiber-optic cables were severed shortly before 1:30 a.m. PDT along Monterey Highway north of Blossom Hill Road in South San Jose. A cable in San Carlos, Calif., owned by Sprint Nextel was also cut about two hours later, Crystal Davis, a Sprint spokeswoman confirmed." Now, AT&T is raising their bounty to $250k, also from CNET, "AT&T has increased its reward to $250,000 for information that will help law enforcement arrest and convict vandals who cut the company's fiber-optic cables in San Jose, Calif., on Thursday, the company said in its Twitter feed." I applaud AT&T and to be honest, I would not be so frugal if I were calling the shots at a big communications company. Perhaps you remember the Mel Gibson movie Ransom, but sometimes you have to raise the stakes. You see, it will always be possible to cut fiber, all it takes is a bolt cutter, so the deterrence needs to be off the charts. When I say it should be death penalty at a minimum, you think I am a cruel person perhaps, but think about the implications of disabling 911 emergency calls in California over a long period of time and over a large land mass. We can be as concerned as we want about hackers getting into the SCADA system and truly it is important, after all we have the famous documented case of Vitek Boden in 2000, a disgruntled employee in Australia that hacked a SCADA system to release sewage. Well folks, now we have another case, low tech hackers with bolt cutters shutting down the infrastructure in California. I wonder what the loss estimates are going to be, a billion dollars easily, probably ten times that and, more important, how many lives that could not be saved while 911 was down.
[Monday April 13, 2009] In position for #sanstysons
Before I left Richmond, I got to handle one of the new Ruger Mini 14s, major improvement in quality since I had last handled one. I am not really a big gun guy, but we have a wild pig problem on our farm. We are going to have to do something! We took a hired car from Richmond VA to Tysons Corner. Spring is really busting out in Virginia, the redbuds and dogwoods are at their peak, there is that new growth gentle green on all the hardwood trees. Taking the car was a mistake, they were nice, but it was expensive and I-95 and I-495 both had traffic jams. I guess what I will do is expense what the cheapest solution would have been, taxi to the train station, train, taxi to Tysons, but we are packed heavy because this is a long trip. I tweeted that we were coming up and Rob Lee is going to meet us for dinner, how cool is that?
The Sheraton is a nice place, our room was clean and big enough. There is a cell tower close so I didn't bother trying the in-room Internet, my Verizon EVDO card is what I use most of the time these days. Nice size closet, flatscreen TV, what's not to like?
I received an email from ISSA today, they are honoring various people that have been important to security. I like these kinds of things, but you have to force integrity, it can become an Old Boy's Network really fast. Here is the summary:
Among the honorees are six professionals who will be recognized for their lifetime achievement by being inducted into the association’s Hall of Fame, the most prestigious tribute ISSA bestows upon an information security practitioner. This year’s honorees include: Mary Ann Davidson, Chief Security Officer, Oracle; Steve Hunt, CEO, Hunt Business Intelligence; Lynn McNulty, President, McNulty and Associates; George Proeller, Adjunct Professor, Colorado Technical University; Ron Ross, Senior Computer Scientist and Information Security Researcher, National Institute of Standards and Technology; and Roy Wilkinson, Chief Security Officer, ImagiTech.
Association volunteers inducted into the Honor Roll for sustained contributions to the Information Security community, the advancement of ISSA, and the enhancement of the professionalism of the membership, include: Bart Moerman; Elio Molteni, Security Solution Strategist, CA; Allen Scalise, President, Great Lakes Networks; and Brian Schultz, Senior Director, Information Assurance, Battelle Memorial Institute.
Mark Johnson, Chief Information Security Officer, Vanderbilt University, has been selected as the Security Professional of 2008 for his outstanding service to the Middle Tennessee Chapter and overall contributions to ISSA. MITRE Corporation will be honored for its long-standing support of the information security profession and ISSA chapters, and Sharon Ehlers, Principal Information Systems Security Engineer, Argotek, Inc., will receive the President’s Award for Public Service for her significant contribution to the development of Intelligence Community Directive 503.
The really amazing thing is that I do not know any of these people personally. I have heard of some of them. I think that I met Ron Ross and George Proeller at one point, but we are not connected. Yet I get out more than just a little bit, and my LinkedIn account has over 600 connections. Oh well, it shows how big of a community we have become. And folks, even though I do not know you, my hat is off to you and please keep doing what you are doing to make the world just a bit safer.
[Tuesday April 14, 2009] Management and Leadership Competencies Complete #sanstysons
I had a small, but very interactive class. Looking forward to my primary course. It was a rainy day, drizzle mostly, made everything soft. Had a great conversation with Mike Murr about whether blogging and social media was effective. Met with Johannes Ullrich at dinner to talk about some fine points of the gold program.
Looks like North Carolina might be leaning towards requiring a Private Investigation license to do digital forensics. Feel free to post, twitter, retweet or just say tut tut. A meeting today with a member of the Senate Judiciary Committee resulted in the conclusion that, absent persuasive input from attorneys, the bill requiring digital forensic specialists to obtain a license regulated by the NC Private Protective Services Board will more probably than not be enacted.
A meeting with the Judiciary Committee chairman is being attempted. A meeting has been scheduled with the House bill sponsor tomorrow.
The ABA Resolution author, Jody Westby, spoke at length with the Chair of the Judiciary Committee, Senator Hartsell, to express the concerns of the ABA. Senator Hartsell promised to make copies of the Resolution to distribute to the committee members at the hearing scheduled for Thursday, 16 April.
Presenters I have communicated with will first request exemption. If that request meets with resistance, then presenters will submit substitution language exempting DFSs if they are working under supervision of individuals already licensed by NC (attorneys, courts, accountants, etc.) but also requiring the following of those DFSs not working under supervision:
1. A nationally recognized certification which has:
- a. A written and practical examination of skills
- b. A code of professional ethics.
- c. An ethics board which reviews violations.
- d. A regular recertification process.
ACTION REQUESTED: I think it prudent that the organizations represented in this working group act IMMEDIATELY to prepare and email a joint letter to the committee members. We do not have time for you to obtain board approval. The letter should be emailed no later than noon, Wednesday, 15 April.
You have to be willing to take the authoritative bull by the horns and step up to sign on behalf of your organization, or we risk losing the licensing issue in North Carolina.
Organizations might also want to consider reaching out to their memberships and request letter writing campaigns. I have an Excel file with bill sponsors/committee members contact info for both House and Senate.
[Wednesday April 15, 2009] Teaching #sanstysons, disturbed
I realize many people feel that blogging is all emotion, but I try to share a lot of facts. However, when I see the United States Government shooting itself in the foot and selling us out to the Chinese it hurts. I googled "Skills Incentive Program". The number one hit was: www.usaid.gov/policy/ads/400/467mae.pdf
The overall idea is sound, give people more pay for skills. The government agency that did this was USAID, overall fairly squared away. State Department has done the same thing. So why am I ticked off? On page 10 of the .pdf it lists the GSE for a 10% pay increase. They call it the GIAC Security Engineer while the GSE stands for GIAC Security Expert, but whatever. But look how they paired it. The GSE is in the same category as:
- Microsoft Certified Systems Administrator (MCSA) in Windows 2000 or 2003
- Bachelor’s Degree (IT related)
- Information Systems Security Professionals Certificate (NSTISSI No. 4011)
- Global Information Assurance Certification (GIAC) Security Engineer (GSE)
- Nortel Certified Support Specialist (NCSS) - The following three exams are required for this certification: Technology Standards and Protocols for IP Telephony Solutions; Communications Server (CS) RIS 4.0 (or higher) Hardware Installation and Maintenance; and Communications Server (CS) RIS 4.0 (or higher) Software Installation and Maintenance
- Federal Communications Commission (FCC) General Radio Telephone License (Elements 1 & 3)
- Building Industry Consulting Service International (BICSI) Installer Level 2
- International Information Systems Security Certification Consortium (ISC2) Certification and Accreditation Professional (CAP) credential and CompTIA Security + (both certifications are required)
- ISC2 Systems Security Certified Practitioner (SSCP)
- Master CIW Web Site Manager
- Master CIW Administrator
What does it take to get a GSE? Three other GIAC certs, two papers and a three day hands-on certification. Do any of the listed cert peers remotely compare? No! What would be a reasonable choice out of the 18 or so GIAC certs to be in this list? The GSEC. Are you familiar with game theory? This was a brilliant move. Since there are only 14 or so people that have successfully passed the GSE, by listing this with MUCH lower level certifications, it shuts GIAC out of being part of the Skills Incentive Program at USAID and also, it appears, State Department. I refuse to get on my soapbox to talk about how GIAC certifications stack up in the world of information security, but I will state this was a dirty deed, approaching criminal. If you know GIAC and you accept that a GIAC cert happens to be a valuable indicator of information security skill, the persons who engineered this sold out their own country. That means they are traitors. Need proof this matters? Have any doubt we are losing the cyberwar? Let's talk, firstname.lastname@example.org.
[Thursday April 16, 2009] #sanstysons
David Shackleford did his amazing history of hacking talk tonight, brilliant!
This came in the mail box, not sure if it is a good idea, but certainly worth knowing about:
- United Alert® transforms emergency alert systems into a free web accessible notification service for everyone. Florham Park, New Jersey - April 15, 2009 - United Alert (www.UnitedAlert.com) has taken a leap towards changing the individually sold, average alert system into a unified, feature-rich, website for the public. The system was uniquely designed as a group communication service for government, schools, corporations and even personal use. No one should be without proper emergency notification abilities due to tight budgets during these economic times. United Alert has made this service free to all federal, state, local government and school entities nationwide to improve homeland security and unify the nation's emergency alerting and response.
- The service is not limited to public security information, but is a one stop shop for any notification needs. Being available to all parties, anyone can create their own groups to broadcast text messages and emails for social networking, modern marketing and more. With United Alert, communication is enhanced during critical times via mass notification in real time. Messages for your designated group, safety alerts, scheduled notifications and reminders can be sent from the United Alert website or from your mobile phone.
- Federal, state, local government and schools can visit the website and create their own groups to start informing their communities of important announcements. A corporation can create a private group to notify their employees during critical times or disaster recovery situations, a local store can create a group in order to notify customers of real time deals, or perhaps a little league coach or school may find it helpful to create a group in order to notify parents of schedule changes or rain dates.
- The public can also submit crime tips by text or email via the "Homeland Security Tip" submission feature. By creating a group and getting your community involved, United Alert can help you put thousands of eyes and ears on the streets looking for suspects. Once tips are submitted from the general public, United Alert is applied as a real "intelligence fusion center" in which law enforcement can share the intelligence gained from the public with other law enforcement officials and states. Vital tips and comments can be forwarded through the United Alert website.
- Members are also given the opportunity to participate in the Human Emergency Grid™(HEG), a collaborative effort in which the general public can volunteer their professional expertise to government entities during emergencies or critical times. United Alert - A breakthrough in the mass notification arena with a unique approach to emergency alerting. United we stand...join United Alert today! www.UnitedAlert.com
[Monday April 20, 2009] #rsac finally in position
Reception is in three hours, have not registered yet, but in position at the Hilton. Heavens, this place brings back memories, I must have been in this hotel at least forty nights over the years; I wish we still ran events in San Francisco. The line for the Innovation Sandbox is out of control, so Kathy and I grabbed lunch at David's, the food is still terrible, unhealthy and overpriced, but I love the atmosphere. This is a get in, get out operation for me, but I will try to spend some time at the SANS booth; if you want to tweetup, drop on by.
Laura and she gave me permission to share. Keep in mind that she is one of the true experts in certification and accreditation, so I was excited to read what she had to share. One important comment though, the CAG cannot be a SANS thing, it needs to be a community thing, SANS is willing to help, to throw resources at this, but it needs to be about community:
- I am confused about the mission and the purpose of the CAG. For example, based on what was stated in several SANS NewsBites, it appears to me that one purpose of CAG is to use it as a vehicle to disparage FISMA and to try to dissuade U.S. federal agencies from paying attention to NIST SP 800-53 Rev 2…and I have to say that I don’t really think that is a good idea. I am not convinced that everyone in the infosec community is that tuned in to how C&A and FISMA works at U.S. federal agencies though I know many people have a lot of opinions on FISMA and government security. For example, it seems that there is a misconception that to comply with FISMA, one only fills out pieces of paper and that vulnerability scans and penetration tests are never done and that code checkers and fuzzers are never used. It is possible that some agencies do not perform vulnerability scans, penetration tests etc… However, I have never been part of a C&A process that did not include that kind of security testing. FISMA does specifically state that security controls have to be tested and so if they are not tested, it is really a violation of FISMA, and the system should not gain an Authority to Operate and should not be accredited. The word “testing” is used in many places through FISMA.
- Since it has been mapped to NIST 800-53 Rev 2 security controls, CAG appears to be targeted primarily to U.S. federal agencies. However, probably 80% of the U.S. critical infrastructure is in the hands of private industry. It’s my understanding that some of the folks at NIST believe that due to the fact that CAG is mapped to 800-53, Rev 2, CAG might confuse federal agencies on how to comply with FISMA. While FISMA may not be perfect, it is at least regulated which means that someone is auditing something, and there is an effort being made to make it better, and to make it work, and to see if people are doing what they are supposed to be doing. There is a huge amount of private industry that is completely unregulated when it comes to information security and in my opinion that is a great big accident waiting to happen. Regulation appears to be based on the idea of companies self-regulating using the strategy “Let’s try not to screw up so we don’t lose our customers.” When I worked in private industry, every place I worked had security break-ins and they went largely unreported and never made it to the news. No auditors came in to see if the problems were ever fixed. Even though some of these were publicly traded companies, no one from the SEC ever came in to see if the problems were fixed. One company I worked at told prospective customers one thing about security, when the reality of how things were set up as far as security went was really another thing…and the only thing to legally create compliance was the contract between the customer and the company.
- Though things like Sarbanes-Oxley and Gramm-Leach-Bliley and HIPAA exist, how many cases have you read about that companies have been cited for violations of SarBox, GLB, or HIPAA? Hardly any. Also, those regulations do not apply to a large part of private industry critical infrastructure.
- Another problem that requires clarification is that there are lots of government networks connected to private industry who are in turn connected to other companies and other industries that do not need to comply with FISMA, GLB, SarBox, or HIPAA. In my experience, the only time private industry ever tries to comply with FISMA is if the requirement for compliance is written into a contract. However, many contracts do not mention FISMA.
- Since FISMA 2008 (S.3474) has been introduced, I was wondering if CAG was an attempt to influence that bill in some way. Due to some comments in SANS NewsBites, I was also wondering if there is a goal to get federal agencies to stop using SP 800-53 Rev 2, and to start using CAG instead. However, I don’t think that will ever happen due to a number of reasons. First, SANS is a private company that is certainly trying to make a profit. There is nothing wrong with that of course since to stay in business, that is a good idea. However, private companies cannot make laws since that would be a conflict of interest. I don’t think the government will ever abandon FISMA/NIST for CAG simply because SANS is a for profit company.
- While the critical controls defined in CAG might be good ones, I would really like to see the mission and purpose of CAG clarified answering the questions:
  - Who specifically was it written for?
  - Why was it written?
  - Who should use it?
  - Is there any connection between CAG and S.3474?
  - Who in private industry should use CAG?
- Other items that I think are unclear about CAG are:
  - Is it a goal to try to get government inspectors to see if agencies comply with CAG?
  - If agencies start using CAG, how will we know if they are in compliance with CAG?
- If it is not possible to check if anyone is in compliance with CAG, then government agencies probably will not use it because government agencies tend to do only those tasks they have to do based on audits from inspectors.
- I think you will get the widest audience for CAG if it is written to apply to the largest number of systems and networks possible so that it appeals to more than just government networks. There are some facets of private industry that are trying to set up compliance programs. Last year I did an audit of an e-mortgage compliance program for a very large financial institution. They really could have used some guidance because their compliance program was not too well thought out (but I give them credit for trying to start the program and it was certainly better than no compliance program at all). Even in private industry, for CAG to work, it needs inspectors/auditors to check to see if people who use it have in fact complied with it according to its intent.
- As far as the NIST C&A methodology goes, it is only one way to comply with FISMA. Some agencies use DIACAP, some use NIACAP, some use NISCAP, some use DCID 6/3, some use ICD 503, and I actually think some are still using DITSCAP even though they likely should be using DIACAP instead. Some agencies use a hybrid of several of these methodologies. I’m not sure that anyone in Congress really understands that. The Government Reform Committee has a new Chair, and based on what the trade rags publish about FISMA, I can only imagine that the new Chair is completely confused about how FISMA actually works or doesn’t work. While some industry experts suggest that there is a goal to get all government agencies to comply with FISMA, or security, the same way, I am not hopeful that that will ever happen. If we cannot even get a group of people within one agency to agree on how to do things one way, how can we get all the agencies together to agree to do things one way? My experience has been that if one government agency wants to do things one way, and another government agency wants to do things another way, there is no stopping them.
- Another thing I thought I’d mention is that for the FISMA Center CFCP exam, there is no requirement to memorize the names of any of the NIST SP 800-53 Rev 2 security controls. The reason for this is that in my opinion, memorizing monikers does not mean you understand security concepts or can understand how to improve government security. Also, monikers and acronyms can change.
- One thing I teach in my FISMA classes is that I tell students FISMA was designed to make you think. There is no one-size-fits-all such that you can push a button on a scanner and make yourself compliant. There are some things that scanners, fuzzers, and penetration testing do not pick up. For example, let’s say an auditor came in and wanted to know how often users were re-certified for the purpose of removing accounts that were never activated, and to check to see if employees that no longer worked there have in fact had their accounts disabled/removed - there is no automated tool that will tell you that. The auditor needs to get a list of who the employees are that have left, and then check to see if they still have live accounts. That is just one example.
- I think that improving security is always a good thing. The more people that CAG can be used to motivate to take actions on computer security, the better off we all will be.
- Not sure if any of that is helpful or not.
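The account reconciliation the correspondent describes above (departed employees who still have live accounts, and accounts that were never activated) can be scripted once the auditor has the two lists in hand. This is an added example, not code from the original post; the HR departure export and directory export below are constructed sample data, and the column names are an assumption.

```python
import csv
import io
from datetime import date

# Constructed sample HR export of departed employees (hypothetical columns).
HR_DEPARTURES_CSV = """username,last_day
jdoe,2009-03-15
asmith,2009-04-01
mlee,2009-02-01
"""

# Constructed sample directory export; an empty last_logon means the
# account has never been used (never activated).
ACCOUNTS_CSV = """username,enabled,last_logon
jdoe,true,2009-03-10
asmith,false,2009-03-30
bjones,true,
cwhite,true,2009-04-20
"""


def load_csv(text):
    """Parse a CSV export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def audit_accounts(hr_rows, account_rows, as_of):
    """Return (departed users with enabled accounts, enabled accounts never logged on).

    A departed user who no longer appears in the directory (mlee above) is the
    correct outcome and is not flagged.
    """
    departed = {r["username"] for r in hr_rows
                if date.fromisoformat(r["last_day"]) <= as_of}
    still_live, never_used = [], []
    for acct in account_rows:
        if acct["enabled"].strip().lower() != "true":
            continue  # disabled accounts are what we want to see
        if acct["username"] in departed:
            still_live.append(acct["username"])
        if not acct["last_logon"].strip():
            never_used.append(acct["username"])
    return sorted(still_live), sorted(never_used)


def run_audit(as_of=date(2009, 4, 21)):
    """Run the reconciliation over the constructed exports."""
    return audit_accounts(load_csv(HR_DEPARTURES_CSV), load_csv(ACCOUNTS_CSV), as_of)


if __name__ == "__main__":
    live, unused = run_audit()
    print("Departed users with enabled accounts:", live)   # ['jdoe']
    print("Enabled accounts never logged on:", unused)     # ['bjones']
```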
[Tuesday April 21, 2009] #rsac pressing the flesh
I got to #rsac at 4:30 P.M. April 20, it took me three attempts to get a badge that let me be a speaker, delegate and exhibitor. In fact, I had to social engineer the security guards to get into the show room floor before 6 P.M. I went to the Innovation Sandbox and totally did not get it, but have a demo card from one of the vendors that I might try. Last night I helped work the SANS booth, also tried to connect with as many people as I could. Then Brian Correia, Kathy and I went to dinner with Thomas Dawkins, Sr. Group Product Manager, Trustworthy Computing, Microsoft. They are putting a lot of energy into something they call end to end trust. They have a set of papers written by a number of really heavy hitters in the security world. I have some concerns since this impacts both anonymity and traceability, but I am open to considering a dialog.
As always, I caught up with a number of folks from every walk of life and that is fun. I also try to look for new trends; I think one of those trends is increasing use of cell phones and especially PDAs for authentication, especially two factor authentication. For instance, consider the following Tweet:
danielrm26: Phuck yeah! Verisign now has a soft VIP token that runs on iPhone and Blackberry! #infosec #rsac
In a fast paced walkthrough, I noticed two vendors that appear to be startups who have authentication via phone:
So, how was the show today [April 20]? Well, here is one post:
I felt the show reception had decent crowd density. At first, many attendees were more focused on getting food or prize gifts than finding technology, and, of course, later, once they have had a few drinks, they don't make as much sense. One thing I noticed was a lack of stars. At the SANS booth we had Rob Lee, Stephen Northcutt, Ed Skoudis, Jon Ham, John Strand, and Kevin Johnson, in and out and on and off. I went to Tripwire, no Gene Kim. nCircle, no TK. LogRhythm, no Chris, and on and on it went. Now I must say, Secunia was packing heavy with their stars and from a walk by, I think Norman was as well, but that was not generally the case.
What is your point, Stephen? In the past, many frameworks for security had items that did not directly map to exposure OR level of difficulty to repair. What is needed is a framework that keeps all of this and more in consideration. However, all of the current frameworks have a large exposure to opinion. Even with majority rule, opinion is not a strong platform to base security training on.
Hilton Hotel notes
Ate breakfast this morning at the Hilton San Francisco's Urban Tavern; worst service for a breakfast buffet ever in my history of hotels, zero coffee refills. Tipped 6.5% which is the lowest I will go. I know the server has to eat, but jeepers, my server was terrible and when you serve an overpriced buffet ($30 for hot food), you have to refill the coffee. The hotel though, is a true flagship, mostly it is firing on all cylinders, good security presence, no long lines for check in, efficient taxi, clean room. As I said before, I have spent at least forty nights in this hotel in my life, and I would certainly come back.
More RSA News #rsac
The SANS booth is getting good traffic and the SANS faculty who are presenting come by often. If you are a member of the tribe, it is a great place to tweet up. I will also be in the RSA speaker lounge some of the afternoon getting ready for my talk, "Lessons Learned: Endpoint Security - What Works and What Does Not," 5:40 - 6:30PM HOST-108, Location: Purple 304.
Met with Sunil Bhargava, CTO of Intellitactics, and Jamie French, Sales Engineer, to take a close look at their SAFE products. These are appliances designed to get operational quickly and give full log management capability. Their focus is both ease of use and full capability. Really interesting, I hope I get to learn more.
The most novel thing I have seen today is the Altor Networks product; it is a firewall for the virtual space. I hope to learn more about it as well. Rich Mogull from Securosis was kind enough to stop by for a second in the speaker room. He says the Imperva visualization stuff rocks; I like Imperva and will try to swing by and get a look for myself. If you are going to the SC Awards tonight, please look for me, I will be in a black tux, accompanied by a tall lovely woman (with long blond hair, in a Calvin Klein black gown) who I happen to be married to. Plus, we have a table, so ask for the SANS table. OK, need to grab some kind of food and get back to it.
Gene Kim (@RealGeneKim) posted: "Thought "Wow! Tons of glam and glitz this year @ #RSAC." Then realized I was in the Ad/Media conference next door..." I made the same mistake, I think that conference would be fun! Gene, I would love to shake your hand if you are around, went by Tripwire booth a couple times.
[Wednesday April 22, 2009] Home to Kauai
The sun was out when we first got home, but cool air has been coming in for the past hour. I feel like I have been run over with a Mack truck, so very tired; Kathy, the wiser of the two of us, is taking a nap. Winning the RSA SC Magazine awards for best security training last night was a hoot. As they were reading the candidates, I asked the folks at my table if they would join me on the stage if we won. They said they would, awesome. All in all, there were eleven of us on the stage: Johannes Ullrich, Marcus Sachs, and Alan Paller, who were not at our table (we got Marcus via an SMS message). From our table we had Brian Correia, Dennis Kirby, Ken Cole and SANS instructors Stephen Sims, Rob Lee, Ed Skoudis, Jeff Frisk and myself; 11 guys in tuxedos, that sent a message. I don't think most people realize just what the SANS Institute is capable of. We have some very big names in the industry and a lot of bench strength in terms of developing writers, researchers and instructors. Afterwards, I got to speak with Shawn Carpenter, he is really happy at NetWitness. I saw Amit, but was not able to make contact. NetWitness also won an SC award.
Today, the Internet Storm Center and Pauldotcom earned several awards from the RSA Social Security meetup, here are a few Twitter snippets, then off to bed for me:
edskoudis Total congrats to @pauldotcom, @haxorthematrix, & @strandjs on a well-deserved victory for best podcast. Thanks for all the insight and fun!
johullrich nice! @sans_isc is winning RSA Social Security Award for Tech Blog. Thanks handlers! (even if we still refuse to call it a blog ;-) )
haxorthematrix WE WON! Thanks to all who voted for us, and thanks to all of the other podcasts. We owe it all to you, our listeners and podcast community.
pauldotcom We are winners of the RSA Social Security Awards Best Security Podcast! Thanks to everyone, especially all you listeners!
Retweeting a few more RSA Tidbits #rsac
JDeLuccia My ranking of GRC type solutions: Archer Tech, Symantec, RSAM, and last is CA .. based on demos, materials, staff, and #RSA dialogues
JDeLuccia The team of Prevx at #RSA is just as impressive as I suspected ...
threatpost Secunia pushes for standard to patch consumer apps http://tinyurl.com/dlosyc
mroesch AT&T is executing a fail whale, 2 minutes from dial to ring, 3G is flakey as a pie crust #rsac
http://thingsyoushouldnottwitter.com/ (off topic, and warning, adult humor)
bigdata: #rsac Diff between sys admin and data mining: MSFT & NSA plan similarly-sized facilities in SA, MSFT=75 FTE's, NSA=1500 http://bit.ly/yNZr
[Thursday April 23, 2009] Loose ends
Dodgy reporting from Silicon.com
I noticed the following:
If you want to make sure your systems are safe from hackers, you've got to test, test, test, says Quocirca's Fran Howarth.
"The top two threats facing organisations today are web-based applications and end users, according to information security researcher the Sans Institute. Vulnerabilities affecting web applications account for almost half of the total weaknesses seen, Sans says. They are being exploited to convert trusted websites into malicious servers that can launch client-side exploits that are usually delivered via a web page or an email, such as in phishing scams. Considering the large number of vulnerabilities that are found in web-based applications, it is of great importance that security is built into applications early on in the software development lifecycle - and that they are tested regularly to identify and remove flaws as soon as possible."
OK, but SANS is all capitals, not Sans. I have to wonder if this reporter actually spoke to anyone at all or whether she falsified her sources. I found her on LinkedIn and asked, we will see if we get a response.
More RSA Retweets as it winds down #rsac
JDeLuccia This morning's circus was well worth it - met an awesome entrepreneur on return flight from Reputation Defender http://twurl.nl/zklcqg:
threatpost Attackers becoming an industry of their own http://tinyurl.com/csh6jy
mroesch Immunet and PixlCloud were two interesting early-stage startups I learned about
lennyzeltser Weighing mere 3 grams, this tiny 4-8GB flash drive makes losing and leaking data easier than ever :-) http://tr.im/jwJO
mroesch Last day of RSA for me, what a week! Cool things I saw -> Glasshouse/Splunk integration, Ironkey managed USB drives
BillBrenner70 RT @CSOonline column: Has RSA Jumped the Shark? http://www.csoonline.com/ar... <BTW, it was great seeing all my Twitter friends!
benrothke Met a cool company today at RSA #rsac - Tufin Software Technologies - http://www.tufin.com/
rwestervelt: Security Wire Weekly Special Edition: Kaspersky sees Internet IDs ahead. http://bit.ly/vT3GS #RSAC
mediaphyter: Security Bloggers Meet-Up Pics! (thanks @bill_pennington). Flickr: http://bit.ly/1401bN and Facebook: http://bit.ly/nZk5E #rsac
[Friday April 24, 2009] Trying to live Hawaiian style
So much travel, so much technical stimulation. I hope Kathy and I can slip out to the farm today. It will be rainy so we will need to be careful; it gets really slippery, and I once had to show up at a conference with a huge black eye from a fall. Gotta go though, the great squash is probably trying to choke out my fruit trees and that cannot be allowed to happen. I gave the squash a serious haircut before I flew on this trip, but everything happens faster in the rainforest. How big is the squash? Quarter acre or so; it is an invasive food producing vine, lovely if you can keep it under control. Can't swim in the ocean, too cold, too much rain, the runoff brings heavy bacteria counts. I want to be in the ocean so very much.