Tuesday, August 19, 2008

Friday, August 15, 2008

Good Blog Entry

http://taosecurity.blogspot.com/2008/08/more-threat-reduction-not-just.html

Thursday, August 14, 2008

Document Release and the SCAP Conference

Yesterday, NIST released two documents. One is the update to SP 800-60 (Vol 1 and Vol 2), which helps system owners identify information types and the things to consider when categorizing a system.

The other is draft Interagency Report 7511, which describes the process that a tool must go through in order to be SCAP validated. The emphasis is on validated: beware that there are, or could be, tools that claim to be compliant but are not validated. Validated means that an independent, accredited lab has run the product through the validation requirements.

A cursory review shows me that IR 7511 will help all of us understand the criteria for being SCAP validated. I say cursory because I have no intention of going through this document in the near future. It is clearly written for vendors who want to get their product tested, and they can use it as the starting point for their requirements management process. Also, their QA teams will certainly implement it before they spend money on testing.

Also coming up is the annual SCAP conference. I went to last year's and it was generally good, and I will be going again this year. So, if you aren't going and you want to know what happened, leave a comment. If you are going and feel like ranting at or with me, contact me directly: cyberhiker -at- gmail -dot- com.

Wednesday, August 13, 2008

OMB Memo 08-22

It is about FDCC compliance, and it offers no new content for me. I am also a day or two late in posting it.

http://www.whitehouse.gov/omb/memoranda/fy2008/m08-22.pdf

The interesting part is on page 4:
Revised Part 39 of the Federal Acquisition Regulation (FAR)
On February 28, 2008, revised Part 39 of the Federal Acquisition Regulation (FAR) was published which reads:
PART 39-ACQUISITION OF INFORMATION TECHNOLOGY
1. The authority citation for 48 CFR part 39 continues to read as follows: Authority: 40 U.S.C. 121(c); 10 U.S.C. chapter 137; and 42 U.S.C. 2473(c).
2. Amend section 39.101 by revising paragraph (d) to read as follows:
39.101 Policy.
* * * * *
(d) In acquiring information technology, agencies shall include the appropriate IT security policies and requirements, including use of common security configurations available from the NIST's website at http://checklists.nist.gov. Agency contracting officers should consult with the requiring official to ensure the appropriate standards are incorporated.
I think this has been implied for quite some time, but this is the first time I have personally taken notice of it. Take note of the first four words of the paragraph: "In acquiring information technology". Not software, not hardware; that is everything. Outsourcers, be prepared!

In other news, the C5 auditing platform by Secure Elements has built in some functionality to be "green", and that isn't President's Management Agenda green, it is TreeHugger green. For which I am happy. Why? I compost, I recycle, I garden organically, and I have a TerraPass for 25 tons of carbon per year to offset the cars and house. I bought a laptop based on its energy rating, all my lightbulbs are CFLs, and I am currently on a quest to reduce my vampire power consumption. So yay!

That's all I have for now.

Friday, August 8, 2008

I am messing with some new templates for the blog, so there may be some issues, since I am cheap and won't buy one, and I won't spend the time to develop my own.

Please bear with me while I find one I like.

More Commentary from the Unknowing

I am not certain what the point of this article started out as:

http://www.scmagazineus.com/Is-FISMA-fizzling/article/113025/

But I am fairly certain that someone said, "Go write something about FISMA." For me, it is additional aggravation. Why? Let me tell you.

They ask the same people the same questions every time expecting a different result. Albert Einstein said it best.

FISMA is a paperwork drill at a minimum; properly applied, it can actually benefit the organization. Like most things, you reap what you sow. If you believe it is a paperwork drill, then that is what you get. If you believe that value can be driven by:
  • requiring that a set of controls be implemented;
  • testing against that set of controls;
  • identifying risks based on a control's lack of implementation;
  • strengthening the controls now that you know the risks;
  • tracking residual risks throughout the life cycle of the system;

then you may perhaps see some return.

My opinion is that those who think a paperwork drill is sufficient should consider changing their tune, because it won't be long before someone expects real risk management.

Think about it: 800-60 is to FIPS 199, and 800-53 is to FIPS 200, as 800-39 is to ...?

Wednesday, August 6, 2008

Well Ok!

The laptop in San Francisco has been recovered.

http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9111839&intsrc=hm_list


I suppose what bothers me the most is that OMB has a one-hour requirement to report the loss. In this case, the loss occurred on July 26th and we only really found out on August 4th. Now, as if by magic, it has been found.

I am hoping that at some point, the truth about where the laptop was for

Tuesday, August 5, 2008

Another Stolen Laptop

A vendor to the Transportation Security Administration lost a laptop from a locker.

Details: http://www.washingtonpost.com/wp-dyn/content/article/2008/08/04/AR2008080402703.html

No Comment.

Friday, August 1, 2008

The Federal Information Infrastructure Response Enhancement Act

Apparently, when it rains it pours. I picked up this link this evening:

http://www.nextgov.com/nextgov/ng_20080801_2626.php

I suppose what scared me the most when I read this little article is this line:

"Members of the federal information security community have been involved in shaping the bill..."

Which means vendors. I also think the CISO council that they want formed will need to meet at defined intervals and have smaller working groups inside that structure.

Lastly, there is this idea of DHS running a red team. Why not fund each IG with the ability to do real audits? Or the GAO? Then there won't be any of this "DHS isn't going to look at my stuff" business. I agree that the red team would have to be so big that managing it would be close to impossible.

We'll see though. My final thought, based on what little information I have here, is this: let's treat the problem, not the symptoms. What I mean is, why can't they legislate better risk management rather than running some more scans?

You know why ... vendors sell scanning tools, not solid risk management processes and procedures. I'm just saying.