Monday, May 31, 2010

Happy Memorial Day!

In honor of those who have and do serve our country, Happy Memorial Day!
A special shout out to Grandpa Burton who served in Europe (where he earned a Purple Heart during the Battle of the Bulge) and Grandpa Baker who served in the Pacific.

To my Dad and uncle who served during the Vietnam era, Semper Fi!

Last but not least my friends Mike Smith-Gulf War 1 (from EOUSA), Mike Smith-Afghanistan (from Guerilla CISO fame) and Ferguson, thanks for your more recent service.

Tuesday, May 25, 2010

On Greed and Complianciness

Disclaimer: This post is not inspired by any past or present events in my work or personal life. The opinions expressed here are mine and not necessarily those of any of my employers, customers, vendors or organizations with which I affiliate.

With the Gulf Coast becoming another environmental disaster while we are still recovering from the financial meltdown, I can't help but think about the parallels between having a well-run information security program and compliance. You must know by now that I am an advocate of the work NIST has done as a result of FISMA. It has led to the many 800-series documents, which have helped many organizations, despite what the haters may say. We need compliance and compliance frameworks; without them, nothing will happen.

BP was not required to have the secondary piece of equipment, so they didn't put it in. Now look what happened. Wall Street gambled with people's mortgages and livelihoods, and the taxpayers (in the form of the Federal Reserve and the bailouts) have financed the losses.

In the same vein, why would an agency or department spend taxpayer money on security when it isn't required to? Especially with a deficit and a push to contain costs. It wouldn't. Congress had to mandate it.

I'm not trying to make a political statement. I am saying that without compliance programs and frameworks, a company would do nothing. Without the threat of fines from compliance or public relations disasters, a corporation has no incentive to do ... anything.

So here again, let us not blame compliance for failures that happen because a company practices complianciness. We should also not be surprised when an organization chooses the path of least resistance and doesn't put resources towards a real information protection program.

Friday, May 7, 2010

Attention Cloud Fanatics

The Bureau of Engraving and Printing web site is back up. I am not sure when it came up, but I thought I would conduct my own uninformed lessons learned.

My initial impressions: The cloud has the same problems that other platforms do.

I am not a cloud apologist, but I think we can all agree that application security sucks as a general rule and that not enough people are listening to OWASP.

So while I would love to throw "cloud" or outsourced services under the bus, this is an application vulnerability that could happen to any site. It is a "failure to assess" as opposed to a "failure to communicate".

There is a decent wrap-up of the whole thing here. My problem with that story is the last paragraphs, which talk about staying patched and using anti-malware software. But at least he agrees that it isn't necessarily cloud related.

The bottom line for me is that "it's the basics, stupid". Cloud, not cloud, embedded, virtualized, whatever. It all comes back to the same types of problems, and there is no easy fix.

Tuesday, May 4, 2010

This Week in Gov't Computing

And by "this week" I mean today, yesterday and part of last week.

It has been exciting though. Agency CIOs will now be required to report to OMB via CyberScope by November 15th. This is all laid out in OMB Memorandum M-10-15. My takeaway: significant weaknesses don't need to be reported. WTF is that? You have to keep them on file, of course, so that you can provide them upon request.

CIOs are going to report the following:
  • Inventory
  • Systems and Services
  • Hardware
  • Software
  • External Connections
  • Security Training and
  • Identity Management and Access
That's super, right? There are instructions available here. Eventually, Vivek Kundra and Howard Schmidt want it all in an Excel spreadsheet or XML format and then uploaded. You'll need to submit it monthly starting in January 2011. Sounds to me like someone has bought into the SANS Critical Consensus Whatever. But we know how I feel about that one already.

IGs will also need to report through the old system, but on this set of categories:
  • Certification and Accreditation
  • Configuration Management
  • Security Incident Management
  • Security Training
  • Remediation/Plans of Actions and Milestones
  • Remote Access
  • Identity Management
  • Continuous Monitoring
  • Contractor Oversight
  • Contingency Planning
I'm not saying that the old process didn't need to be overhauled, but here again the Feds are moving away from a risk-based approach to control monitoring. Bejtlich seems to agree.

In other news, my Dad's agency (Bureau of Engraving and Printing) has had their web site HACKED! OMFG!

Oh wait, not so much. More on it at the Register and on the AVG blog. Most importantly, Dad doesn't work on the external web site, or in IT for that matter.

The first thing to consider is that the BEP external web site probably got a Low baseline assigned to it. The Register article also reports that it may be related to the Network Solutions WordPress hacks of last month. That could very well be, but let us remember that someone should have run a pen test. If they did run a pen test, well then maybe it's time for a new testing vendor. Panda gives a detailed breakdown.

This is the kind of thing that doesn't inspire confidence in the government's ability to protect information. And while there isn't any data leakage or loss from the site itself, the Availability leg of the CIA triad has fallen down severely. The web site is still offline as of May 4th, 2010 at 21:45 GMT.

Lastly, there is a new GAO report out on the Federal Housing Finance Agency saying that its information security controls could be better. This is important because FHFA is the agency that "... regulates Fannie Mae, Freddie Mac and the 12 Federal Home Loan Banks." So that's what's happening there.