Wednesday, September 25, 2013

More Annoyance

Back again.

Yesterday, I said that the recent survey about FISMA failure is horse shit. I stand by that claim and will now add more.

The only thing this report says is that their process is too focused on compliance and they wish they had more money. When is the last time that you talked to someone where they didn't wish they had more money for their program? Whatever the program was. "I wish I had more money for building my space station" or "If I had another $2 million dollars, I could get something with red blinking lights instead of blue blinking lights."

This survey has had it's effect, we're talking about FISMA. The failure does not lie in the law though. I see and hear about the failures every day. Management buy-in is lacking, risks ignored, security bolt-ones at the end of the project, or security isn't keeping up with technology. I think that just about everyone in this industry could say all the same things. And they don't have a law to tell them they have to do it. A lot of organizations have no prevailing regulatory requirement to follow and those security folks have to get more done with much less than the government provides to a lot of agencies.

One of the slides said that nation-states were attacking the government systems all the time. Whatever, everyone is getting attacked by nation-states.

A different slide said that users were their problem and they didn't have enough training budget. To this, I refer you back two paragraphs where virtually every CISO/ISSO complains about this.

I said on the Southern Fried Security podcast FISMA episode that FISMA improved Federal government security. Anyone that can prove other wise please step forward. Because when FISMA was passed many agencies were lucky to have a firewall and anti-virus. Let alone web application firewalls, intrusion detection systems and pen tests. No one was training users on security awareness on a regular basis (not for the places I was working for anyway).

In the end, FISMA leaves the implementation of policy to the agencies. That policy should be based on 800-53. If you need help, I am here for you.

That is all.

Monday, September 23, 2013

Annoyed

I find myself being annoyed yet again by an article.  It's here if you want to read it.

The essence of it being that FISMA is a failure (still) and government doesn't know how to secure a rowboat let alone the vast number of systems in existence.  Also that 

No information security program is perfect, and based on this article many think that they are going to improve their programs simply because of continuous monitoring.  Wrong.  

The continuous monitoring needs to effective.  Not lip service.  Many agencies are hindered by congressional budget wrangling in the form of sequestration and other stupidity.  They are further hindered by grand standing and empire building.  The thing that seems to be lost is that they probably could do better if someone wasn't telling them they only need 

The title of the article states that they can do better.  But most of the time, it's the basics that are failing agencies.

What you need:
  • Get a decent policy document together based on 800-53 Rev 4 (this includes tailoring and filling out all the little spots you are supposed to);
  • Assess your risks and not just your policy violations or exceptions;
  • Centralize what you can (if you're a big agency or department, why not use the economics of scale? i.e. IR, Media Management, Asset Management, other less sexy things);
  • Plan, Plan, Plan;
  • Train, Train, Train;
  • Scan, Scan, Scan;
  • Patch, Patch, Patch;
  • Watch your logs; and finally
  • Accept your failures and learn from them.
The article alluded to some of this.  But if you have a decent program then your compliance will happen.

That is all.