This Week in Gov't Computing

And by this week I mean today, yesterday and part of last week.

It has been exciting though. Agency CIOs will now be required to report to OMB via CyberScope by November 15th. This is all laid out in Memoranda 10-15. My take away: Significant weaknesses don't need to be reported. WTF is that? You have to maintain it on file of course, so that you can provide it upon request.

CIOs are going to report the following:

• Inventory
• Systems and Services
• Hardware
• Software
• External Connections
• Security Training and
• Identity Management and Access

That's super, right? There's instructions available here. Eventually, Vivek and Howard want it all in an Excel spreadsheet or XML format and then uploaded. You'll need to submit it monthly starting in January 2011. Sounds to me like someone has bought into the SANS Critical Consensus Whatever. But we know how I feel about that one already.

IGs will also need to report through the old system but on this set of categories:

• Certification and Accreditation
• Configuration Management
• Security Incident Management
• Security Training
• Remediation/Plans of Actions and Milestones
• Remote Access
• Identity Management
• Continuous Monitoring
• Contractor Oversight
• Contingency Planning

I'm not saying that the old process didn't need to be overhauled, but here again the Feds are moving away from a risk-based approach to control monitoring. Bejtlich seems to agree.

In other news, my Dad's agency (Bureau of Engraving and Printing) has had their web site HACKED! OMFG!

Oh wait, not so much. More on it at the Register and the AVG blog. Most importantly, Dad doesn't work on the external web site or in IT for that matter.

The first thing to consider is that the BEP external web site probably got a Low baseline assigned to it. It has also been reported in the Register article that it may be related to the Network Solutions Wordpress hacks of last month. Could very well be, but let us remember that someone should have run a pen test. If they did run a pen test, well then may be its time for a new testing vendor. Panda gives a detailed breakdown.

This is the kind of thing that doesn't inspire confidence in the government's ability to protect information. And while there isn't any data leakage or loss from the site itself, the A portion of CIA has fallen down severely. The web site is still off line as of May 4th, 2010 at 21:45 GMT.

Lastly, there is a new GAO report out on the Federal Housing Finance Agency say that the info sec controls could be better. This is important because FHFA is the agency that: "... regulates Fannie Mae, Freddie Mac and the 12 Federal Home Loan Banks." So that's what's happening there.

Missing the Point ... Again.

There has been a lot of who-ha (technical term) going around on the changes to Information Security in the Federal government. As the title suggests, there are many, many pundits and "experts" who proclaimed FISMA as a failure and needs an overhaul. It is my opinion that very little will actually change. Why you ask?

Institutional Momentum.

Like most things in the government, the original idea came from DoD and the Intel community. In this way, Certification and Accreditation could be a point in time event because they were running mainframes with hard wired terminals. So things did not change all that often. Systems evolved, web applications were developed, cloud computing, buzz word du jour, blah blah and suddenly the process is broken.

Did you know that certification is only mentioned once in FISMA? And not even the certification that we think of, it concerns a certification authority for digital signatures. Congress did not force the Certification and Accreditation process onto the Executive. If we jump into our way-back machine you may recall a post where I said that FISMA is about risk management. Continuous monitoring and vulnerability management were part of this vernacular from the start. FISMA was perverted into a checklist / table top exercise to keep costs and schedule under control, which is totally permissible if you accept the risk. Some of the feds simply were not ready to implement the NIST recommendations. Some still are not.

You may also know that a few weeks back, SP 800-37 Rev 1 went final. It seems that it has taken just over seven years, but the government produced meaningful recommendations to create a process to manage risk. With this document and the upcoming SP 800-39, we finally move in the direction of strategic risk management. While I have only taken a cursory look at the bills on the Hill, my understanding that there is little in the way of increasing the government’s ability to respond to incidents, perform practical contingency and business continuity exercises or enforce more extensive testing methodologies. I believe this has to do with vendor influences, but I could be completely wrong in my assumptions.

FISMA has done exactly what it was intended to do. Those who didn't/don't/can't understand security, vilified it from the start. Which I felt was an attempt at a self fulfilling prophecy. Lest we forget where we were in 2002. Very little was done beyond a firewall on the perimeter and some A/V on the desktops. Because of FISMA and the thousands (perhaps millions) of findings written, many more technologies have been deployed such as web application testing and intrusion detection. We all understand that we can and should do more, but that is all security programs. This one just happens to be open to regular public criticism. Outside critics should consider the 800 series documents for what they are, guidance for the creation of a solid security program and not as simply a compliance effort.

It would have been better if the new legislation simply said "Do what we already told you to do, but ‘this time with four part harmony and feeling’". Ending with funding for agency staff education and time off to go learn what information system risk management really is.

The New 800-37

Attention everyone: the 800-37 Rev 1 has gone final! I think I may re-cap the changes in this forum. We'll see if that actually comes together.

http://csrc.nist.gov/publications/nistpubs/800-37-rev1/sp800-37-rev1-final.pdf

Out.

ShmooCon

I will be at ShmooCon February 5th until the 7th. By luck, I managed to get a room at the last minute.

Hit me on twitter at http://twitter.com/cyberhiker during the event. Even if you just want a snowfall report.

Technology Death Pronouncment

I haven't seen much of the Firewalls, Anti-Virus and IDS are Dead technologies recently, Mind you I have been extremely busy with other things of late.

The short version is that I am ready to proclaim that nothing is dead. That's right. No matter how hard we try to get away from mainframes or Windows NT or whatever. Most of us have to deal with things on a regular basis. So get over it.

What should be dead is calling different technologies dead. Especially since there will always be a reason to use whatever "it" is, even if the reason is a bad one.

There are couple reasons for this. The finance guys don't have a lot of patience for needing to spend $1 Million at the beginning of the year and then reading in *Business* magazine by *expert* that *technology* is now on a slab.

The reality of it is that the uninitiated gets upset. It also upsets me. But for different reasons. Here are a group of people (security staff) in a company who have probably fought for months to bring something in, get it installed and operating. Only for some blow hole to come through and make an uninformed opinion about everyone's environment.

The aforementioned blow hole comes with credibility, because they are published. The people on staff probably not. I don't hate the blow hole though because they are trying to sell magazines and announcing the death of whatever sells X publication.

It all comes down to profiling the risks to your organization. If you are a decision maker, take advice from industry rags with a grain of salt. If you are in the trenches, be sure that your business cases are tight and the deciders know what the technology does and the risks it is mitigating.

That is all.