Wednesday, November 21, 2012

Information Security/Cyber Security

http://finance.yahoo.com/news/threat-spectacular-cyberattack-looms-official-185505164.html;_ylt=AotMcHbqlggVcFMe.957QkaiuYdG;_ylu=X3oDMTQ2N2JvbjJxBG1pdANDTkJDIEZlYXR1cmUgMgRwa

Ok, so I put that link in a draft a few weeks ago, fully intending to write something about it sooner. I haven't gotten back to it until now, in the midst of watching "Live Free or Die Hard" again. For those of you not familiar with this movie, there is plenty to find on the Internet, so I will only say that it's about my line of work. I also checked them out today, and I find something very alarming here. References to the movie, which came out in 2007, cite sources that are even older, some even predating 9/11, and detail concern over an attack vector similar in nature. Fast forward to today, and the article above, and you can clearly see that not much has really changed in the minds of those that have the power to make a difference. Sure, there are good things being done, new government agencies, regulation proposals and updates, but underneath all that is still the same skepticism that was present back then. I'm not as concerned about the government end here; they seem to be on board now, albeit typically slow in getting things moving. No, I'm very concerned about industry here. Within the last year, a cyber security bill has been put forth to protect the nation's critical infrastructure, but it has failed to pass. I can only assume that lobbyists and special interest groups are purposely trying to make the bill fail, and that leads right back to the industries that the bill is trying to protect in the first place.

We can read headlines that are indicators that there is a growing threat, and the nation's leaders are actively saying this, yet the CEOs and senior management of the industries that most certainly will fall first are still resistant. Now let us suppose that the U.S. fails to protect this before an attack happens; what about the other nations? Once a successful attack happens, there is no way that the attacker would stop there. No, just like conventional warfare, they would then take the next step and take down another nation, then another, then another. We, the protectors of networks, have a global responsibility, not just a local one.

Thursday, November 8, 2012

Air travel

I realized something today that I have missed for at least a year and a half. I get anxious about flying, to the point that I am highly sensitive to my emotions. Those that know me would say that I'm normally in control of my emotions. I will have to pay much closer attention to this in the future to see which emotions are most common. This trip I felt extremely lonely and missed my family before I even left the house for the airport.

TSA had their say again. No surprise this time, because I had forgotten about the new pocket knife that I had added to my right pocket with my company's logo on it. Not a big loss, and understandable this time; still, it seems that they are really picky. Maybe that is a sign that they are doing a good job?

Got to my destination, and my rental car company was short on cars, so I got the silver Ford Mustang 5.0 they had left. I've been dreaming about this for a while, because they often give me cars that are upgrades from what I've reserved, but it wasn't the experience I was expecting.

Day 2 was better; I actually enjoyed the Mustang and had a productive day at work. Still missed the family, and tried hard not to stress about the flight home. I think it worked, even though, the closer I got to flight time, I did notice some unusual behavior.

During the flight I had an episode that concerned me a bit. It had happened only once before, but not quite this bad. Once the plane reached altitude, the right side of my face went completely numb, to the point that I couldn't even close my right eye. I put my head back and tried to relax, but couldn't get any feeling back. I was starting to get a little anxious and concerned when my stomach started to heave. I grabbed the air sickness bag and punched the attendant call button. It stopped shortly after I regained feeling in my face. After the plane landed, I called the wife and she was able to do a little research online. The most likely explanation is that my sinuses were blocked, causing the pressure to build up at altitude and compress a nerve, making my face numb. My ears had probably not equalized either, causing the nausea. Throwing up may have caused both to equalize with the altitude and stop the problems, because it immediately got better and I had no residual effects a day later. Bottom line is I should not ignore allergy medication during trips and should be extremely cautious about flying with a stopped-up nose.

Friday, September 21, 2012

Mapping Security Control Catalogs

So I have a new project underway in my spare time.  My wife and I are going into business and, as it happens, must comply with not just one, but two sets of information system security control regulations, one industry, and one federal.  Being intimately familiar with DoD 8500 and NIST, I welcomed the challenge that came with this in attempting to translate the other two into a framework that I understood better, and immediately ran into an issue.  The two regulations are PCI-DSS and HIPAA, which are not fully developed information system security programs; therefore, it doesn't make sense to show compliance just for compliance's sake.  I wanted to do this the right way and adopt a full program and then map the other two standards to it, so I chose NIST as I have been impressed with its flexibility in the control set.  I am not happy with its security categorization, so instead, I chose the CNSSI-1253 to perform this function for my program.

So far, so good. 

NIST has published SP 800-66 that maps HIPAA to SP 800-53 Rev 2, but I'm wanting to be on the cutting edge, which meant that I had some updating to do with that map in order to get it into SP 800-53 Rev 3 (and soon Rev 4).  Ok, not too bad, NIST markups and discrepancies aren't too bad to work with, and I don't see a big problem with not being specific in the control enhancement area as HIPAA is rather vague when it comes to stipulating requirements, so the base controls should do fine.  So far, it's a little work to get the HIPAA map updated, but it looks fairly easy.

Then I turned to PCI-DSS to look at that. 

Drastic difference here, as this control set is more specific than the NIST control set in certain areas, and darn it all, no one seems to have mapped this to NIST.  I did find a few maps that I could reference, but not use or change directly, mainly using yet a third control set that I wasn't interested in at all (ISO 27000, COBIT, and CSA).  In delving deeper into these maps, it seemed that the ISO and COBIT maps weren't all that useful to me, but the CSA seemed to do a wonderful job as it published a map between all the control sets mentioned in this post as well as a few more.  So I grabbed that and really took a good look at it.  Bottom line, it's a good effort on their part, but for my purposes, I can't use it.

The basic reason is that in order to map control sets, you have to start with a base set, then perform the map to the set you want to use.  In my case, I have to do that twice, once with PCI-DSS, and once with HIPAA.  Once you have it done that direction, you can reference the other two sets from the set you use to show compliance.  Since the maps I had tried before had essentially done this against a set that I wasn't interested in, I was attempting to compare apples to oranges to get it back into the right framework.  Sure, the maps are somewhat useful to narrow down the field, but only when the control set they use is nearly identical to the one you want to use.

Crap, I'm going to have to do this the hard way:  map the sets manually.

Doing it this way has a huge drawback, in that you are entirely dependent upon your own subjectivity, which the entity that you are trying to show compliance with may not agree with.  I didn't want to do this, but in the absence of publicly available or official maps, I really have no choice.  Fortunately, I do carry the credentials to make my map more credible to anyone looking at it.

So, I'm just getting started, but already I see a pattern starting to form in that my subjective view is very granular and differs from the maps I've been able to find.
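Here is an added example (mine, not code from this blog) of how the mapping direction described above can be kept straight in a script: the NIST control set is the base program catalog, each regulation gets its own direct map onto it, and the crosswalk used to show compliance is generated by inverting those maps. The NIST SP 800-53, PCI-DSS and HIPAA identifiers are real catalog labels, but every pairing below is a constructed placeholder, not an official or vetted crosswalk; the intermediate catalog `MID_TO_BASE` is made up to show how routing through a third control set fans out and loses the granularity a direct map keeps.

```python
# Crosswalk of two regulations onto one base control catalog.
# Added example; identifiers are real catalog labels, pairings are constructed.

# Subset of the base program catalog (NIST SP 800-53 control id -> title).
BASE = {
    "AC-2": "Account Management",
    "AC-6": "Least Privilege",
    "AU-2": "Audit Events",
    "IA-2": "Identification and Authentication",
    "SC-8": "Transmission Confidentiality and Integrity",
}

# Direct maps, one per regulation: target requirement -> base controls that
# satisfy it. Constructed placeholders standing in for a subjective judgement.
PCI_TO_BASE = {
    "PCI 4.1": ["SC-8"],
    "PCI 7.1": ["AC-6"],
    "PCI 8.1": ["AC-2", "IA-2"],
    "PCI 10.1": ["AU-2"],
    "PCI 3.4": [],  # deliberately unmapped: a gap still to be worked by hand
}
HIPAA_TO_BASE = {
    "HIPAA 164.308(a)(4)": ["AC-2", "AC-6"],
    "HIPAA 164.312(b)": ["AU-2"],
    "HIPAA 164.312(d)": ["IA-2"],
    "HIPAA 164.312(e)(1)": ["SC-8"],
}

# Constructed intermediate catalog with coarse domains, standing in for a
# third-party matrix that lumps several base controls under one entry.
MID_TO_BASE = {
    "MID-IAM": ["AC-2", "AC-6", "IA-2"],
    "MID-LOG": ["AU-2"],
}
PCI_TO_MID = {"PCI 7.1": ["MID-IAM"], "PCI 8.1": ["MID-IAM"], "PCI 10.1": ["MID-LOG"]}


def validate(target_map, base):
    """Target requirements that cite a control id missing from the base catalog."""
    return sorted(req for req, ctrls in target_map.items()
                  if any(c not in base for c in ctrls))


def crosswalk(base, *target_maps):
    """Invert target->base maps into base control -> sorted target requirements.

    This is the direction compliance is shown from: pick a base control and
    list every external requirement it covers.
    """
    out = {ctrl: [] for ctrl in base}
    for tmap in target_maps:
        for req, ctrls in tmap.items():
            for c in ctrls:
                out[c].append(req)
    return {c: sorted(reqs) for c, reqs in out.items()}


def gaps(target_map):
    """Target requirements with no base control yet (manual mapping work)."""
    return sorted(req for req, ctrls in target_map.items() if not ctrls)


def compose(target_to_mid, mid_to_base):
    """Route a target set onto the base through an intermediate catalog.

    Every intermediate entry fans out to all the base controls it touches, so
    the composed map is coarser than a direct one.
    """
    out = {}
    for req, mids in target_to_mid.items():
        ctrls = set()
        for m in mids:
            ctrls.update(mid_to_base.get(m, []))
        out[req] = sorted(ctrls)
    return out


def fanout_report(direct, composed):
    """Per requirement, how many extra base controls the indirect route adds."""
    return {req: len(composed[req]) - len(direct[req])
            for req in composed if req in direct}


if __name__ == "__main__":
    assert not validate(PCI_TO_BASE, BASE) and not validate(HIPAA_TO_BASE, BASE)
    for ctrl, reqs in crosswalk(BASE, PCI_TO_BASE, HIPAA_TO_BASE).items():
        print(f"{ctrl:5} {BASE[ctrl]:45} <- {', '.join(reqs) or '(none)'}")
    print("unmapped PCI requirements:", gaps(PCI_TO_BASE))
    print("fan-out via intermediate:",
          fanout_report(PCI_TO_BASE, compose(PCI_TO_MID, MID_TO_BASE)))
```

The `fanout_report` output is the apples-to-oranges effect in numbers: a requirement that maps directly to one base control picks up two extra controls when it is routed through the coarse intermediate domain, which is exactly the noise that has to be filtered back out by hand.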

Sunday, July 29, 2012

Political Happenings

So, I'm not sure if anyone has been following this ridiculous chain of events that has been flooding the news lately, but if you haven't, don't worry, I don't think you are missing much. Apparently it started with the CEO of the restaurant chain Chick-Fil-A being quoted as against gay marriage. There has been a flurry of support and a move to boycott since. The latest round apparently involved their Facebook page being shut down for twelve hours and a resurrection with a plea for support set for August 1. While I don't eat there, and won't be rushing to do so anytime soon, I'm finding it very hard to stay quiet on the issues, which is very out of character for me as I'm not usually for or against either politics or religion.

Let me try to break down the issues here. There are two main issues here, one political, one religious. Then there are the side issues, namely of free marketing and private industry terms of service. First, the political.

The first amendment of the Constitution of the United States grants the right of free speech. The CEO exercised that right by expressing his own opinion on a public matter. Somehow it got tied to the opinion of the company he runs, which is unfortunate, but ultimately happens when people in the public eye are linked to their affiliations. I'm not one to do this, but the CEO rolled with this one, so now it IS fact, where it probably wasn't initially. I'm not a lawyer, but I believe that the Constitution covers the company's rights in this regard as well, so any attempt at suppressing this right could lead to a challenge by the company in a court of law.

The second major issue is religious. Ok, so any formalized religion that names the specific verse in the Bible as the word of their deity and bans homosexual relationships would support the CEO. It follows that anyone against this position would be offended by his words. Both sides are exercising their first amendment rights here, and neither is more justified than the other in terms of a court case since no foul has been committed according to the law. There is separation of church and state here in the US, so the two sides can argue for as long as they have breath to do so, and neither should be disparaged in their right to do so, nor suppressed, forced to be silenced, or in any other way repressed. My view here on the specific issue is irrelevant as I stand on the right of free speech as well as the freedom of religion; thus, so far, nothing has been said or done that violates these rights, and I have remained silent.

Here's where it gets a bit tricky. The sub-issues have muddied the waters, and I do have an opinion here. Let's start with the free marketing. While I see that the CEO has the right to promote and support the planned show set for this Wednesday, I believe he is using it unduly to line his pockets. I don't even really blame him, I blame the people that are supposedly supporting him. Sure, they have the right to do so, but I just don't see how making this show of support means more than just giving him money, which would happen in the normal course anyway. To me, this has zero moral value, and no significant influence on the topic at all.

As for the fourth issue, Facebook, in its terms of service, retains the right to perform any action it deems necessary, including denial of service to any entity it sees as in violation of the terms it sets forth. While I don't know the specifics of why the page was shut down, nor the reasoning behind its resurrection, I cannot find any fault with the action. Facebook, after all, is another private company, and their users are bound to its terms of service. Whether the action violated the first amendment or not is irrelevant because the terms of service prevail here, not the Constitution. Facebook is not a government-run institution, nor a public forum; as such, the Constitution has no power to enforce the right of free speech for the users of this private service. Those that don't understand this need to go back to school and start reading all agreements that they sign.

So, bottom line here is that no law has been broken, and the debate has not been settled religiously, privately, or otherwise. Business as usual, and in my opinion, not worthy of so much media attention as has been given.

Thursday, May 31, 2012

Hazards of corporate takeovers in Information Security

The best practice taught by computer security experts everywhere is diversification across your security products.  This is different from the practice of establishing a common baseline and acquiring the same make and model of component equipment for that component function in the environment.  The idea is simple, but the explanation is complex.  Your security architecture is made up of many different components doing different things in order to accomplish a mission function.  In the same way a house is built, a computer system is built.  Many different components make up the whole.  On the surface, you have a resilient barrier to keep the outside out (IT system: boundary protection; House: stucco, brick, weather-resistant wood, roofing material).  Inside of that, you have a buffer zone to insulate the interior from the impact of extreme penetrating elements (IT system: DMZ, honeypots, externally facing servers; House: wood framing, insulation).  Inside of that, you have another barrier between the buffer zone and the interior (IT system: internal firewalls, authentication servers; House: interior drywall).  At protected points, you have controlled access to the inside (IT system: VPN, privileged functions; House: locking doors and windows).  And at unprotected points, you have holes that can be used to gain access to the inside (IT system: weaknesses expressed as vulnerabilities; House: various vents and weak points such as the garage door).  Just as a house, an IT system should be fitted with security measures to mitigate the possibility that an intruder could gain access to the inside.  An alarm system is analogous to audit monitoring and reporting and IDS devices.  Additional reinforcements like window bars and sticks in the tracks of windows are comparable to IPS devices and two-factor authentication.

So, what is the problem?  It’s with those holes, the weak points.  A house built with the standard equipment used in all the rest of the houses in the neighborhood may experience a common fault, like a particularly weak locking mechanism, that if known, can be used again and again to gain access to any house using that mechanism.  Furthermore, if security devices bought from the same company are used for multiple layers of protection, they may share a common weakness, making it that much easier for an intruder to penetrate to the warm comfort of the interior.  Business is business, and corporate policy dictates the way that business is conducted.  A corporate takeover may introduce a weaker policy structure than what existed previously, plus you have the possibility of layoffs that may produce an out-of-work expert in the technology used who is now disgruntled.  This guy knows all your secrets, knows the back doors, and knows the products.  You’ve just made him mad and unemployed, and in an act of desperation, he could sell what he knows, or even take an active role in a penetration attempt.  At the very least, he is subject to a social engineering attempt that he is now more susceptible to because he is no longer subject to any sanctions that existed when he was employed.

Another aspect to consider is the components themselves.  A single manufacturer supplying multiple levels of protection devices with a common vulnerability or method in the design poses a significant risk, because the same exploit will work at multiple layers.  Take our house as an example again: it has a door with an added security door as the main entry point, but both doors are fitted with a lock from the same manufacturer.  It is well known that there exists a vulnerability in certain locks that a simple application of a hammer is able to break and allow the door to be opened.  Two swings, and the intruder gains access to the house.  In our IT system, let’s say that both the exterior and interior firewalls are made by the same company and have a back door installed in them from the vendor.  The same hard-coded default password is able to open those firewalls and an intruder is in the network within seconds.
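The common-vendor point above is easy to put numbers on. The following is an added example, mine rather than anything from this post: it takes a constructed list of defensive layers with the vendor behind each, flags vendors that supply more than one layer (the thing an architecture review should catch), and compares the chance an attacker gets through every layer when vendors are shared against when they are diverse. The model is deliberately simple and is my assumption, not a published one: each vendor independently has an exploitable flaw with probability `p_flaw`, and one flaw defeats every layer that vendor supplies, which is exactly the "same exploit works at multiple layers" case in the text.

```python
from collections import Counter
from itertools import product

# Constructed architectures: (layer name, vendor supplying it).
SHARED = [
    ("perimeter firewall", "VendorA"),
    ("internal firewall", "VendorA"),
    ("VPN gateway", "VendorA"),
]
DIVERSE = [
    ("perimeter firewall", "VendorA"),
    ("internal firewall", "VendorB"),
    ("VPN gateway", "VendorC"),
]
MIXED = [
    ("perimeter firewall", "VendorA"),
    ("internal firewall", "VendorB"),
    ("VPN gateway", "VendorA"),
]


def shared_vendor_layers(layers):
    """Vendors that supply more than one layer, with the layers they cover.

    Anything returned here is common-mode exposure: one flaw, several layers.
    """
    counts = Counter(vendor for _, vendor in layers)
    return {v: [name for name, vv in layers if vv == v]
            for v, n in counts.items() if n > 1}


def effective_depth(layers):
    """Number of independent defences: distinct vendors, not layer count."""
    return len({vendor for _, vendor in layers})


def breach_probability(layers, p_flaw):
    """Probability every layer falls, enumerating which vendors are flawed.

    Assumed model: each vendor is flawed independently with probability
    p_flaw, and a flawed vendor defeats every layer it supplies. The attacker
    passes all layers only if every layer's vendor is flawed.
    """
    vendors = sorted({vendor for _, vendor in layers})
    total = 0.0
    for flawed in product([False, True], repeat=len(vendors)):
        state = dict(zip(vendors, flawed))
        weight = 1.0
        for v in vendors:
            weight *= p_flaw if state[v] else 1.0 - p_flaw
        if all(state[vendor] for _, vendor in layers):
            total += weight
    return total


def breach_probability_closed_form(layers, p_flaw):
    """Same quantity without enumeration: p_flaw ** (distinct vendors)."""
    return p_flaw ** effective_depth(layers)


if __name__ == "__main__":
    for label, arch in (("shared", SHARED), ("mixed", MIXED), ("diverse", DIVERSE)):
        print(f"{label:8} layers={len(arch)} effective_depth={effective_depth(arch)} "
              f"P(breach | p_flaw=0.1)={breach_probability(arch, 0.1):.4f} "
              f"common-mode={shared_vendor_layers(arch)}")
```

With three layers and a 10% chance per vendor of a usable flaw, the all-one-vendor stack is breached with probability 0.1 while the three-vendor stack sits at 0.001; the layer count is the same, the effective depth is not. The `shared_vendor_layers` report is the cheap check to run after a merger or a procurement change, before any of the hard-coded-password scenarios above get a chance to apply.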
 

Friday, May 25, 2012

Web 2.0

Wow, it's been a while since I have been up here.  I do see that I've updated my certificate, or was that automatic?  Hmm...this Web 2.0 stuff (or is it cloud) has me a bit confused sometimes.  I know that I can link accounts, and sometimes it surprises me what that actually accomplishes.  I have actually cut the links between certain sites just because of that reason.  I don't fully trust the links are doing what I think I want them to do.  The Internet is going the way of Microsoft in that it is anticipating things for you.  Not necessarily a good thing.  Granted, it can be useful, but think about what that may mean for some of you.  No more secrets in your life, everything is out there for millions to see just by clicking through a few links or typing a few key words in a search engine.  I had actually LOST this blog, didn't remember which engine I used, so I went to Google and typed in Phaldor blog, and found it on the second link.  Talk about big brother...