<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Security Advancements at the Monastery &#187; Law</title>
	<atom:link href="http://blog.securitymonks.com/category/law/feed/" rel="self" type="application/rss+xml" />
	<link>http://blog.securitymonks.com</link>
	<description>Information about developments at the Monastery</description>
	<lastBuildDate>Fri, 03 Sep 2010 05:41:44 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.9.2</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>FISMA Reform: Lieberman, Collins, and Carper Introduce Bill</title>
		<link>http://blog.securitymonks.com/2010/06/10/fisma-reform-lieberman-collins-and-carper-introduce-bill/</link>
		<comments>http://blog.securitymonks.com/2010/06/10/fisma-reform-lieberman-collins-and-carper-introduce-bill/#comments</comments>
		<pubDate>Thu, 10 Jun 2010 21:24:42 +0000</pubDate>
		<dc:creator>John Gerber</dc:creator>
				<category><![CDATA[FISMA]]></category>
		<category><![CDATA[Law]]></category>

		<guid isPermaLink="false">http://blog.securitymonks.com/?p=1992</guid>
		<description><![CDATA[Today, a compromise has been reached allowing FISMA reform to move forward in the Senate.  The Senate Committee on Homeland Security and Governmental Affairs issued the press release, &#8220;Lieberman, Collins, Carper Unveil Major Cybersecurity Bill to Modernize, Strengthen, and Coordinate Cyber Defenses.&#8221;  Key elements of the Protecting Cyberspace as a National Asset Act of 2010 include:

Creation of [...]]]></description>
			<content:encoded><![CDATA[<p>Today, a compromise has been reached allowing FISMA reform to move forward in the Senate.  The Senate Committee on Homeland Security and Governmental Affairs issued the press release, &#8220;<a href="http://hsgac.senate.gov/public/index.cfm?FuseAction=Press.MajorityNews&#038;ContentRecord_id=227d9e1e-5056-8059-765f-2239d301fb7f">Lieberman, Collins, Carper Unveil Major Cybersecurity Bill to Modernize, Strengthen, and Coordinate Cyber Defenses</a>.&#8221;  Key elements of the Protecting Cyberspace as a National Asset Act of 2010 include:</p>
<ol>
<li><b>Creation of an Office of Cyberspace Policy in the Executive Office of the President</b> run by a Senate-confirmed Director, who will advise the President on all cybersecurity matters. The Director will lead and harmonize federal efforts to secure cyberspace and will develop a national strategy that incorporates all elements of cyberspace policy, including military, law enforcement, intelligence, and diplomatic.  The Director will oversee all related federal cyberspace activities to ensure efficiency and coordination.</li>
<li><b>Creation of a National Center for Cybersecurity and Communications (NCCC) at the Department of Homeland Security (DHS)</b> to elevate and strengthen the Department’s cybersecurity capabilities and authorities. The Director will regularly advise the President on efforts to secure federal networks.  The NCCC will be led by a Senate-confirmed Director, who will report to the Secretary. The NCCC will include the United States Computer Emergency Response Team (US-CERT), and will lead federal efforts to protect public and private sector cyber and communications networks. </li>
<li><b>Updates the Federal Information Security Management Act (FISMA)</b> to modernize federal agencies&#8217; practices for protecting their internal networks and systems. With strong leadership from DHS, these reforms will allow agencies to move away from the system of after-the-fact paperwork compliance to real-time monitoring to secure critical systems.</li>
<li><b>Requiring the NCCC to work with the private sector to establish risk-based security requirements</b> that strengthen cybersecurity for the nation’s most critical infrastructure that, if disrupted, would result in a national or regional catastrophe.</li>
<li><b>Requiring covered critical infrastructure to report significant breaches to the NCCC</b> to ensure the federal government has a complete picture of the security of these sensitive networks.  The NCCC must share information, including threat analysis, with owners and operators regarding risks to their networks. The Act will provide specified liability protections to owners/operators that comply with the new risk-based security requirements.</li>
<li>Creation of a responsible framework, developed in coordination with the private sector, <b>for the President to authorize emergency measures to protect the nation’s most critical infrastructure</b> if a cyber vulnerability is being exploited or is about to be exploited. The President must notify Congress in advance before exercising these emergency powers. Any emergency measures imposed must be the least disruptive necessary to respond to the threat and will expire after 30 days unless the President extends them.  <b>The bill authorizes no new surveillance authorities and does not authorize the government to “take over” private networks</b>.</li>
<li><b>Development of a comprehensive supply chain risk management strategy to address risks and threats</b> to the information technology products and services the federal government relies upon. This strategy will allow agencies to make informed decisions when purchasing IT products and services.</li>
<li>Requiring the Office of Personnel Management to <b>reform the way cybersecurity personnel are recruited, hired, and trained</b> to ensure that the federal government has the talent necessary to lead the national cybersecurity effort and protect its own networks.</li>
</ol>
<p>
The Committee will hold a hearing on the legislation on June 15, 2010.
</p>
<h3>Background</h3>
<p>There has been a great deal of activity since I posted &#8220;<a href="http://blog.securitymonks.com/2008/03/17/fisma-paperwork-or-actual-security/">FISMA: Paperwork Or Actual Security?</a>&#8221;  The House passed the <a href="http://hdl.loc.gov/loc.uscongress/legislation.111hr5136">2011 Defense Authorization spending bill</a>, which includes measures to upgrade the Federal Information Security Management Act (<a href="http://en.wikipedia.org/wiki/Federal_Information_Security_Management_Act_of_2002">FISMA</a>), on a 229 to 186 roll call vote.  The authorization bill now faces reconciliation with the Senate version.  The Senate version has yet to be considered on the Senate floor but did pass through the Senate Armed Services Committee.  The House action put pressure on the Senate to act.</p>
<p>
Action came from the <a href="http://hsgac.senate.gov/public/">US Senate Committee on Homeland Security and Governmental Affairs</a>, whose chairman is <a href="http://lieberman.senate.gov/">Senator Joe Lieberman</a> (ID-Conn.), an original cosponsor of the bill.  Lieberman had been talking about a comprehensive cybersecurity reform bill that would combine much of the language of the United States Information and Communications Act (<a href="http://www.govtrack.us/congress/bill.xpd?bill=s111-921">S. 921</a>) with the FISMA reform legislation introduced in April 2009 by <a href="http://carper.senate.gov/">Senator Thomas R. Carper</a> (D-Del.).  Many provisions of Carper&#8217;s bill mirror provisions included in the House bill.  Carper was pressing to include provisions that would:</p>
<ol>
<li>standardize Inspector Generals’ information security audits;</li>
<li>create a Chief Information Security Officer Council to establish information security best practices and guidelines, while strengthening the role of Chief Information Security Officers;</li>
<li>allow the Department of Homeland Security to conduct &#8220;red team&#8221; penetration tests against civilian agencies;</li>
<li>allow Congress to measure the effectiveness of agencies’ information security plans and procedures.</li>
</ol>
<p>
Lieberman wanted <a href="http://collins.senate.gov">Senator Susan Collins</a> (R-Maine), the ranking Republican on the Homeland Security panel, named on the bill.  The problem was that Collins is on record opposing the top cybersecurity official in government being housed in the White House, believing the official should be quartered in the Department of Homeland Security.  It looks like Lieberman and Collins were able to come to an agreement and move forward on the bill.
</p>
<h3>Thoughts</h3>
<p>If you are interested in learning more and keeping up with FISMA, you will find Dan Philpott&#8217;s (Twitter: <a href="http://twitter.com/danphilpott">danphilpott</a>) site <a href="http://fismapedia.org">FISMApedia</a> interesting. It describes itself as &#8220;a collection of documents and discussions focused on Federal IT security. This site is a database of current guidance, laws and directives on how the Federal government secures its IT assets.&#8221;  Philpott also posts to the <a href="http://www.guerilla-ciso.com/">Guerilla CISO</a> blog.
</p>
<p>
Federal CIO Vivek Kundra, writing on <a href="http://www.cio.gov/pages.cfm/page/faster-smarter-cybersecurity">the Chief Information Officers Council Blog</a> concerning the new FISMA states &#8220;In the past, Federal agencies spent enormous time and money creating the old paper-based reports. The State Department alone, in the past six years, spent $133 million amassing 95,000 pages of security documentation for about 150 major IT systems. This works out to roughly $1,400 per page in reports that were often outdated days within being published.&#8221;  Kundra goes on to state, &#8220;As we move away from the old-style reports and into a more real-time system of security data feeds, we are implementing solutions that actually help to protect the country rather than simply generate paperwork.&#8221;
</p>
<p>
For intelligent comments on FISMA, let us turn to a few folks who eat, sleep, and breathe FISMA.  Michael Smith, aka <a href="http://www.guerilla-ciso.com/archives/author/admin/">rybolov</a>, is the creator of the Guerilla CISO blog.  Concerning the $1,400 per page cost, Smith in his post &#8220;<a href="http://www.guerilla-ciso.com/archives/1606">A Funny Thing Happened Last Week on Capital Hill</a>,&#8221; writes &#8220;If you buy into the State Department’s cost of $1400 per sheet, you’re absolutely daft.&#8221;  Smith goes on to point out, &#8220;The cost of a security program divided by the total number of sheets of paper is probably right.  In fact, if you do the security bits right, your cost per sheet will go up considerably because you’re doing much more security work while the volume of paperwork is reduced.&#8221;
</p>
<p>
Concerning allocating money towards red teams, Smith makes the point, &#8220;Do we really need penetration testing to prove that we have problems?  In Mike Smith’s world, we’re just not there yet, and proving that we’re not there is just an excuse to throw the InfoSec practitioners under the bus when they’re not the people who created the situation in the first place.&#8221;  Nicely put.
</p>
<p>
Smith’s recommendations to fix FISMA:</p>
<ol>
<li><b>You have to start with workforce management.</b>  This has been addressed numerous times and has a couple of different manifestations: DoDI 8570.10, contract clauses for levels of experience, role-based training, etc.  Until you have an adequate supply of clueful people to match the demand, you will continue to get subpar performance.</li>
<li><b>More testing will not help, it’s about execution.</b>  In the current culture, we believe that the more testing we do, the more likely the people being tested will be able to execute.  This is highly wrong and I’ve <a href="http://www.guerilla-ciso.com/archives/96">commented on it before</a>.  I think that if it was really a fact of people being lazy or fraudulent then we would have fixed it by now.  My theory is that the problem is that we have too many wonks who know the law but not the tech and not enough techs that know the law.  In order to do the job, you need both.  This is also where I deviate from the SANS/20 Critical Security Controls approach and the IGs that love it.</li>
<li><b>Fix Plans of Actions and Milestones.</b> These are supposed to be long-term/strategic problems, not the short-term/tactical application of patches–the tactical stuff should be automated.  The reasoning is that you use these plans for budget requests for the following years.</li>
<li><b>Fix the budget train.</b> Right now the people with the budget (programs) are not the people running the IT and the security of it (CIO/CISO).  I don’t know if the answer here is a larger dedicated budget for CISO’s staff or a larger &#8220;CISO Tax&#8221; on all program budgets.  I could really policy-geek out on you here, just take my word for it that the people with the money are not the people protecting information and until you account for that, you will always have a problem.</li>
</ol>
<p>
More recently, Smith posted &#8220;<a href="http://www.guerilla-ciso.com/archives/1622">How to Not Let FISMA Become a Paperwork Exercise</a>&#8221; where he addresses and comments on the key criticisms of FISMA:
</p>
<ul>
<li><b>Reduce paperwork requirements.</b>  Yes, some is needed.&nbsp; Most is not.</li>
<li><b>Reduce cost.</b> There is much repetition in what we’re doing now, it borders on <a href="http://www.guerilla-ciso.com/archives/434" target="_blank">fraud, waste, and abuse</a>.</li>
<li><b>Increase technical effectiveness.</b>  I.e., get away from the procedural and managerial tasks and get down into the technical parts of security.</li>
</ul>
<p>
Smith offers advice on &#8220;how do you keep from letting FISMA cripple you or turn into death-by-compliance.&#8221; Go to the post and read his advice.
</p>
<p>
On the same site, Joe Faraone, aka <a href="http://www.guerilla-ciso.com/archives/author/vlad-the-impaler/">Vlad</a>, gives his take in the post &#8220;<a href="http://www.guerilla-ciso.com/archives/1698">Machines Don’t Cause Risk, People Do!</a>&#8221;  He disagrees with <a href="http://www.sans.org/press/photos_bios.php">Alan Paller</a>, director of research for SANS, writing, &#8220;At the risk of bashing Alan Paller yet again, I am often turned off by the approach of ‘being able to know the status of every machine at every minute,’ – as if machines by themselves cause bad security… It’s way too tactical (incorrect IMHO) and too easy to make that claim.&#8221;  Faraone goes on to make the point, &#8220;Continuous, repeatable security processes followed by knowledgeable, responsible practitioners are what government needs. But you cannot develop these processes without starting from a larger, enterprise view.  Successful organizations follow this–dare I say it–axiom whether discussing security governance, or system administration.&#8221;
</p>
<p>
Paller has been very vocal in his opposition to FISMA.  He is frequently quoted (e.g., &#8220;<a href="http://www.computerweekly.com/Articles/2010/03/25/240719/Sans-founder-slams-39terribly-damaging39-US-cyber-security.htm">Sans founder slams &#8216;terribly damaging&#8217; US cybersecurity law</a>&#8221;).  Paller has told the House Committee on Oversight and Government Reform&#8217;s Subcommittee on Government Management, Organization and Procurement that FISMA, as it has been implemented and enforced until now, has been more detrimental than helpful to government IT security.
</p>
<p>
FISMA was needed to get government moving in a security-focused direction.  Philpott in his post &#8220;<a href="http://www.guerilla-ciso.com/archives/754">The 10 CAG-egorically Wrong Ways to Introduce Standards</a>&#8221; makes the point &#8220;Speaking as someone who scrambled to secure Federal systems before FISMA and NIST’s extensive guidance, having that documentation greatly improves my ability to efficiently and effectively secure systems.&#8221;
</p>
<p>
Statements painting FISMA as worthless or detrimental might grab headlines but are not really helpful.  Nor are <a href="http://archives.neohapsis.com/archives/sans/2010/0070.html">statements</a> by Paller like, &#8220;US House of Representatives attaches new FISMA rewrite to Defense Authorization Bill. The press hasn’t picked it up yet, but NextGov.Com will have a story in a few minutes. This puts one more nail in the coffin of the Federal CISOs and security contractors who think they can go on ignoring OMB and go on wasting money on out of date report writing contracts.&#8221;  Faraone calls Paller on this statement in the post &#8220;<a href="http://www.guerilla-ciso.com/archives/1735">When the News Breaks, We Fix It</a>.&#8221;
</p>
<p>
Richard Bejtlich, in his post &#8220;<a href="http://taosecurity.blogspot.com/2010/04/thoughts-on-new-omb-fisma-memo.html">Thoughts on New OMB FISMA Memo</a>,&#8221; adds <a href="http://taosecurity.blogspot.com/search/label/fisma">his opinion on FISMA reform</a> when he writes &#8220;Long-time blog readers should know I&#8217;ve been writing about FISMA for five years, calling it a &#8216;joke,&#8217; a &#8216;jobs program for so-called security companies without the technical skills to operationally defend systems,&#8217; and other kind words. Any departure from the previous implementation is a welcome change.&#8221;
</p>
<p>
OMB issued &#8220;<a href="http://www.estrategy.gov/documents/M-10-15FISMAFY201004-21-10.doc">FY 2010 Reporting Instructions for the Federal Information Security</a>&#8221; (M-10-15) on April 21, 2010. It identifies a three-tiered reporting approach that includes:</p>
<ol>
<li>Data feeds directly from security management tools</li>
<li>Government-wide benchmarking on security posture</li>
<li>Agency-specific interviews</li>
</ol>
<p>Bejtlich analyzes what is really changing for FISMA implementation and concludes, &#8220;It&#8217;s probably going to take a .gov-savvy lawyer to really explain what these points mean, but private enterprise working with government data should probably take a close look at these new FISMA developments.&#8221;
</p>
<h3>Other Important Legislation</h3>
<p>With more than 35 cybersecurity-related measures before Congress right now, take some time to review the presentation &#8220;<a href="http://belfercenter.ksg.harvard.edu/publication/20133/cybersecurity.html">Cybersecurity: The U.S. Legislative Agenda</a>&#8221; by Melissa E. Hathaway, former acting senior director of cyberspace for the Obama administration, who now runs Hathaway Global Strategies and has advisory roles at several IT companies.  You might remember Hathaway from her work on the &#8220;<a href="http://www.whitehouse.gov/assets/documents/Cyberspace_Policy_Review_final.pdf">Cyberspace Policy Review</a>,&#8221; which was the result of a 60-day, comprehensive, &#8220;clean-slate&#8221; review directed by the President to assess U.S. policies and structures for cybersecurity.  To quote Hathaway on nine key pieces of legislation to watch:</p>
<ul>
<li><a href="http://www.govtrack.us/congress/bill.xpd?bill=s111-139">Data Breach Legislation (S. 139)</a>:  It will normalize the 46 State Data breach laws into one national umbrella.  It may be expanded to include more than Personal Identifiable Information (PII).  One issue with this bill is that it would consolidate all reporting to the US Secret Service, which is not helpful for broader information sharing with industry or across government.</li>
<li><a href="http://www.govtrack.us/congress/bill.xpd?bill=h111-2221">Data Accountability and Trust Act (H.R. 2221)</a>:  It was voted out of the House of Representatives in early December 2009.  It requires the ISPs to make victims aware of infection if seeing breach across network.  I believe the Comcast Denver, CO pilot program could be anticipatory market movement associated with this bill (to better understand costs).  It will be interesting to see if this is extended to those services who may also be able to determine if there is anomalous behavior on the broader backbone.   As you may know, Germany just passed a law requiring their ISPs to inform their citizens/consumers if they have been infected.</li>
<li>International Cybercrime Reporting and Cooperation Act (<a href="http://www.govtrack.us/congress/bill.xpd?bill=s111-1438">S. 1438</a> and <a href="http://www.govtrack.us/congress/bill.xpd?bill=h111-4692">H.R. 4692</a>):  This bill was introduced by Sen Gillibrand, and co-sponsored by Sen Hatch, which will give it strength in the Judiciary Committee.  The bill requires the President to produce an annual report to Congress providing an assessment of every country’s level of ICT utilization and development; assesses how each country’s legal, law enforcement and judicial systems address cyber crime and protect commerce and consumers.  This bill met discord from software and hardware companies and their associated lobbying organizations (e.g., BSA, Tech America) because there is language that there will be imposed sanctions on countries who have demonstrated 5 years of &#8220;bad behavior&#8221;.  This Bill and any hearing around it will certainly draw attention to the recent Google/PRC debacle.  It has a sister bill in the House of Representatives, H.R. 4692 mirrors the areas of focus.    **Note Sen Kerry and Sen. Gillibrand have also introduced <a href="http://www.govtrack.us/congress/bill.xpd?bill=s111-3193">S. 3193</a> (International Cyberspace and Cybersecurity Coordination Act of 2010) to authorize the creation of a senior coordinator at the State Department, with the rank and status of Ambassador at Large.</li>
<li><a href="http://www.govtrack.us/congress/bill.xpd?bill=h111-4061">Cybersecurity Enhancement Act (H.R. 4061)</a>:  It passed the House of Representatives in February (2/2/10).  In addition to providing additional responsibility to NIST, it creates an office for a national coordinator for the networking and information technology research and development program to improve cybersecurity research and development and coordination between the federal government, academia and private sector.  The NITRD office (within the Office of Science and Technology Policy) already coordinates all of the Cyber R&#038;D which for this year is well over $4B.  While this is a non-controversial piece of legislation because it supports R&#038;D efforts focused on identity management technologies and usability, authentication methods, and privacy, it&#8217;s not clear how the new office will interact with the current OSTP responsibilities.</li>
<li><a href="http://www.govtrack.us/congress/bill.xpd?bill=s111-921">FISMA II (S. 921)</a>: It updates FISMA I from compliance driven (check-list) to measures that are performance based.  It uses the State Department&#8217;s Risk Scoring tool which measures its systems on a continuous basis against known vulnerabilities and offers meaningful feedback in the form of actionable remediation techniques to the operators and high level feedback to senior managers to ensure accountability is one example that could serve as a model for the rest of government.   It also affords the department and agency chief information security officer the focus and attention it needs and deserves.  Finally, it is possible that FISMA II will address procurement reform.</li>
<li><a href="http://www.govtrack.us/congress/bill.xpd?bill=h111-2071">Intelligence Authorization Act (H.R. 2071)</a>:  It strengthens and enhances America&#8217;s intelligence capabilities, and improves congressional oversight of our intelligence agencies. It provides our intelligence community with the tools and resources to train more officers, expand language skills, strengthen cybersecurity efforts, and more effectively prevent the spread of weapons of mass destruction.  Contains multiple Congressionally Directed Actions for CNCI.</li>
<li><a href="http://www.govtrack.us/congress/bill.xpd?bill=s111-773">Cybersecurity Act of 2009 (S. 773)</a>:  The bill combines audits, industry-developed and government-backed standards, increased information-sharing, and other mechanisms to bolster private sector cybersecurity.  It establishes a Cybersecurity Advisory Panel (Presidential Level) and a National Clearinghouse for information sharing.  Additionally, it extends the Scholarship for Service program (increases to 1000 scholarships) and increases the National Science Foundation’s budget for R&#038;D.</li>
<li><a href="http://www.govtrack.us/congress/bill.xpd?bill=h111-5026">The Grid Reliability and Infrastructure Defense Act (H.R. 5026)</a>:  The bill amends the Federal Power Act and directs the Federal Energy Regulatory Commission to protect the electric transmission and distribution grid from vulnerabilities.  In addition to providing authority to address immediate threats, the GRID Act would also give FERC authority to mandate measures to protect against system “vulnerabilities” if it finds that the North American Electricity Reliability Corp. (“NERC”) standards are insufficient.  If passed, the legislation will provide a security framework for the Smart Grid.</li>
<li><a href="http://www.govtrack.us/congress/bill.xpd?bill=h111-3183">Energy and Water Appropriations Act 2010 (Law)</a>:  It appropriates additional funds for Cybersecurity: $46.5 million for energy delivery cybersecurity, an increase of $34.5 million from 2009, to develop secure grid technologies as cyber attacks increase worldwide and the grid becomes increasingly network-connected.  It also establishes a National Cyber Center for the grid.</li>
</ul>
<h3>Final Thoughts</h3>
<p>The Committee will hold a hearing on the legislation next week, starting on <b>June 15, 2010</b>.  Watch for analysis from the folks listed above.  I am sure they will have interesting analysis as more details are released.  This is going to be interesting.
</p>
<p>
<b>Related Posts:</b></p>
<ul>
<li><a href="http://blog.securitymonks.com/2010/05/31/fedramp-and-recent-changes-prepare-feds-for-cloud-adoption/">FedRAMP and Recent Changes Prepare Feds for Cloud Adoption</a></li>
<li><a href="http://blog.securitymonks.com/2008/03/17/fisma-paperwork-or-actual-security/">FISMA: Paperwork Or Actual Security?</a></li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://blog.securitymonks.com/2010/06/10/fisma-reform-lieberman-collins-and-carper-introduce-bill/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Information Security and the Law</title>
		<link>http://blog.securitymonks.com/2007/10/10/information-security-and-the-law/</link>
		<comments>http://blog.securitymonks.com/2007/10/10/information-security-and-the-law/#comments</comments>
		<pubDate>Wed, 10 Oct 2007 18:13:53 +0000</pubDate>
		<dc:creator>John Gerber</dc:creator>
				<category><![CDATA[Law]]></category>

		<guid isPermaLink="false">http://blog.securitymonks.com/?p=55</guid>
		<description><![CDATA[&#8220;There is no grievance that is a fit object of redress by mob law.&#8221;  &#8212; Abraham Lincoln
Once upon a time, folks tossed up web sites and pretty much anything went.  Mob ruled.  You acted badly, you got flamed.  For those not familiar with the term, &#8220;flaming&#8221; refers to &#8220;the berating of [...]]]></description>
			<content:encoded><![CDATA[<p>&#8220;<a href="http://books.google.com/books?id=zy4OAAAAIAAJ&amp;pg=PA116&amp;lpg=PA116&amp;dq=there+is+no+grievance+that+is+a+fit+object+of+redress+by+mob+law&amp;source=web&amp;ots=Y4ZKQ59Gyb&amp;sig=1GKtVoTB11QjMuElUpooLT05k3k"><em>There is no grievance that is a fit object of redress by mob law</em></a>.&#8221;  &#8212; <a href="http://www.whitehouse.gov/history/presidents/al16.html"><strong>Abraham Lincoln</strong></a></p>
<p><a href="http://www.greenwichworkshop.com/details/default.asp?p=2378&#038;a=16&#038;t=Canvas&#038;page=1&#038;detailtype=artist"><img src="/images/thelistener.jpg" alt="Listener" align="left" width="250" /></a>Once upon a time, folks tossed up web sites and pretty much anything went.  Mob ruled.  You acted badly, you got flamed.  For those not familiar with the term, &#8220;flaming&#8221; refers to &#8220;the berating of a person in an Internet newsgroup, Web forum or e-mail list by others in the group.&#8221; Those were the simple days.  While flaming still goes on, there are now laws and regulations that affect the operation of information systems. Life may seem as chaotic as ever, but as information security professionals we need to take time to listen and learn what is going on in the legal world.  James Christensen painted &#8220;<a href="http://www.greenwichworkshop.com/details/default.asp?p=2378&amp;a=16&amp;t=Canvas&amp;page=1&amp;detailtype=artist">The Listener</a>&#8221; and describes the listener as &#8220;<em>Listening to his still, small, inner-voice, he remains centered without being overcome. We can all find peace in this busy world, but sometimes need to be reminded that we are in charge of our destiny and each of us has the ability to focus without being pushed and pulled as victims</em>.&#8221;  Good or bad, laws and regulations have a major impact on how we operate.  We need to learn and understand the environment in which we must now operate.</p>
<p>Let me start off with a legal disclaimer: I am not a lawyer.  I can only point you to sources of information that can help you be aware of legal issues.   For a single source of information, take a look at &#8220;<a href="http://www.lawcatalog.com/product_detail.cfm?productID=7070&amp;setlist=0&amp;return=search_results&amp;">Information Security Law</a>&#8221; by <a href="http://www.amazon.com/exec/obidos/search-handle-url/102-5919266-9254546?%5Fencoding=UTF8&amp;search-type=ss&amp;index=books&amp;field-author=Mark%20G.%20Milone">Mark G. Milone</a>.   Stephen Northcutt, founder of the <a href="http://www.sans.org">SANS</a> <a href="http://www.giac.org/">GIAC</a> certification program, highly recommended this publication in the <a href="http://www.sans.edu/resources/musings/202.php">SANS Musings</a> area.</p>
<p>For those with very limited budgets, there are other sources that provide information about IT and law.  The law firm <a href="http://www.bakernet.com/ecommerce/home-security.htm">Baker &amp; McKenzie</a> was maintaining an information security law resource.   Unfortunately, the site has not been updated since March 2006.   It is still a great source of information and links.    The <a href="http://www.internetlibrary.com/">Internet Library of Law and Court Decisions</a> is a site maintained by <a href="http://www.internetlibrary.com/samsonmar_bio.cfm">Martin Samson</a>, a partner in the New York law firm of Davidoff Malito &amp; Hutcher LLP.  It is a very well organized site with analysis of over 430 court decisions and links to additional resources within each state.  Scott &amp; Scott recently published a nice chart of <a href="http://www.scottandscottllp.com/resources/state_data_breach_notification_law.pdf">state data breach notification laws</a>.  The site also has links to papers on &#8220;<a href="http://www.scottandscottllp.com/resources/data_breach.pdf">The Business Impact of Data Breach</a>&#8221; and &#8220;<a href="http://www.scottandscottllp.com/resources/article_obtaining_a_patent.asp">Obtaining a Patent on Open Source Software</a>.&#8221;  Cornell University&#8217;s Legal Information Institute maintains an <a href="http://www2.law.cornell.edu/">interesting legal site</a> that is great for looking up information on U.S. Codes.   The <a href="http://www.techlawjournal.com/">Tech Law Journal</a> provides regularly updated news and analysis.  The Department of Justice maintains a site that focuses on <a href="http://www.cybercrime.gov/">Computer Crime &amp; Intellectual Property</a>.   The <a href="http://www.loc.gov/law/">Law Library of Congress</a> is a great source of information.</p>
<p>If your organization ever does work with other countries, the Library of Congress also maintains the <a href="http://www.loc.gov/mulp/">Multinational Collections Database</a>, where you can find information from international jurisdictions on particular legal topics.  <a href="http://www.cr-international.com/home.html">Computer Law Review International</a> can help keep you informed on technology law in the European countries.   Keeping informed on international law is somewhat like being a veterinarian.  Some folks would think being a veterinarian would be easier than being a human doctor.  The problem is, you end up having to study all kinds of animals, and it can get quite complicated.  On the flip side, the patients complain less and do not generally sue.  I am kept quite busy trying to be aware of legal issues when it comes to US laws.  Keeping an eye on international laws takes more time than I have.  If you need to find information, there are many other sites on the Internet providing links, like <a href="http://www.catalaw.com/topics/Technology.shtml">CataLaw</a> and the <a href="http://www.eisil.org/">Electronic Information System for International Law</a>.  Never forget about Google; it is one of the best ways to find information on a particular legal issue in a particular country.</p>
<p>For more recent U.S. legal information, I find that blogs provide a good source.  There is a <a href="http://www.lawprofessorblogs.com/">law professor blog network</a> which describes itself as &#8220;<em>a network of web logs (blogs) designed from the ground-up to assist law professors in their scholarship and teaching</em>.&#8221;  The site consists of links to blogs focused on particular areas of law, and each of those blogs provides resources, links, news, and information of interest.  It is a great source of information.  A few blogs that I subscribe to in <a href="http://www.google.com/reader">my RSS reader</a> are:</p>
<ul>
<li><a href="http://bgbg.blogspot.com/">Bag and Baggage</a> &#8211; written by an intellectual property and technology lawyer.</li>
<li><a href="http://eddblogonline.blogspot.com/">edd blog online</a> &#8211; <em>The site describes itself as, &#8220;An insiders look into the ever evolving landscape of legal discovery to include but not limited to computer forensics, electronic discovery, email archiving, online review and proactive management.&#8221;</em></li>
<li><a href="http://www.ernietheattorney.net/ernie_the_attorney/">Ernie the Attorney</a> &#8211; Ernest Svenson, a business litigator at the Svenson Law Firm.</li>
<li><a href="http://googlepublicpolicy.blogspot.com/">Google Public Policy blog</a> &#8211; the name says it all.</li>
<li><a href="http://www.groklaw.net/">Groklaw</a> &#8211; I&#8217;ll quote <a href="http://en.wikipedia.org/wiki/Groklaw">wikipedia</a>, &#8220;<strong>Groklaw</strong> is a <a href="http://en.wikipedia.org/wiki/Blog" title="Blog">blog</a> that was started <a href="http://en.wikipedia.org/wiki/May_16" title="May 16">May 16</a>, <a href="http://en.wikipedia.org/wiki/2003" title="2003">2003</a> by <a href="http://en.wikipedia.org/wiki/Paralegal" title="Paralegal">paralegal</a> <a href="http://en.wikipedia.org/wiki/Pamela_Jones" title="Pamela Jones">Pamela Jones</a> (posting as PJ) at <a href="http://en.wikipedia.org/wiki/Radio_UserLand" title="Radio UserLand">Radio UserLand</a>. Groklaw&#8217;s name derives from <a href="http://en.wikipedia.org/wiki/Robert_A._Heinlein" title="Robert A. Heinlein">Robert A. Heinlein</a>&#8217;s <a href="http://en.wikipedia.org/wiki/Neologism" title="Neologism">neologism</a> &#8216;<a href="http://en.wikipedia.org/wiki/Grok" title="Grok">grok</a>&#8217;, roughly meaning &#8220;to understand completely&#8221;, which had previously entered <a href="http://en.wikipedia.org/wiki/Geek" title="Geek">geek</a> slang. The blog has extensively covered the <a href="http://en.wikipedia.org/wiki/SCO-Linux_controversies" title="SCO-Linux controversies">SCO-Linux lawsuits</a>, being critical of <a href="http://en.wikipedia.org/wiki/SCO_Group" title="SCO Group">SCO</a>.&#8221;</li>
<li><a href="http://blogs.law.harvard.edu/palfrey/">John Palfrey</a> &#8211; from the Berkman Center at Harvard Law School.</li>
<li><a href="http://www.law.com/jsp/legaltechnology/index.jsp">Law.com legal technology section</a> &#8211; <a href="http://law.com/">law.com</a> describes itself as a site that &#8220;connects legal professionals to more than 20 award-winning national and regional legal publications online, including <em>The American Lawyer</em>, <em>The National Law Journal</em>, <em>New York Law Journal</em> and <em>Legal Times</em>, and delivers top legal news electronically to a growing national and global audience of subscribers each day on The Newswire.&#8221;</li>
<li><a href="http://privacylaw.proskauer.com/">Privacy Law Blog</a> &#8211; maintained by Proskauer&#8217;s Privacy and Data Security Practice Group.</li>
<li><a href="http://www.realtime-itcompliance.com/">Realtime IT Compliance</a> &#8211; done by Rebecca Herold, who is not a lawyer.  She does a great job covering compliance issues that arise from the law.</li>
<li><a href="http://www.svmedialaw.com/">Silicon Valley Media Law Blog</a> &#8211; done by Cathy Kirman of Wilson Sonsini Goodrich &amp; Rosati.</li>
<li><a href="http://cyberlaw.stanford.edu/">Stanford Center for Internet and Society</a> &#8211; to quote the site, &#8220;In the heart of the Silicon Valley, legal doctrine is emerging that will determine the course of civil rights and technological innovation for decades to come. <a href="http://cyberlaw.stanford.edu/">The Center for Internet and Society</a> (CIS), housed at <a href="http://www.law.stanford.edu/">Stanford Law School</a> and a part of the <a href="http://law-science-tech.stanford.edu/">Law, Science and Technology Program</a>, is at the apex of this evolving area of law.&#8221;</li>
<li><a href="http://www.granick.com/blog/">The Shout</a> &#8211; the personal blog of Jennifer Granick of the Stanford Center for Internet and Society.  Its content is basically the same as the Center&#8217;s site.</li>
<li><a href="http://walkingwithelephants.blogspot.com/">Walking With Elephants</a> &#8211; to quote the site, &#8220;a perspective of the software industry by a guy with a shovel behind the elephants.&#8221;</li>
<li><a href="http://blogs.wsj.com/law/">Wall Street Journal Law Blog</a> &#8211; Peter Lattman is the lead writer.  The blog focuses on law and business.</li>
</ul>
<p>I enjoy legal blogs because I like listening to lawyers discuss issues.  That might sound strange.  I know when I took the <a href="http://www.sans.org/training/description.php?tid=1102">SANS System Forensics, Investigation and Response</a> course, the students in my class found the day dedicated to <a href="http://www.sans.org/training/description.php?cid=3497">Computer Investigative Law for Forensic Analysts</a> the roughest day.   I found it the most interesting.  Law and information technology have much in common.  <a href="http://radar.oreilly.com/artur">Artur Bergman</a> over at O&#8217;Reilly Radar would agree.  Artur wrote a very interesting post, &#8220;<a href="http://radar.oreilly.com/archives/2007/08/code_looks_like.html">Law is Code</a>,&#8221; discussing a presentation that <a href="http://www.doxpara.com/">Dan Kaminsky</a> gave at Foo Camp.  Dan described how to turn noise into visualizations.  To demonstrate this, Dan used <a href="http://www.gutenberg.org/wiki/Main_Page">Project Gutenberg</a>, <a href="http://en.wikipedia.org/wiki/Win32">kernel32.dll</a> and the <a href="http://www.gpoaccess.gov/uscode/index.html">US Code</a> to produce some interesting visualization maps. Dan showed that law and code both have, to quote Artur, &#8220;<em>a highly structured set of instructions that allows a state machine to function, ideally without any ambiguity</em>.&#8221;</p>
<p>Law is about precedents and interpretations.  Each law generates a number of interpretations, and each interpretation depends on the specific facts of the case.  Being aware of the pertinent information technology laws is only the start.  Keeping up on rulings via news postings, and listening to lawyers discuss issues, will help us understand how the law is interpreted. Like James Christensen&#8217;s listener, may we all figure out how to use the law to keep us centered while the noise of the IT world swirls around us.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.securitymonks.com/2007/10/10/information-security-and-the-law/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>IDS</title>
		<link>http://blog.securitymonks.com/2007/06/17/ids/</link>
		<comments>http://blog.securitymonks.com/2007/06/17/ids/#comments</comments>
		<pubDate>Mon, 18 Jun 2007 03:26:50 +0000</pubDate>
		<dc:creator>John Gerber</dc:creator>
				<category><![CDATA[Bro]]></category>
		<category><![CDATA[IDS]]></category>
		<category><![CDATA[Law]]></category>
		<category><![CDATA[SANS]]></category>
		<category><![CDATA[Snort]]></category>

		<guid isPermaLink="false">http://blog.securitymonks.com/?p=38</guid>
		<description><![CDATA[&#8220;Computers are like Old Testament gods; lots of rules and no mercy.&#8221;
&#8211; Joseph Campbell

Last week I spent Monday driving through a few states.  It was an eight hour drive.  When possible, I prefer driving over flying.  While it may take longer, I use the time to listen to podcasts.  Since I [...]]]></description>
			<content:encoded><![CDATA[<p>&#8220;<a href="http://en.thinkexist.com/quotation/computers_are_like_old_testament_gods-lots_of/152696.html"><em>Computers are like Old Testament gods; lots of rules and no mercy.</em></a>&#8221;<br />
&#8211; <strong><a href="http://en.wikipedia.org/wiki/Joseph_Campbell">Joseph Campbell</a></strong></p>
<p>
<a href="http://www.banksy.co.uk/indoors/02.html"><img src="/images/ids.jpg" alt="IDS" width=200 align="left"/></a>Last week I spent Monday driving through a few states.  It was an eight-hour drive.  When possible, I prefer driving over flying.  While it may take longer, I use the time to listen to podcasts.  Since I had taken the <a href="http://www.sans.org/training/description.php?mid=98&#038;portal=d9278027b4d697dd3c444d97c8124682">SANS System Forensics, Investigation &#038; Response course (SEC 508)</a>, I had access to their lectures in MP3 format.  The lecture on <a href="http://www.sans.org/training/description.php?cid=3497&#038;portal=3b282e0dc9be9aa724654f2ac03b9431">Computer Investigative Law for Forensic Analysts</a> was prepared and taught by <a href="http://www.sans.org/tysonscorner07/faculty.php">Richard P. Salgado</a>.   I had taken the course at a <a href="http://www.sans.org/community_sans/?portal=4e7bdb1ee7e5c07f88b14f1e7fb36d80">Community SANS</a> event, close to where my brother lives.  Yes, I was trying to keep my expenses down, and my brother and his family were kind enough to put me up for the week.  While the course was well taught, knowledge of the legal issues of forensics was not the instructor&#8217;s strong point.  This was reflected by the fact that the students hated that day.  If only they had had Richard P. Salgado.  He did an amazing job.
</p>
<p>
Why am I mentioning this in a blog post on <a href="http://en.wikipedia.org/wiki/Intrusion_Detection_System">intrusion detection systems (IDS)</a>?  The law has an ever-increasing role in IT, and this is especially true in the areas of forensics, incident response, and intrusion detection/prevention.  Before you set up any IDS, make sure you are authorized and legally clear to do so.
</p>
<p>
With that disclaimer out of the way: I spent the weekend beginning to develop a network monitoring system.  Sure, for years I have worked with <a href="http://www.snort.org/">Snort</a>, but I am doing something different.  For those unfamiliar with Snort, to quote their site:</p>
<blockquote><p>
Snort® is an open source network intrusion prevention and detection system utilizing a rule-driven language, which combines the benefits of signature, protocol and anomaly based inspection methods. With millions of downloads to date, Snort is the most widely deployed intrusion detection and prevention technology worldwide and has become the de facto standard for the industry.
</p></blockquote>
<p>It is a great product.  Along with Snort, I have used the <a href="http://sourceforge.net/projects/secureideas">Basic Analysis and Security Engine (BASE)</a>, which is based on the Analysis Console for Intrusion Databases (ACID) project.  BASE provides a web front-end to query and analyze the alerts coming from a Snort IDS.   If you are pulling down software, I also suggest checking out <a href="http://sguil.sourceforge.net/index.html">Sguil</a>.
</p>
<p>
Richard Bejtlich recently posted on his blog, <a href="http://taosecurity.blogspot.com">TaoSecurity</a>, an entry titled &#8220;<a href="http://taosecurity.blogspot.com/2007/06/dhs-einstein-demonstrates-value-o">DHS Einstein Demonstrates Value of Session Data</a>.&#8221;  Richard makes the statement, in relation to collecting session data:</p>
<blockquote><p>This is just the sort of project I&#8217;d like to roll out at my new job, possibly combining <a href="http://www.qosient.com/argus/">Argus</a> with <a href="http://www.datenspionage.de/arguseye/">ArgusEye</a>, or maybe just Sguil without Snort. </p></blockquote>
<p>
An intriguing project.  This weekend was about setting up an IDS using <a href="http://www.bro-ids.org/">Bro</a>.  To understand the importance of Bro, you need to first review the different styles of intrusion detection.</p>
<ul>
<li><strong>Signature Based</strong> &#8211; looks for specific, known attacks.
<ul>
<li>Pros: good attack libraries, easy-to-understand results.</li>
<li>Cons: unable to detect new attacks, or even just variants of known ones.</li>
</ul>
</li>
<li><strong>Anomaly Detection</strong> &#8211; build/infer a profile of &#8220;normal use&#8221; and flag deviations.
<ul>
<li>Pros: potentially detects a wide range of attacks, including previously unknown types of attacks.</li>
<li>Cons: can be &#8220;trained&#8221; to accept attacks as normal, and potentially misses a wide range of attacks, including known ones.</li>
</ul>
</li>
<li><strong>Activity Based</strong> &#8211; inspect traffic and construct &#8220;events,&#8221; then look for patterns of activity that deviate from a site policy.
<ul>
<li>Pros: potentially detects a wide range of attacks (including novel ones); the framework can accommodate both signatures and anomalies.</li>
<li>Cons: policies/specifications require significant development and maintenance, and attack libraries are harder to construct.</li>
</ul>
</li>
</ul>
<p>Snort is a signature-based IDS.  Bro is an activity-based IDS, though it does include a signature engine for matching specific patterns in packet streams, which makes it somewhat compatible with Snort.  The key difference in Bro&#8217;s analysis is that a signature match does not produce an alert directly; it generates an event, and the high-level policy scripts decide what to do with that event.  Other differences include that Snort is user friendly and Bro is a beast to learn.   Worse still, there are no good guides for Bro.  Sure, you can subscribe to the <a href="http://mailman.icsi.berkeley.edu/mailman/listinfo/bro">mailing list</a> and there is a <a href="http://bro-ids.org/wiki/index.php/Main_Page">Bro Wiki</a>.  <a href="http://geek00l.blogspot.com/">Geek00l</a> has done some very good postings:</p>
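<p>To make the three detection styles above, and the Bro point that a signature match is an event rather than an alert, concrete, here is an added Python example.  It is not code from the original post and it is not Snort or Bro code; it runs each style over a handful of constructed HTTP request records.  The records, the <code>cmd.exe</code> pattern, the &#8220;10.&#8221; internal-address convention and all helper names are assumptions made for illustration.  The same constructed traffic shows the cons listed above: the raw signature misses the case-changed and percent-encoded variants, the anomaly profile stops flagging anything once the attacks were in its training window, and the policy layer turns a match into an alert only when an outside host actually got a successful response.</p>

```python
"""Three IDS styles over the same constructed HTTP request records.

Added example: not code from the original post, and not Snort or Bro
code.  Everything below (the records, the cmd.exe pattern, the "10."
internal-address convention, the helper names) is assumed for
illustration.
"""
import re
from collections import Counter
from dataclasses import dataclass
from urllib.parse import unquote


@dataclass(frozen=True)
class HttpEvent:
    src: str
    dst: str
    uri: str
    status: int  # server response code as seen on the wire


# Constructed sample traffic: normal browsing, a known directory
# traversal to cmd.exe, and two variants of it (case change, %6d for "m").
EVENTS = [
    HttpEvent("10.0.0.5", "10.0.0.80", "/index.html", 200),
    HttpEvent("10.0.0.5", "10.0.0.80", "/about.html", 200),
    HttpEvent("10.0.0.6", "10.0.0.80", "/index.html", 200),
    HttpEvent("203.0.113.9", "10.0.0.80",
              "/scripts/..%255c../winnt/system32/cmd.exe?/c+dir", 200),
    HttpEvent("203.0.113.9", "10.0.0.80",
              "/scripts/..%255c../winnt/system32/CMD.EXE?/c+dir", 404),
    HttpEvent("203.0.113.9", "10.0.0.80",
              "/scripts/..%255c../winnt/system32/c%6dd.exe?/c+dir", 200),
]

# 1. Signature based: a fixed, case-sensitive pattern, like a Snort
#    "content" match without "nocase".  Known attack only; variants slip by.
SIGNATURE = re.compile(r"cmd\.exe")


def signature_hits(events):
    return [e for e in events if SIGNATURE.search(e.uri)]


# 2. Anomaly detection: learn the top-level path segments seen during a
#    training window, then flag anything outside that profile.
def top_segment(uri):
    return uri.split("?", 1)[0].split("/")[1]


def build_baseline(training):
    return Counter(top_segment(e.uri) for e in training)


def anomaly_hits(events, baseline):
    return [e for e in events if top_segment(e.uri) not in baseline]


# 3. Activity based, Bro style: normalize the request, and let a signature
#    match raise an *event* rather than an alert.  A policy handler then
#    decides what the event means using site context: did the server
#    honour the request, and is the client outside the site?
INTERNAL_PREFIXES = ("10.",)  # assumed site address plan


def normalize_uri(uri):
    # Decode twice: %255c hides a second layer (%5c -> backslash).
    u = uri
    for _ in range(2):
        u = unquote(u)
    return u.lower()


def signature_match_events(events):
    """Analogue of a Bro signature_match event: (event, message) pairs."""
    return [(e, "cmd.exe-in-uri")
            for e in events if SIGNATURE.search(normalize_uri(e.uri))]


def policy_alerts(events):
    out = []
    for e, msg in signature_match_events(events):
        external = not e.src.startswith(INTERNAL_PREFIXES)
        if external and e.status == 200:
            out.append(f"ALERT {msg} {e.src}->{e.dst} {e.uri} (request succeeded)")
        else:
            out.append(f"NOTICE {msg} {e.src}->{e.dst} status={e.status}")
    return out


if __name__ == "__main__":
    print("signature hits:", len(signature_hits(EVENTS)))  # 1
    clean = build_baseline(EVENTS[:3])
    print("anomalies, clean baseline:", len(anomaly_hits(EVENTS, clean)))  # 3
    poisoned = build_baseline(EVENTS)  # attacks were in the training window
    print("anomalies, poisoned baseline:", len(anomaly_hits(EVENTS, poisoned)))  # 0
    for line in policy_alerts(EVENTS):
        print(line)
```

<p>Run stand-alone, the script prints one signature hit, three anomalies against a clean baseline, zero against the poisoned one, and then two ALERT lines and one NOTICE line from the policy layer.  The design point is the separation in part 3: matching is cheap and generic, while the decision about severity lives in a policy function that can see response codes, address ranges, or anything else the site cares about, which is the shape of a Bro policy script rather than a Snort rule.</p>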
<ul>
<li><a href="http://geek00l.blogspot.com/2006/12/regex-magic-for-netsexcanalyst.html">Regex &#8211; Magic for NetSe[x|c]Anal(yst)?</a></li>
<li><a href="http://geek00l.blogspot.com/2006/12/bro-ids-enable-full-content-data.html">Bro-IDS: Enable Full Content Data Logging</a></li>
<li><a href="http://geek00l.blogspot.com/search?q=bro&#038;x=0&#038;y=0">Time Machine &#8211; Payload Centric</a></li>
<li><a href="http://geek00l.blogspot.com/2006/10/bro-ids-v12.html">Bro-IDS v1.2</a></li>
<li><a href="http://geek00l.blogspot.com/2006/06/bro-ids-signature-matching.html">Bro-IDS &#8211; Signature Matching</a></li>
<li><a href="http://geek00l.blogspot.com/2006/06/freebsd-ids-sensor-tweaking.html">FreeBSD &#8211; IDS Sensor Tweaking</a></li>
<li><a href="http://geek00l.blogspot.com/2006/06/bro-ids-learning-process.html">Bro-IDS &#8211; The learning process</a></li>
<li><a href="http://geek00l.blogspot.com/2006/06/multipurposes-post_06.html">Multipurposes post :]</a></li>
<li><a href="http://geek00l.blogspot.com/2006/05/bro-ids-be-loved.html">Bro-IDS &#8211; Be Loved</a></li>
<li><a href="http://geek00l.blogspot.com/2006/01/bro-ids-installation-experience.html">Bro-IDS &#8211; Installation Experience</a></li>
</ul>
<p>Geek00l convinced Richard Bejtlich to take a second look at Bro, and Richard posted:</p>
<ul>
<li><a href="http://taosecurity.blogspot.com/2007/04/bro-basics-follow-up.html">Bro Basics Follow-Up</a></li>
<li><a href="http://taosecurity.blogspot.com/2007/04/bro-basics.html">Bro Basics</a></li>
</ul>
<p>That will get you started.
</p>
<p>
My interest in Bro comes from the fact that handling high-speed, large-volume monitoring was a design goal of Bro.  Snort, on a security appliance, can handle such traffic.  Force10 released such a box, <a href="http://www.networkworld.com/news/2006/041706-force10-ips.html">the P10</a>, which can handle up to 1000 signatures.  I have worked with the open source version of Snort on high-volume networks, and it has not been pleasant.  While the P10 might work well, I am interested in different capabilities.
</p>
<p>
Bro offers an interesting solution to monitoring 10G traffic.  If you are working with <a href="http://www.net.t-labs.tu-berlin.de/research/bpcs/">FreeBSD</a>, there are ways to tune the kernel.  While I have previously run into problems with Bro, my past problems were more likely due to trying to work under the Apple environment, where drivers for supported 10G Ethernet cards had not yet been developed.  Fortunately, that appears to have changed.  I&#8217;ll post more as I make progress.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.securitymonks.com/2007/06/17/ids/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Network Monitoring and Privacy</title>
		<link>http://blog.securitymonks.com/2007/03/06/network-monitoring-and-privacy/</link>
		<comments>http://blog.securitymonks.com/2007/03/06/network-monitoring-and-privacy/#comments</comments>
		<pubDate>Tue, 06 Mar 2007 17:14:32 +0000</pubDate>
		<dc:creator>John Gerber</dc:creator>
				<category><![CDATA[Law]]></category>
		<category><![CDATA[Opinion]]></category>

		<guid isPermaLink="false">http://blog.securitymonks.com/?p=30</guid>
		<description><![CDATA[&#8220;Wisdom consists in being able to distinguish among dangers and make a choice of the least harmful.&#8221; — Niccolo Machiavelli, The Prince

I was talking with a gentleman from a university who told me that they are not allowed to inspect the payload of a packet when doing network monitoring.  He went on to say [...]]]></description>
			<content:encoded><![CDATA[<p>&#8220;<a href="http://www.gutenberg.org/etext/1232"><em>Wisdom consists in being able to distinguish among dangers and make a choice of the least harmful.</em></a>&#8221; <strong>— Niccolo Machiavelli, <em>The Prince</em></strong></p>
<p>
<a href="http://blog.securitymonks.com/images/3bears-01.jpg"><img src="http://cagle.msnbc.com/news/PrivacyCartoons/SlanePrivacyCartoonGIFS/3bears-01.jpg" align="left" width=250  alt="Three Bears and Privacy" /></a>I was talking with a gentleman from a university who told me that they are not allowed to inspect the payload of a packet when doing network monitoring.  He went on to say that they only inspected the header, and if through this method they could demonstrate possible hacking activity, then they could go to the chancellor for an exception.  Only with the exception could they start capturing the packets of the person in question.  This struck me as very odd, since the law relating to electronic monitoring is the Electronic Communications Privacy Act (ECPA).  I did not see, if the university was following this law, how an exception could be issued by the chancellor and not a judge.  I wondered what the legal requirements were versus the business risk management policies of the university.
</p>
<p>
The university policy appears to be based on the <a href="http://www.aacrao.org">American Association of Collegiate Registrars and Admissions Officers</a> report, &#8220;<a href="http://www.aacrao.org/publications/NSF-LAMP.pdf">Final Report NSF &#8211; LAMP Project: Identifying Where Technology Logging and Monitoring for Increased Security End and Violations of Personal Privacy and Student Records Begin.&#8221;</a>  The study focused on the <a href="http://en.wikipedia.org/wiki/FERPA">Family Educational Rights and Privacy Act of 1974 (FERPA)</a>.  That law was written to afford students and their parents (in the case of minor students) certain rights concerning the protection of their education records.  To quote the LAMP report, &#8220;When systems data are collected in logs, such data include information that itself or when matched with other data can be used to identify individuals and their behavior patterns.  As college and university environments increase the number of functions that are networked, the ability to create an increasingly complex picture of individual activities grow.  What may begin as logging activity to protect the efficient and effective functioning of one system can be targeted data collection and surveillance of a specific individual.&#8221;  It goes on to state, &#8220;If a record is directly related to a student &#8212; i.e., identifiably associated with a specific individual &#8212; and if it is retained by the institution in any form (e.g., handwriting, print, tapes, film, microfilm, microfiche, and form of electronic data storage), it is an education record under the law, and the student is afforded certain rights.&#8221;
</p>
<p>
The report breaks data into three levels:</p>
<ol>
<li>Level I is for the purpose of network or operations management.  Either the data yielded cannot be associated with an individual user, or functions are enabled in such a way as to effectively separate identifiable information from other output.</li>
<li>Level II is also for the purpose of network and operations management, as well as security.  The data may be associated with individual users through multiple steps.  The data are separated into log outputs to facilitate analysis of specific functions and to provide checkpoints before data can be linked and related in such a way that education records are created.  Access should be restricted.  Individuals handling the data must be trained in FERPA.  Archiving of data is short in duration.</li>
<li>Level III is primarily for the purpose of security.  Data yielded at this level include IP addresses, user IDs, account information, email addresses, date and time stamps, and any other readily identifiable information.  Individuals with access are very few and have high-level authorizations documented in their position descriptions.  Individuals dealing with this level of data are highly trained in FERPA and data access procedures.  Archiving is extremely short.</li>
</ol>
<p>The LAMP report makes recommendations based on the diverse work force that handles student records.  It is a report, not law.  I remember when I went to school, which was after 1974, and our student IDs had our social security numbers on them.  Later, when I was in graduate school, they allowed us to apply for another identification number, but by default the student ID still carried a person&#8217;s social security number.  I am glad the university is taking this issue more seriously.
</p>
<p>
The <a href="http://en.wikipedia.org/wiki/Electronic_Privacy_Information_Center">Electronic Privacy Information Center</a> is considered a somewhat radical group.  Their <a href="http://www.epic.org/privacy/student/p2pletter.html#_ftn2">letter concerning peer-to-peer (P2P)</a> is interesting in that it references the NSF LAMP study. While their statement, &#8220;Monitoring the content of communications is fundamentally incompatible with the mission of educational institutions to foster critical thinking and exploration&#8221; might reflect a view held by many in the education field, it does not address the legal issues.  BTW, the <a href="http://media.www.thebatt.com/media/storage/paper657/news/2007/03/06/News/Its-A.Pirates.Life.For.Me-2759119.shtml">top five schools to receive RIAA complaints</a> concerning P2P are Ohio, Purdue, the University of Nebraska-Lincoln, the University of Tennessee and the University of South Carolina.  It looks like some universities are not listening to EPIC.  At Michigan State, first-time offenders get a warning.  Second-time offenders have to watch an eight-minute anti-piracy DVD produced by the RIAA.  Third-time offenders face suspension.  The entertainment industry typically can identify a student only by his or her numerical Internet address and must rely on the school to correlate that information with its own records to trace a person&#8217;s real-world identity.  Federal law requires universities to take action to stop repeat offenders, or else the universities can be sued.  Other universities are more receptive to the views of EPIC and are not concerned about legal action.  Purdue, which has received 1,068 complaints so far this year, said it rarely even notifies students accused by the RIAA because it&#8217;s too much trouble to track down alleged offenders.
</p>
<p>
I have heard that excuse before from a university.  A lifetime ago, I worked for a university.  The university started up a community network for the surrounding counties.  The issue of attempting to block pornographic sites came up.  At that time, we were told not to try to block anything.  Now, we were swamped with work, but concern about us overworking was not the motivation behind the do-nothing policy.  The legal opinion of the university lawyers was that it is better to claim you cannot do something than to make an attempt, fail to block a few, and then be held liable for the few that you do not block.  I am thankful my mail provider does not have that philosophy, or I could never find any mail amongst all the spam.
</p>
<p>
The idea of not doing anything does not provide legal cover when it can be demonstrated that industry best practices differ from your company&#8217;s actions.  For example, <a href="http://lawprofessors.typepad.com/whitecollarcrime_blog/2006/05/morgan_stanley_.html">Morgan Stanley</a> ended up paying a $15 million fine as a result of the firm not appropriately or adequately retaining emails.  Rebecca Herold wrote an interesting blog post on &#8220;<a href="http://www.realtime-itcompliance.com/privacy_and_compliance/2006/07/the_security_and_privacy_risks.htm">The Security and Privacy Risks of Blogs, IMs, and Email</a>.&#8221;  She quotes from the <a href="http://www.amanet.org/index.htm">American Management Association (AMA)</a> and <a href="http://www.epolicyinstitute.com/">The ePolicy Institute</a>, &#8220;Last year, the inability to produce subpoenaed e-mail resulted in million dollar—even billion dollar—lawsuits against U.S. companies. In fact, 24% of organizations have had employee e-mail subpoenaed, and 15% of companies have gone to court to battle lawsuits triggered by employee e-mail.&#8221;
</p>
<p>
I agree with Rebecca in her posting, &#8220;<a href="http://www.realtime-itcompliance.com/2006/02/new_data_retention_requirement.ht">New Data Retention Requirements in the EU</a>,&#8221; where she states, &#8220;I see this as a sleeping giant that will emerge sometime soon to surprise and bonk on the head a great many compliance, info sec and privacy officers.&#8221;  <a href="http://en.wikipedia.org/wiki/Federal_Rules_of_Civil_Procedure">The Federal Rules of Civil Procedure</a> were just updated in December 2006.  David Stern over on the <a href="http://community.securitycatalyst.com/forums/index.php/topic,18.0.html">Security Catalyst forum</a> sums up the changes as:</p>
<ol>
<li>Files, instant messages, and email must be properly stored to allow efficient retrieval</li>
<li>Corporate counsel must understand how records are retained and retrieved so that they can provide a description of all retained data</li>
<li>Electronically stored information must be available to facilitate rapid searches. The lawyers no longer have to wait for discovery paperwork</li>
</ol>
<p>David goes on to state, &#8220;Legal experts have warned that setting an unusually short retention period and then claiming that the records have been deleted will be seen as malfeasance.&#8221;  While it is true that there is not yet a single authoritative source for retention periods, David points out that &#8220;The PCAOB’s Audit Standard 3 and the SEC both require 7 years, so setting your time to that range should not be out of the question.  While these rules only apply to litigation cases in Federal Court, these rules have historically worked their way down to the lower courts.&#8221;
</p>
<p>
<a href="http://www.wildmanharrold.com/profile/attorneys/cookw.htm">Mr. William Cook</a>, a leading data security attorney for the firm <a href="http://www.wildmanharrold.com">Wildman Harrold</a>, told me on the issue of monitoring, &#8220;You have the right, and some would argue, obligation to monitor the data and traffic on your own systems.&#8221;  Mr. Cook gave a presentation at the <a href="http://www.educause.edu/content.asp?SECTION_ID=247">NSF Cybersecurity Summit 2007</a> on &#8220;<a href="http://www.educause.edu/LibraryDetailPage/666?ID=CYB07003">Legal Perspectives on Data Security</a>.&#8221;
</p>
<p>Three U.S. federal statutes govern the interception, accessing, use, disclosure and privacy protection of electronic and wire communications. Stored communications are covered by the Stored Communications Act, which is Title II of <a href="http://en.wikipedia.org/wiki/Electronic_Communications_Privacy_Act">the U.S. Electronic Communications Privacy Act of 1986 (ECPA)</a>, 18 U.S.C. §§ 2701-2712. Real-time interception (sniffing a wireless network, for example) is covered by the <a href="http://www2.law.cornell.edu/uscode/uscode18/usc_sup_01_18_10_II_20_206.html">Pen/Trap Statute, 18 U.S.C. §§ 3121-3127</a>, which is centered on addressing information (such as 802.11 protocol headers), and by the <a href="http://www.cybercrime.gov/wiretap2510_2522.htm">Wiretap Statute (&#8220;Title III&#8221;), 18 U.S.C. §§ 2510-2522</a>, which is centered on the contents of communications.
</p>
<p>
The Department of Justice (DOJ) has written on the <a href="http://www.usdoj.gov/criminal/cybercrime/unlawful.">challenges of unlawful conduct involving the use of the Internet</a>.  For legal background, answers.com has an informative <a href="http://www.answers.com/topic/electronic-communications-privacy-a">post</a> on the Electronic Communications Privacy Act:</p>
<blockquote><p>The Electronic Communications Privacy Act of 1986 (ECPA Pub. L. 99-508, Oct. 21, 1986, 100 Stat. 1848, 18 U.S.C. § 2510) was enacted by the U.S. Congress to extend government restrictions on wire taps from telephone calls to include transmissions of electronic data by computer. Specifically, ECPA was an amendment to Title III of the Omnibus Crime Control and Safe Streets Act of 1968 (the Wire Tap Statute), which was primarily designed to prevent unauthorized government access to private electronic communications. Later, ECPA was amended, and weakened to some extent, by some provisions of the USA PATRIOT Act. In addition, Section 2709 of the Act, which allowed the FBI to issue National Security Letters to ISPs ordering them to disclose records about their customers, was ruled unconstitutional under the First (and possibly Fourth) Amendments in ACLU v. Ashcroft (2004). It is thought that this could be applied to other uses of NSLs.</p>
<p>Title I of ECPA protects electronic communications while in transit. Title II of the ECPA, the Stored Communications Act (SCA) protects messages stored on computers, but its protections are weaker than the ECPA&#8217;s. Title III prohibits the use of pen register and/or trap and trace devices to record dialing, routing, addressing, and signalling information used in the process of transmitting wire or electronic communications. Several court cases have raised the question of whether e-mail messages are protected under ECPA while they were in temporary storage en route to their final destination. In United States v. Councilman, a U.S. district court and a three judge appeals panel ruled they were not, but in 2005, the full United States Court of Appeals for the First Circuit ruled that they were. Privacy advocates were relieved, though the ruling might still be appealed to the U.S. Supreme Court. They had argued in amicus curiae briefs that if the ECPA did not protect e-mail in temporary storage, its added protections were meaningless as virtually all electronic mail is stored temporarily in transit at least once and that Congress would have known this in 1986 when the law was passed. (see e.g. RFC 822).
</p></blockquote>
<p>Title III of the Omnibus Crime Control and Safe Streets Act as amended (18 U.S.C. §2520(a); 18 U.S.C. §2511(1)(a)-(d)), &#8220;gives individuals a private right of action for any improper taping of their conversations to which they did not consent.&#8221;  There is, however, an exception for business telephone calls when the monitoring and taping of calls over an extension phone is done in the ordinary course of business.  The most commonly used exception to Title III&#8217;s requirements permits &#8220;a person acting under color of law&#8221; to intercept an &#8220;electronic communication&#8221; where &#8220;such person is a party to the communication, or one of the parties to the communication has given prior consent to such interception.&#8221; 18 U.S.C. § 2511(2)(c).
</p>
<p>
State law may add further protection by imposing a one-party or two-party (all-party) consent requirement for recording.  For example, in New York (as of 2005) the consent of only one party to a conversation is necessary to lawfully record an in-person or telephone communication.  California and Florida are two-party consent states.  Stroock &#038; Stroock &#038; Lavan discuss this issue in their posting titled &#8220;<a href="http://www.stroock.com/SiteFiles/Pub337.pdf">The Consent-to-Record Provision</a>.&#8221;  The practical consequence is that a monitoring or recording practice that is lawful under federal law may still be unlawful in a two-party consent state unless every party has consented.
</p>
<p>
Robert Strang, an Assistant United States Attorney for the Southern District of New York and its Computer and Telecommunications Coordinator, did a nice writeup titled &#8220;<a href="http://www.usdoj.gov/criminal/cybercrime/usamarch2001_2.htm">Recognizing and Meeting Title III Concerns in Computer Investigations</a>.&#8221;  To quote Strang: </p>
<blockquote><p>In 1986, Congress passed the Electronic Communications Privacy Act (&#8220;ECPA&#8221;), which, among others things, extended the prohibitions contained in Title III of the Omnibus Crime and Control and Safe Streets Act of 1968 (the &#8220;Wiretap Act&#8221;), 18 U.S.C. §§ 2510-2521, to electronic communications that are intercepted contemporaneously with their transmission—that is electronic communications that are in transit between machines and which contain no aural (human voice) component. Thus, communications involving computers, faxes, and pagers (other than &#8220;tone-only&#8221; pagers) all enjoy the broad protections provided by Title III unless one or more of the statutory exceptions to Title III applies. In the computer context, both the government and third parties are prohibited from installing &#8220;sniffer&#8221; computer software, such as the FBI’s Carnivore program, to record keystroke and computer traffic of a specific target unless one of the exceptions is present.</p></blockquote>
<p>Title III also permits &#8220;a person not acting under color of law&#8221; to intercept an &#8220;electronic communication&#8221; where &#8220;such person is a party to the communication, or one of the parties to the communication has given prior consent to such interception.&#8221; 18 U.S.C. § 2511(2)(d).  That is where banners end up being important.  This exception can be satisfied by the implied consent of the subject, the hacker himself, obtained through computer &#8220;banners&#8221;: a login banner that is displayed before access is granted and states that use of the system constitutes consent to monitoring gives every user who proceeds past it, authorized or not, notice of the monitoring and an opportunity to decline by disconnecting.
</p>
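<p>As an added illustration (not code from the original post), the following POSIX shell snippet writes a constructed consent banner of the kind the paragraph above describes, points an sshd_config drop-in at it so the banner is shown before authentication, and checks that the banner text actually states monitoring, consent, and possible disclosure. The file paths, the banner wording, and the organization name are assumptions made for the example; the <code>Banner</code> directive itself is documented in sshd_config(5).</p>

```shell
#!/bin/sh
# Added example, not from the original post: a pre-authentication consent
# banner for the 18 U.S.C. 2511(2)(d) party-consent exception, plus checks
# that the banner and the sshd configuration are in place.
# Paths and wording below are assumptions for illustration only.

BANNER_FILE="${TMPDIR:-/tmp}/issue.net.example"
SSHD_DROPIN="${TMPDIR:-/tmp}/50-consent-banner.conf.example"

# Constructed sample banner text (assumed organization name).
cat > "$BANNER_FILE" <<'EOF'
WARNING: This system is the property of Example Corp and is for authorized use only.
All activity on this system is subject to monitoring and recording.
Use of this system, authorized or unauthorized, constitutes consent to such monitoring.
Records of monitoring may be disclosed to law enforcement or other officials.
Unauthorized use may result in civil and criminal penalties.
If you do not agree to these terms, disconnect now.
EOF

# sshd_config drop-in: "Banner" makes sshd send the file contents to the
# client before the password or key prompt, i.e. before access is granted.
cat > "$SSHD_DROPIN" <<EOF
# Consent banner shown before authentication (sshd_config(5) Banner)
Banner $BANNER_FILE
EOF

# banner_has_consent_terms FILE
# Returns 0 when the banner states monitoring, consent, and possible
# disclosure (case-insensitive substring checks); returns 1 otherwise.
banner_has_consent_terms() {
    f="$1"
    for term in monitor consent disclos; do
        grep -qi "$term" "$f" || return 1
    done
    return 0
}

# sshd_dropin_references DROPIN BANNER
# Returns 0 when DROPIN contains an uncommented "Banner BANNER" line.
sshd_dropin_references() {
    grep -Eq "^[[:space:]]*Banner[[:space:]]+$2[[:space:]]*$" "$1"
}

# Stand-alone usage: report the result of both checks.
if banner_has_consent_terms "$BANNER_FILE" \
   && sshd_dropin_references "$SSHD_DROPIN" "$BANNER_FILE"; then
    echo "consent banner configured: $BANNER_FILE via $SSHD_DROPIN"
else
    echo "consent banner check FAILED" >&2
fi
```

On a real host the banner would live at /etc/issue.net and the drop-in under /etc/ssh/sshd_config.d/ (or the directive would be placed directly in /etc/ssh/sshd_config), and the same notice should be presented by every other entry point (console login, web front ends, VPN) so that no path onto the system skips it.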
<p>
One of the key provisions of Title III is that it also permits providers of a communication service, including an electronic communication service, to intercept communications as a &#8220;necessary incident to the rendition of his service&#8221; or to protect &#8220;the rights or property of the provider of that service.&#8221; 18 U.S.C. § 2511(2)(a)(i).  This exception permits a private party to monitor activities on its own system to prevent misuse of the system through damage, fraud, or theft of services. Since computer hacking often involves damaging or disabling a network&#8217;s security controls, as well as theft of the network&#8217;s service, this exception permits a system administrator to monitor the activities of a hacker while on the network.
</p>
<p>
Strang points out that there are limitations.  The monitoring must be reasonably connected to the protection of the provider&#8217;s service; it cannot be used as a pretext to engage in unrelated monitoring.  John S. Caragozian and Donald E. Warner Jr. demonstrate this point well by quoting various cases in their posting, &#8220;<a href="http://www.privacyrights.org/ar/employees-rights.htm">Privacy Rights of Employees Using Computers in California</a>.&#8221;  A key point is that the right to monitor is justified by the right to protect one&#8217;s own system from harm.  An ISP, for example, may not be able to rely on this exception to monitor one of its customers who is allegedly engaging in hacking activities on other networks.  Another limitation is that the exception does not permit a private provider of the communication service to authorize the government to conduct the monitoring; the monitoring must be done by the provider itself.
</p>
<p>Law is complicated, and I certainly am not a lawyer.  This posting was an attempt to make some sense of a few laws while providing additional links to information.  For additional information, the US Department of Justice maintains a web site on <a href="http://www.cybercrime.gov/">computer crime and intellectual property</a>.  The DOJ site provides news and documents relating to cyber crime.  There is also the podcast, <a href="http://cyberspeak.libsyn.com/">CyberSpeak</a>.  The hosts, Bret Padres and Ovie Carroll, are both former <a href="http://www.osi.andrews.af.mil/">U.S. Air Force Office of Special Investigations (AFOSI)</a> agents.  They provide a very entertaining weekly podcast on computer security, computer crime, and computer forensics topics.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.securitymonks.com/2007/03/06/network-monitoring-and-privacy/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

