ISACA does a great job of mapping COBIT to other standards. It will be interesting to see how much alignment there is between COBIT 5 and the recent work being done by the National Institute of Standards and Technology (NIST). Just last month, NIST released Special Publication 800-37 Rev. 1, “Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach.” To quote Dan Phillpott over on the Guerilla CISO site, “This document describes the central processes involved in the authorization of information systems that support the federal government. Notice I didn’t say Certification and Accreditation? That’s because C&A is deader than a sheep at a wolf convention. Want to know what replaces it?” Dan suggest picking up a copy of NIST SP 800-37 Rev 1.

Much of the recent focus on risk management is fueled by the need to deal with changing technologies. NIST SP 800-37 rev 1 is not the first NIST document concerning risk management and it certainly will not be the last. Later this year NIST will release SP 800-39 Rev. 1, “Integrated Enterprise-Wide Risk Management: Organization, Mission, and Information System View” and NIST SP 800-30 Rev. 1, “Guide for Conducting Risk Assessments.” Dr. Ron Ross presented NIST’s view of the next generation of risk management in his talk, “Next Generation Risk Management Information Security Transformation for the Federal Governmen” at the 5th Annual Security Automation Conference.

Quoting from the “Changing Technologies and the Effects on Information System Boundaries” section of NIST SP 800-37 Rev 1.:

Changes to current information technologies and computing paradigms add complications to the traditional tasks of establishing information system boundaries and protecting the missions and business processes supported by organizational information systems. In particular, net-centric architectures (e.g., service-oriented architectures [SOAs], cloud computing) introduce two important concepts: (i) dynamic subsystems; and (ii) external subsystems. While the concepts of dynamic subsystems and external subsystems (described in the following sections) are not new, the pervasiveness and frequency of their invocation in net-centric architectures can present organizations with significant new challenges.

Focusing back to COBIT 5, the planned primary improvements will consist of:

• Aligning COBIT 5 with ISACA’s TGF initiative as well as recent global governmental and market-driven enterprise and IT governance initiatives, such as sustainability and green IT.
• Consolidating COBIT 5 into a single overarching framework and knowledge base, providing one consistent and integrated source of guidance.
• COBIT 5 will be described in a high-level framework publication, providing an explanation of the objectives, scope, format and usage of COBIT 5 and enabling enterprises to strategically plan adoption of COBIT 5 and how to migrate to the new framework.
• COBIT 5 will consist of a set of publications providing:
  • The content of COBIT 5 required for enterprise implementation and assurance activities
  • Focussed guidance publications on functional, responsibility and organisational views to help
    COBIT users with a specific area of interest to better understand how COBIT can support their role.
• Clarifying the distinction between governance and management with a revised process model that distinguishes between these domains while also showing how they relate to each other, and with processes integrating both business and IT responsibilities.
• Aligning with the latest management practices as well as strengthening areas such as decision making, organisational structures, skill requirements, human factors, culture and change enablement. The new structure will be flexible, allowing future ISACA and non-ISACA standards, frameworks, regulations, etc., to be factored in.

If you want to learn more about risk management, a previous post “Risk Assessment: A Starting Point” provides a good starting point with links to some great information sources. Luke O’Connor over on Scribd, has provided some very nice graphics representation titled “How to Assess and Mitigate Risk” (a.k.a. “Six Risk Management Myths“):

ISACA is looking for feedback by the close 12 April 2010. There is also a LinkedIn Group setup by Grzegorz Albinowski where you can discuss and stay informed on COBIT 5 developments.

For a little perspective, remember back in August 2008, the Air Force suspended all efforts to the establishment of the Cyber Command. This was after the Air Force was hyping the Cyber Command capabilities on TV, in Web video advertisement, and in presentations. In September, the Pentagon decided that the US Strategic Command in Omaha, NE should create and run a version of the joint Cyber Command. Deputy Secretary of Defense Gordon England wrote in a memo, “Because all the combatant commands, military departments and other defense components need the ability to work unhindered in cyberspace, the domain does not fall within the purview of any particular department or component.”

In October, top Air Force leadership decided to continue efforts to stand up the Cyber Command. At the time, Air Force Secretary Michael Donley made the statement, “The conduct of cyber operations is a complex issue, as [Defense] and other interagency partners have substantial equity in the cyber arena. We will continue to do our part to increase Air Force cyber capabilities and institutionalize our cyber mission.”

Top military officials in May 2009 argued for a single joint command and went on to tell the media that a “Cyber attack could bring U.S. military response.” In June 2009, Defense Secretary Robert M. Gates in a memo Stated, “Our increasing dependency on cyberspace, alongside a growing array of cyber threats and vulnerabilities, adds a new element of risk to our national security. To address this risk effectively and to secure freedom of action in cyberspace, the Department of Defense requires a command that possesses the required technical capability and remains focused on the integration of cyberspace operations.”

The Defense Department failed to meet an Oct. 1 target launch date. There have been no confirmation hearing for the command’s first director. Nakashima is reporting that the project was delayed by “congressional questions about its mission and possible privacy concerns.”

NSA Deputy Director John (Chris) Inglis said “90 percent” of the command’s focus will be on defensive measures because “that’s where we are way behind.” The offensive measure lead to many policy and doctrinal questions involving cyber warfare. Nakashima goes on to report one official familiar with the Pentagon’s plans, who was not authorized to speak for the record, stated “The rules can vary dramatically depending upon under what authority you’re doing something. An offensive action is not a decision that can be taken very lightly. It is an extraordinary action because of the consequences that could result for either DOD or the intelligence community or critical U.S. industries.”

Offensive computing is a difficult topic to tackle. Remember Col. Charles W. Williamson III? He ran into a bit of controversy back in May 2008 when he posted “Carpet bombing in cyberspace: Why America needs a military botnet.” He stated, “America needs a network that can project power by building an af.mil robot network (botnet) that can direct such massive amounts of traffic to target computers that they can no longer communicate and become no more useful to our adversaries than hunks of metal and plastic.” Richard Bejtlich’s post, “Mutually Assured DDoS” points out several of the problems with a af.mil robot network. Sean Sullivan from F-Secure also did a thoughtful response titled “US Air Force Colonel Proposes Skynet.” The problem will always be in cyberspace, attackers do not wear uniforms, nor do they necessarily come from a particular domain. It is not so easy to identifying the enemy. The intelligent attacker makes all effort to blend into the population.

Paul B. Kurtz, a cybersecurity expert who served in the George W. Bush and Clinton administrations stated, “I don’t think there’s any dispute about the need for Cyber Command. We need to do better defending DOD networks and more clearly think through what we’re going to do offensively in cyberspace. But the question is how does that all mesh with existing organizations and authorities? The devil really is in the details.”

Nakashima reports officials stated:

“The initial operating plan for a cyber command is straightforward: to merge the Pentagon’s defensive unit, Joint Task Force-Global Network Operations, with its offensive outfit, the Joint Functional Command Component-Network Warfare, at Fort Meade, home to the NSA. The new command, which would include about 500 staffers, would leverage the NSA’s technical capabilities but fall under the Pentagon’s Strategic Command.

Lt. Gen. Keith B. Alexander, director of the NSA, has been nominated by President Obama to be the director of the Cyber Command. Congressional staff have been briefed three times, and the Pentagon hopes to brief lawmakers this month. Once the staff are satisfied the understand the command’s purpose and operating place, the Senate Armed Service Committee can hold the confirmation hearing for a new director.

Edmund Burke once said, “All that is necessary for evil to succeed is that good men do nothing.” Of course, Saint Bernard of Clairvaux would have cautioned, “Hell is full of good intentions or desires.” While there are many issues involved with the development of a US Cyber Command, steps are continuing to occur. Issues are being considered. Is it progress? I believe so. Stay tuned and we will all see what happens.

Thanks to Angry Alien Productions for providing links to 30-Second Bunnies Theatre. If you have never watched these collection of movies re-enacted by animated bunnies in 30 seconds, more or less, follow the links. If you enjoy the episodes, support the creative effort by buying the recently released DVD through Amazon.

For geeks, and those who love them, Kreg Steppe and Douglas E. Welch have written a story that you are going to love, “A Geek Christmas Story.” To quote the site, it is the story of “Mattie Stevens, a young boy of the early 80’s, dreams of owning a Commodore 64. He sets out to convince everyone this is the perfect gift. But, along the way runs into opposition from his parents and everyone around him including old Santa Claus”

Take a look at the all star cast of players from the podcasting community:
Narrator: Kreg Steppe – Technorama
Harvey Stevens: Dad – Kevin Devin
Mandy Stevens: Mom – Susie Murph – How to Grow your Geek Podcast
Mattie Stevens: Son – Daniel Devin
Sandy Stevens: Little Brother – Spencer Holden
Curtz Eisenberg: Friend to Mattie – Harrison Steppe
General Beringer: General – Douglas E. Welch
Lieutenant: Steve Holden – Tech News Radio
Mrs. Little: Katie Floyd – Mac Power Users Podcast
Santa’s Helper: Chuck Tomasi – Chuckchat.com
Santa: Larry Pesce – Pauldotcom.com Podcast
Judge: Victor Cajiao – Typical Mac User Podcast – Typical Shutterbug Podcast
Andrew Carnagie: Andy Helsby – Absoblogginlutely!
J.P. Morgan: Grant Bichocco – Mr.Grant.com
UPS Guy: Paul Asadoorian- Pauldotcom.com Podcast
Skipper: Rylie Starcher

Not to leave anyone out, because they have all done such a great job, the show was produced by:

George Starcher – Typical Mac User Podcast
Victor Cajiao – Typical Mac User Podcast - – Typical Shutterbug Podcast
Steve Holden – Tech News Radio - Jersey Boys Podcast – AztecMedia.net

The folks at FiT do fantastic, creative, stories around Halloween and Christmas (Server Room of Horrors – Halloween 2005; A Geek Christmas Carol – Christmas 2005; Server Room of Horrors – Halloween 2006; Lucky the Reindeer and the Island of Misfit Geeks – Christmas 2006; It’s the Great Server Chuck and Kreg! – Halloween 2007). Take the time to listen to this year’s Christmas story. You won’t be disappointed.

On a mission to reveal the truth behind Pere Noel, Mone took time for an interview on NPR’s Morning Edition and did an one hour lecture at MIT. Shaula Clark reporting for the Boston Phoenix on the MIT lecture, exposed some of Babbo Natale’s trade secrets:

• Kanakaloka is not immortal, but retains his jolly vigor with the help of organ printers.
• Swiety Mikolaj does not, in fact, leave toys under the tree; instead, he comes bearing complex chemical reactions — toys assemble themselves in their packaging.
• Ded Moroz’s Christmas Eve rounds are actually accomplished via several teams of Santa-recruited lieutenants, a series of short-distance wormholes, and time travel.
• Papai Noel’s base of operations (actually in Greenland, not the North Pole) is greatly threatened by global warming — to keep his unfathomably large server farm cool, he needs the Arctic chill. Papai Noel’s own green initiatives include planting trees and cloning his elves (“because he wouldn’t want [them] breeding on their own”).

According to Mone, Sinter Klaas uses tools that are hundreds of years beyond what we have at our disposal. For example, “Santa’s suit is laden with what are called metamaterials, which have the effect of bending light around a person so that they turn invisible” — which can come in handy if there are curious children peeking during his Christmas deliveries.

Questions on the Internet have been raised as to where Mone may have obtained his information. At the beginning of the month, Mone traveled to Google allegedly to take part in the Authors@Google series. During the talk Mone discussed how implanted listening devices in the ornaments help Hoteiosho keep the naughty and nice kids straight. Also discussed was the use of cloning and wormhole technology to help Baba Chaghaloo get to every household. A few posts on the Internet question whether Google could be providing information to Shengdan Laoren through advance data mining in exchange for some of the advance technologies.

Could the US government also be involved? Those Internet posts point to the partnership between Google and NORAD (the North American Aerospace Defense Command), a bi-national United States and Canadian organization. NORAD and Google are helping children track the journey of Jolasveinar around the world using Google Maps and Google Earth. In a possible attempt to gain patents and disrupt Google market shares, there are even rumors that Gaghant Baba’s workshop has been purchased by Bill Gates. Could a secret message exist behind the Microsoft Bing commercial about Daidi na Nollag?

Google maintains that they take user privacy very seriously. In this case, I believe them. If there is trickery, Tomten would likely be behind it. How can one trust a person who goes by so many names? And what exactly is his past? Every country provides a different story. If he is a jolly old elf, there are reports that elves have used trickery as a means to an end. Local and federal governments across the world have gift policies limiting the the value and number of gifts that can be given to government employees. Gifts can be used as bribes. One could begin to wonder if the gift bearing holiday might be a cover for a massive yearly bribery event. More troubling, attempts to trace those questioning Internet posts lead back to ISPs in Greenland. Maybe Jack Bauer is needed to get at the truth.

I am not saying Chimney John is not a jolly nice fellow. I am just not a great believer in security through obscurity. There is a great deal we don’t know about Samichlaus. As security minded people, we need to be always questioning. Video of Mone’s Google talk has been made available. View it below and judge for yourself:

Wishing you a great holiday, wherever you may be and whatever you may believe.

• The U.S. government has known about the flaw since the U.S. campaign in Bosnia in the 1990s, current and former officials said. But the Pentagon assumed local adversaries wouldn’t know how to exploit it, the officials said.
• Last December, U.S. military personnel in Iraq discovered copies of Predator drone feeds on a laptop belonging to a Shiite militant, according to a person familiar with reports on the matter.
• The militants use programs such as SkyGrabber, from Russian company SkySoftware. “It was developed to intercept music, photos, video, programs and other content that other users download from the Internet — no military data or other commercial data, only free legal content,” Andrew Solonikov, one of the software’s developers said by email from Russia.
• The difficulty, officials said, is that adding encryption to a network that is more than a decade old involves more than placing a new piece of equipment on individual drones. Instead, many components of the network linking the drones to their operators in the U.S., Afghanistan or Pakistan have to be upgraded to handle the changes.
• Predator drones are built by General Atomics Aeronautical Systems Inc. of San Diego. Some of its communications technology is proprietary, so widely used encryption systems aren’t readily compatible, said people familiar with the matter.
• Some officials worried that adding encryption would make it harder to quickly share time-sensitive data within the U.S. military, and with allies.
• The Air Force has staked its future on unmanned aerial vehicles. Drones account for 36% of the planes in the service’s proposed 2010 budget.
• Today, the Air Force is buying hundreds of Reaper drones, a newer model, whose video feeds could be intercepted in much the same way as with the Predators, according to people familiar with the matter. A Reaper costs between $10 million and $12 million each and is faster and better armed than the Predator. General Atomics expects the Air Force to buy as many as 375 Reapers.

What lessons are applicable to your organization? Three points to think about:

1. Design, cost, and risk. There is no doubt that there are many difficulties with adding encryption to drones. Design of these systems involves many factors (power, weight, security, transmission rates, etc.). The problem is that the risk of snooping due to the lack of encryption has been known about since the 1990s. With each drone costing $10-12 million, and the Air Force expected to buy 375, that is a sizable investment. When making design decisions, organizations can expect to have to defend their choices.
2. Developing with standards. Future development with possible different contractors seems unlikely if widely used encryption systems are not readily compatible with the current contractor’s proprietary communications technology. Companies should want to foster flexibility and avoid vendor lock-in. It is also unlikely that sharing information will be possible with allies unless widely encryptions systems can be used.
3. Being realistic when assessing the risk. Companies need to avoid reports that they failed to understand the risk. In this article, the worse statement is that the “Pentagon assumed local adversaries wouldn’t know how to exploit it.”

Underestimating risk is a constant threat in security. It is wise to remember the words of Sun Tzu from The Art of War, “It is said that if you know your enemies and know yourself, you will not be imperiled in a hundred battles; if you do not know your enemies but do know yourself, you will win one and lose one; if you do not know your enemies nor yourself, you will be imperiled in every single battle.”

Clickjacking, as described Grossman, is a browser vulnerability exploitation that gives “an attacker the ability to trick a user into clicking on something only barely or momentarily noticeable.” Dave Aitel adds a little more detail when he wrote to insecure.org:

Essentially if your web page is in the same frame as another page you can slide them under your buttons/URLS using DHTML such that when the user is clicking on your link, they instead really are clicking on some random place on a web page of your choice. This process is essentially invisible to the end user.

Clickjacking is a well-known issue and isn’t really anything new. The decision to do a presentation came about because RSnake and Grossman felt clickjacking was severely under appreciated and largely undefended. They had hoped they could begin to change that perception. The presentation was to consist of demonstrating the potential attacks along with some proof of concept (PoC) code and real working exploits. The problem was, to quote RSnake, “None of the issues we found relating to the browser were particularly easy to fix, it turns out.” Please read RSnake’s post, “Clickjacking” and Gossman’s post “(Cancelled) / Clickjacking – OWASP AppSec Talk.” The posts outline their decision to cancel along with additional details. Editorial Note: If you are interested at all in security, start reading both RSnake’s and Grossman’s blogs. Their posts are always very informative.

Ryan Naraine of ZDNet posted “Clickjacking: Researchers raise alert for scary new cross-browser exploit” and included this great quote:

I also received private confirmation from a high-level source at an affected vendor about the true severity of this issue. In a nutshell, I was told that it’s indeed “very, freaking scary” and “near impossible” to fix properly.

The news about clickjacking is not a news flash. Even news about the cancellation, RSnake and Grossman posted over ten days ago. The OWASP NYC AppSec 2008 Conference ended yesterday having run from from Sept 22nd – 25th 2008. What is new is that Giorgio Maone wrote Ryan Naraine concerning how NoScript can help. Clickjacking being “very, freaking scary” and “near impossible” to fix properly, sounds like another problem getting a bit more press in the US right now. All the more reason that while waiting for a patch, folks need a solution today. NoScript has can help. To quote Maone:

I had access to detailed information about how this attack works and I can tell you the following:

1. It’s really scary
2. NoScript in its default configuration can defeat most of the possible attack scenarios (i.e. the most practical, effective and dangerous) — see this comment by Jeremiah Grossman himself.
3. For 100% protection by NoScript, you need to check the “Plugins|Forbid <iframe>” option.

Finally, some good news. And that, my friend, is what makes it a news flash.

This past Monday, portions of the plan dealing with the counterintelligence, supply chain security, and research and development, were discussed with industry group. Up until now, disclosures have been limited to information regarding effort to improve the security of government network. The Deputy Secretary for DHS, Paul Schneider, discussed the three focus areas:

1. Establishing the front lines of defense against cyber attacks and reducing current vulnerabilities.
2. Defending against a full spectrum of threats by using intelligence.
3. Shaping the future through research and investment in new technologies.

It is interesting that Schneider cited the conflict between Russia and Georgia as “perhaps the first instance of military actions containing a clear cyber element.” There is no doubt that the government is very concern about cyber’s role in future warfare. Jack M. Germain wrote an article for TechNewsWorld titled “The Winds of Cyber War.” Tom Stracener, Sr. Security Analyst for Cenzic, told Germain, “The attack on Georgia shows an economy of scale. It was massive attacks on multiple levels. This is not just a U.S. problem. Hamas and Hezbollah have been doing this for years against Israeli Web sites. These types of attacks against opponents’ Web sites are also very common in South America. All of this points to a future of widespread information warfare. It is becoming one more big weapon in the war arsenal.”

Germain’s article goes into further explanation of the government’s attempts to address these concerns. Patrick Peterson, Vice President of Technology at IronPort Systems, stated that the U.S. government decided 12 months ago to spend 30 million to prepare for cyber attacks by establishing the Comprehensive National Cybersecurity Initiative (CNCI). Germain reports that “CNCI was commissioned by two different executive orders to proactively harden government computer systems against intruders rather than reacting to intrusions after the fact.” Peterson goes on to explain, “The activities of the CNCI are so secretive that it functions as an underground agency. Even Senator [Joe] Lieberman, after hounding the administration for an explanation, only received an official letter that was heavily redacted, indicating that the CNCI is a super top secret agency that operates on a need-to-know basis.” Keep in mind that DHS has been designated to play a significant role in implementation of CNCI.

Schneider went on to say, “In research and development we will be spending a significant amount of resources in the private sector and that’s because that’s where the technology’s going to come from.” Industry has a vital role to play in the initiative, as Schneider points out, “We don’t own the nation’s information technology networks or communications infrastructure. What we are faced with is the absolute need for a very unique partnership in order to defend this network.”

The National Science Foundation FY 2009 budget request included $116.9 million for cybersecurity research and education, with $30.0 million specifically devoted respectively to research in usability ($10 million), theoretical foundations ($10 million), and privacy ($10 million) to support the CNCI. NSF stated, “These investments in cybersecurity and information security and privacy will produce research results that allow society to more fully exploit the potential benefits of an increasingly networked world. In addition, the Scholarship for Service program, which funds scholarships to build a cadre of federal professionals with skills required to protect the nation’s critical information infrastructure, increases by 30 percent to $15 million.”

Concerning the the intrusion detection component, Einstein, Schneider stated, “We’ll be deploying a much more aggressive system that will allow us to look for patterns of malicious code–to shut them down before they do real harm.” Schneider did not elaborate further on how these aggressive systems would shut down malicious code. Stephanie Condon, of CNET News, reports that DHS’ Under Secretary for the National Protection and Programs Directorate, Robert Jamison said the department is currently working closely with three different vendors to test “Einstein 2″ in different environments.

On Captol Hill yesterday, there was a hearing before the Subcommittee on Emerging Threats, Cybersecurity and Science and Technology called “Cybersecurity Recommendations for the Next Administration.” There is a live/recorded video feed of the hearing available.

Schneider expressed confidence in continuation of the cyber initiatives stating “The majority of the people running these programs will be running these programs on January 21.” Schneider continued to explain while “any administration can come in with new policies,” he said the elements of the Cybersecurity Initiative, like common situational awareness, “are foundation pieces of any cybersecurity strategy.” One might argue that Schneider comments may have been also addressing critics that are questioning DHS’ future role in cybersecurity. Dennis Fisher, Executive Editor for SearchSecurity, provides additional details in his article “DHS should lose cybersecurity authority, experts say.” Condon also provides insight in the article, “Critics: Homeland Security unprepared for cyberthreats.”

“Our view is that any improvement in the nation’s cybersecurity must go outside of DHS to be effective,” stated James Lewis, Director and Senior Fellow, Technology and Public Policy Program. Lewis appeared on behalf of CSIS’s Commission on Cybersecurity for the 44th Presidency, a group made up of 40 cybersecurity and government experts. A final report is expected in November and will contain recommendations for the next administration.

Government Accountability Office (GAO) released two reports (No. 1 and No. 2) adding to the public criticism of DHS. The GAO has been reporting on DHS’ cybersecurity efforts since 2005 and has made 30 recommendations to the department. David Powner, GAO’s director of information management issues, stated, “Clearly our work has demonstrated that DHS has been completely ineffective in fulfilling their role as the cybersecurity focal point.” The GAO’s new reports include descriptions of the department’s failure to fully address 15 key cyberanalysis and warning attributes related to activities such as monitoring government networks for unusual activity. “Congress has to be involved with this,” Lewis said, “to support building the infrastructure that will keep us secure.”

Paul Kurtz is a partner at Good Harbor Consulting (which is lead by Richard A. Clarke), and a former adviser to President Bush on cybersecurity issues. Kurtz reports that during a late June briefing for private-sector executives about the new cybersecurity initiative, senior DHS officials had disagreed openly about how to move ahead. “What was so discouraging about that day, and I’ll never forget it, is that we had infighting between DHS leaders as to how to proceed,” Kurtz said. “It demonstrated in spades the lack of leadership, and that no one is in charge at DHS. It was a travesty. We had 70 or so private sector people in the room who had spent a lot of time and once again been asked to come up with some ways that we could better work together and the department basically threw it overboard. It was incredibly discouraging to witness.” Kurtz also stated DHS’ problems stems from the fact that, “you have several people with their hands on the steering wheel.” Echoing Kurtz concerns is subcommittee member Rep. William Pascrell, D-N.J, “The last time I checked, we had at least four people at DHS who claim to be in charge of cybersecurity.”

Kurtz stressed that “there is good work being done.” Lewis agrees and describes the major problem being that the department, “really doesn’t have the authority to direct other departments and agencies. If anything, its authority has probably declined as other departments have moved out on this issue.” Lewis went on to say, “The conclusion we reached is only the White House has the authority and oversight for cybersecurity. This is now a serious national security problem and should be treated as such.” Lewis also expressed the opinion that strengthening the department’s authority was no longer a viable option at this point. “I began in this effort by thinking that we should strengthen DHS,” he told the hearing. “We did not receive much encouragement when we put that forward.” In the end, Lewis reports that his suggestion that the problems could be solved by strengthening DHS’ authority was “shot down by my own commission.”

Of course, this is Washington and other explanations for DHS’ criticism are possible. “Rearranging the deck chairs is a classic inside-the-Beltway pastime, but all that it ensures is that in two years the government’s cyber efforts will be in the same place,” Laura Keehner, DHS Press Secretary, stated. Michael Smith in his must read post, “Cage Match: OMB Report V/S GAO Report, Only One Comes Out Alive,” provides some great insight into the different perspectives and motives government agencies might have. In government, where a great deal of money is involved along with secrecy shrouding most of the operations, who knows what is real? Still, it is fun to watch and speculate. As promised, below are the links to publicly available articles from which the information used in this post was obtain.

• Government elaborates, slightly, on cybersecurity plan by Stephanie Condon
• Agencies discuss new cybersecurity plan by Ben Bain
• The Winds of Cyber War by Jack M. Germain
• Cybersecurity Recommendations for the Next Administration
• Critics: Homeland Security unprepared for cyberthreats by Stephanie Condon
• DHS should lose cybersecurity authority, experts say by Dennis Fisher, Executive Editor

Interesting side note, on March 17th, thieves broke into another Archive America van and stole six backup tapes from the university Miami medical school. Computerworld reported that the medical records were part of the Miami Project to Cure Paralysis at the University of Miami. The lost tape contained addresses, Social Security numbers and health information on all two million patients since 1999. For reasons unexplained, Archive America did not report the incident for 48 hours. Then the university took an additional month to report the data breach.

On April 29th, BNY Mellon Working Capital Solutions attempted to send a tape by a national courier from Philadelphia to Pittsburgh. The tape never arrived. BNY Mellon Working Capital Solutions services include processing payments on behalf of its institutional clients, such as mutual funds or pension funds. Bank officials stated the tape “consisted of images of scanned checks and other documents relating to payments made to BNY Mellon’s institutional clients. Most of the checks were in connection with commercial or other business-to-business payments, though some involved payments from consumers.” By May 16th, all parties were notified. The data loss involved 47 institutional clients.

BNY Mellon initially identified approximately 270,000 individuals at 409 institutions as being affected by the first incident. Company officials reported notifications were completed by early April. Continuing forensic investigation later identified an additional four million individuals and an additional 293 institutions. Those folks were notified towards the end of May. At that time, Ron Sommer, BNY Mellon spokesman, explained, “We’d like to provide people with a more current characterization [of what happened], but we are not yet in a position to make that available. Our intention is to make it available as soon as we can.”

The bank reports that since May, after two incidents of data loss, it has instituted new stringent standards for the transport of confidential data and is initiating a company wide training program on data security for all employees. Brian Rogan, the bank’s chief risk officer, stated, “We are actively engaged in a top-to-bottom review of our security policies and procedures _ including retaining a leading independent consultant to conduct an objective analysis of our current practices _ and we are taking the steps necessary to ensure we have industry-leading security measures in place across all of our businesses.”

A few days ago (6 months after the first data loss), BNY Mellon confirmed the number of people affected now appear to be 12.5 million. Currently, this is the largest reported U.S. data breach for 2008. To deal with the situation, BNY Mellon is offering 24 months of free credit monitoring by Experian through the Triple Alert program, as well as $25,000 fraud protection insurance. George Jenkins, over on the I’ve Been Mugged blog site, has done a review of the services along with how the breach personally affected his family. For any of the 12.5 million people affected, George’s posts will be of great interest. Connecticut governor Jodi Rell feels that, “It is simply outrageous that this mountain of information was not better protected, and it is equally outrageous that we are hearing about a possible six million additional individuals and businesses six months later.” Good, it is not just me.

International Cybercrime (Of The Horse)

via The Center for Internet and Society on 5/8/08

A colleague and I were just discussing a new international working group, chaired by the FBI, which has “band[ed] together to fight cyber crime in a synergistic way.” The group is called the Strategic Alliance Cyber Crime Working Group; it even has a tagline: “Cyber Solidarity: Five Nations, One Mission.”

read more

Warping court memories with subtle suggestions

via Mind Hacks on 5/8/08

The legal system works on a principal of innocent until proven guilty by the evidence presented in court, but Cognitive Daily covers several studies that shown our memory of the evidence is affected by moral judgements of the person in question.

With their trademark clarity, CogDaily discuss a study [pdf] by psychologist David Pizarro that found if participants were told about man leaving a restaurant without paying, they remembered the unpaid bill being more expensive if they were told he treated the waiters rudely, than if they were told he was generally a responsible person.

The study is reminiscent of a famous experiment by a young Elizabeth Loftus called Reconstruction of Automobile Destruction.

It was simple but elegantly designed. Groups of people were shown clips of cars crashing and then asked how fast the cars were travelling, but with different verbs in the question.

For example, some people were asked how fast the cars were travelling when they “smashed” into each other, others how fast when they “bumped” into each other, others how fast when they “contacted” with each other, and so on.

Loftus found that simply asking the questions with a different verb altered people’s memories of the speed of the crash – like so:

“smashed” : 40.8 miles per hour
“collided” : 39.3 miles per hour
“bumped”: 38.1 miles per hour
“hit” : 34 miles per hour
“contacted” : 31.8 miles per hour

Needless to say, these sorts of tricks have been used by lawyers ever since.

Link to CogDaily on moral blame can change the memory of a crime.
pdf of full-text paper.
Link to Wikipedia page Loftus’s car crash study.

Reducing costs not as easy as security, say ANZ CIOs

via The IT Skeptic’s ITIL Pipe on 5/8/08

Computerworld New Zealand – Auckland,New Zealand The top five hottest skills, according to respondents, are networking, IT service management, help desk, and enterprise applications. … (more)

Egypt shuts off cell anonymity

via ZDNet Government on 5/8/08

As protests continue to mount over rising food prices, Egypt is moving to keep close tabs on cellphone users. The government wants cellphone companies to close down anonymous subscribers, Reuters reports.
“Everyone who uses the telephone must be known,” Trade Minister Rachid Mohamed Rachid told a news conference, adding that the move was needed for “public [...]

The Art of the Business Card

via How to Change the World on 5/8/08

A few weeks ago I was in Charlotte to make a speech for Network Solutions, and I met Justin Ruckman. He handed me his business card–which I just loved. For once, a business card that cuts to the chase and is readable. Hallelujah! So I asked him to make business cards for me. Take a look at your business card: Can people really read the 8 point type? If you want Justin to make business cards for you, his site is here.

Web Oriented Architecture Webinar Series

via Real World SOA | David Linthicum on 5/8/08

I’ve had a number of you who have asked me to bring back the Webinar series I was doing a year or so ago. So, I’m going to start on 5/13, next week, delivering the first of many Webinars around the notion of Web Oriented Architecture, or WOA. The description is below, and you can register here. It’s free, with very little commercial interruption. Come learn about WOA and SOA in the real world. David Linthicum: Delivering Enterprise Data to the Emerging Web Data is the driving force behind the emerging Internet. While the Web used to be a collection… READ MORE

The man who defied Milgram’s conformity experiment

via Mind Hacks on 5/8/08

Jewish Currents has an interesting first person account from one of the people who took part in Stanley Milgram’s famous conformity experiment where 65% of participants were ordered to fatally shock another participant. This article is written by one of the 15% who refused to continue.

The learner, said the professor, would be in an adjoining room, out of my sight, and strapped to a chair so that his arms could not move — this so that the learner could not jump around and damage the equipment or do harm to himself. I was to be seated in front of a console marked with lettering colored yellow for “Slight Shock” (15 volts) up to purple for “Danger: Severe Shock” (450 volts). The shocks would increase by 15-volt increments with each incorrect answer.

I was very suspicious and asked a number of questions: Isn’t it dangerous? How do you know the learner doesn’t have a bad heart and can’t take the shocks? What if he wants to stop, can he get out of the chair? The professor assured me that the shocks were not painful or harmful since the amperage was lowered as the voltage increased. He let me feel what a 45-volt shock would be like: a slight tickle. I asked the learner if he was willing to do this and why he didn’t have any questions. He said, “Let’s try it.” With some trepidation on my part, we began the experiment.

Link to ‘Resisting Authority’ (via MeFi).

Visualizing Nessus Working Harder For You

via Tenable Network Security on 5/8/08

Recently, several images were uploaded to the SecViz – Security Visualization web site which visualize how hard the Nessus, Saint and Retina vulnerability scanners actually work. Default scans for each scanner were performed in full view of a Snort sensor and the alerts from Snort were sent to Prelude for visualization with “pig“. The visualization allows understanding of how many different and unique techniques are performed by each scanner. Below are screen shots for the results from each scanner:

Saint Results	Retina Results	Nessus Results

When I first saw these results, I didn’t think they were entirely relevant. The visualization is using Snort events, which means that all of the scanners might be trying techniques that Snort might not detect. For example, when Nessus performs a variety of non-credentialed Windows checks over ports 445 and various Windows RPC services, Snort generates some events, but it does not generate a unique event for every custom probe. However, after the author of these posts to SecViz contacted me and pointed out some of the test results, I thought it was a good blog topic. The raw results for Nessus included 1019 alerts, 166 alerts for Saint and 76 alerts for Retina which was fairly significant.

read more

US State Department Loses 1,000 Laptops

via Liquidmatrix Security Digest on 5/8/08

Ouch!

From vnunet:

An audit at the US State Department has revealed the loss of over 1,000 laptops, some of which held security information.

Around $30m worth of computing hardware is “unaccounted for”, the bulk of it laptops. These include over 400 from the Anti-Terrorism Assistance Program, some containing security material.

Nita M. Lowey, a representative on the House Appropriations subcommittee that oversees State Department operations, told Congressional Quarterly that she is “concerned” about the security revelations.

Sigh.

Article Link

See more of John’s shared items …

]]> http://blog.securitymonks.com/2008/05/08/google-reader-share-with-notes/feed/ 0 http://blog.securitymonks.com/2008/03/17/fisma-paperwork-or-actual-security/ http://blog.securitymonks.com/2008/03/17/fisma-paperwork-or-actual-security/#comments Mon, 17 Mar 2008 06:42:41 +0000 John Gerber http://blog.securitymonks.com/2008/03/17/fisma-paperwork-or-actual-security/ “How much of FISMA is paperwork vs. actual security?” was the question that Senator Tom Coburn, R-Okla. had at a Senate hearing on Wednesday. Karen Evans, Administrator of E-Government and Information Technology Office of Management and Budget (OMB), responded “That depends on how an agency goes about doing its work. FISMA has put together a framework, but if [an agency] does it just for compliance, then it’s purely a paperwork exercise.” OMB has issued the report, “Fiscal Year 2007 Report to Congress on Implementation of The Federal Information Security Management Act of 2002.” Below is a summary from the report on the overall progress in meeting selected government-wide IT security goals from fiscal years 2002 to 2007:

Gregory C. Wilshusen, Director, Information Security Issues at GAO offered a different interpretation, when he stated, “Despite the progress reported by agencies, they continue to confront longstanding information security control deficiencies that limit the effectiveness of their efforts in protecting the confidentiality, integrity and availability of their information and information systems.” GAO has released a report, “Information Security: Although Progress Reported, Federal Agencies Need to Resolve Significant Deficiencies.” Quoting from the report, a few statistics of particular interest:

• Data from the National Vulnerability Database, the U.S. government repository of standards-based vulnerability management data, showed that, as of February 6, 2008, there were about 29,000 security vulnerabilities or software defects that can be directly used by a hacker to gain access to a system or network. On average, close to 17 new vulnerabilities are added each day. Furthermore, the database revealed that more than 13,000 products contained security vulnerabilities.
• The percentage of certified and accredited systems government wide reportedly increased from 88 percent to 92 percent. Gains were also reported in testing of security controls – from 88 percent of systems to 95 percent of systems – and for contingency plan testing – from 77 percent to 86 percent.
• In their fiscal year 2007 performance and accountability reports, 20 of 24 major agencies indicated that inadequate information security controls were either a significant deficiency or a material weakness.
• Our analysis determined that 19 of 24 major federal agencies had not fully implemented agency-wide information security programs.
• The number of incidents reported by federal agencies to US-CERT has increased dramatically over the past 3 years, increasing from 3,634 incidents reported in fiscal year 2005 to 13,029 incidents in fiscal year 2007, (about a 259 percent increase).

Niels Provos, Google’s Anti-Malware Team, cited a recent paper by researchers at Google. The paper revealed that more than 1.3% of Google search results now contain at least one malware-serving website – a number that has quadrupled in the past nine months. The graph shows the increase ratio of search results containing a URL labeled as harmful:

In government, while the percentage of certified and accredited systems is increasing, a much greater increase occurs in the number of reported incidents. OMB found a 60 percent rise in the number of reported incidents from 2006 to 2007. Evans attributed the increase in large part to improved reporting. Tim Bennett, president of the Cyber Security Industry Alliance, has a different opinion. Bennett feels the increases are real and blames the increase on a shift from attacks by lone hackers to those launched by organized crime and state-sponsored organizations.

Adam Dodge took a look at the information security breaches that occurred in 2007 at colleges and universities around the world, as reported in the news. Dodge released his results in the report “The Educational Security Incidents (ESI) Year in Review – 2007.” The report found a 67.5% increase in the number of reported incidents over 2006. This increase is in line with what the government agencies experienced.

Chris Walsh provides some interesting insight by comparing the number of reported breaches in the US and Great Britain. In the posting “Reporting on Data Breaches: US and Great Britain.” Walsh shows that both countries have seen a dramatic increase in reported breaches:

The US-CERT annual report for fiscal year 2007 reported the following number of incidents that were reported to DHS incident response center:

Alan Paller, director of research at SANS Institute, explains that the increase in both certified and accredited systems and reported data breaches has occurred because “the government has made progress in writing reports.” Paller goes on to state that the government has made, ”no progress in improving the security that matters – keeping the wrong people out.” Michael Smith (aka rybolov), manager in the Audit and Enterprise Risk Services organization of Deloitte & Touche LLP, writes in his posting titled, “Cage Match: OMB Report V/S GAO Report, Only One Comes Out Alive:”

GAO used exactly what was reported to OMB but came up with different conclusions. Some of that is to be expected, it’s the same doers v/s the auditors conflict that’s been going on since the beginning of time, but wow, there is a huge disparity here that we need to account for.

Rybolov goes on to offer one possible explanation for the disparity:

Now as far as the contradicting reports, let’s do a hasty analysis of the current political situation in DC, shall we? The Executive Branch is controlled by the Republicans (and has been for 7 years), the Legislative Branch is controlled by the Democrats (for only a year), and oh yeah, it’s an election year. You would expect the Congress-owned GAO to sing songs of woe and the President-controlled OMB to sing songs of praise.

Even if rybolov is correct, and there is an element of politics in government operations, the perceived risk has grown large enough that all sides see the wisdom of taking action. As the old expression goes, it has come time for the government to put up or shut up. The government has responded by “putting up” in terms of money. Jason Miller, from Washington Technology, reports in his article, “‘09 budget request has IT spending on the rise” that in the White House’s request, agency IT spending would be $70.9 billion, up from a 2008 request of $66.4 billion. That would be a 6.3 percent increase. Congress appropriated $68 billion for 2008, which makes for a 3.8 percent change when comparing actual to requested dollars. IT security is a major piece of the proposed spending increases for agencies. Information security requests have increased 73 percent since 2004. In the 2009 request, security account for 10.3 percent of the overall $71 billion funding.

How will the money be spent? There are no easy answers. Still, it is good that Senator Tom Coburn, Karen Evans, Gregory C. Wilshusen, and others are debating how the government should do its business, while agreeing the business of security must be done.