<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Security Advancements at the Monastery &#187; Policies</title>
	<atom:link href="http://blog.securitymonks.com/category/policies/feed/" rel="self" type="application/rss+xml" />
	<link>http://blog.securitymonks.com</link>
	<description>Information about developments at the Monastery</description>
	<lastBuildDate>Fri, 03 Sep 2010 05:41:44 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.9.2</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>OMB Says Bring on the Clouds: Frightening or Funny?</title>
		<link>http://blog.securitymonks.com/2010/01/18/omb-says-bring-on-the-clouds-frightening-or-funny/</link>
		<comments>http://blog.securitymonks.com/2010/01/18/omb-says-bring-on-the-clouds-frightening-or-funny/#comments</comments>
		<pubDate>Mon, 18 Jan 2010 23:13:04 +0000</pubDate>
		<dc:creator>John Gerber</dc:creator>
				<category><![CDATA[Cloud Computing]]></category>
		<category><![CDATA[Education]]></category>
		<category><![CDATA[Learning]]></category>
		<category><![CDATA[NIST]]></category>
		<category><![CDATA[OMB]]></category>
		<category><![CDATA[Open Source]]></category>
		<category><![CDATA[Policies]]></category>
		<category><![CDATA[SCAP]]></category>
		<category><![CDATA[Training]]></category>

		<guid isPermaLink="false">http://blog.securitymonks.com/?p=1743</guid>
		<description><![CDATA[Jason Miller, Executive Editor for FederalNewsRadio, writes in his article, &#8220;Agencies to justify not using cloud computing to OMB&#8221; that OMB &#8220;will require agencies to develop an alternative analysis discussing how they could use cloud computing for all major technology projects for the fiscal 2012 budget.&#8221;  This is according to an internal budget document [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://blog.securitymonks.com/wp-content/uploads/2010/01/twisted_cloud_colored.jpg"><img src="http://blog.securitymonks.com/wp-content/uploads/2010/01/twisted_cloud.jpg" align="left" width="200" /></a><a href="http://www.linkedin.com/pub/jason-miller/4/375/6b6">Jason Miller</a>, Executive Editor for FederalNewsRadio, writes in his article, &#8220;<a href="http://www.federalnewsradio.com/?sid=1836091&#038;nid=35">Agencies to justify not using cloud computing to OMB</a>&#8221; that OMB &#8220;will require agencies to develop an alternative analysis discussing how they could <b>use cloud computing for all major technology projects for the fiscal 2012 budget</b>.&#8221;  This is according to an internal budget document obtained by FederalNewsRadio.  The document details OMB&#8217;s plans for high-profile initiatives such as data center consolidation, the use of cloud computing, and cybersecurity spending.</p>
<p>
Miller goes on to report that OMB will require &#8220;agencies <a href="http://www.federalnewsradio.com/?nid=35&#038;sid=1727634">launch a series of cloud computing pilots</a> across the government in 2010 using the E-Government Fund.&#8221;  In 2013, Miller reports, agencies must provide OMB &#8220;a complete alternatives analysis for mixed life cycle projects where agencies are spending new money-known as development, modernization and enhancement-and steady state or operations and maintenance funding for <b>how they could move to cloud computing</b>.&#8221;
</p>
<p>
Miller <a href="http://www.federalnewsradio.com/index.php?sid=1836879&#038;nid=35">quotes</a> a former government official as saying, &#8220;They are not saying use it, but are pushing us to look at it and do an analysis of alternatives and make a decision based on our business needs.  They are pushing us to look at it, yet giving us the ability to decide whether it makes sense.&#8221;
</p>
<p>
How well does your organization understand cloud computing?  How will security be handled?  What can you do to prepare?  During this time of tight budgets, maybe you do not have the funds and/or time to attend conferences and training events.  Fortunately, presentations are being posted regularly to the web, allowing you to keep informed on technological challenges.  For example, the <a href="http://www.zisc.ethz.ch/events/workshop2009">ZISC Workshop on Security in Virtualized Environments and Cloud Computing</a>, held September 10-11th in Zurich, recently posted all their presentations:
</p>
<table border=1>
<tr>
<td><a href="http://www.multimedia.ethz.ch/conferences/2009/zisc/?doi=10.3930/ETHZ/AV-3545ca74-af7d-4e37-8036-c6df21fe3c01">Welcome note</a></td>
<td><a href="http://www.csg.ethz.ch/people/plattner">Bernhard Plattner</a> and <a href="http://blog.zzamboni.org/">Diego Zamboni</a></td>
</tr>
<tr>
<td>Talk 1: <a href="http://www.multimedia.ethz.ch/conferences/2009/zisc/?doi=10.3930/ETHZ/AV-1e2160da-d654-4a1a-812f-aac874eb6523">Not Every Cloud has a Silver Lining</a></td>
<td><a href="http://www.technicalinfo.net/">Gunter Ollmann</a>, Damballa Inc., Atlanta GA, USA</td>
</tr>
<tr>
<td>Talk 2: <a href="http://www.multimedia.ethz.ch/conferences/2009/zisc/?doi=10.3930/ETHZ/AV-5acafdc1-fb1b-4cb9-9b3c-752db1c716db">Virtualization and Cloud Computing: Security’s Golden or Gilded Age</a></td>
<td><a href="http://www.linkedin.com/in/kskap">Kevin Skapinetz</a>, IBM Internet Security Systems, Atlanta GA, USA</td>
</tr>
<tr>
<td>Talk 3: <a href="http://www.multimedia.ethz.ch/conferences/2009/zisc/?doi=10.3930/ETHZ/AV-6256b225-9e82-41d2-a606-8404dfbca8af">Using virtualization technology for fault and intrusion tolerance</a></td>
<td><a href="http://homepages.lasige.di.fc.ul.pt/~hans/">Hans P. Reiser</a>, University of Lisbon, Portugal</td>
</tr>
<tr>
<td>Talk 4: <a href="http://www.multimedia.ethz.ch/conferences/2009/zisc/?doi=10.3930/ETHZ/AV-10c3d477-a04a-4ac9-ae67-3456849f1f8a">A survey of current security-related operating systems research</a></td>
<td><a href="http://people.inf.ethz.ch/troscoe/">Timothy Roscoe</a>, ETH Zurich, Switzerland</td>
</tr>
<tr>
<td>Talk 5: <a href="http://www.multimedia.ethz.ch/conferences/2009/zisc/?doi=10.3930/ETHZ/AV-8e677830-197a-437e-b008-f2222aa536e0">Of Cold Steam, Mist and Vapour: A View from the Inside of the Cloud</a></td>
<td><a href="http://www.hpl.hp.com/people/dirk_kuhlmann/">Dirk Kuhlmann</a>, HP Labs Bristol, UK</td>
</tr>
<tr>
<td>Talk 6: <a href="http://www.multimedia.ethz.ch/conferences/2009/zisc/?doi=10.3930/ETHZ/AV-b7b06dcf-fed5-498d-814e-7bd25d97a9db">New Cloud Computing challenges: the security impact in the “social” world</a>.</td>
<td><a href="http://it.linkedin.com/in/mvillari">Massimo Villari</a>, University of Messina, Italy</td>
</tr>
<tr>
<td>Talk 7: <a href="http://www.multimedia.ethz.ch/conferences/2009/zisc/?doi=10.3930/ETHZ/AV-f4eddba9-3747-4bbb-9603-703e250bcda7">Paradigms in virtualization based host security</a></td>
<td><a href="http://www.stanford.edu/~talg/">Tal Garfinkel</a>, VMware Inc., Palo Alto, CA, USA / Stanford University, Palo Alto CA, USA</td>
</tr>
<tr>
<td>Talk 8: <a href="http://www.multimedia.ethz.ch/conferences/2009/zisc/?doi=10.3930/ETHZ/AV-1cb82827-e827-462b-9ec1-80ec0076d5b0">Cloud Computing and Security: a Googley Perspective</a></td>
<td><a href="http://ch.linkedin.com/pub/peter-dickman/1/748/121">Peter Dickman</a>, Google Inc., Zurich, Switzerland</td>
</tr>
<tr>
<td>Talk 9: <a href="http://www.multimedia.ethz.ch/conferences/2009/zisc/?doi=10.3930/ETHZ/AV-9f03978d-9005-4c3c-a6c9-4e89a037adbb">A NIST Perspective on Cloud Computing</a></td>
<td><a href="http://www.zoominfo.com/people/Grance_Tim_63788691.aspx">Tim Grance</a>, National Institute of Standards and Technology, USA</td>
</tr>
<tr>
<td>Talk 10: <a href="http://www.multimedia.ethz.ch/conferences/2009/zisc/?doi=10.3930/ETHZ/AV-1fb853c4-f793-46b8-ad12-ffdef166204e">ENISA Risk Assessment of Cloud Computing – Preliminary Results</a></td>
<td><a href="http://www.hogben.eu/">Giles Hogben</a>, ENISA, EU</td>
</tr>
<tr>
<td>Talk 11: <a href="http://www.multimedia.ethz.ch/conferences/2009/zisc/?doi=10.3930/ETHZ/AV-90a68e85-a80f-405b-a4c3-473f40700971">Attack Graphs + Mechanically Generated Constraints</a></td>
<td><a href="http://www.zisc.ethz.ch/events/workshop2009/SpeakersBiosAbstracts.pdf">Lee Badger</a>, National Institute of Standards and Technology, USA</td>
</tr>
<tr>
<td><a href="http://www.multimedia.ethz.ch/conferences/2009/zisc/?doi=10.3930/ETHZ/AV-1c40fc7b-66c8-4386-b758-a91700bac0bc">Wrap-up and end</a></td>
<td>Bernhard Plattner and Diego Zamboni</td>
</tr>
</table>
<p>
Following NIST&#8217;s involvement in an area like cloud computing can help you judge the direction the government is heading.  Tim Grance presented at the <a href="http://scap.nist.gov/events/2009/itsac/presentations/">5th Annual IT Security Automation Conference and Expo</a>, and the presentations have been made available.  Grance presented on the Security Content Automation Protocol (SCAP) (see my previous post &#8220;<a href="http://blog.securitymonks.com/2009/08/09/standardization-and-interoperability-in-security/">Standardization and Interoperability in Security</a>&#8221; for additional information on SCAP).  A cloud computing track consisting only of slides (no video) was also posted.  If lack of video does not concern you, the following conferences have posted slides on cloud security:</p>
<ul>
<li><a href="http://crypto.cs.stonybrook.edu/ccsw09/#program">CCSW 2009: The ACM Cloud Computing Security Workshop</a>, held November 13th, 2009 in Chicago.</li>
<li>Digital Government Institute&#8217;s <a href="http://federalcloudcomputing.wik.is/December_9,_2009">Cloud Computing 2010: Focus on Operational Efficiency and Security</a>, held December 9, 2009.</li>
<li><a href="http://federalcloudcomputing.wik.is/December_10%2c_2009">Cloud Interoperability Roadmaps Session</a> held in Long Beach, CA on December 10, 2009.</li>
</ul>
<p>If you prefer to listen and do not need to see slides, Tim Grance can be heard on Dana Gardner&#8217;s BriefingsDirect podcast, &#8220;<a href="http://www.briefingsdirect.com/index.php?post_id=514596">Panel Discussion: Is Cloud Computing More or Less Secure than On-Premises IT?</a>.&#8221;  The discussion includes a panel of all stars from the cloud security community, including <a href="http://blogs.sun.com/gbrunett/">Glenn Brunette</a>, distinguished engineer and chief security architect at Sun Microsystems and founding member of the Cloud Security Alliance (CSA); <a href="http://www.linkedin.com/pub/doug-howard/1/b62/239">Doug Howard</a>, chief strategy officer of Perimeter eSecurity and president of USA.NET; <a href="http://www.rationalsurvivability.com/blog/">Christofer Hoff</a>, technical adviser at CSA and director of Cloud and Virtualization Solutions at Cisco Systems; and <a href="http://www.enomaly.com/Management.432.0.html">Dr. Richard Reiner</a>, CEO of Enomaly.  The podcast was recorded at the <a href="http://www.opengroup.org/toronto2009-apc/">Open Group’s 23rd Enterprise Architecture Practitioners Conference</a> in Toronto on July 20-22, 2009, along with:</p>
<ul>
<li><a href="http://www.briefingsdirect.com/index.php?post_id=527007">Jericho Forum Aims to Guide Enterprises Through Risk Mitigation Landscape for Cloud Adoption</a> where Dana interviews Steve Whitlock, a member of the Jericho Board of Management.</li>
<li><a href="http://www.briefingsdirect.com/index.php?post_id=526087">Cloud and Security Join Boundaryless Information as Top-of-Mind Issues for The Open Group</a> where Dana talked with <a href="http://www.opengroup.org/contacts/bios/brown_bio.htm">Allen Brown</a>, president and CEO of The Open Group.</li>
<li><a href="http://www.briefingsdirect.com/index.php?post_id=521463">XDAS Standard Aims to Empower IT Audit Trails from Across Complex Events</a> where Dana talks with Ian Dobson, director of the Security Forum for The Open Group, as well as <a href="http://ch.linkedin.com/pub/jo%C3%ABl-winteregg/1/160/867">Joël Winteregg</a>, CEO and co-founder of NetGuardians.  XDAS (Distributed Audit Service) is an open standard from The Open Group that is intended to help with compliance and regulatory issues and with automating audit across heterogeneous environments.</li>
<li><a href="http://www.briefingsdirect.com/index.php?post_id=519708">New Era Enterprise Architects Need Sweeping Skills to Straddle the IT-Business Alignment Chasm</a> where Dana is joined by <a href="http://www.theopengroup.org/contacts/bios/deraeve_bio.htm">James de Raeve</a>, vice president of certification at The Open Group; <a href="http://www.theopengroup.org/contacts/bios/fehskens_bio.htm">Len Fehskens</a>, vice president, Skills and Capabilities at The Open Group; <a href="http://www.footepartners.com/FPbiographies.htm">David Foote</a>, CEO and co-founder, as well as chief research officer, at <a href="http://www.footepartners.com/about_foote_partners_llc.htm">Foote Partners</a>, and <a href="http://www.opengroup.org/member/member-spotlight-uppal.htm">Jason Uppal</a>, chief architect at <a href="http://www.quickresponse.ca/">QRS</a>.</li>
<li><a href="http://www.briefingsdirect.com/index.php?post_id=512686">Cloud Pushes Enterprise Architects&#8217; Scope Beyond IT into Business Process Optimization Role</a> where Dana is joined by <a href="http://eadirections.wordpress.com/">Tim Westbrock</a>, managing director of <a href="http://www.eadirections.com/">EAdirections</a>; <a href="http://www.column2.com/about/">Sandy Kemsley</a>, an independent IT analyst and architect; and <a href="http://www.linkedin.com/in/johngotze">John Gotze</a>, international president for the <a href="http://www.aeaassociation.org/">Association of Enterprise Architects</a>.</li>
</ul>
<p>
For more video presentations on cloud security, a while back I posted &#8220;<a href="http://blog.securitymonks.com/2008/03/04/cert-cerias-and-google-video-training-online/">CERT, CERIAS, the Academy, and Google Video: Training Online</a>.&#8221;  Two other sources are <a href="http://www.securitytube.net">SecurityTube</a> and <a href="http://oreilly.com/webcasts/">O&#8217;Reilly Webcasts</a>.  Below are a few examples of the presentations available:</p>
<ul>
<li><b><a href="http://www.securitytube.net/The-Belgian-Beer-Lovers-Guide-to-Cloud-Security-(Brucon-2009)-video.aspx">The Belgian Beer Lovers Guide to Cloud Security (Brucon 2009) Tutorial</a></b> by Craig Balding at Brucon 2009: In this presentation Craig covers why talking about &#8220;cloud&#8221; is akin to walking into a Belgian bar and asking for &#8220;beer&#8221;; the common cloud architectures and their implications for you &#8211; the security dude; what the beer brewing Trappist Monks can teach us about cloud security; attacking clouds (aka getting free beer); and dealing with the hangover: cloud incident response &#038; forensics.</li>
<li><b><a href="http://www.securitytube.net/Evolution-of-Security-(Fsecure)-video.aspx">Evolution of Security (Fsecure) Tutorial</a></b> by F-Secure: an animated series on the various threats on the Internet that also talks about their state-of-the-art AV (self promotion) <img src='http://blog.securitymonks.com/wp-includes/images/smilies/icon_wink.gif' alt=';-)' class='wp-smiley' />  They also talk about &#8220;cloud security&#8221; and how the next generation of AV will be in the cloud and not isolated.</li>
<li><b><a href="http://www.securitytube.net/Cloud-Security-and-Privacy-(O%27Reilly-Webcast)-video.aspx">Cloud Security and Privacy</a></b> by Tim Mather, Subra Kumaraswamy, Shahed Latif: discusses cloud computing&#8217;s SPI delivery model, and its impact on various aspects of enterprise information security (e.g., infrastructure, data, identity and access management, security management), privacy, and compliance. Security-as-a-Service and the impact of cloud computing on corporate IT is also discussed.</li>
<li><b><a href="http://www.youtube.com/watch?v=189Nbc57_gg">Architecting Applications for the Cloud</a></b> by Jorge Noa: This presentation analyzes aspects of the Amazon EC2 IaaS cloud environment that differ from a traditional data center and introduces general best practices for ensuring data privacy, storage persistence, and reliable DBMS backup.</li>
<li><b><a href="http://www.oreillynet.com/pub/e/1372">Cloud Computing: The Next Frontier for Open Source</a></b> by <a href="http://www.oreillynet.com/pub/au/1301">Bernard Golden</a>: discusses how the trends of open source and cloud computing reinforce one another, and why cloud computing is a significant driver of enterprise open source adoption.</li>
<li><b><a href="http://www.oreillynet.com/pub/e/1289">Getting Started with Amazon Web Services</a></b> by <a href="http://www.oreillynet.com/pub/au/429">George Reese</a>: the author of Cloud Application Architectures and enStratus founder and CTO provides this introduction to establishing a cloud infrastructure through Amazon Web Services.</li>
<li><b><a href="http://www.oreillynet.com/pub/e/1515">Cloud Security Deep Dive</a></b> by Subra Kumaraswamy, Shahed Latif, Tim Mather: will take a deep dive into cloud security issues and focus on three specific aspects: (1) data security; (2) identity management in the cloud, and; (3) governance in the cloud (in the context of managing a cloud service provider with respect to security obligations). Each of these three topics will be covered in a 30 minute segment that will include a presentation and Q&#038;A with the audience.</li>
<li><b><a href="http://www.securitytube.net/Cloudburst-(Hacking-3D-and-Breaking-Out-of-VMware)-Blackhat-2009-video.aspx">Cloudburst (Hacking 3D and Breaking Out of VMware)  Blackhat 2009</a></b> by Kostya Kortchinsky: VMware products implement a lot of functionality, and as such have a decent chance of including some bugs.  CLOUDBURST is the combination of three of those found in the virtualized video device (more specifically the 3D code).  Combined, these allow a user in a Guest to execute code on the Host.  Since the virtualized device code is the same for all the branches of the products, this impacts Workstation as well as Fusion and ESX.  Immunity, Inc. presents the various vulnerabilities and the techniques used to exploit the bug reliably, even on platforms with ASLR or DEP such as Vista SP1.  Once exploited, Immunity demonstrates how to establish MOSDEF between the Host and Guest.</li>
<li><b><a href="http://www.cerias.purdue.edu/news_and_events/events/calendar/cerias_event.php?uid=msm30u10kp4vh3cf340iqjug2k@google.com">Virtualization: Resource Coupling and Security across the Stack</a></b> by Dennis Moreau, Configuresoft: The session briefly addressed extension to the cloud and utility computing infrastructures to address how to use configuration and behavioral information to address the increased complexity of security, compliance and risk assessment in virtualized environments.</li>
</ul>
<p>Other <a href="http://blog.brucon.org/">BruCON</a> Security Conference (held September 18-19, 2009) videos are available at <a href="http://vimeo.com/channels/61997#6897223">their vimeo channel</a>.  O&#8217;Reilly maintains on YouTube an <a href="http://www.youtube.com/oreillymedia#p/c/30603FE448DB8FA1">O&#8217;Reilly Media Channel</a> along with an area to sign up for <a href="http://oreilly.com/webcasts/">future webcasts</a>.  <a href="http://www.blackhat.com/html/bh-dc-09/bh-dc-09-archives.html">Blackhat DC 2009</a> video, audio, whitepapers, and slides are also available.  Content is ever changing, so keep checking the sites.
</p>
<p>
Remember that <a href="http://en.wikipedia.org/wiki/Vivek_Kundra">Vivek Kundra</a>, Chief Information Officer (CIO) of the United States of America, outlined as his team&#8217;s <a href="http://www.fedscoopevents.com/upcoming-events.php">priorities</a>:</p>
<ol>
<li>Innovation</li>
<li>Lowering the cost of Government</li>
<li>Transparency</li>
<li>Engaging Citizens</li>
<li>Ensuring a safe computing environment</li>
</ol>
<p>In response, <a href="http://fedscoopevents.com/">FedScoop!</a> started hosting one event each quarter around these pillars.  On October 14 at the Newseum, they did their first event bringing together executives in the White House and federal CIO’s, CTO’s, and decision-makers to talk about <a href="http://www.vimeo.com/7529048">lowering the cost of government with technology</a>.  Check out the video of the <a href="http://www.vimeo.com/7529894">Cyber Security Panel</a>.  Since one of the topics was cloud computing, FedScoop! scheduled a follow-up event.  On December 9th, 2009, they hosted and posted the &#8220;<a href="http://www.vimeo.com/8066838">Cloud Computing Shoot Out</a>.&#8221;
</p>
<p>
FederalNewsRadio has posted a <a href="http://www.federalnewsradio.com/?nid=50&#038;sid=1662577">three part video series</a> on secure cloud computing.  The panelists include <a href="http://www.linkedin.com/pub/jim-flyzik/2/1a0/10">Jim Flyzik</a>, President of the Flyzik Group; <a href="http://henrysienkiewicz.com">Henry Sienkiewicz</a>, Technical Program Director, Computer Services, Defense Information Systems Agency; <a href="http://www.linkedin.com/pub/ron-bechtold/7/8bb/b2a">Ronald Bechtold</a>, Army Architecture Integration Center at Headquarters, Department of the Army, Chief Information Office/G6; <a href="http://www.linkedin.com/pub/curt-aubley/0/a97/897">Curt Aubley</a>, Chief Technology Officer CTO Operations &#038; Next Generation Solutions, Lockheed Martin Information Systems &#038; Global Services; <a href="http://www.linkedin.com/pub/dale-wickizer/2/218/4a9">Dale Wickizer</a>, Chief Technology Officer-Public Sector, NetApp, Inc.; and <a href="http://www.linkedin.com/pub/aileen-black/9/537/6a1">Aileen Black</a>, Vice President of Public Sector VMware Inc.
 </p>
<p>
CNET&#8217;s editor of Webware, <a href="http://www.cnet.com/profile/rafe/">Rafe Needleman</a>, and senior writer <a href="http://news.cnet.com/underexposed/">Stephen Shankland</a> talked with Christofer Hoff on the Reporters&#8217; Roundtable podcast about the &#8220;<a href="http://www.cnet.com/8301-30976_1-10382405-10348864.html?tag=mncol;title">Dangers of Cloud Computing</a>.&#8221;  Chris also presented at Microsoft&#8217;s <a href="http://technet.microsoft.com/en-us/security/ee460903.aspx">BlueHat</a>, &#8220;<a href="http://technet.microsoft.com/en-us/security/ee834911.aspx">Cloudifornication: Indiscriminate Information Intercourse Involving Internet Infrastructure</a>.&#8221;  Any presentation with such a great title must be watched.  There is also a short interview with Chris from BlueHat.
</p>
<p>
One of my favorite stories of Abraham Lincoln involved the <a href="http://www.lib.niu.edu/ipo/1995/ihy950230.html">McCormick-Manny case</a> of 1855 where Lincoln was one of Manny’s lawyers.  Lincoln basically was pushed aside and humiliated.  After the trial, he told Ralph Emerson, a young lawyer who was present at the trial, “I am going home. I am going home to study law.” Emerson asked, “Mr. Lincoln, you stand at the head of the bar in Illinois now! What are you talking about?” Lincoln replied, “Ah, yes, I do occupy a good position there, and I think that I can get along with the way things are done there now. But these college-trained men, who have devoted their whole lives to study, are coming West, don’t you see? And they study their cases as we never do. They have got as far as Cincinnati now. They will soon be in Illinois.” Emerson stated Lincoln turned to him, his countenance suddenly assuming that look of strong determination which those who knew him best sometimes saw upon his face, and said, “I am going home to study law! I am as good as any of them, and when they get out to Illinois, I will be ready for them.&#8221;</p>
<p />
<p>
Change is coming.  If you try just to get along, the future will overwhelm you.  While we do not live in a world of unlimited funds for conferences and training, people are sharing a wealth of information.  Take advantage of it and get ready for whatever might be heading your way.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.securitymonks.com/2010/01/18/omb-says-bring-on-the-clouds-frightening-or-funny/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Movement on the US Cyber Command</title>
		<link>http://blog.securitymonks.com/2010/01/05/movement-on-the-us-cyber-command/</link>
		<comments>http://blog.securitymonks.com/2010/01/05/movement-on-the-us-cyber-command/#comments</comments>
		<pubDate>Tue, 05 Jan 2010 06:46:09 +0000</pubDate>
		<dc:creator>John Gerber</dc:creator>
				<category><![CDATA[Education]]></category>
		<category><![CDATA[Management]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[Policies]]></category>
		<category><![CDATA[Security Policy]]></category>

		<guid isPermaLink="false">http://blog.securitymonks.com/?p=1682</guid>
		<description><![CDATA[The US Cyber Command has been an interesting story to watch.  It is similar to the old Charlie Brown comic strips where he continuously tried kicking the football only to have Lucy pull it away at the last minute.  Now Ellen Nakashima, from the Washington Post, is reporting that &#8220;Pentagon computer-network defense command delayed by [...]]]></description>
			<content:encoded><![CDATA[<p><img src="http://blog.securitymonks.com/wp-content/uploads/2010/01/matrix19.jpg" align="left" width="200" />The US Cyber Command has been an interesting story to watch.  It is similar to the old Charlie Brown comic strips where he continuously tried kicking the football only to have Lucy pull it away at the last minute.  Now <a href="http://projects.washingtonpost.com/staff/articles/ellen+nakashima/">Ellen Nakashima</a>, from the Washington Post, is reporting that &#8220;<a href="http://www.washingtonpost.com/wp-dyn/content/article/2010/01/02/AR2010010201903.html?nav=emailpage">Pentagon computer-network defense command delayed by congressional concerns</a>.&#8221;  Still, movement is occurring.  The Pentagon hopes to brief lawmakers this month to clear the way for confirmation hearings for the Cyber Command&#8217;s new director.  </p>
<p>
<img src="http://blog.securitymonks.com/wp-content/uploads/2010/01/charlie_brown_lucy_football.jpg" align="right" width="150" />For a little perspective, remember that back in August 2008 the Air Force <a href="http://www.nextgov.com/nextgov/ng_20080812_7995.php">suspended</a> all efforts to establish the Cyber Command.  This was after the Air Force had been hyping the Cyber Command capabilities on TV, in Web video advertisements, and in presentations.  In September, the Pentagon decided that the <a href="http://www.stratcom.mil/">US Strategic Command</a> in Omaha, NE should create and run a version of the joint Cyber Command.  Deputy Secretary of Defense <a href="http://en.wikipedia.org/wiki/Gordon_R._England">Gordon England</a> wrote in a memo, &#8220;Because all the combatant commands, military departments and other defense components need the ability to work unhindered in cyberspace, the domain does not fall within the purview of any particular department or component.&#8221;
</p>
<p>
In October, top Air Force leadership decided to continue efforts to stand up the Cyber Command.  At the time, Air Force Secretary <a href="http://www.defense.gov/bios/biographydetail.aspx?biographyid=43">Michael Donley</a> made the <a href="http://www.nextgov.com/nextgov/ng_20081007_1366.php">statement</a>, &#8220;The conduct of cyber operations is a complex issue, as [Defense] and other interagency partners have substantial equity in the cyber arena.  We will continue to do our part to increase Air Force cyber capabilities and institutionalize our cyber mission.&#8221;
</p>
<p>
Top military officials in May 2009 argued for a single joint command and went on to tell the media that a &#8220;<a href="http://www.securityfocus.com/brief/961">Cyber attack could bring U.S. military response</a>.&#8221;   In June 2009, Defense Secretary <a href="http://www.defense.gov/bios/biographydetail.aspx?biographyId=115">Robert M. Gates</a> stated in a <a href="http://info.publicintelligence.net/OSD05914.pdf">memo</a>, &#8220;Our increasing dependency on cyberspace, alongside a growing array of cyber threats and vulnerabilities, adds a new element of risk to our national security.  To address this risk effectively and to secure freedom of action in cyberspace, the Department of Defense requires a command that possesses the required technical capability and remains focused on the integration of cyberspace operations.&#8221;
</p>
<p>
The Defense Department failed to meet an Oct. 1 target launch date.  There have been no confirmation hearings for the command&#8217;s first director.  Nakashima is reporting that the project was delayed by &#8220;congressional questions about its mission and possible privacy concerns.&#8221;
</p>
<p>
<a href="http://blog.securitymonks.com/wp-content/uploads/2010/01/cyberwarrior.jpg"><img src="http://blog.securitymonks.com/wp-content/uploads/2010/01/cyberwarrior.jpg" align="left" width="250" /></a>NSA Deputy Director <a href="http://www.nsa.gov/about/leadership/bio_inglis.shtml">John (Chris) Inglis</a> said &#8220;90 percent&#8221; of the command&#8217;s focus will be on defensive measures because &#8220;that&#8217;s where we are way behind.&#8221;  Offensive measures lead to many policy and doctrinal questions involving cyber warfare.  Nakashima goes on to report that one official familiar with the Pentagon&#8217;s plans, who was not authorized to speak for the record, stated, &#8220;The rules can vary dramatically depending upon under what authority you&#8217;re doing something.  An offensive action is not a decision that can be taken very lightly. It is an extraordinary action because of the consequences that could result for either DOD or the intelligence community or critical U.S. industries.&#8221;
</p>
<p>
Offensive computing is a difficult topic to tackle.  Remember Col. Charles W. Williamson III?  He ran into a bit of controversy back in May 2008 when he posted &#8220;<a href="http://www.armedforcesjournal.com/2008/05/3375884">Carpet bombing in cyberspace: Why America needs a military botnet</a>.&#8221; He stated, &#8220;<em>America needs a network that can project power by building an af.mil robot network (botnet) that can direct such massive amounts of traffic to target computers that they can no longer communicate and become no more useful to our adversaries than hunks of metal and plastic</em>.&#8221;  Richard Bejtlich&#8217;s post, &#8220;<a href="http://taosecurity.blogspot.com/2008/05/mutually-assured-ddos.html">Mutually Assured DDoS</a>,&#8221; points out several of the problems with an af.mil robot network.  Sean Sullivan from F-Secure also wrote a thoughtful response titled &#8220;<a href="http://www.f-secure.com/weblog/archives/00001434.html">US Air Force Colonel Proposes Skynet</a>.&#8221;  The problem will always be that in cyberspace attackers do not wear uniforms, nor do they necessarily come from a particular domain.  It is not so easy to identify the enemy.  The intelligent attacker makes every effort to blend into the population.
</p>
<p>
<a href="http://www.goodharbor.net/team/kurtz.html">Paul B. Kurtz</a>, a cybersecurity expert who served in the George W. Bush and Clinton administrations stated, &#8220;I don&#8217;t think there&#8217;s any dispute about the need for Cyber Command. We need to do better defending DOD networks and more clearly think through what we&#8217;re going to do offensively in cyberspace. But the question is how does that all mesh with existing organizations and authorities? The devil really is in the details.&#8221;
</p>
<p>
Nakashima reports officials stated:</p>
<blockquote>&#8220;The initial operating plan for a cyber command is straightforward: to merge the Pentagon&#8217;s defensive unit, <a href="http://www.stratcom.mil/factsheets/gno/">Joint Task Force-Global Network Operations</a>, with its offensive outfit, the <a href="http://en.wikipedia.org/wiki/Joint_Functional_Component_Command_-_Network_Warfare">Joint Functional Command Component-Network Warfare</a>, at Fort Meade, home to the NSA. The new command, which would include about 500 staffers, would leverage the NSA&#8217;s technical capabilities but fall under the Pentagon&#8217;s Strategic Command.&#8221;</blockquote>
<p>
<a href="http://www.nsa.gov/about/leadership/bio_alexander.shtml">Lt. Gen. Keith B. Alexander</a>, director of the NSA, has been nominated by President Obama to be the director of the Cyber Command.  Congressional staff have been briefed three times, and the Pentagon hopes to brief lawmakers this month.  Once the staff are satisfied they understand the command&#8217;s purpose and operating plan, the <a href="http://armed-services.senate.gov/hearings.cfm">Senate Armed Services Committee</a> can hold the confirmation hearing for a new director.
</p>
<p>
<img src="http://blog.securitymonks.com/wp-content/uploads/2010/01/Peanuts_gang.png" align="right" width="200" /><a href="http://en.wikipedia.org/wiki/Edmund_Burke">Edmund Burke</a> once said, &#8220;<em>All that is necessary for evil to succeed is that good men do nothing</em>.&#8221;  Of course, <a href="http://en.wikipedia.org/wiki/Bernard_of_Clairvaux">Saint Bernard of Clairvaux</a> would have cautioned, &#8220;<a href="http://www.samueljohnson.com/road.html">Hell is full of good intentions or desires</a>.&#8221;  While there are many issues involved with the development of a US Cyber Command, steps are continuing to occur.  Issues are being considered.  Is it progress?  I believe so.  Stay tuned and we will all see what happens.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.securitymonks.com/2010/01/05/movement-on-the-us-cyber-command/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Standardization and Interoperability in Security</title>
		<link>http://blog.securitymonks.com/2009/08/09/standardization-and-interoperability-in-security/</link>
		<comments>http://blog.securitymonks.com/2009/08/09/standardization-and-interoperability-in-security/#comments</comments>
		<pubDate>Mon, 10 Aug 2009 00:23:10 +0000</pubDate>
		<dc:creator>John Gerber</dc:creator>
				<category><![CDATA[Aneesh Chopra]]></category>
		<category><![CDATA[CCE]]></category>
		<category><![CDATA[CPE]]></category>
		<category><![CDATA[CVE]]></category>
		<category><![CDATA[CVSS]]></category>
		<category><![CDATA[Cloud Computing]]></category>
		<category><![CDATA[IDS]]></category>
		<category><![CDATA[Management]]></category>
		<category><![CDATA[Metrics]]></category>
		<category><![CDATA[NCP]]></category>
		<category><![CDATA[NIST]]></category>
		<category><![CDATA[OVAL]]></category>
		<category><![CDATA[Policies]]></category>
		<category><![CDATA[Risk]]></category>
		<category><![CDATA[SCAP]]></category>
		<category><![CDATA[Vulnerability]]></category>
		<category><![CDATA[XCCDF]]></category>

		<guid isPermaLink="false">http://blog.securitymonks.com/?p=1233</guid>
		<description><![CDATA[&#8220;While the NSA has a great red-team (think pen-test) capability, they had a major change of heart and realized, like the rest of the security world (*cough* Ranum *cough*), that while attacking is fun, it isn’t very productive at defending your systems – there is much more work to be done for the defenders, and [...]]]></description>
			<content:encoded><![CDATA[<p>&#8220;<i>While the NSA has a great red-team (think pen-test) capability, they had a major change of heart and realized, like the rest of the security world (<a href="http://www.ranum.com/security/computer_security/editorials/point-counterpoint/pentesting.html">*cough* Ranum *cough*</a>), that while attacking is fun, it isn’t very productive at defending your systems – there is much more work to be done for the defenders, and we need more clueful people doing that.</i>&#8221;  &#8212; <b><a href="http://www.guerilla-ciso.com/archives/author/admin">Rybolov</a></b> (aka Michael Smith, the Guerilla CISO).</p>
<p>
<a href="http://www.onr.navy.mil/innovate"><img src="http://www.onr.navy.mil/innovate/images/game_changing.jpg" align="left" width="120" /></a><a href="http://scap.nist.gov/">The Security Content Automation Protocol (SCAP)</a> is an attempt to help defenders by providing a collection of XML schemas/standards that allow technical security information to be exchanged between tools.  For example, SCAP can help organizations looking for a way to respond appropriately to new vulnerabilities and threats by helping them prioritize, so that the most significant ones are addressed sooner.  It can also benefit those looking to provide interoperability across system security tools.  There is even <a href="http://thinkingstring.com/2009/06/csc-cloud-strategy-coming/">an effort</a> aimed at &#8220;encouraging the use of SCAP as a de-facto standard across the ICT industry for deploying trusted cloud computing services.&#8221;</p>
<h2>Background</h2>
<p>To help understand what exactly SCAP is, let us turn to the U.S. National Institute of Standards and Technology (NIST) Special Publication (SP) 800-117, &#8220;<a href="http://csrc.nist.gov/publications/PubsDrafts.html#SP-800-117">DRAFT Guide to Adopting and Using the Security Content Automation Protocol (SCAP)</a>:&#8221;</p>
<blockquote>SCAP comprises a suite of specifications for organizing and expressing security-related information in standardized ways, as well as related reference data, such as identifiers for software flaws and security configuration issues.  SCAP can be used for maintaining the security of enterprise systems, such as automatically verifying the installation of patches, checking systems security configuration settings, and examining systems for signs of compromise.</blockquote>
<p>
NIST this month is looking for public comments on the first public draft of SP 800-126, &#8220;<a href="http://csrc.nist.gov/publications/drafts/sp800-126/Draft-SP800-126.pdf">The Technical Specification for the Security Content Automation Protocol (SCAP)</a>.&#8221;  Back in May, NIST released the draft for SP 800-117.
</p>
<p>
SCAP consists of the following components:</p>
<ul>
<li><a href="http://cce.mitre.org/">Common Configuration Enumeration (CCE)</a>: provides unique identifiers for system configuration issues in order to facilitate fast and accurate correlation of configuration data across multiple information sources and tools.</li>
<li><a href="http://cpe.mitre.org/">Common Platform Enumeration (CPE)</a>:  a structured naming scheme for information technology systems, platforms, and packages.</li>
<li><a href="http://cve.mitre.org/">Common Vulnerability Enumeration (CVE)</a>: a dictionary of publicly known information security vulnerabilities and exposures.</li>
<li><a href="http://www.first.org/cvss/">Common Vulnerability Scoring System (CVSS)</a>: a vulnerability scoring system designed to provide an open and standardized method of rating IT vulnerabilities.  NIST has even provided a <a href="http://nvd.nist.gov/cvss.cfm?calculator&#038;adv&#038;version=2">calculator</a> for creating CVSS vulnerability severity scores.</li>
<li><a href="http://scap.nist.gov/specifications/xccdf/">eXtensible Configuration Checklist Description Format (XCCDF)</a>: a specification language for writing security checklists, benchmarks, and related kinds of documents.  NIST has released NIST Interagency Report 7275 Revision 3, &#8220;<a href="http://csrc.nist.gov/publications/nistir/ir7275r3/NISTIR-7275r3.pdf">Specification for Extensible Configuration Checklist Description Format (XCCDF) Version 1.1.4</a>.&#8221;</li>
<li><a href="http://oval.mitre.org/">Open Vulnerability Assessment Language (OVAL)</a>: an information security community standard to promote open and publicly available security content, and to standardize the transfer of this information across security tools and services.</li>
</ul>
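<p>Two of the components above are concrete enough to exercise in code: a CPE 2.2 URI decomposes into fixed positional fields, and a CVSS v2 base vector scores deterministically with the published v2 equations that the NVD calculator linked above implements.  The following is an added Python example, not code from this post, NIST or MITRE; the URIs and vectors it uses are constructed.</p>

```python
"""SCAP identifier and scoring helpers: CPE 2.2 URI parsing and CVSS v2 base scores.

Added example; not code from the post, NIST or MITRE.  Sample URIs and vectors are
constructed.  Weights and equations follow the published CVSS v2 base-score formula."""
from dataclasses import dataclass

# CPE 2.2 URI layout: cpe:/{part}:{vendor}:{product}:{version}:{update}:{edition}:{language}
CPE_FIELDS = ("part", "vendor", "product", "version", "update", "edition", "language")


@dataclass(frozen=True)
class Cpe:
    part: str
    vendor: str
    product: str
    version: str = ""
    update: str = ""
    edition: str = ""
    language: str = ""


def parse_cpe22(uri):
    """Split a CPE 2.2 URI such as 'cpe:/o:microsoft:windows_xp::sp3:pro' into its fields.
    Trailing components may be omitted, and an empty component means 'unspecified'."""
    if not uri.startswith("cpe:/"):
        raise ValueError("not a CPE 2.2 URI: %r" % uri)
    fields = uri[len("cpe:/"):].split(":")
    if len(fields) > len(CPE_FIELDS):
        raise ValueError("too many components in %r" % uri)
    if fields[0] not in ("h", "o", "a"):
        raise ValueError("part must be h (hardware), o (OS) or a (application): %r" % uri)
    fields += [""] * (len(CPE_FIELDS) - len(fields))
    return Cpe(*fields)


# CVSS v2 base-metric weights.
ACCESS_VECTOR = {"L": 0.395, "A": 0.646, "N": 1.0}
ACCESS_COMPLEXITY = {"H": 0.35, "M": 0.61, "L": 0.71}
AUTHENTICATION = {"M": 0.45, "S": 0.56, "N": 0.704}
IMPACT = {"N": 0.0, "P": 0.275, "C": 0.660}


def cvss2_base_score(vector):
    """Compute the CVSS v2 base score from a base vector like 'AV:N/AC:L/Au:N/C:C/I:C/A:C'."""
    m = dict(item.split(":") for item in vector.split("/"))
    impact = 10.41 * (1 - (1 - IMPACT[m["C"]]) * (1 - IMPACT[m["I"]]) * (1 - IMPACT[m["A"]]))
    exploitability = 20 * ACCESS_VECTOR[m["AV"]] * ACCESS_COMPLEXITY[m["AC"]] * AUTHENTICATION[m["Au"]]
    f_impact = 0.0 if impact == 0 else 1.176  # a vector with no impact at all scores zero
    score = ((0.6 * impact) + (0.4 * exploitability) - 1.5) * f_impact
    return round(max(score, 0.0), 1)


def cvss2_severity(score):
    """NVD's v2 severity buckets, the usual basis for 'fix the worst first' prioritization."""
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"
```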
<p>
<a href="http://checklists.nist.gov">The National Checklist Program (NCP)</a>, outlined in <a href="http://csrc.nist.gov/publications/PubsSPs.html#SP-800-70-Rev.%201">NIST SP 800-70</a>, is the repository for SCAP-expressed checklists.  The checklists provide detailed low level guidance on setting the security configuration of operating systems and applications.
</p>
<p>
In June, MITRE hosted the Security Automation Developer Days conference, which focused on the U.S. National Institute of Standards and Technology’s (NIST) Security Content Automation Protocol (SCAP).  MITRE has made the <a href="http://makingsecuritymeasurable.mitre.org/participation/Security_Automation_Developer_Days_2009_Minutes.pdf">minutes</a> available, which include discussion of NIST SP 800-126.  Michael Smith has provided some great highlights from the conference in his post, &#8220;<a href="http://www.guerilla-ciso.com/archives/1176">Security Automation Developers Conference Slides</a>.&#8221;  The problem with Michael is that it is difficult not to quote his whole blog, which is bad web etiquette.  Please follow the link for some real insight concerning the slides.  You can also view below Michael&#8217;s presentation, &#8220;Security Content Automation Protocol and Web Application Security:&#8221;</p>
<p><a href="http://www.slideshare.net/rybolov/security-content-automation-protocol-and-web-application-security">Security Content Automation Protocol and Web Application Security</a> (slides by Michael Smith on SlideShare).</p>
<p>
Back in September 2008, NIST sponsored the Fourth Annual Security Automation Conference.  The <a href="http://nvd.nist.gov/2008-presentations.cfm">presentations</a> are available.  <a href="http://www.guerilla-ciso.com/archives/author/ian99">Ian Charters</a> attended and posted his thoughts, &#8220;<a href="http://www.guerilla-ciso.com/archives/514">NIST and SCAP; Busting a cap on intruders Part 1</a>.&#8221;  The <a href="http://www.nist.gov/public_affairs/confpage/091026.htm">5th Annual IT Security Automation Conference</a> will be held October 26-30th, 2009 at the Baltimore Convention Center.
</p>
<p>
Make sure to check out the OWASP video talk from <a href="http://www.owasp.org/index.php/Front_Range_OWASP_Conference_2009">SnowFROC 2009</a> by <a href="http://edbellis.com">Ed Bellis</a> (from Orbitz) on vulnerability management titled &#8220;<a href="http://video.google.com/videoplay?docid=-8396241750899139680&#038;hl=en">Doing more with less?  Automate or die</a>.&#8221;
</p>
<p>
Ed has also written an article for CSO Online, &#8220;<a href="http://www.csoonline.com/article/492213/How_SCAP_Brought_Sanity_to_Vulnerability_Management">How SCAP Brought Sanity to Vulnerability Management</a>.&#8221;
</p>
<h2>Possible Problems</h2>
<p>Some may argue that SCAP is overly complicated and people are better off relying solely on their vendor&#8217;s products and reports.  That assumes that a single vendor&#8217;s product line is sufficient to meet tomorrow&#8217;s security needs.  Some organizations buy into the platform simplification model, where basically they purchase a single vendor&#8217;s line of products in order to avoid interoperability problems.  The problem is that one vendor frequently only does a few things well.  The agility of the organization to adapt to changes in the security world becomes dependent solely on that single vendor.  After investing so much into that one vendor, organizations find that they are completely locked in.  Probably that is not the best position to be in when facing a very volatile IT environment.
</p>
<p>
Consider the list below, where NIST outlines the areas SCAP validation will cover (source: NIST Interagency Report 7511, &#8220;<a href="http://csrc.nist.gov/publications/drafts/nistir-7511/Draft-NISTIR-7511.pdf">Security Content Automation Protocol (SCAP) Version 1.0 Validation Program Test Requirements (DRAFT)</a>&#8221;):</p>
<ul>
<li><b>FDCC Scanner</b>: the capability to audit and assess a target system to determine its compliance with the FDCC requirements.</li>
<li><b>Authenticated Configuration Scanner</b>: the capability to audit and assess a target system to determine its compliance with a defined set of configuration requirements using target system logon privileges.</li>
<li><b>Authenticated Vulnerability and Patch Scanner</b>: the capability to scan a target system to locate and identify the presence of known vulnerabilities and evaluate the software patch status to determine compliance with a defined patch policy using target system logon privileges.</li>
<li><b>Unauthenticated Vulnerability Scanner</b>: the capability of determining the presence of known vulnerabilities by evaluating the target system over the network.</li>
<li><b>Intrusion Detection and Prevention System (IDPS)</b>: the capability to monitor a system or network for unauthorized or malicious activities. An intrusion prevention system actively protects the target system or network against these activities.</li>
<li><b>Vulnerability Remediation</b>: the capability to install patches on a target system in compliance with a defined patching policy.</li>
<li><b>Misconfiguration Remediation</b>: the capability to alter the configuration of a target system to bring it into compliance with a defined set of configuration recommendations.</li>
<li><b>Asset Scanner</b>: the capability to actively discover, audit, and assess asset characteristics including: installed and licensed products; location within the world, a network or enterprise; ownership; and other related information on IT assets such as workstations, servers, and routers.</li>
<li><b>Asset Database</b>: the capability to store and report on asset characteristics including: installed and licensed products; location within the world, a network or enterprise; ownership; and other related information on IT assets such as workstations, servers, and routers.</li>
<li><b>Vulnerability Database</b>: a catalog of security-related software flaws labeled with CVEs where applicable. This data is made accessible to users through a search capability or data feed and contains descriptions of software flaws, references to additional information (e.g., links to patches or vulnerability advisories), and impact scores. The user-to-database interaction is provided independent of any scans, intrusion detection, or reporting activities. Thus, a product that only scans to find vulnerabilities and then stores the results in a database does not meet the requirements for an SCAP vulnerability database (such a product would map to a different SCAP capability). A product that presents the user general knowledge about vulnerabilities, independent of a particular environment, would meet the definition of an SCAP vulnerability database.</li>
<li><b>Misconfiguration Database</b>: a catalog of security-related configuration issues labeled with CCEs where applicable. This data is made accessible to users through a search capability or data feed and contains descriptions of configuration issues and references to additional information (e.g., configuration guidance, mandates, or other advisories). The user-to-database interaction is provided independent of any configuration scans or intrusion detection activities. Thus, a product that only scans to find misconfigurations and then stores the results in a database does not meet the requirements for an SCAP misconfiguration database (such a product would map to a different SCAP capability). A product that presents the user general knowledge about security-related configuration issues, independent of a particular environment, would meet the definition of an SCAP vulnerability database.</li>
<li><b>Malware Tool</b>: the capability to identify and report on the presence of viruses, worms, Trojan horses, spyware, or other malware on a target system.</li>
</ul>
<p>It is difficult to imagine a single security product that is capable of doing all the above services well.  There is a need to be able to share information between various systems performing these functions.
</p>
<h2>Game Changing Technology</h2>
<p><img src="http://media.bonnint.net/wtop/15/1540/154077.jpg" align="right" width="140" />Considering past statements by <a href="http://commerce.senate.gov/public/index.cfm?FuseAction=Hearings.Testimony&#038;Hearing_ID=fba30a2a-812e-4a37-aec2-d3ca7a8f6c11&#038;Witness_ID=f4879075-168c-4a3f-827b-dc8e9e3ed191">Aneesh Chopra</a>, the first Chief Technology Officer of the United States, does SCAP not sound like an area that will receive additional support from the U.S. government?  ZDNet has posted a very interesting podcast of <a href="http://blogs.zdnet.com/BTL/?p=22292">Chopra talking at the Computer History Museum</a>.  Chopra wrote a few months back:</p>
<blockquote>If confirmed, I would emphasize a research program on &#8220;game-changing&#8221; ideas in cybersecurity, to find new ideas that might transform the nation’s information infrastructure to be more secure and simpler to understand and use.  The goal is to make it &#8220;easy to do the right thing, hard to do the wrong things and easy to recover when the wrong thing happens anyway.&#8221;</blockquote>
<p>Tim O&#8217;Reilly, one of the most insightful people around with respect to IT, wrote back in April &#8220;<a href="http://radar.oreilly.com/2009/04/aneesh-chopra-great-federal-cto.html">Why Aneesh Chopra is a Great Choice for Federal CTO</a>.&#8221;  Tim points out items that Chopra accomplished in Virginia:</p>
<ol>
<li>the first officially-approved open source textbook in the country, the Physics Flexbook;</li>
<li>integrating iTunes U with Virginia’s state education assessment framework;</li>
<li>the Learning Apps Development Challenge, a competition for the best iPhone and iPod Touch applications for middle-school math teaching;</li>
<li>a Ning-based social network to connect clinicians working in small health care offices in remote locations;</li>
<li>a state-funded “venture capital fund” to allow government agencies to try out risky but promising new approaches to delivering their services or improving their productivity;</li>
<li>a lightweight approval and testing process that allows the government to try out new technologies before making a full, expensive commitment.</li>
</ol>
<p>
Back in April 2007, Chopra was behind Virginia&#8217;s 95 agencies opening up their databases to the Google search engine, in order to make them widely accessible to the public.  Chopra stated at that time that the top priority of the state&#8217;s strategic plan for information technology, which was adopted the year before, is increased access to government information.  A great thing to do, provided security ensures that only the information you intend to expose is accessed, and only in the manner intended.
</p>
<p>
John Dvorak offers a different opinion of Chopra in his post &#8220;<a href="http://www.dvorak.org/blog/2009/08/12/special-report-is-us-chief-information-officer-cio-vivek-kundra-a-phony/">Special Report: Is US Chief Information Officer (CIO) Vivek Kundra a Phony?</a>&#8221;  Dvorak states, &#8220;It would be logical to assume that Kundra managed to get his buddy Chopra the CTO job despite the fact that Chopra’s technology background is essentially nil.&#8221;  Whether O&#8217;Reilly or Dvorak is correct, Chopra needs to start reading the Guerilla CISO for great insight into security solutions.  Michael outlines a plan on fixing government patch and vulnerability management through SCAP in the post, &#8220;<a href="http://www.guerilla-ciso.com/archives/1197">Federated Vulnerability Management</a>.&#8221;  Here are a few of the ideas discussed in the post:</p>
<ul>
<li>Every IT asset reports into a patch management system of some sort.  Group the assets allowing for identification of who is responsible when something has a problem.</li>
<li>Do periodic network scanning.</li>
<li>The orchestrator correlates network scans with patch management status and generates a ticket/alert/whatever where unmanaged devices are identified.</li>
<li>The NVD feed is pushed down to the agencies/departments which are sent out as vulnerability alerts along with the checks to see if systems are vulnerable.</li>
<li>Hardening guides are pushed from the agencies/departments in SCAP form and audit information is pulled from IT assets.  Differences are automatically entered into a workflow and reporting system.</li>
</ul>
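<p>The five ideas above fit together as one small orchestration loop.  The following is an added Python example, not code from the Guerilla CISO post or from any SCAP-validated product: it joins a patch-management inventory to a network scan to flag unmanaged devices, matches installed CPE names against NVD-style feed entries ranked by CVSS score, and turns hardening-baseline drift into per-group work items.  All hosts, CPE names, CVE and CCE identifiers and scores in it are constructed placeholders.</p>

```python
"""Federated vulnerability management on constructed data: an orchestrator that joins the
patch-management inventory, a network scan, an NVD-style feed and a hardening baseline.

Added example, not code from the Guerilla CISO post or any SCAP-validated product.  Hosts,
CPE names, scores, CVE ids and CCE ids below are all made-up placeholders."""
from collections import defaultdict

# Patch-management system: every managed asset, its owning group and its installed CPE names.
PATCH_MGMT = {
    "10.0.1.10": {"group": "finance", "cpes": ["cpe:/o:microsoft:windows_xp::sp3",
                                               "cpe:/a:adobe:acrobat_reader:9.1"]},
    "10.0.1.11": {"group": "finance", "cpes": ["cpe:/o:microsoft:windows_xp::sp3",
                                               "cpe:/a:adobe:acrobat_reader:9.3"]},
    "10.0.2.20": {"group": "web", "cpes": ["cpe:/o:redhat:enterprise_linux:5",
                                           "cpe:/a:apache:http_server:2.2.11"]},
}

# Periodic network scan: CPE names fingerprinted on each live host.
NETWORK_SCAN = {
    "10.0.1.10": ["cpe:/o:microsoft:windows_xp"],
    "10.0.2.20": ["cpe:/a:apache:http_server:2.2.11"],
    "10.0.3.99": ["cpe:/o:microsoft:windows_2000"],  # on the wire but never enrolled
}

# NVD-style feed pushed down to the agency: identifier, CVSS base score, affected CPE names.
VULN_FEED = [
    {"cve": "CVE-0000-0001", "score": 9.3, "affects": ["cpe:/a:adobe:acrobat_reader:9.1"]},
    {"cve": "CVE-0000-0002", "score": 5.0, "affects": ["cpe:/a:apache:http_server:2.2.11"]},
    {"cve": "CVE-0000-0003", "score": 7.5, "affects": ["cpe:/o:microsoft:windows_2000"]},
]

# Hardening guide pushed out in SCAP form (setting id -> required value) and the audit
# values pulled back from each asset.
BASELINE = {"CCE-0000-1": "enabled", "CCE-0000-2": "15"}
AUDIT_RESULTS = {
    "10.0.1.10": {"CCE-0000-1": "enabled", "CCE-0000-2": "15"},
    "10.0.1.11": {"CCE-0000-1": "disabled", "CCE-0000-2": "15"},
    "10.0.2.20": {"CCE-0000-1": "enabled"},  # second setting missing from the audit
}


def cpe_covers(pattern, name):
    """A feed entry's CPE covers an installed name when every component it specifies is
    equal; an empty component in the pattern matches anything.  A pattern more specific
    than the name (it names a service pack the scan could not see) does not match."""
    p, n = pattern.split(":"), name.split(":")
    return len(p) <= len(n) and all(pc in ("", nc) for pc, nc in zip(p, n))


def find_unmanaged(scan, patch_mgmt):
    """Hosts seen by the network scan that never reported to patch management."""
    return sorted(host for host in scan if host not in patch_mgmt)


def vulnerability_alerts(patch_mgmt, scan, feed):
    """Merge inventory and scan fingerprints per host, match them against the feed and
    rank the alerts by CVSS score so the most significant ones are addressed first."""
    inventory = defaultdict(set)
    for host, record in patch_mgmt.items():
        inventory[host].update(record["cpes"])
    for host, cpes in scan.items():
        inventory[host].update(cpes)
    alerts = []
    for host, cpes in inventory.items():
        group = patch_mgmt.get(host, {}).get("group", "UNMANAGED")
        for entry in feed:
            hits = sorted(c for c in cpes if any(cpe_covers(a, c) for a in entry["affects"]))
            if hits:
                alerts.append({"host": host, "group": group, "cve": entry["cve"],
                               "score": entry["score"], "matched": hits})
    return sorted(alerts, key=lambda a: (-a["score"], a["host"]))


def config_drift(baseline, audit_results):
    """Per host, the baseline settings whose audited value is wrong or was not reported."""
    drift = {}
    for host, observed in audit_results.items():
        diffs = {k: observed.get(k) for k, v in baseline.items() if observed.get(k) != v}
        if diffs:
            drift[host] = diffs
    return drift


def tickets_by_group(alerts, drift, patch_mgmt, baseline):
    """Route alerts and drift findings to whoever owns the asset; unmanaged hosts
    land in their own queue so that someone has to claim them."""
    tickets = defaultdict(list)
    for a in alerts:
        tickets[a["group"]].append("%s: %s (CVSS %.1f) via %s"
                                   % (a["host"], a["cve"], a["score"], ", ".join(a["matched"])))
    for host, diffs in drift.items():
        group = patch_mgmt.get(host, {}).get("group", "UNMANAGED")
        for setting, value in sorted(diffs.items()):
            tickets[group].append("%s: %s is %r, baseline requires %r"
                                  % (host, setting, value, baseline[setting]))
    return dict(tickets)


if __name__ == "__main__":
    found = vulnerability_alerts(PATCH_MGMT, NETWORK_SCAN, VULN_FEED)
    queues = tickets_by_group(found, config_drift(BASELINE, AUDIT_RESULTS), PATCH_MGMT, BASELINE)
    for group, items in queues.items():
        print(group)
        for item in items:
            print("  " + item)
```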
<p>Imagine the additional possibilities when intrusion detection/prevention systems, patch remediation, asset scanners, and malware tools start sharing information.
</p>
<h2>SCAP and the Cloud</h2>
<p>Aneesh Chopra should also read Christofer Hoff&#8217;s Rational Survivability blog.  In Hoff&#8217;s post, &#8220;<a href="http://www.rationalsurvivability.com/blog/?p=1177">Extending the Concept: A Security API for Cloud Stacks</a>,&#8221; he considers building on the capabilities of SCAP to embed a &#8220;standardized and open API layer into each IaaS, PaaS and SaaS offering (see the API blocks in the diagram below) to provide not only a standardized way of scanning for network vulnerabilities, but also configuration management, asset management, patch remediation, compliance, etc.&#8221;  Hoff goes on to write, &#8220;Further (HT to @davidoberry who reminded me about my posts on the topic) we could use <a href="http://www.rationalsurvivability.com/blog/?p=78">TCG IF-MAP as a comms. protocol for telemetry</a>.&#8221;
</p>
<p>
<a href="http://www.rationalsurvivability.com/blog/wp-content/media/2009/07/mappingmetal_compliance.044.jpg"><img src="http://www.rationalsurvivability.com/blog/wp-content/media/2009/07/mappingmetal_compliance.044.jpg" width="450" /></a>
</p>
<p>
Hoff is another person who is difficult to quote without including his complete post.  He makes the point that you gain &#8220;automated audit and security management capability for the customer/consumer and a streamlined, cost effective, and responsive way of automating the validation of said controls in relation to compliance, SLA and legal requirements for service providers.&#8221;  By doing so, Hoff points out, you are &#8220;not reinventing the wheel and we have lots of technology and standardized solutions we can already use to engineer into the stack.&#8221;
</p>
<p>
<font color="red">Update:</font>  Hoff pointed out (see comments area) some of the excellent work done by Iron Fog (Ben) in not only his post &#8220;<a href="http://ironfog.blogspot.com/2009/08/some-thoughts-for-addressing-assurance.html">Some thoughts for addressing the Assurance component of A6</a>,&#8221; but also his series of posts &#8220;Can we do the Security Stack API RESTfully? (parts <a href="http://ironfog.blogspot.com/2009/07/can-we-do-security-stack-api-restfully.html">1</a>, <a href="http://ironfog.blogspot.com/2009/07/can-we-do-security-stack-api-restfully_28.html">2</a>, <a href="http://ironfog.blogspot.com/2009/07/can-we-do-security-stack-api-restfully_29.html">3</a>, <a href="http://ironfog.blogspot.com/2009/07/can-we-do-security-stack-api-restfully_30.html">4</a>, and <a href="http://ironfog.blogspot.com/2009/07/can-we-do-security-stack-api-restfully_31.html">5</a>).&#8221;
</p>
<p>
<a href="http://www.zoominfo.com/people/Mell_Peter_30239499.aspx">Peter Mell</a>, who recently changed positions at NIST from the SCAP validation program manager to the leader of the agency&#8217;s Cloud computing project, will likely agree with Hoff&#8217;s points.  Expect NIST efforts in the Cloud to take SCAP into consideration.
</p>
<p><a href="http://www.slideshare.net/kvjacksn/nist-cloud-computing-standards">NIST Cloud Computing Standards</a> (slides posted to SlideShare by Kevin Jackson).</p>
<h2>Final Thoughts</h2>
<p>As Michael Smith points out, in the Cloud one faces the same problems as a managed service provider, mainly how to allow the auditing of systems and the underlying infrastructure.  An API could allow a managed services environment to make security tasks much easier for customers.  To quote Michael Smith, &#8220;we have in SCAP is Common Platform Enumeration (CPE) which allows you to specify the hardware and software (ie, how the infrastructure that you don’t know about is built) and eXtensible Configuration Checklist Description (XCCDF) which specifies the audit/compliance checks. Package them together and you have a way of describing what the infrastructure looks like and the technical auditing standard to go along with it.&#8221;  Sounds like some game changing ideas that could transform the nation’s information infrastructure, helping it be more secure.  I hope you are listening, Aneesh Chopra.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.securitymonks.com/2009/08/09/standardization-and-interoperability-in-security/feed/</wfw:commentRss>
		<slash:comments>5</slash:comments>
		</item>
		<item>
		<title>Security Sects: Destroying Relational Competence</title>
		<link>http://blog.securitymonks.com/2009/03/21/security-sects-destroying-relational-competence/</link>
		<comments>http://blog.securitymonks.com/2009/03/21/security-sects-destroying-relational-competence/#comments</comments>
		<pubDate>Sun, 22 Mar 2009 04:52:19 +0000</pubDate>
		<dc:creator>John Gerber</dc:creator>
				<category><![CDATA[Application]]></category>
		<category><![CDATA[CISSP]]></category>
		<category><![CDATA[COBIT]]></category>
		<category><![CDATA[Defense in Depth]]></category>
		<category><![CDATA[ISACA]]></category>
		<category><![CDATA[Information Security Governance]]></category>
		<category><![CDATA[Opinion]]></category>
		<category><![CDATA[Policies]]></category>
		<category><![CDATA[Relation Competence]]></category>
		<category><![CDATA[Risk]]></category>

		<guid isPermaLink="false">http://blog.securitymonks.com/?p=932</guid>
		<description><![CDATA[I come bearing no answers, only questions.  This being the SecurityMonks website, I could not allow the article, &#8220;The High Priests of IT — And the Heretics&#8221; to pass without comment.  No heretics or high priests here.  Only a simple security monk.  The author, Cory Doctorow, makes his argument well.  [...]]]></description>
<content:encoded><![CDATA[<p><a href="http://augustfallsstudio.com/"><img src="/images/coexist01.png" align="left" width="170" /></a>I come bearing no answers, only questions.  This being the SecurityMonks website, I could not allow the article, &#8220;<a href="http://blogs.harvardbusiness.org/now-new-next/2009/03/the-high-priests-of-it.html">The High Priests of IT — And the Heretics</a>&#8221; to pass without comment.  No heretics or high priests here.  Only a simple security monk.  The author, <a href="http://craphound.com/">Cory Doctorow</a>, makes his argument well.  While I may not agree with Cory on several points, I do find how he frames the discussion most interesting.  Discussion of an issue is often influenced by how one frames the problem.  </p>
<p>
What I hope people reading Cory&#8217;s post walk away with is the recognition that sects exist.  We all have various fanatics at each of the organizations where we work.  Many are good people <a href="http://www.sacred-texts.com/bud/ami/ami14.htm">earnest and true</a> in their desire to do their jobs well.  Yet, they could not be more different in their solutions to the problems facing their organizations.  They may fall into the high priests or heretics camps, or a dozen other camps.
</p>
<p>
Let us talk about some of the divisions within IT and security.  <a href="http://www.bejtlich.net/">Richard Bejtlich</a> points out two camps in his post, &#8220;<a href="http://taosecurity.blogspot.com/2009/03/steve-liesman-on-inputs-vs-outputs.html">Steve Liesman on Inputs vs Outputs</a>.&#8221;  Richard is continuing an argument he previously made in &#8220;<a href="http://taosecurity.blogspot.com/2007/11/controls-are-not-solution-to-our.html">Controls Are Not the Solution to Our Problem</a>.&#8221;  He argues that too much time and too many resources are being spent on auditing controls that are far too input-centric.  Instead, Richard feels controls should become more output-aware and recommends directing attention away from inputs and devoting more energy to outputs.  Included are some real world examples that management could understand and relate to.  <a href="http://en.wikipedia.org/wiki/Steve_Liesman">Steve Liesman</a> is quoted in relation to our current economic crisis, &#8220;<strong>It&#8217;s not what you&#8217;re doing that matters; it&#8217;s whether or not it works</strong>.&#8221;  Consider the following questions.  Within your security organization, who focuses on controls/inputs and who focuses on outputs?  How much of a division exists between these groups?  Where do the auditors fit in?
</p>
<p>
To point out other divisions within security, take a look at <a href="http://www.blogger.com/profile/05017778127841311186">Jeremiah Grossman</a>&#8217;s recent post, &#8220;<a href="http://jeremiahgrossman.blogspot.com/2009/03/quick-wins-and-web-application-security.html">Quick Wins and Web Application Security</a>.&#8221;  To quote Jeremiah paraphrasing a recent conversation with <a href="http://www.gartner.com/AnalystBiography?authorId=10326">Joseph Feiman</a> (Gartner):</p>
<blockquote><p>During an event a panel of Gartner Analysts asked the audience what the best way is for an organization to invest $1 million in effort to reduce risk. The choices were <strong>Network, Host, or Application security</strong>, to which the Gartner analysts made their cases for these three disciplines. The catch was the budget could not be shared between them and must be prioritized into a single initiative. The audience selected Application security. However, the Gartner CSO (who took the role of CIO in the play) overruled the audience&#8217;s decision. They instead selected Network security, while at the same time curiously agreeing that Application security would have been the better path. His rationale was that <strong>it is easier for him to show results to his CEO if he invests in the Network</strong>.</p></blockquote>
<p><a href="http://www.cigital.com/gem/">Gary McGraw</a> was recently interviewed by <a href="http://duckdown.blogspot.com/">James McGovern</a> for the <a href="http://www.cigital.com/silverbullet/show-036/">SilverBullet podcast</a>.  They discuss the recent release of the &#8220;Building Security In Maturity Model (<a href="http://www.bsi-mm.com/">BSIMM</a>).&#8221;  In the interview, Gary was asked about the leaders of the enterprises that &#8220;have a clue in making their security posture better.&#8221;  While the leadership that helped develop the BSIMM had very diverse backgrounds, James asked, &#8220;It sounds like they are all from a technical background at some level.  Are there IT executives out there that understand software security that are just business people?&#8221;  Gary responded, &#8220;I don&#8217;t know the answer to that.  I really don&#8217;t know any.  I will say this about these people, they are the sort of <strong>hybrid people that can speak business and also have a very deep technical background</strong>.  As you know those kind of creatures are rare on earth.  Right now it appears that they might be necessary to cause software security initiatives to be a success.  Hopefully, we will gain enough experience and write down enough empirical science that this won&#8217;t be the case in the future.&#8221;
 </p>
<p>
It is not a great surprise to learn that a major divide exists between the IT camp and the business camp.  Recent frameworks often include governance components in an attempt to bridge the gap between the two.  As an example, the IT Governance Institute® (<a href="http://www.itgi.org/">ITGI™</a>) recently released v0.1 of a risk-based framework built on the principles of enterprise risk management standards such as COSO ERM and AS/NZS 4360.  The framework is called <a href="http://www.isaca.org/Template.cfm?Section=Risk_IT&#038;Template=/TaggedPage/TaggedPageDisplay.cfm&#038;TPLID=79&#038;ContentID=48749"><strong>Risk IT</strong></a>.  ITGI would argue that existing IT risk guidance documents tend to focus solely on IT security; Risk IT is meant to cover all aspects of IT risk.  ITGI also develops the Control Objectives for Information and related Technology (<a href="http://www.isaca.org/cobit/">COBIT</a>), which is focused on &#8220;providing a comprehensive framework for the delivery of information technology-based services.&#8221;  Risk IT and COBIT are meant to complement each other.  COBIT is a set of good practices that provides the means of risk management, while Risk IT is meant to set good practices for the ends by &#8220;providing a framework for enterprises to identify, govern and manage IT risk.&#8221;  Recall Richard Bejtlich&#8217;s argument concerning the division between controls/inputs and outputs.
</p>
<p>
All these different sects make effective security very difficult.  A layered approach to security fails to work when the layers operate in isolation.  Gary McGraw gets an &#8220;amen!&#8221; for describing the leaders of enterprises that understand security as the &#8220;sort of hybrid people that can speak business and also have a very deep technical background.  As you know those kind of creatures are rare on earth.&#8221;  On top of having an understanding that reaches into areas throughout the organization, they need to be leaders.
</p>
<p>
<a href="http://resources.bnet.com/topic/rob+goffee.html">Rob Goffee</a> and <a href="http://resources.bnet.com/topic/gareth+jones.html">Gareth Jones</a> wrote an article, &#8220;<a href="http://harvardbusinessonline.hbsp.harvard.edu/b01/en/common/viewFileNavBean.jhtml?_requestid=54299">Leading Clever People</a>.&#8221;  Goffee and Jones will be publishing a book with the same title late in 2009.  An <a href="http://www.london.edu/videoandaudio/leadingcleverpeople.html">audio interview</a> is available from the London Business School.  Goffee and Jones conducted over 100 interviews with leaders at major organizations and report that the relationships effective leaders have with their “clever people” are shaped by seven characteristics those clever people share:</p>
<ol>
<li><strong>They know their worth</strong>—and they know you have to employ them if you want their tacit skills.</li>
<li>They are organizationally savvy and will seek the company context in which their interests are most <strong>generously funded</strong>.</li>
<li>They <strong>ignore corporate hierarchy</strong>; although intellectual status is important to them, you can’t lure them with promotions.</li>
<li>They expect <strong>instant access to top management</strong>, and if they don’t get it, they may think the organization doesn’t take their work seriously.</li>
<li>They are plugged into highly developed knowledge networks, which both <strong>increases their value</strong> and makes them more of a <strong>flight risk</strong>.</li>
<li>They have a <strong>low boredom threshold</strong>, so you have to keep them challenged and committed.</li>
<li>They <strong>won’t thank you</strong>—even when you’re leading them well.</li>
</ol>
<p>Now you may be thinking, &#8220;I am security, not the CEO of the company.  I am not even their project manager.  Why are you talking about leadership?  Why should I care about business?  If users just did what I told them, life would be good.&#8221;  It is important to note that a characteristic not listed above is &#8220;empathy.&#8221;  Folks in your organization are not going to try to see things from security&#8217;s point of view.  They want to do their jobs, and if security appears to be a roadblock, they will go around it.  We need to avoid having each sect doing its own thing.  As in many religions, an &#8220;us versus them&#8221; attitude will develop.  If you want people to follow, you must first lead.  To lead &#8220;clever people&#8221; you must understand those people.
</p>
<p>
<a href="http://mitleadership.mit.edu/p-parker.php">James Parker</a>, former CEO of Southwest Airlines, offers some advice.  He has written a fascinating book titled &#8220;<a href="http://www.amazon.com/Right-Thing-Dedicated-Employees-Customers/dp/0132343347">Do the Right Thing</a>.&#8221;  One particularly interesting story concerned a manager who did not succeed despite being very intelligent and ambitious.  &#8220;When this person finally left, I asked one of his former employees why she thought everybody disliked her former boss so much. She summed it up: &#8216;<strong>Because he was the kind of person who kissed up and spit down</strong>.&#8217;&#8221;  When problems arose at American Airlines, &#8220;the primary focus of communications was blaming and avoidance of blame &#8211; in contrast, <strong>when something went wrong at Southwest, the focus of communications was problem-solving</strong>,&#8221; Parker quotes from the book &#8220;<a href="http://www.amazon.com/Southwest-Airlines-Jody-Hoffer-Gittell/dp/0071458271/ref=pd_bbs_sr_1?ie=UTF8&#038;s=books&#038;qid=1237681999&#038;sr=8-1">The Southwest Airlines Way</a>.&#8221;
</p>
<p>
James Parker and <a href="http://mitworld.mit.edu/speaker/view/491">Barbara Stocking</a>, Chief Executive of <a href="http://www.oxfam.org.uk/">Oxfam GB</a>, discuss below &#8220;<a href="http://mitworld.mit.edu/video/315">Leadership in an Age of Uncertainty</a>&#8221; with moderator <a href="http://mitsloan.mit.edu/faculty/detail.php?in_spseqno=1&#038;co_list=F">Deborah G. Ancona</a>.  The discussion focuses on the need for distributed leadership.  A key point made is that companies need &#8220;<strong>employees doing things outside the narrow scope of their job responsibilities, to contribute to the success of overall operations</strong>.&#8221;  This is the cornerstone of the concept of &#8220;<strong>relational competence</strong>.&#8221;
</p>
<p>
<object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=9,0,0,0" width="481" height="361" id="Main" align="middle"><param name="allowScriptAccess" value="always" /><param name="movie" value="http://mitworld.mit.edu/flash/player/Main.swf?host=cp58255.edgefcs.net&#038;flv=mitw-00338-sloan-convo-uncertainty-anacona-07oct2005&#038;preview=http://mitworld.mit.edu//uploads/mitwstill-00338-sloan-convo-uncertainty-anacona-07oct2005.jpg" /><param name="quality" value="high" /><param name="bgcolor" value="#000000" /><embed src="http://mitworld.mit.edu/flash/player/Main.swf?host=cp58255.edgefcs.net&#038;flv=mitw-00338-sloan-convo-uncertainty-anacona-07oct2005&#038;preview=http://mitworld.mit.edu//uploads/mitwstill-00338-sloan-convo-uncertainty-anacona-07oct2005.jpg" quality="high" bgcolor="#000000" width="481" height="361" name="Main" align="middle" allowScriptAccess="always" type="application/x-shockwave-flash" pluginspage="http://www.macromedia.com/go/getflashplayer" /></object>
</p>
<p>
The world continues to get more complicated.  In response, more specialization occurs, which leads to less understanding of other groups.  The history of religions has shown us how difficult things can get when various sects develop.  In the corporate world, communication breaks down, the focus on the mission is lost, and the relational competence of the company dissolves.  I started this post with the statement that I come bearing no answers, only questions.  While that is true, I have pointed to some very intelligent people who discuss the various sects and offer possible ways to coexist.  Security professionals cannot exist in their own camp, separate from the rest of the organization, dictating how people should do their jobs.  In such an environment, it will not matter if every pronouncement is the embodiment of wisdom and truth.  Failure is inevitable.  <a href="http://quotationsbook.com/quote/5394/">Abraham Lincoln</a> offered these wise words when he addressed the Washington Temperance Society on February 22, 1842:</p>
<blockquote><p>If you would win a man to your cause, first convince him that you are his sincere friend. Therein is a drop of honey that catches his heart, which, say what you will, is the great high-road to his reason, and which, when once gained, you will find but little trouble in convincing his judgment of the justice of your cause. If indeed that cause really be a just one. </p>
<p>On the contrary, assume to dictate to his judgment, or to command his action, or to mark him as one to be shunned and despised, and he will retreat within himself, close all the avenues to his head and his heart; and though your cause be naked truth itself, transformed to the heaviest lance, harder than steel, and sharper than steel can be made, and though you throw it with more than herculean force and precision, you shall be no more able to pierce him, than to penetrate the hard shell of a tortoise with a rye straw.</p></blockquote>
<p>Amen, brother Abraham.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.securitymonks.com/2009/03/21/security-sects-destroying-relational-competence/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>FISMA: Paperwork Or Actual Security?</title>
		<link>http://blog.securitymonks.com/2008/03/17/fisma-paperwork-or-actual-security/</link>
		<comments>http://blog.securitymonks.com/2008/03/17/fisma-paperwork-or-actual-security/#comments</comments>
		<pubDate>Mon, 17 Mar 2008 06:42:41 +0000</pubDate>
		<dc:creator>John Gerber</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[OMB]]></category>
		<category><![CDATA[Policies]]></category>

		<guid isPermaLink="false">http://blog.securitymonks.com/2008/03/17/fisma-paperwork-or-actual-security/</guid>
		<description><![CDATA[&#8220;How much of FISMA is paperwork vs. actual security?&#8221; was the question that Senator Tom Coburn, R-Okla. had at a Senate hearing on Wednesday.  Karen Evans, Administrator of E-Government and Information Technology Office of Management and Budget (OMB), responded &#8220;That depends on how an agency goes about doing its work.  FISMA has put [...]]]></description>
<content:encoded><![CDATA[<p><img src="/images/XXBuisnessmanand-paperwork.jpg" alt="Paperwork" align="left" width=70 />&#8220;<em>How much of <a href="http://csrc.nist.gov/groups/SMA/fisma/index.html">FISMA</a> is paperwork vs. actual security?</em>&#8221; was the question <a href="http://coburn.senate.gov/public/">Senator Tom Coburn</a>, R-Okla., asked at a Senate hearing on Wednesday.  <a href="http://www.whitehouse.gov/government/kevans-bio.html">Karen Evans</a>, Administrator of the Office of E-Government and Information Technology at the Office of Management and Budget (<a href="http://www.whitehouse.gov/omb/">OMB</a>), responded, &#8220;<em>That depends on how an agency goes about doing its work.  FISMA has put together a framework, but if [an agency] does it just for compliance, then it&#8217;s purely a paperwork exercise</em>.&#8221;  OMB has issued the report &#8220;<a href="http://www.whitehouse.gov/omb/inforeg/reports/2007_fisma_report.pdf">Fiscal Year 2007 Report to Congress on Implementation of The Federal Information Security Management Act of 2002</a>.&#8221;  Below is a summary from the report of overall progress in meeting selected government-wide IT security goals from fiscal years 2002 to 2007:</p>
<table border="0" cellspacing="10" >
<tr>
<th scope="col" >Percentage of Systems with:</th>
<th scope="col" >FY 2002</th>
<th scope="col" >FY 2003</th>
<th scope="col" >FY 2004</th>
<th scope="col" >FY 2005</th>
<th scope="col" >FY 2006</th>
<th scope="col" >FY 2007</th>
</tr>
<tr>
<td VALIGN=TOP>Certification and Accreditation</td>
<td VALIGN=TOP>47%</td>
<td VALIGN=TOP>62%</td>
<td VALIGN=TOP>77%</td>
<td VALIGN=TOP>85%</td>
<td VALIGN=TOP>88%</td>
<td VALIGN=TOP><strong>92%</strong></td>
</tr>
<tr>
<td VALIGN=TOP>Tested Contingency Plan</td>
<td VALIGN=TOP>35%</td>
<td VALIGN=TOP>48%</td>
<td VALIGN=TOP>57%</td>
<td VALIGN=TOP>61%</td>
<td VALIGN=TOP>77%</td>
<td VALIGN=TOP><strong>86%</strong></td>
</tr>
<tr>
<td VALIGN=TOP>Tested Security Controls</td>
<td VALIGN=TOP>60%</td>
<td VALIGN=TOP>64%</td>
<td VALIGN=TOP>76%</td>
<td VALIGN=TOP>72%</td>
<td VALIGN=TOP>88%</td>
<td VALIGN=TOP><strong>95%</strong></td>
</tr>
<tr>
<td VALIGN=TOP>Total Systems Reported</td>
<td VALIGN=TOP>7,957</td>
<td VALIGN=TOP>7,998</td>
<td VALIGN=TOP>8,623</td>
<td VALIGN=TOP>10,289</td>
<td VALIGN=TOP>10,595</td>
<td VALIGN=TOP><strong>10,305</strong></td>
</tr>
</table>
<p>
<a href="http://www.gao.gov/careers/infotech.html">Gregory C. Wilshusen</a>, Director, Information Security Issues at <a href="http://www.gao.gov">GAO</a> offered a different interpretation, when he stated, &#8220;<em>Despite the progress reported by agencies, they continue to confront longstanding information security control deficiencies that limit the effectiveness of their efforts in protecting the confidentiality, integrity and availability of their information and information systems</em>.&#8221;   GAO has released a report, &#8220;<a href="http://www.gao.gov/new.items/d08496t.pdf">Information Security: Although Progress Reported, Federal Agencies Need to Resolve Significant Deficiencies</a>.&#8221;  Quoting from the report, a few statistics of particular interest:</p>
<ul>
<li>Data from the <a href="http://nvd.nist.gov/">National Vulnerability Database</a>, the U.S. government repository of standards-based vulnerability management data, showed that, as of February 6, 2008, there were about <strong>29,000 security vulnerabilities</strong> or software defects that can be directly used by a hacker to gain access to a system or network. On average, close to 17 new vulnerabilities are added each day. Furthermore, the database revealed that more than 13,000 products contained security vulnerabilities.</li>
<li>The percentage of certified and accredited systems government wide reportedly <strong>increased from 88 percent to 92 percent</strong>. Gains were also reported in testing of security controls – from 88 percent of systems to 95 percent of systems – and for contingency plan testing – from 77 percent to 86 percent.</li>
<li>In their fiscal year 2007 performance and accountability reports, 20 of 24 major agencies indicated that inadequate information security controls were either a significant deficiency or a material weakness.</li>
<li>Our analysis determined that 19 of 24 major federal agencies had not fully implemented agency-wide information security programs.</li>
<li>The number of incidents reported by federal agencies to US-CERT has increased dramatically over the past 3 years, increasing from 3,634 incidents reported in fiscal year 2005 to 13,029 incidents in fiscal year 2007, (about a <strong>259 percent increase</strong>).</li>
</ul>
<p><a href="http://www.blogger.com/profile/17807363822730767592">Niels Provos</a>, of Google&#8217;s Anti-Malware Team, cited a <a href="http://research.google.com/archive/provos-2008a.pdf">recent paper</a> by researchers at Google.  The paper revealed that more than <strong>1.3% of Google search results</strong> now contain at least one malware-serving website, a number that has <strong>quadrupled</strong> in the past nine months. The graph shows the increase in the ratio of search results containing a URL labeled as harmful:<br />
<a href="http://bp3.blogger.com/_LMSk7hTEaIE/R7DFFTZgEGI/AAAAAAAAGk0/eNxgOyjY3x4/s1600-h/harmful_search_result_pages.png"><img src="/images/harmful_search_result_pages.png" alt="Ratio of Google search result pages containing a harmful URL" id="BLOGGER_PHOTO_ID_5165845467491209314" border="0" /></a><br />
In government, the percentage of certified and accredited systems is increasing, but the number of reported incidents is increasing much faster.  OMB found a <a href="http://www.govexec.com/dailyfed/0308/030208a1.htm"><strong>60 percent rise</strong></a> in the number of reported incidents from 2006 to 2007.  Evans attributed the increase in large part to improved reporting.  <a href="http://www.csialliance.org/about_csia/csia_team/bio_timbennett/">Tim Bennett</a>, president of the <a href="http://www.csialliance.org">Cyber Security Industry Alliance</a>, has a different opinion.  Bennett believes the increase is real and attributes it to a shift from attacks by lone hackers to attacks launched by organized crime and state-sponsored organizations.
</p>
<p>
<a href="http://www.adamdodge.com/esi/about_esi">Adam Dodge</a> took a look at the information security breaches that occurred in 2007 at colleges and universities around the world, as reported in the news.  Dodge released his results in the report &#8220;<a href="http://www.adamdodge.com/esi/files/Educational%20Security%20Incidents%20Year%20in%20Review%20-%202007.pdf">The Educational Security Incidents (ESI) Year in Review – 2007</a>.&#8221;  The report found a <strong>67.5% increase</strong> in the number of reported incidents over 2006.  This increase is in line with what the government agencies experienced.
</p>
<p>
<a href="http://www.emergentchaos.com/archives/2005/10/introducing_chr.html">Chris Walsh</a> provides some interesting insight by comparing the number of reported breaches in the US and Great Britain.  In the posting &#8220;<a href="http://www.emergentchaos.com/archives/2008/03/reporting_on_data_breache.html">Reporting on Data Breaches: US and Great Britain</a>,&#8221; Walsh shows that both countries have seen a dramatic increase in reported breaches:<br />
<a href="http://www.emergentchaos.com//dldosbycountry.jpg"><img src="http://www.emergentchaos.com//dldosbycountry.jpg" alt="Breach Report" width="100%" /></a><br />
The US-CERT annual report for fiscal year 2007 gives the following numbers of incidents reported to the DHS incident response center.  Note that the yearly totals differ slightly from the figures GAO cites above (3,634 for FY 2005 and 13,029 for FY 2007):</p>
<table border="0" cellspacing="10" >
<tr>
<th scope="col" >Incident Categories</th>
<th scope="col" >FY 2005</th>
<th scope="col" >FY 2006</th>
<th scope="col" >FY 2007</th>
</tr>
<tr>
<td VALIGN=TOP>Unauthorized Access</td>
<td VALIGN=TOP>304</td>
<td VALIGN=TOP>706</td>
<td VALIGN=TOP><strong>2,321</strong></td>
</tr>
<tr>
<td VALIGN=TOP>Denial of Service</td>
<td VALIGN=TOP>31</td>
<td VALIGN=TOP>37</td>
<td VALIGN=TOP><strong>36</strong></td>
</tr>
<tr>
<td VALIGN=TOP>Malicious Code</td>
<td VALIGN=TOP>1,806</td>
<td VALIGN=TOP>1,465</td>
<td VALIGN=TOP><strong>1,607</strong></td>
</tr>
<tr>
<td VALIGN=TOP>Improper Usage</td>
<td VALIGN=TOP>370</td>
<td VALIGN=TOP>638</td>
<td VALIGN=TOP><strong>3,305</strong></td>
</tr>
<tr>
<td VALIGN=TOP>Scans/Probes/Attempted Access</td>
<td VALIGN=TOP>976</td>
<td VALIGN=TOP>1,388</td>
<td VALIGN=TOP><strong>1,661</strong></td>
</tr>
<tr>
<td VALIGN=TOP>Under Investigation</td>
<td VALIGN=TOP>82</td>
<td VALIGN=TOP>912</td>
<td VALIGN=TOP><strong>4,056</strong></td>
</tr>
<tr>
<td VALIGN=TOP>Total Incidents Reported</td>
<td VALIGN=TOP>3,569</td>
<td VALIGN=TOP>5,146</td>
<td VALIGN=TOP><strong>12,986</strong></td>
</tr>
</table>
<p><a href="http://www.computerworld.com/action/inform.do?command=search&#038;searchTerms=Alan+Paller">Alan Paller</a>, director of research at <a href="http://www.sans.org">SANS Institute</a>, explains that the increase in both certified and accredited systems and reported data breaches has occurred because “<em>the government has made progress in writing reports</em>.”  Paller goes on to state that the government has made “<em>no progress in improving the security that matters – keeping the wrong people out</em>.”  <a href="http://www.guerilla-ciso.com/">Michael Smith</a> (aka rybolov), manager in the Audit and Enterprise Risk Services organization of Deloitte &#038; Touche LLP, writes in his posting titled &#8220;<a href="http://www.guerilla-ciso.com/archives/348">Cage Match: OMB Report V/S GAO Report, Only One Comes Out Alive</a>&#8221;:</p>
<blockquote><p>GAO used exactly what was reported to OMB but came up with different conclusions.  Some of that is to be expected, it’s the same doers v/s the auditors conflict that’s been going on since the beginning of time, but wow, there is a huge disparity here that we need to account for.</p></blockquote>
<p>Rybolov goes on to offer one possible explanation for the disparity:</p>
<blockquote><p>Now as far as the contradicting reports, let’s do a hasty analysis of the current political situation in DC, shall we?  The Executive Branch is controlled by the Republicans (and has been for 7 years), the Legislative Branch is controlled by the Democrats (for only a year), and oh yeah, it’s an election year.  You would expect the Congress-owned GAO to sing songs of woe and the President-controlled OMB to sing songs of praise.</p></blockquote>
<p>Even if rybolov is correct and there is an element of politics in government operations, the perceived risk has grown large enough that all sides see the wisdom of taking action.  As the old expression goes, it has come time for the government to <a href="http://idioms.thefreedictionary.com/put+up+or+shut+up">put up or shut up</a>.  The government has responded by &#8220;putting up&#8221; in terms of money.  <a href="http://www.washingtontechnology.com/cgi-bin/udt/im.author.contact.view?client.id=washingtontechnology_daily&#038;story.id=32190&#038;pg=1">Jason Miller</a>, of Washington Technology, reports in his article &#8220;<a href="http://www.washingtontechnology.com/online/1_1/32190-1.htm">&#8216;09 budget request has IT spending on the rise</a>&#8221; that in the White House’s request, agency IT spending would be $70.9 billion, up from a 2008 request of $66.4 billion.  That would be a <strong>6.3 percent increase</strong>.  Congress appropriated $68 billion for 2008, which makes for a <strong>3.8 percent change</strong> when comparing actual to requested dollars.  IT security is a major piece of the proposed spending increases for agencies.  Information security requests have <strong>increased 73 percent</strong> since 2004. In the 2009 request, security accounts for <strong>10.3 percent</strong> of the overall $71 billion in funding.
</p>
<p>
How will the money be spent?  There are no easy answers.  Still, it is good that Senator Tom Coburn, Karen Evans, Gregory C. Wilshusen, and others are debating how the government should do its business, while agreeing the business of security must be done.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.securitymonks.com/2008/03/17/fisma-paperwork-or-actual-security/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>The Trusted Internet Connections (TIC) Initiative?</title>
		<link>http://blog.securitymonks.com/2007/11/27/the-trusted-internet-connections-tic-initiative/</link>
		<comments>http://blog.securitymonks.com/2007/11/27/the-trusted-internet-connections-tic-initiative/#comments</comments>
		<pubDate>Tue, 27 Nov 2007 23:34:57 +0000</pubDate>
		<dc:creator>John Gerber</dc:creator>
				<category><![CDATA[NSF]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[OMB]]></category>
		<category><![CDATA[Policies]]></category>

		<guid isPermaLink="false">http://blog.securitymonks.com/2007/11/27/the-trusted-internet-connections-tic-initiative/</guid>
		<description><![CDATA[&#8220;The very concept of information security has undergone a massive refinement over the last decade. Once confined to methods for keeping potentially harmful users out, security is currently much more focused on enabling users to extract value from computing infrastructure—that is, security is concerned with letting the right people access the right information and services [...]]]></description>
			<content:encoded><![CDATA[<p>&#8220;<em>The very concept of information security has undergone a massive refinement over the last decade. Once confined to methods for keeping potentially harmful users out, security is currently much more focused on enabling users to extract value from computing infrastructure—that is, security is concerned with letting the right people access the right information and services in a trusted environment. Security features in IT systems are, in a sense, like brakes on automobiles. Although brakes are used to slow or stop vehicles, their real purpose is to enable drivers to go faster by enabling them to avoid accidents caused by external threats (such as mechanical failure in other vehicles, rude or reckless drivers, road hazards, stop signals and heavy traffic). Better security is an enabler for greater freedom and confidence in the cyber world.</em>&#8221; &#8212; <strong>Computing Research Association (CRA) Report</strong></p>
<p><img src="/images/macvpc-index.gif" align="left" />I do not normally do news summaries, but I was sent an interesting article concerning the Trusted Internet Connections (TIC) initiative.  Curious, I started to pull up other news items and found that the <a href="http://www.whitehouse.gov/omb/">Office of Management and Budget (OMB)</a> has been very active lately.  First there is the <a href="http://www.whitehouse.gov/omb/memoranda/index.html">OMB memo</a> from <a href="http://www.whitehouse.gov/government/cjohnson-bio.html">Clay Johnson III</a>.  If you have not heard the name before, he <a href="http://archive.newsmax.com/archives/articles/2006/8/7/180125.shtml">is reported</a> to be one of President Bush&#8217;s closest friends.  His job is not an easy one.  He has been tasked with reforming the government in order to make it more effective and efficient. The bottom line is that his words, and memos, are to be taken very seriously.  With folks in government, it is wise to read exactly what is stated.  With that in mind, here is the complete memo:</p>
<blockquote><p>M-08-05<br />
MEMORANDUM FOR THE HEADS OF EXECUTIVE DEPARTMENTS AND AGENCIES<br />
FROM: Clay Johnson III<br />
SUBJECT: Implementation of Trusted Internet Connections (TIC)</p>
<p>I am announcing the Trusted Internet Connections (TIC) initiative to optimize our individual network services into a common solution for the federal government. This common solution facilitates the reduction of our external connections, including our Internet points of presence, to a target of fifty.</p>
<p>Additionally, the role of the US-CERT will be enhanced to improve our response capabilities. Each agency will be required to develop a comprehensive plan of action and milestones (POA&amp;M) with a target completion date of June 2008. Initial agency POA&amp;Ms must be sent to the Department of Homeland Security’s (DHS’s) National Cyber Security Division (NCSD) by January 8, 2008, for review and agreement with OMB, DHS, and the agency.</p>
<p>To discuss this initiative further, we are planning a government-wide meeting on Friday, November 30, 2007. I have asked Karen Evans, Administrator of the Office of Electronic Government and Information Technology and Robert Jamison, Deputy Under Secretary for National Protection &amp; Programs Directorate, DHS, to ensure adequate collaboration among the various interested parties such as the Chief Information Officers and Chief Acquisition Officers.</p>
<p>Karen will be sending out the details for the government-wide meeting, including the agenda, to your Chief Information Officers and I will be inviting the President’s Management Council to attend the meeting as well.</p>
<p>With the work completed to date in the Lines of Business (LOB) initiatives for Information Systems Security and IT Infrastructure, the General Services Administration (GSA) award of the NETWORX contract for telecommunications service, and your current initiative to implement the secure desktop configurations (i.e. Federal Desktop Core Configuration – FDCC), we are presented with a unique opportunity to optimize our network delivery capabilities. I ask for you to devote people from your agency to work on the development and implementation of TIC throughout the federal government.</p>
<p>Information assurance and cyber security are important priorities and a responsibility shared by all officials. If you have any questions, please contact Karen Evans at 202-395-1181.</p></blockquote>
<p>The Federal Computer Week (FCW) site is reporting an interesting move on OMB&#8217;s part in an article titled &#8220;<a href="http://www.fcw.com/online/news/150886-1.html">OMB to Limit Number of Internet Connections for Agencies</a>&#8221; by Jason Miller.  Normally I do not copy complete articles, but this article has major implications, so please bear with me:</p>
<blockquote><p>The Office of Management and Budget wants to reduce the number of Internet connections across government to 50 by June.  Under a new Trusted Internet Connections initiative, which OMB will kick off with a government wide meeting Nov. 30, agencies will have to develop a plan of action and milestones by Jan. 8 on how they will reduce the number of Internet connections.</p>
<p>Clay Johnson, OMB’s deputy director for management, announced the new program Nov. 20 in a memo to agency leaders. He wrote that the Trusted Internet Connections initiative will “optimize our individual network services into a common solution for the federal government.”</p>
<p>Johnson said with the progress made under the Security Line of Business initiative, the General Services Administration’s award of the Networx telecommunications contract and the Federal Desktop Core Configuration implementation project, agencies have a unique opportunity to improve their network delivery capabilities.</p>
<p>The memo also will require agencies to use the Homeland Security Department’s U.S. Computer Emergency Response Team Einstein program to improve their response capabilities. The White House requested an additional $115 million Nov. 6 to expand the Einstein program under the DHS fiscal 2007 appropriations bill.</p>
<p>“This is an essential step because the Federal Information Security Management Act-based defenses have failed to stop the attackers from getting inside agencies,” said Alan Paller, director of research at the SANS Institute. “Once they are inside, only very sophisticated monitoring can hope to find the infections.”</p>
<p>Warren Suss, president at Suss Consulting, said he is not sure if the new initiative is what agencies need right now. “OMB must be careful with the new initiative to avoid layering yet one more mandate on agencies who are working hard to address a very real security threat,” Suss said. “Centralization is not necessarily the answer because agencies have needs for redundancy for the Internet and can have unique requirements. To limit the number of Internet connections to a target of 50 could be an overreaction to the cybersecurity problem and it has potential to create more problems than it solves.”</p>
<p>He added that agencies have network design and architecture challenges that could be limited under this program.</p>
<p>Agencies already are trying to meet the June deadline to implement IPv6 on their networks’ backbone. OMB officials also have touted IPv6 as a way to improve agencies&#8217; defenses against cyberattacks.</p>
<p>“Agencies at some point need to take responsibility for security and the management of their technology,” Suss said. “There are very serious threats out there and I don’t mean to minimize them, but forcing yet another constraint on the solution may do more harm than good.&#8221;</p></blockquote>
<p>On November 13th, Exec. Order 13450, &#8220;<a href="http://www.whitehouse.gov/news/releases/2007/11/20071113-9.html">Improving Government Program Performance</a>,&#8221; was signed.  The order requires federal agency heads to set clear annual goals, devise specific plans for achieving those goals, and designate performance improvement officers (PIOs) to assess progress, use performance data in budget requests, and set up Web sites that describe &#8220;<em>the successes, shortfalls and challenges of each program</em>&#8221; and efforts to improve them.  The order directs agencies to appoint a PIO who will coordinate &#8220;<em>sufficiently aggressive</em>&#8221; goals and plans for programs.  It also requires that PIOs be members of the Senior Executive Service or an equivalent service.  It requires the creation of a Performance Improvement Council (PIC) consisting exclusively of the OMB Deputy Director for Management (Clay Johnson III), serving as Chair, and:</p>
<ul>
<li>such agency Performance Improvement Officers, as determined by the Chair; and</li>
<li>such other full-time or permanent part-time employees of an agency, as determined by the Chair with the concurrence of the head of the agency concerned.</li>
</ul>
<p><a href="http://ksghome.harvard.edu/%7EBBehn/FullBio.html">Robert D. Behn</a>, a performance-management expert who teaches at Harvard&#8217;s <a href="http://www.washingtonpost.com/ac2/related/topic/John+F.+Kennedy+School+of+Government?tid=informline">Kennedy School of Government</a>, points out &#8220;<em>You never know from an executive order. They can do something or not do something. Who knows?</em>&#8221;  For additional analysis, <a href="http://www.washingtonpost.com/wp-srv/liveonline/politics/federaldiary.htm">Stephen Barr</a>, columnist for the Washington Post wrote a very interesting article titled &#8220;<a href="http://www.washingtonpost.com/wp-dyn/content/article/2007/11/14/AR2007111402274.html">From Bush, an Order for Agencies to Track Progress</a>.&#8221;</p>
<p>To emphasize these numbers: the Bush administration is seeking <strong>$154 million</strong> in new cyber security spending as part of the <strong>$436 million</strong> package to increase the Homeland Security and Justice departments&#8217; new cybersecurity and counterterrorism programs.  Additional numbers from the <a href="http://www.whitehouse.gov/omb/budget/fy2008/homeland.html">President&#8217;s 2008 DHS budget</a> are available off the OMB site, though the document lacks any real details.  Jonah Czerwinski over on Homeland Security Watch filed the report &#8220;<a href="http://www.hlswatch.com/category/cybersecurity">New White House Cybersecurity Initiative Underway</a>.&#8221;  <a href="http://www.hlswatch.com/about">Homeland Security Watch</a> is an interesting site featuring &#8220;<em>breaking news, rigorous analysis, and informed commentary on the critical issues in homeland security today</em>.&#8221;  I have mentioned the site before in my posting &#8220;<a href="http://blog.securitymonks.com/2007/10/20/security-data-visualization/">Security Data Visualization</a>&#8221; while discussing &#8220;<a href="http://www.hlswatch.com/sitedocs/nshs-2007.pdf">The National Strategy for Homeland Security</a>.&#8221;</p>
<p>The administration has also asked for <strong>$115 million</strong> to enhance DHS’ ability to deploy the Einstein program through the U.S.  Computer Emergency Readiness Team.  In case you are unaware of the Einstein program, Federal Computing Weekly <a href="http://www.fcw.com/online/news/150721-1.html?topic=funding">provides a description</a>:</p>
<blockquote><p>Einstein monitors about 13 participating agencies’ network gateways for traffic patterns that indicate the presence of computer worms or other unwanted traffic.  By collecting traffic information summaries at agency gateways, Einstein gives US-CERT analysts and participating agencies a big-picture view of bad activity on federal networks.</p></blockquote>
<p>Alan Paller, Director of Research for the SANS Institute, is quoted as saying, &#8220;<em>They know monitoring works and they want more monitoring. The money will be used to get out more monitoring more quickly and do more analysis of the data. That is useful and necessary because what they discovered is the federal perimeter is broken. One of few ways to find bad guys in [the] perimeter is a more intent analysis of traffic coming out of the computers.</em>&#8221;</p>
<p>To put these numbers in perspective, the <a href="http://www.aaas.org/">American Association for the Advancement of Science (AAAS)</a> provides some <a href="http://www.aaas.org/spp/rd/prev07p.htm">interesting budget numbers</a>.  As of FY 2007, the overall federal investment in research and development (R&amp;D) was nearly <strong>$137 billion</strong>.  The funding actually appropriated to federal IT R&amp;D is <strong>$3.0 billion</strong>.  That funding is controlled through a multi-agency enterprise called the <a href="http://www.nitrd.gov/">Networking and Information Technology Research and Development (NITRD)</a> program, which is coordinated by the <a href="http://www.iawg.gov/">Interagency Working Group (IWG)</a> on Information Technology Research and Development of the <a href="http://www.ostp.gov/nstc/">National Science and Technology Council (NSTC)</a>.  NITRD is the successor of the <a href="http://en.wikipedia.org/wiki/High_Performance_Computing_and_Communication_Act_of_1991">High Performance Computing and Communications Program</a> established in 1991.  The NITRD program would increase 0.4 percent under the President’s FY 2008 request.</p>
<p>NITRD agencies coordinate research in eight Program Component Areas (PCAs):</p>
<ul>
<li>High End Computing Infrastructure and Applications</li>
<li>High End Computing Research and Development</li>
<li>Human Computer Interaction and Information Management</li>
<li>Large Scale Networking</li>
<li>High Confidence Software and Systems</li>
<li>Social, Economic, and Workforce Implications of IT</li>
<li>Software Design and Productivity</li>
<li>Cyber Security and Information Assurance.</li>
</ul>
<p>The <a href="http://www.nitrd.gov/pubs/2008supplement/08-Supp-Web/TOC%20Pages/08supp-Budget.pdf">2008 budget broken down by PCA</a> is available off the NITRD site.  <a href="http://www.nsf.gov/">The National Science Foundation (NSF)</a> is the lead agency in NITRD.   The NSF and the <a href="http://www.nsa.gov/">National Security Agency (NSA)</a> are the only agencies that are looking at significant increases to their computing research efforts under the President’s 2008 plan.</p>
<p>Since the NSF is the lead agency, it is important to try to understand the agency&#8217;s vision for cyber security.  In November 2003, the <a href="http://www.cra.org/">Computing Research Association (CRA)</a> convened an invitation-only workshop on the &#8220;Grand Challenges&#8221; in digital security that the National Science Foundation should concentrate a decade of funding on.  <a href="http://www.cra.org/reports/trustworthy.computing.pdf">The results</a> were four grand challenges:</p>
<ul>
<li>No further large scale epidemics</li>
<li>Enable Trusted Systems for Important Societal Applications</li>
<li>Develop Accurate Risk Analysis for Cybersecurity</li>
<li>Secure the Ubiquitous Computing Environments of the Future</li>
</ul>
<p>While 2003 might be ages ago in computing time, the four grand challenges are at work today.  Back in September, Siobhan Gorman from the Baltimore Sun reported in the article &#8220;<a href="http://www.baltimoresun.com/news/nation/bal-te.nsa20sep20,0,7906814.story">NSA to defend against hackers</a>&#8221; that the NSA would be &#8220;<em>helping protect government and private communications networks from cyberattacks and infiltration by terrorists and hackers.</em>&#8221;  The article went on to state:</p>
<blockquote><p>The plan calls for the NSA to work with the Department of Homeland Security and other federal agencies to monitor such networks to prevent unauthorized intrusion, according to those with knowledge of what is known internally as the “Cyber Initiative.” Details of the project are highly classified.</p></blockquote>
<p>The NSA appears to be working towards the &#8220;<em>Secure the Ubiquitous Computing Environments of the Future</em>&#8221; challenge in relation to the network.  Concerning securing the systems, and the &#8220;<em>Enable Trusted Systems for Important Societal Applications</em>&#8221; challenge, OMB this week <a href="http://www.fcw.com/online/news/150875-1.html">told agencies</a> that use Microsoft Windows XP or Vista to begin using the government’s approved secure desktop configuration by February 2008.  OMB hinted that the Windows operating system was only the beginning of a more extensive program.  Once more quoting Alan Paller, &#8220;<em>Vendors who compete with Microsoft saw the White House announcement as a threat.  OMB was not standardizing on Microsoft and said they would talk to others to ensure their products are secure, too.</em>&#8221; Paller said that once NSA gives its blessing to a vendor’s product, it would make sense for non-Defense Department and intelligence agencies to follow NSA’s lead.  Exec. Order 13450 appears to be moving towards addressing the challenge to &#8220;<em>Develop Accurate Risk Analysis for Cybersecurity</em>.&#8221;</p>
<p>Michael Posner from the GovernmentExecutive.com site, in an article titled &#8220;<a href="http://www.govexec.com/story_page.cfm?articleid=38667&amp;dcn=todaysnews">America already is in a cyber war, analyst says</a>,&#8221; states that &#8220;<em>currently there are 1,300 avenues in all federal agencies for possible cyber terrorists.</em>&#8221;  The Trusted Internet Connections initiative plans to reduce the number of &#8220;trusted&#8221; Internet connections to below 50 across government.  The article quotes <a href="http://www.washingtonpost.com/wp-dyn/content/article/2005/10/30/AR2005103000955.html">Andrew Palowitch</a>, a former CIA official, during a talk at Georgetown University&#8217;s Center for Peace and Security Studies, as saying that the United States is in the midst of an active cyber war and is now implementing <strong>still-secret security</strong> plans for protection. Palowitch might be referring to the &#8220;<a href="http://www.af.mil/library/speeches/speech.asp?id=283">2006 National Military Strategy for Cyberspace Operations</a>,&#8221; a classified document that is reported to be the blueprint for the military, defining both defensive and offensive measures.  Maybe in that document I could finally find out what &#8220;<em>1,300 avenues in all federal agencies for possible cyber terrorists</em>&#8221; and &#8220;<em>reducing below 50 the trusted Internet connections</em>&#8221; are supposed to mean.</p>
<p>To help us understand the reduction of trusted Internet connections, Karen Evans, OMB&#8217;s administrator for e-government and information technology, explains, &#8220;<em>The reduction of access points to trusted Internet connections will improve our situational awareness and allow us to address potential threats in an expedited and efficient manner.  While we optimize and improve our security, it is also our goal to minimize overall operating costs for services through economies of scale.</em>&#8221;  A follow-up post in FWC by Jason Miller titled &#8220;<a href="http://www.fcw.com/online/news/150964-1.html">OMB directs agencies to close off most Internet links</a>&#8221; cites Roger Baker, former chief information officer at the Commerce Department and now chief executive officer at Dataline, as pointing out that having a limited number of Internet connections will mean that agencies must become shared-service providers for field offices outside of headquarters, which will add an unwanted level of complexity.  &#8220;<em>It will be hard for agencies to agree on a standard security policy for connections</em>,&#8221; Baker said. &#8220;<em>What they need to do is set that security policy across government and then audit every organization to ensure they are abiding by it</em>.&#8221;  Baker added that the key to solving many federal IT security challenges will depend on how well agencies have <a href="http://www.thefreedictionary.com/architected">architected</a> their Internet connections.  Several letters to the FWC editor, to <a href="http://www.fcw.com/blogs/forum/150988-1.html">quote FWC</a>, &#8220;<em>warned about unintended consequences of OMB&#8217;s initiative. Both teleworkers (&#8216;<a href="http://www.fcw.com/blogs/Letters/150974-1.html">Closing Internet links will lead to more unauthorized telecommuting</a>&#8217;) and satellite offices (&#8216;<a href="http://www.fcw.com/blogs/Letters/150973-1.html">Closing Internet links will hurt satellite offices</a>&#8217;) would suffer, several readers said. Another suggested that the policy could hamstring some research and development efforts (&#8216;<a href="http://www.fcw.com/blogs/Letters/150970-1.html">Closing off Internet links will hurt R&#038;D</a>&#8217;).</em>&#8221;</p>
<p>In September, as part of an expanding mission to prepare for war in cyberspace, the US Air Force <a href="http://www.spacewar.com/reports/US_Air_Force_sets_up_Cyber_Command_999.html">established a provisional Cyber Command</a>. According to <a href="http://www.af.mil/bios/bio.asp?bioID=7866">Major General Charles Ickes</a>, it is expected that the provisional command will, within a year, create the full Air Force Cyber Command, with the mission to &#8220;<em>train and equip forces to conduct sustained global operations in and through cyberspace, fully integrated with air and space operations</em>.&#8221;  Air Force officials report as many as 40,000 Air Force personnel are assigned to cyber tasks.  It is reported that those officials envision an emerging breed of warrior who fights with a computer and keyboard.  <a href="http://www.af.mil/bios/bio.asp?bioID=8507">Dr. Lani Kass</a>, special assistant to <a href="http://www.af.mil/bios/bio.asp?bioID=6545">Gen. T. Michael Moseley</a>, Air Force chief of staff, told a recent seminar that this new breed of warrior is expected to be as formidable as soldiers with guns.  She goes on to say, in relation to developing an offensive cyber capacity, that the Air Force needs “<a href="http://www.upi.com/International_Security/Emerging_Threats/Briefing/2007/09/27/us_in_cyberwar_late_to_the_game/9853/">not a bunch of geeks</a>, I want a bunch of trained killers who understand that non-kinetic does not mean non-lethal.”  While she has a point, I cannot let that statement go without comment.  I would recommend Dr. Lani Kass read Rob Goffee and Gareth Jones&#8217; article titled &#8220;<a href="http://harvardbusinessonline.hbsp.harvard.edu/b01/en/common/viewFileNavBean.jhtml?_requestid=54299">Leading Clever People</a>.&#8221;  Better yet, read my posting on managing clever people, titled &#8220;<a href="http://blog.securitymonks.com/2007/03/04/herding-cats/">Herding Cats</a>.&#8221;  It contains many good sources that can help the Air Force effectively manage the Cyber Command personnel.  Otherwise, I fear the Air Force will always be reliant on purchasing, and not developing, solutions from geeks who do not carry guns.</p>
<p>Possibly adding to the political need for action is the <a href="http://www.uscc.gov/">US-China Economic and Security Review Commission</a> report, which was released last week.  The report addressed the &#8220;<em>scope of China&#8217;s military buildup and the extent to which it is aimed at defeating the U.S. in any conflict over Taiwan</em>.&#8221;  The report states, &#8220;<em>China has developed capability to wage cyber-warfare and to destroy surveillance satellites overhead as part of its tactical, asymmetrical warfare arsenal.</em>&#8221;  <a href="http://www.usmc.mil/genbios2.nsf/0/A12F0CE8687DFFD585256803004C023D?opendocument">Gen. James Cartwright</a>, commander of the <a href="http://www.stratcom.mil/">U.S. Strategic Command</a>, told the commission, &#8220;<em>I think that we should start to consider that regret factors associated with a cyber-attack could, in fact, be in the magnitude of a weapon of mass destruction</em>.&#8221; The general was referring to the psychological aftereffects of a disruption of services.  China has denounced the charges and characterized the &#8220;wild accusations&#8221; as smacking of a bygone era.  Wang Wenfeng from the ChinaDaily addresses the report in the article &#8220;<a href="http://www.chinadaily.com.cn/opinion/2007-11/28/content_6284145.htm">Commission&#8217;s report full of inaccuracies</a>.&#8221;  On the heels of the report, the <a href="http://business.timesonline.co.uk/tol/business/industry_sectors/technology/article2980250.ece">Times of London reported</a> that <a href="http://news.bbc.co.uk/1/hi/magazine/6625807.stm">Jonathan Evans</a>, the director-general of MI5, has <a href="http://www.guardian.co.uk/uklatest/story/0,,-7118048,00.html">sent out a confidential letter</a> to 300 executives and security chiefs at banks, accountants and legal firms this week warning them that they were under attack from &#8220;Chinese state organisations.&#8221;  Alan Paller called the MI5 warning &#8220;<em>the most vibrant example of how the British are doing a better job of cybersecurity leadership. You cannot ask people to act unless they understand the problem. The British have consistently been willing to speak the truth</em>.&#8221;  In contrast, Paller said the United States has relied on a failed paperwork policy built around the Federal Information Security Management Act and &#8220;vapid guidance&#8221; from the National Institute of Standards and Technology.  <a href="http://www.schneier.com/blog/">Bruce Schneier</a>, a security consultant with BT Counterpane, said he found it significant that both Evans and Cartwright decided to identify China as a serious cyber threat.  Despite <a href="http://www.govexec.com/story_page.cfm?filepath=/dailyfed/1007/102407mm.htm">reports of Chinese attacks</a> this fall against government and military networks in the United States and U.K. as well as Australia, Germany and New Zealand, top leaders in those countries had not publicly identified China as the culprit until now.  Chinese Foreign Ministry spokesman Qin Gang denied the report, saying China opposed computer hacking and that it was cooperating with British authorities.  He also accused the British media of spreading inaccurate information.  The Pittsburgh Tribune, in the article &#8220;<a href="http://www.pittsburghlive.com/x/pittsburghtrib/opinion/columnists/datelinedc/s_539659.html">Confronting Confucius</a>,&#8221; points out that &#8220;<em>the same day the commission&#8217;s study was published, another was released by two respected Wall Street companies. It showed in detail how half the venture funding for Chinese business and consumer services came from America, particularly seed capital for the critical information services and technology industries.</em>&#8221;</p>
<p>Antivirus software company McAfee stated in its annual <a href="http://www.mcafee.com/us/research/criminology_report/default.html">Virtual Criminology Report</a>, released at the end of November, that 120 nations worldwide have started to develop cyberattack commands, with China well ahead of the others.  Bob Brewin of GovernmentExecutive.com, in his article &#8220;<a href="http://www.govexec.com/story_page.cfm?articleid=38734&#038;dcn=todaysnews">U.S., British officials target Chinese as source of cyberattacks</a>,&#8221; states the McAfee report also &#8220;<em>fingers the Chinese government as the source of widespread cyberattacks. James Mulvenon, director of the Center for Intelligence Research and Analysis at the Defense Group Inc. in Washington, told McAfee that &#8216;the Chinese were the first to use cyberattacks for political and military goals&#8230;. Whether it is as battlefield preparation or hacking networks used by the German chancellor, they are the first state actor to jump feet first into 21st century cyberwarfare technology. This is becoming a more serious and open problem</em>.&#8217;&#8221;  The report goes on to state that China is not alone in its military exploitation of cyberspace. Peter Sommer, a computer security expert at the London School of Economics, said there are signs that intelligence agencies around the world are constantly probing government networks for signs of weakness, and countries he did not identify &#8220;<em>are gearing themselves up to launch all-out online attacks</em>.&#8221;  The McAfee report predicted that over the next few years, governments will pursue &#8220;punitive action&#8221; against cyberattackers and &#8220;will &#8230; go after them, regardless of their location.&#8221;</p>
<p>Rightly or wrongly, the mood in Washington appears to be to do something.  No matter what the motive, efforts to implement some form of the four grand challenges in trustworthy computing on a national level may be under way. This would result in some major changes in how government agencies do business. Personally, I look forward to additional details and explanations on the Trusted Internet Connections initiative.  In the end, I have to agree with Robert Behn, when he said, &#8220;<em>They can do something or not do something. Who knows?</em>&#8221;</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.securitymonks.com/2007/11/27/the-trusted-internet-connections-tic-initiative/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Security Policies</title>
		<link>http://blog.securitymonks.com/2007/06/02/security-policies/</link>
		<comments>http://blog.securitymonks.com/2007/06/02/security-policies/#comments</comments>
		<pubDate>Sat, 02 Jun 2007 21:11:21 +0000</pubDate>
		<dc:creator>John Gerber</dc:creator>
				<category><![CDATA[COBIT]]></category>
		<category><![CDATA[ISACA]]></category>
		<category><![CDATA[NIST]]></category>
		<category><![CDATA[OCEG]]></category>
		<category><![CDATA[OWASP]]></category>
		<category><![CDATA[Policies]]></category>

		<guid isPermaLink="false">http://blog.securitymonks.com/?p=36</guid>
		<description><![CDATA[&#8220;It will not do to leave a live dragon out of your plans if you live near one.&#8221;
&#8211; The Hobbit, J. R. R. Tolkien


Way back, before blogs existed, when there was only the cartoon version of The Hobbit, J. R. R. Tolkien was teaching children of my generation how to write good security plans. Many [...]]]></description>
			<content:encoded><![CDATA[<p>&#8220;<a href="http://www.wisdomquotes.com/001217.html"><em>It will not do to leave a live dragon out of your plans if you live near one.</em></a>&#8221;<br />
&#8211; <strong><em>The Hobbit</em>, J. R. R. Tolkien</strong></p>
<p><a href="http://jek2004.com/FANTASY.HTM"><img src="/images/dragonandchicks.jpg" align="left" width="20%" alt="Dragon" /></a></p>
<p>Way back, before blogs existed, when there was only the cartoon version of <em>The Hobbit</em>, J. R. R. Tolkien was teaching children of my generation how to write good security plans. Many resources are available, to the point where it can be a bit overwhelming.  What gets included in a security plan will depend on your organization.  Fortunately, most organizations provide guidelines.  Security policies will differ depending on the business of the organization.  Different laws will be applicable depending on many considerations, such as whether the organization deals with government, medical, business, the European Union, Germany, etc.</p>
<p>
There is no &#8220;one plan fits all.&#8221;  Just as in life, everything depends.  Having provided myself that disclaimer, I wanted to provide a few sites/documents that I find useful.
</p>
<h3><a href="http://www.isaca.org/cobitsecuritybaseline">COBIT Security Baseline</a></h3>
<p>
This is a document put out by the <a href="http://www.isaca.org">Information Systems Audit and Control Association</a> (ISACA).  There will be a revised version coming out in July which will update the baseline to COBIT 4.1.  The structure will otherwise remain the same.  Here is a basic description:</p>
<blockquote><p>COBIT Security Baseline is based on Control Objectives for Information and related Technology (COBIT), issued by the IT Governance Institute and now in its third edition. COBIT is a comprehensive set of resources that contains the information organizations need to adopt an IT governance and control framework. COBIT covers security in addition to other risks that can occur with the use of IT. This publication helps an organization focus on the essential steps to take by extracting the most important security-related objectives from the COBIT framework. It then presents key control objectives and suggested minimum control steps for each, cross-referenced to the COBIT processes and detailed COBIT control objectives. A mapping to related control objectives in ISO 17799 is included as well.</p></blockquote>
<p>Normally, I deal with open source software and documents.  In this case, registration is required. Anyone can buy the book, but if you become a member you can get access to this and many other books for free.  </p>
<h3><a href="http://csrc.nist.gov/publications/nistpubs/index.html">NIST SP Guides</a></h3>
<p>
NIST documents reference each other.  A good overview of how everything fits together is found in the <a href="http://csrc.nist.gov/publications/CSD_DocsGuide.pdf">Guide to NIST Information Documents</a>.  In relation to security policies, the following documents are particularly helpful:</p>
<ul>
<li><a href="http://csrc.nist.gov/publications/nistpubs/800-100/SP800-100-Mar07-2007.pdf">800-100: Information Security Handbook: A Guide for Managers</a>.  To quote the document, &#8220;This Information Security Handbook provides a broad overview of information security program elements to assist managers in understanding how to establish and implement an information security program.&#8221;  This document helps define what elements should be part of the security program.</li>
<li><a href="http://csrc.nist.gov/publications/drafts/SP800-53A-spd.pdf">800-53A:  Recommended Security Controls for Federal Information Systems</a>.  To quote the document, &#8220;The purpose of this publication is to provide guidelines for assessing the effectiveness of security controls employed in information systems supporting the executive agencies of the federal government.&#8221;  This document helps evaluate the controls that are in place.</li>
<li><a href="http://csrc.nist.gov/publications/nistpubs/800-12/handbook.pdf">800-12:  An Introduction to Computer Security: The NIST Handbook</a>.  This document is a little older.  To quote the document, it &#8220;provides assistance in securing computer-based resources (including hardware, software, and information) by explaining important concepts, cost considerations, and interrelationships of security controls. It illustrates the benefits of security controls, the major techniques or approaches for each control, and important related considerations.&#8221;  This document is good to review in order to make sure everyone is on the same page in terms of concepts and terminology.</li>
<li><a href="http://csrc.nist.gov/publications/nistpubs/800-14/800-14.pdf">800-14:  Generally Accepted Principles and Practices for Securing Information Technology Systems</a>.  This document is more of a reference document.  Like NIST SP 800-12, it is a foundation document meant to make sure concepts and elements of security are understood.</li>
</ul>
<p>Other NIST documents will be applicable depending on what technologies are used within your organization.
</p>
<h3><a href="http://www.sans.org/resources/policies/">The SANS Security Policy Project</a></h3>
<p>This SANS security project site contains a lot of information, including primers and templates, to help one with security policies.  To quote SANS, &#8220;The ultimate goal of the project is to offer everything you need for rapid development and implementation of information security policies.&#8221;
</p>
<h3><a href="http://www.isfsecuritystandard.com/index_ns.htm">The Information Security Forum&#8217;s (ISF&#8217;s) Standard of Good Practice</a></h3>
<p>You do have to register, but it is free.  ISF describes the document as addressing &#8220;information security from a business perspective, providing a practical basis for assessing an organization’s information security arrangements. It focuses on the arrangements that should be made by leading organizations to keep the business risks associated with critical information systems under control in today’s dynamic and competitive environment.&#8221;
</p>
<h3><a href="http://www.oceg.org/">Open Compliance &#038; Ethics Group (OCEG)</a></h3>
<p>OCEG is a great organization, focusing on &#8220;integrating governance, risk management, compliance and culture.&#8221;  They have collaborated with <a href="http://www.complianceweek.com">Compliance Week</a> to produce the <a href="http://www.oceg.org/GRCIllustrated.aspx">GRC Illustrated Series</a>.  OCEG produces the <a href="http://www.oceg.org/view/Foundation">Foundation &#8220;Red book&#8221;</a>.  To quote OCEG, it &#8220;provides guidance about the core processes and capability to enhance culture and address governance, risk management and compliance requirements.  It incorporates the common practices that stand behind some of the most robust programs in the world.&#8221;
</p>
<h3><a href="http://csrc.nist.gov/fasp/">Federal Agency Security Practices (FASP) Site</a></h3>
<p>The FASP site contains agency policies, procedures and practices; the CIO pilot Best Security Practices (BSPs); and a Frequently Asked Questions (FAQ) section.  Two documents there are of particular interest:</p>
<ul>
<li><a href="http://csrc.nist.gov/fasp/FASPDocs/policy-and-procedure/InfoSec-Policies.pdf">Sample Security Policies and Procedure document</a></li>
<li><a href="http://csrc.nist.gov/fasp/FASPDocs/program-mgmt/ISSP-HANDBOOK-041022.pdf">Sample Information Systems Security Program (ISSP) Handbook</a></li>
</ul>
<h3><a href="http://www.dir.state.tx.us/security/policies/index.htm">State of Texas Department of Information Resources</a></h3>
<p>This site provides policies, standards and guidelines, along with example documents for each.  Of particular interest is the <a href="http://www.dir.state.tx.us/security/policies/templates.htm">security policy template overview</a>.
</p>
<h3><a href="http://www.owasp.org">The Open Web Application Security Project (OWASP)</a></h3>
<p>OWASP can provide information on application security.  They have been developing a guide, whose latest version unfortunately is not available to the public.  You can still view version 3&#8217;s <a href="http://www.owasp.org/index.php/Guide_Table_of_Contents">table of contents</a>.  The public can download <a href="http://prdownloads.sourceforge.net/owasp/OWASPGuide2.0.1.pdf?download">version 2.0.1 of the guide</a>.
</p>
<h3><a href="http://www.isecom.org/">Institute for Security and Open Methodologies (ISECOM)</a></h3>
<p>ISECOM is an open, collaborative security research community that produces the Open Source Security Testing Methodology Manual (OSSTMM).  The document is a peer-reviewed methodology for performing security tests and producing security metrics.  ISECOM is about to release version 3 of OSSTMM.  Currently, version 3 is available only to gold or silver members.  <a href="http://www.isecom.org/osstmm/">Version 2</a> is available to the public.
</p>
<h3><a href="http://www.infosyssec.org/infosyssec/security/secpol1.htm">The Security Portal for Information System Security Professionals</a></h3>
<p>This site contains a large number of links covering all topics in information security.  It is useful for filling in gaps.
</p>
<h3>Samples</h3>
<p>There are plenty of samples, but these two looked interesting.</p>
<ol>
<li><a href="http://www.ucop.edu/ucophome/policies/bfb/is3.pdf">Business and Financial Bulletin IS-3: Electronic Information Security</a></li>
<li><a href="http://www.auckland.ac.nz/security/PoliciesandStatutes.htm">The University of Auckland, New Zealand</a></li>
</ol>
<h3>Final Remarks</h3>
<p>The problem is not a lack of information on how to do things; it is how to organize that information.  I tend to favor NIST publications because there are plenty of supporting NIST documents being actively developed.  When you come down to it, the most important thing is to follow any guidelines or directives your organization may have.  Your security policies will be reviewed by auditors.  Understand what the auditors will be expecting so you can provide the information in a clear and concise manner.  Finally, make sure your policies deal with the dragons in your kingdom.  Wise words from a wise man.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.securitymonks.com/2007/06/02/security-policies/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

