Miller goes on to report that OMB will require “agencies launch a series of cloud computing pilots across the government in 2010 using the E-Government Fund.” In 2013, Miller reports, agencies must provide OMB “a complete alternatives analysis for mixed life cycle projects where agencies are spending new money-known as development, modernization and enhancement-and steady state or operations and maintenance funding for how they could move to cloud computing.”

Miller quotes a former government official as saying, “They are not saying use it, but are pushing us to look at it and do an analysis of alternatives and make a decision based on our business needs. They are pushing us to look at it, yet giving us the ability to decide whether it makes sense.”

How well does your organization understand cloud computing? How will security be handled? What can you do to prepare? During this time of tight budgets, maybe you do not have the funds and/or time to attend conferences and training events. Fortunately, presentations are being posted regularly to the web, allowing you to keep informed on technological challenges. For example, the ZISC Workshop on Security in Virtualized Environments and Cloud Computing, held September 10-11th in Zurich, recently posted all their presentations:

Following NIST’s involvement in an area like cloud computing can help you judge the direction the government is heading. Tim Grance presented at the 5th Annual IT Security Automation Conference and Expo Presentations and the presentations have been made available. Grance presented on the Security Content Automation Protocol (SCAP) (see my previous post “Standardization and Interoperability in Security” for additional information on SCAP). A cloud computing track consisting only of slides (no video) was also posted. If lack of video does not concern you, the following conferences have posted slides on cloud security:

• CCSW 2009: The ACM Cloud Computing Security Workshop, held November 13th, 2009 in Chicago.
• Digital Government Institute’s Cloud Computing 2010: Focus on Operational Efficiency and Security, held December 9, 2009.
• Cloud Interoperability Roadmaps Session held in Long Beach, CA on December 10, 2009.

If you prefer to listen and do not need to see slides, Tim Grance can be heard on Dana Gardner’s BriefingsDirect podcast, “Panel Discussion: Is Cloud Computing More or Less Secure than On-Premises IT?.” The discussion includes a panel of all stars from the cloud security community, including Glenn Brunette, distinguished engineer and chief security architect at Sun Microsystems and founding member of the Cloud Security Alliance (CSA); Doug Howard, chief strategy officer of Perimeter eSecurity and president of USA.NET; Christofer Hoff, technical adviser at CSA and director of Cloud and Virtualization Solutions at Cisco Systems; and Dr. Richard Reiner, CEO of Enomaly. The podcast was recorded at the Open Group’s 23rd Enterprise Architecture Practitioners Conference in Toronto on July 20-22, 1009, along with:

• Jericho Forum Aims to Guide Enterprises Through Risk Mitigation Landscape for Cloud Adoption where Dana interviews Steve Whitlock, a member of the Jericho Board of Management.
• Cloud and Security Join Boundaryless Information as Top-of-Mind Issues for The Open Group where Dana talked with Allen Brown, president and CEO of The Open Group.
• XDAS Standard Aims to Empower IT Audit Trails from Across Complex Events where Dana talks with Ian Dobson, director of the Security Forum for The Open Group, as well as Joël Winteregg, CEO and co-founder of NetGuardians. XDAS is an open-source standard that is hopefully going to help in compliance and regulatory issues and in the automation of heterogeneous environments.
• New Era Enterprise Architects Need Sweeping Skills to Straddle the IT-Business Alignment Chasm where Dana is joined by James de Raeve, vice president of certification at The Open Group; Len Fehskens, vice president, Skills and Capabilities at The Open Group; David Foote, CEO and co-founder, as well as chief research officer, at Foote Partners, and Jason Uppal, chief architect at QRS.
• Cloud Pushes Enterprise Architects’ Scope Beyond IT into Business Process Optimization Role where Dana is joined by Tim Westbrock, managing director of EAdirections; Sandy Kemsley, an independent IT analyst and architect; and John Gotze, international president for the Association of Enterprise Architects.

For more video presentations on the cloud security, awhile back I posted “CERT, CERIAS, the Academy, and Google Video: Training Online.” Two other sources include the SecurityTube and O’Reilly Webcasts. Below are a few examples of the presentations available:

• The Belgian Beer Lovers Guide to Cloud Security (Brucon 2009) Tutorial by Craig Balding at Brucon 2009: In this presentation Craig covers why talking about “cloud” is akin to walking into a Belgian bar and asking for “beer”; the common cloud architectures and their implications for you – the security dude; what the beer brewing Trappist Monks can teach us about cloud security; attacking clouds (aka getting free beer); and dealing with the hangover: cloud incident response & forensics.
• Evolution of Security (Fsecure) Tutorial by F-Secure: an animated series on the various threats out there on the Internet and also talks about their state of the art AV (self promotion) They also talk about “cloud security” and how the next generation AV will be in the cloud and not isolated.
• Cloud Security and Privacy by Tim Mather, Subra Kumaraswamy, Shahed Latif: discusses cloud computing’s SPI delivery model, and its impact on various aspects of enterprise information security (e.g., infrastructure, data, identity and access management, security management), privacy, and compliance. Security-as-a-Service and the impact of cloud computing on corporate IT is also discussed.
• Architecting Applications for the Cloud by Jorge Noa: This presentation analyzes aspects of the Amazon EC2 IaaS cloud environment that differ from a traditional data center and introduces general best practices for ensuring data privacy, storage persistence, and reliable DBMS backup.
• Cloud Computing: The Next Frontier for Open Source by Bernard Golden: discusses how the trends of open source and cloud computing reinforce one another, and why cloud computing is a significant driver of enterprise open source adoption.
• Getting Started with Amazon Web Services by Cloud Security Deep Dive by Subra Kumaraswamy, Shahed Latif, Tim Mather: will take a deep dive into cloud security issues and focus on three specific aspects: (1) data security; (2) identity management in the cloud, and; (3) governance in the cloud (in the context of managing a cloud service provider with respect to security obligations). Each of these three topics will be covered in a 30 minute segment that will include a presentation and Q&A with the audience.
• Cloudburst (Hacking 3D and Breaking Out of VMware) Blackhat 2009 by Kostya Kortchinsky: VMware products include implement a lot of functionality, and as such have a decent chance to include some bugs. CLOUDBURST is the combination of 3 of those found in the virtualized video device (more specifically the 3D code). Combined, these allow a user in a Guest to execute code on the Host. Since the virtualized device code is the same for all the branches of the products, this impacts Workstation, as well as Fusion or ESX. Immunity, Inc. will present the various vulnerabilities and the techniques used to exploit the bug reliably, even on platforms with ASLR or DEP such as Vista SP1. Once exploited, Immunity will demonstrate how to establish MOSDEF between the Host and Guest.
• Virtualization: Resource Coupling and Security across the Stack by Dennis Moreau, Configuresoft: The session briefly addressed extension to the cloud and utility computing infrastructures to address how to use configuration and behavioral information to address the increased complexity of security, compliance and risk assessment in virtualized environments.

Other BruCON Security Conference (held September 18-19, 2009) videos are available at their vimeo channel. O’Reilly maintains on YouTube an O’Reilly Media Channel along with an area to sign up for future webcasts. Blackhat DC 2009 video, audio, whitepapers, and slides are also available. Content is ever changing, so keep checking the sites.

Remember that Vivek Kundra, Chief Information Officer (CIO) of the United States of America, outlined as his team’s priorities:

1. Innovation
2. Lowering the cost of Government
3. Transparency
4. Engaging Citizens
5. Ensuring a safe computing environment

In response, FedScoop! started hosting one event each quarter around these pillars. On October 14 at the Newseum, they did their first event bringing together executives in the White House and federal CIO’s, CTO’s, and decision-makers to talk about lowering the cost of government with technology. Check out the video of the Cyber Security Panel. Since one of the topics was cloud computing, FedScoop! scheduled a follow-up event. On December 9th, 2009, they hosted and posted the “Cloud Computing Shoot Out.”

FederalNewsRadio has posted a three part video series on secure cloud computing. The panelists include Jim Flyzik, President of the Flyzik Group; Henry Sienkiewicz, Technical Program Director, Computer Services, Defense Information Systems Agency; Ronald Bechtold, Army Architecture Integration Center at Headquarters, Department of the Army, Chief Information Office/G6; Curt Aubley, Chief Technology Officer CTO Operations & Next Generation Solutions, Lockheed Martin Information Systems & Global Services; Dale Wickizer, Chief Technology Officer-Public Sector, NetApp, Inc.; and Aileen Black, Vice President of Public Sector VMware Inc.

CNET’s editor of Webware, Rafe Needleman and senir writer Stephen Shankland talked with Christofer Hoff on the Reporters’ Roundtable podcast about the “Dangers of Cloud Computing.” Chris also presented at Microsoft’s BlueHat, “Cloudifornication: Indiscriminate Information Intercourse Involving Internet Infrastructure.” Any presentation with such a great title must be watched. There is a short interview with Chris from Bluehat.

One of my favorite stories of Abraham Lincoln involved the McCormick-Manny case of 1855 where Lincoln was one of Manny’s lawyers. Lincoln basically was pushed aside and humiliated. After the trial, he told Ralph Emerson, a young lawyer who was present at the trial, “I am going home. I am going home to study law.” Emerson asked, “Mr. Lincoln, you stand at the head of the bar in Illinois now! What are you talking about?” Lincoln replied, “Ah, yes, I do occupy a good position there, and I think that I can get along with the way things are done there now. But these college-trained men, who have devoted their whole lives to study, are coming West, don’t you see? And they study their cases as we never do. They have got as far as Cincinnati now. They will soon be in Illinois.” Emerson stated Lincoln turned to him, his countenance suddenly assuming that look of strong determination which those who knew him best sometimes saw upon his face, and said, “I am going home to study law! I am as good as any of them, and when they get out to Illinois, I will be ready for them.”

Change is coming. If you try just to get along, the future will overwhelm you. While we do not live in a world of unlimited funds for conferences and training, people are sharing a wealth of information. Take advantage of it and get ready for whatever might be heading your way.

For help with forensics, Jim points out, “SANS instructor, Rob Lee points us to a couple of new cheat sheets for doing forensics on USB keys under XP or Vista/Win7.” There is also the Memory Analysis Cheat Sheet for Microsoft Windows XP SP2 by Pär Österberg and Andreas Schuster. If you have a SANS Portal Account, you can access the SANS Forensic Analysis Cheat Sheet.

The below table provides links to other security cheat sheets I have found very beneficial. Some are better described as condensed references, verses short 1-2 page cheat sheets. That is noted below.

Since security does not exist in a vacuum, Raj helps us out with his post, “145 Useful cheat sheets for some of the most widely used tools on the web.” To quote Raj, the post provides “145 quick cheat sheets for some of the most widely used tools on the web.” Dave Child has also posted several valuable cheat sheets for commonly used Internet and development tools (Python, Subversion, Regular Expressions, mod_rewrite, PHP, MySQL, Javascript, Ruby on Rails).

Hilde Torbjornsen has also posted “Mega Collection Of Cheatsheets for Designers & Developers” where she list more than one hundred cheat sheets and reference cards for the following topics:

To assist on the operating side, Scott Klar posted “Linux-Unix cheat sheets – The ultimate collection.” The post provides a links to approximately 70 cheat sheets for Linux users. Scott has also posted, “Windows cheat sheets compilation“, “Networking cheat sheets“, and links in various other areas (C, CPP, C#; Gimp; Designer color; Vi & vim; Emacs; Photoshop; Apache; Perl; Python; Ruby and Ruby on Rails; Regular Expressions; MySQL; XML-XSLT-RSS; PHP; CSS; Javascript/Ajax; HTML and Xhtml).

Finally, there is always the Cheat-Sheets, DevCheatSheet (over 1,500 so far) , and TechTarget sites. These two sites offer very large number of links to various cheat sheets on all sorts of topics. If you know of any other good cheat sheets relating to security, please let me know.

I am including a video of Dr. Eric Cole, SANS instructor, developer of the course material, and President of Secure Anchor, providing a course description.

While I tend to prefer more technically focused courses, DoD directive 8570.1M convinced me that becoming a CISSP would be useful. Below is a chart showing the certification requirements for 8570.1M.

SANS offers information on SANS courses that align with the 8570 Baseline and with CND & IASAE. If it sounds like I favor SANS a bit, I do. Over the past few years, I have had to work with a very limited security training budget. SANS has offered options allowing me to pick up certification while keeping costs low. I really appreciate that. Plus, SANS instructors are well trained and of the highest caliber. If you are on a budget, two low cost options are available:

• The SANS Work Study Program. The program allows the volunteer to pay a fee of $700, which is applied towards tuition and certification costs. The volunteer works the selected event and in exchange they can attend the course and all other events at the conference (SANS@Night events, BoFs, Lunch & Learns, etc.).
• The Community of Interest in Network Security (COINS) program. If you are a member of an OWASP chapter, ISSA, ISACA, InfraGard, HTCIA, ECTF or other local security organization, the COINS program offers you a 50% tuition discount for this or any other SANS @Home course.

I decided to take the SANS GISP exam first because SANS makes it so much easier to schedule the exam when compared to (ISC)2. The closest CISSP exam was over a 4.5 hour drive away from where I am currently residing. SANS allowed me to take the proctored at a local test center. Unlike the CISSP, SANS exams provide immediate results. For those not familiar with SANS certifications exams, they are given electronically. As you answer the questions, you are told whether you answered correctly.

A word of warning: The GISP is a 5 hours exam. Initially, the local test center stated they were only setup for maximum 3 hour exams. The test center was trying to avoid having to monitor the test takers over lunch. The good news is that SANS can resolve this problem, but you will have to ask them to do so.

Ted Demopoulos, over at SecurITyCerts.org, did one of the better posts, “CISSP versus SANS GISP Certification.” Unlike many writers on this subject, Ted was one of the few who had taken and passed both exams. Otherwise, I encountered people who had taken only one exam and tended to discuss how that exam was superior.

I will hold off offering an opinion as to how the exams compare until after I pass the CISSP. Since I plan on doing DoD work, the fact that the CISSP fulfills the certification requirements for half of the DoD categories makes the certification choice pretty obvious. In the future, SANS may be better represented under DoD directive 8570.1. Generally speaking, security professionals will be aware of SANS and will respect the GIAC certification. People in business and IT, but outside of security, are more likely to know about the CISSP. You will likely find yourself in a position where you need to impress both groups. If you have the option, consider taking both exams.

Google represents a challenging environment consisting of many very intelligent users who are operating in a diverse development environment. It is also an environment where if anyone tried to impede the developers’ work, these inventive employees would find ways to go around. Heavy handed policies will not work. A technical solution that helps developers get their work done is the only possible workable solution. Along this line, check out James Governor’s post, “You have to treat your employees like customers.”

Staying with Google, for my second major mention, Google has made available the videos and slides from Google I/O. This gathering occurred May 28-29th and consisted of “in-depth, technical sessions on how to build the next generation of web applications with Google and open technologies.” I have added these sessions to the “Presentations” section of this blog. To save some clicking, and pique your interest, the sessions are listed below.

If you are interested in additional slides and videos for training, please check out my previous post, “CERT, CERIAS, the Academy, and Google Video: Training Online.”

The Center for Education and Research in Information Assurance and Security (CERIAS)

CERIAS provides a very informative area for finding information on security. The information can ranges from purely technical issues (e.g., intrusion detection, network security, etc) to ethical, legal, educational, communicational, linguistic, and economic issues, and the subtle interactions and dependencies among them. The research available on the site is centered on eight subject areas:

• Risk Management, Policies, and Laws
• Trusted Social and Human Interactions
• Security Awareness, Education, and Training
• Assurable Software and Architectures
• Enclave and Network Security
• Incident Detection, Response, and Investigation
• Identification, Authentication, and Privacy
• Cryptology and Rights Management

The site offers news, blogs, papers, and podcasts. Of particular interest to me are the podcasts, because mostly they are vidcasts. Here are a few recent postings:

• “What are CSO’s thinking about? Top information security initiatives for 2008 and beyond …” by Anand Singh, Target Corporation
• “Electronic Voting: Danger and Opportunity” by Edward W. Felten
• “Tor: Anonymous communications for government agencies, corporations, journalists… and you” by Paul Syverson & Roger Dingledine
• “Security in a Changing World” by Eric Cole
• “CANDID: Preventing SQL Injection Attacks using Dynamic Candidate Evaluations” by Ventkat Venkatakrishnan
• “Wireless Router Insecurity: The Next Crimeware Epidemic” by Steve Myers
• “Security, Soft Boundaries, and oh-so-subtle Strategies:How to Play Chess While the Board is Disappearing” by Richard Thieme

The research conducted through CERIAS includes faculty from six different colleges and 20+ departments across campus, all being made available for free. CERIAS offers a great opportunity to keep well informed on all security subject areas.

CERT Coordination Center (CERT/CC)

Off the CERT site, you can find the most up-to-date material on security issues. Like CERIAS, information is available in whatever form you prefer (documents, podcasts, video, research tools). In short, it is a fantastic source for security information. I wanted to draw particular attention to the CERT Virtual Training Environment (VTE). It is a resource for information assurance and incident response and computer forensic training. The site contains over 500 hours of material. Some of the VTE material requires membership or affiliates to certain organizations. Still, there is a great deal of video content available for free. VTE “blends classroom instruction with self-paced online training, delivering training courses, anytime access to answers, and hands-on training labs all through the Internet“. Here are a few of the most recent publicly available courses:

• FAA 2008 IT/ISS Conference presentation slides
• IPv4-IPv6 Comparison
• IPv6 Addresses
• Vulnerability Remediation
• Vulnerability Assessment Reporting
• Best Practices for VA Tools
• Vulnerability Assessment Best Practices
• Errors During Vulnerability Analysis
• Vulnerability Analysis
• Vulnerability Assessment Methodology
• Vulnerability Assessment Basics
• DEMO: Hack Calculations

I cannot help by point out that CERT also provides some great podcasts in the areas of governing for enterprise security, measuring security, privacy, risk management and resilience, security education and training, threat, trends and lessons learned, and tips from the trenches: areas of practice. I have posted links off this site on a few of these top notch security podcasts.

The Academy

Andrew Hay, a Canadian security professional and co-author of the upcoming book OSSEC Host-Based Intrusion Detection Guide, recommended I check out the Academy. I am glad he did. Registration is required to view the videos. The site brings together videos from various security sources, such as TippingPoint, SANS, IronPort, OSSEC, Cisco, Insecure, Tenable, Nokia, and FortiNet. The Academy current videos cover the following security subjects:

• Anti-Spam – contributions by IronPort
• Content Filtering – contributions by FortiGate
• DLP – contributions by McAfee DLP
• Firewall – contributions by CheckPoint, Cisco PIX & ASA, Nokia, FortiGate
• IDS/IPS – TippingPoint, OSSEC
• Network Access Control (NAC) – Insecure
• SANS Institute
• VA/Pen Testing – contributions by Nessus, Nmap
• Wireless – FortiGate

Key contributors are Peter Giannoulis, Adam Winnington, Andrew Hay, and Jason Ingram. SANS is sponsoring the site. The academy does request that “if you have an idea for a video please forward it to us or simply make the video yourself and send it through. Contact peter@theacademy.ca for a list of guidelines to follow when creating your contribution. If you believe you have something to say please send in an article submission for posting on the website. Any security related topic will do.” The site has some talented security professionals and a great security organization backing it. To quote Andrew, “The Academy is a user driven community and videos are created at the request of its members. Vendors can also leverage the site to showcase the features and capabilities of their products. The Academy is an ideal place to find and share knowledge with others practicing or interested in the information security field. The Academy is an ideal place to find and share knowledge with others practicing or interested in the information security field.”

Google and the Rest of the Web

Of course, I should point out that SecurityMonks does have a presentation area where slides and videos done by experts in the field are posted. On the LifeHacker site, Wendy Boswell has done a posting “Technophilia: Get a free college education online” in case you are interested in subject matters other than IT security. For each his own, though I can see taking a break now and then. In which case, the University of California, Berkeley has posted a few their classes on Google Video. There are plenty more from various universities. To access, simply type “lecture genre:educational” into the video search box. Google has several genres, if you have a specific interest.

To return to the more geeky side of life, if you are interested in lectures given at the Googleplex, Google have made those available. There are TechTalks, designed to “disseminate a wide spectrum of views on topics ranging from Current Affairs, Science, Engineering, Humanities, Business, Law, Entertainment, Medicine, and the Arts.” Authors@Google is a “speaker series where thought-provoking, Zeitgeist-making, trend-setting authors come to the Googleplex to read from their works and share their thoughts.” You can view those videos on Google Video, or YouTube Talks@Google area. Finally, there are also miscellaneous videos that include marketing videos, recruiting videos, lectures, and more.

To return to the genres of educational security, type into the video search box: “genre:EDUCATIONAL IT security.”

Google, to help folks learn how to use Google Code, has posted some courses under “Google Code for Educators.” There are a few security video lectures:

• “Introduction to Web Security” by Neil Daswani
• “How to Break Web Software” by Mike Andrews
• “What Every Engineer Needs to Know About Security and Where to Learn It” by Neil Daswani

Of course there are many more fine sites. SecurityDistro, started by Spyro contains a tutorial section that has some very good material. Of course there is the SANS Webcasts archive area. I just came across the “Learn Security Online” site that offers free and paid membership levels. Even TechVidSite has video presentations on security topics, if you can navigate through the site. A search on “IT” and “Security”, for example returned over 7k matches, while “metasploit” returned 25. The above information and links are meant only as a starting place. I hope I have managed to stay true to Einstein and provided the conditions in which we may all learn a little more about the world of information security.