Security Advancements at the Monastery
http://blog.securitymonks.com
Information about developments at the Monastery
Feed generated Fri, 02 Jul 2010 16:49:49 +0000

FISMA Reform: Lieberman, Collins, and Carper Introduce Bill
http://blog.securitymonks.com/2010/06/10/fisma-reform-lieberman-collins-and-carper-introduce-bill/
Thu, 10 Jun 2010 21:24:42 +0000, by John Gerber

Today, a compromise was reached that allows FISMA reform to move forward in the Senate. The Committee on Homeland Security and Governmental Affairs issued the press release, “Lieberman, Collins, Carper Unveil Major Cybersecurity Bill to Modernize, Strengthen, and Coordinate Cyber Defenses.” Key elements of the Protecting Cyberspace as a National Asset Act of 2010 include:

  1. Creation of an Office of Cyberspace Policy in the Executive Office of the President run by a Senate-confirmed Director, who will advise the President on all cybersecurity matters. The Director will lead and harmonize federal efforts to secure cyberspace and will develop a national strategy that incorporates all elements of cyberspace policy, including military, law enforcement, intelligence, and diplomatic. The Director will oversee all related federal cyberspace activities to ensure efficiency and coordination.
  2. Creation of a National Center for Cybersecurity and Communications (NCCC) at the Department of Homeland Security (DHS) to elevate and strengthen the Department’s cybersecurity capabilities and authorities. The Director will regularly advise the President on efforts to secure federal networks. The NCCC will be led by a Senate-confirmed Director, who will report to the Secretary. The NCCC will include the United States Computer Emergency Response Team (US-CERT), and will lead federal efforts to protect public and private sector cyber and communications networks.
  3. Updates the Federal Information Security Management Act (FISMA) to modernize federal agencies’ practices for protecting their internal networks and systems. With strong leadership from DHS, these reforms will allow agencies to move away from the system of after-the-fact paperwork compliance to real-time monitoring to secure critical systems.
  4. Requiring the NCCC to work with the private sector to establish risk-based security requirements that strengthen cybersecurity for the nation’s most critical infrastructure that, if disrupted, would result in a national or regional catastrophe.
  5. Requiring covered critical infrastructure to report significant breaches to the NCCC to ensure the federal government has a complete picture of the security of these sensitive networks. The NCCC must share information, including threat analysis, with owners and operators regarding risks to their networks. The Act will provide specified liability protections to owners/operators that comply with the new risk-based security requirements.
  6. Creation of a responsible framework, developed in coordination with the private sector, for the President to authorize emergency measures to protect the nation’s most critical infrastructure if a cyber vulnerability is being exploited or is about to be exploited. The President must notify Congress in advance before exercising these emergency powers. Any emergency measures imposed must be the least disruptive necessary to respond to the threat and will expire after 30 days unless the President extends them. The bill authorizes no new surveillance authorities and does not authorize the government to “take over” private networks.
  7. Development of a comprehensive supply chain risk management strategy to address risks and threats to the information technology products and services the federal government relies upon. This strategy will allow agencies to make informed decisions when purchasing IT products and services.
  8. Requiring the Office of Personnel Management to reform the way cybersecurity personnel are recruited, hired, and trained to ensure that the federal government has the talent necessary to lead the national cybersecurity effort and protect its own networks.

The Committee will hold a hearing on the legislation June 15, 2010.

Background

There has been a great deal of activity since I posted “FISMA: Paperwork Or Actual Security?” The House passed, on a 229 to 186 roll call vote, the 2011 Defense Authorization bill, which includes measures to upgrade the Federal Information Security Management Act (FISMA). The authorization bill now faces reconciliation with the Senate version. The Senate version has yet to be considered on the Senate floor but did pass through the Senate Armed Services Committee. The House action put pressure on the Senate to act.

Action came from the US Senate Committee on Homeland Security and Governmental Affairs, whose chairman is Senator Joe Lieberman (ID-Conn.), an original cosponsor of the bill. Lieberman had been talking about a comprehensive cybersecurity reform bill that would incorporate much of the language of the United States Information and Communications Enhancement Act (S. 921) with the FISMA reform legislation introduced in April 2009 by Senator Thomas R. Carper (D-Del.). Many provisions of Carper’s bill mirror provisions included in the House bill. Carper was pressing to include measures that would:

  1. standardize Inspector Generals’ information security audits;
  2. create a Chief Information Security Officer Council to establish information security best practices and guidelines, while strengthening the role of Chief Information Security Officers;
  3. allow the Department of Homeland Security to conduct “red team” penetration tests against civilian agencies;
  4. allow Congress to measure the effectiveness of agencies’ information security plans and procedures.

Lieberman wanted Senator Susan Collins (R-Maine), the ranking Republican on the Homeland Security panel, named on the bill. The problem was that Collins is on record opposing the top cybersecurity official in government being housed in the White House, believing the official should be quartered in the Department of Homeland Security. It looks like Lieberman and Collins were able to come to an agreement and move forward on the bill.

Thoughts

If you are interested in learning more and keeping up with FISMA, you will find Dan Philpott’s (@danphilpott on Twitter) site FISMApedia interesting. It describes itself as “a collection of documents and discussions focused on Federal IT security. This site is a database of current guidance, laws and directives on how the Federal government secures its IT assets.” Philpott also posts to the Guerilla CISO.

Federal CIO Vivek Kundra, writing on the Chief Information Officers Council Blog about the new FISMA reporting approach, states: “In the past, Federal agencies spent enormous time and money creating the old paper-based reports. The State Department alone, in the past six years, spent $133 million amassing 95,000 pages of security documentation for about 150 major IT systems. This works out to roughly $1,400 per page in reports that were often outdated within days of being published.” Kundra goes on to state, “As we move away from the old-style reports and into a more real-time system of security data feeds, we are implementing solutions that actually help to protect the country rather than simply generate paperwork.”

For intelligent comments on FISMA, let us turn to a few folks who eat, sleep, and breathe FISMA. Michael Smith, aka rybolov, is the creator of the Guerilla CISO blog. Concerning the $1,400 per page cost, Smith in his post “A Funny Thing Happened Last Week on Capital Hill,” writes “If you buy into the State Department’s cost of $1400 per sheet, you’re absolutely daft.” Smith goes on to point out, “The cost of a security program divided by the total number of sheets of paper is probably right. In fact, if you do the security bits right, your cost per sheet will go up considerably because you’re doing much more security work while the volume of paperwork is reduced.”

Concerning allocating money towards red teams, Smith makes the point, “Do we really need penetration testing to prove that we have problems? In Mike Smith’s world, we’re just not there yet, and proving that we’re not there is just an excuse to throw the InfoSec practitioners under the bus when they’re not the people who created the situation in the first place.” Nicely put.

Smith’s recommendations to fix FISMA:

  1. You have to start with workforce management. This has been addressed numerous times and has a couple of different manifestations: DoDI 8570.10, contract clauses for levels of experience, role-based training, etc. Until you have an adequate supply of clueful people to match the demand, you will continue to get subpar performance.
  2. More testing will not help, it’s about execution. In the current culture, we believe that the more testing we do, the more likely the people being tested will be able to execute. This is highly wrong and I’ve commented on it before. I think that if it was really a fact of people being lazy or fraudulent then we would have fixed it by now. My theory is that the problem is that we have too many wonks who know the law but not the tech and not enough techs that know the law. In order to do the job, you need both. This is also where I deviate from the SANS/20 Critical Security Controls approach and the IGs that love it.
  3. Fix Plans of Actions and Milestones. These are supposed to be long-term/strategic problems, not the short-term/tactical application of patches–the tactical stuff should be automated. The reasoning is that you use these plans for budget requests for the following years.
  4. Fix the budget train. Right now the people with the budget (programs) are not the people running the IT and the security of it (CIO/CISO). I don’t know if the answer here is a larger dedicated budget for CISO’s staff or a larger “CISO Tax” on all program budgets. I could really policy-geek out on you here, just take my word for it that the people with the money are not the people protecting information and until you account for that, you will always have a problem.

More recently, Smith posted “How to Not Let FISMA Become a Paperwork Exercise” where he addresses and comments on the key criticisms of FISMA:

  • Reduce paperwork requirements. Yes, some is needed. Most is not.
  • Reduce cost. There is much repetition in what we’re doing now, it borders on fraud, waste, and abuse.
  • Increase technical effectiveness. I.e., get from the procedural and managerial tasks down into the technical parts of security.

Smith offers advice on “how do you keep from letting FISMA cripple you or turn into death-by-compliance.” Go to the post and read his advice.

On the same site, Joe Faraone, aka Vlad, gives his take in the post “Machines Don’t Cause Risk, People Do!” He disagrees with Alan Paller, director of research for SANS, when he writes, “At the risk of bashing Alan Paller yet again, I am often turned off by the approach of ‘being able to know the status of every machine at every minute,’ – as if machines by themselves cause bad security… It’s way too tactical (incorrect IMHO) and too easy to make that claim.” Faraone goes on to make the point, “Continuous, repeatable security processes followed by knowledgeable, responsible practitioners are what government needs. But you cannot develop these processes without starting from a larger, enterprise view. Successful organizations follow this–dare I say it–axiom whether discussing security governance, or system administration.”

Paller has been very vocal in his opinion against FISMA. He is frequently quoted (e.g., “Sans founder slams ‘terribly damaging’ US cybersecurity law”). Paller has told the House Committee on Oversight and Government Reform’s Subcommittee on Government Management, Organization and Procurement that FISMA, as it has been implemented and enforced until now, has been more detrimental than helpful to government IT security.

FISMA was needed to get government moving in a security-focused direction. Philpott, in his post “The 10 CAG-egorically Wrong Ways to Introduce Standards,” makes the point: “Speaking as someone who scrambled to secure Federal systems before FISMA and NIST’s extensive guidance, having that documentation greatly improves my ability to efficiently and effectively secure systems.”

Statements painting FISMA as worthless, or detrimental, might grab headlines but are not really helpful. Nor are statements by Paller like, “US House of Representatives attaches new FISMA rewrite to Defense Authorization Bill. The press hasn’t picked it up yet, but NextGov.Com will have a story in a few minutes. This puts one more nail in the coffin of the Federal CISOs and security contractors who think they can go on ignoring OMB and go on wasting money on out of date report writing contracts.” Faraone calls Paller on this statement in the post, “When the News Breaks, We Fix It.”

Richard Bejtlich, in his post “Thoughts on New OMB FISMA Memo,” adds his opinion on FISMA reform when he writes, “Long-time blog readers should know I’ve been writing about FISMA for five years, calling it a ‘joke,’ a ‘jobs program for so-called security companies without the technical skills to operationally defend systems,’ and other kind words. Any departure from the previous implementation is a welcome change.”

OMB issued “FY 2010 Reporting Instructions for the Federal Information Security” (M-10-15) on April 21, 2010. It identifies a three-tiered reporting approach, which includes:

  1. Data feeds directly from security management tools
  2. Government-wide benchmarking on security posture
  3. Agency-specific interviews

Bejtlich analyzes what is really changing for FISMA implementation and concludes, “It’s probably going to take a .gov-savvy lawyer to really explain what these points mean, but private enterprise working with government data should probably take a close look at these new FISMA developments.”

Other Important Legislation

With more than 35 cybersecurity-related measures before Congress right now, take some time to review the presentation “Cybersecurity: The U.S. Legislative Agenda” by Melissa E. Hathaway, former acting senior director of cyberspace for the Obama administration, who now runs Hathaway Global Strategies and has advisory roles at several IT companies. You might remember Hathaway from her work on the “Cyberspace Policy Review,” the result of a 60-day, comprehensive, “clean-slate” review directed by the President to assess U.S. policies and structures for cybersecurity. To quote Hathaway on the nine key pieces of legislation to watch:

  • Data Breach Legislation (S. 139): It will normalize the 46 State Data breach laws into one national umbrella. It may be expanded to include more than Personal Identifiable Information (PII). One issue with this bill is that it would consolidate all reporting to the US Secret Service, which is not helpful for broader information sharing with industry or across government.
  • Data Accountability and Trust Act (H.R. 2221): It was voted out of the House of Representatives in early December 2009. It requires the ISPs to make victims aware of infection if seeing breach across network. I believe the Comcast Denver, CO pilot program could be anticipatory market movement associated with this bill (to better understand costs). It will be interesting to see if this is extended to those services who may also be able to determine if there is anomalous behavior on the broader backbone. As you may know, Germany just passed a law requiring their ISPs to inform their citizens/consumers if they have been infected.
  • International Cybercrime Reporting and Cooperation Act (S. 1438 and H.R. 4692): This bill was introduced by Sen. Gillibrand and co-sponsored by Sen. Hatch, which will give it strength in the Judiciary Committee. The bill requires the President to produce an annual report to Congress providing an assessment of every country’s level of ICT utilization and development; it assesses how each country’s legal, law enforcement and judicial systems address cyber crime and protect commerce and consumers. This bill met discord from software and hardware companies and their associated lobbying organizations (e.g., BSA, Tech America) because there is language that sanctions will be imposed on countries who have demonstrated 5 years of “bad behavior”. This Bill and any hearing around it will certainly draw attention to the recent Google/PRC debacle. Its sister bill in the House of Representatives, H.R. 4692, mirrors the areas of focus. **Note: Sen. Kerry and Sen. Gillibrand have also introduced S. 3193 (International Cyberspace and Cybersecurity Coordination Act of 2010) to authorize the creation of a senior coordinator at the State Department, with the rank and status of Ambassador at Large.
  • Cybersecurity Enhancement Act (H.R. 4061): It passed the House of Representatives in February (2/2/10). In addition to providing additional responsibility to NIST, it creates an office for a national coordinator for the networking and information technology research and development program to improve cybersecurity research and development and coordination between the federal government, academia and private sector. The NITRD office (within the Office of Science and Technology Policy) already coordinates all of the Cyber R&D, which for this year is well over $4B. While this is a non-controversial piece of legislation because it supports R&D efforts focused on identity management technologies and usability, authentication methods, and privacy, it’s not clear how the new office will interact with the current OSTP responsibilities.
  • FISMA II (S. 921): It updates FISMA I from compliance driven (check-list) to measures that are performance based. It uses the State Department’s Risk Scoring tool, which measures its systems on a continuous basis against known vulnerabilities and offers meaningful feedback in the form of actionable remediation techniques to the operators and high level feedback to senior managers to ensure accountability, as one example that could serve as a model for the rest of government. It also affords the department and agency chief information security officers the focus and attention they need and deserve. Finally, it is possible that FISMA II will address procurement reform.
  • Intelligence Authorization Act (H.R. 2071): It strengthens and enhances America’s intelligence capabilities, and improves congressional oversight of our intelligence agencies. It provides our intelligence community with the tools and resources to train more officers, expand language skills, strengthen cybersecurity efforts, and more effectively prevent the spread of weapons of mass destruction. Contains multiple Congressionally Directed Actions for CNCI.
  • Cybersecurity Act of 2009 (S. 773): The bill combines audits, industry-developed and government-backed standards, increased information-sharing, and other mechanisms to bolster private sector cybersecurity. It establishes a Cybersecurity Advisory Panel (Presidential Level) and a National Clearinghouse for information sharing. Additionally, it extends the Scholarship for Service program (increases to 1000 scholarships) and increases the National Science Foundation’s budget for R&D.
  • The Grid Reliability and Infrastructure Defense Act (H.R. 5026): The bill amends the Federal Power Act and directs the Federal Energy Regulatory Commission to protect the electric transmission and distribution grid from vulnerabilities. In addition to providing authority to address immediate threats, the GRID Act would also give FERC authority to mandate measures to protect against system “vulnerabilities” if it finds that the North American Electricity Reliability Corp. (NERC) standards are insufficient. If passed, the legislation will provide a security framework for the Smart Grid.
  • Energy and Water Appropriations Act 2010 (Law): It appropriates additional funds for Cybersecurity: $46.5 million for energy delivery cybersecurity, an increase of $34.5 million from 2009, to develop secure grid technologies as cyber attacks increase worldwide and the grid becomes increasingly network-connected. It also establishes a National Cyber Center for the grid.

Final Thoughts

The Committee will hold a hearing on the legislation next week, on June 15, 2010. Watch for analysis from the folks listed above; I am sure they will have interesting commentary as more details are released. This is going to be interesting.

FedRAMP and Recent Changes Prepare Feds for Cloud Adoption
http://blog.securitymonks.com/2010/05/31/fedramp-and-recent-changes-prepare-feds-for-cloud-adoption/
Tue, 01 Jun 2010 04:18:41 +0000, by John Gerber

This month I had the pleasure of attending a talk given by Warren Udy, Director of Information Assurance and Cyber Security at the US Department of Energy. If you are in the Arlington, VA area on June 22, you should try to catch Warren at the “Cloud Computing Committee Meeting.” His presentation was not only very entertaining and enlightening on the new Federal Risk and Authorization Management Program (FedRAMP), but it also started me thinking about a few other recent developments on the federal cloud front. Before discussing FedRAMP, let us discuss the recent changes to FISMA, the desire for open government and the cloud, and the General Services Administration (GSA) reissuing the request for quote (RFQ) to Infrastructure as a Service (IaaS) vendors. We will conclude with examples of government cloud adoption going on today. Things are getting interesting on the federal front.

Changes to FISMA

Last month the Obama administration announced new standards for agency reporting under FISMA as part of an effort to get agencies to shift from paper-based reports to real-time monitoring of systems. Vivek Kundra, the Federal Chief Information Officer, was interviewed by Federal News Radio in the post "OMB outlines shift on FISMA." Kundra expressed the vision that "What we need to do, when it comes to information security, is shift to a model across the federal government, with a focus that is much more of a real-time basis. And you'll see forthcoming, in terms of the FISMA reporting guidance, more centered on continuous performance monitoring and Cyberscope."

Ben Bain reports in the article "NASA's new FISMA approach and what it means for you" that NASA’s Deputy Chief Information Officer for IT Security, Jerry Davis, is developing a new program for the security authorization process based on continuous monitoring, automated tools and reduced paperwork. NASA hopes to have it in place for fiscal 2011. “Security is still going to be done. Certification and accreditation will still be done, but the way we do it is going to change significantly and the frequency of it will change,” he said. “Instead of every three years, you’re really going to be doing it, in a sense, on like a weekly or monthly basis, you’re always going to be looking at those controls and adjusting them for changes."

Alan Paller, director of research at the SANS Institute is quoted on how the new approach will help to correct flaws in the original FISMA legislation, "It's a move toward being able to know the status of every machine at every minute. So that when something bad is coming at you, you know where you can target and where you can't so you can act quickly. It's a complete change from what we've had before. This started during the Clinton Administration, and it was the Senate that created it in the bill called GISRA, and then it became FISMA. It was an error made by people who didn't understand the threat, and the error was that you can manage fast-moving attacks with slow moving paper."

Joe Faraone, aka Vlad the Impaler, in his post "Machines Don’t Cause Risk, People Do!" offers a counterpoint: "Desiring to know everything about everything may seem to some to be a worthy goal, but may be beyond many organization’s budgets. *Everything* is a point in time snapshot, no matter how many snapshots you take or how frequently you take them. Continuous, repeatable security processes followed by knowledgeable, responsible practitioners are what government needs. But you cannot develop these processes without starting from a larger, enterprise view. Successful organizations follow this–dare I say it–axiom whether discussing security governance, or system administration."

Open Government and the Cloud

Effective security approaches being beyond many organizations' budgets might just be at the heart of the matter. Recall Vivek Kundra's statement that he sees two overarching trends now happening in computing:

  1. The increasing use of mobile devices and the app ecosystems they support.
  2. Cloud computing, which can cut IT costs and drastically improve access to information.

With that in mind, it is not surprising that Nick Eaton reports in his post, "Obama's CIO ready to bring government tech up to speed," that the first two major tech initiatives launched by the Obama administration consist of:

  1. Data.gov, which is a repository for open government datasets that people can access to create applications, do scientific research and more. It launched with 47 datasets and now includes more than 169,000. Since its launch in May 2009, New York, San Francisco, Seattle and other local governments have launched similar services. Kundra has stated that a big difference between public-sector and private-sector technology is that the commercial world is focused on front-end customer needs, whereas government IT is usually focused on the back end. Kundra wants to change that by creating accessible user interfaces to online government services, and as a result make "government cool again."
  2. Apps.gov, which is hosted by the U.S. General Services Administration. It's a clearinghouse for hundreds of cloud-computing applications, both free and not, from mostly private vendors.

Cloud computing can be a solution that allows for continuous monitoring and a unified risk-based approach across government agencies, all while reducing costs. A major stumbling block is resolving agencies' compliance issues with respect to cloud vendors.

GSA Reissues RFQ

The GSA released the RFQ on its E-Buy site in mid-May, asking for bids from IaaS providers on cloud storage services, virtual machines and cloud web hosting. Fed Cloud Blog interviewed Dave McClure, GSA’s Associate Administrator of Citizen Services and Communications, concerning the RFQ and the new contract. McClure discussed several of the differences:

We’re raising the security level to the moderate level. I think that’s where the public sector in general is headed — greater security in these cloud provisioning agreements. So, we’ve raised this up to the moderate level. I think that’s a significant improvement and difference from the prior RFQ. We also are making it much easier and clearer to map the industry offerings to the contract line items in this BPA instrument that we’re using. There was some confusion about whether specific services and prices for some of the industry offerings — how they’ve mapped to the contract line items in this BPA. We’ve gone back and actually cleaned that up and had conversations with industry on how that mapping process can work very effectively. So I think that will also create a much better instrument than what we had before. The third big difference is that things that are awarded off of this instrument will be candidates that will go into the FedRAMP centralized CNA approval process. I think that will make a difference, as well — knowing that your product or service will actually go through one CNA and then be usable across the entire government.

FedRAMP

This month FedRAMP was officially announced. Peter Mell, FedRAMP Program Manager, discusses the program in his presentation from last month. Mell explains that FedRAMP is a government-wide initiative to provide joint authorizations and continuous security monitoring services. It provides unified government-wide risk management and allows agencies to leverage FedRAMP authorizations (when applicable).

FedRAMP’s initial focus is on cloud computing, with the program working with cloud vendors (currently Microsoft and Google are in pilot mode) to evaluate their overall security environment in relation to government security controls. The controls will be based on the new NIST security framework. There will still be some gaps between civilian, DoD and intelligence agencies, so moving to the cloud will still require some security work. The goal of FedRAMP is to create a unified risk management process that:

  • increases security through focused assessment.
  • eliminates duplication of effort and the associated costs.
  • enables rapid acquisition by leveraging pre-authorized solutions.
  • provides agency-vetted, transparent security requirements and authorization packages.
  • facilitates multi-agency use of shared systems.
  • ensures integration with government-wide security efforts.

Mell states, "An advantage of this program is that [vendors] primarily work with one security assessment and authorization body, or one risk management program, and they don't have to independently meet all of the security requirements of the many, many different agencies." In an interview with Eric Chabrow, Mell goes on to state, "Agencies, by leveraging FedRAMP authorization, will save a lot of money and enable rapid acquisition, but they're still in control. They get to choose whether or not they leverage it. They can choose if they want to do additional work to assure systems meet the security needs of their agency."

Mell believes the primary hurdle to secure government adoption of cloud computing is the lack of government-wide authorization capabilities. Mell states:

Currently, with each federal agency independently doing risk management with these large outsourced systems in cloud computing you have got duplication of effort, but you have got incompatible policies being levied because the Federal Information Security Management Act is all about a framework by which agencies communicate or enforce their policies on a system. So you get 40 agencies together, enforcing their policies on a single system and the interception of those policies is likely not draftable. Likely, they will disagree on the finer points of server configuration, for example, and it just won't be possible and that is a source of great frustration for cloud vendors. It also means that acquisition is very slow, the lengthy compliance processes and then there is inconsistent application of these government-wide security programs.

To solve that, and I think this is common sense, I don't think we are doing anything unexpected or unusual here, it's certainly new, that the proposed solution is found within FedRAMP – the Federal Risk and Authorization Management Program. The idea is to create a government-wide, risk management program that has to be optionally used by the agencies. It provides joint authorization services and continuous monitoring services and again, I will stress that it is optional.

FedRAMP would perform assessment and authorization of these very large systems, these government-wide authorization then can be optionally leveraged by agencies so that they can adopt these services with a minimal of additional security effort required. FedRAMP would perform security, based on an agreed upon government-wide security baseline that agencies can leverage. That is what I mean by most of the work will be done because that baseline will have been assessed and authorized.

Agencies do have unique missions and risk tolerances and security needs, and so agencies are always welcome to do incremental additional security testing, require additional security controls to be implemented and so forth. But again, the idea is to complete the bulk of the work for the agencies; do it once and do it well and thereby reduce an enormous amount of duplication of effort and enable rapid acquisition by federal agencies, eliminate that concern of security requirements not being compatible when multiple agencies levied them on a particular resource pool cloud system. And lastly, ensure consistent application of federal government-wide security programs. The Trusted Internet Connection program or there is ITM, there is Einstein, and the list goes on.

As to the question of authorization, Mell explains, "this fits perfectly within existing law, OMB policy, and even NIST security guidance. What we did do is in the new NIST risk management framework, in particular the NIST Special Publication 800-37, we added an Appendix s.6. That appendix talks about this notion of joint authorization being performed by the joint authorization board and then this concept of leveraged authorization where the agencies are leveraging the outcome of this joint authorization. We put the sort of foundational underpinnings of FedRAMP into the new NIST management framework. And by the way, FedRAMP is designed to follow that NIST risk management framework and focus a lot on that continuous monitoring aspect."

There are real issues that need to be worked out as FedRAMP develops. For example, Michael Smith, in his post “NIST Cloud Conference Recap,” shares his personal experience with a certifier that said, “we don’t recognize common controls so even though you’re just a simple web application you have to justify every control even if it’s provided to you as infrastructure.” Michael goes on to list several pieces that he has not yet seen FedRAMP address (follow the link and read his blog). I will add two more:

  1. Vendor Lock-in: if a cloud provider is authorized at some point but later stops meeting the security controls, causing authorization to be revoked, how do agencies switch cloud providers without cost and/or loss of service?
  2. Contamination Containment: when classified material leaks into the cloud, how is that dealt with? It does happen. Current requirements are to have the drives pulled and destroyed. That is not possible under current cloud configuration where the data is spread over thousands of drives.

So, everything is not rainbows and unicorns. It never is in security. There are real challenges to be faced. It is great that a discussion is taking place and folks are working hard at addressing these issues.

Federal Cloud Adoption

This past week, a new Federal CIO Council report, "The State of Public Sector Cloud Computing" was released. The executive summary states, "As we move to the cloud, we must be vigilant in our efforts to ensure that the standards are in place for a cloud computing environment that provides for security of government information, protects the privacy of our citizens, and safeguards our national security interests. This report provides details regarding the National Institute of Standards and Technology’s efforts to facilitate and lead the development of standards for security, interoperability, and portability." Kevin Jackson in his post, "Vivek Kundra – State of Public Sector Cloud Computing" describes how the report "not only details Federal budget guidance issued to agencies to foster the adoption of cloud computing, but it also describes 30 illustrative case studies at the Federal, state and local government level."

Deniece Peterson in the post, "Security, Standards and Budget Initiatives to Spark Cloud Computing Adoption" discusses the NIST forum and workshop she attended (slides are available). Deniece describes the morning session as including a panel of industry representatives from Intel, Microsoft, the Cloud Security Alliance, Amazon.com and the Center for Democracy and Technology. The panelists' wish list consisted of:

  • Keep going with FedRAMP (security certification effort), but don't stop there.
  • Develop standards in collaboration with both industry and international stakeholders
  • Recognize that interoperability needs can vary case by case; no one size fits all
  • Don't stifle innovation by setting standards too quickly; focus on building the framework
  • ID management, access control and cryptographic key management are the main security issues surrounding cloud computing and can have a serious impact on scalability
  • Push vendors to be more transparent about their security controls
  • Traditional notions based on physical boundaries will need to change
  • SLAs must include meaningful metrics for performance and security

"We want to be pragmatic, but aggressive," Kundra told the Washington crowd, noting that the government's consolidation of federal data centers and several other "game-changing approaches" will further fuel the move to the cloud. Andrew R Hickey in his article, "Federal CIO Says Cloud Standards Needed For Government Adoption" describes how NIST has also started the Standards Acceleration to Jumpstart Adoption of Cloud Computing (SAJACC) initiative that will validate and communicate interim specifications to agencies in the areas of security, interoperability and data portability. "We're not trying to write cloud computing standards, but are trying to do some testing on reasonable system interfaces or specifications of systems and make the test results available so people can see something is absolutely possible because the test results show it," NIST senior computing scientist Lee Badger said. NIST will also launch a publicly accessible Web portal to facilitate collaborative development of standards to support cloud computing requirements, Dawn Leaf, NIST senior executive for cloud computing, told attendees. Leaf expects the portal to be available sometime before the end of 2010. Business use cases are currently available on the CIO Web site.

Alex Howard reports that recovery.gov would be moving to Amazon's cloud. Earl Devaney, chairman of the recovery board, stated this move represents one of the "first bricks in the foundation that we're laying" throughout the federal government, in terms of cloud computing. Vivek would direct us to "look at the Department of Interior: The CIO is considering moving 80,000 emails to the cloud. Look at the investments made at GSA or a recent RFI [Request for Information] around email. Across federal government, you're seeing a number of agencies putting in a plan." J. Nicholas Hoover reports in his article "Gov 2.0: Google Readies Government Cloud" that Google's existing Google Apps customers include the city of Los Angeles and Lawrence Berkeley National Laboratory. In the federal sector, more than 100 federal agencies are already customers of Google's other products, including Google Earth, Google Maps, and Google Enterprise Search. Google Enterprise president Dave Girouard reports "we have a lot of state and local interest, and, increasingly, with FISMA certification arriving soon, think we have an opportunity with the federal sector." Girouard said that in addressing the federal government's unique cybersecurity demands, the majority of Google's work thus far has centered around documenting, clarifying, and explaining Google's security rather than re-inventing or changing its security posture.

Final Thoughts

Mary Engelbreit, famous children's book illustrator, once wrote "If you don't like something change it; if you can't change it, change the way you think about it." Is the government making real changes? If so, are these the kind of changes necessary to make cloud computing a reality in federal departments?

Lori MacVittie in her post, “Can the Cloud survive regulation?” points out that “we are just beginning to see the impact of what sharing and ‘international’ really means: an increasingly complex web of requirements and regulations. That may very well make the cloud a battle-zone unsuitable for any organizational use until the conflicts between security, regulations, reliability, and privacy are addressed.” Lori also considers that we might just “see the rise of regulated clouds; clouds within clouds specifically designed to meet the demanding needs of the myriad governmental and industry-specific privacy and data protection regulations. Regulated clouds set aside – at a premium of course – for those users and organizations who require a broader set of solutions to remain compliant even in the cloud.”

In the post “Cloud: Security Doesn’t Matter (Or, In Cloud, Nobody Can Hear You Scream)” Chris Hoff offers the opinion, “the only thing that will budge the needle on this issue is how agile those who craft the regulatory guidelines are or how you can clearly demonstrate why your compensating controls mitigate the risk of the provider of service if they cannot.” Chris goes on to state, “We need the regulators and examiners to keep pace with technology — as painful as that might be in the short term — to guarantee our success in the long term.” Chris also recommends organizations “manage compliance, don’t let it manage you.” Novell has done a very funny short video based on the blog (along with other entertaining short videos you will want to check out):

I do not agree with everything that is going on in government. I believe solutions will be found through trained security professionals. Security tools can be empowering but are not the end all solution. A monkey with a computer, even if it is a high performance computer, is no William Shakespeare. Adding more monkeys will not make any difference; it just creates a zoo. I do believe in the possibilities created with change, especially when you find yourself in a place where things are not working. You build upon the knowledge of your people utilizing what does work.

What gives me greatest hope is that the federal government seems to be listening to experts like Chris, Deniece, Joe, Lori, Michael, etc. and making a solid effort to create an environment where it can foster the adoption of cloud computing. These are not just cosmetic changes focused on how we think about computing, but real changes in how we will operate. For those who like the challenges brought on by change, it is an exciting time to be in security.

Google Visualization: An Example Graphing NVD CVE Data
http://blog.securitymonks.com/2010/04/16/google-visualization-an-example-graphing-nvd-cve-data/
Fri, 16 Apr 2010 15:54:42 +0000, John Gerber

Google Visualization offers graphing abilities to any number of projects. Why should security professionals care? If you are going to have to collect and present security metrics, it is best to showcase them in the very best manner possible. Andrew Jaquith in his article, “Creating meaningful information security metrics” states, “For 2010, Forrester Research expects that overall security budgets will rise less than 5 percent over 2009 – higher than in the previous year, but not by much.” Andrew goes on to point out, “smart security managers, sensing sudden vulnerability in their budgets, seek better ways to measure and prove the value of what they do every day.”

In today’s work environment there is a need to show changes, potential risks, improved performance, etc. in all areas of the company’s operations. Security professionals need to be prepared to answer the basic question, “why should the CIO or CEO care about security?” CSO Online has a great quote from the post, “From the CIO: Why You Didn’t Get the CISO Job” that challenges us to consider our views when it comes to security. The post states, “laser focus on your speciality is great in middle management. It’s what we want. One of the really hard things about jumping from management to executive is a focus on the whole of the business. It’s a rare person who manages it quickly or easily.” That is basically the problem with metrics. It is a battle between generalization to the point of uselessness and detail to the point of not being understandable or collectible. At the end of the day, something needs to be done because the security industry is currently leaving upper management in the position of not understanding what is going on within their business. That is a risk that is not acceptable.

Andrew’s article discusses what kind of security metrics should be used. Additional sources of information on security metrics can be found in a previous post entitled “Security Metrics.” The post provides links to wonderful sources on security metric information. You might also want to take a look at the CIS Consensus Security Metrics v1.0.0 guide, NIST Special Publication (SP) 800-55 Rev 1 “Security Metrics Guide for Information Technology Systems”, NIST IR-7564 “Directions in Security Metrics Research”, “Twenty Most Important Controls and Metrics for Effective Cyber Defense and Continuous FISMA Compliance,” and “Metrics, measures & Myths.” Once you have started gathering metrics, you will want to present them in an easy to understand format. This is where Google Visualization can help.

Today’s post walks through an example using the data from the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) Common Vulnerabilities and Exposures (CVE) database. The purpose is to provide a working example from which you can learn and apply to the various metrics gathered at your organization.

Data Source

A previous post, “Standardization and Interoperability in Security,” discussed how the Security Content Automation Protocol (SCAP) is an attempt to help defenders by providing a collection of XML schemas/standards that allow technical security information to be exchanged between tools. SCAP components consist of:

We are going to make use of the data from the NVD/CVE XML feed with the Common Vulnerability Scoring System (CVSS) mappings (version 2.0). NIST documentation states:

CVSS provides an open framework for communicating the characteristics and impacts of IT vulnerabilities. Its quantitative model ensures repeatable accurate measurement while enabling users to see the underlying vulnerability characteristics that were used to generate the scores. Thus, CVSS is well suited as a standard measurement system for industries, organizations, and governments that need accurate and consistent vulnerability impact scores. Two common uses of CVSS are prioritization of vulnerability remediation activities and in calculating the severity of vulnerabilities discovered on one’s systems.

NVD provides CVSS ‘base scores’ representing the innate characteristics of each vulnerability. ‘Temporal scores,’ which change over time due to events external to the vulnerability, are not provided, though NVD does provide a CVSS score calculator. This allows an organization to add temporal data and even factor in ‘environmental scores’ customized to reflect the impact of the vulnerability on the organization. Please refer to the CVSS standards guide and the OWASP Risk Rating Methodology concerning the factors involved in estimating the severity of risks to your business.

NVD CVE XML Schema

For our example, we will be using the data feeds nvdcve-2.0-2010.xml and nvdcve-2.0-2009.xml. Examining the CVE XML 2.0 Schema, we are particularly interested in certain vulnerability and CVSS scoring information. For example, for CVE-2010-1228, we will parse and pull the following kind of information:

<entry id="CVE-2010-1228">
  <vuln:cve-id>CVE-2010-1228</vuln:cve-id>
  <vuln:published-datetime>2010-04-01T18:30:00.453-04:00</vuln:published-datetime>
  <vuln:last-modified-datetime>2010-04-05T00:00:00.000-04:00</vuln:last-modified-datetime>
  <vuln:cvss>
    <cvss:base_metrics>
      <cvss:score>10.0</cvss:score>
      <cvss:access-vector>NETWORK</cvss:access-vector>
      <cvss:access-complexity>LOW</cvss:access-complexity>
      <cvss:authentication>NONE</cvss:authentication>
      <cvss:confidentiality-impact>COMPLETE</cvss:confidentiality-impact>
      <cvss:integrity-impact>COMPLETE</cvss:integrity-impact>
      <cvss:availability-impact>COMPLETE</cvss:availability-impact>
      <cvss:source>http://nvd.nist.gov</cvss:source>
    </cvss:base_metrics>
  </vuln:cvss>
</entry>

Using Perl to Retrieve the CVE File

Initially we will read the nvdcve-2.0-2010.xml and nvdcve-2.0-2009.xml files. If we start retrieving the file regularly, we would want to change this to nvdcve-2.0-recent.xml. Of course, previous years can also be read in to provide a longer perspective on vulnerabilities. A simple example of a Perl subroutine to read the NVD CVE file and save it locally would be:

sub readpage {
   my ($url, $nvd_file) = @_;
   my $proxy = "http://your-proxy-server:proxy-port";
   my $ua = LWP::UserAgent->new;
   # One proxy for every scheme we might be handed
   $ua->proxy([qw(http ftp https)] => $proxy);
   # Go out and retrieve the feed
   my $req = HTTP::Request->new(GET => $url);
   my $res = $ua->request($req);
   my $pjstatus = 1;
   # Check that the request succeeded, then save the feed locally
   if ($res->is_success) {
      if (open(my $out, '>', $nvd_file)) {
         print $out $res->content;
         close($out);
      }
      else {
         $pjstatus = 0;   # could not write the local copy
      }
   }
   else {
      $pjstatus = 0;      # HTTP request failed
   }
   return $pjstatus;
}

Please substitute “http://your-proxy-server:proxy-port” with your site’s proxy server and port, if applicable.

Creating a MySQL Table to Hold the Data

There is a great deal of information in the NVD CVE file. You will need to determine what information your organization will be interested in storing and graphing. For better or worse, folks have come to expect vulnerabilities to have a “Low,” “Medium,” or “High” score. NIST has stated concerning the NVD Vulnerability Severity Ratings:

NVD provides severity rankings of “Low,” “Medium,” and “High” in addition to the numeric CVSS scores but these qualitative rankings are simply mapped from the numeric CVSS scores:
1. Vulnerabilities are labeled “Low” severity if they have a CVSS base score of 0.0-3.9.
2. Vulnerabilities will be labeled “Medium” severity if they have a base CVSS score of 4.0-6.9.
3. Vulnerabilities will be labeled “High” severity if they have a CVSS base score of 7.0-10.0.

While preferring quantitative over qualitative values, for this example I would like to create a stacked column chart. We will add a severity column which is based on the CVSS score. An example table follows:

CREATE DATABASE vulnerabilities;
USE vulnerabilities;
DROP TABLE IF EXISTS `nvdcve`;
CREATE TABLE `nvdcve` (
  `cve_id` varchar(13) NOT NULL,
  `published` datetime default NULL,
  `modified` datetime default NULL,
  `score` DECIMAL(5,2) default '0.0',
  `severity` varchar(6) default 'LOW',
  `vector` varchar(25) default NULL,
  `complexity` varchar(25) default NULL,
  `authentication` varchar(25) default NULL,
  `confidentiality` varchar(25) default 'NONE',
  `integrity` varchar(25) default 'NONE',
  `availability` varchar(25) default 'NONE',
  `summary` varchar(512) default NULL,
  PRIMARY KEY  (`cve_id`),
  INDEX (score),
  INDEX (vector)
);

Using Perl to Populate the Database

Populating the database table is simply a matter of reading the file and adding the entries to the table. An example Perl subroutine follows:

sub readxml {
   my ($nvd_file, $dbh) = @_;
   my $parser = XML::LibXML->new();
   my $doc    = $parser->parse_file($nvd_file);
   my $xc     = XML::LibXML::XPathContext->new($doc->documentElement());
   # Namespaces used by the NVD CVE 2.0 feed
   $xc->registerNs(def  => 'http://scap.nist.gov/schema/feed/vulnerability/2.0');
   $xc->registerNs(vuln => 'http://scap.nist.gov/schema/vulnerability/0.4');
   $xc->registerNs(cvss => 'http://scap.nist.gov/schema/cvss-v2/0.2');
   for my $entry ($xc->findnodes('/def:nvd/def:entry')) {
      # findvalue returns the element's text as a plain string
      my $cve       = $xc->findvalue('vuln:cve-id', $entry);
      my $published = $xc->findvalue('vuln:published-datetime', $entry);
      my $modified  = $xc->findvalue('vuln:last-modified-datetime', $entry);
      my $summary   = $xc->findvalue('vuln:summary', $entry);
      # Entries that have not been scored yet carry no base_metrics; skip them
      my ($metrics) = $xc->findnodes('vuln:cvss/cvss:base_metrics', $entry);
      next unless $metrics;
      my $score           = $xc->findvalue('cvss:score', $metrics);
      my $vector          = $xc->findvalue('cvss:access-vector', $metrics);
      my $complexity      = $xc->findvalue('cvss:access-complexity', $metrics);
      my $authentication  = $xc->findvalue('cvss:authentication', $metrics);
      my $confidentiality = $xc->findvalue('cvss:confidentiality-impact', $metrics);
      my $integrity       = $xc->findvalue('cvss:integrity-impact', $metrics);
      my $availability    = $xc->findvalue('cvss:availability-impact', $metrics);
      # NVD severity bands: 0.0-3.9 LOW, 4.0-6.9 MEDIUM, 7.0-10.0 HIGH
      my $severity = "LOW";
      if ($score >= 7.0) {
         $severity = "HIGH";
      }
      elsif ($score >= 4.0) {
         $severity = "MEDIUM";
      }
      # Only insert CVEs that are not already in the table
      my $sth = $dbh->prepare(q{ SELECT count(*) FROM nvdcve WHERE cve_id=? });
      my $rc  = $sth->execute($cve);
      if ($rc) {
         my ($exist) = $sth->fetchrow_array();
         if (! $exist) {
            my $sql = q{ INSERT INTO nvdcve SET cve_id=?,
published=?, modified=?, score=?, severity=?, vector=?, complexity=?,
authentication=?, confidentiality=?, integrity=?, availability=?, summary=? };
            $sth = $dbh->prepare($sql);
            $rc  = $sth->execute($cve, $published, $modified, $score,
$severity, $vector, $complexity, $authentication,
$confidentiality, $integrity, $availability, $summary);
         }
      }
   }
}
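The same extraction in Python, as an added example that is not part of the original post: it registers the three namespaces used in readxml(), pulls the fields the nvdcve table stores, skips entries that carry no base_metrics, and maps the CVSS base score onto the NVD severity bands. The feed is a constructed sample built around the CVE-2010-1228 entry shown above; the CVE-0000-000x entries are placeholder identifiers added to exercise the 3.9/4.0 boundary and the unscored case.

```python
# Added example (not the post's own code): parse an NVD CVE 2.0 feed with
# Python's ElementTree, pull the fields the Perl readxml() stores, and derive
# the NVD severity band from the CVSS base score.
import xml.etree.ElementTree as ET
from datetime import date

# Namespace prefixes from the NVD CVE 2.0 schema, as registered in readxml().
NS = {
    "def": "http://scap.nist.gov/schema/feed/vulnerability/2.0",
    "vuln": "http://scap.nist.gov/schema/vulnerability/0.4",
    "cvss": "http://scap.nist.gov/schema/cvss-v2/0.2",
}

# Constructed sample feed: the CVE-2010-1228 entry shown in the post plus three
# placeholder entries (CVE-0000-000x are not real identifiers) that sit on the
# 3.9/4.0 band boundary or carry no CVSS block at all.
SAMPLE_FEED = """
<nvd xmlns="http://scap.nist.gov/schema/feed/vulnerability/2.0"
     xmlns:vuln="http://scap.nist.gov/schema/vulnerability/0.4"
     xmlns:cvss="http://scap.nist.gov/schema/cvss-v2/0.2">
  <entry id="CVE-2010-1228">
    <vuln:cve-id>CVE-2010-1228</vuln:cve-id>
    <vuln:published-datetime>2010-04-01T18:30:00.453-04:00</vuln:published-datetime>
    <vuln:last-modified-datetime>2010-04-05T00:00:00.000-04:00</vuln:last-modified-datetime>
    <vuln:cvss><cvss:base_metrics>
      <cvss:score>10.0</cvss:score>
      <cvss:access-vector>NETWORK</cvss:access-vector>
      <cvss:access-complexity>LOW</cvss:access-complexity>
      <cvss:authentication>NONE</cvss:authentication>
      <cvss:confidentiality-impact>COMPLETE</cvss:confidentiality-impact>
      <cvss:integrity-impact>COMPLETE</cvss:integrity-impact>
      <cvss:availability-impact>COMPLETE</cvss:availability-impact>
      <cvss:source>http://nvd.nist.gov</cvss:source>
    </cvss:base_metrics></vuln:cvss>
    <vuln:summary>Constructed summary for the sample entry.</vuln:summary>
  </entry>
  <entry id="CVE-0000-0001">
    <vuln:cve-id>CVE-0000-0001</vuln:cve-id>
    <vuln:published-datetime>2010-04-13T10:00:00.000-04:00</vuln:published-datetime>
    <vuln:cvss><cvss:base_metrics><cvss:score>3.9</cvss:score>
      <cvss:access-vector>LOCAL</cvss:access-vector></cvss:base_metrics></vuln:cvss>
  </entry>
  <entry id="CVE-0000-0002">
    <vuln:cve-id>CVE-0000-0002</vuln:cve-id>
    <vuln:published-datetime>2010-04-13T11:00:00.000-04:00</vuln:published-datetime>
    <vuln:cvss><cvss:base_metrics><cvss:score>4.0</cvss:score>
      <cvss:access-vector>NETWORK</cvss:access-vector></cvss:base_metrics></vuln:cvss>
  </entry>
  <entry id="CVE-0000-0003">
    <vuln:cve-id>CVE-0000-0003</vuln:cve-id>
    <vuln:published-datetime>2010-04-14T09:00:00.000-04:00</vuln:published-datetime>
  </entry>
</nvd>
"""


def severity(score):
    """NVD band: 0.0-3.9 LOW, 4.0-6.9 MEDIUM, 7.0-10.0 HIGH."""
    if score >= 7.0:
        return "HIGH"
    if score >= 4.0:
        return "MEDIUM"
    return "LOW"


def parse_feed(xml_text):
    """One dict per scored entry; entries without base_metrics are skipped,
    as readxml() skips them."""
    root = ET.fromstring(xml_text)
    records = []
    for entry in root.findall("def:entry", NS):
        metrics = entry.find("vuln:cvss/cvss:base_metrics", NS)
        if metrics is None:
            continue
        score = float(metrics.findtext("cvss:score", namespaces=NS))
        published = entry.findtext("vuln:published-datetime", namespaces=NS)
        rec = {
            "cve_id": entry.findtext("vuln:cve-id", namespaces=NS),
            # keep the calendar date; the feed's timestamps carry a UTC offset
            "published": date.fromisoformat(published[:10]),
            "score": score,
            "severity": severity(score),
            "summary": entry.findtext("vuln:summary", default="", namespaces=NS),
        }
        for col, tag in (("vector", "access-vector"), ("complexity", "access-complexity"),
                         ("authentication", "authentication"),
                         ("confidentiality", "confidentiality-impact"),
                         ("integrity", "integrity-impact"),
                         ("availability", "availability-impact")):
            rec[col] = metrics.findtext("cvss:" + tag, namespaces=NS)
        records.append(rec)
    return records


if __name__ == "__main__":
    for r in parse_feed(SAMPLE_FEED):
        print(r["cve_id"], r["published"], r["score"], r["severity"], r["vector"])
```

The records come back as plain dicts, so the same list can feed an INSERT through any DB-API driver or be rolled up for the charts below; a metric that is missing from an entry comes back as None rather than raising.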

The Perl Program to Pull It All Together

The above subroutines use the Perl modules LWP::UserAgent, XML::LibXML, XML::LibXML::XPathContext, and DBI. A sample Perl program that calls the above subroutines to pull down the NVD CVE data and load it into a MySQL table would be:

#!/usr/local/bin/perl -w
use LWP::UserAgent;
use XML::LibXML;
use XML::LibXML::XPathContext;
use DBI;
BEGIN { push @INC, "/home/jgerber/projects/nvd/perl" }
# $mysql_sock holds the path to the MySQL socket ("$mysql.sock" is not a
# valid Perl variable name); export it from nvdsubs.pm under this name.
use nvdsubs qw($db_host $db $mysql_user $mysql_passwd $mysql_sock
readpage readxml);
# Main
my $datadir = "/home/johngerber/projects/nvd/data";
my @timeData = localtime(time);
my $year = 1900 + $timeData[5];
my $prev_year = $year - 1;
my $url = "http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-" .
    $year . ".xml";
my $prev_url = "http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-" .
    $prev_year . ".xml";
my $nvd_file = $datadir . "/nvdcve-" . $year . ".xml";
my $prev_nvd_file = $datadir . "/nvdcve-" . $prev_year . ".xml";
$db = "vulnerabilities";
# DBD::mysql DSN: database, host and socket are given as key=value pairs
my $dbh = DBI->connect("DBI:mysql:database=$db;host=$db_host;mysql_socket=$mysql_sock",
    $mysql_user, $mysql_passwd) || die "ERROR: Connecting: $DBI::errstr\n";
# Load last year's feed first, then the current year's
my $pjstatus = readpage($prev_url, $prev_nvd_file);
if ($pjstatus) {
   readxml($prev_nvd_file, $dbh);
}
$pjstatus = readpage($url, $nvd_file);
if ($pjstatus) {
   readxml($nvd_file, $dbh);
}
$dbh->disconnect;
exit;

The nvdsubs.pm file will not be included in this post. The subroutines are defined and the only pieces missing are the MySQL database username and password. You don’t need mine. Add your own. At this point, we have everything we need to finally use Google Visualization to create a graph.

Google Visualization

We are going to create a Perl program that will read our MySQL nvdcve table and generate the JavaScript that will render our charts in the client’s browser. First, we want to define the JavaScript we want to produce. Just to alleviate some concerns: with Google Visualization your data is only shared between your server and the client connecting. This is unlike Google Charts, where your data is sent to Google, made into a chart there, and the result sent back. Google states concerning the logging of chart data (via Google Charts), “The chart data included in the HTTP request is saved in temporary logs for no longer than two weeks for internal testing and debugging purposes.” Every example in the Google Visualization Gallery states its data policy. For Google Charts, the data policy is stated at the bottom of each gadget description:

While Google Visualization gadgets will have the following stated data policy:

Loading Google Libraries

The first thing the JavaScript needs to do is load the required libraries. This is accomplished with the lines:

<script type="text/javascript" src="http://www.google.com/jsapi"></script>

Area Chart and Table

In this example we are going to create a column chart. In a later section, “Other Charting Options” (see below), we describe other Google Visualization charting options.

JavaScript code for a sample column chart would be:

    <script type='text/javascript'>
      google.load('visualization', '1', {packages:['columnchart']});
      google.setOnLoadCallback(drawChart);
      function drawChart() {
        var data = new google.visualization.DataTable();
        data.addColumn('date', 'Date');
        data.addColumn('number', 'High');
        data.addColumn('number', 'Medium');
        data.addColumn('number', 'Low');
        data.addRows([
           [new Date(2009, 0, 30),92,97,3],
           [new Date(2009, 1, 27),168,142,25],
           [new Date(2009, 2, 31),141,165,9],
           [new Date(2009, 3, 30),132,203,12],
           [new Date(2009, 4, 29),158,153,8],
           [new Date(2009, 5, 30),200,199,22],
           [new Date(2009, 6, 31),190,195,11],
           [new Date(2009, 7, 31),127,139,14],
           [new Date(2009, 8, 30),233,208,14],
           [new Date(2009, 9, 30),163,167,18],
           [new Date(2009, 10, 30),129,172,8],
           [new Date(2009, 11, 31),200,211,19],
           [new Date(2010, 0, 29),157,139,14],
           [new Date(2010, 1, 26),137,143,12],
           [new Date(2010, 2, 31),252,242,18],
           [new Date(2010, 3, 13),92,118,17]
        ]);
        var chart = new google.visualization.ColumnChart(document.getElementById('s4graph'));
        chart.draw(data, {displayAnnotations:true, is3D: true, isStacked: true, min: 0,
          allowHtml: true, colors:[{color:'#E41B17', darker:'#C11B17'}, {color:'#FFA500', darker:'#E56717'}, {color:'#FFE87C', darker:'#C8B560'}]});
      }
    </script>

The resulting image would be the following column chart:

Rendering the Table

When providing qualitative results, I like to back them up with more accurate numeric values. Let us include a table with links to the CVSS scores for each vulnerability.

    <script type='text/javascript'>
      google.load('visualization', '1', {packages:['table']});
      google.setOnLoadCallback(drawChart);
      function drawChart() {
        var data2 = new google.visualization.DataTable();
        data2.addColumn('date', 'Date');
        data2.addColumn('number', 'High');
        data2.addColumn('number', 'Medium');
        data2.addColumn('number', 'Low');
        data2.addRows([
           [{v:new Date(2009, 0, 30),
              f:'<a href="/nvd/cvealerts.php?date=2009-01">2009-01-30</a>'}, 92,97,3],
           [{v:new Date(2009, 1, 27),
              f:'<a href="/nvd/cvealerts.php?date=2009-02">2009-02-27</a>'}, 168,142,25],
           [{v:new Date(2009, 2, 31),
              f:'<a href="/nvd/cvealerts.php?date=2009-03">2009-03-31</a>'}, 141,165,9],
           [{v:new Date(2009, 3, 30),
              f:'<a href="/nvd/cvealerts.php?date=2009-04">2009-04-30</a>'}, 132,203,12],
           [{v:new Date(2009, 4, 29),
              f:'<a href="/nvd/cvealerts.php?date=2009-05">2009-05-29</a>'}, 158,153,8],
           [{v:new Date(2009, 5, 30),
              f:'<a href="/nvd/cvealerts.php?date=2009-06">2009-06-30</a>'}, 200,199,22],
           [{v:new Date(2009, 6, 31),
              f:'<a href="/nvd/cvealerts.php?date=2009-07">2009-07-31</a>'}, 190,195,11],
           [{v:new Date(2009, 7, 31),
              f:'<a href="/nvd/cvealerts.php?date=2009-08">2009-08-31</a>'}, 127,139,14],
           [{v:new Date(2009, 8, 30),
              f:'<a href="/nvd/cvealerts.php?date=2009-09">2009-09-30</a>'}, 233,208,14],
           [{v:new Date(2009, 9, 30),
              f:'<a href="/nvd/cvealerts.php?date=2009-10">2009-10-30</a>'}, 163,167,18],
           [{v:new Date(2009, 10, 30),
              f:'<a href="/nvd/cvealerts.php?date=2009-11">2009-11-30</a>'}, 129,172,8],
           [{v:new Date(2009, 11, 31),
              f:'<a href="/nvd/cvealerts.php?date=2009-12">2009-12-31</a>'}, 200,211,19],
           [{v:new Date(2010, 0, 29),
              f:'<a href="/nvd/cvealerts.php?date=2010-01">2010-01-29</a>'}, 157,139,14],
           [{v:new Date(2010, 1, 26),
              f:'<a href="/nvd/cvealerts.php?date=2010-02">2010-02-26</a>'}, 137,143,12],
           [{v:new Date(2010, 2, 31),
              f:'<a href="/nvd/cvealerts.php?date=2010-03">2010-03-31</a>'}, 252,242,18],
           [{v:new Date(2010, 3, 13),
              f:'<a href="/nvd/cvealerts.php?date=2010-04">2010-04-13</a>'}, 92,118,17]
        ]);
        var table = new google.visualization.Table(document.getElementById('s4graph_tab'));
        table.draw(data2, {showRowNumber: true, sortAscending: false, sortColumn: 0, allowHtml: true});
      }
    </script>

The JavaScript code assumes there is a PHP program called cvealerts.php under the /nvd directory on your web server. Adjust to your environment. A sample PHP program that could be used for cvealerts.php is provided below. The resulting table chart would look like:
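The rows in the two scripts above were written out by hand for this post; the Perl program is meant to produce them from the nvdcve table. As an added example, not the post's code, here is that roll-up and rendering step in Python: it groups per-CVE records (constructed inline, in the shape the nvdcve table holds) by month of publication, keeps the latest publication date in each month as the row's date the way the sample rows do, and emits the data.addRows([...]) literal for either the column chart or the linked table. Two details are worth seeing in code: JavaScript Date months are zero-based, so 2009-01-30 becomes new Date(2009, 0, 30), and the rows are joined with commas rather than terminated with them, so no trailing comma is emitted. The cvealerts.php link path is the one used in the post.

```python
# Added example (not the post's own code): roll up per-CVE records by month of
# publication and emit the JavaScript rows the column chart and table consume.
from datetime import date

# Constructed records in the shape the nvdcve table holds after loading
# (CVE-0000-000x are placeholder identifiers, not real CVEs).
RECORDS = [
    {"cve_id": "CVE-0000-0001", "published": date(2009, 1, 12), "severity": "HIGH"},
    {"cve_id": "CVE-0000-0002", "published": date(2009, 1, 30), "severity": "HIGH"},
    {"cve_id": "CVE-0000-0003", "published": date(2009, 1, 30), "severity": "MEDIUM"},
    {"cve_id": "CVE-0000-0004", "published": date(2009, 2, 27), "severity": "LOW"},
    {"cve_id": "CVE-0000-0005", "published": date(2010, 4, 13), "severity": "HIGH"},
]


def monthly_counts(records):
    """Group records by (year, month) and count each severity band.

    The row's date is the latest publication date seen in that month, the way
    the post's sample rows end a partial month on 2010-04-13."""
    months = {}
    for r in records:
        key = (r["published"].year, r["published"].month)
        m = months.setdefault(key, {"date": r["published"],
                                    "HIGH": 0, "MEDIUM": 0, "LOW": 0})
        m["date"] = max(m["date"], r["published"])
        m[r["severity"]] += 1
    return months


def js_rows(months, with_links=False, link_path="/nvd/cvealerts.php"):
    """Render the data.addRows([...]) literal for the DataTable.

    JavaScript Date months are zero-based, so 2009-01-30 must be written as
    new Date(2009, 0, 30). With with_links=True each date cell takes the
    {v:..., f:...} form the table example uses, linking to cvealerts.php."""
    rows = []
    for (year, month), m in sorted(months.items()):
        d = m["date"]
        js_date = "new Date(%d, %d, %d)" % (d.year, d.month - 1, d.day)
        if with_links:
            cell = "{v:%s, f:'<a href=\"%s?date=%04d-%02d\">%s</a>'}" % (
                js_date, link_path, year, month, d.isoformat())
        else:
            cell = js_date
        rows.append("   [%s,%d,%d,%d]" % (cell, m["HIGH"], m["MEDIUM"], m["LOW"]))
    # Rows are joined with commas, not terminated by them, so the literal never
    # ends in a trailing comma (older browsers add an undefined row for one).
    return "data.addRows([\n" + ",\n".join(rows) + "\n]);"


if __name__ == "__main__":
    print(js_rows(monthly_counts(RECORDS)))
    print(js_rows(monthly_counts(RECORDS), with_links=True))
```

The output of js_rows() is the text to splice in place of the hand-written addRows call in either script; the column chart takes the plain form and the table the linked form.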

Handling Events: Interactions Between Graphs

We now have two different types of graphs representing the same data. We want to add interaction between the graphs so the viewer can see the relationship. In a table, a row is selected when the user clicks it; that row corresponds to a whole column of the stacked column chart. It is not a perfect fit, but it demonstrates nicely how to add interactions. For the listeners below to work, the chart and the table must be created in the same callback (one google.load call listing both packages), so that the chart and table variables are in scope when the listeners are registered.

        // Set a 'select' event listener for the table.
        // When a table row is selected, select the matching
        // column of the stacked column chart.
        google.visualization.events.addListener(table, 'select', function() {
          var sel = table.getSelection();
          // 'select' also fires on deselect, with an empty selection
          if (sel.length > 0) {
            chart.setSelection([{row: sel[0].row, column: 1}]);
          }
        });
        // Set a 'select' event listener for the chart.
        // When a chart column is selected, select the matching table row.
        google.visualization.events.addListener(chart, 'select', function() {
          var sel = chart.getSelection();
          if (sel.length > 0) {
            table.setSelection([{row: sel[0].row}]);
          }
        });

Providing Detailed Information

When the table chart link is clicked, we would like to provide some detailed information about the vulnerability. For this example, we will do this with a simple PHP program placed in the /nvd directory on the web server. The program is called cvealerts.php.
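Before the PHP itself, an added example in Python (not the post's code) of the lookup cvealerts.php performs: the comma-separated ?date= value is reduced to well-formed YYYY-MM items, and each month is bound as a query parameter rather than spliced into the SQL text, so a malformed value is dropped instead of changing the query or the page title. It assumes sqlite3 in place of MySQL, with strftime('%Y-%m', published) standing in for date_format(published,'%Y-%m'); the table and its rows are constructed for the example and CVE-0000-000x are placeholder identifiers.

```python
# Added example (not the post's PHP): the lookup cvealerts.php performs, with
# the ?date= value validated and bound as a query parameter. sqlite3 stands in
# for MySQL, so strftime('%Y-%m', published) replaces date_format(published,'%Y-%m').
import re
import sqlite3

# The page accepts months as YYYY-MM, comma separated; anything else is dropped.
MONTH_RE = re.compile(r"^\d{4}-\d{2}$")


def parse_dates(raw):
    """Split the ?date= value and keep only well-formed YYYY-MM items.

    The items end up in the page title and in the WHERE clause, so the
    whitelist keeps both the HTML and the SQL free of caller-supplied syntax."""
    if raw is None:
        return []
    return [d for d in raw.split(",") if MONTH_RE.match(d)]


def open_sample_db():
    """In-memory table with the nvdcve columns the report reads, plus a few
    constructed rows (CVE-0000-000x are placeholders, not real identifiers)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE nvdcve (
        cve_id TEXT PRIMARY KEY, published TEXT, score REAL, severity TEXT,
        vector TEXT, complexity TEXT, summary TEXT)""")
    conn.executemany("INSERT INTO nvdcve VALUES (?,?,?,?,?,?,?)", [
        ("CVE-0000-0001", "2009-01-12 18:30:00", 10.0, "HIGH", "NETWORK", "LOW", "constructed high"),
        ("CVE-0000-0002", "2009-01-30 09:00:00", 4.3, "MEDIUM", "NETWORK", "MEDIUM", "constructed medium"),
        ("CVE-0000-0003", "2009-02-27 12:00:00", 2.1, "LOW", "LOCAL", "HIGH", "constructed low"),
    ])
    conn.commit()
    return conn


def cves_for_month(conn, month):
    """Rows published in the given YYYY-MM, lowest score first (the PHP's ORDER BY).

    The month is passed as a bound parameter; it never becomes part of the SQL text."""
    sql = """SELECT cve_id, score, published, vector, severity, complexity,
                    substr(summary, 1, 50)
             FROM nvdcve
             WHERE strftime('%Y-%m', published) = ?
             ORDER BY score"""
    return conn.execute(sql, (month,)).fetchall()


def report(conn, raw_date_param):
    """One result list per accepted month, keyed by the month string."""
    return {m: cves_for_month(conn, m) for m in parse_dates(raw_date_param)}


if __name__ == "__main__":
    db = open_sample_db()
    for month, rows in report(db, "2009-01,2009-02").items():
        print(month)
        for row in rows:
            print("  ", row[0], row[1], row[4])
```

The two checks together are what the PHP below needs at its `$_GET['date']` and `$rule` steps: a shape check on the incoming list, and a placeholder for the value in the query.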

<?
session_start();
function db_connect($table) {
   $result = mysql_pconnect("<dbhost>:<dbport>", "<username>", "<password>");
   if (!$result) return false;
   if (!mysql_select_db($table)) return false;
   return $result;
}
function do_html_header($title,$checkuser,$logpage) {
?>
  <html> <head> <title><?=$title?></title></head>
  <body bgcolor="#FFFFFF">
<?
}
function do_html_footer() {
?>
<table>
<tr><td ALIGN=CENTER NOWRAP WIDTH="590">
<font face="Verdana, Arial, Helvetica" size=-2>Notice to Users: Use
of this system constitutes consent to security monitoring and testing.
<br>All activity is logged with your host name and IP address.</font>
</td></tr>
</table>
</body>
 </html>
<?
}
// Main
$dates= array();
$stringlist = "";
if (isset($_GET['date'])) {
    $passdates = explode(",",$_GET['date']);
    for ($index=0; $index<count($passdates); $index++) {
       // Only accept YYYY-MM values: each one is placed in the SQL WHERE
       // clause and echoed in the page title, so anything else is dropped.
       if (!preg_match('/^\d{4}-\d{2}$/', $passdates[$index])) continue;
       array_push($dates, $passdates[$index]);
       $stringlist .= $passdates[$index] . " ";
    }
}
else {
  print("Confusion over how you arrived at this page.<P>\n");
  exit;
}
$stringlist = preg_replace("/ $/", "",$stringlist);
do_html_header("Review NVD CVE Announcements for Month Ending $stringlist",1,1);
$nvd_host = "http://web.nvd.nist.gov/view/vuln/detail?vulnId=";
$conn = db_connect("vulnerabilities");
if (!$conn)
   logit("Could not connect to database vulnerabilities - please try later.\n",1);
for ($index=0; $index<count($dates); $index++) {
   $rule = $dates[$index];
   $sql = "SELECT cve_id,score,published,vector,severity,complexity,left(summary,50)
    FROM vulnerabilities.nvdcve
      WHERE date_format(published,'%Y-%m')='$rule'
       ORDER BY (score+0)";
   $result = mysql_query($sql,$conn);
   if (!$result)
       logit("Problem with $sql\n",1);
   print("<table border=1><tr><td><table border=0><tr><th bgcolor=\"#727D96\">
<font color=\"#ffffff\" face=\"arial,helvetica,sanserif\">Bulletin</font></th><th bgcolor=\"#727D96\">
<font color=\"#ffffff\" face=\"arial,helvetica,sanserif\">Impact</font></th><th bgcolor=\"#727D96\">
<font color=\"#ffffff\" face=\"arial,helvetica,sanserif\">Date</font></th><th bgcolor=\"#727D96\">
<font color=\"#ffffff\" face=\"arial,helvetica,sanserif\">Vector</font></th><th bgcolor=\"#727D96\">
<font color=\"#ffffff\" face=\"arial,helvetica,sanserif\">Severity</font></th><th bgcolor=\"#727D96\">
<font color=\"#ffffff\" face=\"arial,helvetica,sanserif\">Complexity</font></th><th bgcolor=\"#727D96\">
<font color=\"#ffffff\" face=\"arial,helvetica,sanserif\">Short Summary</font></th></tr>\n");
   for ($count = 1; list($cve_id, $score, $date, $vector, $severity,$complexity,$shortsum) =
     mysql_fetch_array ($result, MYSQL_NUM); ++$count) {
?>
      <tr><td CLASS="plfieldhdrleft" WIDTH="20%" BGCOLOR='#F0F5FF'>
      <?  print("<a href=\"$nvd_host$cve_id\">$cve_id</a>"); ?>
      </td>
      <td CLASS="plfieldhdrleft" BGCOLOR='#F9FCFF'>
      <?  print($score); ?>
      </td>
      <td CLASS="plfieldhdrleft" BGCOLOR='#F0F5FF'>
      <?  print($date); ?>
      </td>
      <td CLASS="plfieldhdrleft" BGCOLOR='#F9FCFF'>
      <?  print($vector); ?>
      </td>
      <td CLASS="plfieldhdrleft" BGCOLOR='#F0F5FF'>
      <?  print($severity); ?>
      </td>
      <td CLASS="plfieldhdrleft" BGCOLOR='#F9FCFF'>
      <?  print($complexity); ?>
      </td>
      <td CLASS="plfieldhdrleft" BGCOLOR='#F0F5FF'>
      <?  print($shortsum); ?>
      </td>
      </tr>
<?
   }
}
print("</table></td></tr></table>");
do_html_footer();

The PHP program generates an HTML table listing the NVD CVE alerts for that month. The table would look like:

When the CVE link is clicked on, the user is taken to the NIST NVD site where additional information is available.

Using Perl to Create the JavaScript

The Perl code is rather simple now that we have the MySQL tables defined and the JavaScript we want to generate. Much of the code consists of the JavaScript listed above.

#!/usr/local/bin/perl -w
# Builds nvdcve_stats.html: a stacked column chart plus a table of NVD CVE counts
# per month (High/Medium/Low), drawn with the Google Visualization API.
use strict;
use DBI;
use Time::Local;
use POSIX qw(strftime);
use LWP::UserAgent;
BEGIN { push @INC, "/home/jgerber/projects/nvd/perl" }
use ornl_feds qw($db_host $db $mysql_user $mysql_passwd);

# Format one month's counts as a chart row and a table row. The table cell links
# to cvealerts.php with the YYYY-MM value that script expects.
sub month_rows {
   my ($mmax_date, $ht, $mt, $lt, $web_link) = @_;
   my ($year, $month, $day) = split("-", $mmax_date);
   my $mmonth = $month;
   $month--;    # JavaScript Date months are zero-based
   $day += 0;   # drop a leading zero so "08"/"09" are not emitted as octal literals
   my $graph = qq!           [new Date($year, $month, $day),$ht,$mt,$lt]!;
   my $table = qq!           [{v:new Date($year, $month, $day),
              f:'<a href="$web_link/cvealerts.php?date=$year-$mmonth">$mmax_date</a>'}, $ht,$mt,$lt]!;
   return ($graph, $table);
}

# Build the <script> block: the two DataTables, the chart and table drawing calls,
# and the selection listeners that link them.
sub slide_nvd_alerts {
   my ($min_date, $graph_name, $web_link, $dbh) = @_;
   my $slide_head = qq!
    <script type='text/javascript'>
      google.load('visualization', '1', {packages:['columnchart','table']});
      google.setOnLoadCallback(drawChart);
      function drawChart() {
        var data = new google.visualization.DataTable();
        data.addColumn('date', 'Date');
        data.addColumn('number', 'High');
        data.addColumn('number', 'Medium');
        data.addColumn('number', 'Low');
        data.addRows([
!;
   my $slide_head_table = qq!
        var data2 = new google.visualization.DataTable();
        data2.addColumn('date', 'Date');
        data2.addColumn('number', 'High');
        data2.addColumn('number', 'Medium');
        data2.addColumn('number', 'Low');
        data2.addRows([
!;
   my $table_div = $graph_name . "_tab";
   my $slide_tail = qq!
        var chart = new google.visualization.ColumnChart(document.getElementById('$graph_name'));
        chart.draw(data, {displayAnnotations:true, is3D: true, isStacked: true, min: 0, allowHtml: true,
          colors:[{color:'#E41B17', darker:'#C11B17'}, {color:'#FFA500', darker:'#E56717'},
                  {color:'#FFE87C', darker:'#C8B560'}]});
        var table = new google.visualization.Table(document.getElementById('$table_div'));
        table.draw(data2, {showRowNumber: true, sortAscending: false, sortColumn: 0, allowHtml: true});
        // When a table row is selected, select the matching column in the chart.
        // getSelection() is empty on deselect, so guard before indexing it.
        google.visualization.events.addListener(table, 'select', function() {
          var sel = table.getSelection();
          if (sel.length > 0) chart.setSelection([{row: sel[0].row, column: 1}]);
        });
        // When a chart column is selected, select the matching table row.
        google.visualization.events.addListener(chart, 'select', function() {
          var sel = chart.getSelection();
          if (sel.length > 0) table.setSelection([{row: sel[0].row}]);
        });
      }
    </script>
!;
   # Without a start date, begin at the earliest published CVE in the table.
   if ($min_date eq "") {
      my $sth = $dbh->prepare(qq{ SELECT min(published) FROM vulnerabilities.nvdcve });
      if ($sth->execute()) {
         ($min_date) = $sth->fetchrow_array();
      }
   }
   # One row per (month, severity). The ORDER BY matters: the loop below detects a
   # new month by a change in the month value, so months must arrive in sequence.
   my $sql2 = qq{ SELECT date_format(published,'%Y-%m'), severity, count(severity)
      FROM vulnerabilities.nvdcve WHERE published >= ?
      GROUP BY date_format(published,'%Y-%m'), severity
      ORDER BY date_format(published,'%Y-%m') };
   my $sth2 = $dbh->prepare($sql2);
   my $rc2 = $sth2->execute($min_date);
   my (@graph_rows, @table_rows);
   if ($rc2) {
      my ($change, $ht, $mt, $lt, $mmax_date) = ("", 0, 0, 0, "");
      while (my ($snapshot_date, $severity, $pcount) = $sth2->fetchrow_array()) {
         # Latest publication date within this month; it becomes the row's date.
         my $sth3 = $dbh->prepare(qq{ SELECT max(published) FROM vulnerabilities.nvdcve
            WHERE date_format(published,'%Y-%m')=? });
         $sth3->execute($snapshot_date);
         my ($max_date) = $sth3->fetchrow_array();
         $max_date =~ s/ \S+$//;   # strip the time-of-day part
         if ($change ne $snapshot_date) {
            if ($change ne "") {
               my ($g, $t) = month_rows($mmax_date, $ht, $mt, $lt, $web_link);
               push @graph_rows, $g;
               push @table_rows, $t;
               ($ht, $mt, $lt, $mmax_date) = (0, 0, 0, "");
            }
            $change = $snapshot_date;
         }
         if    ($severity eq "HIGH")   { $ht = $pcount; }
         elsif ($severity eq "MEDIUM") { $mt = $pcount; }
         elsif ($severity eq "LOW")    { $lt = $pcount; }
         $mmax_date = $max_date if $mmax_date eq "" || $mmax_date lt $max_date;
      }
      # Flush the last month, but only if at least one row was read.
      if ($change ne "") {
         my ($g, $t) = month_rows($mmax_date, $ht, $mt, $lt, $web_link);
         push @graph_rows, $g;
         push @table_rows, $t;
      }
   }
   # Rows are joined with commas here so no trailing comma reaches the JavaScript.
   my $graph_data = join(",\n", @graph_rows) . "\n        ]);\n";
   my $table_data = join(",\n", @table_rows) . "\n        ]);\n";
   return $slide_head . $graph_data . $slide_head_table . $table_data . $slide_tail;
}

# Build the page body: a title and side-by-side divs for the chart and the table.
sub slide_body {
   my ($graph_name, $title, $style) = @_;
   my $table_name = $graph_name . "_tab";
   my $style_attr = ($style ne "") ? " style='$style'" : "";
   my $slide2 = "<h3>$title</h3>\n";
   $slide2 .= qq{
    <table><tr>
    <td valign="top"><div id="$graph_name"$style_attr></div></td>
    <td valign="top"><div id="$table_name"$style_attr></div></td>
    <td valign="top">   </td>
    <td valign="top"><div id="labels"></div></td>
    </tr></table>
  };
   return $slide2;
}

# Main
my $web_link    = "/nvd";
my $results_dir = "/data/html" . $web_link;
my $result_file = $results_dir . "/nvdcve_stats.html";
my $dbname      = "vulnerabilities";
my $dbh = DBI->connect("DBI:mysql:$dbname:$db_host", $mysql_user, $mysql_passwd)
   or die "ERROR: Connecting: $DBI::errstr\n";
my $slides_data = slide_body("s4graph", "NVD CVE Alerts", "width:700px; height:400px;");
my $slides_head = slide_nvd_alerts("", "s4graph", $web_link, $dbh);
open(my $out, ">", $result_file) or die "ERROR: cannot write $result_file: $!\n";
print $out "<HTML>\n<HEAD><TITLE>NVD CVE Statistics</TITLE>\n";
print $out "<script type=\"text/javascript\" src=\"http://www.google.com/jsapi\"></script>\n";
print $out $slides_head;
print $out "</HEAD>\n<BODY>\n";
print $out $slides_data;
print $out "</BODY>\n</HTML>\n";
close($out);
$dbh->disconnect;
exit;

Other Charting Options

Google, Google users, and other companies have shared JavaScript visualizations built on the Google Visualization API to help you get started. Below are some examples:

Additional Information

Below is the talk that Itai Raz, the lead engineer for the Visualization API product at Google, gave at Google I/O 2009 titled “Using the Visualization API with GWT:”

Additional Possibilities

The work above is meant only to serve as a starting point. There is a great deal more information to expand upon. For example, we began this post by pulling some information from the XML schema for CVE-2010-1228. One field we did not pull out of the XML file is:

    <vuln:cwe id="CWE-362" />

The Common Weakness Enumeration (CWE) represents vulnerability types and NIST provides a CWE Cross Section Mapped into by NVD table. In the above example, we see an entry:

Name            | CWE-ID  | Description
Race Conditions | CWE-362 | The state of a resource can change between the time the resource is checked to when it is accessed.

Clicking on the link will take us to the MITRE site that provides a great deal more information on CWE entries. It is easy enough to expand on the above program to harvest this information for a richer information database.

Another possibility is to expand the above program to pull additional information on the CVE entry. In addition to the data in the NVD CVE XML file, we could pull information from the NVD site. Using CVE-2010-1228 as an example, we could have the program pull down the page:

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1228

Notice the line:

CVSS v2 Base Score:10.0 (HIGH) (AV:N/AC:L/Au:N/C:C/I:C/A:C) (legend)

The (AV:N/AC:L/Au:N/C:C/I:C/A:C) provides values that were used in determining the base score. If you follow the link, you will see the values used in the calculations:

  • CVSS Base Score: 10
    • Impact Subscore: 10
    • Exploitability Subscore: 10
  • CVSS Temporal Score: Undefined
  • CVSS Environmental Score: Undefined
  • Overall CVSS Score: 10

NVD has made available the equations used in calculating the CVSS base score, temporal score, and environmental score.

Three other pieces of information that might provide interesting groupings are:

  • Access Complexity: Low **NOTE: Access Complexity scored Low due to insufficient information
  • Authentication: Not required to exploit
  • Impact Type: Allows unauthorized disclosure of information; Allows unauthorized modification; Allows disruption of service
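The base score equations referred to above, and the Access Complexity and Authentication groupings, can all be derived from the vector string NVD prints. The following is an added example, not code from the original post: it parses a CVSS v2 vector, recomputes the impact and exploitability subscores and the base score, and assigns NVD's severity bucket. The metric weights and equations are those of the CVSS v2 specification; the sample vector is the one shown above for CVE-2010-1228.

```javascript
// Added example (not from the original post): CVSS v2 base-score calculator for
// vector strings such as "(AV:N/AC:L/Au:N/C:C/I:C/A:C)".
// Metric weights and equations are those of the CVSS v2 specification.
const WEIGHTS = {
  AV: { L: 0.395, A: 0.646, N: 1.0 },   // Access Vector
  AC: { H: 0.35, M: 0.61, L: 0.71 },    // Access Complexity
  Au: { M: 0.45, S: 0.56, N: 0.704 },   // Authentication
  C:  { N: 0.0, P: 0.275, C: 0.660 },   // Confidentiality impact
  I:  { N: 0.0, P: 0.275, C: 0.660 },   // Integrity impact
  A:  { N: 0.0, P: 0.275, C: 0.660 },   // Availability impact
};

const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// round_to_1_decimal() from the specification.
function round1(x) {
  return Math.round(x * 10) / 10;
}

// Parse a vector; the parentheses NVD prints around it are optional.
// Every metric must be present with a known value, otherwise the vector is rejected.
function parseVector(vector) {
  const body = String(vector).trim().replace(/^\(/, '').replace(/\)$/, '');
  const metrics = {};
  for (const part of body.split('/')) {
    const [key, value] = part.split(':');
    if (!hasOwn(WEIGHTS, key) || !hasOwn(WEIGHTS[key], value)) {
      throw new Error('unknown or malformed metric: ' + part);
    }
    metrics[key] = value;
  }
  for (const key of Object.keys(WEIGHTS)) {
    if (!hasOwn(metrics, key)) throw new Error('missing metric ' + key);
  }
  return metrics;
}

// NVD's severity ranking for CVSS v2: Low 0.0-3.9, Medium 4.0-6.9, High 7.0-10.0.
function severity(score) {
  if (score >= 7.0) return 'HIGH';
  if (score >= 4.0) return 'MEDIUM';
  return 'LOW';
}

// Returns the subscores and base score. Access Complexity and Authentication
// are passed through so results can be grouped by them, as the post suggests.
function cvss2BaseScore(vector) {
  const m = parseVector(vector);
  const w = (key) => WEIGHTS[key][m[key]];
  const impact = 10.41 * (1 - (1 - w('C')) * (1 - w('I')) * (1 - w('A')));
  const exploitability = 20 * w('AV') * w('AC') * w('Au');
  // f(Impact) is 0 when Impact is 0 and 1.176 otherwise; when it is 0 the base
  // score is exactly 0, so skip the multiplication (it would otherwise yield -0).
  const base = impact === 0
    ? 0
    : round1((0.6 * impact + 0.4 * exploitability - 1.5) * 1.176);
  return {
    base,
    impact: round1(impact),
    exploitability: round1(exploitability),
    severity: severity(base),
    accessComplexity: m.AC,
    authentication: m.Au,
  };
}

// Constructed sample: the vector NVD lists for CVE-2010-1228 (base score 10.0).
const SAMPLE_VECTOR = '(AV:N/AC:L/Au:N/C:C/I:C/A:C)';
console.log(cvss2BaseScore(SAMPLE_VECTOR));
```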

What information is of interest, and how it is used, will depend on your organization. There is a great deal of information available and many directions in which you could start examining it.

Final Thoughts

I am often reminded of the old phrase, “Trust us, we are from the government.” No one really trusts anyone, especially when it comes to matters they do not understand. Just because you are from the security group at your organization, is that reason enough for the CEO to give you unlimited money and authority to do what you see fit? Of course not. While management might trust you, they may not believe that you are capable of seeing the big picture. That is after all their job.

Another great old saying is that “the devil is in the details.” Those details will likely fall in the security domain. In organizations across the planet there is a tug of war between the details and the big picture, with multiple groups adding in their opinions and views. You need to make the details understandable to your higher management to effectively argue your view. Finding effective metrics and clear representations is essential in today’s business. Google Visualization can be a useful tool in accomplishing this task.

COBIT 5 Joins Together COBIT 4.1, Risk IT, and Val IT 2.0
http://blog.securitymonks.com/2010/03/23/cobit-5-cobit-4-1-risk-it-val-it-2-0/
Tue, 23 Mar 2010 17:13:16 +0000, John Gerber

ISACA just announced the release of COBIT® 5 Design (Exposure Draft). COBIT 5 will consolidate and integrate the COBIT 4.1, Val IT 2.0 and Risk IT frameworks and also draw significantly from the Business Model for Information Security (BMIS) and ITAF.

ISACA does a great job of mapping COBIT to other standards. It will be interesting to see how much alignment there is between COBIT 5 and the recent work being done by the National Institute of Standards and Technology (NIST). Just last month, NIST released Special Publication 800-37 Rev. 1, “Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach.” To quote Dan Phillpott over on the Guerilla CISO site, “This document describes the central processes involved in the authorization of information systems that support the federal government. Notice I didn’t say Certification and Accreditation? That’s because C&A is deader than a sheep at a wolf convention. Want to know what replaces it?” Dan suggests picking up a copy of NIST SP 800-37 Rev 1.

Much of the recent focus on risk management is fueled by the need to deal with changing technologies. NIST SP 800-37 Rev. 1 is not the first NIST document concerning risk management, and it certainly will not be the last. Later this year NIST will release SP 800-39 Rev. 1, “Integrated Enterprise-Wide Risk Management: Organization, Mission, and Information System View” and NIST SP 800-30 Rev. 1, “Guide for Conducting Risk Assessments.” Dr. Ron Ross presented NIST’s view of the next generation of risk management in his talk, “Next Generation Risk Management: Information Security Transformation for the Federal Government,” at the 5th Annual Security Automation Conference.

Quoting from the “Changing Technologies and the Effects on Information System Boundaries” section of NIST SP 800-37 Rev. 1:

Changes to current information technologies and computing paradigms add complications to the traditional tasks of establishing information system boundaries and protecting the missions and business processes supported by organizational information systems. In particular, net-centric architectures (e.g., service-oriented architectures [SOAs], cloud computing) introduce two important concepts: (i) dynamic subsystems; and (ii) external subsystems. While the concepts of dynamic subsystems and external subsystems (described in the following sections) are not new, the pervasiveness and frequency of their invocation in net-centric architectures can present organizations with significant new challenges.

Focusing back to COBIT 5, the planned primary improvements will consist of:

  • Aligning COBIT 5 with ISACA’s TGF initiative as well as recent global governmental and market-driven enterprise and IT governance initiatives, such as sustainability and green IT.
  • Consolidating COBIT 5 into a single overarching framework and knowledge base, providing one consistent and integrated source of guidance.
  • COBIT 5 will be described in a high-level framework publication, providing an explanation of the objectives, scope, format and usage of COBIT 5 and enabling enterprises to strategically plan adoption of COBIT 5 and how to migrate to the new framework.
  • COBIT 5 will consist of a set of publications providing:
    • The content of COBIT 5 required for enterprise implementation and assurance activities
    • Focussed guidance publications on functional, responsibility and organisational views to help COBIT users with a specific area of interest to better understand how COBIT can support their role.
  • Clarifying the distinction between governance and management with a revised process model that distinguishes between these domains while also showing how they relate to each other, and with processes integrating both business and IT responsibilities.
  • Aligning with the latest management practices as well as strengthening areas such as decision making, organisational structures, skill requirements, human factors, culture and change enablement. The new structure will be flexible, allowing future ISACA and non-ISACA standards, frameworks, regulations, etc., to be factored in.

If you want to learn more about risk management, a previous post, “Risk Assessment: A Starting Point,” provides a good starting point with links to some great information sources. Luke O’Connor over on Scribd has provided a very nice graphical representation titled “How to Assess and Mitigate Risk” (a.k.a. “Six Risk Management Myths”):

ISACA is looking for feedback by the close of 12 April 2010. There is also a LinkedIn Group set up by Grzegorz Albinowski where you can discuss and stay informed on COBIT 5 developments.

OMB Says Bring on the Clouds: Frightening or Funny?
http://blog.securitymonks.com/2010/01/18/omb-says-bring-on-the-clouds-frightening-or-funny/
Mon, 18 Jan 2010 23:13:04 +0000, John Gerber

Jason Miller, Executive Editor for FederalNewsRadio, writes in his article, “Agencies to justify not using cloud computing to OMB,” that OMB “will require agencies to develop an alternative analysis discussing how they could use cloud computing for all major technology projects for the fiscal 2012 budget.” This is according to an internal budget document obtained by FederalNewsRadio. The document details OMB’s plans for high-profile initiatives such as data center consolidation, the use of cloud computing, and cybersecurity spending.

Miller goes on to report that OMB will require “agencies launch a series of cloud computing pilots across the government in 2010 using the E-Government Fund.” In 2013, Miller reports, agencies must provide OMB “a complete alternatives analysis for mixed life cycle projects where agencies are spending new money-known as development, modernization and enhancement-and steady state or operations and maintenance funding for how they could move to cloud computing.”

Miller quotes a former government official as saying, “They are not saying use it, but are pushing us to look at it and do an analysis of alternatives and make a decision based on our business needs. They are pushing us to look at it, yet giving us the ability to decide whether it makes sense.”

How well does your organization understand cloud computing? How will security be handled? What can you do to prepare? During this time of tight budgets, maybe you do not have the funds and/or time to attend conferences and training events. Fortunately, presentations are being posted regularly to the web, allowing you to keep informed on technological challenges. For example, the ZISC Workshop on Security in Virtualized Environments and Cloud Computing, held September 10-11th in Zurich, recently posted all their presentations:

Welcome note (Bernhard Plattner and Diego Zamboni)
Talk 1: Not Every Cloud has a Silver Lining (Gunter Ollmann, Damballa Inc., Atlanta GA, USA)
Talk 2: Virtualization and Cloud Computing: Security’s Golden or Gilded Age (Kevin Skapinetz, IBM Internet Security Systems, Atlanta GA, USA)
Talk 3: Using virtualization technology for fault and intrusion tolerance (Hans P. Reiser, University of Lisbon, Portugal)
Talk 4: A survey of current security-related operating systems research (Timothy Roscoe, ETH Zurich, Switzerland)
Talk 5: Of Cold Steam, Mist and Vapour: A View from the Inside of the Cloud (Dirk Kuhlmann, HP Labs Bristol, UK)
Talk 6: New Cloud Computing challenges: the security impact in the “social” world (Massimo Villari, University of Messina, Italy)
Talk 7: Paradigms in virtualization based host security (Tal Garfinkel, VMware Inc., Palo Alto, CA, USA / Stanford University, Palo Alto CA, USA)
Talk 8: Cloud Computing and Security: a Googley Perspective (Peter Dickman, Google Inc., Zurich, Switzerland)
Talk 9: A NIST Perspective on Cloud Computing (Tim Grance, National Institute of Standards and Technology, USA)
Talk 10: ENISA Risk Assessment of Cloud Computing – Preliminary Results (Giles Hogben, ENISA, EU)
Talk 11: Attack Graphs + Mechanically Generated Constraints (Lee Badger, National Institute of Standards and Technology, USA)
Wrap-up and end (Bernhard Plattner and Diego Zamboni)

Following NIST’s involvement in an area like cloud computing can help you judge the direction the government is heading. Tim Grance presented at the 5th Annual IT Security Automation Conference and Expo, and the presentations have been made available. Grance presented on the Security Content Automation Protocol (SCAP) (see my previous post “Standardization and Interoperability in Security” for additional information on SCAP). A cloud computing track consisting only of slides (no video) was also posted. If lack of video does not concern you, the following conferences have posted slides on cloud security:

If you prefer to listen and do not need to see slides, Tim Grance can be heard on Dana Gardner’s BriefingsDirect podcast, “Panel Discussion: Is Cloud Computing More or Less Secure than On-Premises IT?” The discussion includes a panel of all stars from the cloud security community, including Glenn Brunette, distinguished engineer and chief security architect at Sun Microsystems and founding member of the Cloud Security Alliance (CSA); Doug Howard, chief strategy officer of Perimeter eSecurity and president of USA.NET; Christofer Hoff, technical adviser at CSA and director of Cloud and Virtualization Solutions at Cisco Systems; and Dr. Richard Reiner, CEO of Enomaly. The podcast was recorded at the Open Group’s 23rd Enterprise Architecture Practitioners Conference in Toronto on July 20-22, 2009, along with:

For more video presentations on cloud security, a while back I posted “CERT, CERIAS, the Academy, and Google Video: Training Online.” Two other sources are SecurityTube and O’Reilly Webcasts. Below are a few examples of the presentations available:

  • The Belgian Beer Lovers Guide to Cloud Security (Brucon 2009) Tutorial by Craig Balding at Brucon 2009: In this presentation Craig covers why talking about “cloud” is akin to walking into a Belgian bar and asking for “beer”; the common cloud architectures and their implications for you – the security dude; what the beer brewing Trappist Monks can teach us about cloud security; attacking clouds (aka getting free beer); and dealing with the hangover: cloud incident response & forensics.
  • Evolution of Security (Fsecure) Tutorial by F-Secure: an animated series on the various threats out there on the Internet and also talks about their state of the art AV (self promotion) ;-) They also talk about “cloud security” and how the next generation AV will be in the cloud and not isolated.
  • Cloud Security and Privacy by Tim Mather, Subra Kumaraswamy, Shahed Latif: discusses cloud computing’s SPI delivery model, and its impact on various aspects of enterprise information security (e.g., infrastructure, data, identity and access management, security management), privacy, and compliance. Security-as-a-Service and the impact of cloud computing on corporate IT is also discussed.
  • Architecting Applications for the Cloud by Jorge Noa: This presentation analyzes aspects of the Amazon EC2 IaaS cloud environment that differ from a traditional data center and introduces general best practices for ensuring data privacy, storage persistence, and reliable DBMS backup.
  • Cloud Computing: The Next Frontier for Open Source by Bernard Golden: discusses how the trends of open source and cloud computing reinforce one another, and why cloud computing is a significant driver of enterprise open source adoption.
  • Getting Started with Amazon Web Services
  • Cloud Security Deep Dive by Subra Kumaraswamy, Shahed Latif, Tim Mather: will take a deep dive into cloud security issues and focus on three specific aspects: (1) data security; (2) identity management in the cloud, and; (3) governance in the cloud (in the context of managing a cloud service provider with respect to security obligations). Each of these three topics will be covered in a 30 minute segment that will include a presentation and Q&A with the audience.
  • Cloudburst (Hacking 3D and Breaking Out of VMware) Blackhat 2009 by Kostya Kortchinsky: VMware products implement a lot of functionality, and as such have a decent chance to include some bugs. CLOUDBURST is the combination of 3 of those found in the virtualized video device (more specifically the 3D code). Combined, these allow a user in a Guest to execute code on the Host. Since the virtualized device code is the same for all the branches of the products, this impacts Workstation, as well as Fusion or ESX. Immunity, Inc. will present the various vulnerabilities and the techniques used to exploit the bug reliably, even on platforms with ASLR or DEP such as Vista SP1. Once exploited, Immunity will demonstrate how to establish MOSDEF between the Host and Guest.
  • Virtualization: Resource Coupling and Security across the Stack by Dennis Moreau, Configuresoft: The session briefly addressed extension to the cloud and utility computing infrastructures to address how to use configuration and behavioral information to address the increased complexity of security, compliance and risk assessment in virtualized environments.

Other BruCON Security Conference (held September 18-19, 2009) videos are available at their vimeo channel. O’Reilly maintains on YouTube an O’Reilly Media Channel along with an area to sign up for future webcasts. Blackhat DC 2009 video, audio, whitepapers, and slides are also available. Content is ever changing, so keep checking the sites.

Remember that Vivek Kundra, Chief Information Officer (CIO) of the United States of America, outlined as his team’s priorities:

  1. Innovation
  2. Lowering the cost of Government
  3. Transparency
  4. Engaging Citizens
  5. Ensuring a safe computing environment

In response, FedScoop! started hosting one event each quarter around these pillars. On October 14 at the Newseum, they held their first event, bringing together executives from the White House and federal CIOs, CTOs, and decision-makers to talk about lowering the cost of government with technology. Check out the video of the Cyber Security Panel. Since one of the topics was cloud computing, FedScoop! scheduled a follow-up event. On December 9th, 2009, they hosted and posted the “Cloud Computing Shoot Out.”

FederalNewsRadio has posted a three part video series on secure cloud computing. The panelists include Jim Flyzik, President of the Flyzik Group; Henry Sienkiewicz, Technical Program Director, Computer Services, Defense Information Systems Agency; Ronald Bechtold, Army Architecture Integration Center at Headquarters, Department of the Army, Chief Information Office/G6; Curt Aubley, Chief Technology Officer CTO Operations & Next Generation Solutions, Lockheed Martin Information Systems & Global Services; Dale Wickizer, Chief Technology Officer-Public Sector, NetApp, Inc.; and Aileen Black, Vice President of Public Sector VMware Inc.

CNET’s editor of Webware, Rafe Needleman, and senior writer Stephen Shankland talked with Christofer Hoff on the Reporters’ Roundtable podcast about the “Dangers of Cloud Computing.” Chris also presented at Microsoft’s BlueHat, “Cloudifornication: Indiscriminate Information Intercourse Involving Internet Infrastructure.” Any presentation with such a great title must be watched. There is a short interview with Chris from BlueHat.

One of my favorite stories of Abraham Lincoln involved the McCormick-Manny case of 1855 where Lincoln was one of Manny’s lawyers. Lincoln basically was pushed aside and humiliated. After the trial, he told Ralph Emerson, a young lawyer who was present at the trial, “I am going home. I am going home to study law.” Emerson asked, “Mr. Lincoln, you stand at the head of the bar in Illinois now! What are you talking about?” Lincoln replied, “Ah, yes, I do occupy a good position there, and I think that I can get along with the way things are done there now. But these college-trained men, who have devoted their whole lives to study, are coming West, don’t you see? And they study their cases as we never do. They have got as far as Cincinnati now. They will soon be in Illinois.” Emerson stated Lincoln turned to him, his countenance suddenly assuming that look of strong determination which those who knew him best sometimes saw upon his face, and said, “I am going home to study law! I am as good as any of them, and when they get out to Illinois, I will be ready for them.”

Change is coming. If you try just to get along, the future will overwhelm you. While we do not live in a world of unlimited funds for conferences and training, people are sharing a wealth of information. Take advantage of it and get ready for whatever might be heading your way.

Suricata: A Next Generation IDS/IPS Engine
http://blog.securitymonks.com/2010/01/05/suricata-a-next-generation-idsips-engine/
Wed, 06 Jan 2010 03:33:41 +0000, John Gerber

Last Thursday, I was very glad that the Open Information Security Foundation (OISF) released the first public beta version of Suricata. It has been three years in the making. Several new releases are expected this month, culminating in a production quality release shortly thereafter. OISF describes Suricata as “an Open Source Next Generation Intrusion Detection and Prevention Tool, not intended to just replace or emulate the existing tools in the industry, but to bring new ideas and technologies to the field.” It is looking very promising.

The Suricata Engine and the HTP Library are available to use under the GPLv2. The new engine supports “Multi-Threading, Automatic Protocol Detection (IP, TCP, UDP, ICMP, HTTP, TLS, FTP and SMB! ), Gzip Decompression, Fast IP Matching and coming soon hardware acceleration on CUDA and OpenCL GPU cards”. GPU integration allows the use of graphic cards to accelerate operations. Mike Cloppert in his post, “Detection, Bandwidth, and Moore’s Law” pointed out:

It appears the authors well understand the point in this post, and the corresponding state of the art in solving parallel computing problems. GPU’s are emerging as a good commodity solution to parallel processing. This is covered in depth by a number of recent publications discussing parallelism, and I am by no means an expert in this field, so I will simply leave follow-up on this point as an exercise for the reader.

The HTP Library is an HTTP normalizer and parser written by Ivan Ristic, creator of ModSecurity and author of the soon-to-be-released book “ModSecurity Handbook”. It integrates with the engine and provides very advanced processing of HTTP streams. The HTP Library is required by the engine, but it may also be used independently in a range of applications and tools. Additional details have been provided by Ivan in his post, “HTTP parser for intrusion detection and web application firewalls.” Ivan writes concerning the development, “For the first release of the parser the goal is to be able to parse HTTP streams reliably. In the subsequent versions I will work in the parser’s security properties (such as the ability to see through evasion attacks).”

New Ideas and Concepts

Quoting from the OISF announcement, some of the next generation capabilities include:

  • Multi-Threading: so very necessary.
  • Automatic Protocol Detection: the engine has keywords for IP, TCP, UDP, ICMP, HTTP, TLS, FTP and SMB. Users can write rules to detect a match within a stream regardless of the port the stream occurs on. This is important for malware detection and control. Detections for more layer 7 protocols are being developed.
  • Gzip Decompression: the HTP Parser will decode Gzip compressed streams.
  • Independent HTP Library: the HTP Parser will be usable by other applications such as proxies, filters, etc. The parser is available as a library under GPLv2 for easy integration into other tools.
  • Standard Input Methods: support for NFQueue, IPFRing, and the standard LibPcap to capture traffic. IPFW support will be available soon.
  • Unified2 Output: support for standard output tools and methods.
  • Flow Variables: it is possible to capture information out of a stream and save that in a variable which can then be matched against later.
  • Fast IP Matching: the engine will automatically use a special fast matching preprocessor on rules that are IP matches only (such as the RBN and compromised IP lists at Emerging Threats).
  • HTTP Log Module: HTTP requests can be automatically output into an Apache-style log format file for monitoring and logging activity completely independent of rulesets and matching.
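
To make the port-independent detection and IP-only fast path from the list above concrete, here is an added Python sketch. It is not Suricata code: the detection heuristics, the rule format, the rule ids and the sample flows are my own constructed simplifications.

```python
"""Port-independent protocol detection with an IP-only fast path.

Constructed illustration of two ideas from the feature list above: a flow is
classified from its payload bytes (not its port) so a rule's protocol keyword
matches on any port, and rules that are IP matches only skip payload work.
Heuristics, rule format and sample data are simplified and made up here.
"""
import ipaddress

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")


def detect_protocol(payload: bytes) -> str:
    """Classify a flow from its first payload bytes; the port is never consulted."""
    head = payload[:512]
    # HTTP: "<METHOD> <target> HTTP/1.x" request line
    if head.startswith(HTTP_METHODS) and b" HTTP/1." in head:
        return "http"
    # TLS: record type 0x16 (handshake), major version 3, ClientHello (0x01)
    if len(head) >= 6 and head[0] == 0x16 and head[1] == 0x03 \
            and head[2] <= 0x03 and head[5] == 0x01:
        return "tls"
    # SMB: NetBIOS session message (type 0x00) followed by the SMB/SMB2 magic
    if len(head) >= 8 and head[0] == 0x00 and head[4:8] in (b"\xffSMB", b"\xfeSMB"):
        return "smb"
    # FTP: server greeting "220 ..." or client "USER ..." command
    if head.startswith((b"220 ", b"220-", b"USER ")):
        return "ftp"
    return "unknown"


# Constructed rules. "proto" is compared with the detected protocol, never the
# port. A rule carrying only "ips" is an IP-only rule and takes the fast path.
RULES = [
    {"sid": 1000001, "proto": "http", "content": b"/wp-login.php",
     "msg": "HTTP request for login page (any port)"},
    {"sid": 1000002, "proto": "tls", "content": None,
     "msg": "TLS ClientHello (any port)"},
    {"sid": 1000003, "ips": ["198.51.100.7", "198.51.100.9"],
     "msg": "traffic to a listed address (IP-only rule)"},
]


def build_ip_table(rules):
    """Flatten IP-only rules into one dict for constant-time destination lookups."""
    table = {}
    for rule in rules:
        for ip in rule.get("ips", []):
            table.setdefault(ipaddress.ip_address(ip), []).append(rule["sid"])
    return table


def match_flow(flow, rules, ip_table):
    """Return the sids that fire for a flow dict {src, dst, dport, payload}."""
    fired = list(ip_table.get(ipaddress.ip_address(flow["dst"]), []))  # fast path
    proto = detect_protocol(flow["payload"])  # dport is deliberately ignored
    for rule in rules:
        if "ips" in rule or rule["proto"] != proto:
            continue
        if rule["content"] is None or rule["content"] in flow["payload"]:
            fired.append(rule["sid"])
    return fired


# Constructed sample flows; documentation addresses only.
SAMPLE_FLOWS = [
    {"src": "192.0.2.10", "dst": "203.0.113.5", "dport": 8088,  # HTTP on an odd port
     "payload": b"GET /wp-login.php HTTP/1.1\r\nHost: example.test\r\n\r\n"},
    {"src": "192.0.2.11", "dst": "203.0.113.6", "dport": 8443,  # TLS ClientHello
     "payload": bytes([0x16, 0x03, 0x01, 0x00, 0x2c, 0x01, 0x00, 0x00, 0x28]) + b"\x00" * 40},
    {"src": "192.0.2.12", "dst": "198.51.100.7", "dport": 445,   # SMB to a listed IP
     "payload": b"\x00\x00\x00\x45\xffSMBr\x00\x00\x00\x00"},
]


def run_samples():
    """Apply RULES to SAMPLE_FLOWS and return the list of fired sids per flow."""
    ip_table = build_ip_table(RULES)
    return [match_flow(flow, RULES, ip_table) for flow in SAMPLE_FLOWS]


if __name__ == "__main__":
    for flow, sids in zip(SAMPLE_FLOWS, run_samples()):
        print(flow["dst"], flow["dport"], detect_protocol(flow["payload"]), sids)
```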

A few features to look forward to in a few weeks:

  • Global Flow Variables: the ability to store more information from a stream or match (actual data, not just setting a bit) over a period of time allowing comparing values across many streams and time.
  • Graphics Card Acceleration: using CUDA and OpenCL to make use of the processing power of even old graphics cards to accelerate the IDS. Offloading the very computationally intensive functions of the sensor will greatly enhance performance.
  • IP Reputation: will allow sensors and organizations to share intelligence and eliminate many false positives.
  • Windows Binaries: will be released once there is a reasonably stable body of code.

Folks Behind It

The team is listed on the OISF site. It is an all star cast including Matt Jonkman, Victor Julien, Will Metcalf, Nathan Jimerson, Margaret Skinner, Josh Smith, Brian Rectanus, Breno Silva Pinto, Anoop Saldanha, Gurvinder Singh Dahiya, Jason MacLulich, Jason Ish, Kirby Kuehl, Dennis Henderson, Martin Solum, Ivan Ristic, Pablo Rincon, and Gerardo Iglesias Galvan.

I also wanted to point out some of the heavy hitting organizations involved. The initial funding for OISF comes from the US Department of Homeland Security (DHS), the US Navy’s Space and Warfare Command (SPAWAR), and a number of private companies that participate in the OISF Consortium. The OISF is a part of the DHS Homeland Open Security Technology (HOST) program. OISF works with Open Source Software Institute and has received legal guidance from the Software Freedom Law Center.

OISF is a US nonprofit, a 501(c)(3), and will not commercialize, sell, patent, copyright, or profit from the engine. OISF Consortium members are donating coders, equipment, and financial support in exchange for the ability to commercialize the engine. The important takeaway is that OISF has long-term support for future development of Suricata.

Final Thoughts

Suricata is a very exciting and promising IDS/IPS engine. It has a great group of people behind it, and future development appears secured. It is a project that is in the early stages. Do not expect to download it and simply install it in a production environment. For testing the software and providing feedback, the engine and the HTP Library are available for download. To keep apprised of the latest developments, join the OISF mailing lists, where you can discuss and share feedback. The blog of Victor Julien, Suricata’s lead developer, is another great source for the latest news and information.

To finally answer the burning question: why the name Suricata? According to the OISF site, Suricata comes from the Latin genus name for the meerkat and “the Meerkat takes security and vigilance as a life or death responsibility. There is always at least one individual on guard, watching, ready to alert the entire organization. Very much like an IDS sensor. It is always watching, always ready to alert you to danger. Or something like that…”

Movement on the US Cyber Command
http://blog.securitymonks.com/2010/01/05/movement-on-the-us-cyber-command/
Tue, 05 Jan 2010 06:46:09 +0000 – John Gerber

The US Cyber Command has been an interesting story to watch. It is similar to the old Charlie Brown comic strips, where he continuously tried to kick the football only to have Lucy pull it away at the last minute. Now Ellen Nakashima, from the Washington Post, is reporting that the “Pentagon computer-network defense command delayed by congressional concerns.” Still, movement is occurring. The Pentagon hopes to brief lawmakers this month to clear the way for the confirmation hearing of the Cyber Command’s new director.

For a little perspective, remember that back in August 2008 the Air Force suspended all efforts toward establishing the Cyber Command. This was after the Air Force had been hyping the Cyber Command’s capabilities on TV, in Web video advertisements, and in presentations. In September, the Pentagon decided that the US Strategic Command in Omaha, NE should create and run a version of the joint Cyber Command. Deputy Secretary of Defense Gordon England wrote in a memo, “Because all the combatant commands, military departments and other defense components need the ability to work unhindered in cyberspace, the domain does not fall within the purview of any particular department or component.”

In October, top Air Force leadership decided to continue efforts to stand up the Cyber Command. At the time, Air Force Secretary Michael Donley made the statement, “The conduct of cyber operations is a complex issue, as [Defense] and other interagency partners have substantial equity in the cyber arena. We will continue to do our part to increase Air Force cyber capabilities and institutionalize our cyber mission.”

Top military officials in May 2009 argued for a single joint command and went on to tell the media that a “Cyber attack could bring U.S. military response.” In June 2009, Defense Secretary Robert M. Gates stated in a memo, “Our increasing dependency on cyberspace, alongside a growing array of cyber threats and vulnerabilities, adds a new element of risk to our national security. To address this risk effectively and to secure freedom of action in cyberspace, the Department of Defense requires a command that possesses the required technical capability and remains focused on the integration of cyberspace operations.”

The Defense Department failed to meet an Oct. 1 target launch date. There have been no confirmation hearings for the command’s first director. Nakashima is reporting that the project was delayed by “congressional questions about its mission and possible privacy concerns.”

NSA Deputy Director John (Chris) Inglis said “90 percent” of the command’s focus will be on defensive measures because “that’s where we are way behind.” Offensive measures lead to many policy and doctrinal questions involving cyber warfare. Nakashima goes on to quote one official familiar with the Pentagon’s plans, who was not authorized to speak for the record: “The rules can vary dramatically depending upon under what authority you’re doing something. An offensive action is not a decision that can be taken very lightly. It is an extraordinary action because of the consequences that could result for either DOD or the intelligence community or critical U.S. industries.”

Offensive computing is a difficult topic to tackle. Remember Col. Charles W. Williamson III? He ran into a bit of controversy back in May 2008 when he posted “Carpet bombing in cyberspace: Why America needs a military botnet.” He stated, “America needs a network that can project power by building an af.mil robot network (botnet) that can direct such massive amounts of traffic to target computers that they can no longer communicate and become no more useful to our adversaries than hunks of metal and plastic.” Richard Bejtlich’s post, “Mutually Assured DDoS,” points out several of the problems with an af.mil robot network. Sean Sullivan from F-Secure also wrote a thoughtful response titled “US Air Force Colonel Proposes Skynet.” The problem will always be that, in cyberspace, attackers do not wear uniforms, nor do they necessarily come from a particular domain. It is not so easy to identify the enemy. The intelligent attacker makes every effort to blend into the population.

Paul B. Kurtz, a cybersecurity expert who served in the George W. Bush and Clinton administrations stated, “I don’t think there’s any dispute about the need for Cyber Command. We need to do better defending DOD networks and more clearly think through what we’re going to do offensively in cyberspace. But the question is how does that all mesh with existing organizations and authorities? The devil really is in the details.”

Nakashima reports officials stated:

“The initial operating plan for a cyber command is straightforward: to merge the Pentagon’s defensive unit, Joint Task Force-Global Network Operations, with its offensive outfit, the Joint Functional Command Component-Network Warfare, at Fort Meade, home to the NSA. The new command, which would include about 500 staffers, would leverage the NSA’s technical capabilities but fall under the Pentagon’s Strategic Command.”

Lt. Gen. Keith B. Alexander, director of the NSA, has been nominated by President Obama to be the director of the Cyber Command. Congressional staff have been briefed three times, and the Pentagon hopes to brief lawmakers this month. Once the staff are satisfied they understand the command’s purpose and operating plan, the Senate Armed Services Committee can hold the confirmation hearing for a new director.

Edmund Burke once said, “All that is necessary for evil to succeed is that good men do nothing.” Of course, Saint Bernard of Clairvaux would have cautioned, “Hell is full of good intentions or desires.” While there are many issues involved with the development of a US Cyber Command, steps are continuing to occur. Issues are being considered. Is it progress? I believe so. Stay tuned and we will all see what happens.

Soon-To-Be Classic: A Geek Christmas Story
http://blog.securitymonks.com/2009/12/23/soon-to-be-classic-a-geek-christmas-story/
Wed, 23 Dec 2009 23:35:33 +0000 – John Gerber

Folks have their favorite stories from the season. According to a Harris poll, America’s two favorite holiday movies are “A Christmas Story” and “It’s a Wonderful Life” (21% each). A close third is “Miracle on 34th Street” (17%), followed by “National Lampoon’s Christmas Vacation” (13%) and “The Santa Clause” (9%). The favorite animated movie is “Rudolph the Red-Nosed Reindeer”.

Thanks to Angry Alien Productions for providing links to 30-Second Bunnies Theatre. If you have never watched this collection of movies re-enacted by animated bunnies in 30 seconds, more or less, follow the links. If you enjoy the episodes, support the creative effort by buying the recently released DVD through Amazon.

For geeks, and those who love them, Kreg Steppe and Douglas E. Welch have written a story that you are going to love, “A Geek Christmas Story.” To quote the site, it is the story of “Mattie Stevens, a young boy of the early 80’s, [who] dreams of owning a Commodore 64. He sets out to convince everyone this is the perfect gift. But, along the way runs into opposition from his parents and everyone around him including old Santa Claus.”

Take a look at the all star cast of players from the podcasting community:
Narrator: Kreg Steppe – Technorama
Harvey Stevens: Dad – Kevin Devin
Mandy Stevens: Mom – Susie Murph – How to Grow your Geek Podcast
Mattie Stevens: Son – Daniel Devin
Sandy Stevens: Little Brother – Spencer Holden
Curtz Eisenberg: Friend to Mattie – Harrison Steppe
General Beringer: General – Douglas E. Welch
Lieutenant: Steve Holden – Tech News Radio
Mrs. Little: Katie Floyd – Mac Power Users Podcast
Santa’s Helper: Chuck Tomasi – Chuckchat.com
Santa: Larry Pesce – Pauldotcom.com Podcast
Judge: Victor Cajiao – Typical Mac User Podcast, Typical Shutterbug Podcast
Andrew Carnagie: Andy Helsby – Absoblogginlutely!
J.P. Morgan: Grant Bichocco – Mr.Grant.com
UPS Guy: Paul Asadoorian- Pauldotcom.com Podcast
Skipper: Rylie Starcher

Not to leave anyone out, because they have all done such a great job, the show was produced by:

George Starcher – Typical Mac User Podcast
Victor Cajiao – Typical Mac User Podcast, Typical Shutterbug Podcast
Steve Holden – Tech News Radio, Jersey Boys Podcast, AztecMedia.net

The folks at FiT do fantastic, creative, stories around Halloween and Christmas (Server Room of Horrors – Halloween 2005; A Geek Christmas Carol – Christmas 2005; Server Room of Horrors – Halloween 2006; Lucky the Reindeer and the Island of Misfit Geeks – Christmas 2006; It’s the Great Server Chuck and Kreg! – Halloween 2007). Take the time to listen to this year’s Christmas story. You won’t be disappointed.

Santa’s Secrets Leaked
http://blog.securitymonks.com/2009/12/21/santas-secrets-leaked/
Mon, 21 Dec 2009 22:00:11 +0000 – John Gerber

In a stunning possible security breach, Gregory Mone reveals in his book, “The Truth About Santa: Wormholes, Robots, and What Really Happens on Christmas Eve,” some of the sensitive data loss that has been occurring in Father Christmas’ organization. Answers to questions that have plagued humankind since the first report of the jolly old elf are beginning to appear on the Internet. Through heavy research and interviews with scientists and other field experts (management consultants, Berkeley astrophysicists, Navy SEALs), Mone was able to discover that Baba Noel accomplishes the seemingly impossible annual mission using advanced science and technology. Mone claims no information was obtained through disgruntled elves.

On a mission to reveal the truth behind Pere Noel, Mone took time for an interview on NPR’s Morning Edition and gave a one-hour lecture at MIT. Shaula Clark, reporting for the Boston Phoenix on the MIT lecture, exposed some of Babbo Natale’s trade secrets:

  • Kanakaloka is not immortal, but retains his jolly vigor with the help of organ printers.
  • Swiety Mikolaj does not, in fact, leave toys under the tree; instead, he comes bearing complex chemical reactions — toys assemble themselves in their packaging.
  • Ded Moroz’s Christmas Eve rounds are actually accomplished via several teams of Santa-recruited lieutenants, a series of short-distance wormholes, and time travel.
  • Papai Noel’s base of operations (actually in Greenland, not the North Pole) is greatly threatened by global warming — to keep his unfathomably large server farm cool, he needs the Arctic chill. Papai Noel’s own green initiatives include planting trees and cloning his elves (“because he wouldn’t want [them] breeding on their own”).

According to Mone, Sinter Klaas uses tools that are hundreds of years beyond what we have at our disposal. For example, “Santa’s suit is laden with what are called metamaterials, which have the effect of bending light around a person so that they turn invisible” — which can come in handy if there are curious children peeking during his Christmas deliveries.

Questions on the Internet have been raised as to where Mone may have obtained his information. At the beginning of the month, Mone traveled to Google allegedly to take part in the Authors@Google series. During the talk Mone discussed how implanted listening devices in the ornaments help Hoteiosho keep the naughty and nice kids straight. Also discussed was the use of cloning and wormhole technology to help Baba Chaghaloo get to every household. A few posts on the Internet question whether Google could be providing information to Shengdan Laoren through advance data mining in exchange for some of the advance technologies.

Could the US government also be involved? Those Internet posts point to the partnership between Google and NORAD (the North American Aerospace Defense Command), a bi-national United States and Canadian organization. NORAD and Google are helping children track the journey of Jolasveinar around the world using Google Maps and Google Earth. In a possible attempt to gain patents and disrupt Google market shares, there are even rumors that Gaghant Baba’s workshop has been purchased by Bill Gates. Could a secret message exist behind the Microsoft Bing commercial about Daidi na Nollag?

Google maintains that they take user privacy very seriously. In this case, I believe them. If there is trickery, Tomten would likely be behind it. How can one trust a person who goes by so many names? And what exactly is his past? Every country provides a different story. If he is a jolly old elf, there are reports that elves have used trickery as a means to an end. Local and federal governments across the world have gift policies limiting the value and number of gifts that can be given to government employees. Gifts can be used as bribes. One could begin to wonder if the gift-bearing holiday might be a cover for a massive yearly bribery event. More troubling, attempts to trace those questioning Internet posts lead back to ISPs in Greenland. Maybe Jack Bauer is needed to get at the truth.

I am not saying Chimney John is not a jolly nice fellow. I am just not a great believer in security through obscurity. There is a great deal we don’t know about Samichlaus. As security minded people, we need to be always questioning. Video of Mone’s Google talk has been made available. View it below and judge for yourself:

Wishing you a great holiday, wherever you may be and whatever you may believe.

Learning from the Drone Hacking Case
http://blog.securitymonks.com/2009/12/17/lessons-learned-from-drone-hacking-case/
Thu, 17 Dec 2009 16:56:45 +0000 – John Gerber

Siobhan Gorman, Yochi J. Dreazen, and August Cole have broken the story “Insurgents Hack U.S. Drones” in today’s Wall Street Journal. The story provides several interesting points that could provide valuable lessons. Quoting from the article:
  • The U.S. government has known about the flaw since the U.S. campaign in Bosnia in the 1990s, current and former officials said. But the Pentagon assumed local adversaries wouldn’t know how to exploit it, the officials said.
  • Last December, U.S. military personnel in Iraq discovered copies of Predator drone feeds on a laptop belonging to a Shiite militant, according to a person familiar with reports on the matter.
  • The militants use programs such as SkyGrabber, from Russian company SkySoftware. “It was developed to intercept music, photos, video, programs and other content that other users download from the Internet — no military data or other commercial data, only free legal content,” Andrew Solonikov, one of the software’s developers said by email from Russia.
  • The difficulty, officials said, is that adding encryption to a network that is more than a decade old involves more than placing a new piece of equipment on individual drones. Instead, many components of the network linking the drones to their operators in the U.S., Afghanistan or Pakistan have to be upgraded to handle the changes.
  • Predator drones are built by General Atomics Aeronautical Systems Inc. of San Diego. Some of its communications technology is proprietary, so widely used encryption systems aren’t readily compatible, said people familiar with the matter.
  • Some officials worried that adding encryption would make it harder to quickly share time-sensitive data within the U.S. military, and with allies.
  • The Air Force has staked its future on unmanned aerial vehicles. Drones account for 36% of the planes in the service’s proposed 2010 budget.
  • Today, the Air Force is buying hundreds of Reaper drones, a newer model, whose video feeds could be intercepted in much the same way as with the Predators, according to people familiar with the matter. A Reaper costs between $10 million and $12 million each and is faster and better armed than the Predator. General Atomics expects the Air Force to buy as many as 375 Reapers.

What lessons are applicable to your organization? Three points to think about:

  1. Design, cost, and risk. There is no doubt that there are many difficulties with adding encryption to drones. Design of these systems involves many factors (power, weight, security, transmission rates, etc.). The problem is that the risk of snooping due to the lack of encryption has been known since the 1990s. With each drone costing $10-12 million, and the Air Force expected to buy 375, that is a sizable investment. When making design decisions, organizations can expect to have to defend their choices.
  2. Developing with standards. Future development with possibly different contractors seems unlikely if widely used encryption systems are not readily compatible with the current contractor’s proprietary communications technology. Companies should want to foster flexibility and avoid vendor lock-in. It is also unlikely that sharing information with allies will be possible unless widely used encryption systems can be used.
  3. Being realistic when assessing the risk. Companies need to avoid reports that they failed to understand the risk. In this article, the worst statement is that the “Pentagon assumed local adversaries wouldn’t know how to exploit it.”

Underestimating risk is a constant threat in security. It is wise to remember the words of Sun Tzu from The Art of War, “It is said that if you know your enemies and know yourself, you will not be imperiled in a hundred battles; if you do not know your enemies but do know yourself, you will win one and lose one; if you do not know your enemies nor yourself, you will be imperiled in every single battle.”
