<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Ascension Blog</title>
	<atom:link href="http://www.ascensionriskmanagement.com/BlogOne/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.ascensionriskmanagement.com/BlogOne</link>
	<description>An Infosec Blog</description>
	<lastBuildDate>Tue, 22 Sep 2009 15:38:22 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.8.4</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>Cyberwar Requires Flexibility</title>
		<link>http://www.ascensionriskmanagement.com/BlogOne/2009/09/22/flexibility/</link>
		<comments>http://www.ascensionriskmanagement.com/BlogOne/2009/09/22/flexibility/#comments</comments>
		<pubDate>Tue, 22 Sep 2009 15:38:22 +0000</pubDate>
		<dc:creator>gsmckee4</dc:creator>
				<category><![CDATA[General]]></category>
		<category><![CDATA[Recent News]]></category>
		<category><![CDATA[Bob Gorley]]></category>
		<category><![CDATA[CTOvision]]></category>
		<category><![CDATA[Cyberspace]]></category>
		<category><![CDATA[Cyberthreat]]></category>
		<category><![CDATA[Cyberwar]]></category>
		<category><![CDATA[diplomacy]]></category>
		<category><![CDATA[electromagnetic spectrum]]></category>
		<category><![CDATA[GCN]]></category>
		<category><![CDATA[Lt. General William Lord]]></category>
		<category><![CDATA[risk]]></category>
		<category><![CDATA[threat]]></category>
		<category><![CDATA[USAF]]></category>

		<guid isPermaLink="false">http://www.ascensionriskmanagement.com/BlogOne/?p=638</guid>
		<description><![CDATA[(Just to let everyone know, I haven’t forgotten about the Infosec/Professional Cooking string – I’ve been both very busy and very sick the past few weeks.  I also don’t want to just put something down and post it.  As the last post, I want to really bring the analogy together and I’d rather hold off [...]]]></description>
			<content:encoded><![CDATA[<p>(Just to let everyone know, I haven’t forgotten about the Infosec/Professional Cooking string – I’ve been both very busy and very sick the past few weeks.  I also don’t want to just put something down and post it.  As the last post, I want to really bring the analogy together and I’d rather hold off a bit and do it right than lose it just before I bring it across the finish line.)</p>
<p>(Oh, and just another quick note on terms – I know that some people out there have an issue with any use of the term “cyber.”  With all the issues out there I think this one is perhaps the most worthless.  Personally I don’t care what we call it but it appears that “cyber” has caught on and therefore I will use it until another word tends to dominate.  Arguments and debates over semantics serve no purpose other than to distract us away from the real issues.  If you really want to debate that then let me know and I’ll start another thread for that.)</p>
<p>After seeing a tip from <a title="Bob's profile on LinkedIn" href="http://www.linkedin.com/in/robertgourley" target="_blank">Bob Gourley </a>on an article over at <a title="GCN - Government Computer News" href="http://gcn.com/Home.aspx" target="_blank">Government Computer News (GCN)</a> I went over to read it.  Bob, and his blog, <a title="CTOVision" href="http://ctovision.com/" target="_blank">CTOVision</a>, are great sources to keep abreast of the goings-on of the federal government, especially from the National Security/Intelligence Community perspective. </p>
<p>The article, entitled “<a title="Cyber threat calls for flexibility in command model, general says (GCN)" href="http://gcn.com/articles/2009/09/21/lord-emphasizes-joint-force-approach-to-battle.aspx?s=gcndaily_220909" target="_blank">Cyber threat calls for flexibility in command model, general says</a>,” offers great insight into the problem of cyber warfare as well as the general problems that everyone faces with threats from the Internet.  The article is rather short but it brings up a lot of issues that would take a great amount of space to really explore. </p>
<p>Running the risk of oversimplifying things, let me say that the issue we face with the Internet, from both a Cyberwar and a Cyberthreat perspective, is that it is never static.  Attacks can come from anywhere and most often not directly from an attacker.  A device or network that is safe today won’t necessarily be so tomorrow or even five minutes from now.  Now I’m no military strategist by any stretch of the imagination, but to the layman it appears that the nature of cyber warfare and cyber threats is more akin to guerilla warfare than a traditional battlefield. </p>
<p>The article talks about how the command and control structure should be established within the U.S. Military to deal with the threat.  It cites <a title="Biography of Lt. Gen. William T. Lord USAF" href="http://www.af.mil/information/bios/bio.asp?bioID=6233" target="_blank">Lt. General William Lord</a>, Chief of Warfighting Integration and Chief Information Officer of the Office of the Secretary of the Air Force.  One of the quotes I find most telling:</p>
<blockquote><p>“We need to operate without heavy restrictions.  There are enormous restrictions in the offensive domain.  The biggest problem isn’t the enemy, the biggest problem is us.”</p></blockquote>
<p>There is so much contained in that short three-sentence quote that we could talk for days. </p>
<p>The problem is that Cyberspace is global as well as local.  It involves both the physical devices that transmit information in the electromagnetic spectrum and the electromagnetic spectrum itself.  There are physical boundaries (network, national, and international) in some respects but in others there are no boundaries at all.  Any action taken within this realm has the potential for global ramifications.  Achieving cyber superiority may not be as easy and straightforward as it seems. There is a confusing array of laws and international agreements that deal with the free flow of communications between countries.  These add layers of complexity to an already complex issue. </p>
<p>We have hemmed ourselves in with the laws and agreements we have made and have chosen to operate by a code of conduct that our adversaries do not have to follow.  This is how we have chosen to organize ourselves as a society and there is no doubt that it sometimes puts us at a disadvantage when pitted against an adversary who rejects our conventions.</p>
<p>I don’t believe that we can ever eliminate all risk or all threats.  I believe that these are just part of the world we live in.  We can choose to manage them and we can find ways to reduce them to levels with which we are comfortable (acknowledging that comfort levels can also change over time).</p>
<p>As the article suggests, we must above all else remain flexible in order to meet the challenges that face us.  We must learn to fight the next war, not the last one.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.ascensionriskmanagement.com/BlogOne/2009/09/22/flexibility/feed/</wfw:commentRss>
		<slash:comments>37</slash:comments>
		</item>
		<item>
		<title>Published in Cutter IT Journal</title>
		<link>http://www.ascensionriskmanagement.com/BlogOne/2009/09/10/cutter/</link>
		<comments>http://www.ascensionriskmanagement.com/BlogOne/2009/09/10/cutter/#comments</comments>
		<pubDate>Thu, 10 Sep 2009 19:05:56 +0000</pubDate>
		<dc:creator>gsmckee4</dc:creator>
				<category><![CDATA[General]]></category>
		<category><![CDATA[Recent News]]></category>
		<category><![CDATA[Compliance]]></category>
		<category><![CDATA[Cutter IT Journal]]></category>
		<category><![CDATA[information security]]></category>
		<category><![CDATA[Privacy]]></category>

		<guid isPermaLink="false">http://www.ascensionriskmanagement.com/BlogOne/?p=632</guid>
		<description><![CDATA[If you are a subscriber to the Cutter IT Journal you can check out my article in the August 2009 issue.  If not you can find out more information at the following link:
http://www.cutter.com/content/itjournal/fulltext/2009/08/itj0908a.html
 
I’m also trying to get a link to a PDF version of the article and will post it here as soon as I [...]]]></description>
			<content:encoded><![CDATA[<p>If you are a subscriber to the Cutter IT Journal you can check out my article in the August 2009 issue.  If not you can find out more information at the following link:</p>
<p><a href="http://www.cutter.com/content/itjournal/fulltext/2009/08/itj0908a.html">http://www.cutter.com/content/itjournal/fulltext/2009/08/itj0908a.html</a></p>
<p> </p>
<p>I’m also trying to get a link to a PDF version of the article and will post it here as soon as I do.</p>
<p> </p>
<p>Just an FYI – I don’t earn any income from the Cutter IT Journal so if you do decide to purchase a subscription I won’t benefit in any way from it.  Basically I get a free subscription by having my article accepted for publication that is about it.  That said I’ve enjoyed this issue so far (aside from my article of course) so if you do decide on purchasing a subscription you will probably enjoy it.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.ascensionriskmanagement.com/BlogOne/2009/09/10/cutter/feed/</wfw:commentRss>
		<slash:comments>28</slash:comments>
		</item>
		<item>
		<title>Quick One Question Poll</title>
		<link>http://www.ascensionriskmanagement.com/BlogOne/2009/09/04/quick-one-question-poll/</link>
		<comments>http://www.ascensionriskmanagement.com/BlogOne/2009/09/04/quick-one-question-poll/#comments</comments>
		<pubDate>Fri, 04 Sep 2009 21:48:52 +0000</pubDate>
		<dc:creator>gsmckee4</dc:creator>
				<category><![CDATA[General]]></category>

		<guid isPermaLink="false">http://www.ascensionriskmanagement.com/BlogOne/?p=626</guid>
<description><![CDATA[I’m just curious what everyone thinks would improve security. 
I’ll close this poll at midnight on 9/11/2009
]]></description>
<content:encoded><![CDATA[<p>I’m just curious what everyone thinks would improve security. </p>
<p>I’ll close this poll at midnight on 9/11/2009</p>
]]></content:encoded>
			<wfw:commentRss>http://www.ascensionriskmanagement.com/BlogOne/2009/09/04/quick-one-question-poll/feed/</wfw:commentRss>
		<slash:comments>34</slash:comments>
		</item>
		<item>
		<title>Make Your Voice and Views Heard</title>
		<link>http://www.ascensionriskmanagement.com/BlogOne/2009/09/04/voice/</link>
		<comments>http://www.ascensionriskmanagement.com/BlogOne/2009/09/04/voice/#comments</comments>
		<pubDate>Fri, 04 Sep 2009 20:42:36 +0000</pubDate>
		<dc:creator>gsmckee4</dc:creator>
				<category><![CDATA[Recent News]]></category>
		<category><![CDATA[homeland security]]></category>
		<category><![CDATA[QHSR]]></category>
		<category><![CDATA[quadrennial homeland security review]]></category>
		<category><![CDATA[review]]></category>

		<guid isPermaLink="false">http://www.ascensionriskmanagement.com/BlogOne/?p=616</guid>
		<description><![CDATA[A while back I posted a link to the Quadrennial Homeland Security Review (QHSR).  The 2nd National Dialogue opened September 1st and will run to September 9th.  This is another chance to provide your opinion on any number of Homeland Security concerns – one of which is cybersecurity.  This dialogue has refined the original dialogue [...]]]></description>
			<content:encoded><![CDATA[<p>A while back I posted a link to the Quadrennial Homeland Security Review (QHSR).  The <a title="2nd National Dialogue - Quadrennial Homeland Security Review" href="http://www.homelandsecuritydialogue.org/dialogue2/" target="_blank">2<sup>nd</sup> National Dialogue </a>opened September 1<sup>st</sup> and will run to September 9<sup>th</sup>.  This is another chance to provide your opinion on any number of Homeland Security concerns – one of which is cybersecurity.  This dialogue has refined the original dialogue into objectives and they are asking our opinion in prioritizing these objectives and providing feedback on how they may be achieved.  I urge everyone out there – regardless of political persuasion or creed to provide informed constructive feedback.  </p>
<p>You can find the second dialogue at <a href="http://www.homelandsecuritydialogue.org/dialogue2/">http://www.homelandsecuritydialogue.org/dialogue2/</a></p>
<p>Thanks</p>
]]></content:encoded>
			<wfw:commentRss>http://www.ascensionriskmanagement.com/BlogOne/2009/09/04/voice/feed/</wfw:commentRss>
		<slash:comments>51</slash:comments>
		</item>
		<item>
		<title>The Relationship between Professional Cooking and Information Security (Part Two)</title>
		<link>http://www.ascensionriskmanagement.com/BlogOne/2009/09/03/relationship2/</link>
		<comments>http://www.ascensionriskmanagement.com/BlogOne/2009/09/03/relationship2/#comments</comments>
		<pubDate>Thu, 03 Sep 2009 17:20:52 +0000</pubDate>
		<dc:creator>gsmckee4</dc:creator>
				<category><![CDATA[General]]></category>
		<category><![CDATA[culinary school]]></category>
		<category><![CDATA[Heartland Payment Systems]]></category>
		<category><![CDATA[information security]]></category>
		<category><![CDATA[L'Academie de Cuisine]]></category>
		<category><![CDATA[Mediterranean Fish Soup]]></category>
		<category><![CDATA[PCI DSS]]></category>
		<category><![CDATA[professional cooking]]></category>
		<category><![CDATA[professional kitchen]]></category>
		<category><![CDATA[recipe]]></category>
		<category><![CDATA[Robert Carr]]></category>
		<category><![CDATA[standard]]></category>

		<guid isPermaLink="false">http://www.ascensionriskmanagement.com/BlogOne/?p=608</guid>
		<description><![CDATA[In the first part of this series, I began by explaining that the topic came from a reaction I had to a quote from Robert Carr the CEO of Heartland.  The underlying premise of the quote was built on the assumption that Heartland was PCI DSS compliant therefore they should have been secure.  Anyone who [...]]]></description>
<content:encoded><![CDATA[<p>In the <a title="Relationship Part One" href="http://www.ascensionriskmanagement.com/BlogOne/2009/08/20/relationship1/" target="_blank">first part of this series</a>, I began by explaining that the topic came from a reaction I had to a quote from Robert Carr, the CEO of Heartland.  The underlying premise of the quote was built on the assumption that Heartland was PCI DSS compliant and therefore should have been secure.  Anyone who has read this blog won’t be surprised to hear that I don’t agree that compliance can be equated in any way with how secure a network or system is or isn’t. </p>
<p>As I mulled this over an analogy came to mind.  It was that Information Security is a lot like professional cooking.  <a title="Relationship Part One" href="http://www.ascensionriskmanagement.com/BlogOne/2009/08/20/relationship1/" target="_blank">Part One </a>basically set things up and this part (Part Two) will begin the analogy by showing how standards are a lot like professional recipes.  In Part Three I will broaden the image by relating what we do to working in a professional kitchen.</p>
<p>As some of you know, when I first graduated from college I went to culinary school.  <a title="L'Academie de Cuisine" href="http://www.lacademie.com/Professional/ProfessionalHome.aspx?Destination=welcome" target="_blank">The school I went to </a>focused on technique and we spent every day in the kitchen learning and refining what we had learned.  I went on to work in some fine dining restaurants and while I later came to the realization that life in a professional kitchen wasn’t for me, I learned quite a few life lessons during that experience. </p>
<p>Getting back to the point that standards are much like recipes, let me share with you one of the base recipes from my time in culinary school:</p>
<blockquote>
<p align="center"><span style="text-decoration: underline;">Mediterranean Fish Soup</span></p>
<p align="center">(Serve with rouille on croutons)</p>
<p>Olive Oil</p>
<p>Scallions – FC</p>
<p>Onion – C</p>
<p>Garlic – FC</p>
<p>Tomato – C</p>
<p>White Wine</p>
<p>Fish Stock</p>
<p>Season</p>
<p>Saffron</p>
<p>Thyme</p>
<p>Fish in 1” pieces</p>
<p>(Salmon, Red Snapper, Scallops, Clams/Mussels, etc)</p></blockquote>
<p> </p>
<p>That’s it.  Most professional recipes are like this one.  Some even have less detail.  Now if you know what you are doing then this is really all you need. </p>
<p>The Chef who taught me to cook was from France and he taught us as he was taught.  No recipes – just technique.  We didn’t have recipes, cook times, or for the most part cook temperatures (Pastry and baking is a whole different world.  In order to do pastry and baking you need all of those things.  I’m talking savories not pastry and baking.)  When asked how long to cook something Chef’s response was: “Until it’s done.”  When we pushed him further he told us to start cooking and we would see. </p>
<p>What he didn’t want us doing was blindly following a recipe.  He wanted us to think about the food: how it was cooking; what was happening in the pan; how this flavor blended with that one; how they blend differently depending on the cooking technique being used, etc.</p>
<p>By teaching us the technique he was developing in us the skill to understand how different ingredients interact to create a dish.  We could then experiment to create our own dishes and creations (later outside of class of course). </p>
<p>Now standards (such as PCI, HIPAA, GLBA, FISMA, DIACAP, etc) are very much like professional recipes.  Some have more detail than others but they are a basic set of instructions and all imply a certain baseline of knowledge to make heads or tails of them. They take someone with skill to apply them if they are going to result in something.  And by something I mean a soup that is so memorable that it brings you back to the restaurant time after time. </p>
<p>Take the above recipe.  If you throw everything that I listed in a pot and cook it you’ll end up with garbage (much like blanket applying a standard or baseline set of controls).  The vegetables will take longer to cook than the fish.  Some fish will take longer to cook than other fish.  So you could end up with a soup with overcooked mushy vegetables and fish that will range from being overcooked to raw. </p>
<p>Here’s the thing: you followed or rather were “compliant” with the recipe but you still ended up with garbage (or at least not something worthy of a fine dining restaurant).  Sound familiar?</p>
<p>Put this recipe in the hands of a trained/experienced cook however and you will have something. (WARNING – minor digression here.  We throw around the term “Chef” too loosely in this country.  There is really only one Chef in a kitchen – everyone else is a cook.  IMHO, you must earn the title “Chef” and shouldn’t get it just because you put on a white jacket and stand next to a stove.) A trained/experienced cook will take the finely chopped scallions and onion and sweat them down in a little olive oil. Just as they are tender and translucent the garlic will be added for a minute or two – that way it doesn’t burn.  Next in will be some chopped and seeded tomato.  This will be cooked down until the pan is somewhat dry but the tomatoes are moist.  At this stage you’ll need to keep your eye on the bottom of the pan.  You are looking for a little caramelization of the sugars from the scallions, onion, garlic and tomato to occur.  Don’t burn it though.  As the caramelization occurs, add in some white wine to deglaze the pan.  When that cooks down to the point that it is gone, add the saffron followed by the fish stock and some fresh thyme. </p>
<p>Now you have your fish soup base.  To this you will be adding several types of fish/shellfish.  The problem is that even though you will cut them all to the same size, they won’t all cook the same.  Some will take longer than others.  Here is where experience comes in again.  What some people do is that once they have a huge pot of the base, they take a cup or two of it and put it in a smaller pot or pots.  They use these pots to cook the fish to order and return the cooking liquid back to the soup base after each go.  That means that the base will pick up the flavors and oils from the fish and actually get better throughout the night.  The base is kept at a simmer all night too, so you can quickly cool it down and refrigerate it for use the next day.  </p>
<p>Now in this analogy the cook was able to use the elements of the recipe to create a pretty good basic fish soup.  Can you alter the ingredients to create something else – of course you can.  You can substitute shallots for the onions and some of the garlic.  You can add in leeks or other vegetables too and you would treat them slightly differently depending upon how the soup was going to be served.  I won’t go into all that here as I’ll get too far away from the analogy, but once the basic technique is learned a lot can be done from that basic starting point.</p>
<p>That is what standards are – basic starting points.  In the hands of a skilled professional they can take us a long way towards securing our networks but they are by no means an end unto themselves. </p>
<p>Now that I’ve run a bit long on that I’ll wrap this up by saying that now that we have an idea how standards fit into professional cooking we can move on to how managing security in a network is akin to professional cooking.  That will be next time of course.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.ascensionriskmanagement.com/BlogOne/2009/09/03/relationship2/feed/</wfw:commentRss>
		<slash:comments>28</slash:comments>
		</item>
		<item>
		<title>Request a Dataset</title>
		<link>http://www.ascensionriskmanagement.com/BlogOne/2009/08/25/request-a-dataset/</link>
		<comments>http://www.ascensionriskmanagement.com/BlogOne/2009/08/25/request-a-dataset/#comments</comments>
		<pubDate>Tue, 25 Aug 2009 17:55:37 +0000</pubDate>
		<dc:creator>gsmckee4</dc:creator>
				<category><![CDATA[General]]></category>

		<guid isPermaLink="false">http://www.ascensionriskmanagement.com/BlogOne/?p=602</guid>
		<description><![CDATA[Rybolov over on the Guerilla CISO put up a great post about the need for more data in our industry along with a request that you go to data.gov and “request a dataset.”   I think this is a wonderful idea and urge you to request the following per Rybolov’s suggestion:
 So, I want people to go [...]]]></description>
			<content:encoded><![CDATA[<p>Rybolov over on the <a title="A Note to Data people: Give us some raw Infosec Data" href="http://www.guerilla-ciso.com/archives/1281" target="_blank">Guerilla CISO </a>put up a great post about the need for more data in our industry along with a request that you go to <a title="Data.gov" href="http://www.data.gov/" target="_blank">data.gov </a>and “<a title="Suggest a Dataset on Data.gov" href="http://www.data.gov/suggestdataset" target="_blank">request a dataset</a>.”   I think this is a wonderful idea and urge you to request the following per Rybolov’s suggestion:</p>
<blockquote><p> So, I want people to go to <a href="http://www.data.gov/suggestdataset" target="_blank"><strong>data.gov’s “request a dataset” page</strong></a> and request the following:</p></blockquote>
<blockquote><p><em>Complete responses from the Departments and Agencies to the FISMA reporting requirements for FY2004-2009 based on OMB Memoranda 04-25, 05-15, 06-20, 07-19, 08-21, and 09-29.</em></p>
<p><em>Raw incident data for years 2005-2007 as reported to OMB and summarized in their report to Congress on FY2007 FISMA performance and published at <a href="http://www.whitehouse.gov/omb/inforeg/reports/2007_fisma_report.pdf">http://www.whitehouse.gov/omb/inforeg/reports/2007_fisma_report.pdf</a></em></p>
<p><em>Raw incident data for years 2007 and later in any type and format similar to the Verizon Data Breach Incident Report available at </em><a href="http://www.verizonbusiness.com/resources/security/reports/2009_databreach_rp.pdf">http://www.verizonbusiness.com/resources/security/reports/2009_databreach_rp.pdf</a></p>
<p><em>This information is necessary for researchers to study the effectiveness of information security management techniques and regulatory schemes and for industry to propose changes to national-level information security management frameworks and legislation such as FISMA.  This information for the most part has been released in a summary format to Congress and the release of the complete dataset on data.gov would greatly aid the information security community.</em></p></blockquote>
<p>I’ve put in a request already.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.ascensionriskmanagement.com/BlogOne/2009/08/25/request-a-dataset/feed/</wfw:commentRss>
		<slash:comments>36</slash:comments>
		</item>
		<item>
		<title>New NIST Security Controls Class</title>
		<link>http://www.ascensionriskmanagement.com/BlogOne/2009/08/21/new-nist-security-controls-class/</link>
		<comments>http://www.ascensionriskmanagement.com/BlogOne/2009/08/21/new-nist-security-controls-class/#comments</comments>
		<pubDate>Fri, 21 Aug 2009 13:45:05 +0000</pubDate>
		<dc:creator>gsmckee4</dc:creator>
				<category><![CDATA[General]]></category>

		<guid isPermaLink="false">http://www.ascensionriskmanagement.com/BlogOne/?p=596</guid>
		<description><![CDATA[If you are involved in the Federal Government or servicing the Federal Government you will want to get up to speed on the latest revision of the security control set contained in NIST Special Publication 800-53 Rev 3. 
Hear from Dr. Ron Ross directly concerning the new changes and how they will come into play in [...]]]></description>
			<content:encoded><![CDATA[<p>If you are involved in the Federal Government or servicing the Federal Government you will want to get up to speed on the latest revision of the security control set contained in NIST Special Publication 800-53 Rev 3. </p>
<p>Hear from Dr. Ron Ross directly concerning the new changes and how they will come into play in the coming year. </p>
<p>I will probably not be speaking at this seminar directly but am involved in the development of the material.  I’m working hard to make sure the material is relevant and allows you to take it back and put it into practice immediately. </p>
<p>The details are as follows:</p>
<p align="center"><strong><a title="Potomac Forum Seminar Website" href="http://www.potomacforum.org/?view=314" target="_blank">New NIST Security Controls:</a></strong><strong><br />
</strong><a title="Potomac Forum Seminar Website" href="http://www.potomacforum.org/?view=314" target="_blank"><strong>NIST Special Publication 800-53 Rev 3</strong><br />
<strong> Training Workshop for Government &amp; Industry</strong><br />
</a><strong> <br />
<em>Recommended Security Controls for Federal Information Systems and Organizations</em><br />
</strong><em><strong>Implementing The New NIST Unified Controls for the Civilian, DoD<br />
</strong></em><strong><em>and Intelligence Agencies <br />
</em> <br />
September 15, 2009</strong> <strong><br />
</strong><br />
<strong> Willard InterContinental Hotel</strong><strong><br />
</strong><strong>Washington, D.C.</strong></p>
<p align="center"><strong> </strong><strong>Analysis and Discussion of the <a title="New Revision 3 of the NIST Special Publication 800-53" href="http://cl.exct.net/?ju=fe27167475630175721271&amp;ls=fde513707c63017b771d7672&amp;m=ff2910727c63&amp;l=feb71d77766c027a&amp;s=fde515747c6d037e7d137877&amp;jb=ffcf14&amp;t=">New Revision 3 of the NIST Special Publication 800-53</a>: Recommended Security Controls for Federal Information Systems and Organizations </strong><strong><br />
<em>(The new 800-53 R3 </em></strong><strong><em>Integrates  Intelligence, DoD and Civilian Government Controls)</em></strong><strong><em><br />
</em></strong><strong><br />
</strong><strong> </strong><strong>Keynote Speaker and Overview NIST SP 800-53 r3</strong><strong><br />
</strong><strong>Dr Ron Ross</strong><strong><br />
</strong><strong>Project Leader,</strong><br />
<strong>Joint Task Force Transformation</strong><br />
<strong>Initiative Interagency Working Group and</strong><br />
<strong>Leader, FISMA Team</strong><br />
<strong>Computer Security Division</strong><br />
<strong>NIST</strong><br />
<strong>&#8212;</strong><strong><br />
</strong><em><strong>Learn about Civilian, DoD and Intelligence Community Collaboration on New Controls</strong></em><strong><em></em></strong><em><strong>What is new</strong></em><strong><em><br />
</em><em>What has changed</em><br />
<em>What YOU need to know</em><br />
<em>to implement the new controls</em><br />
<em>and why </em></strong>
</p>
<p style="text-align: center;"> </p>
<p><em><strong>What you will learn</strong></em></p>
<ul>
<li><strong><em>The background and need for a Unified Information Security Framework</em></strong></li>
<li><strong><em>The organizational responsibilities set forth in NIST 800-53 Revision 3</em></strong></li>
<li><strong><em>How new, changed and withdrawn security controls in NIST SP 800-53 Revision 3 will affect your organization</em></strong></li>
<li><strong><em>How to select and apply NIST 800-53 controls across the enterprise, in external environments, and in legacy systems</em></strong></li>
<li><strong><em>How to tailor and scope security controls for your environment</em></strong></li>
<li><strong><em>How security controls fit into an organizational perspective on risk management</em></strong></li>
<li><strong><em>How to use the new recommended &#8220;Priority Code&#8221; assigned to all NIST SP 800-53 security controls</em></strong></li>
<li><strong><em>How to implement the new Program Management controls</em></strong></li>
<li><strong><em>Perspectives from both the Defense and Intelligence Communities.</em></strong></li>
</ul>
<p style="text-align: center;"><strong>Practical Training from the Recognized Leader in</strong><br />
<strong>Government IT Security and FISMA Training</strong><br />
<strong>Our 6th Year of C&amp;A, FISMA and Government</strong><br />
<strong>Security Training</strong></p>
]]></content:encoded>
			<wfw:commentRss>http://www.ascensionriskmanagement.com/BlogOne/2009/08/21/new-nist-security-controls-class/feed/</wfw:commentRss>
		<slash:comments>36</slash:comments>
		</item>
		<item>
		<title>The Relationship between Professional Cooking and Information Security (Part One)</title>
		<link>http://www.ascensionriskmanagement.com/BlogOne/2009/08/20/relationship1/</link>
		<comments>http://www.ascensionriskmanagement.com/BlogOne/2009/08/20/relationship1/#comments</comments>
		<pubDate>Thu, 20 Aug 2009 21:31:17 +0000</pubDate>
		<dc:creator>gsmckee4</dc:creator>
				<category><![CDATA[General]]></category>
		<category><![CDATA[Recent News]]></category>
		<category><![CDATA[Compliance]]></category>
		<category><![CDATA[CSO Magazine]]></category>
		<category><![CDATA[Data Breach]]></category>
		<category><![CDATA[developers]]></category>
		<category><![CDATA[Heartland Payment Systems]]></category>
		<category><![CDATA[information risk management]]></category>
		<category><![CDATA[insider threat]]></category>
		<category><![CDATA[PCI]]></category>
		<category><![CDATA[PCI DSS]]></category>
		<category><![CDATA[professional cooking]]></category>
		<category><![CDATA[professional kitchen]]></category>
		<category><![CDATA[QSA]]></category>
		<category><![CDATA[recipes]]></category>
		<category><![CDATA[risk management]]></category>
		<category><![CDATA[Robert Carr]]></category>
		<category><![CDATA[SQL Injection]]></category>
		<category><![CDATA[standards]]></category>

		<guid isPermaLink="false">http://www.ascensionriskmanagement.com/BlogOne/?p=587</guid>
		<description><![CDATA[I’ve been a bit lax with the blog lately and for that I’m sorry.  The reason will be clear in a few weeks when I hope to be able to make an announcement.  For now though I’d like to just provide my apologies.
This post started out as my commentary on two recent articles that appeared [...]]]></description>
			<content:encoded><![CDATA[<p>I’ve been a bit lax with the blog lately and for that I’m sorry.  The reason will be clear in a few weeks when I hope to be able to make an announcement.  For now though I’d like to just provide my apologies.</p>
<p>This post started out as my commentary on two recent articles that appeared in CSO Magazine concerning the data breach at Heartland Payment Systems (“<a title="CSO Magazine - Heartland CEO on Data Breach" href="http://www.csoonline.com/article/499527/Heartland_CEO_on_Data_Breach_QSAs_Let_Us_Down?page=1" target="_blank">Heartland CEO on Data Breach: QSAs Let Us Down</a>” and “<a title="CSO Magazine: SQL Injection Attacks Led to Heartland, Hannaford Breaches" href="http://www.csoonline.com/article/499964/SQL_injection_Attacks_Led_to_Heartland_Hannaford_Breaches_?source=CSONLE_nlt_update_2009-08-20" target="_blank">SQL Injection Attacks Led to Heartland, Hannaford Breaches</a>.”) </p>
<p>Now what I do to write these posts is basically sit down and let it just flow out of me.  I then go back and do a little cleanup as needed.  Sometimes the cleanup needed is so extensive that I just trash the post.  Other times I realize that a concept that came up late in the post is really what the post should have been about in the first place.  That is the case this time.  So I’ve basically thrown out three quarters of the pontificating (which you really didn’t want to hear anyway) and focused on the analogy that information security is much like professional cooking.  As I put this together I glanced down at the word count and realized that this was growing to be much more than the simple post that I initially envisioned.  So what I’ll do is break it up into a few parts to try and get my point across.  Let me know if I was successful. </p>
<p>How did I come up with this analogy?  Well it was mainly sparked by a comment made by Heartland CEO Robert Carr in the first article mentioned above.  That comment was:</p>
<blockquote><p>&#8220;The audits done by our QSAs (Qualified Security Assessors) were of no value whatsoever. To the extent that they were telling us we were secure beforehand, that we were PCI compliant, was a major problem. The QSAs in our shop didn&#8217;t even know this was a common attack vector being used against other companies. We learned that 300 other companies had been attacked by the same malware. I thought, &#8216;You&#8217;ve got to be kidding me.&#8217; That people would know the exact attack vector and not tell major players in the industry is unthinkable to me. I still can&#8217;t reconcile that.&#8221;</p></blockquote>
<p>In this first part I’m going to set up the analogy and then dive into it within the subsequent posts. </p>
<p>While I’ve been critical of some of the statements that Mr. Carr has made in the past I basically think that he has done a great job in responding to the crisis his company is in.  True he may have been forced into this response by circumstances but I’m not going to look a gift horse in the mouth.  A CEO of a major corporation has finally come to realize the importance of information security in the daily operations of his company.  However you look at it that is a good thing.  That he has become proactive in advancing our cause is an even better thing. </p>
<p>What concerns me though is Mr. Carr’s statement.  He may be doing the right thing but I don’t want him to do it for the wrong reason because in the end it won’t help us out, it may even hurt us. </p>
<p>You see Mr. Carr’s statement smacks of “missing the forest for the trees.”  He seems to understand that he must do something but doesn’t really understand the real reason behind it.  So this is my effort to try and shed some light onto the subject.  Will Mr. Carr ever read this?  Who knows but that really isn’t important as long as this helps someone.  So if this makes sense and you want to use it go right ahead.  (Just give me credit in some way.)</p>
<p>Let me take a stab at reconciling the issue.  The QSAs didn’t necessarily fail.  They audited to a known and accepted standard.  PCI DSS didn’t necessarily fail either; it is what it is, a standard.  What failed you was the commonly held assumption that compliance equals security. </p>
<p>When push comes to shove, SQL injection has been around for a long time so the fact that systems are still regularly found to have input validation issues is surprising.  Since we can’t blame the QSAs should we blame the developers?  We could but again we’d be missing the forest for the trees.  These are but symptoms of the problem.  How do we get at the problem?  In trying to get a handle on this I’ll try my hand at a little analogy.  That being that Information Security is a lot like professional cooking.  I’ll illustrate this by first focusing on how recipes are a lot like standards (Part Two) and then I’ll move on to broaden the image by relating what we do in information security to working in a professional kitchen.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.ascensionriskmanagement.com/BlogOne/2009/08/20/relationship1/feed/</wfw:commentRss>
		<slash:comments>33</slash:comments>
		</item>
		<item>
		<title>Get Involved</title>
		<link>http://www.ascensionriskmanagement.com/BlogOne/2009/08/03/get-involved/</link>
		<comments>http://www.ascensionriskmanagement.com/BlogOne/2009/08/03/get-involved/#comments</comments>
		<pubDate>Mon, 03 Aug 2009 21:31:11 +0000</pubDate>
		<dc:creator>gsmckee4</dc:creator>
				<category><![CDATA[General]]></category>

		<guid isPermaLink="false">http://www.ascensionriskmanagement.com/BlogOne/?p=584</guid>
		<description><![CDATA[Get involved in the National Dialogue on the Quadrennial Homeland Security Review.  Go to http://www.homelandsecuritydialogue.org/
]]></description>
			<content:encoded><![CDATA[<p>Get involved in the National Dialogue on the Quadrennial Homeland Security Review.  Go to <a href="http://www.homelandsecuritydialogue.org/">http://www.homelandsecuritydialogue.org/</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.ascensionriskmanagement.com/BlogOne/2009/08/03/get-involved/feed/</wfw:commentRss>
		<slash:comments>60</slash:comments>
		</item>
		<item>
		<title>Getting your point across</title>
		<link>http://www.ascensionriskmanagement.com/BlogOne/2009/07/20/gettingpointacross/</link>
		<comments>http://www.ascensionriskmanagement.com/BlogOne/2009/07/20/gettingpointacross/#comments</comments>
		<pubDate>Mon, 20 Jul 2009 18:53:01 +0000</pubDate>
		<dc:creator>gsmckee4</dc:creator>
				<category><![CDATA[Recent News]]></category>
		<category><![CDATA[communication]]></category>
		<category><![CDATA[corporate culture]]></category>
		<category><![CDATA[Free BBQ]]></category>
		<category><![CDATA[Michael Santarcangelo]]></category>
		<category><![CDATA[perception]]></category>
		<category><![CDATA[Prioritization]]></category>
		<category><![CDATA[risk management]]></category>
		<category><![CDATA[security awareness]]></category>
		<category><![CDATA[Trust]]></category>
		<category><![CDATA[value of security]]></category>

		<guid isPermaLink="false">http://www.ascensionriskmanagement.com/BlogOne/?p=578</guid>
		<description><![CDATA[Have you ever left a meeting frustrated that you didn’t get your point across?  Have you ever wondered why other people don’t “get it” when it comes to security?  I certainly know that I have and it was a moment like this that initially caused me to look at the problem differently.  I decided to [...]]]></description>
			<content:encoded><![CDATA[<p>Have you ever left a meeting frustrated that you didn’t get your point across?  Have you ever wondered why other people don’t “get it” when it comes to security?  I certainly know that I have and it was a moment like this that initially caused me to look at the problem differently.  I decided to turn the question around and began asking myself what I was doing that got in the way of other people getting it.</p>
<p>That was about 10 years ago and since then I have learned quite a bit about communicating effectively.  That isn’t to say that I don’t backslide on occasion or that I’m some sort of expert in effective communication.  I’m not but am lucky to know someone that is.  His name is <a title="About Michael" href="http://www.securitycatalyst.com/about/michael-santarcangelo/" target="_blank">Michael Santarcangelo </a>and if you live near enough to Fairfax, Virginia you have a treat in store for you.</p>
<p>In addition to being a lifelong security professional, Michael is a professional speaker (as in a member of the National Speakers Association, not some guy who gets to speak in public occasionally like me).  That means that he has refined the ability to communicate effectively and quickly, something that is very important in these days of bullet point meetings and decreased budgets. </p>
<p>Michael has put together a program to teach others to effectively communicate the value of security and is just about ready to roll it out in an upcoming 15 city tour.  All he needs to do is give it a test run and that is where this amazing opportunity comes in. </p>
<p>On Saturday July 25<sup>th</sup> (This coming Saturday), Michael will be giving <a title="Communicating the Value of Security Seminar" href="http://cvspreview.eventbrite.com/" target="_blank">a preview of the Communicating the Value of Security Seminar at George Mason University in Fairfax, Virginia</a>.  He has worked with GMU and their Cauldron project to deliver this seminar.  Better still since it is on a Saturday he is offering a pool party and BBQ for the attendees and their families (provided courtesy of Cauldron).  The price is <span style="color: #ff0000;"><strong>$12.75</strong> </span>per person/family. </p>
<p>That means that you can pay to attend the seminar and then have your family meet you for the pool party and BBQ for only $12.75.  Now where are you going to be able to feed your family for that price?  I used to live in the DC area and can tell you that you won’t find anyplace around where you could feed a family of four for under $15.  Even if you consider yourself a master communicator, you can always pick up a tip or trick, and at this price can you afford not to go?  The normal seminar will probably be quite a bit more expensive and probably won’t include BBQ and a pool party. </p>
<p><a title="Communicating the Value of Security Seminar Information" href="http://www.securitycatalyst.com/cvs-seminar-preview/" target="_blank">Check out Michael’s site for a description of the seminar and a link on where you can register.</a>  Please spread the word too.  It is always important to support those in our community who are working to make our jobs easier, and Michael is definitely one of those.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.ascensionriskmanagement.com/BlogOne/2009/07/20/gettingpointacross/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

