Ascension Blog

Rybolov over on the Guerilla CISO put up a great post about the need for more data in our industry along with a request that you go to data.gov and “request a dataset.”   I think this is a wonderful idea and urge you to request the following per Rybolov’s suggestion:

 So, I want people to go to data.gov’s “request a dataset” page and request the following:

Complete responses from the Departments and Agencies to the FISMA reporting requirements for FY2004-2009 based on OMB Memoranda 04-25, 05-15, 06-20, 07-19, 08-21, and 09-29.

Raw incident data for years 2005-2007 as reported to OMB and summarized in their report to Congress on FY2007 FISMA performance and published at http://www.whitehouse.gov/omb/inforeg/reports/2007_fisma_report.pdf

Raw incident data for years 2007 and later in any type and format similar to the Verizon Data Breach Incident Report available at http://www.verizonbusiness.com/resources/security/reports/2009_databreach_rp.pdf

This information is necessary for researchers to study the effectiveness of information security management techniques and regulatory schemes and for industry to propose changes to national-level information security management frameworks and legislation such as FISMA.  This information for the most part has been released in a summary format to Congress and the release of the complete dataset on data.gov would greatly aid the information security community.

I’ve put in a request already.

If you are involved in the Federal Government or servicing the Federal Government you will want to get up to speed on the latest revision of the security control set contained in NIST Special Publication 800-53 Rev 3. 

Hear from Dr. Ron Ross directly concerning the new changes and how they will come into play in the comming year. 

I will probably not be speaking at this seminar directly but am involved in the development of the material.  I’m working hard to make sure the material is relevant and allows you to take the material back and put it in practice immedately. 

The details are as follows:

New NIST Security Controls:
NIST Special Publication 800-53 Rev 3
 Training Workshop for Government & Industry
 
Recommended Security Controls for Federal Information Systems and Organizations
Implementing The New NIST Unified Controls for the Civilian, DoD
and Intelligence Agencies 
 
September 15, 2009 

 Willard InterContinental Hotel
Washington, D.C.

 Analysis and Discussion of the New Revision 3 of the NIST Special Publication 800-53: Recommended Security Controls for Federal Information Systems and Organizations
(The new 800-53 R3 Integrates  Intelligence, DoD and Civilian Government Controls)

 Keynote Speaker and Overview NIST SP 800-53 r3
Dr Ron Ross
Project Leader,
Joint Task Force Transformation
Initiative Interagency Working Group and
Leader, FISMA Team
Computer Security Division
NIST
—
Learn about Civilian, DoD and Intelligence Community Collaboration on New ControlsWhat is new
What has changed
What YOU need to know
to implement the new controls
and why 

 

  What you will learn

• The background and need for a Unified Information Security Framework
• The organizational responsibilities set forth in NIST 800-53 Revision 3
• How new, changed and withdrawn security controls in NIST SP 800-53 Revision 3 will affect your organization
• How to select and apply NIST 800-53 controls across the enterprise, in external environments, and in legacy systems
• How to tailor and scope security controls for your environment
• How security controls fit into an organizational perspective on risk management
• How to use the new recommended “Priority Code” assigned to all NIST SP 800-53 security controls
• How to implement the new Program Management controls
• Perspectives from both the Defense and Intelligence Communities. 

Practical Training from the Recognized Leader in
Government IT Security and FISMA Training
Our 6th Year of C&A, FISMA and Government
Security Training 

I’ve been a bit lax with the blog lately and for that I’m sorry.  The reason will be clear in a few weeks when I hope to be able to make an announcement.  For now though I’d like to just provide my apologies.

This post started out as my commentary on two recent articles that appeared in CSO Magazine concerning the data breach at Heartland Payment Systems (“Heartland CEO on Data Breach: QSAs Let Us Down” and “SQL Injection Attacks Lead to Heartland, Hannaford Breaches.”) 

Now what I do to write these posts is basically sit down and let it just flow out of me.  I then go back and do a little clean up as needed.  Sometimes the clean up needed is so much I just trash the post.  Other times I realize that a concept that came up late post is really what the post should have been about in the first place.  That is the case this time.  So I’ve basically thrown out three quarters of the pontificating (which you really didn’t want to hear anyway) and focused on the analogy that information security is much like professional cooking. As I put this together I glanced down at the word count and realized that this was growing to be much more than the simple post that I initially envisioned.  So what I’ll do is break it up into a few parts to try and get my point across.  Let me know if I was successful. 

How did I come up with this analogy?  Well it was mainly sparked by a comment made by Heartland CEO Robert Carr in the first article mentioned above.  That comment was:

“The audits done by our QSAs (Qualified Security Assessors) were of no value whatsoever. To the extent that they were telling us we were secure beforehand, that we were PCI compliant, was a major problem. The QSAs in our shop didn’t even know this was a common attack vector being used against other companies. We learned that 300 other companies had been attacked by the same malware. I thought, ‘You’ve got to be kidding me.’ That people would know the exact attack vector and not tell major players in the industry is unthinkable to me. I still can’t reconcile that.”

In this first part I’m going to set up the analogy and then dive into it within the subsequent posts. 

While I’ve been critical of some of the statements that Mr. Carr has made in the past I basically think that he has done a great job in responding to the crisis his company is in.  True he may have been forced into this response by circumstances but I’m not going to look a gift horse in the mouth.  A CEO of a major corporation has finally come to realize the importance of information security in the daily operations of his company.  However you look at it that is a good thing.  That he has become proactive in advancing our cause is an even better thing. 

What concerns me though is Mr. Carr’s statement.  He may be doing the right thing but I don’t want him to do it for the wrong reason because in the end it won’t help us out, it may even hurt us. 

You see Mr. Carr’s statement smacks of “missing the forest for the trees.”  He seems to understand that he must do something but doesn’t really understand the real reason behind it.  So this is my effort to try and shed some light onto the subject.  Will Mr. Carr ever read this?  Who knows but that really isn’t important as long as this helps someone.  So if this makes sense and you want to use it go right ahead.  (Just give me credit in some way.)

Let me take a stab at reconciling the issue.  The QSAs didn’t necessarily fail.  They audited to a known and accepted standard.  PCI DSS didn’t even necessarily fail; it is what it is a standard.  What failed you was the commonly held assumption that compliance equals security. 

When push comes to shove, SQL injection has been around for a long time so the fact that systems are still regularly found to have input validation issues is surprising.  Since we can’t blame the QSAs should we blame the developers?  We could but again we’d be missing the forest for the trees.  These are but symptoms of the problem.  How do we get at the problem?  In trying to get a handle on this I’ll try my hand at a little analogy.  That being that Information Security is a lot like professional cooking.  I’ll illustrate this by first focusing on how recipes are a lot like standards (Part Two) and then I’ll move on to broaden the image by relating what we do in information security to working in a professional kitchen.

Tags: Compliance, CSO Magazine, Data Breach, developers, Heartland Payment Systems, information risk management, insider threat, PCI, PCI DSS, professional cooking, professional kitchen, QSA, recipes, risk management, Robert Carr, SQL Injection, standards

Get involved in the National Dialogue on the Quadrennial Homeland Security Review.  Go to http://www.homelandsecuritydialogue.org/

Have you ever left a meeting frustrated that you didn’t get your point across?  Have you ever wondered why other people don’t “get it” when it comes to security?  I certainly know that I have and it was a moment like this that initially caused me to look at the problem differently.  I decided to turn the question around and began asking myself what I was doing that got in the way of other people getting it.

That was about 10 years ago and since then I have learned quite a bit about communicating effectively.  That isn’t to say that I don’t backslide on occasion or that I’m some sort of expert in effective communication.  I’m not but am lucky to know someone that is.  His name is Michael Santarcangelo and if you live near enough to Fairfax, Virginia you have a treat in store for you.

In addition to being a lifelong security professional, Michael is a professional speaker (as in member of the National Speakers Association and not some guy who gets to speak in public occasionally like me).  That means that he has refined the ability to communicate effectively and quickly something that is very important in these days of bullet point meetings and decreased budgets. 

Michael has put together a program to teach others to effectively communicate the value of security and is just about ready to roll it out in an upcoming 15 city tour.  All he needs to do is give it a test run and that is where this amazing opportunity comes in. 

On Saturday July 25^th (This coming Saturday), Michael will be giving a preview of the Communicating the Value of Security Seminar at George Mason University in Fairfax, Virginia.  He has worked with GMU and their Cauldron project to deliver this seminar.  Better still since it is on a Saturday he is offering a pool party and BBQ for the attendees and their families (provided courtesy of Cauldron).  The price is $12.75 per person/family. 

That means that you can pay to attend the seminar and then have your family meet you for the pool party and BBQ for only $12.75.  Now where are you going to be able to feed your family for that price?  I use to live in the DC area and can tell you that you won’t fine anyplace around where you could feed a family of four for under $15.  Even if you consider yourself a master communicator, you can always pick up a tip or trick and at this price can you afford not to go?  The normal seminar will probably be quite a bit more expensive and probably won’t include BBQ and a pool party. 

Check out Michael’s site for a description of the seminar and a link on where you can register.  Please spread the word too.   It is always important to support those in our community that are working to make our jobs easier and Michael is definately one of those.

Tags: communication, corporate culture, Free BBQ, Michael Santarcangelo, perception, Prioritization, risk management, security awareness, Trust, value of security