Having said that, I do want to give credit to NIST for taking on the task of researching and creating guidance documents - notably Special Publications 800-37and 800-53. If you take a quick gander at NIST Special Publication 800-53A, Revision 1 - Guide for Assessing the Security Controls in Federal Information Systems and Organizations - you will immediately notice that the document is 399 pages long and you will cry. Good work – but one wonders who in their right minds is going to read and implement the guidance. Federal agencies of course will have to and many state agencies will as well.

In my work as a security professional, I have only used NIST guidelines for reference, to figure out how to map real security to compliance requirements, not the other way around. The only usefulness I have found is to be able to say “our organization is compliant with FISMA; we follow NIST guidelines”, etc. It looks good on paper and we can check the compliance box. But, trust me, a document means nothing if the network can be penetrated, a critical system compromised, or someone can download classified information and post it on a website somewhere or sell it.

In the world of FISMA compliance, a few things have changed recently and maybe, just maybe, there is hope. The White House has released new standards for reporting under FISMA in an effort to move away from a paper-based system to a real-time reporting system. I don’t know what will happen to the paper-pushers, but I wish the Feds would move that money into hiring real security professionals who don’t need a NIST guideline to harden a system or network.

Real security is about skills and technology with a liberal dash of common sense. I was quite amazed when I discovered that many government (federal and state) Information Security Officers were administrative personnel. That blew my mind. You mean to tell me that the person responsible for security only knows how to write reports and manage projects? Well, I guess that’s an important function. How about that person actually understanding real security so it’s impossible to blow smoke up her skirt? But, I digress…

The new FISMA requires agencies to implement real time data feeds that will be directed to the Department of Homeland Security. DHS will utilize a toy, uh tool, called CyberScope, which will correlate the data and hopefully produce the big security picture in a dashboard type of environment. I actually like this idea. It sounds like technology will be given emphasis rather than binders full of documentation.

Event correlation is not a novel idea. As a matter of fact, the technology is fairly mature at this point. It will be interesting to see how DHS handles capacity issues once agencies start sending data feeds over. It will also be interesting to see which agencies are going to be able to comply with the new requirements. The agencies that hired real security professionals and implemented security technologies are going to be well poised to comply. The agencies that focused on paper check lists and random sampling of systems will not do so well.

The right technology for the right reason can go a long way towards compliance. As an IBM Premier Business Partner, PROVISTA can help you determine what exactly you need to fill in the FISMA gaps. I’ve provided some links below to IBM’s key compliance products, but what you really ought to do is hire a real security professional and implement real security. Drop me a line.

IBM Tivoli Security Information and Event Manager

centralizes security information and event and compliance policy management providing visibility to the enterprise-wide security posture. It includes centralized log management, event correlation, a policy compliance dashboard and comprehensive reporting capabilities.

IBM Tivoli Security Policy Manager

delivers next generation, standards-based security management to help reduce complexity and cost of securing access to applications and web services in heterogeneous IT and SOA environments

IBM Tivoli® Key Lifecycle Manager

helps IT organizations better manage the encryption key lifecycle by allowing them to simplify, centralize, automate and strengthen key management processes across the computing environment.

IBM Tivoli Security Compliance Manager

protects businesses against vulnerable and out-dated software configurations by identifying security vulnerabilities and security policy violations for small, medium and large businesses.

IBM Tivoli zSecure suite

improves organizations’ ability to facilitate security compliance, monitor and audit incidents and automate routine administrative tasks for the mainframe.

IBM Rational AppScan

provides automated Web application scanning and testing for common vulnerabilities including WASC threat classification – such as SQL-injection, cross-site scripting, cross-site request forgery and buffer overflow – and intelligent fix recommendations to ease remediation.

IBM Rational Policy Tester

is a leading automated online compliance solution to assess quality, privacy, and accessibility compliance issues across corporate Web properties.

IBM Proventia Network Scanner

helps reduce network security risk by accurately identifying, prioritizing, tracking and reporting network vulnerabilities all while saving time through automated and continuous scanning.

From a security manager’s point of view, the mission is simple. It’s about preserving the Confidentiality, protecting the Integrity, and ensuring the Availability, of information assets – the CIA triad. Showing a return on investment is something of a mystery to most of us. We know what needs to be done and in what order. It becomes about convincing someone higher up the food chain that certain security initiatives are critical and must be accomplished. For the most part, we have no idea what the return on investment is and we don’t really care. Horrors! Did she say that? Yes, she did.

We care about preventing a security breach. Period.

Some people like to compare security investments to a life insurance policy. In fact, there are companies springing up to offer “breach insurance” (Midlands Management Launches Data Breach Coverage). It’s the cost of doing business, right? After presenting your security program and associated budget, end by offering the idea of insurance in lieu of protective measures. Maybe that will get their attention.

When I’m asked to build a security budget, I just curl up in a ball and whimper. It’s not a top down thing – it’s a bottom up thing. You have to understand what you are trying to protect against, assess what you have in place and the effectiveness of those controls, and budget for filling in the gaps. The only way to get to that point is to have a comprehensive security assessment done.

Security is very emotional for me – it’s a chick thing – or maybe not. Most of my friends and colleagues are of the opposite gender and they are emotional about security too. Part of that is because we know what can go wrong and we know how to fix it, and no one is listening. Oh, kind of like our government.

The truth is that security is an investment, or if you like, a cost center, but one that will pay off. It’s like planning for retirement. If you don’t do it, you might be living in your kids’ basement when you are old and gray, microwaving mac and cheese for dinner. Planning for retirement can be uncomfortable. You may not get to take the annual vacation, buy a new car, or pay for your kids’ college education. And it costs money. Real, hard earned dollars have to go into that savings plan, every single paycheck.

With security, it’s the same idea. You have to plan for the future; plan for the “what if’s”; plan for future insecurities – the unknown. There are plenty of retirement calculators to help you through the retirement planning process, but not so for security. Budgeting for security has been a problem and always will be one. The ROSI calculations are not simple. The plaguing questions are:

What should I target first?

How much money and time do I have to put into this?

How will I know when enough is enough?

How do I measure results?

As a starting point, let’s assume you have performed a comprehensive security assessment or someone has done one for you. You understand where your weakest links are. Your people have come to you with detailed recommendations for security technologies that will solve the issues. How, now, to convince the bean counters that they will see a return on investment.

I’m not sure you have to. Enough “monkeying around” with the numbers has been done by people far brighter than me, so I won’t take you there. I can refer you there if you want to go and you can spend the next 2 quarters figuring out what the ROSI might be for your budget proposal. But, trust me, the assumptions you make will determine the outcome of your numbers and from my point of view, it’s a huge waste of time. Send your assumptions over to the Congressional Budget Office and see what they come up with – they’re supposed to be independent thinkers, indifferent to political points of view, right?

You will need to come up with some numbers to back up your “what if” scenarios. Start with IBM Security Solutions X-Force® 2009 Trend and Risk Report: Annual Review of 2009. The top threat categories may fit into your plans:

· Vulnerabilities and Exploitation

· Malware and the Malicious Web

· Spam and Phishing

For example, according to the report, there has been a “massive increase in Web application vulnerabilities, so much so that these vulnerabilities make up more than half of the disclosed vulnerabilities since 2006”.

Hopefully, web application security is on your list of things to do, and this report will help you quantify the types of single loss exposure (SLE) and potential annual rate of occurrence (ARO) in order to calculate your risk exposure so that you can then derive your annual loss expectancy (ALE). From there you will have to show how the technology is going to mitigate x% of vulnerabilities and there’s more math involved, yadda, yadda, yadda. Oh, and don’t forget to include in your report that if the technology is configured properly it should work.

As you can see, I’m not a fan of ROSI calculations. I am a fan of comprehensive security assessments and a fan of hiring really good security people. One security manager I know has a really simple plan. He requires that 10% of the capital budget be devoted to security. I like it.

There’s no such thing as total security. I don’t care what you pay for it or who you hire to assess the security of your infrastructure; security is not a sure thing.

As a security professional and practitioner, I can tell you that all it takes is one mistake by one person to open a gaping hole in your defense structure. However, there are things you can do to be proactive and aid your existing staff in becoming compliant and maintaining compliance.

Automate the security assessment and compliance process with sophisticated tools. If you don’t, you will have to beef up your security staff to keep a watchful eye on every part of your infrastructure. While you can’t replace the human brain and security experience, you can help yourself by employing the right toolset.

Consider the issues:

· Email and messaging encryption

· Encryption for data at rest

· Knowledge of where all the data resides

· Segregation of duties

· Access controls

· Network segregation (isolation of PCI networks)

· Myriad firewall rules with no business justification

· Undocumented policies and procedures

· Un-patched systems

· Storing sensitive data on tape

These issues are not just an IT problem. They are a people and process problem to boot. Where to begin?

The Payment Card Industry Data Security Standard (PCI DSS) requirements, “the digital dozen”, must be met annually to maintain PCI compliance.

1. Install and maintain a firewall configuration to protect cardholder data

2. Do not use vendor-supplied defaults for system passwords and other security parameters

3. Protect stored cardholder data

4. Encrypt transmission of cardholder data sent across open, public networks

5. Use and regularly update anti-virus software

6. Develop and maintain secure systems and applications

7. Restrict access to cardholder data by business need-to-know

8. Assign a unique ID to each person with computer access

9. Restrict physical access to cardholder data

10. Track and monitor all access to network resources and cardholder data

11. Regularly test security systems and processes

12. Maintain a policy that addresses information security

You understand the issues and you understand the requirements. You have capable staff, or maybe you are under-staffed. But, in every case, the security environment is complex and essentially you can’t hire enough people to cover all the bases. You must automate what you can.

You may be thinking, “That’s going to cost the big bucks!” Yes it is. But, consider for every tool you employ, you will hire less people to ensure the security and safety of your network and data. That is, if you want to have the absolute best security possible. What’s it worth to your business?

There’s no going back. We live in a highly mobile, networked world. It is what it is.

So, you must do something to get things under control, and that something is about finding the right technologies and processes to put in place. Too bad there’s not a one-stop shop to go to. There hasn’t been until now. IBM is now the leader in Security. And trust me; they don’t pay me to say that. Let me explain.

IBM has a five-phased approach to achieving PCI compliance:

1. Assessment

2. Design

3. Deployment

4. Management and Support

5. Education

IBM offers software, hardware, managed services and professional services to meet the requirements of the PCI DSS “digital dozen”. PROVISTA, as an IBM Premier Business Partner, can offer all that IBM has to offer at a reduced cost combined with the personal and dedicated attention you need.

What we have to offer to meet the “digital dozen” requirements:

1. Firewall

• IBM Proventia Server Intrusion Prevention System (IPS)
• IBM Proventia Network IPS

2. No default passwords or security parameters

• Tivoli Access Manager
• IBM Proventia Network Multi-Function Security (MFS)

3. Protect stored cardholder data

• Tivoli Storage Manager
• Proventia Server IPS
• IBM PKI services
• Guardium database activity monitoring

4. Encrypt transmission

• IBM data encryption for IMS and DB2

5. Anti-virus software

• IBM Proventia desktop endpoint security
• IBM Proventia network enterprise scanner

6. Secure systems and applications

• IBM software development platform
• Tivoli CCMBD
• IBM Rational AppScan

7. Restrict Access

• IBM Tivoli Access Manager
• Tivoli zSecure Admin
• Tivoli Compliance Insight Manager

8. Unique IDs

• Tivoli Identity Manager
• Tivoli Federated Identity Manager

9. Restrict physical access

• IBM digital video surveillance
• IBM biometric access control

10. Monitor access

• Tivoli Compliance Insight Manager
• Tivoli Security Operations Manager
• IBM Proventia Server IPS

11. Test security systems and process

• IBM ISS products and services
• Tivoli Security Compliance Manager
• IBM Proventia Network Anomaly Detection System (ADS)

12. Security policy

• PROVISTA/IBM services
• IBM software automated compliance reporting

Even if you deployed all of the above, how can you be assured that there will actually be a return on investment? Stay tuned and email me at cjkelly@provista.com.

I, however, never use Google apps for any personal information.  I don’t want my most sensitive documents stored online for any reason.  There is always a case for that position.  With that being said, many do use the amazingly compatible and accessible Google apps for all kinds of online collaboration.  What is the risk?  Simply this – any data put online is at risk and all online applications are at risk.

Problem statement: We live in an online world, so how can we minimize risk?  Strong passwords.

How does one construct an easy to remember, yet complex password?  Try this method –

Create a passphrase – one that is particularly significant to you personally, that others will not know is significant to you.

Example:  My Bonnie Lies Over The Ocean

Concatenate the phrase.

Example: MyBonnieLiesOverTheOcean

Substitute letters with symbols and numbers.

Example:MyB0nn13L13s0v3rTh30c3@n

We have substituted the letters “o” with the numeral zero “0”, the letters “I” with the numeral “1”, the letters “e” with the numeral “3” (because a 3 is a backwards E), and the letter “a” with the “@” sign.

I know this looks rather complicated, but select a passphrase and begin interchanging the letters consistently (to make it easier to remember) with numbers and symbols.  Practice it and use it.  If you practice, you will be amazed at how quickly your fingers fly over the keyboard with regular use.

It is also important to not use the same passphrase for all your applications or logins.  And that is the usual problem for most people.  Too many passwords to remember.  But, think for a moment how you can categorize your passwords.  Think in terms of levels of data risk. 

High Risk – data you would not even want your best friend to see let alone the entire world

Medium Risk – company data that is not classified or highly sensitive, but company confidential nonetheless

Low Risk – information that might be shared anyway and of little to no value if compromised

Select your passphrase, not only in accordance with the level of risk, but also based on the location of data or the type of data.

Maybe your bonnie lies over the ocean when you are at work, but lies over the sea when you are working at home (i.e., bank accounts).  The higher the risk, the longer the passphrase should be.

Other ideas at creating passphrases:

Use the opening line of your favorite book – “Scarlet O’Hara was not beautiful.”

Example:  Sc@r13t0’H@r@w@sn0tb3@ut1fu1

Maybe something shorter, like the title of a song – Memories

Example: W3w0r13z

Notice in the above example, we flipped some letters upside-down and around, as well as the usual substitutions, where m=w and s=z.

There are many ways you can be creative in generating memorable and complex passwords.  The trick is to spend the time creating them and associating them mentally to level of risk and location (work, home, on the road) and type.

High risk data must be protected with a long passphrase.  The longer the passphrase, the more difficult to crack, hack, or guess.  Shorter passphrases may be used for less sensitive data access.  However, beware that if you are using a “single sign-on” type application that leads to various risk levels of data, selecting the long passphrase is your best bet.

How to make this terribly irritating exercise fun?  Think up the most hilarious passphrase that you can, and substitute the numbers and symbols.  You will remember it and get the giggles when you use it.

Now go and have fun.

What is a botnet?  It is a network of zombie computers, all infected with malicious code designed to attack a target.  In this case, the target was high profile government websites that include the U.S. Secret Service, the U.S. Department of Treasury, the U.S. Department of Homeland Security, the U.S. Department of State, the New York Stock Exchange, the Nasdaq, the Washington Post, the White House, the Federal Trade Commission, and the Transportation Department, as well as websites in South Korea. 

The type of attack is categorized as a distributed denial of service (DDoS).  The intent of the attack is to overwhelm resources in such a way as to make them unavailable to users of the system.  In South Korea, the situation was even more widespread as reported here. 

“The so-called distributed denial-of-service (DDoS) attacks hit 25 Internet sites, including 11 domestic ones, shutting them down for hours, KISA said.  Other government agencies attacked include the National Assembly and the Ministry of Defense, with the websites of major lenders Shinhan Bank and Korea Exchange Bank brought down by the attack as well… The cyber attacks also affected the country’s No. 1 portal Naver’s e-mail service and online auctioneer eBay’s South Korean site Auction.com, the agency said.”

If this was a nuisance and not a real threat, then what was or is the purpose?  This is a political statement most likely.  It is very difficult to track the source of these types of disruptions to any particular responsible party.  Is this cyber warfare?  No.  It reminds me of North Korea’s current efforts to frighten the world by blasting off missiles and posturing about.  Could the attacks have originated from North Korea?  Maybe… but again, hard to prove. 

The media is making a big deal out of this, but it’s the usual Internet chaos that occurs on a minute by minute basis.  The embarrassing bit about all this is that United States’ government web  sites were affected! We have technology that is available to prevent these kinds of disruptions and it’s somewhat of a disgrace that the appropriate technology has not yet been implemented.   And I leave you with that thought.