Sunday, October 30, 2016

2016 Controls Map - Indexed to NIST - Free Gift

Delivered to you with pleasure and as a courtesy of one of the best managers I have had. Jerry Breaud trusted me to run with my gut instinct and allowed me to work on a personal project designed from its initial conception to give as much to the community as it does to our company.

Thank you to VMware and Intel, both of whom supported this effort and allowed me to create, validate, and openly give this information back to the community so that others can benefit from this work product.

Download! 
You can find the mapping under the documents tab. Direct link here.

Look for 2016 Controls Map New_River_v5 CG (012).xlsm. Please note this is a macro-enabled spreadsheet. View the macro using [ALT]-[F11].

Quick Summary
The purpose of the build kit is to create a blueprint for a repeatable solution that is capable of meeting multiple compliance requirements. The objective is to build the solution properly the 1st time, and have the solution meet the technical control requirements for multiple regulations, standards, and best practices. While we have appreciation and understanding for administrative and physical controls, our focus is understandably on the technical configuration and setup of these complex virtual systems.

Challenge
We continue to see large multinational organizations struggling with the complexity of multiple regulations and required combined control frameworks. We have spoken with senior security and compliance executives from financials, defense, and many other entities with sensitive data. This is a serious and daunting problem – and we have good news.

Opportunity
The opportunity is to create a sustainable common controls baseline that addresses multiple regulations and standards. It's as simple as that. The result quickly gets organizations to a lowest-common-denominator set of technical configurations that collectively form a technical build gold configuration: a baseline set of configurations, aligned with NIST controls, with a target of 90+% compliance with a majority of authoritative sources out of the box.

Execution
Someone recently looked at the body of work and made the assumption we simply borrowed from existing mappings. We looked. And were not satisfied with the accuracy and usefulness of the common existing mappings out there. This was several months of heads-down effort reviewing every single control and then getting two different third party audit firms to supplement the effort.
  • Review and complete where necessary control mappings from common regulations, standards, and best practices into NIST.
  • Identify any control gaps and create an effective control overlay. 
  • Independently validate results by at least 2 different consulting companies formally, and informally with a number of peers.

Deliverable
The incredible work NIST has done with bodies of work like NIST SP800-160 Systems Security Engineering Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems by Dr. Ron Ross, Michael McEvilley, and Janet Carrier Oren greatly inspired our team. We borrowed generously from these materials.
  • Recommended common control alignment map to NIST with additional control overlays addressing multiple regulations and standards. 
  • Recommended product configurations, security solutions, and specific design requirements to create repeatable, compliant, secure systems.

But I didn't think PCI mapped directly into SP800-53?
It doesn't. Please allow me to introduce the concept of overlays in case you haven't run across them before. Taken from the summary document...

[...] To help ensure that selected and implemented controls are sufficient to adequately mitigate risks to organizational operations and assets, SP 800-53 Rev. 4 introduces the concept of overlays. An overlay provides a set of security controls, control enhancements, and supplemental guidance for community-wide use or to address specialized requirements, technologies, or unique missions and environments of operation. For example, the federal government may decide to establish a government-wide set of security controls and implementation guidance for public key infrastructure (PKI) systems that could be uniformly applied to information. [...]

Tuesday, October 4, 2016

Microsoft Throws Down!

First, I read this... https://techcrunch.com/2016/10/03/microsoft-expands-azure-datacenters-to-france-looks-to-beat-aws-on-image-of-trust/. Then I reviewed the Trust Center *once again*... to see if there have been any changes in the last couple weeks.

For those that are unaware of the great strides Microsoft has made in the world of audit attestation, pay close attention to the additions and greatly enhanced Microsoft Trust Center. You can search services, location, and/or industry for compliance adherence.

I know several people over at Microsoft, and it is with sincere pleasure that I'm excited about the way that Microsoft is executing on using trust as a competitive differentiator. My hat is off. Excellent work. The cloud competitive market has no option but to respond. The speed with which Microsoft has built parity with Amazon's compliance technical marketing should be noticed.

Microsoft is serious about compliance and fully intends to capitalize on the investment that went into appealing to a broad market shaken by shifting regulatory requirements and frequent security breaches. What they have done isn't cheap. Or easy. But it will surely pay off.

Monday, May 23, 2016

PCI DSS v3.2 Spreadsheet Format

PCI DSS v3.2 Spreadsheet loaded here: https://sites.google.com/site/cloudauditcontrols.

May not be used for commercial purposes.

Monday, May 2, 2016

NIST to PCI DSS 3.1 Raw Map

Raw map. Details will be provided later. We feel this draft was very close. It's currently undergoing review by another external QSA and we have found just a few things to update. 

CONTROL  CONTROL NAME  PCI DSS MAP
AC-01 Access Control Policy And Procedures 1.1, 7.1, 7.1.4, 7.3, 8.4, 8.8, 12.1, 12.1.1, 12.3, 12.4, 12.5.1, 12.5.5
AC-02 Account Management 1.1.5, 2.1, 6.3.1, 6.4.4, 7.1, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.2, 7.2.1, 7.2.2, 7.2.3, 8.1.3, 8.7, 8.1.4, 10.2, 10.2.5, 8.1.8, 8.5, 8.5.1, 8.6, 8.1.5, 10.6, 10.6.1
AC-03 Access Enforcement 7.1, 7.1.2, 7.2, 7.2.1, 7.2.2, 7.2.3, 8.1.5, 8.3, 10.4.2, 1.1.5
AC-04 Information Flow Enforcement 1.1.3, 1.1.4, 1.2, 1.2.1, 1.2.2, 1.2.3, 1.3, 1.3.1, 1.3.2, 1.3.3, 1.3.4, 1.3.5, 1.3.6, 1.3.7, 1.3.8
AC-05 Separation Of Duties 6.4.2
AC-06 Least Privilege 1.1.5, 7.1, 7.1.2, 7.1.4, 10.4.2, 7.1.1, 7.1.3, 10.2.2, 10.2.5
AC-07 Unsuccessful Login Attempts 8.1.6, 8.1.7
AC-11 Session Lock 8.1.8, 12.3.8
AC-12 Session Termination 8.1.8, 6.5.10, 12.3.8
AC-17 Remote Access 8.1.5, 12.3.8, 12.3.9, 12.3.10, 12.5.5, 2.3, 7.1, 7.1.1, 7.1.2, 7.1.3, 12.3
AC-18 Wireless Access 1.1.2, 2.1.1, 4.1.1, 12.3
AC-19 Access Control For Mobile Devices 4.2, 12.3, 12.3.1, 12.3.2, 12.3.3, 12.3.4, 12.3.5, 12.3.6, 12.3.7
AC-20 Use Of External Information  Systems 7.1.4, 12.8.2, 12.3, 4.2
AC-25 Reference Monitor 6.5.8
AT-01 Security Awareness And Training Policy And Procedures 12.1, 12.1.1, 12.3, 12.4, 12.5.1, 12.6
AT-02 Security Awareness Training 12.6.1
AT-03 Role-Based Security Training 12.6.1, 6.5, 9.9.3, 9.10
AT-04 Security Training Records 12.6.2
AU-01 Audit And Accountability Policy And Procedures 10.8, 12.1, 12.1.1, 12.3, 12.4, 12.5.1
AU-02 Audit Events 10.2, 10.2.1, 10.2.2, 10.2.3, 10.2.4, 10.2.5, 10.2.6, 10.2.7, A-1.3
AU-03 Content Of Audit Records 10.1, 10.3, 10.3.1, 10.3.2, 10.3.3, 10.3.4, 10.3.5, 10.3.6, A-1.3
AU-04 Audit Storage Capacity 10.7, 10.5.4
AU-05 Response To Audit Processing Failures DE-3.1, DE-3.3, DE-5.1
AU-06 Audit Review, Analysis, And Reporting 10.6.3, 12.10.1, 12.10.5, A-1.3, 10.6, 10.6.1, 10.6.2, 10.5.1, 10.5.2
AU-07 Audit Reduction And Report Generation 10.6
AU-08 Time Stamps 10.3.3, 10.4, 10.4.1, 10.4.3
AU-09 Protection Of Audit Information 10.5, 10.5.1, 10.5.2, 10.5.3
AU-11 Audit Record Retention 5.2, 10.7
AU-12 Audit Generation 10.2, 10.2.1, 10.2.2, 10.2.3, 10.2.4, 10.2.5, 10.2.6, 10.2.7, 10.1, 10.3, 10.3.6, 10.5.1
CA-01 Security Assessment And Authorization Policy And Procedures 11.6, 12.1, 12.1.1, 12.2, 12.3, 12.4, 12.5.1
CA-02 Security Assessments 6.3, 11.1, 11.2, 11.2.1, 11.2.2, 11.2.3, 11.3, 11.3.1, 11.3.2, 11.3.3, 11.3.4, 12.2
CA-03 System Interconnections A-1.2, DE-2.2, DE-3.3, 1.2.1
CA-05 Plan Of Action And Milestones 6.2, 11.2, 11.3, DE-1.1, DE-3.2
CA-06 Security Authorization 6.4.5.2, 7.1.4, 12.3.1, 1.3.8, 3.5.1, 3.5.3, 6.4.5, 7.1
CA-07 Continuous Monitoring 11.2, 11.3, DE-1.2, DE-1.3, DE-3.3, 11.2.1, 11.2.2, 11.2.3, 11.3.1, 11.3.2, 11.3.3, 11.3.4
CA-08 Penetration Testing 11.3, 11.3.1, 11.3.2, 11.3.3, 11.3.4
CA-09 Internal System Connections 1.1, 1.1.1, 1.1.2, 1.1.3, 1.1.6
CM-01 Configuration Management Policy And Procedures 1.1, 2.5, 6.7, 12.1, 12.1.1, 12.3, 12.4, 12.5.1
CM-02 Baseline Configuration 1.1.2, 1.2.2, 2.2, 2.2.4, 1.1.7, 6.4.5.4
CM-03 Configuration Change Control 1.1.1, 6.4, 6.4.5, 6.4.5.2
CM-04 Security Impact Analysis 6.4.5, 6.4.5.1, 6.4.5.3, 6.6, DE-2.1, DE-2.2, DE-2.2.1, DE-2.3, DE-2.4, DE-2.5, DE-3.3, 6.4, 6.4.1
CM-05 Access Restrictions For Change 6.4.2, 7.1.2
CM-06 Configuration Settings 2.2, 2.2.3, 2.2.4, 8.7
CM-07 Least Functionality 2.2.1, 2.2.2, 2.2.5, 6.6, 1.1.6
CM-08 Information System Component Inventory 2.4, 9.9.1, 11.1.1
CM-09 Configuration Management Plan 2.2
CP-01 Contingency Planning Policy And Procedures 12.10.1, 12.10.6
CP-02 Contingency Plan 12.10.1, 12.10.3, 12.10.6, 12.3.3
CP-03 Contingency Training 12.10.4
CP-04 Contingency Plan Testing 12.10.4
CP-09 Information System Backup 9.5.1, 12.10.1
CP-10 Information System Recovery And Reconstitution 6.4.5.4
IA-01 Identification And Authentication Policy And Procedures 8.1, 8.2, 8.8, 12.1, 12.1.1, 12.3, 12.4, 12.5.1, 12.5.4
IA-02 Identification And Authentication (Organizational Users) 8.1.1, 8.2, 8.3
IA-03 Device Identification And Authentication 9.1.2
IA-04 Identifier Management 8.1.1, 8.1.2, 12.5.4, 7.1.4, 12.3.10, 8.5.1
IA-05 Authenticator Management 2.1, 2.1.1, 2.2, 6.4.4, 8.2.1, 8.2.2, 8.4, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 4.1, 6.3.1
IA-06 Authenticator Feedback 6.5.5
IA-08 Identification And Authentication (Non-Organizational Users) 8.5.1
IR-01 Incident Response Policy And Procedures 12.1, 12.1.1, 12.3, 12.4, 12.5.1, 12.5.3
IR-02 Incident Response Training 12.10.4
IR-03 Incident Response Testing 12.10.2
IR-04 Incident Handling 11.1.2, 12.10.4, 12.10.6
IR-05 Incident Monitoring 12.10.6
IR-06 Incident Reporting 12.10.1
IR-07 Incident Response Assistance 12.5.3
IR-08 Incident Response Plan 12.10, 12.10.1, 12.10.3, A-1.4
MA-01 System Maintenance Policy And Procedures 12.1, 12.1.1, 12.3, 12.4, 12.5.1
MA-02 Controlled Maintenance 1.1.1, 6.5.4, 6.4.5.1, 6.4.5.2, 6.4.5.3, 6.4.5.4, DE-2.2.1, DE-3.3
MA-04 Nonlocal Maintenance 8.1.5, 8.3, 8.5.1, 12.3.8, 12.3.9
MA-05 Maintenance Personnel 12.8.3
MP-01 Media Protection Policy And Procedures 9.6, 12.1, 12.1.1, 12.3, 12.4, 12.5.1
MP-02 Media Access 9.7
MP-03 Media Marking 9.6.1
MP-04 Media Storage 9.5, 9.6.3, 9.7, 9.7.1
MP-05 Media Transport 9.6.2
MP-06 Media Sanitization 9.8, 9.8.1, 9.8.2
MP-07 Media Use 12.3, 12.3.5
PC-01 Limit Cardholder Data Storage 3.1
PC-02 Sensitive Authentication Data 3.2, 3.2.1, 3.2.2, 3.2.3
PC-03 Displayed Primary Account Number 3.3
PC-04 Stored Primary Account Number 3.4, 3.4.1
PC-05 Cryptographic Key Protection 3.5, 3.5.1, 3.5.2, 3.5.3
PC-06 Cryptographic Key Management Processes 3.6, 3.6.1, 3.6.2, 3.6.3, 3.6.4, 3.6.5, 3.6.6, 3.6.7, 3.6.8
PC-07 Stored Cardholder Data Protection Policies 3.7
PC-08 Remove Common Coding Vulnerabilities 6.5, 6.5.1, 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.5.10
PE-01 Physical And Environmental Protection Policy And Procedures 9.10, 12.1, 12.1.1, 12.3, 12.4, 12.5.1
PE-02 Physical Access Authorizations 9.2, 9.3, 9.4, 9.4.1, 9.4.2, 9.4.3
PE-03 Physical Access Control 9.1, 9.1.1, 9.1.2, 9.1.3, 9.2, 9.9, 9.9.2
PE-04 Access Control For Transmission Medium 9.1.2, 9.1.3
PE-05 Access Control For Output Devices 12.3, 9.5, 12.3.3, 12.3.4
PE-06 Monitoring Physical Access 9.1.1
PE-08 Visitor Access Records 9.4.4
PL-01 Security Planning Policy And Procedures 12.1, 12.1.1, 12.3, 12.4, 12.5.1
PM-01 Information Security Program Plan 12.1, 12.1.1, 12.5
PM-02 Senior Information Security Officer 12.5
PM-04 Plan Of Action And Milestones Process DE-3.2
PM-05 Information System Inventory 2.4, 9.9.1, 11.1.1
PM-08 Critical Infrastructure Plan 12.2, 12.3
PM-09 Risk Management Strategy 12.2
PM-10 Security Authorization Process 12.3.1
PM-11 Mission/Business Process Definition 12.2
PM-13 Information Security Workforce DE-1.3, DE-3.3
PM-14 Testing, Training, And Monitoring 12.10.4
PM-15 Contacts With Security Groups And Associations 12.5.2, 6.1
PS-01 Personnel Security Policy And Procedures 12.1, 12.1.1, 12.3, 12.4, 12.5.1
PS-02 Position Risk Designation 7.1
PS-03 Personnel Screening 12.7
PS-04 Personnel Termination 9.3
PS-06 Access Agreements 12.3.5
RA-01 Risk Assessment Policy And Procedures 6.1, 6.3.2, 6.5.6, 6.6, 11.2, 11.2.1, 11.2.2, 11.2.3, 11.3, 11.3.1, 11.3.2, 11.3.3, 11.3.4, 11.6, 12.1, 12.1.1, 12.2, 12.3, 12.4, 12.5.1
RA-02 Security Categorization 3.1, DE-2.5, DE-2.5.1
RA-03 Risk Assessment 6.1, 6.3.2, 6.5.6, 6.6, 11.2, 11.2.1, 11.2.2, 11.2.3, 11.3, 11.3.1, 11.3.2, 11.3.3, 11.3.4, 12.2, DE-2.2
RA-05 Vulnerability Scanning 6.3.2, 11.2, 11.2.1, 11.2.2, 11.2.3
SA-01 System And Services Acquisition Policy And Procedures 12.1, 12.1.1, 12.3, 12.4, 12.5.1
SA-04 Acquisition Process 6.3
SA-09 External Information System Services 2.6, 8.5.1, 12.8, 12.8.2, 12.8.5, A-1, A-1.2, 12.8.3, 12.8.4, 12.8.1, 12.9
SA-10 Developer Configuration Management 6.3.2, 6.4, 6.4.5, 6.4.5.1, 6.4.5.2, 6.4.5.3, 6.4.5.4
SA-11 Developer Security Testing And Evaluation 6.3, 6.3.2, 6.5.3
SA-15 Development Process, Standards, And Tools 6.4.3
SA-18 Tamper Resistance And Detection 9.9, 9.9.2
SC-01 System And Communications Protection Policy And Procedures 1.5, 3.7, 4.3, 12.1, 12.1.1, 12.3, 12.4, 12.5.1
SC-02 Application Partitioning 8.7
SC-07 Boundary Protection 1.1.4, 1.2.3, 1.3.4, 6.6, 1.2, 1.1.2, 1.2.1, 1.3.1, 1.3.2, 1.3.3, 1.4, A-1.1
SC-08 Transmission Confidentiality And Integrity 4.1, 4.1.1, 6.5.4
SC-10 Network Disconnect 8.1.8, 12.3.8
SC-12 Cryptographic Key Establishment And Management 3.5, 3.5.1, 3.5.2, 3.5.3, 3.6, 3.6.1, 3.6.2, 3.6.3, 3.6.4, 3.6.5, 3.6.6, 3.6.7, 3.6.8
SC-13 Cryptographic Protection 3.5, 3.6, 4.1, 4.2, 4.3
SC-28 Protection Of Information At Rest 3.4, 3.7, 6.5.3
SC-39 Process Isolation A-1.1
SC-43 Usage Restrictions 12.3, 12.3.1, 12.3.2, 12.3.3, 12.3.4, 12.3.5, 12.3.6, 12.3.7
SI-01 System And Information Integrity Policy And Procedures 5.4, 12.1, 12.1.1, 12.3, 12.4, 12.5.1
SI-02 Flaw Remediation 6.1, 6.2, 6.5.6, 11.2, 11.2.1, 11.2.2, 11.2.3, 11.3.3
SI-03 Malicious Code Protection 5.1, 5.1.1, 5.1.2, 5.2, 5.3, 6.6, 11.4, DE-5.1
SI-04 Information System Monitoring 6.6, 11.4, DE-5.1, 5.2, 12.10.5, 11.1, 10.6, 10.6.1, 10.6.2
SI-05 Security Alerts, Advisories, And Directives 12.5.2
SI-07 Software, Firmware, And Information Integrity 10.5.5, 11.5, 11.5.1, 10.5, 12.10.5
SI-10 Information Input Validation 6.5.1, 6.5.2, 6.5.7, 6.5.9
SI-11 Error Handling 6.5.5
SI-12 Information Handling And Retention 3.1
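Two things an assessor usually wants from a flat map like the one above are the reverse direction (which NIST controls cite a given PCI requirement) and a hit rate (which PCI requirements are cited most often, which is where a single configuration fix pays off across the most controls). The Python below is an added example, not code from this blog or its spreadsheets; it parses a constructed sample of eight rows copied from the raw map above (including the header line and one row with unspaced commas), builds the reverse map, and ranks requirements by citation count. Treating the A- and DE- prefixes as Appendix A and Designated Entities Supplemental Validation references is an assumption made for the sort order.

```python
import re
from collections import defaultdict

# Constructed sample: a handful of rows copied from the raw map above, plus the
# header line, in the same whitespace/comma-separated form the post uses.
RAW_MAP = """\
CONTROLS CONTROL NAME        PCI DSS-MAP
AC-01 Access Control Policy And Procedures 1.1, 7.1, 7.1.4, 7.3, 8.4, 8.8, 12.1, 12.1.1, 12.3, 12.4, 12.5.1, 12.5.5
AC-05 Separation Of Duties 6.4.2
AC-06 Least Privilege 1.1.5, 7.1, 7.1.2, 7.1.4, 10.4.2, 7.1.1, 7.1.3, 10.2.2, 10.2.5
AU-05 Response To Audit Processing Failures DE-3.1, DE-3.3, DE-5.1
CA-03 System Interconnections A-1.2, DE-2.2, DE-3.3, 1.2.1
CM-05 Access Restrictions For Change 6.4.2, 7.1.2
PC-02 Sensitive Authentication Data 3.2,3.2.1,3.2.2,3.2.3
PS-02 Position Risk Designation 7.1
"""

# A PCI reference is a dotted number, optionally prefixed "A-" or "DE-".
# Assumption: A- is Appendix A and DE- is the Designated Entities supplemental
# validation; that only affects how prefixed references are ordered.
REQ = r"(?:A-|DE-)?\d+(?:\.\d+)*"
ROW = re.compile(
    rf"^(?P<id>[A-Z]{{2}}-\d{{2}})\s+(?P<name>.*?)\s+(?P<map>{REQ}(?:\s*,\s*{REQ})*)\s*$"
)


def parse_map(text):
    """Return (rows, skipped): rows are (control_id, name, [pci refs]) in file
    order with duplicate refs dropped; skipped holds lines that did not parse,
    so a malformed row is surfaced instead of silently vanishing from the map."""
    rows, skipped = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ROW.match(line)
        if not m:
            skipped.append(line)
            continue
        refs, seen = [], set()
        for token in re.split(r"\s*,\s*", m.group("map")):
            if token not in seen:
                seen.add(token)
                refs.append(token)
        rows.append((m.group("id"), m.group("name"), refs))
    return rows, skipped


def req_key(ref):
    """Sort key so 1.1.10 follows 1.1.9 and prefixed refs sort after plain ones."""
    prefix, _, number = ref.rpartition("-")
    rank = {"": 0, "A": 1, "DE": 2}[prefix]
    return (rank, tuple(int(p) for p in number.split(".")))


def reverse_map(rows):
    """PCI requirement -> sorted NIST controls citing it (the reverse direction)."""
    rev = defaultdict(set)
    for control_id, _, refs in rows:
        for ref in refs:
            rev[ref].add(control_id)
    return {ref: sorted(ids)
            for ref, ids in sorted(rev.items(), key=lambda kv: req_key(kv[0]))}


def hit_rates(rows):
    """(PCI requirement, number of NIST controls citing it), highest first,
    ties broken by requirement number."""
    rev = reverse_map(rows)
    return sorted(((ref, len(ids)) for ref, ids in rev.items()),
                  key=lambda item: (-item[1], req_key(item[0])))


if __name__ == "__main__":
    rows, skipped = parse_map(RAW_MAP)
    rev = reverse_map(rows)
    print(f"parsed {len(rows)} controls, skipped {len(skipped)} line(s)")
    for ref, count in hit_rates(rows)[:5]:
        print(f"{ref:8} cited by {count} control(s): {', '.join(rev[ref])}")
```

Run against the full map, the same functions flag any row that fails to parse (the `skipped` list) and rank the requirements; on the sample, requirement 7.1 is cited by three controls and is therefore the first place to look when a single configuration change has to satisfy several NIST controls at once.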

Wednesday, April 20, 2016

Quick and Dirty Cloud Assessment

Some of you guys have insane resources, capital, people, that you can throw at the problem until it's solved.

Unfortunately, that's not all of you. Or maybe it IS you, but you're not going to spend any more time than necessary to make sure that you have the basics covered.

Here's the short list.

1. Review the following list of security solutions and make sure that you have answers for each one of the security solutions/products that apply to you.

http://www.cloudauditcontrols.com/p/requirements-checklist.html

2. Find the hardening guide for each one of the products that you have installed and make sure you focus on reducing the attack surface and exploitability of the systems by implementing moderate to complete hardening on the systems.

3. Ensure that you have basic segmentation implemented to protect multitier applications.

4. Implement traffic filtering for external-facing applications. I'm a big fan of these guys. No affiliation whatsoever. Look at some of the other offerings that they have as well.

https://www.incapsula.com/website-security/

If you want one of the best peer-reviewed security standards that I believe is actionable and reasonable to implement, consider PCI DSS. There is some overlap between some of the requirements. It still requires a moderate amount of interpretation. I've done a tremendous amount of work in and around the standard, and I'm not speaking flippantly or borrowing from someone else's opinion when I state these things.

Here's a short blog post that contains distilled requirements that I consider must-haves:

http://www.cloudauditcontrols.com/2012/03/practices-for-protecting-management.html

5. Final additional considerations not required specifically by most regulations and standards. [a] Consider Network Behavior Anomaly Detection such as FireEye. [b] Consider whitelisting, sandboxing, persistence, and other measures to limit attack surface, attack vectors, escalations, and attack persistence.

This is typically when I tell organizations that are uncomfortable making product decisions to engage a reputable security-focused reseller. Of course I have my favorites for different situations. But I don't know your environment. My brother founded and runs https://www.criticalstart.com. I've used some of his guys in the past for different assessments. Good work. Another couple that I like are https://www.redlegg.com and https://depthsecurity.com. Both founded by stand-up guys that care about the customer and care about getting it right.

Tuesday, April 5, 2016

CVE Analysis Spreadsheet - 2015 through 2016 Q1

Here's a dump of the CVEs from January 2015 through March 2016 with a quick search feature. Simply input a minimum CVSS score and any search terms under description, vendor, or product, and it immediately counts the combined matches. For example, the number of vulnerabilities from Microsoft with a CVSS score greater than 4 is 628. Apple has 613.

Simply navigate to the documents tab and look for CVE Analysis spreadsheet.

Wednesday, March 9, 2016

Controls Spreadsheet NEI 08-09 [Rev. 6] Cyber Security Plan for Nuclear Power Reactors

Controls spreadsheet under Documents tab. Look for NEI08-09r6.ver ... .xlsx under Authorities.

Friday, February 19, 2016

NIST Cyber Security Framework (CSF) Excel Spreadsheet

NIST Cybersecurity Framework Excel Spreadsheet

Go to the documents tab and look under authorities folder. Contains properly split-out table, database import sheet, search, and blind reverse map to 800-53r4.

Document: NIST Cybersecurity Framework.ver.xx
Documents Site: https://sites.google.com/site/cloudauditcontrols 

Wednesday, February 17, 2016

Excel Spreadsheet: HHS-ONC Security Risk Assessment Tool & HIPAA Security Rule Toolkit

Posting Excel spreadsheets of the Office of the National Coordinator for Health Information Technology (ONC) Security Risk Assessment (SRA) Tool (https://www.healthit.gov/providers-professionals/security-risk-assessment-tool) and the NIST-provided HIPAA Security Rule Toolkit (http://scap.nist.gov/hipaa/).

You can download Controls_HIPAA.ver.01c.xlsx under the Documents tab which takes you here: https://sites.google.com/site/cloudauditcontrols/.

Friday, February 5, 2016

Why you need to read the Summary of NIST SP 800-53 Revision 4

This is the most concise list of answers I've seen to the most commonly asked questions and misconceptions my customers, peers, and students have about NIST SP800-53r4.

http://csrc.nist.gov/publications/nistpubs/800-53-rev4/sp800-53r4_summary.pdf

Just read the table of contents for a readout on those topics... It will look as if someone is reading my email! Nice work Kelley, Greg, and Doug.

Summary of NIST SP 800-53 Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations
Kelley Dempsey, Computer Security Division, Information Technology Laboratory
Greg Witte and Doug Rike, G2, Inc., Annapolis Junction, MD
February 19, 2014
Table of Contents

1 Introduction
2 NIST SP 800-53 Revision 4 and the Risk Management Framework (RMF)
3 Control Baselines and Tailoring
4 Documenting the Control Selection Process
5 Assurance
6 Security Controls
7 International Information Security Standards
8 Overlays
9 Privacy

Here's how I loosely explain it.
  • [Introduction] 800-53 was put in place to define controls for federal systems. Controls keep bad things from happening.
  • [RMF] This assumes the use of the Risk Management Framework. You cannot get away from this. Learn and use it. Repeatedly.
  • [Baselines and Tailoring] The baselines are not meant to be blindly applied. They must be tailored for your situation.
  • [Documentation] Document everything.
  • [Assurance] Systems assurance helps you sleep at night.
  • [Controls] Security controls enable you to protect your systems from bad stuff.
  • [International] Yes!! There is a tremendous amount of overlap between these recommendations and international ISO-IEC recommendations. Look at how they line up! Perfectly? No. But wave your hands and explain it away. Don't do that... that's a joke. Seriously. Don't do that.
  • [Overlays] NIST understands they don't cover every situation and expect you to document additional protections they don't cover. Call these overlays.
  • [Privacy] Here's an example overlay.
On my wish list is a NIST for Dummies explained using Legos...

Wednesday, February 3, 2016

DRAFT Automation Support for Security Control Assessments

Here is a draft release that came out tonight for public review. This is solid. Well-thought out. Really looking forward to where this goes, and I'm going to be following this closely.


**NIST IR 8011: DRAFT Automation Support for Security Control Assessments**
http://csrc.nist.gov/publications/drafts/nistir-8011/nistir_8011_ipd-draft_vol1_overview.pdf

[From Executive Summary]
Evolving threats create a challenge for organizations that design, implement, and operate complex information systems containing many moving parts. The ability to assess all implemented information security controls as frequently as needed using manual procedural methods has become impractical and unrealistic for most organizations due to the sheer size, complexity, and scope of their information technology footprint. Additionally, the rapid deployment of new technologies such as mobile, cloud, and social media brings with it new risks that make ongoing manual procedural assessments of all controls impossible for the vast majority of organizations. Today there is broad agreement in the information security community that once an information system is in production, automation of security control assessments is needed to support and facilitate near real-time information security continuous monitoring (ISCM).

[From Introduction]
Automated assessments have the potential to provide more timely data about security control defects (i.e., the absence or failure of a control), better enabling organizations to respond before vulnerabilities are exploited. Additionally, automated security control assessment has the potential to be less expensive and less human resource-intensive than manual procedural testing. Any realized savings could free up resources to be used on other activities, for example, investing in additional safeguards or countermeasures or responding to security defects and incidents in a more timely manner.

[Planned Volumes]
Volume 1 Automation Support for Security Control Assessments
Volume 2 Hardware Asset Management (HWAM)
Volume 3 Software Asset Management (SWAM)
Volume 4 Configuration Settings Management
Volume 5 Vulnerability Management
Volume 6 Boundary Management (Physical, Filters, and Other Boundaries)
Volume 7 Trust Management
Volume 8 Security-Related Behavior Management
Volume 9 Credentials and Authentication Management
Volume 10 Privilege and Account Management
Volume 11 Event (Incident and Contingency) Preparation Management
Volume 12 Anomalous Event Detection Management
Volume 13 Anomalous Event Response and Recovery Management

Tuesday, February 2, 2016

SP 800-53A Revision 4 controls, objectives, CNSS 1253 Excel Spreadsheet

Here's a cleaned up and combined Excel spreadsheet version of Special Publication 800-53A r4 containing controls, objectives, and CNSS 1253 parameter values.

https://sites.google.com/site/cloudauditcontrols/

File: Controls_800_53r4_ver02e.xlsx
Direct: https://sites.google.com/site/cloudauditcontrols/home/Controls_800_53r4_ver02e.xlsx?

There are 3 spreadsheet tabs. The 1st one is organized by control enhancements, and the 2nd one is organized by controls. As a bonus, there is a simple search sheet in there. You can delete the table contents and paste any table contents and it will still work. Simply change the terms to search your spreadsheet.

XML download at NVD contains 2 parts, one labeled controls, and the other one is objectives: https://web.nvd.nist.gov/view/800-53/home. The spreadsheet available under downloads contains the information from both.

The original document can of course be found here: http://csrc.nist.gov/publications/PubsSPs.html.

PCI DSSv3.1 Controls, Guidance, Testing Procedures – Excel Spreadsheet

Go to the documents tab and you can download the spreadsheet containing the PCI DSS version 3.1 control requirements, guidance, and testing procedures.

Includes Appendix A: Additional PCI DSS Requirements for Shared Hosting Providers and the new PCI DSS v3.1 Designated Entities Supplemental Validation.

https://sites.google.com/site/cloudauditcontrols/

File: Controls_PCIv3_1.xlsx

Direct: https://sites.google.com/site/cloudauditcontrols/home/Controls_PCIv3_1.xlsx?

There are now 3 different tabs. The 1st tab is organized by the requirements as you see them inside of the Data Security Standard. The 2nd tab is organized by testing procedures. The 3rd tab can be used for searching. You can sort largest-smallest any of the columns to see which controls have the highest hit rate. You can then reorganize by primary key (PK). Enjoy! :-)

Sunday, January 24, 2016

Quick Fly-by of Access Control Mechanisms (Models)

I reviewed NIST Special Publication 800-162, Guide to Attribute Based Access Control (ABAC) Definition and Considerations, and created a quick illustration to show the differences between Mandatory Access Control (MAC), Discretionary Access Control (DAC), and Attribute-Based Access Control (ABAC). This is what I will use in class this week to help others navigate the differences. Enjoy!
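The illustration itself is not reproduced here. As an added example (not the post's own material, and not taken from SP 800-162), the Python below evaluates the same access request under all three models so that the differences show up as different decisions: under DAC the object's owner hands out access at their own discretion; under MAC the system assigns clearances and labels that neither owner nor user can loosen; under ABAC a policy is evaluated over subject, object, action and environment attributes and denies by default. The hospital scenario, the subjects, the labels and the policy rules are constructed for the example, and the MAC check uses the Bell-LaPadula no-read-up/no-write-down rule, which is one common MAC policy rather than the only one.

```python
from dataclasses import dataclass, field


# ---------- DAC: the object's owner decides who else gets in (owner-managed ACL) ----------
@dataclass
class DacObject:
    owner: str
    acl: dict = field(default_factory=dict)   # subject -> set of permissions


def dac_grant(obj: DacObject, granter: str, subject: str, perm: str) -> bool:
    """Only the owner may hand out access; anyone else's grant is refused."""
    if granter != obj.owner:
        return False
    obj.acl.setdefault(subject, set()).add(perm)
    return True


def dac_allows(obj: DacObject, subject: str, perm: str) -> bool:
    return subject == obj.owner or perm in obj.acl.get(subject, set())


# ---------- MAC: the system assigns labels; owners and users cannot loosen them ----------
LEVELS = {"public": 0, "confidential": 1, "secret": 2}


def mac_allows(clearance: str, label: str, perm: str) -> bool:
    """Bell-LaPadula style lattice check: no read up, no write down."""
    s, o = LEVELS[clearance], LEVELS[label]
    return (perm == "read" and s >= o) or (perm == "write" and s <= o)


# ---------- ABAC: rules over subject, object, action and environment attributes ----------
def _matches(required: dict, actual: dict) -> bool:
    return all(actual.get(k) == v for k, v in required.items())


def abac_allows(policy: list, subject: dict, obj: dict, action: str, env: dict) -> bool:
    """Permit if any rule's attribute requirements and condition hold; deny by default."""
    for rule in policy:
        if rule["action"] != action:
            continue
        if not _matches(rule.get("subject", {}), subject):
            continue
        if not _matches(rule.get("object", {}), obj):
            continue
        cond = rule.get("condition", lambda s, o, e: True)
        if cond(subject, obj, env):
            return True
    return False


# Constructed scenario (hypothetical): a patient record owned by Dr Alice. Bob is a
# nurse in the same department, Carol a nurse elsewhere, Dave a contractor.
RECORD = {"type": "patient_record", "department": "oncology", "label": "confidential"}
SUBJECTS = {
    "alice": {"role": "physician", "department": "oncology", "clearance": "secret"},
    "bob":   {"role": "nurse", "department": "oncology", "clearance": "confidential"},
    "carol": {"role": "nurse", "department": "cardiology", "clearance": "confidential"},
    "dave":  {"role": "contractor", "department": "oncology", "clearance": "public"},
}
POLICY = [
    {"action": "read", "subject": {"role": "physician"}, "object": {"type": "patient_record"}},
    {"action": "read", "subject": {"role": "nurse"}, "object": {"type": "patient_record"},
     "condition": lambda s, o, e: s["department"] == o["department"] and e["on_shift"]},
]


def decisions(subject: str, perm: str = "read", on_shift: bool = True) -> dict:
    """Evaluate one request under all three models; the differing answers are the point."""
    dac_record = DacObject(owner="alice")
    dac_grant(dac_record, "alice", "dave", "read")   # owner's discretion: the contractor gets in
    dac_grant(dac_record, "dave", "carol", "read")   # refused: Dave is not the owner
    attrs = SUBJECTS[subject]
    return {
        "DAC": dac_allows(dac_record, subject, perm),
        "MAC": mac_allows(attrs["clearance"], RECORD["label"], perm),
        "ABAC": abac_allows(POLICY, attrs, RECORD, perm, {"on_shift": on_shift}),
    }


if __name__ == "__main__":
    for who in SUBJECTS:
        print(f"{who:6} read  -> {decisions(who)}")
    print(f"alice  write -> {decisions('alice', perm='write')}")
```

Dave is the instructive case: the owner let him in (DAC says yes), but his clearance is below the record's label (MAC says no) and no ABAC rule covers contractors (ABAC says no). Alice's write is refused under MAC because a secret-cleared subject writing into a confidential object is a write-down, which is exactly the behaviour an owner-centric model would never produce.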

Thursday, January 14, 2016

Cloud Infrastructure Auditing Essentials

This was a draft post from some time ago. Interesting how little has changed.

Security models, business alignment, capacity planning, and performance management are more important than ever before in virtual environments. Smaller environments may have a few virtually hosted servers running on a single powerful physical server, whereas larger environments support hundreds or thousands of virtually hosted servers and desktops running on a complex infrastructure of clustered servers connected to a massive Storage Area Network (SAN).

The scale may change the scope or approach to the audit, but the same business requirements and controls exist. Resource management and monitoring of each of the components, separately and collectively, enable the virtual environment to function. The hypervisor has control requirements similar to those found in a server, but it also has unique requirements to ensure that the hosting environment doesn't introduce additional control weaknesses into the guest operating systems. The guest operating systems have unique control requirements because of the need to keep appropriate segregation controls in place between server processes, and to control their unique attack surface. Somewhat complicating this mix are the different conceptual approaches to creating the virtual environment.

Great! I think. Where do I start? Now I have a cloud audit!

Start with scope. Identify exactly what you want to be part of the audit. Where does the data exist? What are the boundaries? Where are the management tools for that infrastructure? What systems access that scoped boundary?

Remember the basics. They don't change; they haven't changed for decades: identity provisioning and deprovisioning, authentication mechanisms and protocols, authorization grant/scope/enforcement, data protection, malware protection, malicious-use detection/prevention, log management, change controls, backups, etc. These apply to nearly every single system, directly or indirectly, as entity-level controls. Don't forget additional administrative controls, policies, and documented procedures. Remember physical security and additional entity-level controls. Finally, think about data and system lifecycle…

But this is a… [firewall/storage system/hypervisor/… etc.]. Excellent! Now let's look at the additional configurations and controls that are unique for each technology.

Documentation is everything. There's an art to documenting audit output and artifacts. What's the use case? Who will use the information? Internal use? External customer review? For example, how much information must be documented and to what level such that the purpose of an external review is satisfied while still protecting internal trade secrets? Maybe we don't trust the external party, or the security infrastructure of the external party to keep the data we provide to them confidential. Certainly understand that there are many times where we don't have a choice in this discussion – and I've been there many times – but if you have a choice in the matter then you should execute that choice. Not everyone agrees with me on this. This is my own opinion. I'm a fan of transparency, but not transparently providing potential attackers information that can be used to harm my infrastructure.

Help with the cloud! Okay, this is more complex because some of the technologies and architectures change the game. However, from a control objective perspective, that still hasn't changed. The objective is the same. Now, whether you own the technology or execution may have changed, and that's where you need to look into what visibility you have into your provider's enforcement of the controls. You have a certain risk profile/risk threshold and you have to make the call based on the situation whether you are comfortable with what contractual obligations they have to [1] enforce specific control objectives, [2] have them reviewed by an independent third-party, and [3] report the results to you.

Wednesday, January 13, 2016

Visual Profile Idea

Looking through my resume the other day and realized just about every company, technology, project, event, etc. has some sort of logo associated with it. Thought it would be interesting to put together on a single slide as a visual profile. Quite honestly I thought at first it was a little too much, but the feedback has been really positive from sales people. Still not likely to use it in a presentation except maybe as an introduction slide in a class. Maybe someone will find the approach interesting or useful.

File: Chris Davis Visual Profile 2016.pptx

Direct: https://sites.google.com/site/cloudauditcontrols/home/Chris%20Davis%20Visual%20Profile%202016.pptx?

Manipulating Graphics

  1. Crop - Select image | format | crop
  2. Resize - Right-click | Size and position | Size | check lock aspect ratio | height = 0.5 
  3. Format painter - Select an image that has been manipulated the way you like | select format painter | click new image to apply the format

Additional Ideas

  • List of technologies
  • List of products
  • List of authoritative sources
  • List of competencies
  • List of customers
  • List of verticals



Monday, January 11, 2016

Warrior Angels Foundation – Stories of Impact

This is outside the scope of this blog, but the reality is that we want to believe in something bigger than ourselves. Maybe this isn't true for everyone, but my experience has shown that the stronger the player, the more that they want to compete for something bigger than only themselves.

I had the opportunity to meet with the Warrior Angels Foundation cofounders Adam and Andrew Marr along with their father at Cracker Barrel for breakfast. My wife and I gave what we could because we believe in their cause.

The foundation was a glimmer in their eye, just getting off the ground, not even 2 years ago. Imagine my surprise and the tears I wept reading through the struggles and triumphs of 10 Warriors who fought the odds and the circumstances of a corrupt political system that wanted to use them while they still had value and then toss them to the curb. So you believe in the Wounded Warrior Project? Right. Go research how much money they consume as an organization before they spend any money on the people the foundation was created to help. Where do you think that money goes? This isn't a conspiracy theory. This is pure fact. Do the research.

I was in the military. I've been around hard men. Trust me when I tell you, the juxtaposition jumped at me between the resolution of Andrew's heart to overcome his own obstacles, driven desire to help others, contempt for the hundreds of inept programs, and something else… Something that reminded me of my own autistic little child. Hyper-aware. As if his fight-flight sympathetic response was on full-bore and he could not turn it off. Hundreds of nights I've sat with my bewildered little girl to calm her down and give her assurance that she can slip into silence and sleep. I would find out later that MRI brain scans of PTSD victims and autistic children look remarkably the same.

Here is Andrew's email in its entirety.

///

Chris,

I am a hard man but I wept as I put this together. I wept for the lives and families saved, I wept for the lives and families we have lost, I wept for the hundreds of thousands who still need support. The unseen wounds of combat have come at a great cost. There is hope: Warrior Angels Foundation (WAF) is only getting started.

Below you will find 10 stories containing a brief background and 2 candidly answered questions.

These life-changing stories were made possible by your contributions. You can measure the value it has produced for yourself better than I could attempt to explain it. From the heart, thank you.

Please see WAF's 2015 year-end review and future objectives after these heartwarming stories.

1: I'm married with four kids and a 24-year veteran of the US Army. I spent over half my career in the Special Operations community, and deployed in support of the war on terrorism and other overseas contingencies over 8 times.

(Q) What was your quality of life like prior to starting your personalized protocols?

(A) Despicable, horrid, non-existent. I was just spinning my wheels and looking for a way out. Constantly fatigued, and lethargic, made me very depressed.

(Q) How has your quality of life improved since your personalized protocol was implemented?

(A) I feel better right now than I have in five years. I'm still going uphill, but I can see the top. I have the energy to make up for five years of physical and mental neglect. This protocol has put me in the appropriate mental state to get physical again and I am doing it! I am very grateful for the opportunity to receive this treatment. Before I knew that it existed (Joe Rogan Experience) I was literally losing all hope; nothing I had tried was pushing me ahead. What I can attest to is that there are NO silver bullets out there; however, this protocol is the closest thing to it, because of the continued personal contact with Dr Gordon and Andrew Marr. I am a work in progress, yes, PROGRESS, which is more than I had been in the past five years. If it were not for this protocol, I highly doubt I'd be here today; it has pushed me over the hump and got me going, saving my life! This is just a very small but meaningful thanks to all the supporters out there making a difference!

2: Just a regular special ops dude who now focuses on being a father.

(Q) What was your quality of life like prior to starting your personalized protocols?

(A) I didn't want to live. I was angered, depressed, and in pain. I had no quality of life.

(Q) How has your quality of life improved since your personalized protocol was implemented?

(A) I feel like me again. A person. Life is worth living. This foundation is amazing and I love that I received help and that they are helping others out there.

3: I'm 23 years old, I currently work in the Medical Marijuana Industry and compete in Brazilian Jiu Jitsu. I currently live in Orange County, CA. While in the military I was an 0311 Infantry Marine and stationed at Camp Pendleton.

(Q) What was your quality of life like prior to starting your personalized protocols?

(A) Terrible. I was constantly depressed, anxious, and had zero control over my thoughts. My mind would constantly wander and think about the craziest things that never happened. I would wake up every day with sweaty palms and had the hardest time falling asleep. Constant bouts of uncontrollable anger were the most common occurrence for myself.

(Q) How has your quality of life improved since your personalized protocol was implemented?

(A) There are no words to describe how positively my life has changed in less than a year. I have complete control of my anger now. I no longer live with anxiety or depression. I'm able to have healthy relationships & think thru situations clearly. Long story short, I'm a completely new person now. Thank you for everything. Because of this treatment I'm competing in Jiu Jitsu and operating one of the most successful MMJ deliveries in Orange County. I am forever grateful.

4: I'm a 30-year-old college student and former Army vet with 4 combat deployments. I left the Army after ten years as a SSG, I was an EOD team leader in a Special Ops unit.

(Q) What was your quality of life like prior to starting your personalized protocols?

(A) There was no quality of life before treatment, I simply no longer wanted to exist.

(Q) How has your quality of life improved since your personalized protocol was implemented?

(A) Quality of life has improved greatly, now I just struggle with regular day to day stresses. Whereas before I couldn't handle anything I was just numb to the world.

5: Served as an NCO through most of the 1980s in the 2nd Ranger Bn. and HQSTARC Texas National Guard. After 9/11 I worked in the contracting world for the Department of State and private individuals. I currently work as an Estate Manager and Designer/Project Manager. I have a fiancée and a son from a previous marriage.

(Q) What was your quality of life like prior to starting your personalized protocols?

(A) Difficult... as a highly focused and disciplined person I was forcing my mind and body to perform regardless of how I felt physically or mentally. Physically I was finding it hard to recover from exercise and seemed to be in a chronic state of fatigue. Mentally I was finding it hard to focus, multi-task and modulate my emotional response.

(Q) How has your quality of life improved since your personalized protocol was implemented?

(A) The above stated difficulties have greatly diminished or have gone completely away.

6: I was an Infantryman deployed to Afghanistan in 2009 and 2010. I am engaged and have a 1-year-old daughter and an 11-year-old stepson.

(Q) What was your quality of life like prior to starting your personalized protocols?

(A) Lack of energy and motivation. Headaches, inability to focus and concentrate. Mental fog. Loss of strength and ability to recover from workouts.

(Q) How has your quality of life improved since your personalized protocol was implemented?

(A) I feel sharper mentally. My short term memory has improved.

7: Medically retired Senior Chief (SEAL) after 15 years of service in the Navy.

(Q) What was your quality of life like prior to starting your personalized protocols?

(A) Mentally, it was actually getting much better from the BTC (treatment via the Brain Treatment Center), but physically still dragging.  Low energy, lack of motivation.

(Q) How has your quality of life improved since your personalized protocol was implemented?

(A) Biggest improvement is the overall feel of being healthy again both physically and mentally.  I am currently off all medication I was taking upon exiting the military.

8: I am a veteran, I have a family, infantry.

(Q) What was your quality of life like prior to starting your personalized protocols?

(A) Terrible

(Q) How has your quality of life improved since your personalized protocol was implemented?

(A) God bless you guys for all the help. Huge part in saving my life.

9: I served in the Marines from 1991 to 2001 as longshoreman and admin clerk.  My wife is prior Air Force and now works at the VA in Blind Rehab.  We have three kids; our oldest is in the Marines and is stationed in Okinawa.

(Q) What was your quality of life like prior to starting your personalized protocols?

(A) I was very irritable, anxious, unsocial, and I tended to internalize my anger and frustrations. The internalization was meant to protect my family from hurtful comments. I was getting intolerant of people and mistakes, which drove me farther away from interacting with anyone.

(Q) How has your quality of life improved since your personalized protocol was implemented?

(A) I'm a little more calm and resilient. While traveling to new areas, I'm significantly less anxious. I go to bed later and wake earlier ready to start my day, versus wanting to just lay in bed. I have more good days than bad days, as I don't perseverate on issues during the day. I find myself wanting to do more activities, versus just wanting to relax. I find myself wanting to listen to a variety of music, rather than just the same playlists or radio stations while working. I stopped drinking alcohol, anything with caffeine, excess sugar, and medical cannabis, to ensure the results of being on Dr. Gordon's regimen were legit. So far, so good--you need only ask my wife and kids.

10: I am a Hispanic male and I came from a single-parent household. Growing up it was just my sister and I. My mother sacrificed much of her life to ensure my sister and I never struggled, and for the most part she has succeeded. Growing up, I was an active kid, riding my bike or roller blades around the city. In high school, I wrestled all four years and played football my last three years. In the Marines, I was a machine gunner and I was in a CAAT unit (combined anti-armor team) and MAT unit (mobile assault team). I served two tours in Iraq and one domestic deployment in the states.

(Q) What was your quality of life like prior to starting your personalized protocols?

(A) Before my treatment, I was struggling to maintain focus, develop and hold new memories, and I isolated myself much from the world. My sleep quality was poor and I felt drowsy the next day. The VA had me on medication, but that did more harm than good. To help myself sleep I resorted to medical marijuana.  

(Q) How has your quality of life improved since your personalized protocol was implemented?

(A) Since my treatment, I have seen a cognitive change for the better. I am more aware of my conscious decisions and abilities. My energy level, while slowly improving, is definitely more natural rather than consumed stimulation such as coffee. While overall improvement is slow progress, I am satisfied to see and notice the improvements. Thank you for everything y’all do. I have struggled for years (since 2008/9) to get help. After years of fighting, I am happy I am receiving help, especially help away from the VA. Thank you.

REVIEW OF WAF'S 2015
In a relatively short time WAF has gone from 0 to 1, creating something where there was nothing. Our system allows us to treat Veterans anywhere taking personalized medicine to a level never before realized, separating WAF from the 40,000 plus other military/veteran support organizations (charitywatch.org).

This has allowed Dr. Gordon and WAF to converse with senior legislators, the secretary of the Veterans Administration, key agents with the Department of Defense, countless medical providers, and other military and veteran support organizations.

In WAF’s first year over $100,000 has been raised, aiding in the treatment of over 30 service members and veterans, but it's not time to celebrate. We have a combined waiting list with over 600 veterans. The VA does not offer this treatment nor will they pay for it, yet. There is still much to be done.

The Future:
We will continue to use disruptive technology and tactics to improve quality of life for Veterans with Traumatic Brain Injuries (TBI) and Post Traumatic Stress (PTS) while working to secure our endorsed evaluation and treatment process within the Department of Defense (DoD) and the Veterans Administration (VA) or until new technology dematerializes, demonetizes, and democratizes the current health care system.

To free the medically oppressed,

Because families can’t and the VA won’t.

Andrew Marr
Warrior Angels Foundation Co-Founder and CEO

PS. If this compelled you in any way please share it with those who are unaware of our efforts.

\\\

Tuesday, January 5, 2016

Security vs. Compliance

Snippet from a recent exchange where I was having fun. Content was dictated... Forgive obvious errors.

Security                                                        | Compliance
----------------------------------------------------------------|----------------------------------------------------------------
Driven by fear, pain                                            | Driven by fear, pain
Because of security operations, business management, customers  | Because of auditors/assessors, business management, customers
Because of news stories, threats, previous compromises, 60 Minutes, bogeyman, contract requirements | Because of assessments, legal requirements, contract requirements/agreements, organizational policy
Because no one wants to lose their job                          | Because of regulations and standards such as HIPAA, CJIS, FedRAMP, PCI DSS
PRIMARY OBJECTIVE: Protect Data.
WHO?: Similar stakeholders involved. They may not see it that way, but they are.
WHAT?: Same data involved. Financial information, intellectual property, credit card data, electronic patient healthcare information, plans for the Death Star version 2.0, rocket ships, music tracks for Adele’s next album.
WHEN?: All the time. Continuous compliance is the new black. Typically/traditionally an annual review, but this is changing.
WHERE?: Primary focus and scope is always where data is stored, processed, or transmitted, because these are the places to which you have direct access. Includes everything layer 2 adjacent. Location doesn't matter. Public/private – don't care. Secondary focus is always on the supporting infrastructure and the security/operations management infrastructure for the primary scope. Includes any system that directly accesses the primary scope. There are some exceptions.
WHY?: Protect Data. Same objective.
FAQ

(Q) Compliance and security are different animals with completely different objectives. How can you say that if you meet compliance objectives then you are secure?

(A) A vast majority of the regulations, standards, and best practice frameworks directly address the requirement of an active risk management program. Risk management is the identification of potential threats, prioritization, cost analysis, and threat mitigation through the use of safeguards. Another word for safeguards is controls. They are synonymous.

Therefore, you must effectively address all security risk (subjective qualitative and quantitative) before you can attest to meeting risk management control objectives for compliance.

(Q) No seriously. Compliance is not security.

(A) That's correct. Security is an outcome of compliance executed properly. Compliance is how the football team executes the offense. Security represents the offensive linebackers. The Dallas Cowboys had arguably the best offensive line in football. Unfortunately, nothing else worked. We will not discuss the outcome of the season.

(Q) But my customer asked me a question that sounded a whole lot like a security question…

(A) Perhaps it was. Or perhaps, if you dig a little bit deeper, you will find the security requirement is driven by a compliance requirement/objective.

(Q) My customer said they only care about security.

(A) Sometimes this is true. Other times, you may find that management has a different viewpoint.

Healthcare, financials, anyone dealing with money, customer information, trading/reporting publicly, global operations, public sector, critical infrastructure, high-risk operations looking for DOD equivalent, defense, federal, foreign governments, consumer transactions, B2B transactions, service providers, etc. Pretty sure that includes most of the Fortune Global 500. http://fortune.com/global500

(Q) Are you sure you know what you're talking about?

(A) <Drop the mic..>