Sunday, January 24, 2016

Quick Fly-by of Access Control Mechanisms (Models)

While reviewing NIST Special Publication 800-162, Guide to Attribute Based Access Control (ABAC) Definition and Considerations, I created a quick illustration to show the differences between Mandatory Access Control (MAC), Discretionary Access Control (DAC), and Attribute-Based Access Control (ABAC). This is what I will use in class this week to help others navigate the differences. Enjoy!
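To make the same three distinctions concrete in code, here is an added example (it is not part of the original post or of NIST SP 800-162): three small policy decision functions, one per model. The sensitivity lattice, the owner/ACL object and the single ABAC rule are constructed for illustration; the point is where the authority to decide lives in each model, which is what separates them.

```python
"""Toy policy decision points for MAC, DAC and ABAC.

Added example, not from the original post or SP 800-162. The label
lattice, the DAC object and the ABAC rule are constructed for illustration.
"""
from dataclasses import dataclass, field

# --- Mandatory Access Control: system-assigned sensitivity labels ----------
# Constructed lattice of clearance/classification levels, low to high.
LEVELS = {"PUBLIC": 0, "INTERNAL": 1, "CONFIDENTIAL": 2, "SECRET": 3}


def mac_allows(subject_clearance: str, object_label: str, action: str) -> bool:
    """Bell-LaPadula style check.

    read  requires clearance >= label  ("no read up")
    write requires clearance <= label  ("no write down")
    Neither the subject nor the object's owner can override this; only the
    system's label assignment matters, which is what makes it *mandatory*.
    """
    s, o = LEVELS[subject_clearance], LEVELS[object_label]
    if action == "read":
        return s >= o
    if action == "write":
        return s <= o
    return False


# --- Discretionary Access Control: owner-managed ACLs -----------------------
@dataclass
class DacObject:
    owner: str
    acl: dict = field(default_factory=dict)  # user -> set of permitted actions

    def grant(self, granting_user: str, user: str, action: str) -> bool:
        """Only the owner may change the ACL; that owner discretion is DAC."""
        if granting_user != self.owner:
            return False
        self.acl.setdefault(user, set()).add(action)
        return True


def dac_allows(obj: DacObject, user: str, action: str) -> bool:
    """The owner always has access; everyone else needs an ACL entry."""
    return user == obj.owner or action in obj.acl.get(user, set())


# --- Attribute-Based Access Control: rules over subject, resource, environment
def abac_allows(subject: dict, resource: dict, action: str, env: dict) -> bool:
    """One constructed ABAC rule (hypothetical attributes):
    a physician on the record's care team may read or update it, but only
    from an on-site network and during working hours. No label lattice and
    no per-object ACL: the decision is computed from attributes at request time.
    """
    return (
        subject.get("role") == "physician"
        and subject.get("id") in resource.get("care_team", ())
        and action in ("read", "update")
        and env.get("network") == "onsite"
        and 7 <= env.get("hour", -1) < 19
    )


if __name__ == "__main__":
    print("MAC  SECRET reads CONFIDENTIAL:", mac_allows("SECRET", "CONFIDENTIAL", "read"))
    print("MAC  SECRET writes CONFIDENTIAL:", mac_allows("SECRET", "CONFIDENTIAL", "write"))
    doc = DacObject(owner="alice")
    doc.grant("alice", "bob", "read")
    print("DAC  bob reads alice's file:", dac_allows(doc, "bob", "read"))
    env = {"network": "onsite", "hour": 10}
    print("ABAC physician on care team, on-site, 10:00:",
          abac_allows({"role": "physician", "id": "d42"}, {"care_team": ["d42"]}, "read", env))
```

Run as a script it prints one decision per model; the useful exercise in class is to change one input at a time (the label, the ACL, the hour) and see which model's answer moves and which does not.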

Thursday, January 14, 2016

Cloud Infrastructure Auditing Essentials

This was a draft post from some time ago. Interesting how little has changed.

Security models, business alignment, capacity planning, and performance management are more important than ever before in virtual environments. Smaller environments may have a few virtually hosted servers running on a single powerful physical server, whereas larger environments support hundreds or thousands of virtually hosted servers and desktops running on a complex infrastructure of clustered servers connected to a massive Storage Area Network (SAN).

The scale may change the scope or approach to the audit, but the same business requirements and controls exist. Resource management and monitoring of each of the components, separately and collectively, enable the virtual environment to function. The hypervisor has control requirements similar to those found in a server, but it also has unique requirements to ensure that the hosted environment doesn't present additional control weaknesses to the guest operating systems. The guest operating systems have unique control requirements because of the need to keep appropriate segregation controls in place between server processes, and to control their unique attack surface. Somewhat complicating this mix are the different conceptual approaches to creating the virtual environment.

Great! I think. Where do I start? Now I have a cloud audit!

Start with scope. Identify exactly what you want to be part of the audit. Where does the data exist? What are the boundaries? Where are the management tools for that infrastructure? What systems access that scoped boundary?

Remember the basics. They don't change. They haven't changed for decades. Identity provisioning and deprovisioning, authentication mechanisms and protocols, authorization grant/scope/enforcement, data protection, malware protection, malicious use detection/prevention, log management, change controls, backups, etc. These apply to nearly every single system, directly or indirectly, as entity-level controls. Don't forget additional administrative controls, policies, and documented procedures. Remember physical security and additional entity-level controls. Finally, think about data and system lifecycle…

But this is a… [firewall/storage system/hypervisor/… etc.]. Excellent! Now let's look at the additional configurations and controls that are unique for each technology.

Documentation is everything. There's an art to documenting audit output and artifacts. What's the use case? Who will use the information? Internal use? External customer review? For example, how much information must be documented and to what level such that the purpose of an external review is satisfied while still protecting internal trade secrets? Maybe we don't trust the external party, or the security infrastructure of the external party to keep the data we provide to them confidential. Certainly understand that there are many times where we don't have a choice in this discussion – and I've been there many times – but if you have a choice in the matter then you should execute that choice. Not everyone agrees with me on this. This is my own opinion. I'm a fan of transparency, but not transparently providing potential attackers information that can be used to harm my infrastructure.

Help with the cloud! Okay, this is more complex because some of the technologies and architectures change the game. However, from a control objective perspective, that still hasn't changed. The objective is the same. Now, whether you own the technology or execution may have changed, and that's where you need to look into what visibility you have into your provider's enforcement of the controls. You have a certain risk profile/risk threshold and you have to make the call based on the situation whether you are comfortable with what contractual obligations they have to [1] enforce specific control objectives, [2] have them reviewed by an independent third-party, and [3] report the results to you.

Wednesday, January 13, 2016

Visual Profile Idea

I was looking through my resume the other day and realized that just about every company, technology, project, event, etc. has some sort of logo associated with it. I thought it would be interesting to put them together on a single slide as a visual profile. Quite honestly I thought at first it was a little too much, but the feedback has been really positive from sales people. I'm still not likely to use it in a presentation, except maybe as an introduction slide in a class. Maybe someone will find the approach interesting or useful.

File: Chris Davis Visual Profile 2016.pptx

Direct: https://sites.google.com/site/cloudauditcontrols/home/Chris%20Davis%20Visual%20Profile%202016.pptx?

Manipulating Graphics

  1. Crop - Select image | format | crop
  2. Resize - Right-click | Size and position | Size | check lock aspect ratio | height = 0.5
  3. Format painter - Select an image that has been manipulated the way you like | select format painter | click new image to apply the format

Additional Ideas

  • List of technologies
  • List of products
  • List of authoritative sources
  • List of competencies
  • List of customers
  • List of verticals

Monday, January 11, 2016

Warrior Angels Foundation – Stories of Impact

This is outside the scope of this blog, but the reality is that we want to believe in something bigger than ourselves. Maybe this isn't true for everyone, but my experience has shown that the stronger the player, the more that they want to compete for something bigger than only themselves.

I had the opportunity to meet with the Warrior Angels Foundation cofounders Adam and Andrew Marr along with their father at Cracker Barrel for breakfast. My wife and I gave what we could because we believe in their cause.

The foundation was a glimmer in their eye, just getting off the ground, not even 2 years ago. Imagine my surprise and the tears I wept reading through the struggles and triumphs of 10 Warriors who fought the odds and the circumstances of a corrupt political system that wanted to use them while they still have value and then toss them to the curb. So you believe in the Wounded Warrior Project? Right. Go research how much money they consume as an organization before they spend any money on the people the foundation was created to help. Where do you think that money goes? This isn't a conspiracy theory. This is pure fact. Do the research.

I was in the military. I've been around hard men. Trust me when I tell you, the juxtaposition jumped at me between the resolution of Andrew's heart to overcome his own obstacles, driven desire to help others, contempt for the hundreds of inept programs, and something else… Something that reminded me of my own autistic little child. Hyper-aware. As if his fight-flight sympathetic response was on full-bore and he could not turn it off. Hundreds of nights I've sat with my bewildered little girl to calm her down and give her assurance that she can slip into silence and sleep. I would find out later that MRI brain scans of PTSD victims and autistic children look remarkably the same.

Here is Andrew's email in its entirety.

///

Chris,

I am a hard man but I wept as I put this together. I wept for the lives and families saved, I wept for the lives and families we have lost, I wept for the hundreds of thousands who still need support. The unseen wounds of combat have come at a great cost. There is hope; Warrior Angels Foundation (WAF) is only getting started.

Below you will find 10 stories containing a brief background and 2 candidly answered questions.

These life-changing stories were made possible by your contributions. You can measure the value it has produced for yourself better than I could attempt to explain it. From the heart, thank you.

Please see WAF's 2015 year-end review and future objectives after these heartwarming stories.

1: I'm married with four kids, a 24-year veteran of the US Army. I spent over half my career in the Special Operations community, and deployed in support of the war on terrorism and other overseas contingencies over 8 times.

(Q) What was your quality of life like prior to starting your personalized protocols?

(A) Despicable, horrid, non-existent. I was just spinning my wheels and looking for a way out. Constantly fatigued, and lethargic, made me very depressed.

(Q) How has your quality of life improved since your personalized protocol was implemented?

(A) I feel better right now than I have in five years. I'm still going uphill, but I can see the top. I have the energy to make up for five years of physical and mental neglect. This protocol has put me in the appropriate mental state to get physical again and I am doing it! I am very grateful for the opportunity to receive this treatment. Before I knew that it existed (Joe Rogan Experience) I was literally losing all hope; nothing I had tried was pushing me ahead. What I can attest to is that there are NO silver bullets out there; however, this protocol is the closest thing to it, because of the continued personal contact with Dr Gordon and Andrew Marr. I am a work in progress, yes, PROGRESS, which is more than I had been in the past five years. If it were not for this protocol, I highly doubt I'd be here today; it has pushed me over the hump and got me going, saving my life! This is just a very small but meaningful thanks to all the supporters out there making a difference!

2: Just a regular special ops dude who now focuses on being a father.

(Q) What was your quality of life like prior to starting your personalized protocols?

(A) I didn't want to live. I was angered, depressed, and in pain. I had no quality of life.

(Q) How has your quality of life improved since your personalized protocol was implemented?

(A) I feel like me again. A person. Life is worth living. This foundation is amazing and I love that I received help and that they are helping others out there.

3: I'm 23 years old, I currently work in the Medical Marijuana Industry and compete in Brazilian Jiu Jitsu. I currently live in Orange County, CA. While in the military I was an 0311 Infantry Marine and stationed at Camp Pendleton.

(Q) What was your quality of life like prior to starting your personalized protocols?

(A) Terrible. I was constantly depressed, anxious, and had zero control over my thoughts. My mind would constantly wander and think about the craziest things that never happened. I would wake up every day with sweaty palms and had the hardest time falling asleep. Constant bouts of uncontrollable anger were the most common occurrence for myself.

(Q) How has your quality of life improved since your personalized protocol was implemented?

(A) There are no words to describe how positively my life has changed in less than a year. I have complete control of my anger now. I no longer live with anxiety or depression. I'm able to have healthy relationships & think thru situations clearly. Long story short, I'm a completely new person now. Thank you for everything. Because of this treatment I'm competing in Jiu Jitsu and operating one of the most successful MMJ deliveries in Orange County. I am forever grateful.

4: I'm a 30-year-old college student and former Army vet with 4 combat deployments. I left the Army after ten years as a SSG, I was an EOD team leader in a Special Ops unit.

(Q) What was your quality of life like prior to starting your personalized protocols?

(A) There was no quality of life before treatment, I simply no longer wanted to exist.

(Q) How has your quality of life improved since your personalized protocol was implemented?

(A) Quality of life has improved greatly, now I just struggle with regular day to day stresses. Whereas before I couldn't handle anything I was just numb to the world.

5: Served as a NCO through most of the 1980's in the 2nd Ranger Bn. and HQSTARC Texas National Guard. After 911 worked in the contracting world for the Department of State and private individuals. I currently work as an Estate Manager and Designer/Project manager. I have a fiance and son from a previous marriage.

(Q) What was your quality of life like prior to starting your personalized protocols?

(A) Difficult... as a highly focused and disciplined person I was forcing my mind and body to perform regardless of how I felt physically or mentally. Physically I was finding it hard to recover from exercise and seemed to be in a chronic state of fatigue. Mentally I was finding it hard to focus, multi-task and modulate my emotional response.

(Q) How has your quality of life improved since your personalized protocol was implemented?

(A) The above stated difficulties have greatly diminished or have gone completely away.

6: I was an Infantryman deployed to Afghanistan in 2009 and 2010. I am engaged and have a 1-year-old daughter and an 11 year old step son.

(Q) What was your quality of life like prior to starting your personalized protocols?

(A) Lack of energy and motivation. Headaches, inability to focus and concentrate. Mental fog. Loss of strength and ability to recover from workouts

(Q) How has your quality of life improved since your personalized protocol was implemented?

(A) I feel sharper mentally. My short term memory has improved.

7: Medically retired Senior Chief (SEAL) after 15 years of service in the Navy.

(Q) What was your quality of life like prior to starting your personalized protocols?

(A) Mentally, it was actually getting much better from the BTC (treatment via the Brain Treatment Center), but physically still dragging.  Low energy, lack of motivation.

(Q) How has your quality of life improved since your personalized protocol was implemented?

(A) Biggest improvement is the overall feel of being healthy again both physically and mentally.  I am currently off all medication I was taking upon exiting the military.

8: I am a veteran, I have a family, infantry.

(Q) What was your quality of life like prior to starting your personalized protocols?

(A) Terrible

(Q) How has your quality of life improved since your personalized protocol was implemented?

(A) God bless you guys for all the help. Huge part in saving my life.

9: I served in the Marines from 1991 to 2001 as longshoreman and admin clerk.  My wife is prior Air Force and now works at the VA in Blind Rehab.  We have three kids; our oldest is in the Marines and is stationed in Okinawa.

(Q) What was your quality of life like prior to starting your personalized protocols?

(A) I was very irritable, anxious, unsocial, and I tended to internalize my anger and frustrations. The internalization was meant to protect my family from hurtful comments. I was getting intolerant of people and mistakes, which drove me farther away from interacting with anyone.

(Q) How has your quality of life improved since your personalized protocol was implemented?

(A) I'm a little more calm and resilient.  While traveling to new areas, I'm significantly less anxious.  I go to bed later and wake earlier ready to start my day, versus wanting to just lay in bed.  I have more good days than bad days, as I don't perseverate on issues during the day. I find myself wanting to do more activities, versus just wanting to relax.  I find myself wanting to listen to a variety of music, rather than just the same playlists or radio stations while working.  I stopped drinking, drinking alcohol, anything with caffeine, excess sugar, and medical cannabis, to ensure the results of being on Dr. Gordon's regimen were legit.  So far, so good--you need only ask my wife and kids.

10: I am Hispanic male and I came from single parent household. Growing up it was just my sister and I. My mother sacrificed much of her life to ensure my sister and I never struggled, and for the most part she has succeeded. Growing up, I was an active kid, riding my bike or roller blades around the city. In high school, I wrestled all four years and played football my last three years. In the Marines, I was a machine gunner and I was in a CAAT unit (combined anti-armor team) and MAT unit (mobile assault team). I served two tours in Iraq and one domestic deployment in the states.

(Q) What was your quality of life like prior to starting your personalized protocols?

(A) Before my treatment, I was struggling to maintain focus, develop and hold new memories, and I isolated myself much from the world. My sleep quality was poor and I felt drowsy the next day. The VA had me on medication, but that did more harm than good. To help myself sleep I resorted to medical marijuana.  

(Q) How has your quality of life improved since your personalized protocol was implemented?

(A) Since my treatment, I have seen a cognitive change for the better. I am more aware of my conscious decisions and abilities. My energy level, while slowly improving, is definitely more natural rather than consumed stimulation such as coffee. While overall improvement is slow progress, I am satisfied to see and notice the improvements. Thank you for everything y'all do. I have struggled for years (since 2008/9) to get help. After years of fighting, I am happy I am receiving help, especially help away from the VA. Thank you.

REVIEW OF WAF'S 2015
In a relatively short time WAF has gone from 0 to 1, creating something where there was nothing. Our system allows us to treat Veterans anywhere taking personalized medicine to a level never before realized, separating WAF from the 40,000 plus other military/veteran support organizations (charitywatch.org).

This has allowed Dr. Gordon and WAF to converse with senior legislators, the secretary of the Veterans Administration, key agents with the Department of Defense, countless medical providers, and other military and veteran support organizations.

In WAF's first year over $100,000 has been raised, aiding in the treatment of over 30 service members and veterans, but it's not time to celebrate. We have a combined waiting list with over 600 veterans. The VA does not offer this treatment nor will they pay for it, yet. There is still much to be done.

The Future:
We will continue to use disruptive technology and tactics to improve quality of life for Veterans with Traumatic Brain Injuries (TBI) and Post Traumatic Stress (PTS) while working to secure our endorsed evaluation and treatment process within the Department of Defense (DoD) and the Veterans Administration (VA) or until new technology dematerializes, demonetizes, and democratizes the current health care system.

To free the medically oppressed,

Because families can’t and the VA won’t.

Andrew Marr
Warrior Angels Foundation Co-Founder and CEO

PS. If this compelled you in any way please share it with those who are unaware of our efforts.

\\\

Tuesday, January 5, 2016

Security vs. Compliance

Snippet from a recent exchange where I was having fun. The content was dictated... forgive obvious errors.

Security | Compliance
Driven by fear, pain | Driven by fear, pain
Because of security operations, business management, customers | Because of auditors/assessors, business management, customers
Because of news stories, threats, previous compromises, 60 Minutes, bogeyman, contract requirements | Because of assessments, legal requirements, contract requirements/agreements, organizational policy
Because no one wants to lose their job | Because of regulations and standards such as HIPAA, CJIS, FedRAMP, PCI DSS

(Both columns)
PRIMARY OBJECTIVE: Protect Data.
WHO?: Similar stakeholders involved. They may not see it that way, but they are.
WHAT?: Same data involved. Financial information, intellectual property, credit card data, electronic patient healthcare information, plans for the Death Star version 2.0, rocket ships, music tracks for Adele's next album.
WHEN?: All the time. Continuous compliance is the new black. Typically/traditionally an annual review, but this is changing.
WHERE?: Primary focus and scope is always where data is stored, processed, or transmitted, because these are the places where you have direct access. Includes everything layer 2 adjacent. Location doesn't matter. Public/private: don't care. Secondary focus is always on the supporting infrastructure and the security/operations management infrastructure for the primary scope. Includes any system that directly accesses the primary scope. There are some exceptions.
WHY?: Protect Data. Same objective.
FAQ
Compliance and security are different animals with completely different objectives. How can you say that if you meet compliance objectives then you are secure?
The vast majority of regulations, standards, and best-practice frameworks directly address the requirement for an active risk management program. Risk management is the identification of potential threats, prioritization, cost analysis, and threat mitigation through the use of safeguards. Another word for safeguards is controls. They are synonymous.

Therefore, you must effectively address all security risk (subjective, qualitative and quantitative) before you can attest to meeting risk management control objectives for compliance.
No seriously. Compliance is not security.
That's correct. Security is an outcome of compliance executed properly. Compliance is how the football team executes the offense. Security represents the offensive linebackers. The Dallas Cowboys had arguably the best offensive line in football. Unfortunately, nothing else worked. We will not discuss the outcome of the season.
But my customer asked me a question that sounded a whole lot like a security question…
Perhaps it was... Or perhaps, if you dig a little deeper, you will find the security requirement is driven by a compliance requirement/objective.
My customer said they only care about security.
Sometimes this is true. Other times, you may find that management has a different viewpoint.
 
Healthcare, financials, anyone dealing with money, customer information, trading/reporting publicly, global operations, public sector, critical infrastructure, high risk operations looking for DOD equivalent, defense, federal, foreign governments, consumer transactions, B2B transactions, service providers, etc. Pretty sure that includes most of the Fortune Global 500. http://fortune.com/global500
Are you sure you know what you're talking about?
<Drop the mic..>