Wednesday, August 31, 2011

Solution Security

This is a short post that's going to have to be expanded later. There are too many questions that a seasoned professional would ask about this model without having the background and scope of the model clearly defined. There are clearly shortcomings in this model as-is. However, it has also provided a fantastic simplified background for discussion to view security from more than one perspective, and to appreciate the breadth of controls that work together to provide information protection. Thank you Charles Benagh for your excellent help with this. It was during our conversations that this finally came together. (You can click on the image to expand it)

Specific to Solution Security, there is far too much than I have time for right now to address in any real detail. Here is an overview:

Monday, August 22, 2011

Compliance for the Masses - Simplified Models

This functional illustration shows how standards and regulations correlate with specific requirements, policies, controls, and audit points. I created a version of this illustration for a group of RSA SEs learning Archer as a way to quickly bridge the gap between authority documents (standards and regulations) and audits while keeping important details.

Standards and regulations - Authorities - contain requirements which when documented become policies and procedures. That's simple enough. Controls are implemented to ensure policies are followed. Again - straight forward. Controls are then audited on a periodic basis to ensure controls align with policies and required compliance mandates. Make sense?

This is a simple compliance model. There is a different model and view of security of which this becomes a component.

PCI-DSS Example
  • Authority: PCI-DSS is the authority document created by the PCI-SSC.
  • Requirement: (10.6) Review logs for all system components at least daily.
  • Policy: Monitoring Policy – States logs will be reviewed at least daily.
  • Control: RSA enVision provides real-time monitoring for all system components.
  • Audit: Auditor verifies RSA enVision is appropriately monitoring and alerting to actionable events. Audit results and evidence are stored as part of the audit.

Authorities to Audits

Thursday, August 11, 2011

Federal Information Assurance: The DoD IA Policy Chart

DoD IA Policy Chart
The Information Assurance Technology Analysis Center (IATAC) publishes a helpful chart that you may not know about unless you work with Federal accounts. The DoD IA Policy Chart does a great job illustrating the staggering number of regulations, standards, and guidance documents created by our government.

From the website: "The goal of the IA Policy Chart is to capture the tremendous breadth of applicable policies, some of which many IA practitioners may not even be aware, in a helpful organizational scheme. [...] At the bottom center of the chart is a legend that identifies the originator of each policy by a color-coding scheme. On the right hand side of the IA Policy Chart, there are boxes, which cover the legal authority for the policies, the federal/national level of IA policies, as well as operational and subordinate level documents that provide details on securing the GIG [Global Information Grid] and its assets. Links to these documents can be found in the Chart."

To the team of people to put this together: Awesome job. Thank you for the hard work.

Here is the list of resources used in the creation of the chart:

Thursday, August 4, 2011

Security Topics of Interest – Check all that apply


I joined the InterSeC community some time ago because of a banner they have on ISC2's website. The registration process includes questions about your security interests across 62 topical areas.... Have you ever wondered why it's so hard to be an expert in everything? :)

Here are the 62 security topics listed on the InterSec website: 

Access Control , Analysis & Monitoring , Anti Malware , Application Security , Audit , Authentication , Business Continuity & Disaster Recovery , Cloud Computing , Compliance Management , Computer Forensics , Configuration/Patch Management , Content Filtering , Cybercrime , Data Leakage Protection , Database Security , Denial of Service , DIACAP , Digital Certificates , Digital Forensics/E-Discovery , Digital Rights Management , DOD IA , Education/Training , Encryption/Key Management , Endpoint Security , Enterprise Security , Firewalls , Fraud , GRC (Governance Risk and Compliance) , HIPAA , Identity Management , Identity Theft , IDS/IPS (Intrusion Detection/Prevention Systems , Incident Response , Managed Security Services , Messaging Security , Mobile Security , Network Protocol Security , Password Management , PCI , Penetration Testing , Physical Security , PKI , Policy Management Enforcement , Privacy , Professional Certification , Provisioning , Remote Access , Risk Assessment & Management , Secure File Transfer , Secure Virtualization , Security Consulting , Security Metrics , SIEM , Single Sign On , Software Code Vulnerability Analysis , SOX , Storage Security or Secure Storage , VoIP Security , VPN , Vulnerability Assessment , Web Filtering , Wireless Security

Wednesday, August 3, 2011

The Best Kept SMB Secret: Cloud WAF

Allen Mohler's Gym... Kids learn discipline and work ethic.
A legend in Mixed Martial Arts (MMA) sat with me on a long flight last week. I was immediately struck by his easy going demeanor that exuded confidence. I learned that he has his own MMA gym with 500+ fighters.  His specialty is Brazilian Jiu-Jitsu, and there was no doubt he can take care of himself.

But can he take care of his website?

He's not focused on protecting his website. He's teaching boys how to be men. He needs a simple and cost effective solution to stop malicious attacks. 

Proxied web application firewalls have been around for a few years now, but surprisingly few SMBs know about them, or know how cost-effective they can be to stop malicious attacks.  

Enter the Dragon: Cloud services like Incapsula (SMB friendly) and Imperva (Commercial and Enterprise) drop malicious attacks before they hit your website. Incapsula even has a free service for websites that don't serve SSL traffic. Now, instead of having to worry about an appliance to take care of his web traffic... he can focus on taking care of his favorite students.