Wednesday, November 28, 2012

Essential Definitions

[Added direct links to sources]

These definitions, taken together, represent important fundamentals - the underpinnings - of cloud security, cloud audit, and cloud compliance. If you've heard me speak... you've heard me stick to this script. It hasn't changed. The message is the same. The application and context in which I use them happen to be cloud computing.

Security goals
The five security goals are confidentiality, availability, integrity, accountability, and assurance.
SOURCE:  SP 800-27-RevA
Security
A condition that results from the establishment and maintenance of protective measures that enable an enterprise to perform its mission or critical functions despite risks posed by threats to its use of information systems.  Protective measures may involve a combination of deterrence, avoidance, prevention, detection, recovery, and correction that should form part of the enterprise’s risk management approach.
SOURCE:  CNSSI-4009
Confidentiality
Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.
SOURCE:  SP 800-53; SP 800-53A; SP 800-18; SP 800-27-RevA; SP 800-60; SP 800-37; FIPS 200; FIPS 199; 44 U.S.C., Sec. 3542
The property that sensitive information is not disclosed to unauthorized individuals, entities, or processes.
SOURCE:  FIPS 140-2 
The property that information is not disclosed to system entities (users, processes, devices) unless they have been authorized to access the information.
SOURCE:  CNSSI-4009
Availability
Ensuring timely and reliable access to and use of information.
SOURCE:  SP 800-53; SP 800-53A; SP 800-27; SP 800-60; SP 800-37; FIPS 200; FIPS 199; 44 U.S.C., Sec. 3542
The property of being accessible and useable upon demand by an authorized entity.
SOURCE:  CNSSI-4009
Integrity
Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity.
SOURCE:  SP 800-53; SP 800-53A; SP 800-18; SP 800-27; SP 800-37; SP 800-60; FIPS 200; FIPS 199; 44 U.S.C., Sec. 3542
The property that sensitive data has not been modified or deleted in an unauthorized and undetected manner.
SOURCE:  FIPS 140-2 
The property whereby an entity has not been modified in an unauthorized manner.
SOURCE:  CNSSI-4009
Accountability
The security goal that generates the requirement for actions of an entity to be traced uniquely to that entity.  This supports nonrepudiation, deterrence, fault isolation, intrusion detection and prevention, and after-action recovery and legal action.
SOURCE:  SP800-27
Assurance
Grounds for confidence that the other four security goals (integrity, availability, confidentiality, and accountability) have been adequately met by a specific implementation. “Adequately met” includes (1) functionality that performs correctly, (2) sufficient protection against unintentional errors (by users or software), and (3) sufficient resistance to intentional penetration or by-pass.
SOURCE:  SP800-27 
The grounds for confidence that the set of intended security controls in an information system are effective in their application.
SOURCE:  SP 800-37; SP 800-53A
Measure of confidence that the security features, practices, procedures, and architecture of an information system accurately mediates and enforces the security policy.
SOURCE:  CNSSI-4009
Information Security
The protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability.
SOURCE:  SP 800-37; SP 800-53; SP 800-53A; SP 800-18; SP 800-60; CNSSI-4009; FIPS 200; FIPS 199; 44 U.S.C., Sec. 3542
Protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide—
1) integrity, which means guarding against improper information modification or destruction, and includes ensuring information nonrepudiation and authenticity;
2) confidentiality, which means preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information; and
3) availability, which means ensuring timely and reliable access to and use of information.
SOURCE:  SP 800-66; 44 U.S.C., Sec 3542
Continuous Monitoring
The process implemented to maintain a current security status for one or more information systems or for the entire suite of information systems on which the operational mission of the enterprise depends.  The process includes: 1) the development of a strategy to regularly evaluate selected IA controls/metrics, 2) recording and evaluating IA-relevant events and the effectiveness of the enterprise in dealing with those events, 3) recording changes to IA controls, or changes that affect IA risks, and 4) publishing the current security status to enable information-sharing decisions involving the enterprise.
SOURCE:  CNSSI-4009

Monday, November 5, 2012

CoDeSys + digital bond + Shodan = US-CERT Warning


Big Picture:

[1] Company makes flawed code for control systems. [2] Security company exploits code and releases free tools. [3] Hacker search engine compiles list of more than 500,000 control systems. [4] Researchers identify increased activity attempting to exploit critical infrastructure.

Brief Details and Links:

CoDeSys is a development platform created by 3S. This package is used to program controllers from an impressive 261 companies. The products include everything from factory automation to critical infrastructure SCADA systems. An interested party, a SCADA security company named Digital Bond, created and released two tools. The first is a command-shell utility (codesys-shell.py) that allows an unauthenticated user to perform privileged operations, sans password. The second is a file transfer tool (codesys-transfer.py) that allows reading and writing files on controllers that have a file system. Shodan, a powerful exploit search engine, has already identified more than 500,000 reachable Industrial Control System (ICS) devices. Given that Shodan can be scripted, how long do you think it takes an interested Python coder to identify, exploit, root, and establish control? Or to create a module for Metasploit?

Some Quick Lessons:
  • Build secure access controls into sensitive systems.
  • Isolate sensitive systems from the Internet.
  • Have your products third-party tested by professionals.
  • Assume security measures you build into your products are going to be used by your customers. They will be tested. Hopefully by you.
  • Especially if security isn't your core competency or product set, have your products third-party tested by professionals. Even if it is... have your products third-party tested by professionals.

Thursday, September 6, 2012

Smart Grid Security

This month’s HSDL release includes a smart grid security article from George Mason. If smart grid security is of interest, but you're not deep into it, then you may appreciate the volume of information out there. I'm posting this information here so that I have a short list in one spot.


Tuesday, August 7, 2012

Black Hat Panel: Top Skills


Jennifer Granick moderated a panel containing many of our most respected peers in the industry. Jennifer was incredibly sharp as she guided Jeff Moss, Bruce Schneier, Adam Shostack, and Marcus Ranum through several topics: information sharing, critical infrastructure, future attacks, and cyber insurance.

The topic that caught my attention began with: You're the CSO. What are you going to spend your money on in the next 10 years?

Across the board, the answer was to spend your money on your employees... and that quickly folded into the types of skill sets needed. The answers given? Malware analysts, generalists, forensic analysis, response, cloud security, contracts, legal. You need people that can see the big picture and understand how the pieces fit together.

My takeaway for my customers? Invest in your people.

And a special note for my students. Continue reading, expanding, learning, pushing. Make yourself valuable and marketable. Love what you do. I've spoken with a few of you lately that have hit rough spots or failed in a big way. Don't quit. Don't give up. Don't you dare stop now. And in particular to one student who stepped up to the plate... I'm proud of you. Keep it up.

Monday, August 6, 2012

Re-post: Spreadsheet: ISO PCI HIPAA 800-53 FedRAMP CSA SANS SCSEM CESG

Re-posting this because this spreadsheet is a popular item. I've been pulled into so many directions over the last couple months that contributing here has been difficult. My apologies for that... here is the information about the spreadsheet:

Get the 'Common Authorities on Information Assurance' spreadsheet here. (xlsx)

...There are different spreadsheets floating around with ISO, PCI, NIST, HIPAA, and more so that you can play to your heart's content. Here's mine. Why do I do this? It's fun for me and it forces me to digest to a certain extent what's in there.

We have vCM and Archer, real tools for managing compliance. This spreadsheet does make a quick, compelling view into exactly why a (good) compliance management tool can be sooooo helpful. :) Have fun! It's under the documents tab.

The most complete set of controls? 
Recently a customer asked my opinion about what I thought was the most complete set of controls. There are several I like, and some that are far too narrowly focused to build a comprehensive program. My answer? NIST SP800-53. Here's a look at some commonly referred to sources.

Common Regulations, Standards, Audit Practices and Guides: SOX | GLBA | FFIEC | Basel II | FCRA | HIPAA | NERC | NRC | CFAA | FISMA | FRCP | FISCAM | Privacy Act of 1974 | Safe Harbor | NYSE | PCI-DSS | COSO | CESG | NIST | ISO 27001:2005 | ISO/IEC 27002-2005 | OGC ITIL | BCI | CobiT | ISACA | AICPA | OECD | CSA | ENISA


Sunday, June 3, 2012

Helping a Friend: Resetting Windows Password

Helping a friend. As mentioned previously... the purpose of this blog is to post information that's easily referenced. 

So... Rebecca.. Here are the steps for breaking the password... Call your closet hacker brother "J" with questions:) He knows what to do... 

Word document with pictures is located here: Word Doc: Resetting Windows Password

1. Download this: http://pogostick.net/~pnh/ntpasswd/cd110511.zip

   a. Comes from website: http://pogostick.net/~pnh/ntpasswd/

2. This is a zipped-up .ISO file and needs to be burned to a CD.

   a. Generally, most computers today have built-in burner software.
   b. Unzip the file anywhere and double-click the cd110511.iso file.
   c. Burn the image (.iso) file to a CD.

3. Put the newly created CD into the computer to break the password.

   a. Power off the computer with the CD in the drive.
   b. Power on the computer and immediately start hitting the [F12] key every two seconds until the boot options menu comes up.
   c. Select boot from CD.
   d. Wait for the CD to boot (into a Linux micro-kernel…).

4. Select the account and break the password:

   a. Initial screen – just hit the [Enter] key.

   b. Next you see the following line.
      Select: [1] Just hit the [Enter] key.

   c. Next you see [Windows/system32/config]. Just hit the [Enter] key.

   d. Next you see [1]: Just hit the [Enter] key.

   e. Now you see [1]: again (for option Password reset…) – just hit the [Enter] key.

   f. Next we select the account to change.
      [Administrator] Just hit the [Enter] key.

   g. Next we blank (clear) the password. Select: [q] > - Type 1 and hit the [Enter] key.

   h. Now it's time to quit.
      Type ! and hit the [Enter] key.
      Type q and hit the [Enter] key.
      Type y and hit the [Enter] key.
      Type exit and hit the [Enter] key to exit the program.

   i. Power off the computer: hold the power button for 6-8 seconds until it turns off.
   j. Power on, and the password for the administrator account should be blank.

5. The same steps can be followed for any account on the system.


Tuesday, May 22, 2012

Must Reads: Useful Books for Managers

Again - as stated in other places - this blog is my own little personal digital shelf. I can easily find things here and direct others to the information later. I will share this one a lot.

Life is incredibly short. In my 20s I laughed at the idea of a mid-life crisis. In my late 30s, quickly approaching 40... I sneezed, blinked, opened my eyes and 20 years flew by.

I heard a preacher say, "You will be the same person with the same problems 20 years from now. The only things that will change this are the books you read and the company you keep." Towards that end, I'm sharing a list of books created by Rob Davis, someone I know well and highly respect.
-----------

[Rob Davis] Below are a few books I've found very useful over the years.
MUST READ FOR FIRST LINE MANAGERS IN ANY FUNCTIONAL GROUP
First, Break All the Rules: What the World's Greatest Managers Do Differently
Influencer: The Power to Change Anything
The Effective Executive: The Definitive Guide to Getting the Right Things Done
What Management Is: How It Works and Why It's Everyone's Business
MUST READ FOR SECOND LINE MANAGERS AND ABOVE IN FIELD SALES
Developing The Leader Within You
Integrity: The Courage to Meet the Demands of Reality
The Extraordinary Leader: Turning Good Managers into Great Leaders
Good to Great: Why Some Companies Make the Leap... and Others Don't
The Channel Advantage

Monday, May 14, 2012

Spreadsheet: ISO PCI HIPAA 800-53 FedRAMP CSA SANS SCSEM CESG

Get the 'Common Authorities on Information Assurance' spreadsheet here. (xlsx)

[2016-02-03 Update]
-- PCIv3.1 controls spreadsheet
-- NIST SP 800-53A r4 spreadsheet

Just back from London... where the joke was for me to close a deal at Hogwarts:).

I had some time on the plane to clean and organize material into a single source document. I have much more interesting stuff than this, but alas, I can't share it unless you're a customer. And I like you. And you know how to get into Hogwarts.

There are different spreadsheets floating around with ISO, PCI, NIST, HIPAA, and more so that you can play to your heart's content. Here's mine. Why do I do this? It's fun for me and it forces me to digest to a certain extent what's in there.

We have vCM and Archer, real tools for managing compliance. This spreadsheet does make a quick, compelling view into exactly why a (good) compliance management tool can be sooooo helpful. :) Have fun! It's under the documents tab.

The most complete set of controls? 
Recently a customer asked my opinion about what I thought was the most complete set of controls. There are several I like, and some that are far too narrowly focused to build a comprehensive program. My answer? NIST SP800-53. Here's a look at some commonly referred to sources.

Common Regulations, Standards, Audit Practices and Guides: SOX | GLBA | FFIEC | Basel II | FCRA | HIPAA | NERC | NRC | CFAA | FISMA | FRCP | FISCAM | Privacy Act of 1974 | Safe Harbor | NYSE | PCI-DSS | COSO | CESG | NIST | ISO 27001:2005 | ISO/IEC 27002-2005 | OGC ITIL | BCI | CobiT | ISACA | AICPA | OECD | CSA | ENISA

Thursday, April 26, 2012

Getting Comfortable... ??

Now more than ever it's important to improve your technical, professional, and soft skills. The landscape is more competitive than ever, and the technologies shaping our world are evolving more quickly than at any other point in history.  This isn't a time to get comfortable with your knowledge set. Take the time to invest in yourself and reap the benefits.

Watch a Video!
Quickest way to get up to speed on a number of technologies? YouTube. Check it out! Seriously. For example, check out Chad Sakac's videos at http://www.youtube.com/user/sakacc.

Attend a Webcast!
Maybe you missed one? Want to check out topics that have presented before? Check out http://www.brighttalk.com

Try Hands on Labs!
Hands on Labs are growing in popularity because they can be managed more easily on cloud platforms and reset instantly, allowing the resources used by someone else to be released as a baby-powder fresh clean slate for your learning pleasure.

Grab a book!
This is the list of books I've been giving students for years. Full disclosure - two of these are mine. They were written to give IT professionals a kickstart with a different skillset.

Wednesday, April 11, 2012

SP800-53A(3) Mapped to HIPAA

I reviewed NIST SP 800-66(R1) An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. I've posted the enhanced version of that effort which includes additional links to VMware, Cisco, EMC, and RSA healthcare portals.  Download the spreadsheet under the Documents tab.

I reverse mapped HIPAA to SP800-53A(3) controls based on SP800-66 guidance. 800-53A withdrawn controls were remapped to the specified replacement controls. Ping me if you have any questions. You need additional guidance in order to appropriately implement the HIPAA security rule. This is not enough to stand on its own - BUT it is an interesting look at the similarities in controls across authorities.

Tuesday, April 3, 2012

The Psychology of Acceptable Risk

Let's keep this simple.
Consider residual risk and acceptable risk. Controls are put in place to address known and unknown risk. Your remaining risk that isn't covered is called Residual Risk. If it's not small enough, you add more controls until it gets to the point you are willing to accept the residual. The threshold for the acceptable amount of risk is called Acceptable Risk. Now that that's covered, note the relationship between assurance and acceptable risk.
Assurance is the grounds for confidence that the set of intended security controls in an information system are effective in their application.
(NIST SP 800-37 and SP 800-53A)
What influences your risk tolerance? 
There are lots of interesting angles here. Think about this for a minute. What is it about an environment, a product or solution, that builds enough confidence that you are willing to accept the residual risk and place it into operation?

Can a vendor affect how much risk you are willing to accept?
I believe, quite simply, that the answer is yes. What other influential factors affect how you feel about a product or solution? Is it *right* that security can be subjective? Certainly, there are additional measures that build your confidence in a particular system, such as third-party reviews, configuration to *someone's* best practices, penetration testing, or borrowing trust from another system's ability to manage the new system's risk. We often tell others that you have to meet a certain stringent, concrete standard to be considered secure. Well, yes, that's right, but there's also the influence of a vendor's history, reputation, communications, sales team, support, engineers, and more that drive your trust in a product or solution to meet your needs.

Where did this come from? 
I thought about this while walking the floor of RSA several weeks ago. It was interesting how much credibility I gave certain products because of their track record, despite not having any real experience with a particular platform. My biases crept into the picture, thinking about how company "X" *always* seems to deliver sub-par solutions, and company "Y" always seems to deliver results. Even if testing of X demonstrated marked gains, my gut is to hesitate and prefer the trusted partner to "get it right".

Thursday, March 29, 2012

The Organized Auditor: Document Tagging


Tabbles = Tagging Data
Here's an interesting concept. Tagging has been around for quite some time. There are tagged file systems for Linux, and tags for everything in social media. I started looking at ways to tag my data sets to solve - or help solve - the efficiency problem. I want to use my time thinking and processing with data. I'm a knowledge worker, and my effectiveness is tempered by how quickly I can find information. I depend on my formal and informal relationships every day because I have multiple avenues for getting answers. Tagging data provides another avenue for finding information I've already taken the time to collect. I clearly see the problem. So did a cool little company calling themselves Yellow blue soft that put up a website at http://www.tabbles.net. Their about page says it all. "We are a small, dynamic and international team who is wondering why file-management is lagging 30 years behind and no one seems to care or even notice. We do."

Messy Data.
How do you organize your documents? Organizational Behavior was the best class I've ever taken. I had no idea how often I would refer to the simple precepts we learned to understand how data and people naturally organize themselves. One interesting aspect of this organizational problem (i.e. information organically organizing itself) is that the relational complexity of the data set exponentially grows from their interconnected geometric relationships. 

Enterprise Content Management. 
You've created and enforced the best folder hierarchies on your hard drive... and transferred them to a file share for others to also use. It makes perfect sense to you, but for some reason others feel the need to change it. Over time, it becomes unwieldy and difficult to navigate. Entering stage left: Enterprise Content Management (ECM). That's great for the enterprise. What about your personal data? Is there a way to help identify and tag relationships between data sets?

Unstructured vs. Semi-Structured vs. Structured Data.
Call it what you want. There's a wealth of information about this online. Here's a simple example of the business problem. Consider your repository of [1] compliance information organized by authorities [2] vendor information organized by company, [3] customer information organized by the internal or external customers, [4] projects organized by your internal or external projects, and [5] technology information organized by subject. This is an example of the unstructured data problem. Tagging documents facilitates reviewing content I've tagged as containing specific information regardless of where it sits in my folder structure. It's a question of efficiency. It's not that you can't manage what you have. You've hacked through it for years. The question to consider is whether you can do it more efficiently. 

Monday, March 26, 2012

CAESARS Framework Extension: Continuous Monitoring

You may be familiar with Continuous Asset Evaluation, Situational Awareness, and Risk Scoring Reference Architecture Report (CAESARS). Trolling through older draft posts I created a few months ago, I ran across this little gem. On the face of it, you might think, "cool!"... until you realize how difficult it *really* is technically to make all of this work. I personally think it's a matter of time. The market needs _something_ delivering real time feedback.

Lately I've been speaking with people about continuous monitoring using the analogy of SAP's answer to ERP. Walmart's real-time view into its supply and distribution systems is legendary. Hiccup? They're on it.

Remember the 90s? Remember the large scale SAP implementations that failed? Remember _why_ the implementations failed and how much money it cost the companies that tried? What about the ones that were able to succeed and how much SAP helped with a competitive advantage?

I believe there are lessons to be learned from those times. Remember the buzz acronym BPR? Business Process Re-engineering. Some of the challenges are technical. Some are business related. Alignment, execution, focus, scope, roles, expectations. You may ask, "Are we discussing SAP or CAESARS?" ... Yes.

Now... take a peek into the NIST IR-7756 Continuous Monitoring Framework at http://csrc.nist.gov/publications/PubsDrafts.html. This is very interesting work that is moving in the direction of continuously assessing and providing assurance and remediation for your critical infrastructure. The authors of this version (Peter Mell, David Waltermire, Larry Feldman, Harold Booth, Alfred Ouyang, Zach Ragland, and Timothy McBride) have done a fantastic job of visually communicating the process and integration points.


Friday, March 23, 2012

Faster than a speeding bullet, more powerful than a locomotive, able to leap tall buildings in a single bound!

Superman's 1941 release opened famously with, "Up in the sky, look: It's a bird. It's a plane. It's Superman!" before going into the narration explaining the origins of the world's favorite superhero. I recently read through the opening narrative thinking about a baby Vblock growing up to be the superhero... Overactive imagination? Time for a vacation? :)

Several people have asked me questions about VCE's Vblock platform. Why is it any different than just buying each of the components and building it yourself? This video explains what happens behind the scenes to build a Vblock. Why does this matter to auditors? Repeatable process = Repeatable results. That's Super. 

Tuesday, March 20, 2012

EMC Acquires Pivotal Labs

Why Auditors Care: This is another step in the right direction to tackle the challenge of complex data analysis characterized by our IT infrastructures. Developers need tools to engage large disparate data sets and create solutions. My discussion is on the data produced by the infrastructure components, not the data housed by the infrastructure, which tends to be the focus of 'Big Data' discussions.


Excerpt from Full Story:
Pivotal Labs enhances EMC’s powerful portfolio of products and services, which are designed to enable organizations to store, analyze and take action on ‘Big Data’ – datasets so large they break traditional IT infrastructures.  Earlier this year EMC introduced the Greenplum Unified Analytics Platform (UAP) that delivered, for the first time, a scale-out infrastructure for analyzing both structured and unstructured data. Today EMC announced general availability of Greenplum Chorus – another industry first, delivering a Facebook-like social collaboration tool for Data Science teams to iterate on the development of datasets and ensure that useful insights are delivered to the business quickly.  EMC brought Data Science and its chief practitioner – the Data Scientist – to the fore a year ago at the world’s first Data Scientist Summit.  With the addition of Pivotal Labs, EMC can now take datasets perfected in Greenplum Chorus and enable customers to rapidly build out Big Data applications using modern programming environments such as Ruby on Rails.


News Summary:
  • EMC has acquired San Francisco-based Pivotal Labs, a privately-held provider of agile software development services and tools. 
  • EMC will invest to expand Pivotal’s reach on a global scale, bringing Pivotal’s agile consulting services expertise to an even greater number of both emerging start-ups and the world's largest businesses looking to embrace Cloud, Big Data, Social and Mobile in developing next-generation applications. 
  • Pivotal’s agile project management tool (Pivotal Tracker) is currently used by over 240,000 developers around the world. EMC plans to continue to invest in Pivotal Tracker to accelerate innovation in the platform and increase adoption. 
  • With the addition of Pivotal, EMC adds to its portfolio the gold-standard in agile software development for customers building ‘Big Data’ analytic applications. 
  • The all-cash transaction is not expected to have a material impact to EMC GAAP or non-GAAP EPS for the full 2012 fiscal year.
  • An online event titled “Social Meets Big Data: Live Webcast ” with executives from EMC and Pivotal Labs will be broadcast today, Tuesday, March 20 - 9:45 A.M. Pacific, 12:45 P.M. Eastern and 4:45 P.M GMT.  Event details can be found at http://bit.ly/qduws  or at EMC.com.