VMware Common Criteria Update

As I've stated before, I use this blog to share interesting bits of information, and additionally make sure that I don't lose stuff that I find. Eric Betts is the man behind the curtain at VMware responsible for Common Criteria and FIPS 140-2 certifications. A few months ago, he wrote an update that he posted publicly on his blog. Fantastic information.

From Eric, "…  I maintain the following page and blog on security certs from a VMware perspective...

• https://www.vmware.com/support/support-resources/certifications.html
• http://blogs.vmware.com/security/2013/04/vmware-common-criteria-update-april-2013.html

 

Hacking Exposed: Computer Forensics Update

We've been asked to update Hacking Exposed: Computer Forensics and bring out a 3rd edition in 2014.

Here's the proposed chapter layout:

Part 1 Fundamentals
1 The Forensics Process
2 Computer Fundamentals
3 Forensic Lab Environment Preparation

Part 2 Evidence Collection
4 Forensically Sound Evidence Collection
5 Enterprise Forensic Collections

Part 3 Forensic Analysis
6 Malware
7 Microsoft Windows Systems Analysis
8 Linux Analysis
9 Macintosh Analysis
10 Cloud Forensics
11 Memory Analysis
12 Defeating Anti-forensic Techniques
13 Enterprise Server and Storage Analysis
14 Email Analysis
15 Internet History Analysis
16 Mobile Forensics

Part 4 Presenting your findings
17 Documenting the Investigation
18 Investigations in the US Legal system
19 investigations in the Euro Legal system
20 Investigations between legal systems

Part 5 Advanced Forensics
21 External Device Analysis
22 Tracking the cloud
23 Enterprise Networks
24 Server Side Application Forensics
25 Source code analysis

Appendix
A Searching Techniques

vSphere 5.1 Hardening Guide – Official Release

This is slowly making the rounds.
http://blogs.vmware.com/vsphere/2013/04/vsphere-5-1-hardening-guide-official-release.html.

Excellent job to Mike Foley. Love that it's released in a spreadsheet only format. That's efficiency.   And it's helpful, useful.
The guide is available here.

Cisco Security Intelligence Operations RSS Feeds

Thinking about one of my favorite feeds, the Cisco Cyber Risk Report, and wanted to make sure to capture the relevant links. Sample report delivered every week contains a synopsis of information covering Cisco vulnerabilities, legal information, trust analysis, geopolitical issues, and upcoming security relevant events such as conferences.

 

Here is the list of feeds offered on Cisco's Security Intelligence Operations RSS Feeds webpage along with the direct links:

• Cisco Security Advisory
• Cisco Security Response
• Cisco Security Notices
• Threat Outbreak Alerts
• Cyber Risk Reports
• Cisco Event Responses
• Cisco IPS Threat Defense Bulletins
• Cisco Applied Mitigation Bulletins

 

Looking for Security Product Manager to Join VCE

Looking for an extremely technical Security Product Manager to join our highly focused team. This is the best place I've worked in a decade. Great challenge, work-life balance, excellent comp, outstanding benefits, and access to EMC, VMware, and Cisco training.

What we DO want: Excellence. Experience. Execution. Collaboration. Purpose. People who want to take part in massive industry transformation. The scope of our customers and impact frankly stuns me.

What we DON'T want: Ego. Fiefdom builders. People looking for something to "try".

Learn more about the position and apply here: http://rfer.us/VCEJvww2y.

I'm part of the team. Contact me for any additional information.

Chris Davis
Senior Consultant - Security and Compliance
Product Management Office
Chris.Davis@vce.com
www.linkedin.com/in/christopherdavis

InnoTech Conference Dallas Presentation

Here's the presentation from last Thursday's Innotech Conference.

Title: No Gimmicks. Build Assurance into Cloud Computing.

Abstract: More than 150 conversations with top level executives responsible for global enterprise and government organizations have shaped this message. The situation is that every level of business and government operations are converging and streamlining infrastructure to manage cost and efficiency. The complication is that organizations must translate existing physical security controls into dense virtual infrastructures. The question is how do you manage risk exposures without compromising your security and compliance requirements. We will discuss how a secure and compliant virtual platform can enable your business with secure separation, compliance visibility, and easier management.

Reverse Mapped SANS 20 Critical Controls to FISMA

Greatly appreciate contact from the author of Tech-Wreck Blog who said, "I am trying to make the SANS 20 Critical Controls a bit more "fun"/interactive…"

I really like what he has done. Nice work. It's in that vein that I'm sharing a reverse mapping of the SANS 20 Critical Controls into FISMA (800-53r3) controls, using FISMA as the baseline.

You can find it here: Reverse Mapped SANS 20 Critical Controls to FISMA.

Requirements Driven – Mandatory Solutions

Common Required Solutions

[Update: Added source mapping and original spreadsheet]

Click on the worksheet below to view a compiled checklist of mandatory security solutions, an ecosystem if you will, that supplement and enable the comprehensive technical control set required by common regulations and standards.


Requirements Mapping

Very importantly, this is 100% requirements driven and not intended to be a comprehensive approach to protecting your data. However, this solution set is a great start. The authority documents from which this solution set is derived are written with the objective of protecting data relative to their domain. That doesn't mean the objective has been successfully met. Your particular use case may fall outside of the normative expectations for which the authority documents were written. Your particular operational mission and/or risk profile may drive additional technology solutions. For example, additional monitoring tools, network management,  e-discovery, network forensics, etc.

Solution Set Requirements Map 
(Click image below to see full-size) (PDF Version)

Common Required Technical Security Solutions



US Intelligence Community – Worldwide Threat Assessment – March 2013

Anyone remember the days of using bulletin boards? Prodigy? Something happened to this simple Texas boy who suddenly realized there was an entire world of people out there. An entire world of thought. Suddenly, I understood the power of gathering multiple points of reference to solve problems because it gave me tremendous clarity and multiple contextual views.

Your system security suffers when you fail to cover your bases and take in multiple information sources to create context. Effectiveness requires a comprehensive approach.

 

I subscribe to the weekly Homeland Security Digital Library digest. This week included the Statement for the Record, Worldwide Threat Assessment of the US Intelligence Community, Senate Select Committee on Intelligence, James R. Clapper, Director of National Intelligence, March 12, 2013.

 

Two things of interest here. First is that cyber security is the first threat listed, and the primary concern of the authors of this report. Second is the recognition of the importance of gathering and compiling information across multiple sources, and the subsequent call to arms. "In this threat environment, the importance and urgency of intelligence integration cannot be

overstated. Our progress cannot stop."

Author: Clapper, James R. (James Robert)

Publisher: United States. Office of the Director of National Intelligence
Date: 2013-03-12
Copyright: Public Domain
URL: https://www.hsdl.org/?view&did=732599

 

There's another interesting article referenced in the digest covering border protection using complexity theory. Interesting to note similar findings. The thesis written by Michael J Schwan at the Naval Postgraduate School, while controversial in its findings, addresses concerns over current security endeavors that are "compartmentalized, fragmented, and poorly coordinated."

 

Author: Schwan, Michael J.
Publisher: Naval Postgraduate School (U.S.) 
Date: 2012-12
Copyright: Public Domain
URL: https://www.hsdl.org/?view&did=732181

Privacy Primer: Fair Information Practice Principles

Today while reading through a blog post by Michael Daniel, titled Improving the Security of the Nations Critical Infrastructure, I was drawn into the Privacy and Civil Liberties Protections section of the Executive Order on Improving Critical Infrastructure Cybersecurity. Michael says, "the executive order directs departments and agencies to incorporate privacy and civil liberties protections into cyber security activities based upon widely-accepted Fair Information Practice Principles, and other applicable privacy and civil liberties frameworks and policies."
Clicking the link to see the Fair Information Practice Principles, I read through the 2008 privacy policy guide that I frankly have never seen nor read before this. I found the guide to be a very interesting read. The eight Fair Information Practice Principles are: Transparency, Individual Participation, Purpose Specification, Data Minimization, Use Limitation, Data Quality and Integrity, Security, and Accountability and Auditing.

I thought it would be interesting to replace DHS with ORGANIZATION and read it again. Result? A short primer to privacy safeguards.

• Transparency: ORGANIZATION should be transparent and provide notice to the individual regarding its collection, use, dissemination, and maintenance of personally identifiable information (PII).
• Individual Participation: ORGANIZATION should involve the individual in the process of using PII and, to the extent practicable, seek individual consent for the collection, use, dissemination, and maintenance of PII.  ORGANIZATION should also provide mechanisms for appropriate access, correction, and redress regarding ORGANIZATION’s use of PII.
• Purpose Specification: ORGANIZATION should specifically articulate the authority that permits the collection of PII and specifically articulate the purpose or purposes for which the PII is intended to be used.
• Data Minimization: ORGANIZATION should only collect PII that is directly relevant and necessary to accomplish the specified purpose(s) and only retain PII for as long as is necessary to fulfill the specified purpose(s).
• Use Limitation: ORGANIZATION should use PII solely for the purpose(s) specified in the notice. Sharing PII outside the Department should be for a purpose compatible with the purpose for which the PII was collected.
• Data Quality and Integrity: ORGANIZATION should, to the extent practicable, ensure that PII is accurate, relevant, timely, and complete.
• Security: ORGANIZATION should protect PII (in all media) through appropriate security safeguards against risks such as loss, unauthorized access or use, destruction, modification, or unintended or inappropriate disclosure.
• Accountability and Auditing: ORGANIZATION should be accountable for complying with these principles, providing training to all employees and contractors who use PII, and auditing the actual use of PII to demonstrate compliance with these principles and all applicable privacy protection requirements.