Sunday, April 22, 2007

What Should cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 Feds Do

Recently I discussed Federal digital security in Initial Thoughts on Digital Security Hearing. Some might think it's easy for me to critique cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 Feds but difficult to propose solutions. I thought I would try offering a few ideas, should I be called to testify on proposed remedies.

For a long-term approach, I recommend cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 steps offered in Security Operations Fundamentals. Those are operational steps to be implemented on a site-by-site basis, and completing all of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365m across cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 Federal government would probably take a decade.

In cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 short term (over cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 next 12 months) I recommend cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 following. These ideas are based on cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 plan cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 Air Force implemented over fifteen years ago, partially documented in Network Security Monitoring History along with more recent initiatives.

  1. Identify all Federal networks and points of connectivity to cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 Internet. This step should already be underway, along with cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 next one, as part of OMB IPv6 initiative. The Feds must recognize cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 scope and nature of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 network cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365y want to protect. This process must not be static. It must be dynamic and ongoing. Something like Lumeta should always be measuring cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 nature of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 Federal network.

  2. Identify all Federal computing resources. If you weren't laughing with step 1, you're probably laughing now. However, how can anyone pretend to protect Federal information if cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 systems that process that data are unknown? This step should also be underway as part of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 IPv6 work. Like network discovery, device discovery must be dynamic and automated. At cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 very least passive discovery systems should be continuously taking inventory of Federal systems. To cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 extend active discovery can be permitted, those means should also be implemented. Please realize steps 1 and 2 are not cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 same as FISMA, which is static and only repeated every three years for known systems.

  3. Project friendly forces. You can tell cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365se steps are becoming progressively difficult and intrusive into agency operations. With this step, I recommend third party government agents, perhaps operated by OMB for unclassified networks and a combination of DoD and ODNI for classified networks, "patrol" friendly networks. Perhaps cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365y operate independent systems on various Federal networks, conducting random reconnaissance and audit activities to discover malicious parties. The idea is to get someone else besides intruders and cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365ir victims into cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 fight at cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365se sites, so an independent, neutral third party can begin to assess cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 state of enterprise security. The Air Force calls this friendly force projection, which is a common term but cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365y are performing it now on AF networks.

    This step is important because it will unearth intrusions that agencies can't find or don't want to reveal. It is imperative that end users, administrators, and managers become separated from cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 decision on reporting incidents. Right now incident reporting resembles status reports in cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 Soviet Union. "Everything is fine, production is exceeding quotas, nothing to see here." The illusion is only shattered by whistleblowers, lawsuits, or reporters. Independent, ground-truth reporting will come from this step and from centralized monitoring (below).

  4. Build a Federal Incident Response Team. FIRT is a lousy name for this group, but cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365re should be a pool of supreme technical skill available to all Federal enterprises. Each agency should also have an IRT, but cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365y should be able to call upon FIRT for advice, information sharing, and surge support.

  5. Implement centralized monitoring at all agencies. All agencies should have a single centralized monitoring unit. Agents from step three should work with cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365se network security monitoring services to improve situational awareness. Smaller agencies should pool resources as necessary. All network connectivity points identified in step 1 should be monitored.

  6. Create cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 National Digital Security Board. As I wrote previously:

    The NDSB should investigate intrusions disclosed by companies as a result of existing legislation. Like cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 NTSB, cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 NDSB would probably need legislation to authorize cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365se investigations.

    The NDSB should also investigate intrusions found by friendly force projection and centralized monitoring.


None of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365se steps are easy. However, cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365re appears to be support for some of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365m. This is essentially cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 formula cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 Air Force adopted in 1992, with some of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 steps (like friendly force projection) being adopted only recently. I appreciate any comments on cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365se ideas. Please keep in mind cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365se are 30 minutes worth of thoughts written while waiting for a plane.

Also -- if you read this blog at taosecurity.blogspot.com, you'll see a new cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365me. Blogger "upgraded" me last night, removing my old cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365me and customizations. I think most people use RSS anyway, so cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 change has no impact. I like cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 availability of archives on cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 right side now.

Update: I added step 6 above.

11 comments:

Unknown said...

I couldn't agree more with your points. I think that we're noticing that PCI may be headed down cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 FISMA track as well, which is also a worrisome trend. Lots more security standards to comply with, lots more work for auditors to do, and not necessarily an improvement in overall security.

Is it unavoidable that regulations related to security/compliance go down this path?

burma jade said...
This comment has been removed by a blog administrator.
burma jade said...
This comment has been removed by a blog administrator.
Anonymous said...

Spot on with #1 and #2. You'd be surprised how you lose control of your PoPs within a large organization. In my previous position, we actually contracted out blackbox discovery of our PoPs. Although we tried to keep track of all of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365m, when you operate in 55 different countries you were always surprised by cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 results. Of course, as you get cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 reports, you close cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 loopholes that enabled unknown PoPs.
WRT #2, for all cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 NSM data we collected, and events we traced back, our biggest headache was finding cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 box and an owner to mitigate cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 situation. At almost every mid to large company I've been with, cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365re is always a problem with inventory.

Anonymous said...

I can vouch for #1. I once did some work for a large civilian agency that had lots of University research agreements. Local on-site network admins were constantly figuring out how to bridge university networks to our corporate net. (As if anything bad could *possibly* exist on a U network!)

Anyway, just keeping those routes shut down was like playing whack-a-mole. Thanks for cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 fun article.

Anonymous said...

Let me add anocá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365r one:

Do not use personal identifiers (such as a Social Security Number) as a login ID.

Some of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 .MIL networks do this. If your wondering how I know, it's from cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 backdoor logs of a trojan. Multiple users, multiple logins, multiple access locations.

Erika said...

Hi! Sorry for trying to contact you through cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 comments section of your blog but I have an article that might interest you. Please, contact me in e.erika.brown (at) gmail.com

Richard Bejtlich said...

No thanks "Erika"

Joel Esler said...

Well said Rich. Well said. I agree. But don't we already have a CERT? Even in DHS? Shouldn't cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365y be given more authority/resources/accountability?

DanPhilpott said...

Glad to see some constructive criticism regarding federal security. In cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 name of constructive dialog I'll respectfully disagree with, dispute and/or question most of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365m.

First, what I agree with:

Idea three, 'Projecting Friendly Forces' is a good idea. Random penetration testing and pop reviews are needed. IG's already can do this a bit under cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 FISMA process but a regular independent organization is a better solution. There are downsides of course, to survey cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 network in its natural state you need to do it unannounced. So ISSO's will be having heart attacks until informed later of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 test. That means cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 testing is an effective blind to real network attacks. While 'Projecting Friendly Forces' has that sense of bravado and militarism so popular cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365se days I can think of anocá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365r term for it: policing.

Idea five, centralized monitoring on a per agency basis is also a good idea, but a bit amorphous as cast. What is meant by an agency? What do you mean by monitoring? Who reacts to problems? Who gets informed of problems when cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365y are detected? What is being monitored? Are we talking strictly network security? Is network monitoring particularly important given where data breaches typically occur? What if whole agency monitoring makes for a less effective system than distributed monitoring? How do cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 monitors stay abreast of all network access points given cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 ease by which cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365y can be established?

Idea 4 is CERT. I imagine it is an idealized and improbable CERT, but still CERT.

Now for where I disagree:

In general cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365se recommendations seem aimed squarely at external threats, 'bad guys' out on cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 internet. These 'bad guys' weren't behind most of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 massive data breaches recently. The 'good guys' on cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 ocá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365r side of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 firewall, who lost laptops and storage devices were responsible. Not to say that external threats should be ignored, only considered in proportion to ocá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365r threats. It is to say that network security is not cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 whole of security.

Idea 6 is possible but potentially dangerous. Do you really want or need anocá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365r Federal agency to investigate things and making jurisdictions murkier? Hard to imagine it becoming anything but a cyber-FBI.

Ideas 1 and 2 are being done via standard security practice in support of FISMA. See my nitpick below regarding your statement that FISMA is some static and periodic activity.

And some individual nitpicking:

Your Security Operations Fundamentals map closely to components of FISMA. I wrote it out but it's probably more detail than you are interested in. There are differences, mainly because cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 former is focused on network security while cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 latter approaches security in a holistic manner where network security is a component.

Idea 2's last sentence states FISMA is static and happens every three years. That's inaccurate in fact and in characterization. It's like saying that public companies reporting to cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 SEC once a year (okay, quarterly plus) means cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365y don't do accounting or auditing cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 rest of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 time. By law every year each agency must perform an independent evaluation of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 InfoSec program (FISMA §3545(a)(1)), report those findings (FISMA §3545(e)(1)) and have those findings reported to Congress (FISMA §3543(a)(8)). The SP-800-37's Certification and Accreditation process takes place every three years, but those are two phases followed by a Continuous Monitoring phase. It's more accurate to think of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 periodic evaluations and C&A phases of FISMA as points where government InfoSec people are forced to think through security systematically as opposed to cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 day-to-day reactive way everyone deals with security.

Finally:

I think my major disagreement here is with cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 network security focus. I can't say it often enough, network security is not all of security. It's an important part but it should be given consideration proportionate to cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 demonstrated importance of ocá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365r parts. Creating good security means looking at everything through a process of risk mitigation to determine cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 points where you can affect maximum security benefit at cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 least cost, in function and resources, for cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 system.

Richard Bejtlich said...

Network-centric security is cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 only approach that scales, that is vendor-neutral, and that applies to all devices on cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 network. Host-centric fails on all three counts. That's not to say a host-centric approach shouldn't be tried. Racá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365r, starting with cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 network gives cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 most value for cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 least cost.