RealSecurity

A Different Perspective of Information Security


Putting Your Chips on the Table

Making big security bets each time you buy technology

Hey, where did you buy that router? Do you know who made the components, wrote the drivers, or the embedded code that makes it tick? Or how about the chipset in that new server or smart meter? C'mon, be honest, you know squat. Well, no biggie, right? It's just a chip, some basic instructions to process a few bits through a pile of transistors. Sorry to burst your bubble, but the bad guys know better.

Tuesday - July 27, 2010 at 09:03 am

Posted in perspective



CyLab Report

Boards Losing Focus on Security

Carnegie Mellon University's CyLab, the largest university-based research and education center for computer security, in collaboration with author Jody Westby, a CyLab distinguished fellow and CEO of Global Cyber Risk, a security risk advisory company, produced a survey report titled, "Governance of Enterprise Security: CyLab 2010 Report" demonstrating enterprise boards are losing focus on security. I've read this report and wanted to provide additional perspective.

Wednesday - June 23, 2010 at 4:10 pm

Posted in perspective



China Syndrome

Chinese government digging a hole

I vividly recall the movie in 1979 about a nuclear power plant on the verge of self-annihilation that upon catastrophic failure would melt a hole to China. Of course, adding to the movie’s popularity was its ominous reflection of life as the Three Mile Island Nuclear Generating Station in Pennsylvania suffered a cooling system failure twelve days after the movie was released. Interestingly, the device that ultimately failed was called the “12 valves” that controlled coolant flow to the core. For reasons I cannot fully explain, every time I read another story about China hacking other countries, especially the US, I think about that movie and the fear that resonated with the public so deeply for decades. If China doesn’t change their policy on how they approach other nations concerning these attacks, it will dramatically change their future and undermine their potential.

Thursday - April 08, 2010 at 10:52 am

Posted in perspective



Misled by APT

It’s not them, it’s you

There is much hoopla concerning advanced persistent threats (APT) that has found a home in an industry abuzz with increasingly sophisticated hackers. APT is a new acronym and concept that is receiving enormous attention as if it was something completely fresh and enlightening, and it isn’t. I have come to the conclusion that it isn’t the threat that is necessarily changing, but rather our acceptance and acknowledgement of the change.

Tuesday - March 30, 2010 at 12:32 pm

Posted in perspective



Side Channel

Old problem, New environment

Today we have the reemergence of discussion concerning side channel attacks. Although the discussion is surfacing once again (with almost Cicada-like predictability), the topic has been the bane of security since communications left paper for the ether. The core issue is the ability for attackers/eavesdroppers to discern informative details of a communication channel that is presumably secure. It’s interesting to me that this problem still exists and I think few in the industry speak of it regularly – me included. It’s a huge security problem and the advent of the cloud will only make it much worse.

Monday - March 29, 2010 at 5:33 pm

Posted in perspective



US Government Fails Cyberattack Simulation

Well… sorta. I guess it depends on your perspective of a meaningful simulation

Before you unplug your computer, hop off the grid, and go buy that S&W M&P 15 you’ve been eyeing at the local gun store because you’re convinced the government couldn’t stop a thirteen year old with an iPhone, let’s look at this result a little deeper.

Tuesday - February 23, 2010 at 10:11 am

Posted in perspective



DIACAP for the Enterprise (Part 3 of 3)

Using Military Grade Security in Traditional Business

It is one thing to talk about securing a system, but quite another when determining how much and to what depth security should be applied. All too often we talk about securing something, but do not necessarily do so in a proactive manner based on a consistent model. Moreover, one that takes into consideration the entire system: not just the server, but the network, interactions with other systems, applications, and data stores. DIACAP is an evolutionary approach to certification and accreditation that sets common criteria of security that take into account the broad, interconnected nature of today’s technology infrastructures.

Tuesday - February 02, 2010 at 08:42 am

Posted in perspective



Years of Security Experience

What does security experience mean?

I consistently hear people say they’ve been in the security industry for 25 years or more and they’re in their late 30’s or early 40’s. I find many people encompass all things security into their experience, which on the surface seems to make sense, but I’m not sure it does, or at least worth further discussion. It can be argued that security is the second oldest profession, but that doesn’t mean what was done 20, 50, or 100 years ago is applicable today. However, how do we balance applicability with experience… the difference between knowledge and wisdom?

Thursday - January 28, 2010 at 3:01 pm

Posted in perspective



DIACAP for the Enterprise (Part 2 of 3)

Using Military Grade Security in Traditional Business

DIACAP is fundamentally a security governance model. It is a collection of processes, procedures, tools, methods, and trained people with specific roles and responsibilities targeted at managing the full security lifecycle of a system. Let’s take a high-level look at the DIACAP processes and how these can relate to the enterprise. DIACAP is founded on five activities, also known as phases.

Saturday - January 23, 2010 at 3:57 pm

Posted in perspective



DIACAP for the Enterprise (Part 1 of 3)

Using Military Grade Security in Traditional Business

This is a multipart series looking at how the Department of Defense Information Assurance Certification and Accreditation Process (DIACAP) can be valuable to traditional, private enterprise organizations. It’s not all that common to propose that an enterprise adopt government processes. However, within the context of security many organizations are performing some of these DIACAP activities organically, but not to the level of granularity in management found in the DoD, which I feel is a missed opportunity. My goal for this series is to introduce the basics of DIACAP and how enterprise organizations can greatly benefit from it.

Tuesday - December 22, 2009 at 12:14 pm

Posted in perspective



It’s All About the Data

To state the obvious

First up – sorry to my regular readers for the week or so without a recent post. I’ve directed much of my writing time towards my book, which is coming along nicely, but a huge undertaking nonetheless. The complexity of the topic has been challenging and time consuming. Now that’s out of the way… the security of data is arguably the root of security and no doubt one of the most difficult things to wrap your arms around.

Monday - December 14, 2009 at 09:06 am

Posted in perspective



Wetware vs. Software

What is best in the realm of application testing?

Since the advent of SATAN the question of tool versus whitehat has permeated the security industry. The question is founded on the effectiveness of a tool in finding system vulnerabilities when compared to what a human can do. How does all this play into application testing?

Friday - November 20, 2009 at 10:08 am

Posted in perspective



NSA and Windows 7

Good or bad? Irrelevant because you're probably missing the bigger picture

Earlier this week NSA’s Schaeffer stated in a meeting with Congress that the NSA collaborated with Microsoft in the development of Windows 7 by leveraging their “…unique expertise and operational knowledge of system threats and vulnerabilities…” As one would expect there are a number of mixed reactions in the security industry.

Thursday - November 19, 2009 at 11:04 am

Posted in perspective



Inside Social Engineering

Part 4 (of 4) – Pushing at the right points

Throughout parts 1, 2, and 3 we talked about threats, defined a test and artificial threats, and ultimately about ensuring alignment between threats and controls. Although these basic concepts are applicable to all types of security testing, it is social engineering that raises the most interesting interactions between threats, controls, testing, and the business. In this part we round out the topic by touching on when to push the edges of the test and when not to. Lastly, I’ll cover the value of a test to the business.

Wednesday - October 07, 2009 at 08:58 am

Posted in perspective



Inside Social Engineering

Part 3 (of 4) – Threats, Controls, and Social Engineering

In part 2, we dove into what a test is and the two basic approaches: identification and exploitation. From there we reviewed the artificial nature of a test and the inherent and imposed limitations that make it impossible to fully mimic a real threat. We ended by exposing that through business and security processes we’ve identified addressed threats (part 1), and that any misalignment between the test’s representation of a threat relative to a control designed for that threat will render the test meaningless. Within the context of social engineering this misalignment is very likely if the test is not orchestrated effectively. In this part, we will discuss why this is the case.

Monday - October 05, 2009 at 10:38 am

Posted in perspective