I've moved my blog to a new location. If you want to learn the latest in the human issues of information security, including building an effective security awareness program, please visit me at the URL below.
09 May, 2010
01 January, 2008
In the coming weeks I'll share with you my thoughts and experiences with these tools.
Posted by Lance Spitzner at 11:51
15 December, 2007
- First, I really think the organizations that can adapt most easily to Cybewarfare are intelligence organizations. Cyberwarfare is about information, intelligence is about information. If you want to take out a computer, you have to know things about that computer. If you want to infiltrate networks, you have to know things about the network. If you want to steal or modify data, you have to know things about that data. This is going to be hard for combat arms folks to deal with, for example people who fight on tanks or from jet fighters. Those folks are taught to blow things up as fast as possible and as violently as possible. See target, destroy target. In the cyber world there is often nothing to blow up. In fact, when you have achieved your goal and you have successfully attacked your target, you often don't want the enemy to know it. Also, in combat arms you are trained that their is a definite beginning and definite end, which brings me to my second point.
- Just like in intelligence, in Cyberwarfare there is no beginning or end, just levels of intensity. We are already fighting a global Cyberwar. Its not officially declared, there are no official sides, but its already happening and will continue to happen. There may be times when conventional warfare is fought along with it, but Cyberwar is here and now. In fact, many people today view Cyberwarfare as supporting conventional war, but I feel in the future it may be the other way around, conventional weapons will be supporting Cyberwarfare.
- Last, I really think things are going to get messier. There have already been several well written articles about the ‘asymmetric’ approach of Cyberwarfare. How one side can attack and there is nothing for the defender to strike back at. There have also been discussions on how Cyberwarfare is the great equalizer. What value are having 12 aircraft carrier groups when someone with a 128Kbps connection to the Internet can theoretically shut those systems down, or the systems supporting the carrier groups. As I said, I think things are going to get worse. Historically there has been one thing constant in warfare since the dawn of time, mercenaries. Soldiers for hire to the highest bidder. Now a third world country can theoretically take out a first world country, not because they have the weapons or expertise, but simply because they happen to have a big bank account at that time and can hire some talent to do the job. The talent for hire is already out there, the underground cyber/criminal economy. The question is, what nations are now taping into that talent not from crime, but to get the jump ahead in Cyberwarefare. Think about it, what better way to hide your Cyberwarfare/intelligence attacks then make it look like common cyber crime.
Posted by Lance Spitzner at 21:22
12 December, 2007
- What happens with this method when your new security program mitigates incidents you never detected in the first place? For example, lets say you counted 400 incidents in your organization last year, but there were really 500. When you implemented your new security measures your incidents drop to zero. Your delta is off by 100 incidents. I'm nit picking here, but your security program actually has far greater ROI. The reason I'm concerned about this is because a good security program mitigates threats/vulnerabilities you did not know about.
- However, what I'm even more concerned about is good security includes good detection. Now, what happens if you start with 400 incidents, then implement security controls which includes good detection. Now all of the sudden you are detecting many more incidents you never would have detected before. Even though the total incidents could have gone down, because of your improved detection capabilities management perceives they have gone up.
I commend Intel for what appears to be a great start. However, I just can't believe ROSI is as simple as counting incidents and measuring deltas. Just look at TJX, all they have had is just one security incident in the past 3 years (that we know about).
Posted by Lance Spitzner at 14:23
03 December, 2007
1. First, they break metrics down into 3 different categories. This is something I never thought of, there are big differences between areas that can be measured. These are identified on page 15 as follows:
- IMPLEMENTATION: This is the one that I see most commonly used, but I feel has the least value. It tracks how much as been done. For example, how many accounts have a unique identity tied to it, how many desktop computers have been configured to a security standard, or how many end users have received security awareness training.
- EFFECTIVENESS: Now this is where the rubber meets the road and things get harder. How do you demonstrate the effectiveness of your security? This is what interests me the most also, what can I do to improve?
- IMPACT: For a NIST document, I was impressed to see this metric definition. It is the attempt to measure the impact to your business, your ROI. As discussed on various other blogs and publications, this is easily the hardest thing to measure. In fact, it is often argued if security can even be considered ROI, or is it simply loss prevention.
2. The second thing I liked were the examples in the appendix. If SP800-80 only broke down metrics into three categories, I would not have been overly impressed. Where the magic happens is they have examples of these metrics in the 18 different control domains identified in SP800-55 (IS0 27001/AnnexA has 11 such control domains). In addition, what I found very helpful was each security domain not only has metrics, but the overall strategic goal and information security goal of the controls.
All in all, I found this to be one of the most helpful SP800 documents I have read so far for ISMS approach. Even though its FISMA specific (as all SP800 documents are) it can apply to other models as well. However, if you are short on time I suggest skipping all the noise and going straight to the appendix on page 22 where the examples are. That is the true value of this document.
Posted by Lance Spitzner at 11:15
28 November, 2007
Readability: First, how easy is it to read and understand the overall documentation and model? ISO 27000 wins this hands down. First, its ordered in a relatively easy to understand fashion. You start with 27001 which is the overall plan (called an ISMS). You then move onto ISO 27002 which gets a bit more detailed (controls, but at a high level). You then have several other 2700X documents to help you (such as with risk assessments). These have not been officially approved yet by ISO. FISMA unfortunately is much more haphazard. NIST has just published SP800-39 to help give an overview, but then you also need to read FIPS-199 and FIPS-200. There are also various other SP800 documents you can read to help get things started. The other problem is how they are written. I'm sure the fine folks at NIST meant well, but their documentation is written in painful government/academic speak, something I've never worked well with. ISO 27000 in comparison is written from a business perspective, much simpler and cleaner. ISO 27000 wins here hands down.
Availability: Okay, this is where NIST shines. Everything is organized by one organization, at one location, and its all for free! ISO 27000 on the other hand, while developed and approved by ISO, is not for free. Each ISO document costs several hundred dollars and can be purchased at various locations (I find the ANSI site to be the cheapest, its in American dollars :). NIST wins this one.
Strategic: This is where I really like ISO 27000. ISO 27001 focuses on how you will manage your strategic security plan (Plan, Do, Act, Check), ISO 27002 is your strategic plan. The NIST documentation simply jumps right in and has you start with IMPACT assessments on your information and information systems. They call it their Risk Management Framework, but its not. There is no analysis of risk, only impact. There doesn't seem to be any real high level plan, strategic goals, organizational reviews, etc. Its confusing and too tactical focused. Its also highly structured, its almost as if the authors do not trust the security professionals involved. ISO 27000 gives much more trust and flexibility. ISO 27000 wins this one.
Tactical: This is where I think NIST shines. While I'm not impressed by its strategic approach, it has a wealth of tactical knowledge. There are numerous SP800 documents (almost a hundred) that focus on just the technical details and recommended controls, such as mobile forensics, intrusion detection systems, or wireless. These standards can greatly help organizations. Also, NIST is just now kicking off their checklist series of documentation. The US government is moving to standardized, secure builds. While the concept of standardize builds is not new, what makes this VERY exciting is the US government is forcing all vendors to support these builds. You want the US government to buy your software, you have to support secured systems. This has already been done for WinXP and Vista and takes effect early next year. NIST wins here.
So, overall which is better? Neither. My preference is use ISO 27000 model for a strategic approach. However, once you get into the details the SP800 series can help. However I suggest staying away from SP800-39, FIPS-200, FIPS-199 I really think that their strategic approach is taking people down the wrong path. I'm interested in your input. Let me know if you agree or disagree with this assessment, and if so why. What is your preferred model or strategic approach to information security?
Posted by Lance Spitzner at 07:53
27 November, 2007
Posted by Lance Spitzner at 17:51