Silver Tail Blog

Fighting against business logic abuse.

“60 Minutes” Video: Sabotaging the System

Several people have mentioned the 60 Minutes episode that aired last Sunday night.  I watched it and was fascinated by a lot of it.

First, it’s very rare that the government will talk about possible threats against its infrastructure.  To hear people talking about how you could manipulate the programming of a power generator to get it to self-destruct was much more information than I’m used to seeing on TV – especially prime-time.

Second, the discussion about how other governments have very likely already infiltrated our government’s systems was amazing.

I agree that all of this has very likely already happened, but I was surprised to see it discussed so openly.  I’m torn – is it a good thing to raise awareness about these types of issues?  Maybe.  I suppose it might help increase the funding around protection mechanisms, etc.  Is it better to not talk about it?  Maybe.  That means the attackers don’t know what we know and it also makes it more difficult for new attackers to identify these vulnerabilities.

My opinion is that these vulnerabilities and potential exploits need to be kept somewhat secret.  There is a select set of people who could help defuse the problem if they are “in the know”, but making it public is very risky.  I look at what happened around the Kaminsky vulnerability and, more recently, the SSL MitM hole.  For a while, these issues were kept very secret while a select set of organizations and individuals labored to resolve them.  Obviously, they didn’t stay totally secret.  But I think something along those lines is a better way to handle these threats than to expose them on TV.

In case you want to see what the government is talking about on TV, you can watch the 60 Minutes video here.

November 15, 2009 Posted by Laura Mather | Detection, Fraud, Investigation, information security

Making the 20 Controls for Effective Cyber Defense Approachable

SANS has published “Twenty Most Important Controls and Metrics for Effective Cyber Defense and Continuous FISMA Compliance”.  I must admit, I was pleasantly surprised by what was published.

My biggest concern prior to reading the draft was that since this document was supposed to be all-encompassing and was very likely “written by committee”, the guidance would end up being too complicated to understand, let alone implement.  I was wrong. 

The power in the document is that the recommendations are boiled down to 20 simple sentences.  Here they are:

Critical Controls Subject to Automated Measurement and Validation:

  1. Inventory of Authorized and Unauthorized Hardware
  2. Inventory of Authorized and Unauthorized Software
  3. Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
  4. Secure Configurations of Network Devices Such as Firewalls and Routers
  5. Boundary Defense
  6. Maintenance and Analysis of Complete Security Audit Logs
  7. Application Software Security
  8. Controlled Use of Administrative Privileges
  9. Controlled Access Based On Need to Know
  10. Continuous Vulnerability Testing and Remediation
  11. Dormant Account Monitoring and Control
  12. Anti-Malware Defenses
  13. Limitation and Control of Ports, Protocols and Services
  14. Wireless Device Control
  15. Data Leakage Protection

Additional Critical Controls (not directly supported by automated measurement and validation):

  16. Secure Network Engineering
  17. Red Team Exercises
  18. Incident Response Capability
  19. Data Recovery Capability
  20. Security Skills Assessment and Training to Fill Gaps

Of course, “Boundary Defense” is not as simple as those two words imply, and there are a multitude of details behind each one of these “controls”.  It definitely remains to be proven whether most organizations (government and industry) will be able to make sense of these directives.  But I applaud the authors for at least attempting to make the initial pass at the document unintimidating.

Security is a complex, acronym-laden practice that can be especially difficult for the uninitiated to approach, let alone tackle.  By keeping the initial steps of this directive relatively simple, the authors have taken the right approach: make people understand that the task can be accomplished when they first start.

And that’s another strength to the structure of the document.  Since it is presented as a webpage, when you get to the bottom, there are links to separate pages for each control.  As a CISO or CTO is working through the plan, they can look at one control at a time and determine how to move forward with it without being overwhelmed by the entire document.

This may be an advantage of the internet – we hide the complexity by making a 100-page book look like a 5-page website with a few links at the end.  If this helps people feel like the task at hand is attainable, that’s a good thing.

February 26, 2009 Posted by Laura Mather | Compliance, Data Loss, General, Prevention