Archive for August, 2013
diacap to diarmf: manage information security risk

Risk Management Framework is implemented throughout an organization.

NIST 800-39, Manage Information Security Risk, describes how to implement risk within t three layers (or tiers) of of an organization:

Tier 1: Organization level
Tier 2: Mission/Business Process level
Tier 3: Information System level

diarmf risk management of information security

Tier 1: Organization Level risk management
Tier one addresses security from the organizations perspective. The activities include the implementation of the first component of risk management, risk framing. Risk framing provides context of all the risk activities within an organization, which affects the risk activities of tier 1 & 2. The output of risk framing is Risk Management Strategy. In tier 1 the organization establishes and implements governance structure that are in compliance with laws, regulations and policies. Tier 1 activities include establishment of the Risk Executive Function, establishment of the risk management strategy and determination of the risk tolerance.

Tier 2: Mission/Business Process Level risk management

Tier 2 risk management activities include: 1) defining the mission/business processes to support the organization. 2) Prioritize the mission/business process with respect to the long term goals of the organization. 3) Define the type of information needed to successfully execute the mission/business processes, criticality/sensitivity of the information and the information flows both internal and external of the information.

Having a risk-aware process is an important part of tier 2. To be risk-aware senior leaders/executives need to know: 1) types of threat sources and threat events that could have an adverse affect the ability of the organizations 2) the potential adverse impacts on the organizational operations and assets, individuals, the Nation if confidentiality, integrity, availability is compromised 3) the organization�s resilience to such an attack that can be achieved with a given mission/business process

Tier 3: Information System risk management

From the information system perspective, tier 3 addresses the following tasks:
1) Categorization of the information system
2) Allocating the organizational security control
3) Selection, implementation, assessment, authorization, and ongoing

Chapter 3 focuses on the step to have a comprehensive risk management program. The tasks discussed include:
Risk Framing
Risk Assessing
Risk Response
Risk Monitoring

 

For more information go to: http://elamb.org/training-certification800-39-manage-information-security-risks/

 

DIACAP to DIARMF: Assessment Authorization

DIACAP to DIARMF: Assessment Authorization

With the move from certification and accreditation (C&A) to risk management framework, comes a few new terms.  “C&A” will be replaced with assessment and authorization.  Even though “information assurance (IA) controls” will be call “security controls”, the definition and work is still the same, but the hope is that its done continuously and more cost-effective.

 

Certification (NIST Assessment) – Comprehensive evaluation of an information system assessment of IA Controls/Security Controls to determine the extent to which the controls are implemented correctly and operating as intended. That means when evaluated, they produce the desired outcome.  An assessment is about gathering information to providing the factual basis for an authorizing official (Designated Accrediting Authority) to render a security accreditation decision

Accreditation (NIST Authorization) – Security accreditation is the official management decision to operate (DAA – Formal approval of the system). Authorization is given by a senior agency official (upper-management/higher head quarters/combat commander). The official should have the authority to oversee the budget and business operations of the information system explicitly accept the risk to operations, assets, individuals. They accept responsibility for the security of the system and are fully accountable for the security of the system.

The official management decision given by a senior organization“The official management decision given by a senior organizational official to authorize operation of an information system and to explicitly accept the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation based on the implementation of an agreed-upon set of security controls.”

– NIST SP 800-37 rev 1

March 14, 2014, UPDATE RMF – DoD IT:

DIARMF will be known as Risk Management Framework for DoD IT.

 

gmail security

gmail security

Gmail is one of my favorite email products.  Its free, its extremely good at collecting and organizing data (in-line with google’s vision of world information organization domination) and its so intuitive.

The gmail security features are kind of tucked away to bring the organization and search functions to the foreground.  But once you know where they are, its easy.

1. First, browse into your email and sign in.

 

2. Inside your email under your name, click privacy.

3. Under Account Privacy, hit Security and add alternate recovery email and mobile number.   This will allow gmail security to alert you of any suspicious activity such as someone attempting to access your account.

gmail security

gmail security

diacap to diarmf: intro

DIACAP to DIARMF: Intro

diacap diarmf

image of diacap to rmf

DoD Chief Information Officer (formerly Assistant Security Defense), in collaboration with the Department of the Navy CIO, has developed a DoDI 8500.2 to NIST SP 800-53 IA control mapping (2010). More DIACAP Knowledge Service.

DIACAP Knowledge Service

On the DIACAP Knowledge Service goto “C&A Transformation”. This page introduces some of the coming changes from Certification & Accreditation changes to the Risk Management Framework seen in NIST SP 800-37.

DIACAP has “Risk Management Framework Transformation Initiative” underway that provides information on use of NIST SP 800-53, NIST SP 800-37, CNSS Instruction 1253.

The site introduces changes being made to DoDD 8500.01, DoDI 8500.2, DoDI 8510.01 and other documents that will be aligned with NIST 800 and FISMA 2013. They will feature an attempt to keep up with new arising cyberthreats, vulnerabilites and security incidence using real-time, “continuous monitoring” technologies such as HP ArcSight, McAfee ESM, ePO, NSP, Retina, Nessuss and other near real-time active monitoring systems.

diacap to diarmf

road to diarmf

Why DIACAP to DIARMF?

Federal government has gotten more serious about security.  They realize that enterprise level security and process is a continuous and expensive business.  The old certification & accreditation process is not only long and expensive but so slow that it cannot keep up with the constant changes of information technology.

Risk based/cost effective security means creating security systems and policies that focus on “adequate security”.  The Executive Branch Office of Management and Budget (OMB) defines as adequate security, or security commensurate with risk, to include the magnitude of harm resulting from the unauthorized access, use, disclosure, disruption, modification, or destruction of information.  The feds are also attempting to make the process of implementing and evaluating security controls by creating as much paper-less automation as possible.

note IMHO: Since technology is changing at a rate of what Ray Kurzweil calls “accelerating returns” I think for governments and organizations stuck in “static policy” based systems there is no way they can ever keep up with information technology without revolutionary shift in thinking.  Google is probably the closest to understanding what is actually happening.  The best any of us can do is observe.

 Source documents for all U.S. Federal information security:

OMB A-130 – Management of Federal Information Resources

FISMA – Federal Information Security Management Act of 2002

Federal Information Security Management Act of 2002 (FISMA, 44 U.S.C. § 3541) enacted as Title III of the E-Government Act of 2002 (Public Law 107-347)

Required for all government agencies  to develop, document, and implement an agency-wide information security program to provide information security for the information and systems that support the operations and assets of the agency Applies to contractors and other sources.

The federal government has created various acts/laws to implement to changes to the C&A process to a more risk management approach and emphasize a risk-based policy for cost-effective security. These acts include (but are not limited to):

  •  Federal Information Security Management Act of 2002 (amended as of 2013 April)
  • The Paperwork Reduction Act of 1995
  • The Information Technology Management Reform Act of 1996 (Clinger-Cohen Act) supported by Office of Management and Budget (OMB) through Circular A-130, Appendix III, Security of Federal Automated Information Resources

 

Who Created/Manages NIST 800?

Who Creates and/or Manages the NIST 800?

This NIST 800 is a well thought out set of federal security standards that DoD and the Intel world is moving too.  It aligns with International Organization for Standardization (ISO) and International Electotechnical Commissions (IEC) 27001:2005,  Information Security Management System (ISMS).

who-created-manages-nist-800

who-created-manages-nist-800

NIST 800 is updated and revised by the following organizations:
Joint Task Force Transformation Initiative Interagency  (JTFTI) Working Group National Institute of Standards and Technology (NIST)
JTFTI is made up of from the Civil, Defense, and Intelligence Communities.  This working group reviews and updates the following documents

  •      NIST Special Publication 800-37, Revision 1 Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach
  •     NIST Special Publication 800-39, Enterprise-Wide Risk Management: Organization, Mission, and Information Systems View
  •     NIST Special Publication 800-53, Revision 3 Recommended Security Controls for Federal Information Systems and Organizations
  •     NIST Special Publication 800-53A, Revision 1 Guide for Assessing the Security Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans

These core documents are a standard on how to implement FISMA. The organization has done a good job of keeping NIST 800 inline with international standards of ISO 27001.  The JTFTI is made up of ODNI, DoD, CNSS.  This document is also publicly vetted.

Office of the Director of National Intelligence (ODNI)
The DNI is a position required by Intelligence Reform and Terrorism Prevention Act of 2004.  This office serves as adviser to the president, Homeland Security and National Security Counsil as well and director of National Intelligence.

Department of Defense (DoD)
DoD is composed of (but not limited to) the USAF, US Army, DON and Marines.  It is the most powerful military organization in recorded history.

Committee on National Security Systems (CNSS)
This committee was created to satisfy National Security Directive 42, “National Policy for the Security of National Security Telecommunications and Information Systems“,
the group has represtatives from NSA, CIA, FBI, DOD, DOJ, DIA and is focused on protecting the US crititcal infrastructure.

Sources: http://en.wikipedia.org/wiki/Committee_on_National_Security_Systems

Public (review and vetting) – the draft is posted online on NIST.gov

http://csrc.nist.gov/publications/PubsDrafts.html

 

sources:

FISMA JTFI

http://www.fismapedia.org/index.php?title=Joint_Task_Force_Transformation_Initiative

Scadahacker – mappings NIST to International

http://scadahacker.com/library/Documents/Standards/mappings/Mapping%20NIST%20800-53.pdf

 

diacap to diarmf: C&A vs RMF

DIACAP is transitioning from a Certification and Accreditation to a Risk Management Framework.  Most of the new Risk Manager Framework is in the NIST Special Publication 800-37.  The old NIST SP 800-37 was also based on Certification and Accreditation.  After FISMA 2002, it adjusted to a Risk Management Framework in NIST SP 800-37 Rev 1, Guide for Applying the Risk Management Framework to Federal Information Systems.

diacap-to-diarmf-ca-vs-rmf

diacap-to-diarmf-ca-vs-rmf

NIST SP 800-37 to SP 800-37 rev 1 transformed from a Certification and Accreditation (C&A) process into the six-step Risk Management Framework (RMF).  The changes included:

  1. Revised process emphasizes
  2. Building information security capabilities into federal information systems through the application of state-of-the-practice management, operational, and technical security controls
  3. Maintaining awareness of the security state of information systems on an ongoing basis though enhanced monitoring processes
  4. Providing essential information to senior leaders to facilitate decisions regarding the acceptance of risk to organizational operations and assets, individuals, other organizations, and the Nation arising from the operation and use of information systems
diacap to diarmf: FISMA 2013

The Federal Information Security Amendments Act, H.R. 1163, Amends the Federal Information Security Management Act of 2002 (FISMA).

Main Points of FISMA 2002:

  • Cost-effectively reduce information technology security risks
  • Vulnerability Database  System
  • Maintain an inventory of major information systems
  • Security Categorization of Federal IS by risk levels
  • Minimum security requirements
  • System Security planning process
  • Annual review of assigned IS compliance
  • Risk Management

 

The amendment has a few big changes to the previous 2002 version that will affect federal agencies.  But two main ones the stood out for me is the emphasis on automation and the CISO position.

The FISMA Amendment was passed by the House of Representatives (4 April 2013) but must still pass the Senate and be signed into law by the President.

 

1 – Continuous monitoring / automation of Everything -FISMA 2013, requires continuous monitoring (automation) and regular cyberthreat assessments for better oversight to federal organizations.

Security Incidents –  Security incidents are automatically detected with tools like McAfee Network Security Platform (IPS), Source Fire SNORT (IDS), McAfee ePO and Cisco IDS.  With the right people to manage the signatures and the configuration, theses are great products.  Once they are detected you can then do incident handling with something like Remedy.  FISMA 2013: “with a frequency sufficient to support risk-based security decisions, automated and continuous monitoring, when possible, for detecting, reporting, and responding to security incidents, consistent with standards and guidelines issued by the National Institute of Standards and Technology”

Information Systems Security – Vulnerability scanners such as Retina and Tenable’s Nessuss are great with automatically detecting security controls and policies within an agency.  Change Auditor and other tools can detect changes the GPO’s within a domain.  FISMA 2013: “with a frequency sufficient to support risk-based security decisions, automated and continuous monitoring, when possible, for testing and evaluation of the effectiveness and compliance of information security policies, procedures, and practices, including…” Security controls

Risk Level & Impact of Harm – McAfee ESM and ArcSight are good and pulling in the data from security tools that detect security events, evaluating the risk level and giving an measurement of the possible harm of and asset.  FISMA 2013: “automated and continuous monitoring, when possible, of the risk and magnitude of the harm that could result from the disruption or unauthorized access, use, disclosure, modification, or destruction of information and information systems that support the operations and assets of the agency;

Detection/Correlation – this one could be grouped in with Security Incident, but Security Incident gets more into incident handling.  Also, ArcSight, McAfee, LogRythm, LogLogic, AlienVault and other Security Incident Event Managers do Correlation automatically.  FISMA 2013: “efficiently detect, correlate, respond to, contain, mitigate, and remediate incidents that impair the adequate security of the information systems of more than one agency. To the extent practicable, the capability shall be continuous and technically automated.”

2 – CISO positions and responsibilities backed by Law – The amendment requires each department head to be held accountable for IT.  In DoD Information Assurance Risk Management Framework (DIARMF) this department director is known as the Authorizing Official (aka Designated Authorizing Authority in DIACAP).  FISMA 2013 require the AO to have an Chief Information Security Officer.  This is a position that is already assigned under Risk Management Framework.  The DoD has referred to this position as Senior Information Assurance Officer in DIACAP.  Under FISMA 2013, CISO/SIAO must have must have qualifications to implement agency-wide security programs for which they are responsible
and report directly to the AO.

The CISCO/SIAO will also have responsibility of Automated Security systems.  The CISO will be responsible for development, maintaining and overseeing these automated systems.

FISMA 2013 is targeted to minimize the risk of cyberattacks by conducting pentesting.

Overall, they made automation a requirement, which is the direction the field of information security has already been following and put some more emphasis on the CISO.  The amendments highlight the changes from DIACAP to DIARMF as many of the changes are already in the NIST 800 series that DIARMF is based on.

source:
http://beta.congress.gov/bill/113th/house-bill/1163/text

Create User: Windows 7

Create Users on Windows 7 in a few easy steps.

Creating separate user accounts is important to the security and privacy of your personal computer.  Once you create another user you should also password protect each account and disable the guest account if you are not using it.

1. Click Start then go to Control Panel.

 

2. Under Control Panel, click User Accounts and Family Safety.

create user Win7

Windows 7 – Create User

(Must be Administrator)

3. In User Accounts, hit Add or Remove user accounts.

Create User Windows 7

Create Windows 7 User

4. Below the list of the User accounts. Hit create new accounts to add a new account.

Make sure you create a password as well.

create User Windows 7

create User Windows 7

Select what type of account you want it to be:  Standard or Administrator.  Remember that a standard user is much safer.  And its perfect if you are making an account that does not require installations and modifications to the operating system.  Standard user account is great for  friends and family.  Be stingy with the administrator account because its susceptible to viruses and misconfigurations.  Only the owner of the system should have an Administrator account.

 

Approved System

Information Assurance is based on obtaining a high level of confidence on information’s confidentiality, integrity, and availability.  Some organizations that deal with “critical information”.  Critical information included things like banking transactions, classified data, information that is evidence in an ongoing investigation.  Companies, unions and government that handle this kind of information usually have a lot of exposure because they are handling public data, share holder data, employee data and are doing a lot of translation across the un-trusted networks such as the Internet.  With critical information and high exposure these organizations MUST have “approved processes” for vetting, testing and validating “approved software” and “approved systems”.

For example, in the Department of Defense there are many lists that have approved software.  These lists are per command within larger organizations.  One over arching process/list is the Common Criteria:

Common Criteria is an international standard for validating technical security built in to security feature of information systems.  The international standard is known as ISO/IEC 15408.

This standard is used by many large organizations all over the world that serve the public:

www.commoncriteriaportal.org

www.commoncriteria.com

Each organization has there own specific security needs so most of the time they have many levels of application approval and process:

NSA / DOD / US Gov – www.niap-ccevs.org – National Information Assurance Partnership (NIAP) uses Common Criteria Evaluation and Validation Scheme (CCEVS) to ensure that only approved Information Assurance (IA)  and IA-Enabled Information Technology (IT) products are used

Canadian Trusted Computer Product Evaluation Criteria
UK – www.cesg.gov.uk/servicecatalogue/ccitsec‎

Commercial organizations that want their products used by organization processing and storing critical information must submit to common criteria as well:

Apple – https://ssl.apple.com/support/security/commoncriteria/

Microsoft – www.microsoft.com/en-us/sqlserver/common-criteria.aspx‎

xeroxCommon Criteria

Citrix – www.citrix.com/support/security-compliance/common-criteria.html‎

CiscoCisco Common Criteria 
Emc – EMC – Common Criteria

Organizational units also have their own criteria for approved applications and systems:

US ArmyArmy Chess

US Air ForceAF E/APL – Certified Air Force Evaluated Approved Product List

 

 

8 Tips Protect Privacy

8 Tips to Protect Privacy: from those using your computer or account

2013 has been a big year for privacy issues.  There is a lot of talk about the government’s spying on citizens and usurping certain civil liberties.  While this is definitely a concern regardless of what country/state you live in, a more immediate threat to your personal privacy are the people actually using your computer and or accounts.  Friends, family and co-workers that are using the same computer you are using, for example, can do more damage just from seeing something they are not supposed to see.  At the very least, it can just be embarrassing.

Whether they are just borrowing your system and you trust them is not the point.  TRUST is not the point.  Access is the main concern.  After all they may ACCIDENTALLY see something they are not meant to see.  Or a trusted friend might allow someone ELSE that you Do NOT trust to use your system.  So it is really not a matter of TRUST but ACCESS.  If its easy to access the data then you must assume that they already have or will access, copy, modify this important private data.  If you value your data and if you are security minded then you must control access.

Here are 8 tips to protect privacy of personal data.  

privacy tips

courtesy of cubicle chick – privacy tips

1. Create multiple password protected accounts 

Your local system should have multiple accounts even if you are sure no one else will log-in directly to the system.  Multiple accounts allow you to have separate roles.  An administrator role to install, upgrade and configure and a normal account for surfing the web, creating documents and doing day to day stuff.  You should not surf the web with your administrator account.  Each account should be password protected.  If you surf the web with an admin account you risk your system being compromised by malware that will run as the admin account you are using.

 –> Create Users 

2. Delete Browser History & Cache

Why delete you browsers cache and history?  And how can deleting that info protect privacy?  Your browser track all your browsing activity by default.  So, if for example, your mom or dad jumps on your computer (and your computer is wide open with no accounts or passwords).  They use YOUR account and YOUR computer to quickly search information about “dictionaries”  As your mom/dad types “Di “ and the word “dick” auto-completes and is something you previously typed.  An innocent search can reveal all the places you have gone if you don’t regularly clear the history and cache from all browsers.

 

3. Lock Mobile Device

As of 2013, cell phones, tablets, smartphones and some laptop are the biggest gapping whole in protecting privacy.  Mainly because its fairly new to many people.

If you have a mobile device, chances are high that they have a direct access into your email account.  You must put a automatic lock on your phone so that if you are away from your phone for more than a few minutes.  Or if you lose your mobile device at least whoever finds it won’t have access to all your emails and online accounts.

 4. Use Separate Emails for Separate Uses

To minimize the risk of professional life leaking into personal life (and vice-versa), use separate email accounts for work and home life.  Especially if the email is tied to a social network.  If you have a business, you should keep its email traffic separate as well.  This keep contacts separate, social network posts and the professional and personal life in their own lanes.

5. Encrypt or Delete Files You don’t want Others to See

protect privacy

congress weiner privacy ?

If you have nude photos of yourself its really none of anyone’s business but those you wish to share it with.  Do you have nudes of your significant other? Do you have a drunken video of your BFF’s birthday party?  You should put them in a folder that only you know about and encrypt them.  Better yet, keep them off your computer and encrypted on removable media (thumb drive, CDROM etc).  DO NOT send half nude selfies, titty pictures, nudes or ANYTHING like that over the Internet especially if you have a high profile job.  You really cannot trust anyone to protect your data.  No one cares more about your privacy than you.  If you don’t mind others, your kids, your parents and coworkers seeing your amazing body, then its fine.  Case in point, NY-Congressman Weiner sent very personal pictures of himself to twitter under a different name.  Unfortunately, his opponents found out and used it to get him publicly shamed.  He eventually had to resign as  congressman.   It’s best not to send pictures or sexually explicit text out to anyone.

6. Password protection

Don’t give out your password.  Use strong password (at least 8 characters, UPPER/lowercase, special characters, numbers all mixed in).  Change you passwords immediately if you feel it has been compromised.  Don’t use the same password for every account.

7. Log off

You may need to log-in to your social media website or email from a public or work computer that others will need to use.  You must get in the habit of logging off.  If you can, set up the account to automatically lock or log out.

8. Auditing Your Accounts

privacy audit logs

picture of logs from a computer important in privacy courtest  terminal services log.smartcode.com

Social network accounts allow you to audit the account and send you a message if someone attempts to access your account from a different location or if they              mis-authenticated over and over.  You need to know when someone is attempting to access your personal information.