diarmf risk management of information security

diacap to diarmf: manage information security risk

Risk Management Framework is implemented throughout an organization.

NIST 800-39, Manage Information Security Risk, describes how to implement risk within t three layers (or tiers) of of an organization:

Tier 1: Organization level
Tier 2: Mission/Business Process level
Tier 3: Information System level

diarmf risk management of information security

Tier 1: Organization Level risk management
Tier one addresses security from the organizations perspective. The activities include the implementation of the first component of risk management, risk framing. Risk framing provides context of all the risk activities within an organization, which affects the risk activities of tier 1 & 2. The output of risk framing is Risk Management Strategy. In tier 1 the organization establishes and implements governance structure that are in compliance with laws, regulations and policies. Tier 1 activities include establishment of the Risk Executive Function, establishment of the risk management strategy and determination of the risk tolerance.

Tier 2: Mission/Business Process Level risk management

Tier 2 risk management activities include: 1) defining the mission/business processes to support the organization. 2) Prioritize the mission/business process with respect to the long term goals of the organization. 3) Define the type of information needed to successfully execute the mission/business processes, criticality/sensitivity of the information and the information flows both internal and external of the information.

Having a risk-aware process is an important part of tier 2. To be risk-aware senior leaders/executives need to know: 1) types of threat sources and threat events that could have an adverse affect the ability of the organizations 2) the potential adverse impacts on the organizational operations and assets, individuals, the Nation if confidentiality, integrity, availability is compromised 3) the organization�s resilience to such an attack that can be achieved with a given mission/business process

Tier 3: Information System risk management

From the information system perspective, tier 3 addresses the following tasks:
1) Categorization of the information system
2) Allocating the organizational security control
3) Selection, implementation, assessment, authorization, and ongoing

Chapter 3 focuses on the step to have a comprehensive risk management program. The tasks discussed include:
Risk Framing
Risk Assessing
Risk Response
Risk Monitoring

 

For more information go to: http://elamb.org/training-certification800-39-manage-information-security-risks/

 

gmail security

gmail security

gmail security

Gmail is one of my favorite email products.  Its free, its extremely good at collecting and organizing data (in-line with google’s vision of world information organization domination) and its so intuitive.

The gmail security features are kind of tucked away to bring the organization and search functions to the foreground.  But once you know where they are, its easy.

1. First, browse into your email and sign in.

 

2. Inside your email under your name, click privacy.

3. Under Account Privacy, hit Security and add alternate recovery email and mobile number.   This will allow gmail security to alert you of any suspicious activity such as someone attempting to access your account.

gmail security

gmail security

diacap diarmf

diacap to diarmf: intro

DIACAP to DIARMF: Intro

diacap diarmf

image of diacap to rmf

DoD Chief Information Officer (formerly Assistant Security Defense), in collaboration with the Department of the Navy CIO, has developed a DoDI 8500.2 to NIST SP 800-53 IA control mapping (2010). More DIACAP Knowledge Service.

DIACAP Knowledge Service

On the DIACAP Knowledge Service goto “C&A Transformation”. This page introduces some of the coming changes from Certification & Accreditation changes to the Risk Management Framework seen in NIST SP 800-37.

DIACAP has “Risk Management Framework Transformation Initiative” underway that provides information on use of NIST SP 800-53, NIST SP 800-37, CNSS Instruction 1253.

The site introduces changes being made to DoDD 8500.01, DoDI 8500.2, DoDI 8510.01 and other documents that will be aligned with NIST 800 and FISMA 2013. They will feature an attempt to keep up with new arising cyberthreats, vulnerabilites and security incidence using real-time, “continuous monitoring” technologies such as HP ArcSight, McAfee ESM, ePO, NSP, Retina, Nessuss and other near real-time active monitoring systems.

diacap to diarmf

road to diarmf

Why DIACAP to DIARMF?

Federal government has gotten more serious about security.  They realize that enterprise level security and process is a continuous and expensive business.  The old certification & accreditation process is not only long and expensive but so slow that it cannot keep up with the constant changes of information technology.

Risk based/cost effective security means creating security systems and policies that focus on “adequate security”.  The Executive Branch Office of Management and Budget (OMB) defines as adequate security, or security commensurate with risk, to include the magnitude of harm resulting from the unauthorized access, use, disclosure, disruption, modification, or destruction of information.  The feds are also attempting to make the process of implementing and evaluating security controls by creating as much paper-less automation as possible.

note IMHO: Since technology is changing at a rate of what Ray Kurzweil calls “accelerating returns” I think for governments and organizations stuck in “static policy” based systems there is no way they can ever keep up with information technology without revolutionary shift in thinking.  Google is probably the closest to understanding what is actually happening.  The best any of us can do is observe.

 Source documents for all U.S. Federal information security:

OMB A-130 – Management of Federal Information Resources

FISMA – Federal Information Security Management Act of 2002

Federal Information Security Management Act of 2002 (FISMA, 44 U.S.C. § 3541) enacted as Title III of the E-Government Act of 2002 (Public Law 107-347)

Required for all government agencies  to develop, document, and implement an agency-wide information security program to provide information security for the information and systems that support the operations and assets of the agency Applies to contractors and other sources.

The federal government has created various acts/laws to implement to changes to the C&A process to a more risk management approach and emphasize a risk-based policy for cost-effective security. These acts include (but are not limited to):

  •  Federal Information Security Management Act of 2002 (amended as of 2013 April)
  • The Paperwork Reduction Act of 1995
  • The Information Technology Management Reform Act of 1996 (Clinger-Cohen Act) supported by Office of Management and Budget (OMB) through Circular A-130, Appendix III, Security of Federal Automated Information Resources

 

who-created-manages-nist-800

Who Created/Manages NIST 800?

Who Creates and/or Manages the NIST 800?

This NIST 800 is a well thought out set of federal security standards that DoD and the Intel world is moving too.  It aligns with International Organization for Standardization (ISO) and International Electotechnical Commissions (IEC) 27001:2005,  Information Security Management System (ISMS).

who-created-manages-nist-800

who-created-manages-nist-800

NIST 800 is updated and revised by the following organizations:
Joint Task Force Transformation Initiative Interagency  (JTFTI) Working Group National Institute of Standards and Technology (NIST)
JTFTI is made up of from the Civil, Defense, and Intelligence Communities.  This working group reviews and updates the following documents

  •      NIST Special Publication 800-37, Revision 1 Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach
  •     NIST Special Publication 800-39, Enterprise-Wide Risk Management: Organization, Mission, and Information Systems View
  •     NIST Special Publication 800-53, Revision 3 Recommended Security Controls for Federal Information Systems and Organizations
  •     NIST Special Publication 800-53A, Revision 1 Guide for Assessing the Security Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans

These core documents are a standard on how to implement FISMA. The organization has done a good job of keeping NIST 800 inline with international standards of ISO 27001.  The JTFTI is made up of ODNI, DoD, CNSS.  This document is also publicly vetted.

Office of the Director of National Intelligence (ODNI)
The DNI is a position required by Intelligence Reform and Terrorism Prevention Act of 2004.  This office serves as adviser to the president, Homeland Security and National Security Counsil as well and director of National Intelligence.

Department of Defense (DoD)
DoD is composed of (but not limited to) the USAF, US Army, DON and Marines.  It is the most powerful military organization in recorded history.

Committee on National Security Systems (CNSS)
This committee was created to satisfy National Security Directive 42, “National Policy for the Security of National Security Telecommunications and Information Systems“,
the group has represtatives from NSA, CIA, FBI, DOD, DOJ, DIA and is focused on protecting the US crititcal infrastructure.

Sources: http://en.wikipedia.org/wiki/Committee_on_National_Security_Systems

Public (review and vetting) – the draft is posted online on NIST.gov

http://csrc.nist.gov/publications/PubsDrafts.html

 

sources:

FISMA JTFI

http://www.fismapedia.org/index.php?title=Joint_Task_Force_Transformation_Initiative

Scadahacker – mappings NIST to International

http://scadahacker.com/library/Documents/Standards/mappings/Mapping%20NIST%20800-53.pdf

 

ia awareness training

Information Assurance Awareness Training


NIST Special Publication 800-50, is a regulation dedicated to IA Awareness Training



NIST SP 800-5, Building an Information Technology Security Awareness & Training Program


The 800-50 includes guidance on development and sustainment of an awareness & training IT Security (aka information assurance training) program for all users, employees and supervisors within an organization. Having a training program is mandated by the Federal Information Security Act of 2002.

IA Awareness Training – Roles & Responsibilities

Agency heads – must ensure that high priority is given to effective security awareness and training for employees. Appoint a CIO
CIO Establish overall strategy, funding, tracking and report is in place for the IT security awareness and training program
IT Security Program Manager tactical deployment, development and maintenance of the IT security & awareness program.
Managers responsible for complying with IT security awareness program. Work with CIO and IT Security Program Managers to share responsibility. Ensure all users are trained to fulfill their security roles before access is giving. Promote professional development and certification of the IT staff.
Users largest audience in any organization and are the single most important group of people who can help to reduce unintentional errors.


800-50 calls learning a continuum. The continuum of learning starts awareness and builds into education.
Awareness awareness is not training. Awareness focuses on security concerns to ensure users are mindful of basic rules and issues in a given environment.


Awareness is not training. The purpose of awareness presentations is simply to focus attention on security. Awareness presentations are intended to allow individuals to recognize IT security concerns and respond accordingly. – 800-50

Training is a formal focused method to develop a skill for job performance.
Training strives to produce relevant and needed security skills and competencies 800-50


Education combines multidisciplinary areas into a common body of knowledge.



Education integrates all of the security skills and competencies of the various functional specialties into a common body of knowledge . . . and strives to produce IT security specialists and professionals capable of vision and pro-active response. –800-50

More GMAIL Problems

This was news I could not ignore because I really, really like Gmail. These hacks are ridiculous. I hope that google is getting a handle on this. It looks like the accounts are getting hacked with some sort of script that runs from a site or email while gmail is opened:

According to David Airey & gnucitizen.org:
The victim visits a page while being logged into GMail. Upon execution, the page performs a multipart/form-data POST to one of the GMail interfaces and injects a filter into the victim’s filter list. In the example above, the attacker writes a filter, which simply looks for emails with attachments and forward them to an email of their choice. This filter will automatically transfer all emails matching the rule. Keep in mind that future emails will be forwarded as well. The attack will remain present for as long as the victim has the filter within their filter list, even if the initial vulnerability, which was the cause of the injection, is fixed by Google.
gnucitizen

As many of you already know on November 2nd, MakeUseOf.com’s domain was stolen from us. It took us about 36 hours to get the domain back. As we have pointed out earlier the hacker somehow managed to get access to my Gmail account and from there to our GoDaddy account, unlock the domain and move it to another registrar.

You can see the whole story on our temporary blog makeuseof-temporary.blogspot.com/

I wasn’t planning to publish anything about the incident or cracker (person who steals domains) and how he managed to pull it off unless I was completely sure about it myself. I had a good feeling it was a Gmail security flaw but wanted to confirm it before posting anything about it on MakeUseOf. We love Gmail and giving them bad publicity is not something we would ever want to do.

Now the thing is the domain name domainsgames.org is protected by Moniker and they hide all the contact info for it.

Domain ID:D154519952-LROR
Domain Name:DOMAINSGAME.ORG
Created On:22-Oct-2008 07:35:56 UTC
Last Updated On:08-Nov-2008 12:11:53 UTC
Expiration Date:22-Oct-2009 07:35:56 UTC
Sponsoring Registrar:Moniker Online Services Inc. (R145-LROR)
Status:CLIENT DELETE PROHIBITED
Status:CLIENT TRANSFER PROHIBITED
Status:CLIENT UPDATE PROHIBITED
Status:TRANSFER PROHIBITED
Registrant ID:MONIKER1571241
.
.
.
.
Name Server:NS3.DOMAINSERVICE.COM
Name Server:NS2.DOMAINSERVICE.COM
Name Server:NS1.DOMAINSERVICE.COM
Name Server:NS4.DOMAINSERVICE.COM

More at Makeusof.com

The Google Fix

Forensics & Security of Memristor

2008 April: A new type of electronics has been created that will allow flash memory to retain system state data. In other words, you could be in the middle of typing a document, all the power could shut down and when you were able to get the system back up, you’d be exactly where you left off. This is not the same as some sort of application based data recovery that saves periodically to a temp file on the hard drive (such as MS Word document recovery) we are talking about your entire system’s state being instantly saved (remembered) by a memristor computer. So the memristor is more like the human brain. That also means your system could have an instant “light switch” type boot exactly where you left off.

Scientists Create First Memristor: Missing Fourth Electronic Circuit Element
For the former, Williams says scientists can now think about fabricating a new type of non-volatile random access memory (RAM) – or memory chips that don’t forget what power state they were in when a computer is shut off.

That’s the big problem with DRAM today, he says. “When you turn the power off on your PC, the DRAM forgets what was there. So the next time you turn the power on you’ve got to sit there and wait while all of this stuff that you need to run your computer is loaded into the DRAM from the hard disk.”

With non-volatile RAM, that process would be instantaneous and your PC would be in the same state as when you turned it off.

Scientists also envision building other types of circuits in which the memristor would be used as an analog device.

Indeed, Leon himself noted the similarity between his own predictions of the properties for a memristor and what was then known about synapses in the brain. One of his suggestions was that you could perhaps do some type of neuronal computing using memristors.

But this got me thinking, what does this mean for forensics? Won’t it be easier to know exactly what a criminal was up to before the cops busted his door down? How long does the data say in the memristor RAM? I’m certain there would be ways to erase the memristor RAM memory at intervals.. maybe even encrypt the memristor data. One might even be able to use normal RAM as a front end and the memoristor an optional back up. There might also be really cool (scary) spy equipment planted in your system or clamped easily to a bit of wire on your CAT5 LAN cable that would capture all packets.

How I got into Security

Martin McKeay over at the Network Security Blog asks “How did you get into Security?”  That is a good question.  Its something that I’ve been asked and what I like to ask others in the business.

Up until recently, I’ve done security my entire adult life very reluctantly.  I started off in the military as Security Policemen (now called security forces).  I was a security specialist and was groomed into law enforcement.  The description sounded like special forces.  And even though security forces do some pretty cool stuff its NOT usually doing anything even close to what combat controllers, pararescue, Force Recon, Navy Seals and Delta Force do.  Instead its like the Air Force version of infantry (when I was in we even trained with the Army infantry at Ft Dix).

I had about five years learning every aspect of physical security.  I later “cross trained” into communications expecting to do some hardcore technical stuff.  And I did, but while I wanted Routers I got the help desk and later pure security (firewalls, IDS, C&A packages, COMSEC, EMSEC) a little of everything.  My experience in the military made it easier for me to pass the CISSP which covers a little of everything.

These days I teach certification classes and do auditing, policies, consulting as well as certification and accreditations. 

Security+ Instructor: Communications Security domain

Today, I did my first certification lecture.

As I think about how many common public speaking mistakes I made out of nervousness, it makes me laugh. I repeated things like “um”, “and what not”, “that kind of stuff”. I studdered and stammered.

I did my best so I still feel good about what I did. It is actually volunteer work for the local ISSA chapter as well as a way to get “CPEs” or Continued Professional Education points toward my CISSP certification (have to get 120 in the course of 3 years).

It was actually a really good refresher course for me. I love helping people so it was a pleasure to put out some helpful material to fellow Information Security professionals, but I need to get better at public speaking.

Our local Information System Security Association Chapter here in the Springs puts on certification classes a few times a year for Comptia Security+ and the CISSP. I hope that they eventually drum up enough interest for certified ethical hacker course.

Training on Security+

I will be doing training on the Security+ for the ISSA-COS.  I'm
traing the Communcation Security portion of the test.  This is one
of my favorite sections. 

I told the ISSA guys I'd do it as long as I didn't have to train on Crypto which is one of my weaker subjects. 

I'm excited about the training because I feel like I will really be
able to help people ace this test.  Most security professionals
who have been IT for more than a couple of years won't have a problem
studying for it and passing it. 

It really is just basic technical information security
stuff.   There is also a lot of support on the Internet for
this test: practice tests, guidance on what to study, and
encouragement. 

Don't sweat this test.  Especially if you've studied.

1 2