CNSSI 12-53: New Security Control Catalog for National Security Systems
July 2, 2009
New DIACAP Certification & Accreditation IA Controls
The DoD has had the same IA controls since DoD 8510.1-M, Department of Defense Information Technology System Certification & Accreditation Process (DITSCAP), July 31, 2000 – they were developed late last century.
The DoD has a total of 157 IA controls spread across 8 subject areas in 4 classes:
DC – Security Design & Configuration
IA – Identification and Authentication
EC – Enclave & Computing
EB – Enclave Boundary Defense
PE – Physical & Environmental
PR – Personnel
CO – Continuity
VI – Vulnerability
There is a huge change coming in certification & accreditation for the DoD. The IA controls are being expanded and changed. The last two DIACAP classes I’ve been to mentioned that there is a big change coming. Essentially, all the IA Controls (security controls, safeguards, countermeasures, whatever your organization is calling them) are getting expanded. All federal organizations will have security controls that look more like what is in the National Institute of Standards and Technology Special Publication 800-53. This is all being placed in the Committee on National Security Systems Instruction (CNSSI) 1253. As of 25 June 2009, the CNSSI 1253 is still in draft.
The draft has 17 families & identifiers in three security control classes.
TABLE 1: SECURITY CONTROL CLASSES, FAMILIES, AND IDENTIFIERS

IDENTIFIER  FAMILY                                                 CLASS
AC          Access Control                                         Technical
AT          Awareness and Training                                 Operational
AU          Audit and Accountability                               Technical
CA          Certification, Accreditation, and Security Assessments Management
CM          Configuration Management                               Operational
CP          Contingency Planning                                   Operational
IA          Identification and Authentication                      Technical
IR          Incident Response                                      Operational
MA          Maintenance                                            Operational
MP          Media Protection                                       Operational
PE          Physical and Environmental Protection                  Operational
PL          Planning                                               Management
PS          Personnel Security                                     Operational
RA          Risk Assessment                                        Management
SA          System and Services Acquisition                        Management
SC          System and Communications Protection                   Technical
The CNSSI has about 500 controls with pretty good granularity.
One of the really cool things about 1253 is the security control mapping. It’s a table that matches up 800-53, DCID 6/3 and DoDI 8500.2.
DIACAP Essentials + IA Control Validation Training (part 4): DIACAP/AFCAP Day 4 & 5
July 2, 2009
Days 4 & 5 bring the DIACAP/AFCAP Essentials class to a close. The biggest things I learned were: CNSSI 4009 is the official glossary of DoD IA, there is a big difference between theory, policy and practice, Agents of the Certifying Authority (ACA) are official validators, and there is a difference between acquisition mission criticality and IA MAC levels.
Stuff I learned from people in the class:
- AFCA is changing its name (to what?)
- DoD is going to put the new IA controls in CNSSI 1253 (currently in draft)
- a lot of what I need in there is in NIST 800-53
- Marines use something called Exacta
- Site called securitycritics.org
- 33-202 is now completely irrelevant and obsolete (not even mentioned ONCE in the class)
- 800-30
- Feds call Certification & Accreditation (C&A) “Security authorization”
- NIST SP 800-37
Day 4:
- Validator Activities & Issue Accreditation Decision
- Prepare POA&M
- Validate Results/Scorecard
- Scorecard
- Make certification determination
- CA/DAA Package review
Day 5:
Validation procedures were discussed. On day five, we looked at how the validators look at a system. I thought it was interesting. It should help me get through the EITDR/DIACAP process more easily.
- Maintain Situational Awareness
- Maintain IA Posture
- Conduct Review
- Re-Accreditation
- Retire system
DIACAP Essentials + IA Control Validation Training (part 4): DIACAP/AFCAP Day3
July 2, 2009
Day 3 heats up a little. We start talking about what it takes to actually get validated. The DIACAP Implementers Guide and the DIACAP Validators Guide are opened up and reviewed. I think we all learned a little something during this discussion because there have been some challenges with this. Unfortunately, we don’t get too far into the validator stuff.
Day 3:
- DIACAP Structure
- Terminology Review
- Assemble DIACAP Team
- Registered System/System Information Profile
- Assign IA Controls
- Initiate DIACAP Implementation Plan
Unable to create directory-parent directory writable? wordpress 2.7
June 28, 2009
I was having trouble uploading images on one of my WordPress 2.7 & 2.8 blogs. It gave me the following error:
Unable to create directory /home/username/server/wp-content/uploads/20XX/MM/ Is it parent directory writable by the server?
After a long time searching I found this solution from http://www.cyriac.me:
Step 1: Log into your admin panel
Step 2: Go to Settings>>Miscellaneous
You will see two options,
Store uploads in this folder
Full URL path to files
Most probably you will see /home/.boogee/XXXXX/XXXXXXX/wp-content/uploads in the first field.
Step 3: Edit that to just
wp-contents/uploads
Some people were suggesting that you solve the problem by making the folder’s permissions 777, meaning anyone can do anything to that particular folder. As a security guy, I knew this was a bad idea (and it also did work for me). I kept searching and ran into that solution.
Worked like a charm! Thanks cyriac for putting the solution on the blog.
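The point above is that chmod 777 "fixes" the upload error by making the directory writable by every account on the host, when the real question is whether the server account can write to the path WordPress is configured with. The following added example (my own code, not from the original post or from cyriac’s blog) diagnoses an uploads directory for exactly that and hardens it without going world-writable; the directory names and the 0755 default are assumptions.

```python
import os
import shutil
import stat
import tempfile


def diagnose_upload_dir(path):
    """Return MISSING, WORLD_WRITABLE, NOT_WRITABLE or OK for an uploads dir.

    A world-writable directory is reported first: chmod 777 makes uploads
    'work', but it also lets any local account or compromised service on the
    host drop files where the web server will serve them.
    """
    if not os.path.isdir(path):
        return "MISSING"
    if os.stat(path).st_mode & stat.S_IWOTH:
        return "WORLD_WRITABLE"
    if not os.access(path, os.W_OK):
        return "NOT_WRITABLE"
    return "OK"


def harden_upload_dir(path, mode=0o755):
    """Create the directory if needed and leave write access to the owner only.

    Ownership is not changed here (assumption: an administrator has already
    chown'ed the tree to the account the web server runs as); that ownership
    is what makes 0755 sufficient instead of 0777.
    """
    os.makedirs(path, exist_ok=True)
    os.chmod(path, mode)
    return diagnose_upload_dir(path)


def demo():
    """Walk through the three states on a throwaway directory (constructed)."""
    root = tempfile.mkdtemp(prefix="wp-uploads-demo-")
    try:
        uploads = os.path.join(root, "wp-content", "uploads")
        os.makedirs(uploads)
        os.chmod(uploads, 0o777)  # the "fix" the post warns against
        before = diagnose_upload_dir(uploads)
        after = harden_upload_dir(uploads)
        missing = diagnose_upload_dir(os.path.join(root, "no-such-dir"))
        return before, after, missing
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(demo())  # ('WORLD_WRITABLE', 'OK', 'MISSING')
```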
DIACAP Essentials + IA Control Validation Training (part 2): DIACAP/AFCAP Day1
June 22, 2009
DIACAP/AFCAP Day 1.
This is the second installment of the DIACAP Essentials journal.
In the first day of class we’ve taken a high level look at the big picture of the Department of Defense Information Assurance Certification & Accreditation Process (DIACAP) and Air Force Certification & Accreditation Program (AFCAP). It is a very valuable tool for a beginner.
Since I’ve gone through the entire process (with a legacy system) more than once through all the growing pains of Air Force C&A from DITSCAP to DIACAP, I found that I knew about 90% of everything taught. I don’t mind having a refresher, though, and quite frankly, I need the CPEs for my CISSP.
There were a couple of golden nuggets that I’ve been able to get out of some of the old timers. I learned some interesting things about how the Navy, Marines and Army do things.
Navy (as weird as their dumb ass rank system.. yep, I said it.. it’s dumb) have like three systems: DITPR-DON, DA-DUMB and some other BS, Marines have something called Exacta and the Army has APMS (Army Profile Management System). Also learned cool off-topic stuff like the history of eMass.
I must admit I’m looking forward to day two.
Pros of day 1: Good solid start on basics, GREAT for beginners. SecureInfo gets mad props for having a great instructor, John M. (don’t know if he wants his full name published.. but he’s highly, highly knowledgeable and very positive).
Cons of day 1: Right off the bat I am noticing a huge hole in the training… a lack of in-depth teaching of EITDR, which is how the Air Force implements, manages and maintains the entire DIACAP/AFCAP process. I don’t really see how you can teach one without the other these days. I guess contractually, SecureInfo can not touch it since some other company has the contract. But unfortunately, the folks that are new to this are going to suffer. Because if they go to this class without knowing the EITDR they will know why but not how, and if they go to the EITDR class without knowing the DIACAP they will know how but not why.
Jeff Moss + DHS = Super Security
June 9, 2009
“Godfather of Hackers” Jeff Moss, founder of the Black Hat and Defcon hacker and security conferences, was sworn in as one of the new members of the Department of Homeland Security’s Advisory Council (HSAC). And we think it’s a shrewd and thoughtful move. Obama seems to be getting serious about cyber security now by hiring “Dark Tangent.”
– on Gizmodo
Jeff Moss is not only a celebrity in the world of hacking, he is also a powerbroker. He is a respected force to be reckoned with. I am not going to say that I think he is some sort of cyber mafia boss but I will say that he could destroy just about anyone with a 100 word post on a forum. Getting “street cred” in the hacker world is something that must be truly earned usually by technical expertise proven by hundreds or even thousands of your hacker peers validated by published technical papers, famous/infamous system infiltrations, the discovery of 0-day exploits that make major corporations take notice, or some combination of these.
Jeff has his finger on the pulse of the entire spectrum of hacking.
Jeff is now going to advise the president.
Now that is good judgement.
DIACAP Essentials + IA Control Validation Training (part 1)
June 9, 2009
I’ve been scheduled to go to DIACAP Essentials + IA Control Validation training. It is the same training that is given to validators at AFCA, so I guess it is pretty serious stuff. I was very reluctant to go until I realized that I actually really need the CPEs to maintain my CISSP.
Since I’ve been doing the DIACAP stuff for about 2 years now, I’m not certain there is any new information for me to learn.
DIACAP Essentials
The Department of Defense Information Assurance Certification and Accreditation Process (DIACAP) Essentials course blends lecture and hands-on exercises to introduce students to DIACAP policy (to include FISMA requirements of a comprehensive, repeatable, and auditable Information Security process).
IA Control Validation In-Depth - 3 Days
The IA Control Validation In-Depth course takes the students’ DIACAP education and turns the view from an implementer to a Validator perspective and involves the students in the validation process for the IA Controls (DoDI 8500.2).
What I am hoping to get from the course is a better handle on the FISMA process.
I don’t feel like I really have a handle on what is supposed to happen with it.
I always feel like GOOGLE is watching meeee
June 2, 2009
If Google were a woman I would make sweet passionate love to her. And she’d be a psycho-stalker.
I love Google, but it conflicts with my finely honed skill of not trusting. I use Google for just about everything knowing they have a dangerous amount of information about me and everything else readily available in a search friendly little package.
Google showed up as the most conspicuous tracker on third-party sites. Google Analytics, a free product that allows online publishers to gather statistics about visitors to their sites, was used on 81 of the top 100 sites. Cookies from the advertising company DoubleClick, which is owned by Google, were present on 70 of those sites. When combining trackers from those two services, Google had a presence on 92 of the top 100 sites. Others weren’t far behind. Cookies from Atlas, Microsoft’s DoubleClick rival, appeared on 60 sites, and trackers from two other analytics companies, Quantcast and Omniture, showed up on 54 sites.
– New York Times
I still love Google and I still believe, perhaps foolishly, that they are not evil. Even so, one day I think Google will turn evil, not unlike any empire that has become too powerful. The culture of the company will change in a generation and a new dynasty will reign using personal information as a weapon rather than a useful tool for making better searching. I hope I am very, very wrong.
GET BACK TO US: WESTERN UNION MONEY TRANSFER scam
May 31, 2009
*SCAM*
Send Money Worldwide
Dear Sir/Madam,
There is an issue with the WESTERN UNION MONEY TRANSFER in the amount of $850,000.00 USD directed in cash credited to file UNP/9066336466/08, at the owner of this email address.
The International Monetary Fund in collaboration with the Government of this country contacted us for your compensation a couple of hours ago due to your allocated security code which your email address was selecetd with an automated machine that selects email addressess through internet.So we require some more information in order to complete this transfer.
FULL NAME:
FULL CONTACT ADDRESS:
MOBILE PHONE NUMBER:
OCCUPATION:
MARITAL STATUS AND AGE:
In order to resolve this problem,please email via Western Union Solicitors Fund Verification Department:
Name: Mark Wilson
Email:mw2764773@googlemail.com
TELEPHONE:+233249841613
As soon as this information is received,and you have Complied with the requirements of payment of the western union charges,payment will be made to your nominated bank account or at the counter directly from The Western Union Transfering Bank.
When emailing,please use reference number 72912 for our mutual convenience.
THE MANAGEMENT OF WESTERN UNION MONEY TRANSFER OFFICE.
Sincerely,
MR.Morris Edward
Western Union Payments
As we focus on making a difference in people’s lives, people focus on Western Union and acknowledge the possibilities we offer to those we serve
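The message above carries the classic advance-fee signals all at once: a huge sum, a form asking for personal details, a "fee" to be paid before anything is released, a generic salutation, a story about being picked at random, and a free webmail address standing in for a corporate department. As an added example (my own code, not part of the original post), the scorer below turns those signals into rules and runs them over a constructed excerpt in the style of the message (with a made-up address) and a benign note; the rule names, weights and threshold are assumptions.

```python
import re

# Each rule is one indicator of an advance-fee ("419") pitch; the combination
# is what matters, so every rule counts for one point.
RULES = [
    ("cash_amount", re.compile(r"\$\s?\d{1,3}(,\d{3})+(\.\d{2})?")),
    ("asks_for_pii", re.compile(r"\b(FULL NAME|CONTACT ADDRESS|PHONE NUMBER|MARITAL STATUS)\b", re.I)),
    ("upfront_fee", re.compile(r"\b(payment of|pay) the .{0,30}(charges|fee)", re.I)),
    ("generic_salutation", re.compile(r"\bDear Sir/Madam\b", re.I)),
    ("random_selection", re.compile(r"\bselec\w*\b.{0,60}(automat|random)", re.I)),
    ("freemail_for_institution", re.compile(r"@(googlemail|gmail|yahoo|hotmail)\.com\b", re.I)),
]


def score_message(text):
    """Return (score, matched rule names) for one message body."""
    hits = [name for name, pattern in RULES if pattern.search(text)]
    return len(hits), hits


def classify(text, threshold=3):
    """Label a message once enough independent indicators line up."""
    score, hits = score_message(text)
    label = "likely-advance-fee-scam" if score >= threshold else "unclassified"
    return label, score, hits


# Constructed samples: an excerpt in the style of the message quoted above
# (made-up address) and a benign note for contrast.
SCAM_SAMPLE = """Dear Sir/Madam,
There is an issue with the WESTERN UNION MONEY TRANSFER in the amount of
$850,000.00 USD credited to the owner of this email address.
Your email address was selecetd with an automated machine that selects
email addressess through internet. We require some more information:
FULL NAME:
MOBILE PHONE NUMBER:
Email: fund-verification@googlemail.com
Once you have Complied with the requirements of payment of the western union charges,
payment will be made to your nominated bank account.
"""
BENIGN_SAMPLE = "Hi team, the Day 4 validator slides are attached. Reply by Friday."

if __name__ == "__main__":
    print(classify(SCAM_SAMPLE))    # ('likely-advance-fee-scam', 6, [...])
    print(classify(BENIGN_SAMPLE))  # ('unclassified', 0, [])
```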
You Hack US, We Nuke You!
May 28, 2009
The United States’ top commanding officer for the space and cyber domains told reporters last week that a cyber attack could merit a more conventional military response.
During a press briefing on Thursday, U.S. Air Force General Kevin Chilton, who heads the U.S. Strategic Command, told reporters that top Pentagon advisors would not rule out a physical attack on any force that attacks the United States through the Internet. Currently, the military’s networks are probed thousands of times a day, but the goal of attackers seems to be espionage, not to take down critical networks, he told reporters –
I don’t believe that military force is the equivalent action for a cyber attack. Arrest and/or apprehension is the physical response necessary for criminal hackers attacking from other countries. Cyber counter-attacks are the correct response for government funded & coordinated attacks.
I think if the U.S. reciprocates a cyber attack x10 when other countries are playing little games, we’d get our message across effectively. We should do so in a well funded and covert way in which the enemy has NO DOUBT that the face slap came from a U.S. hand, but no proof at all, allowing plausible deniability. It should be black ops hacks, very well coordinated, very well funded and full time.
I don’t think the US can be complacent or recklessly meek in matters of cyber warfare. Instead, it must be fair, quiet and heavy handed when it comes to one of its most valuable assets, information.