As a federal government watcher, I get exposed to some happenings in Washington that few outsiders know about. One such initiative is the Consensus Audit Guidelines (CAG). Simply stated, CAG applies the old 80/20 rule to cybersecurity best practices by focusing on 20 high priority security controls since these controls are specifically designed as countermeasures for the most likely types of real-world attacks.
There are two primary knocks against CAG. First, many believe that it is completely redundant thanks to other security requirements and IT frameworks like ITIL and COBIT. Second, CAG is viewed as incomplete. The thought here is that stealthy or innovative security attacks could circumvent the 20 controls.
In my opinion, each of these criticisms is accurate. That said, I think these points are non-issues. Yes, CAG is redundant with other security and IT efforts, but most large organizations already face redundancy issues as they are forced to comply with HIPAA, SOX, PCI DSS, FISMA, etc. Sure, CAG has gaps; no one ever claimed it was exhaustive.
CAG ain’t perfect, but it does have several key strengths:
In the future, it is likely that the list of CAG controls will grow to accommodate new threats thus keeping CAG up to date. CAG may not be as comprehensive as other security models and it is certainly no panacea, but given its focus, it is a great way for overwhelmed CISOs to rationalize their security efforts and concentrate on high priority risks.
Tags: CAG, COBIT, Cybersecurity, ITIL, John Gilligan
Good news: Last Friday, 15 countries including the United States, Russia, and China agreed upon a set of recommendations to the United Nations secretary general that will serve as the basis for negotiating an International computer security treaty.
Bad news: Getting this far took far too long. While diplomats debated over wording and process, the state of cybersecurity severely degraded.
It seems that politicians and diplomats are long on protocol and thus missing the forest for the trees. Cybersecurity isn’t like physical border disputes or other long-term efforts. Rather, threats morph and grow more dangerous every day. In the meantime, there are no international rules of engagement or agreements for cooperation — and no one nation can solve this problem alone.
What we need here is not long drawn out negotiations and formal agreements but a series of cooperative phases with measurable progress at each milestone.
The U.N. has a chance to really make a difference with cybersecurity. Let’s hope that diplomats realize that we are dealing with a real-time issue and respond with 21st century solutions rather than 19th century pomp and circumstance.
Tags: China, Cybersecurity, Russia, United Nations, United States
Earlier this week, I participated in the Symantec Government Symposium, an event dedicated to IT and security professionals in the U.S. Federal government. As part of her kickoff presentation, Symantec Federal GM, Gigi Schaum, asked for audience responses to three questions. Here are the questions and the interesting responses:
My take is as follows: Cybersecurity is worse than it was 12 years ago — there are more threats and the threats have become more sophisticated. The nation has been effectively treading water in that time frame so the gap continues to grow. President Obama’s focus on cybersecurity and his appointment of Howard Schmidt were positive moves but not enough.
I agree that hostile foreign nations represent the biggest potential threat, but on a day-to-day basis, organized crime is picking our pockets. To some extent, this response concerns me because it casts security into a military category. It is also interesting that 39% said “lack of federal security standards.” These people were either looking myopically at the Federal space alone, or believe that the Feds haven’t stepped up with cybersecurity leadership. The former answer reflects insular Washington; the latter is absolutely true.
As for the final question, I couldn’t agree more. If 80% of the critical infrastructure is in the private sector as the President suggests, then industry must be a major part of the solution. This “public/private” partnership has also been lagging.
In total, these answers tell me that things are getting worse and we aren’t doing enough. Pretty scary stuff.
Tags: Cybersecurity, DHS, DOD, Federal Government, President Obama, Symantec
I’m just back from participating in the Symantec Government Symposium held yesterday in Washington DC. The event was extremely informative, with keynote presentations by Cybercoordinator Howard Schmidt and Director of Plans and Policies for the U.S. Cyber Command Major General Suzanne M. Vautrinot. For my part, I sat on a cyber supply chain security panel with folks from DOD, DHS, and HHS.
On the plus side, the feds have a lot of good work going. There is a lot of government brainpower focused on scoping problems, evaluating funding priorities, changing cultural barriers, and defining security solutions. Kudos are well deserved.
With all of this effort, however, it is time to discuss a fundamental problem between the public and private sector: communications. The feds have a language all of their own, one chock full of agency-specific acronyms and a military flavor. Information security is called “cybersecurity” and there are lots of references to missions, objectives, command-and-control, etc. The word “assurance” is used constantly: software assurance, information assurance, cyber supply chain assurance, and so on. This is just the tip of the federal language iceberg.
In his famous May 2009 cybersecurity speech, the President proclaimed that:
For these things to happen, the federal government must realize that it needs to drop the inside-the-Beltway lingo and speak to the rest of us in common language. We don’t care which agency owns which initiative with acronym ABC. We don’t speak to each other about missions and battlefields and assurance. Many experienced IT and security professionals have no idea what NIST is or what it is doing. Like it, understand it or not, this is the truth.
The information security challenges we face are real and could be extremely damaging to the country, the economy, our way of life, and confidence in the government. We NEED the feds to step up, but we shouldn’t have to learn a new language or culture to make this happen. I already see the influence of this communications gap: most of the private sector has no clue about all the work going on in Washington. This is wasteful and a shame.
In his new book, Cyberwar, Richard Clarke does a great job of translating Washingtonese to common language. Good effort by Clarke, but the fact that he had to do this should be a red flag for all of us. If we can’t understand each other, we are doomed from the start.
Tags: Cybersecurity, Cyberwar, Howard Schmidt, President Obama, Richard Clarke
While it may seem like cybersecurity issues have taken a back seat in Washington, there is actually a lot of work happening on Capitol Hill. Senate majority leader Harry Reid (D, NV), is pushing all Senate committees with any type of cybersecurity or industry oversight to get on their legislative horses and address the existing mess.
To that end, Senator Joseph Lieberman (I, CT) is working with colleagues Susan Collins (R, ME) and Thomas Carper (D, DE) on a fairly comprehensive cybersecurity bill called the Protecting Cyberspace as a National Asset Act. The bill seeks to revamp the paper-centric FISMA Act of 2002, centralize cybersecurity management in DHS, and establish a more proactive public/private partnership for cybersecurity risk management.
The essence of the bill is certainly welcome. We need to address cybersecurity issues ASAP like President Obama promised he would do more than a year ago. Unfortunately, the Lieberman bill has a few significant flaws, in my opinion. One major problem is with the bill’s link to federal procurement. The Lieberman bill seeks to legislate security in federal IT spending by “creating a system that requires acquisition officers in the federal government to have the knowledge that they need about the vulnerabilities in products.” This in itself is a good idea but:
I don’t claim to be an expert on the Lieberman bill but it seems to me that we are falling into the old Washington scapegoat mentality of looking for a villain (i.e., the IT industry). Don’t get me wrong, lots of vendors should be called to task for unacceptable security practices but these provisions seem overly simple or impossible to enforce to me.
While the Feds figure out the next act in the cybersecurity play, it is really up to the IT industry to step up and establish its own security best practices and self-certification methodology. Strong examples already exist from vendors like , HP, IBM, and Oracle. While some folks will certainly flame me for saying so, Microsoft’s SDL is also a model for the rest of the industry.
Legislators are caught between a rock and a hard place. They have to do something but these are uncharted and highly technical waters. This being the case, the IT industry has to do a better job of stepping in and demonstrating leadership. If this doesn’t happen, the U.S. IT industry will face difficult, costly, and confusing legislation that could impact financial results for years to come.
Tags: Cybersecurity, EMC, FISMA, HP, IBM, Microsoft, Oracle, Senator Joseph Lieberman
I recently finished Richard Clarke’s new book, Cyber War, and I have but two words for the former cyber czar: thank you.
I’ve probably read as much about this subject as Washington insiders, and in my opinion, Clarke’s book immediately leapfrogs numerous other overly technical or Washington-wonky volumes. As such, it is a must read for security professionals, legislators, and business executives, especially in the 18 industries designated by Washington as “critical infrastructure.” Heck, anyone interested in cybersecurity should read this book to understand the current threats, possible cyber war scenarios, and where our tax dollars are and aren’t going.
When reading this book, get ready to self-translate several subculture languages including security technology, military acronyms, and Washingtonese. That said, Clarke does a great job explaining these terms in simple English and even includes a glossary to help newbies along.
I can’t possibly provide a synopsis of Clarke’s book in a blog, but the primary take-aways are:
Clarke lays out a plan to get us started in the right direction. I don’t agree with all of his suggestions, but they are certainly a good start.
Whether we like to admit it or not, we all may wake up one day with the power cut off and the banking system in total disarray. Naysayers dismiss this threat, but it has happened on a limited scale around the world and will happen in a much bigger way if the U.S. continues to manage cybersecurity with its head in the sand.
Clarke clearly articulates the threats, vulnerabilities, and real risks we face in any type of sophisticated cyber warfare. He also balances his wake-up call with some sound and cogent advice on what we should do. I suggest that anyone with an interest or stake in this topic read the book and join Dick Clarke to get the federal government to listen and act as soon as possible. As someone who has been preaching this same message, I can tell you that it is a lonely crusade; we need all the help we can get.
Tags: Cyber War, Cybersecurity, Richard Clarke
After finishing Joseph Menn’s book, “Fatal System Error,” a few months ago, I blogged about the book’s value. This is a no-nonsense profile of the world of cybercrime that anyone associated with cybersecurity policy or practice should read. I’ve heard similar things about Richard Clarke’s new book, “Cyberwar,” and am awaiting the shipment of my copy soon.
As far as the list of “must read” books about cybersecurity goes, allow me to submit another entry — “The Illusion of Due Diligence” by my old friend Jeff Bardin. Jeff is a veteran security professional with experience in both the public and private sectors.
Throughout Jeff’s career, he has been extremely diligent about finding risks, threats, and vulnerabilities and then candidly articulating the details to business managers. In his investigations, Jeff has also uncovered evidence of past breaches that were either never discovered or simply swept under an organizational rug. When approaching senior management, Jeff pulls no punches about problems but also tends to accompany the bad news with a detailed plan for risk reduction.
Jeff’s book uncovers a sad and serious problem that most security professionals are all too familiar with. Unfortunately, security risk and remediation is often a political hot potato. After hearing about security issues from someone like Jeff, some managers ignore the risks or claim that the problems only apply to IT and not the business. Even worse, other CEOs blame the security staff and then mandate that they keep silent. Still others fudge their compliance reporting.
In his book, “The Illusion of Due Diligence,” Jeff describes this disconnect between security and business management with stories of some of the worst abuses he has seen throughout his career. It’s pretty scary stuff but almost any security professional will tell you it happens all the time.
Hopefully this report from the corporate security trenches will shake some corporate boards and legislators up. With the fragile state of cybersecurity, we should be doing everything we can to protect our digital assets. When pros like Jeff tell the CEO that they have big problems, you’d think they would respond with immediate action but many simply look the other way. In my view, this type of blatant neglect is as bad as a hacker’s criminal intent.
Jeff’s book won’t get the publicity or distribution of Richard Clarke’s and Joseph Menn’s but I believe it is worth digging around, finding a copy, and passing it on to the CEO, CIO, and CISO at your organization. While Clarke and Menn describe a sophisticated foe, Bardin points out that corporate greed, ignorance, and neglect may be the enemy within.
Tags: cybercrime, Cybersecurity, Cyberwar, Fatal System Error, Jeff Bardin, Joseph Menn, Richard Clarke, The Illusion of Due Diligence
On May 29th of 2009, President Obama declared: “It’s now clear that this cyber threat is one of the most serious economic and national security challenges we face as a nation.” At FOSE this year, FBI Deputy Assistant Director, Stephen Chabinsky gave this ominous statement, “Cybercrime and cyber terrorism could be a game changer and thus represent an existential threat to our nation.”
With such strong words, you’d think that the Feds would have their act together on all things cybersecurity. Unfortunately, you’d be wrong. Speaking at the Interagency Resource Management Conference this week, Cybersecurity Coordinator Howard Schmidt reinforced this bad news. Schmidt’s wake-up call pointed to the fact that the Federal government:
If you aren’t scared and angry right now, you should be. Since 2001, the Federal government has spent billions of dollars on cybersecurity yet these basic problems remain. Heck, we’ve spent hundreds of millions on the Einstein project, an uber network security monitoring technology effort, yet we aren’t doing basic intrusion detection. Ay, ay, ay!
Schmidt, a security veteran, is clearly frustrated by what he is finding. The rest of us should be outraged.
Let’s hope that the President, Congress, DHS, DOD, and NSA can get their act together and fix these problems under Schmidt’s capable leadership. If not, we may be in serious trouble.
Tags: cybercrime, Cybersecurity, Cybersecurity coordinator, DHS, Federal Government, Howard Schmidt, President Obama, Stephen Chabinsky
Here at the FOSE show in Washington DC, cybersecurity and cybercrime are hot topics of conversation.
I attended a keynote presentation by Steven R. Chabinsky, Deputy Assistant Director, Cyber Division of the FBI yesterday. Mr. Chabinsky did not soft sell cybersecurity and cybercrime; rather, he described the current situation in very stark terms. First, he stated that cybercrime is one of the FBI’s top three priorities. Chabinsky described the threat as follows: “A serious cyber attack is a potential game changer. It represents an existential threat, one that threatens our nation.”
So are we vulnerable? According to Chabinsky, “a determined adversary with enough time and resources will always be able to penetrate a targeted system.” The result? “Everything is being stolen, wholesale.”
Chabinsky did a good job of describing cybercriminal organizations, breaking down the division of labor, specialties, and sophistication associated with these groups. He also went through a few extreme examples. A global cybercrime syndicate broke into an encrypted file containing ATM passwords. Within 24 hours, the group had created 400 phony ATM cards in 287 countries and made over 14,000 ATM transactions. In one day, they stole over $10 million.
Very scary stuff, but Mr. Chabinsky also described some of the progress being made by the FBI. The FBI Cybersquad is now in place in 56 FBI field offices around the world. Every new FBI agent must go through cybercrime and cybersecurity training at Quantico. Combined with international partners, the FBI has 60 legal attache offices around the world and it made 230 arrests last year.
In spite of the progress, the overall picture painted by Chabinsky was pretty scary. To his credit, he didn’t shy away from this reality. He ended his keynote with a plea to the security community, recommending that audience members be vocal and vigilant, point out security vulnerabilities, question vendors, and constantly look to improve cyber defenses. Chabinsky stated, “there is a need for a public dialogue; our economic and national security is at stake.”
Tags: cybercrime, Cybersecurity, FBI, Steven Chabinsky
When I left home for the RSA Conference last Monday, I was already aware of the types of cyber threats we are up against. After speaking with security research leaders from Bluecoat, Symantec, and Trend at RSA, I am even more convinced that we are way behind the enemy and need to react quickly before we are completely overwhelmed.
Since one way to drive action is increased cybersecurity visibility and knowledge, I strongly suggest that anyone associated with IT, cybersecurity, privacy, national defense, or law enforcement read the new book, Fatal System Error, by Joseph Menn.
Now I have absolutely no financial interest in this book, nor do I know the author. In other words, I have nothing personal to gain by this recommendation. My goal here is to educate decision makers and the public at large about just how pervasive and sophisticated the cyber threat landscape has become.
Menn’s book demands some level of technical knowledge, but he does a great job of explaining things in a cogent and clear way. The book highlights:
My hope is that those who read this book (author’s note: again, everyone should) become as concerned as I am and demand immediate action. We need things like public awareness campaigns, K through 12 education, information sharing, and global law enforcement agreements, and we need them now. Time is not our ally.
Joseph Menn and those that helped him with this book deserve a lot of credit. I hope it drives immediate action. If it doesn’t, I’ll join Menn in saying, “I told you so” to the industrialized world as we struggle to rebuild our digital economy.
Many, including the DHS, believe that the damage from a cyber attack could be much greater than what we experienced from 9/11. We need to act before it is too late.
Tags: Cybersecurity, Fatal System Error, Federal Government, Joseph Menn