NIST SP 800-53 Rev. 3 Final Draft

On June 3, 2009, the Final Public Draft of NIST SP 800-53 Rev. 3, 'Recommended Security Controls for Federal Information Systems and Organizations', was released. This will be a historic document, as it will become the most comprehensive control catalog available to date. NIST has taken the controls used for federal agencies and added the controls used for national security systems. In addition, NIST has been working to establish specific mappings and relationships between the security standards and guidelines developed by NIST and ISO/IEC 27001 from the International Organization for Standardization and International Electrotechnical Commission.
 
"The public draft of Special Publication 800-53, Revision 3, is historic in nature. For the first time, and as part of the ongoing initiative to develop a unified information security framework for the federal government and its contractors, NIST has included security controls in its catalog for both national security and non national security systems. The updated security control catalog incorporates best practices in information security from the United States Department of Defense, Intelligence Community, and Civil agencies, to produce the most broad-based and comprehensive set of safeguards and countermeasures ever developed for information systems. The standardized set of management, operational, and technical controls provide a common specification language for information security for federal information systems processing, storing, and transmitting both national security and non national security information. The revised security control catalog also includes state-of-the-practice safeguards and countermeasures needed by organizations to address advanced cyber threats capable of exploiting vulnerabilities in federal information systems." NIST SP 800-53 Rev3 Final Public Draft
 
Additional noteworthy changes:
 
A new Risk Management Framework is introduced, intended to provide enterprise-wide, near real-time risk management.
 
A new control family has been added: Program Management, under the Management class of controls. The Program Management family provides controls for information security programs.
 
You can check out the draft and make comments until June 30. The ETA for the final release is July 31, 2009.
http://csrc.nist.gov/publications/PubsDrafts.html#SP-800-53-Rev.%203

 
Donald E. Hester
CISSP, CISA, CAP, PSP, MCT, MCITP, MCSE Security, MCSA Security, MCTS, MCDST, Security+, CTT+, MV
 
Brought to you by Maze & Associates, a leading Northern California Accounting Firm specializing in Municipal & Nonprofit Audit, Tax for individuals and all types of entities, Information System Audits, Security Reviews, as well as PCI Scans and certified training. Maze & Associates is a PCI ASV - Approved Scanning Vendor.
 
 
Disclaimer: The views expressed here are those of the author and do not represent those of Maze & Associates.
 
Blind Penetration Tests Pros and Cons

Who told everyone it is a good idea to start a security initiative with white hat hackers doing a blind penetration test on your network? Or does it just sound cool and impressive? Or is it really putting the cart before the horse?
 
I often see RFPs that ask for blind penetration tests, and I wonder if the authors know what they are asking for. A blind penetration test requires us to blindly find vulnerabilities and then exploit them to prove that a hacker could breach the system. There is a time and a place for this type of assessment; it is not, however, the best assessment to have right out of the gate.
 
Let's look at some semantics.
 
A vulnerability scan is an assessment, usually a non-intrusive, non-destructive scan of a set of systems, to determine whether any vulnerability can be discovered by the scanning service or device.
 
A penetration test is an assessment that is intrusive by nature. It starts with a scan to determine what vulnerabilities exist, then tries to exploit those vulnerabilities. Because of that exploitation step, the test is intrusive and potentially destructive.
 
A blind test can be either a penetration test or a vulnerability scan in which the assessor does not know the addresses of the systems to scan. A determination is made as to what the addresses could be, and scans are then run against those addresses.
 
Pros and Cons
 
Vulnerability Scans
The pro: vulnerability scans are a must, especially if you process payment cards, as vulnerability scans are required by the Payment Card Industry Data Security Standard (PCI DSS). They are a common control in just about every other industry standard, from NIST to ISO. Vulnerability scans give you a view of what vulnerabilities a potential hacker could see. Generally the scans are run from a device that is outside the firewall, on the Internet.
 
The con: while these scans provide a great picture of how an external hacker sees the system, they do not paint a good picture of what vulnerabilities actually exist behind the firewall. This is because the firewall is doing what it is designed to do, which is to limit what access is granted from the Internet. However, the firewall does not generally protect from malicious internal users or malicious code that gets past the firewall. In order to get a complete picture we recommend both external scans and internal scans of the Internet-facing systems. In this way the organization has a complete picture of its vulnerabilities and can make risk-based decisions.
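To show what the "complete picture" looks like in practice, here is an added example (not code from the original post) that merges an external scan and an internal scan of the same Internet-facing hosts and sorts each finding into what the Internet can reach, what only the firewall is hiding, and anything the external scanner alone reported. The findings are constructed sample data in a simplified CSV shape; the hosts use RFC 5737 documentation addresses and the finding names are made up.

```python
"""Combine external and internal vulnerability scan results into one view.

Added example, not from the original post. The scan findings below are
constructed sample data in a simplified CSV form (host, port, finding,
severity); real scanners export richer formats, but the merge logic is the same.
"""
import csv
from io import StringIO

# Constructed sample: what a scanner outside the firewall reports.
EXTERNAL_SCAN = """\
host,port,finding,severity
203.0.113.10,443,TLS 1.0 enabled,Medium
203.0.113.10,80,HTTP server header disclosure,Low
"""

# Constructed sample: the same hosts scanned from inside the perimeter.
INTERNAL_SCAN = """\
host,port,finding,severity
203.0.113.10,443,TLS 1.0 enabled,Medium
203.0.113.10,80,HTTP server header disclosure,Low
203.0.113.10,3306,MySQL accessible without password,Critical
203.0.113.10,22,Outdated OpenSSH version,High
203.0.113.11,445,SMBv1 enabled,High
"""

SEVERITY_RANK = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1, "Info": 0}


def parse_findings(csv_text):
    """Return a dict keyed by (host, port, finding) -> severity string."""
    reader = csv.DictReader(StringIO(csv_text))
    return {(r["host"], int(r["port"]), r["finding"]): r["severity"] for r in reader}


def merge_views(external_csv, internal_csv):
    """Classify each finding by where it is visible from.

    'exposed'       : seen from the Internet, reachable by anyone.
    'masked'        : seen only from inside; the firewall hides it from the
                      external scan, but an insider or malicious code that gets
                      past the firewall can still reach it.
    'external_only' : reported only by the external scanner; worth a look
                      (scanner difference, or a host the internal scan missed).
    Each bucket is sorted worst severity first, then by host and port.
    """
    ext = parse_findings(external_csv)
    intl = parse_findings(internal_csv)
    result = {"exposed": [], "masked": [], "external_only": []}
    for key, sev in intl.items():
        bucket = "exposed" if key in ext else "masked"
        result[bucket].append((*key, sev))
    for key, sev in ext.items():
        if key not in intl:
            result["external_only"].append((*key, sev))
    for bucket in result:
        result[bucket].sort(key=lambda f: (-SEVERITY_RANK.get(f[3], 0), f[0], f[1]))
    return result


def highest_masked_severity(merged):
    """Severity of the worst finding an external-only scan program never sees."""
    if not merged["masked"]:
        return None
    return merged["masked"][0][3]


if __name__ == "__main__":
    merged = merge_views(EXTERNAL_SCAN, INTERNAL_SCAN)
    for bucket, findings in merged.items():
        print(f"== {bucket} ({len(findings)})")
        for host, port, finding, sev in findings:
            print(f"  {sev:8} {host}:{port}  {finding}")
    print("worst firewall-masked severity:", highest_masked_severity(merged))
```

On the constructed data the external scan alone would report two low-to-medium items, while the merged view shows a Critical and two High findings that only the internal scan sees; that gap is exactly the risk-based information the post says an external-only program lacks.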
 
Penetration Tests
The pros: penetration tests allow an organization to see and know that the vulnerabilities can be exploited. Most external attacks require hackers to 'hop' their way in: they will compromise one system, hop from that system to compromise another, and so on. A vulnerability scan will not confirm that a vulnerability exists or that it can be exploited. A penetration test is proof that the vulnerability exists and can be exploited.
 
The cons: because the test exploits a found vulnerability, it is intrusive and potentially destructive in nature. The question remains: do we need proof that the vulnerability can be exploited? Is it worth the risk of damaging or bringing down a system to prove that a vulnerability is exploitable? Most of the known vulnerabilities have already been tested, confirmed and indexed.
 
Blind Tests
The pros: the assessor does not have all the information, so you get a good indication of what a hacker would be able to find if the hacker were targeting only that organization.
 
The cons: a blind test is really testing the ability of the hacker to find systems. Many hackers don't target a particular organization; they simply sweep the Internet looking for vulnerable systems. Second, a blind test is really testing 'security by obscurity', a security mindset most security professionals avoid. Just because you don't see a vulnerability does not mean it does not exist.
 
In addition, a blind test could lead the assessor to scan a system that is not owned by the organization and could lead to ethical or legal issues.
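The ownership problem has a simple control: before any address is scanned, check it against the scope the organization has confirmed in writing. The following added example (not from the original post) does that check; the authorized ranges and the candidate addresses are constructed, using RFC 5737 documentation networks, and the function names are this example's own.

```python
"""Check candidate scan targets against an authorized scope before scanning.

Added example, not from the original post. The scope and candidate lists are
constructed; in practice the scope comes from the signed rules of engagement,
after the organization has confirmed it actually owns those ranges.
"""
import ipaddress

# Constructed: address ranges the organization has confirmed it owns and has
# authorized for testing (RFC 5737 documentation ranges used as samples).
AUTHORIZED_SCOPE = ["203.0.113.0/24", "198.51.100.16/29"]

# Constructed: addresses an assessor might guess during a blind assessment.
# One is outside every authorized range and one is not an address at all.
CANDIDATE_TARGETS = [
    "203.0.113.10", "203.0.113.250", "198.51.100.20",
    "198.51.100.30", "192.0.2.7", "not-an-ip",
]


def build_scope(cidrs):
    """Parse CIDR strings into network objects; strict=True rejects ranges
    with host bits set, which usually means a typo in the scope document."""
    return [ipaddress.ip_network(c, strict=True) for c in cidrs]


def classify_targets(candidates, cidrs):
    """Split candidates into (in_scope, out_of_scope, invalid).

    Only in_scope addresses may be handed to the scanner; out_of_scope ones
    are the ethical and legal problem the post describes, and invalid entries
    are usually hostnames or typos that need resolving and re-checking.
    """
    scope = build_scope(cidrs)
    in_scope, out_of_scope, invalid = [], [], []
    for target in candidates:
        try:
            addr = ipaddress.ip_address(target)
        except ValueError:
            invalid.append(target)
            continue
        if any(addr in net for net in scope):
            in_scope.append(target)
        else:
            out_of_scope.append(target)
    return in_scope, out_of_scope, invalid


def approved_targets(candidates, cidrs):
    """Return the scannable list, or raise if anything is out of scope so a
    scan cannot silently run against a system the organization does not own."""
    in_scope, out_of_scope, invalid = classify_targets(candidates, cidrs)
    if out_of_scope:
        raise ValueError(f"out-of-scope targets refused: {out_of_scope}")
    return in_scope, invalid


if __name__ == "__main__":
    ok, bad, unparsed = classify_targets(CANDIDATE_TARGETS, AUTHORIZED_SCOPE)
    print("in scope      :", ok)
    print("OUT OF SCOPE  :", bad)
    print("needs review  :", unparsed)
```

The refusal in approved_targets is deliberate: a scanning run that drops out-of-scope hosts quietly still leaves the assessor unaware that the guessed address list was wrong, whereas a hard stop forces the scope to be corrected with the client first.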
 
Recommendation
I recommend that an organization start by adopting a security standard and conducting regularly scheduled vulnerability scans, internal and external. All the major standards require at least the following IT controls: patch management processes and vulnerability management. Simply testing systems in an ad hoc fashion will not improve non-existent controls. If you don't have a process, every assessment you perform will indicate that you have vulnerabilities, which in turn just means you don't have a process.

 
Donald E. Hester
 
New Presidential Cyber Security Initiative

Today President Barack Obama presented a 10-point near-term action plan aimed at securing the federal government's and the nation's critical IT infrastructure. Why? Because "Acts of terror could come from a few keystrokes."
 
The 10 steps outlined are:
1. Appoint a cyber security official
2. Set up a national cyber security strategy
3. Make it a priority
4. Appoint a privacy and civil liberties official
5. Set up interagency mechanisms (government teamwork)
6. Create a national public security awareness program
7. Develop international collaboration (international teamwork)
8. Create a national incident response plan
9. Support research and development
10. Create an identity management system (keeping privacy and civil liberties in mind)
 
President Obama's final remarks, "But we need to remember: We're only at the beginning. The epochs of history are long - the Agricultural Revolution; the Industrial Revolution. By comparison, our Information Age is still in its infancy. We're only at Web 2.0. Now our virtual world is going viral. And we've only just begun to explore the next generation of technologies that will transform our lives in ways we can't even begin to imagine."
 
You may remember from one of my previous posts that the National Cyber Security Alliance is working on raising awareness and literacy in information security. This works hand in hand with point 6 of Obama's new initiative.
 
The real question now is what is to become of the current information security landscape. I have a few ideas about issues that should be addressed.
 
1. Simplify legislation. Currently we have different sets of rules for different sets of data. SOX, HIPAA, breach disclosure and other laws can be simplified and combined. Why have one law for financial data (GLBA), one for health data (HIPAA), one for student data (FERPA), one for financial reporting (SOX), etc.? Create one law that covers personally identifiable information (PII) and data integrity regardless of type.
2. Continue to raise public awareness.
3. Address jurisdictional issues with Internet-based crimes.
4. Create incentives for businesses to 'do the right thing', with both positive and negative reinforcement.
5. Take the bureaucracy out of FISMA.
6. Extend a new FISMA to state and local governments, and extend the funding needed for state and local governments to implement it. State and local governments maintain part of the infrastructure, and the infrastructure is only as strong as the weakest link.
7. Understand that security is a process, not a goal.
8. Ensure security is implemented in a risk-based fashion.
9. Protect privacy while protecting the infrastructure.
 
There are probably 100 other things that can be done. These are just a few that are top issues in my mind.

 
Donald E. Hester
 