Open Source Software - Rational or Risky Business?


I received quite a few comments this past week following the publishing of California IT Policy Letter 10-01
which formally establishes "the use of Open Source Software (OSS) in California state government as an acceptable practice."  While many of my security colleagues offered words of caution following the announcement (and even a couple of "are you crazy" comments), most were pretty enthusiastic with remarks like, "Finally, enlightenment" and "It's about time government joined the 21st century."

 

As a security guy, I've been on both sides of the OSS fence at different times, but I've come to the conclusion that anyone who doesn't think OSS has a place in today's business or government simply hasn't been paying attention.  While it should never be a casual decision, the organizational choice to adopt an Open Source Software policy should be made based on issues such as business need, reliability, ease of use, ROI and, yes, security.  Being too cavalier can be dangerous, but it only means you've got to do your due diligence homework just like when you buy COTS.

 

I'm not saying that COTS shouldn't be part of our IT environment, just that it's time to acknowledge the OSS elephant in the room.  We need COTS, but should we really trust all COTS software just because it comes with a license from a reputable vendor?  Think about the regular (and irregular) patch cycles we go through before you answer that question.  Is there any question that the Linux OS, the Firefox web browser or the Apache web server are mature products delivering real value?  Of course not!  In fact, they are the de facto standards in many organizations.  In addition, there are dozens of excellent OSS security tools that many organizations depend upon to monitor and identify vulnerabilities within their IT environments.  Nessus, Snort, Nagios, Metasploit, OpenSSH, PuTTY, Nmap, and Wireshark are some of the OSS security gold standards (one caveat: Nessus itself went closed source with version 3 in 2005, and OpenVAS is the fork of its last GPL release), but there are many, many others. 

 

Over time, the open source community has proven to be somewhat self-policing: the best products get adopted and widely used, while the stuff that doesn't meet standards gets a well-deserved funeral.  It seems to me that thousands of developers and hackers beating up on open source code is a pretty efficient and transparent way of identifying software bugs and vulnerabilities in OSS.  Kind of like software market Darwinism, where the strong survive.  The caveat is that "widely used" is not the same as "widely reviewed"; popularity tells you the code has been exercised, not that anyone has audited it, which is why the due diligence above still applies. 

 

There are arguments against using OSS, but I've heard the "there's no guarantee of future support" line so many times it makes me want to cry.  How many times, and how many endless hours, have you spent on hold with tech support without getting the help you needed?  One of the nice things about the open source community is that worldwide support is available almost any time of day.  So while there are some criticisms, there's also some valid business rationale for using OSS.

 

I'm still accused of being overly paranoid (it's part of the job description), but in these challenging economic times, all of us need to be on the lookout for savings and OSS is a very logical option.   While not obviating the need to determine our own security risks, when large organizations like the Federal government and Department of Defense make policy decisions to use OSS, aren't we being overly irrational by saying we're too good or too important that we can't consider the same thing?

 

I'll bet there are a lot of personal and professional thoughts on OSS from my security colleagues so let's hear them!  While you're at it, tell me what are your favorite open source security tools and why?  Use this forum to share your insight and experience with other government security professionals.

Howard Schmidt gets the nod from President Obama


It's official, we finally have national cybersecurity leadership.  Fulfilling the commitment he made in May of this year, it was announced on The Whitehouse Blog this morning that President Obama has selected Howard Schmidt as the White House Cybersecurity Coordinator. 

 

Rumors have been swirling for months now of people who were turning the job down because it was being positioned to report to two masters, the National Security Council and the National Economic Council.  That appears to have been resolved with Mr. Schmidt reporting to deputy national security adviser John O. Brennan but also having "regular access to the president."

 

In a video posted on the White House Blog, Mr. Schmidt said, "The President has directed me to focus on several priority areas: developing a new and comprehensive strategy to secure American networks, ensuring an organized, unified response to future cyber incidents, strengthening public-private partnerships here at home and international partnerships with allies and partners, promoting research and development of the next generation of technologies, and leading a national campaign to promote cybersecurity awareness and education." 

 

Mr. Schmidt has a tremendous amount of security experience, having spent time in the U.S. Air Force, local law enforcement and the FBI, as CSO at Microsoft, as CISO at eBay, and as special adviser for cyberspace security in the Bush Administration.  Anyone who underestimates Howard Schmidt's ability to enact change is in for a surprise.  He's got the rare combination of tangible security experience and significant visibility at the highest levels of government.  Having already spent time in the White House, he won't be too enamored with the pomp and cachet but will leverage that access to focus the national effort and drive policy making.  This is a very good announcement for the holiday season.

Sabotaging The System


Did you happen to see the CBS 60 Minutes episode this past Sunday titled "Sabotaging The System"?  It seems like every time there's a TV story or newspaper article about cyber security, I spend the next few days answering questions from people who either want to know if it "could really happen" or "what is being done about it."  Maybe it's because I read about cyber events every day, but I just wonder: wow, how do people not know about this stuff?  When he was asked about our ability to withstand an attack on the power grid, Admiral McConnell's very candid "No. The United States is not prepared for such an attack" says it all.  This 60 Minutes story is a little different and more attention grabbing because the public seems genuinely shocked that our nation's cyber-adversaries have actually penetrated our critical infrastructures and seem to have come so far ... without anyone knowing about it!

 

Unfortunately, most of us in the cyber security business do know, and have watched the vulnerabilities in our critical infrastructure grow over the past few years as hackers and cyber criminals became more skilled at exploiting them.  I talked to a few of my security colleagues yesterday and the common reaction to the 60 Minutes story was one of utter exasperation: "I can't believe they let this information out in public," "this information should be classified" and "this story has made the nation a bigger target."  Hmmm.  I think a different response is in order. 

 

Maybe the public does need to know?  We just finished up with National Cyber Security Awareness month in October and while it's typically 31 days focused on personal computer awareness and identity theft, maybe bigger topics like these cyber events and threats that actually pose harm to our way of life should be the focus.  I'm not one for blowing things out of proportion or spreading FUD (Fear, Uncertainty and Doubt) but these threats are real and they aren't going to go away unless we begin devoting the right resources to fix the problems.

 

The 60 Minutes story wove together several recent cyber events, including the "Aurora" test conducted at Idaho National Laboratory in 2007, where researchers demonstrated that a remotely issued sequence of breaker commands could make a generator connected to the power grid destroy itself, and the blackouts in Brazil, reportedly the result of cyber attacks.  In the interest of full disclosure, a new article in Wired magazine disputes the 60 Minutes account by stating that the blackout was caused by sooty high-voltage insulators, not hackers.  Jim Lewis of the Center for Strategic and International Studies adds another scary bedtime story by theorizing that "we probably had our electronic Pearl Harbor" in 2007, when someone broke into DoD, the Department of State, the Department of Commerce, "...probably the Department of Energy, probably NASA...and downloaded terabytes of information."  These are real life events.

 

President Obama has declared the country's digital infrastructure a strategic asset, the Department of Homeland Security just opened the new National Cybersecurity and Communications Integration Center (NCCIC), and DoD is building the new United States Cyber Command at Fort Meade, Maryland, next door to NSA.  We obviously understand that cyber security and cyber threats to our nation's critical infrastructure are important.  Maybe this story will provide some new visibility that results in real action.

 

Ignoring the problem certainly hasn't done any good and for those who believe in 'security through obscurity,' the question is simple - is the cyber security problem in America getting better or worse?  While there may be things that the public is better off not knowing, sometimes very stark words like those of Admiral McConnell when he said, "Can you imagine your life without electric power?" make people sit up and pay attention.

 

I'd like to know what you think.  Does presenting this kind of information in the media simply let the bad guys know where our weaknesses are or does it help by shining the light where these problems may be festering in obscurity?  Or is it both?  Let me know.

 

 

* The views expressed are solely mine and nothing stated in or implied from the article should or may be attributed to the state of California or any of its agencies or employees.

New Social Media "Guidelines"


The Federal CIO Council's Information Security and Identity Management Committee (ISIMC), Web 2.0 Security Working Group just released a document that will come as a boon to government security folks struggling to develop social media policy.  The "Guidelines for Secure Use of Social Media by Federal Departments and Agencies" (the "Guidelines") were released on September 17, 2009 and state that "The goal of the IT organization should not be to say 'No' to social media Web sites and block them completely, but to say 'Yes, following security guidance,' with effective and appropriate information assurance security and privacy controls."  Isn't that beautiful?  More fundamentally, isn't that what information security has always been about?

The document validates what many of us have been saying for some time now: that the decision to use social media technologies should be a risk-based business decision and not an IT security decision.  Further, it states that "The safe use of social media is fundamentally a behavioral issue, not a technology issue."  Everybody say 'Amen!'  Not only do the "Guidelines" recommend developing organizational policy for the use of social media, but that the policy should focus on personal and professional user behavior when using government information.  The "Guidelines" call for, among other things, augmented training requirements for employees and additional security monitoring and configuration controls.  I can already see CISOs across the nation smiling.

The "Guidelines" are important not so much for their content (although that matters!) as for the standard and stimulus they establish for government organizations.  With "Transparency and Open Government" the name of the game and at the top of every CIO's agenda, the "Guidelines" acknowledge that social media is not without risk and that, unless actively managed, it can introduce self-inflicted organizational wounds.  Read that again: social media is not without risk and, unless actively managed, can introduce self-inflicted organizational wounds.  Specifically, the "Guidelines" provide risk mitigation strategies and recommendations that include Policy Controls, Acquisition Controls, Training Controls, Network Controls and Host Controls that, in concert, help to minimize social media cyber-threats.

These "Guidelines" are a good document that will give CISOs and security professionals at all levels of government the support necessary to justify a firm social media policy that focuses on security risk and user responsibility.  Read it and tell me what you think.

Cyber Confusion


What the heck is going on?  Melissa Hathaway resigns as the White House's acting cybersecurity czar on Monday and today, only four days later, Mischel Kwon resigns as Director of US-CERT.

As I noted in SANS NewsBites today, http://www.sans.org/newsletters/newsbites/newsbites.php?vol=11&issue=62 this new resignation is regrettable because it appears that the momentum many of us thought was building in the federal government to prioritize cybersecurity may be waning.  While there was a lot of initial fanfare in mid-February with Ms. Hathaway being assigned to conduct a 60-day review of cybersecurity in the federal government, rumors of political interference were already beginning when the report wasn't released until the end of May.  It was then expected that the president would name a Cybersecurity Chief with the release of the "Cyberspace Policy Review" report http://www.whitehouse.gov/assets/documents/Cyberspace_Policy_Review_final.pdf but that didn't happen and now here we are, another 60+ days down the road with no apparent movement.

There has been a lot of turmoil over the past few years in the cybersecurity community at the Federal level, with, among others, Amit Yoran, Greg Garcia, Rod Beckstrom, and now Ms. Hathaway and Ms. Kwon moving on.  Mischel is the 4th Director of US-CERT in the past five years!  These are all good people, and the list of those rumored to have turned down the new cybersecurity chief job is equally impressive.  

Why is the federal government having such a hard time with cybersecurity leadership?  Is the job not defined well enough?  Too many masters to serve?  No authority over funding?  Probably a little of each.  Another reason might be that you can't just sprinkle pixie dust on someone and make them a cybersecurity expert, and on the other hand, most cybersecurity people are better at understanding technology than politics.  Whatever the reason, it's starting to look like more business as usual in Washington.

Leaving Las Vegas ... and DefCon


One thing those of us who've spent any time in the security business know is that you either learn to deal with a flexible schedule or you change professions.  Dilbert called them "unplanned emergencies" but whatever you call them, they are a fact of our life.  So here I am, sitting in the Las Vegas airport on the first day of DefCon, headed back to California.  Right now I'm missing some great sessions at the Riviera but luckily, I was able to get registered this morning (albeit with a temporary plastic badge and no schedule of events...what's up with that Jeff?) and the CD with all the presentations so it wasn't a total loss. 

 

Before heading to the airport, I was able to sit in on the first hour and hit Rod Beckstrom's "The Economics of Networks (and Beckstrom's Law)" presentation.  Rod is the former Director of the National Cyber Security Center at DHS and was recently named the CEO of ICANN.  He's also the co-founder of an acquired software company and the author of the best selling "The Starfish and the Spider" book which describes a new theory for organizational strategies. 

 

The thrust of Rod's presentation today was to introduce Beckstrom's Law and establish that, while the economics of networks do matter, rather than using the number of nodes on a network to determine its value, the real key is the number of transactions conducted and the value added by each.  Beckstrom's Law solves the valuation problem by looking at how valuable the network is to each individual user.  One of the key, and hard, things about Beckstrom's Law that Rod readily points out is that you must either have access to the transaction data or be able to measure it.  Depending upon the size of your organization, wrapping your brain around that might be a challenge.

 

Rod posits that while the economics of the basic security model are Value = Benefits - Cost, the more fundamental risk management model calls for minimizing costs, which requires additional variables that include SI (Security Investment) and L (Losses) and the new equation V = B - C' - SI - L.  It's a little too detailed for this blog, but you can get the Wikipedia description here: wikipedia - Beckstroms Law, and see the entire presentation here: The Economics of Networks.  If you spend some time with Beckstrom's Law and have thoughts or comments, I'm sure Rod would be happy to hear from you.

Another Year @ Black Hat


So, another year at Black Hat in Las Vegas has come and gone.  While attendance may have been down a little and there wasn't any legal gunslinging like in past years, when talks were pulled or moderated as a result of legal threats from the vendor community, there were more interesting talks than one person could fit into two very full days.  The challenge, like usual, was trying to decide which to attend, especially when several interesting sessions were scheduled at the same time.  I participated on a couple of panels, so that decreased my viewing availability and I missed a couple I really wanted to hear.  Not only were there a lot of great talks, the creative session naming by those selected to present was enticing.  Some of the better session titles were:  "I Just found 10 Million SSN's" (more below); "Exploratory Android Surgery"; "Mo' Money Mo' Problems: Making A LOT More Money on the Web the Black Hat Way"; "Reverse Engineering By Crayon: Game Changing Hypervisor Based Malware Analysis and Visualization"; and my favorite, "Psychotronica: Exposure, Control, and Deceit".

 

A couple of the sessions I attended and thought were particularly interesting were "I Just found 10 Million SSN's" by Alessandro Acquisti and "Cloud Computing Models and Vulnerabilities: Raining on the Trendy New Parade" by Alex Stamos, and the always popular Bruce Schneier gave a presentation called "Re-conceptualizing Security."

"I Just found 10 Million SSN's" caught my eye because it made headlines a few weeks ago when Wired magazine published an article on the subject called "Social Security Numbers Deduced from Public Data" (located here: Predicting SSNs).  Making predictions based entirely on public data, Alessandro and his colleagues at Carnegie Mellon were able to detect patterns in Social Security Administration Death Master File (DMF) information that are highly reliable.  The pattern exists because the first three digits of an SSN are tied to the state where it was issued and the remaining digits are assigned in a predictable sequence over time, so the DMF records of deceased people born around the same time and place reveal the narrow range a living person's number falls in.  Essentially, by knowing date and location of birth, in fewer than 1000 attempts the CMU folks were able to determine all nine digits of the SSNs for 8.5% of the study group.  One of the funnier things Alessandro mentioned was that during their research, in coordinating with the Social Security Administration and telling them that they thought they may have found a way to predict SSNs, he got an email back that said something like, "if you think you can figure out a way to determine the SSNs of individuals, you are smarter than I am."  What else can you say?

 

"Cloud Computing Models and Vulnerabilities: Raining on the Trendy New Parade" is the topic du jour and faddish to talk about.  Alex Stamos is one of the smarter guys I know and deceptively funny.  He's also good at understanding his audience, so he takes a very complicated subject and presents it so everyone gets it.  One of the more important points of his cloud security presentation was the legal concern about search and seizure.  Essentially, by moving data to the cloud, Alex's research says that you give up some of your Fourth Amendment protection against search and seizure, because the physical location of the data, legally speaking, is critically important.  So, where you have valid expectations of protection against unreasonable search and seizure for data in your home, putting the same data out in the cloud changes the equation and you may lose: 1) the protection of a warrant; 2) the guarantee of notice; and 3) your ability to fight the seizure beforehand.  These are things that should be consciously addressed before making the move to the cloud.

 

Finally, Bruce Schneier talked about Re-conceptualizing Security.  If you've been following Bruce's work for the past couple of years, you know that he has been studying behavioral economics, the psychology of decision making, and evolutionary biology, and how these relate to security.  Well known for his thoughts about Security Theater (security measures that do little to improve actual security but give the impression of being effective), Bruce gave a very interesting talk on the perception of security, risk, and cost.

 

Overall, another successful Black Hat conference so props to Jeff Moss and his crew.  Tomorrow, I head over to the darker side where we'll see what DefCon has in store.

Does a DDOS Equal a Cyber-War?


It's been a pretty interesting week on the cybersecurity front with the DDOS attacks on South Korea and the United States making the most headlines.  I've been trying to keep up with all of the regular media and blogs and quite frankly, it's a bit overwhelming.  There's a lot of intrigue to this story but I'm beginning to wonder now if it's been over-blown a bit because a couple of things just don't seem to add up.

The first interesting thing that jumped out at me was that, while the attacks apparently began on July 4, there wasn't any mention in the media until July 9.  This is interesting because it appears that something getting so much attention by the affected organizations wasn't even noticed publicly for at least four days.  Doesn't that sound amazing when the media is so quick to jump on anything that sounds sexy like a "cyber attack"?  From what I've been able to determine based upon dozens and dozens of "unofficial" media reports and blogs, five U.S. websites were initially assaulted by a DDOS on July 4 and that number grew to more than 35 over the next few days that included both South Korea and U.S government and private sector company websites.  Wow!

What does that really mean?  Well, the estimates I've read put the botnet at around 60,000 bots.  While it appears that the attacks were actually targeted attacks and certainly not trivial, 60,000 is also not a large botnet.  So the second puzzle is that, if the bot herder was truly a professional wanting to do harm, why would they spread the attack from a relatively small botnet across more than 35 websites?  That's lots of sizzle but no steak.  I read one blog that said this attack was "more like arming a troupe of girl-scouts with water-balloons and Nerf guns."  Seriously though, while there's no doubt that the attack caused some outages, a professional cowboy bot herder would have either mustered up a bigger herd or just attacked a small number of the most significant targets.

Here's the real perplexing question to me though - why would someone wanting to cause any real damage use a variant of the old Mydoom worm family?  This thing has been around for five years and every anti-virus vendor in the world has a signature available for it.  That doesn't pass the smell test for someone trying to do real harm...unless the DDOS was simply a diversion for some other really bad stuff going on somewhere else (but that's for those with more official intel.)

While I'm positive there is a lot more information, probably classified or at least very sensitive, that I don't have access to, on the surface this appears to be a somewhat amateurish hack that took advantage of some organizations that may not have been as prepared as they thought they were.

There are certainly some tools you can and should deploy to mitigate and deflect a DDOS (IPS at the edge, router ACLs), but the bottom line is that if you get enough traffic, from enough distributed sources, in a short enough period of time, you are going to have a problem.  Among the things (the top three in my opinion) you need to have in place BEFORE a DDOS are:

1.     Know who your carrier is and have a relationship with them so they can begin upstream filtering and be able to bump up your bandwidth (your BCP should address this) if you are under attack

2.     Have staff that are trained and know how to read logs and determine what IPs are causing the problem and need to be blocked.  If your staff is not technically prepared to understand what is going on, no amount of planning will be enough.

3.     Most important and most often neglected - have up to date contact information.  Trying to track someone down, whether it's your ISP, a vendor, or your own staff on a Saturday 4th of July holiday when your site is down and you don't have a name and telephone number can be one of the most frustrating events of your life.

Bonus #4 - If you have externally hosted web sites, know where they are, who manages them, and how to get in touch with them...on a holiday!
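As an added example of the log reading item 2 describes (this is not code from the original post), the script below takes a web server's access log, finds the source addresses that sent the most requests inside any sliding window, and turns them into block rules. The log lines, the addresses, the 60-second window and the 5-request threshold are all constructed for illustration; the Cisco-style access-list and iptables lines are only templates to adapt to your own gear.

```python
# Added example, not part of the original post: triage a web server access
# log during a suspected DDoS. Finds the source IPs with the most requests in
# any sliding window and emits block rules for them. Log lines, addresses,
# window and threshold are constructed for illustration.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed Common Log Format lines (not real traffic). 203.0.113.7 is a
# normal visitor; 198.51.100.20 and .21 are flooding; .22 sits exactly at the
# threshold; the last line is deliberately malformed.
SAMPLE_LOG = """\
203.0.113.7 - - [04/Jul/2009:12:00:01 +0000] "GET / HTTP/1.1" 200 512
198.51.100.20 - - [04/Jul/2009:12:00:10 +0000] "GET / HTTP/1.1" 200 512
198.51.100.20 - - [04/Jul/2009:12:00:11 +0000] "GET / HTTP/1.1" 200 512
198.51.100.20 - - [04/Jul/2009:12:00:11 +0000] "GET / HTTP/1.1" 200 512
198.51.100.20 - - [04/Jul/2009:12:00:12 +0000] "GET / HTTP/1.1" 200 512
198.51.100.20 - - [04/Jul/2009:12:00:12 +0000] "GET / HTTP/1.1" 200 512
198.51.100.20 - - [04/Jul/2009:12:00:13 +0000] "GET / HTTP/1.1" 200 512
198.51.100.20 - - [04/Jul/2009:12:00:13 +0000] "GET / HTTP/1.1" 200 512
198.51.100.20 - - [04/Jul/2009:12:00:14 +0000] "GET / HTTP/1.1" 200 512
198.51.100.21 - - [04/Jul/2009:12:00:20 +0000] "GET /index.html HTTP/1.1" 503 0
198.51.100.21 - - [04/Jul/2009:12:00:21 +0000] "GET /index.html HTTP/1.1" 503 0
198.51.100.21 - - [04/Jul/2009:12:00:22 +0000] "GET /index.html HTTP/1.1" 503 0
198.51.100.21 - - [04/Jul/2009:12:00:23 +0000] "GET /index.html HTTP/1.1" 503 0
198.51.100.21 - - [04/Jul/2009:12:00:24 +0000] "GET /index.html HTTP/1.1" 503 0
198.51.100.21 - - [04/Jul/2009:12:00:25 +0000] "GET /index.html HTTP/1.1" 503 0
203.0.113.7 - - [04/Jul/2009:12:00:30 +0000] "GET /about.html HTTP/1.1" 200 2048
198.51.100.22 - - [04/Jul/2009:12:00:40 +0000] "GET / HTTP/1.1" 200 512
198.51.100.22 - - [04/Jul/2009:12:00:41 +0000] "GET / HTTP/1.1" 200 512
198.51.100.22 - - [04/Jul/2009:12:00:42 +0000] "GET / HTTP/1.1" 200 512
198.51.100.22 - - [04/Jul/2009:12:00:43 +0000] "GET / HTTP/1.1" 200 512
198.51.100.22 - - [04/Jul/2009:12:00:44 +0000] "GET / HTTP/1.1" 200 512
203.0.113.7 - - [04/Jul/2009:12:01:05 +0000] "GET /contact.html HTTP/1.1" 200 1024
this line is not in common log format and is skipped
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Return (ip, timestamp, status) for a Common Log Format line, or None
    when the line does not parse; a malformed line must not abort triage."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, int(m.group("status"))


def top_talkers(lines, window=timedelta(seconds=60), threshold=5):
    """Map each offending IP to its peak request count inside any `window`.
    An IP is offending once more than `threshold` requests fall in one window."""
    events = [e for e in map(parse_line, lines) if e is not None]
    events.sort(key=lambda e: e[1])      # logs may be interleaved; order by time
    recent = defaultdict(deque)          # per-IP timestamps still inside the window
    peak = {}
    for ip, ts, _status in events:
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:        # evict requests older than the window
            q.popleft()
        if len(q) > threshold:
            peak[ip] = max(peak.get(ip, 0), len(q))
    return peak


def acl_rules(peak, family="cisco"):
    """Render block rules, worst offender first. `family` picks a template:
    'cisco' for an IOS extended access-list entry, anything else for iptables."""
    rules = []
    for ip in sorted(peak, key=peak.get, reverse=True):
        if family == "cisco":
            rules.append(f"access-list 101 deny ip host {ip} any")
        else:
            rules.append(f"iptables -I INPUT -s {ip} -j DROP")
    return rules


if __name__ == "__main__":
    offenders = top_talkers(SAMPLE_LOG.splitlines())
    for ip, n in sorted(offenders.items(), key=lambda kv: -kv[1]):
        print(f"{ip:16} peak {n} requests / 60s")
    print("\n".join(acl_rules(offenders)))
```

Run against a real log with `top_talkers(open("access.log"))` and tune the window and threshold to your normal traffic before trusting the output. Per-source blocking is what makes a 60,000-bot attack like the one above survivable, because each bot is individually noisy; against a genuinely large flood the block list outgrows what an edge ACL can hold, which is exactly why item 1, the carrier relationship for upstream filtering, comes first.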

When the Walls, Come Tumblin' Down


John Mellencamp sang about the walls tumbling down, and this week's press release by the U.S. Army telling bases to stop blocking Twitter, Facebook, and Flickr ("Army Allows Access To Social Media Websites") should be proof enough for anyone.  Following the US Navy ("US Navy Web 2.0: Utilizing New Web Tools") and the US Air Force ("New Media and the Air Force") lead, it appears that the US military has realized the value of social media not only as a tool for boosting morale but also "to facilitate the dissemination of strategic, unclassified information." 

Wow.  Who would have ever thought that the stodgy old military would get on board with something so...hip and revolutionary?  What's next, Elvis is really alive and Robert Plant is singing country music (thanks Mike)?  Actually, I'm not all that surprised.  The military has always been out in front with technology; it's just the "non-traditional" stuff like allowing Sailors, Airmen, Soldiers, and Marines to communicate in informal channels using the evolutionary brilliance of user generated content that breaks tradition.  Should we be scared?  I don't think so.  Web 2.0 technologies provide a different means of communicating and distributing information, but the risks have always been there; they're just a little more "out there" now.

One thing the military is great at is training and I think they'll be very proactive in making sure members of the military understand their responsibilities when Tweeting, blogging, and posting up on Facebook.  The challenge now will be to instill discipline in communications to everyone, not just those with a security clearance.

While the military is the latest non-traditional organization to publicly endorse social media, throughout government it's become business du jour and it's all about transparency.  President Obama's (our) new federal CIO Vivek Kundra built his professional reputation on breaking out of the traditional IT mold and using new technologies to share information with his constituents.  In California, Governor Schwarzenegger has appointed a "New Media Director" to broaden and improve the state's way of communicating with the public.  Across the country, states and local governments are rushing to give the public more of what they want...information, and Web 2.0 technologies are how they are doing it.

Anyone who thinks social media is just a fad isn't paying attention.  It's a trend and it would behoove those of us in the security business to jump on the train and start thinking of solutions to the existing security issues and the new ones that are coming.  If security becomes the party pooper (thanks Dan) on implementation of social media in our organizations, it will be disastrous for our profession.  The horse has already left the barn, we just need to make sure the saddle's tight.  What do you think?

President Obama and Cybersecurity, A New Comprehensive Approach


Last Friday, President Obama followed up on a promise he made last July during a speech at Purdue University when, as then-candidate Obama, he said "As President, I'll make cybersecurity the top priority that it should be in the 21st century. I'll declare our cyber-infrastructure a strategic asset, and appoint a National Cyber Advisor who will report directly to me."  In a speech at the White House on Friday morning, President Obama declared that 21st century challenges can't be met without a digital infrastructure and said that, "the world of cyberspace is a world we depend on every day."  I was encouraged to hear him say that the security of our nation's infrastructure is a matter of America's economic competitiveness.

The President then went on to outline the results of the 60-day review of cybersecurity in the federal government that Melissa Hathaway and her team completed in mid-April.  The resulting document, titled the Cyberspace Policy Review, is 76 pages on how the federal government is going to take a leadership role in "anchoring and elevating leadership for cybersecurity-related policies at the White House."

While he didn't name the "Cyber Czar" during the press conference, it is the number one item in the "Near-Term Action Plan" of the Cyberspace Policy Review and importantly, the document calls for the White House to lead the way forward.  How's that for leading with your chin?  I also think it was incredibly telling that the President plans to include staff to address privacy and civil liberties.  In fact, he specifically called out that the plan would not include monitoring private sector networks.

What does it mean?  From my view in the cheap seats, I'm ecstatic just to see security getting such high-level visibility.  We've been anticipating the president's actions for a while now and from my perspective, it's very good news to see him follow through.  

I plan to spend some time analyzing the Cyberspace Policy Review document and provide my perspective on it in a few days.  If you've already read and digested it, I'd love to hear your thoughts.
