A couple weeks ago, NASA announced it was all but done with certification and accreditation (C&A), calling it “cumbersome and expensive.” Many were intrigued by such a statement – not because it was wrong, but because it represented a potentially interesting shift in the status quo, done in a somewhat rebellious manner. NASA instead favors a “risk-based approach” that relies more heavily on continuous monitoring. NASA also cited significant cost savings from cutting back C&A activities.

Seemingly in direct response to this outburst, NIST has now released an update to their continuous monitoring FAQ, specifically pointing out that C&A activities are a necessary component of risk-based management of systems, and highlighting that continuous monitoring alone is insufficient.

One of the true oddities of the NASA statement is that continuous monitoring is only one component of the overall NIST Risk Management Framework (RMF). It’s unclear how they concluded that they could just pick one box out of the overall process and claim it covers everything – especially considering their claim to be seeking a risk-based approach.

Of course, in the end it may not matter at all. The House has passed FISMA reform this past week in it’s national security spending bill (also see this Information Week article; didn’t we used to call it “Defense appropriations”? anyway…). The bill also calls for the establishment of a “National Office of Cyberspace” to have better authority than Howard Schmidt currently has in his White House cabinet position. Similarly, the Senate is also pushing through reform, including yet another hare-brained attempt to give the federal government broad, sweeping powers over private critical infrastructure in “emergency” situations. This time around, the bill seeks to authorize DHS with such powers, whereas previous attempts focused on authorizing the President directly. We’ll see what becomes of this, but suffice to say that the move has not gone unnoticed in the security community.

The FTC released a statement last Friday indicating that they would push back enforcement of the FACTA Red Flag Rules to the end of the year. This is just the latest delay in enforcement, with the previous enforcement deadline having been June 1st. The delay comes as professional organizations continue to chafe at their inclusion in the scope of action. Courts have already ruled that the American Bar Association (ABA) and its membership are to be excluded from enforcement. The American Institute of Certified Public Accountants (AICPA) and the American Medical Association (AMA) have also filed cases protesting their inclusion.

From the FTC press release:

“Congress needs to fix the unintended consequences of the legislation establishing the Red Flags Rule – and to fix this problem quickly. We appreciate the efforts of Congressmen Barney Frank and John Adler for getting a clarifying measure passed in the House, and hope action in the Senate will be swift,” FTC Chairman Jon Leibowitz said. “As an agency we’re charged with enforcing the law, and endless extensions delay enforcement.”

For more information, please check out the following links:

• Wikipedia: Fair and Accurate Credit Transactions Act (FACTA)
• FTC Business Alert: New ‘Red Flag’ Requirements for Financial Institutions and Creditors Will Help Fight Identity Theft
• Legal analysis by The InfoLawGroup on the Red Flag Rules

Today, in advance of the 2010 RSA Conference, I had the benefit of attending the 10th CSO Council Bay Area Round Table: The Last Mile: The End of Paper. It has been an interesting exercise with a mock trial (moderated by two Judges) involving three wills signed with three different technologies: ink signature, closed system electronic signature, and digital signature.

You would think this would be an easily decided scenario; the digital signature is a superior and more trustworthy technology, right?  Well, not when you change the rules a bit. Basically they made the strength of process the inverse of the strength of the technology.  Here are the key points from today’s trial, and I’d like your suggestions on which one you’d pick.

• Will 1: Ink Signature: happened a long time ago, seems to be in order but there are no surviving attesters to the signature. Gives the entire estate to his wife, and if she predeceases him, his son.  As of today, the wife did predecease him, and his son has become estranged, will #2 being part of the reason.
• Will 2: Electronic Signature: signature is just a hash of the user name and the document being signed.  Gives 1/2 the estate to Stanford University, and the other 1/2 to his son.  The signature was not attested to by any other individuals.  There are no security controls over the log files and no way to prevent modification. However, everything seems to be in order with the signature.
• Will 3: Digital Signature: signature uses the internal PKI of a legal firm which stores private keys on USB memory sticks (not cryptographic devices). A paralegal of the firm who helped create the PKI process is the sole beneficiary.  The signature was counter-signed by two other individuals.  The paralegal (“Bubbles”) administers the PKI system and theoretically could have recreated signatures or digital IDs.

So, if you had to vote for one of these as a juror, which one would you choose?  Personally? I think all 3 are terrible and I fear the entire estate may need to go to probate.  Let us know what you would choose as a juror in the comments.

SearchCompliance.com has posted an article detailing important regulatory compliance trends that will affect IT in 2010. The trends that were listed include:

• Automation of compliance processes
• More regulation en route
• FISMA compliance reform
• More enforcement for noncompliance
• Federal data breach and privacy laws emerge
• Cloud computing complicates compliance
• SOX compliance for small companies
• Migration to risk management

I was quoted in a couple parts of the article with my visions of the future related to FISMA and risk management. It’s worth a read and a comment if you think they missed anything, or if my predictions are way off!

Dan Kaminsky posted on twitter the following:

http://eprint.iacr.org/2010/006.pdf Is it time to deprecate 1024bit RSA for, say, 1276bit? (2048 has perf issues.)

The link Dan provided is a research paper which reports the successful factorization of the 768-bit number from the original 2001 RSA challenge. I responded to him that NIST had already deprecated the use of 1024-bit RSA in the government, and it was time for industry to follow suit. Since I posted that, I’ve been surprised that a number of people don’t understand the upcoming changes in key lengths and algorithm strengths that have been mandated by NIST. So, this post offers some information about why I can confidently say the U.S. government has deprecated certain algorithms and key lengths.

(more…)

As a recent slashdot article points out, Amazon has honestly admitted that it is impossible to attain PCI Level 1 compliance on an application built on their EC2 (computing) and S3 (storage) services.

It is possible for you to build a PCI level 2 compliant app in our AWS cloud using EC2 and S3, but you cannot achieve level 1 compliance. And you have to provide the appropriate encryption mechanisms and key management processes. If you have a data breach, you automatically need to become level 1 compliant which requires on-site auditing; that is something we cannot extend to our customers.

We wrote a short whitepaper covering a brief security overview of cloud computing, and this is one of the topics we have been concerned about.  I’m currently en route to perform an on-site assessment of a service provider for a customer of ours.  This type of assessment provides my customer a great deal of confidence that they can trust their business partner.  If the provider of cloud services either won’t let you (or your auditor) visit their data centers, or can’t tell you which one to visit (because your data is unpredictably stored in many different locations), then it is impossible to get the same level of confidence that your data is being stored and protected.

Cloud computing isn’t for everything. It’s not going to be a good fit when you need compliance with PCI or similar standards, or your security policies require on-site assessments. Kudos to Amazon for admitting that.

On Wednesday, while the virtualization and cloud computing topics were continuing to see a lot of coverage, I began to focus my attendance in some different areas. The first Wednesday keynote included a brief discussion of the 60-day cybersecurity review by Melissa Hathaway, Acting Senior Director for Cyberspace for the Obama administration. While she did not tip her hand regarding what would be in the final report, she spent a lot of time discussing the importance of the report and the work which will come out of it. You can read her speech by following the word document link on this article in The Atlantic.

Also on Wednesday was a panel discussion on the increasing prominence of legal and audit concerns in security featuring two federal judges and two lawyers. The presence of two federal judges at the RSA conference should be viewed as good news, as it clearly demonstrates that the legal system is taking note of and participating in a dialog with the security industry as a whole. Also there was an individual talk in the Governance-Legal track in the same thread, “eDiscovery Cooperation Workshop for Attorneys and Technologists”. Meaningful information security-related laws and regulations can only be developed and enforced by a team which includes the legal system and the security practitioners.

Other sessions that were heavily attended and well regarded were individual sessions for which there is not yet a link for video or audio. These include “Is Google Evil?” by Ira Winkler, and “The Danger that Lurks in the Internet’s Core Protocols” by a panel including Jeff Moss, Dan Kaminsky and Anton Kapela.

In 2007 a handful of companies (including Google, Microsoft, and Yahoo) decided to draft a set of guidelines influencing the behavior of online businesses when it comes to the subject of policies and regulations dealing with human rights. It was to be a kind of unofficial voluntary code of conduct initiative thing.

According to this letter(pdf) from Yahoo to Senators Durbin and Coburn:

Principles on Freedom of Expression and Privacy [...] provide direction and guidance to the ICT industry and its stakeholders in protecting and advancing the enjoyment of freedom of expression and privacy globally. The Principles describe key commitments in the following areas: Freedom of Expression; Privacy; Responsible Company Decision Making; Multi-Stakeholder Collaboration; Governance, Accountability & Transparency

Along with censorship and freedom of speech, the idea was also to provide general requirements for privacy. The idea also calls for a way to determine if a company is compliant with the code and a way to hold companies accountable if they violate it.

This is important because it shows that some of the most relevant internet-based companies are taking the rights of their users seriously. So seriously, in fact, that they are willing to sponsor a set of guidelines that help other companies protect THEIR user’s rights as well. If more companies get on board, this could be a step in the right direction in helping to strengthen the trust between service provider and user.

We’re constantly looking over, analysing, and adhering to narrowly defined security standards in the IS field. These standards are focused on large companies, yet what is there for the little guy?

Websites slap on labels like “Hacker Safe”, which we don’t trust and there are countless blogs vulnerable to a number of security holes, gaps, and simple poor configuration.

What we need is an open-source set of general security recommendations and guidelines for a host of applications – encryption, blogs, and even social networks. The formula for these guidelines to work, be useful, and adopted are,

• Keep Them General - Don’t include specific instructions on how to configure a setting.
• Have Input From Independent Security Experts – The people that work, teach, and have “intangible” experience working in information security.
• A Ranking System - What something protects against, how effectively it does it, and how difficult is it to configure.

Such a set of open source standards, would do wonders for not only the people using them, but the companies that stand behind them. Especially smaller companies who can respond quickly, speak more freely with the public, and have a more varied palate of work vs. a large corporation.

Why not have a set of well-scrutinized general security guidelines that could be adopted by schools, independent consultants, or Web developers?

Cisco unveiled a blueprint to address Payment Card Industry data security for the healthcare industry.

The blueprint is intended to provide healthcare organizations with a model for safeguarding patient financial transaction data and other personally identifiable information that is captured and processed within a healthcare facility or retail pharmacies. Called PCI for Healthcare Solution, it offers design and implementation guidelines to protect credit card, patient demographic and employee information.

Stats collected by Cisco are showing that external data security related attacks on the healthcare industry have increased 85% between January 2007 and January 2008. One in four healthcare executives do not know where their sensitive data is located, the vendor says. Also, many organizations do not have a security framework in place to provide optimal protection.

I like this idea because it shows a strong cross reference between two completely different types of industry (retail / healthcare). It shows that standards and practices that have already proven to help secure and improve industry trust, can be carried over into other forms of industry. The healthcare industry is already heavily flooded with many standards of it’s own that one would think there wasn’t anymore room to grow. But something like this, if implemented correctly could be a helpful hand in an over saturated area.