vCloud Survey

VMware has created a public cloud survey with a $5 coffee gift card incentive.

Our survey asks why you chose your provider, the type of workloads you’re running, if you use intermediaries with your cloud solution, and what you perceive as the biggest benefits or concerns when it comes to cloud.

Now is your chance to let the providers know that compliance and security are (or aren’t) your top concern.

Updates to NIST SP 800-53

The National Institute of Standards and Technology (NIST) has today re-released its Special Publication 800-53.

The document I just saw says it is Revision 1, with a June 2010 stamp on the cover.

This is confusing because the current version made available to the general public is listed as Revision 3. Here is the official copy on their website with all the changes clearly marked:

800-53-rev3_markup-final-public-draft-to-final-updated_may-01-2010.pdf

Note that NIST also posted an errata document that lists just the changes to 800-53. FISMAPEDIA gives a granular comparison between Revision 3 and Revision 2.

One big change seems to be related to the FIPS 199 security categories: organizations now can use their own impact assessment formula, or something like NIST SP 800-60, instead.

Another big change is the addition of the phrase “Existing organizational policies and procedures may make the need for additional specific policies and procedures unnecessary.”

The vast majority of the edits in the document are cosmetic (e.g. changing the term one-time to replay-resistant), but here are some I found interesting:

  1. Pg 8, The supplemental guidance is explicitly said to contain no requirements
  2. Pg 22, Removed the statement that a security officer acts on behalf of CIO
  3. Pg 27, Changed the Risk Management Framework to “the organization’s approach to managing risk”
  4. Pg 38, New statement on liability in the cloud: “If a security control deficit exists, the responsibility for adequately mitigating unacceptable risks arising from the use of external information system services remains with the authorizing official.”
  5. Pg 38, New compensating controls statement for cloud: “Employing alternative risk mitigation measures within the organizational information system when a contract either does not exist or the contract does not provide the necessary leverage for the organization to obtain needed security controls.”
  6. Pg 41, New legislation reference, going way back, already mentioned on pg 51: The Atomic Energy Act of 1954 (P.L. 83-703), August 1954.
  7. Pg 43, Deleted ISO 17799 and replaced with 15408-1 through 3: Information technology — Security techniques — Evaluation criteria for IT security
  8. Pg 52, Definition of defense-in-depth: Information security strategy integrating people, technology, and operations capabilities to establish variable barriers across multiple layers and missions of the organization.
  9. Pg 54, Definition of hybrid security control: A security control that is implemented in an information system in part as a common control and in part as a system-specific control.
  10. Pg 55, Definition of an internal network now includes the security technology implemented between organization-controlled endpoints
  11. Pg 59, A surprisingly weak definition of removable media: anything “which can be inserted into and removed from a computing device”. That means anything to me. It should have reference to effort, such as “easily” or “designed to be”.
  12. Pg 63, Definition of sensitive information: Information, the loss, misuse, or unauthorized access to or modification of, that could adversely affect the national interest or the conduct of federal programs, or the privacy to which individuals are entitled under 5 U.S.C. Section 552a (the Privacy Act), but that has not been specifically authorized under criteria established by an Executive Order or an Act of Congress to be kept classified in the interest of national defense or foreign policy.
  13. Pg 66, Statement that all controls are required: The implementation of security controls by sequence priority code does not imply the achievement of any defined level of risk mitigation until all of the security controls in the security plan have been implemented. The priority codes are used only for implementation sequencing, not for making security control selection decisions.
  14. Pg 79, Level of cryptography used may depend on level of personnel clearance
  15. Pg 80, Encryption and “offline storage” added to AC-3 as supplemental guidance to reduce risk of unauthorized data disclosure
  16. Pg 84, AC-7 Unsuccessful Login Attempts does not apply to devices that have no login such as removable media, unless that media is encrypted
  17. Pg 90, AC-18 Wireless Access completely updated and references NIST Special Publications 800-48, 800-94, and 800-97
  18. Pg 91, Unclassified mobile devices prohibited in “facilities containing information systems processing, storing, or transmitting classified information”
  19. Pg 93, Portable storage media can be completely prohibited
  20. Pg 94, Publicly accessible content includes information posted on any “organizational information system accessible to the public, typically without identification or authentication”
  21. Pg 102, Time may be recorded as an offset of UTC
  22. Pg 108, New guidance on interconnection between information systems. Use a contract or try to figure out an Interconnection Security Agreement
  23. Pg 128, IA-2 Identification and Authentication: “Unique identification of individuals in group accounts (e.g., shared privilege accounts) may need to be considered for detailed accountability of activity.”
  24. Pg 133, IA-5 Authenticator Management: “Organizations exercise caution in determining whether an embedded or stored authenticator is in encrypted or unencrypted form. If the authenticator in its stored representation, is used in the manner stored, then that representation is considered an unencrypted authenticator. This is irrespective of whether that representation is perhaps an encrypted version of something else (e.g., a password).”
  25. Pg 195, SC-29 Heterogeneity: “Organizations that select this control should consider that an increase in diversity may add complexity and management overhead, both of which have the potential to lead to mistakes and misconfigurations which could increase overall risk.” Yes, do not attempt a dual-skin strategy unless you know what you are getting yourself into.
  26. Pg 196, Completely new SC-34 Non-Modifiable Executable Programs
  27. Pg 202, SI-4 Information System Monitoring includes “physical, cyber, and supply chain activities”
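
The IA-5 wording in item 24 is easier to see in code. The following is an added example, not text from the NIST publication or from this post: it models three ways a server might hold a user's authenticator and applies the IA-5 test to each, i.e. does the stored representation authenticate when presented exactly as stored? The three schemes, their function names and the work factor are assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Constructed example (not from NIST SP 800-53 or the post): three ways a server
# might hold a user's authenticator, and a check that applies the IA-5 test: if
# the stored representation works when presented exactly as stored, it is an
# unencrypted authenticator, whatever it looks like.

ITERATIONS = 100_000  # assumed work factor for the server-derived scheme


def store_static_token(token: str) -> dict:
    """Scheme 1: an API key or bearer token kept verbatim and compared verbatim."""
    return {"kind": "static-token", "value": token}


def verify_static_token(record: dict, presented: str) -> bool:
    return hmac.compare_digest(record["value"], presented)


def store_client_hashed(password: str) -> dict:
    """Scheme 2: the client hashes its password and the server stores and compares
    that hash. The stored value is a transformed password, yet it is exactly what
    the wire carries, so anyone who can read the store can log in with it."""
    digest = hashlib.sha256(password.encode()).hexdigest()
    return {"kind": "client-hashed", "value": digest}


def verify_client_hashed(record: dict, presented_digest: str) -> bool:
    return hmac.compare_digest(record["value"], presented_digest)


def store_server_derived(password: str) -> dict:
    """Scheme 3: the server salts and stretches the password itself; the stored
    digest is never accepted as an input, only recomputed from a password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"kind": "server-derived", "salt": salt, "digest": digest}


def verify_server_derived(record: dict, presented_password: str) -> bool:
    digest = hashlib.pbkdf2_hmac(
        "sha256", presented_password.encode(), record["salt"], ITERATIONS
    )
    return hmac.compare_digest(record["digest"], digest)


def stored_form_is_usable_authenticator(record: dict) -> bool:
    """IA-5 test: present the stored representation itself and see if it passes."""
    if record["kind"] == "static-token":
        return verify_static_token(record, record["value"])
    if record["kind"] == "client-hashed":
        return verify_client_hashed(record, record["value"])
    if record["kind"] == "server-derived":
        # The stored representation is the PBKDF2 digest; feeding it back as a
        # password fails because the server re-derives from the salt.
        return verify_server_derived(record, record["digest"].hex())
    raise ValueError(f"unknown record kind {record['kind']!r}")


def classify(record: dict) -> str:
    """Label a stored authenticator the way the IA-5 guidance does."""
    if stored_form_is_usable_authenticator(record):
        return "unencrypted authenticator"
    return "protected authenticator"


if __name__ == "__main__":
    for rec in (
        store_static_token("sk_live_example_token"),  # constructed sample value
        store_client_hashed("correct horse battery staple"),
        store_server_derived("correct horse battery staple"),
    ):
        print(f"{rec['kind']:15s} -> {classify(rec)}")
```

Only the third scheme survives the test. The second one is the trap the guidance describes: the value in the store is "an encrypted version of something else", but because it is used in the manner stored it must be protected like a plaintext password.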

Still awake?

Azure Appliance Security

The Microsoft announcement that it is moving the cloud service into an appliance and semi-private service comes at the same time that the Amazon CTO calls private clouds “false clouds”.

Stepping aside from all the marketing about what is real and what is false, I think this move by Microsoft raises some great security and compliance questions.

First, I seem to remember Salesforce rumbling about this public-private service model as far back as 2005, around the time of the Google search appliance. The idea then was to take a web service and package it so it can receive updates but that’s it. This allows an entrance into a market that has a natural fear of getting into a service like cloud. It also helps reduce the expense of Salesforce trying to establish a meaningful cloud compliance or confidence message.

Microsoft is taking steps in this direction now. ComputerWorld reports that Muglia offers details on Microsoft Azure Appliance

Once settled in the data center, the appliance will be connected to Microsoft’s own instance of Azure. “We will maintain a flow of new software down to all of the appliances so they will be kept up to date,” he said, adding that the customer will retain control over factors such as when to apply updates and which services to deploy.

That sounds a lot like having another Microsoft product in a private environment that gets new software through the update service. Cloud? Oops, never mind, I started to get into the definition again.

I am more interested to know what kind of logging, monitoring and access controls are in place. Naturally it is completely absent from the ComputerWorld article. The word “security” and the word “compliance” are not used a single time! Here is a good example question: does Microsoft, or Salesforce for that matter, maintain their own accounts with access to data in these appliances? That would make “change vendor defaults” for regulations and compliance very difficult to achieve.

WMD Definition

A comment on Bruce’s blog today pointed me to a law in North Carolina that says a sawed-off shotgun is a weapon of mass destruction.

It looks like an afterthought in the text of the actual law, G.S. 14-288.8:

(c) The term “weapon of mass death and destruction” includes:
(1) Any explosive or incendiary:
a. Bomb; or
b. Grenade; or
c. Rocket having a propellant charge of more than four ounces; or
d. Missile having an explosive or incendiary charge of more than one-quarter ounce; or
e. Mine; or
f. Device similar to any of the devices described above; or
(2) Any type of weapon (other than a shotgun or a shotgun shell of a type particularly suitable for sporting purposes) which will, or which may be readily converted to, expel a projectile by the action of an explosive or other propellant, and which has any barrel with a bore of more than one-half inch in diameter; or
(3) Any firearm capable of fully automatic fire, any shotgun with a barrel or barrels of less than 18 inches in length or an overall length of less than 26 inches, any rifle with a barrel or barrels of less than 16 inches in length

One-quarter ounce charge? That seems amazingly low to me, given that the definition is for mass death and destruction. Is it really necessary to define a quantity for heavy or mass casualties, or do these terms reflect instead the intent of an attacker?

It reminds me of one particular controversy over casualty counts: the Nazi aerial bombing of a Spanish town in 1937 as immortalized in the Clash song Spanish Bombs.

This tragic attack is thought to be the origin of the term WMD due to the direct assault on civilians with three hours of bombing waves using newly developed “firebombs”.

“…The only things left standing were a church, a sacred Tree, symbol of the Basque people, and, just outside the town, a small munitions factory. There hadn’t been a single anti-aircraft gun in the town. It had been mainly a fire raid.

…A sight that haunted me for weeks was the charred bodies of several women and children huddled together in what had been the cellar of a house. It had been a refugio.”

Eyewitnesses estimated that, aside from a series of 1,000-pound bombs, some 3,000 two-pound aluminum incendiary projectiles were used.

In the form of its execution and the scale of the destruction it wrought, no less than in the selection of its objective, the raid on Guernica is unparalleled in military history. Guernica was not a military objective. A factory producing war material lay outside the town and was untouched. So were two barracks some distance from the town. The town lay far behind the lines. The object of the bombardment was seemingly the demoralization of the civil population and the destruction of the cradle of the Basque race. Every fact bears out this appreciation, beginning with the day when the deed was done.

Monday was the customary market day in Guernica for the country round.

Wikipedia claims the ratio was likely forty tons of bombs dropped for as many as 1,700 dead, or 43 dead per ton of explosives. The town only had about 7,000 inhabitants. It then compares this number to bombing raids in WWII that averaged a ratio of about 10 dead per bomb.

The vast difference in ratios between Guernica and other bombing raids has led James Corum of the Army War College (mixed motives?) to argue that high casualty counts from bombs are propaganda:

From the 1930s to the present, the effect of airpower to produce casualties has been overestimated out of the ignorance of the press and the common perceptions of airpower. In some cases, the civilian casualties caused by air attack have been deliberately overstated in order to make a propaganda point. Recent conflicts such as the Gulf War demonstrate that the perceptions of heavy civilian casualties remain even if great care is taken to limit collateral damage in an air campaign. The recent wars show us that the deliberate falsification of civilian casualties from air bombardment is likely to remain as a major propaganda theme.

The propaganda theme?

Perhaps estimates are inflated to show that weapons with the potential for mass destruction actually cause mass destruction.

It is not always so simple, however, as I have mentioned before. Looking at Guernica versus other bombing runs I am curious about the effect of defenses like balloons, better civilian preparedness, and other significant target differences. That takes me back to the core definition of WMD. Furthermore, propaganda seems to run both ways. Here is another angle, completely the opposite from the “propaganda point” argued above:

It is impossible to state yet the number of victims. In the Bilbao Press this morning they were reported as “fortunately small,” but it is feared that this was an understatement in order not to alarm the large refugee population of Bilbao.

Add that perspective to the fact that the Nazis claimed the town was really damaged by retreating civilians and not by the bombing raid.

In other words, history shows it is more revealing to investigate motives and means when trying to regulate WMDs. This is likely to be more on target than searching for an agreed measure of what causes severe or mass destruction. The question then becomes: what is the intended use of an incendiary bomb, or of a shotgun with a barrel of less than 18 inches?