Tag Archives: fisma

Who will be the Jamaica Ginger of Information Security?

I read a short section in Bruce Schneier’s book Liars and Outliers that tells the tale of Jamaica Ginger:

“an epidemic of paralysis occurred as a result of Jamaica Ginger… it was laced with a nerve poison… and the company was vilified”, but not until tens of thousands were victims. That episode helped bring about the modern FDA.

To date, throughout most industries there is no absolute requirement, backed by meaningful incentives, to introduce and sustain operational information technology safeguards. There are isolated elements focused on particular threats and fraud (PCI DSS for the payment card industry, NERC CIP for the energy sector, and so on). So what will be the Jamaica Ginger of information security?

Some predict that it will take a cyber-war (a real one): societal disruption severe enough, and sustained long enough, to survive the policy development process and to drive the resulting legislation through to completion. OSHA, the FDA, and other such entities exist as a result of events like that.

The best course for enterprises is to mature and operate security functions sufficient to address their information technology concerns in the marketplace. This serves self preservation; it is a (perhaps selfish) demonstration that no legislation or new body (a "Federal Security Bureau", say) needs to be established; and it is preparation, so that should such a requirement be introduced, the changes to your business would be incremental at most.

Other thoughts?

James DeLuccia

How to improve the maturity of your security program – Learn from the mistakes made by others!

Organizations struggle with the complex information security compliance demands placed upon them.  Mature organizations carry out regular self review and improvement activities, at least annually and in some organizations as often as monthly.  These organizations are fortunate to have larger security teams that reflect their global (think Fortune 500) deployment of assets.  That network provides an immensely valuable feedback loop on the following, among many other things:

  • Which practices are effective
  • Which policies work well for the business, and where exceptions are being raised frequently, which may indicate unknown business requirements
  • Attack patterns and weaknesses in the security program, based on statistical review of events within the business
  • Where programs are meeting customer / client requirements, based on sales attributions and audit findings respectively

For organizations of this sophistication, and for those of every other size, there is an additional input that raises the overall efficiency and effectiveness of the security compliance program: self comparison against public data.  Specifically, data released in government audits, intelligence committee reports, and guidance and complaints issued by government enforcement agencies.  These give businesses across all sectors insight into security threats, trends, shifting perceptions of "due care", and areas where risks are ebbing and flowing.

A simple set that an organization may consider includes:

The takeaway here is that every organization should regularly identify these sources, consolidate them in a form that can be analyzed, and produce an intelligence report on any gaps in its own practices and security controls relative to what these sources document.  This applies to every organization, not only those in the government space.  Careful analysis against the organization's strategy, combined with the working knowledge of its practitioners, is what makes these benefits real.

This article grew out of close work with Fortune 50 organizations in developing leading global security programs.  A nice article illuminating this and other opportunities for improving security compliance programs is Adam Shostack's "The evolution of information security".  A very good read.

Thoughts and expansions of the idea are always welcome!

James DeLuccia IV


Managing information Security in an ever changing environment

Can a network be defended and secured?  Of course; observe the red team / blue team exercises run by businesses, governments, and at conferences.  There is one catch: these exercises do not reflect reality.  Businesses are living networks under constant change, whether driven directly by the business or indirectly by the winds of the market and the world as a whole.

A fine quote that brought this home for me appeared in an NSA publication: "One simply must realize that while the search for the right foundations proceeds, construction will continue."  The article describes how the Duomo in Florence was begun without anyone knowing how to build the planned dome at the top.  That is akin to information security today: the task is to build and execute a security program that reflects the fact that the business is in constant development, and that we will not always "know" what is effective for where we are going.  Think of mobile and cloud security as the current sources of concern and challenge.

The takeaway is to recognize that the standards organizations build their security programs upon (ISO 27001, NIST) and are regulated and audited against (PCI DSS, NERC CIP under FERC oversight) are themselves in a constant state of change.  This is matched only by the changing foundations of what information security is protecting (mobile, cloud, and so on) and the market demands placed on the organization.  Standing still is not the answer.  Iterating rapidly, with a conscious focus on the strategy of the organization and a security program that enables it, will extend the longevity of the organization and the effectiveness of the security compliance program itself.

NSA Article referenced:  “Cybersecurity: From engineering to science” by Carl Landwehr

Other thoughts?

James DeLuccia IV

Synergy and specificity, a review of Forrester’s Simplify Cybersecurity w/ PCI

The recently published Simplify Cybersecurity With PCI, by Heidi Shey and John Kindervag, is an interesting and valuable read.  Its premise is that government regulations (any, really) are generally abstract and principle focused, without prescriptive how-to descriptions, whereas the payment card industry standard (PCI DSS v2.0 in this case) is direct about what technology controls should be deployed and how.  The authors present a synergy between the two that can help an organization establish a security program.

I would definitely recommend that businesses struggling to establish a security program review the concept.  I would challenge those establishing or enhancing security programs to focus on their core business strategies and on an iterative cycle, not simply a controls exercise.  Ultimately I agree there are synergies as the authors describe, and I find the mapping quite insightful, but I would pair it with the cyclical nature of an ISMS to round out the edges and make it a more pragmatic and ultimately more effective program.

One further note: the authors take PCI DSS to be an appropriate basis for the mapping, but I would caution readers and all who utilize PCI DSS.  The standard is written for a specific set of risks and is typically bounded by the scope of the cardholder data environment.  When building on it, those limiting assumptions must be recognized and addressed first, before a proper security program, and ultimately a compliance program, is established on top of it.

Other thoughts?  I have personally done many mappings (most recently 134 global regulations and guidances) and can appreciate the value of such alignments, but each standard carries assumptions that must be managed at the program level.


James DeLuccia

Compliance mandates do not make up your enterprise security program (PCI, SOX, GLBA, etc.. included)

A challenge for large businesses is addressing their own information security needs so that they can operate in a manner that keeps them resilient and adaptable in an ever more competitive marketplace.  Each organization is different, in its risks and in what it needs to mitigate.  A painful development of the past decade has been the mistaken direction organizations have taken in building programs around single compliance requirements: one for a vendor, one for the SEC, one for an industry body, and so on.  Not that these are unimportant, but a natural effect is the perception that security "controls" (even the word casts them in an audit light) exist only to achieve compliance.

The mistake is pursuing compliance with compliance requirements alone.  That leaves a gap where the business' OWN needs should be.  Over the past year I have spoken on this topic publicly at conferences, and my book has a heavy focus on aligning and establishing business requirements cohesively.

To elaborate on the graphic: the CxO office must know and share its strategy.  This is typically easy to find; I generally begin building these programs from the last two years of 10-K reports.  The strategy feeds the information security program elements and forms the decision framework for all technology, security controls, risk frameworks, sourcing considerations, recovery timelines, and so on.  The compliance elements must also be addressed, but with the understanding that they are risk transfer activities imposed by third parties: a single consideration within the enterprise program, not its basis.

The organization's ability to meet competitive market requirements depends on getting this balance right.  Here you can see the target: 85% of the program is made up of the business' own innovative and market driving / supporting activities, and 15% of meeting these 'license to operate' requirements.

The takeaway is to challenge your organization's singly managed compliance initiatives and to take a deep dive on how the budget aligns with business revenue generation.  The safeguards must be rationalized so that the business is efficient and effective; that means safeguarding the business while enabling it to conduct business, everywhere.

Thoughts?  Challenges?


When Cryptography is irrelevant, bypassing key card security

A malware-driven attack against ActivClient, software that provides secure smart card authentication (cards complying with GSC-IS 2.1), has recently been highlighted.  The attack is described in detail on a number of sites, such as Security Week, and I would encourage reading AlienVault's explanation of it.

What is interesting here, and relevant to all security practitioners and sectors, is that cryptography can be made irrelevant at some level.  The immense sophistication of the cryptography and hardware manufacturing built into these key cards and their infrastructure is countered, in this case, simply by capturing the PIN associated with the key.  That gives an attacker access to the very resources the card was designed to restrict.  Specifically, the attack works because the attacker obtains the PIN through a key logger, associates it with the certificate on the local computer, and then uses it against remote resources protected by the card whenever the card is connected.

In all, a pretty elegant way of sidestepping what would be a complex and low-return attack vector (attacking the cryptography itself).

The takeaway is that, as always it seems, the old assumption that hardware, cryptography, and standard processes are enough is wrong.  A practice of continually evaluating the impact of new attack variants and new attacker capabilities is required.  Moreover, the ongoing attacks on the underlying security safeguards themselves, as a means of attacking an organization, have reached a critical level.  In the past 12 months anti-virus source code has been stolen; two-factor authentication tokens have come to be perceived as insecure due to the RSA breach; certificate authorities have been breached and poisoned; and now this demonstration of bypassing card security.

Yes, the malware could be detected by anti-malware and behavioral IPS technology on the network and host.  Yes, the increased activity and parallel queries from a single user could be detected.  The vulnerabilities that allowed the installation in this particular case could also be patched.  The result, though, is still an ongoing need to evolve security practices: monitor and respond rapidly to suspect activity, and reduce and limit access as much as possible.
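As an added example of the "increased activity / parallel queries" signal mentioned above (this is not code from the original post, AlienVault, or ActivClient), here is a small detector that scans smart card authentication events and flags a card identity that authenticates to an unusually large number of distinct resources inside a short window, which is the footprint of malware riding an inserted card. It goes one step beyond the post by also flagging the same card identity authenticating from two different hosts within the window, something a single physical card in one reader should not do. The log format, the host and resource names, and the sample events are all constructed for the example; the window and threshold values are assumptions to be tuned against real baselines.

```python
"""
Added example: detect a smart card identity being used in a burst
(many distinct resources in a short window) or from more than one host
at once.  The event format and all sample data below are constructed
for this example and do not correspond to any real product's logs.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events: timestamp, certificate subject (card identity),
# source host, target resource.  asmith behaves like a person; jdoe's card
# is being driven by malware (burst of resources, then a second host).
SAMPLE_LOG = """\
2012-01-12T09:00:01 CN=asmith host=WS-17 resource=mail.example.test
2012-01-12T09:03:10 CN=asmith host=WS-17 resource=portal.example.test
2012-01-12T09:05:00 CN=jdoe host=WS-42 resource=mail.example.test
2012-01-12T09:05:02 CN=jdoe host=WS-42 resource=portal.example.test
2012-01-12T09:05:03 CN=jdoe host=WS-42 resource=fileshare.example.test
2012-01-12T09:05:04 CN=jdoe host=WS-42 resource=hr.example.test
2012-01-12T09:05:05 CN=jdoe host=WS-42 resource=eng-wiki.example.test
2012-01-12T09:05:06 CN=jdoe host=WS-42 resource=finance.example.test
2012-01-12T09:05:30 CN=jdoe host=WS-09 resource=vpn.example.test
2012-01-12T09:20:00 CN=asmith host=WS-17 resource=fileshare.example.test
"""


def parse_event(line):
    """Parse one constructed event line into a dict."""
    ts, subject, host, resource = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "subject": subject,
        "host": host.split("=", 1)[1],
        "resource": resource.split("=", 1)[1],
    }


def detect_card_abuse(log_text, window=timedelta(seconds=60), max_resources=4):
    """Return one alert per (subject, kind) seen in the log.

    kind == "resource_burst": more than max_resources distinct resources
        authenticated to within `window` (assumed threshold).
    kind == "multi_host": the same card identity authenticating from two
        different hosts within `window`, which one physical card cannot do.
    """
    recent = defaultdict(deque)   # subject -> events still inside the window
    flagged = set()               # (subject, kind) already reported
    alerts = []

    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        q = recent[ev["subject"]]
        q.append(ev)
        # Drop events that have aged out of the sliding window.
        while q and ev["ts"] - q[0]["ts"] > window:
            q.popleft()

        resources = {e["resource"] for e in q}
        hosts = {e["host"] for e in q}

        if len(resources) > max_resources:
            key = (ev["subject"], "resource_burst")
            if key not in flagged:
                flagged.add(key)
                alerts.append({"subject": ev["subject"], "kind": "resource_burst",
                               "at": ev["ts"], "resources": sorted(resources)})

        if len(hosts) > 1:
            key = (ev["subject"], "multi_host")
            if key not in flagged:
                flagged.add(key)
                alerts.append({"subject": ev["subject"], "kind": "multi_host",
                               "at": ev["ts"], "hosts": sorted(hosts)})
    return alerts


if __name__ == "__main__":
    for alert in detect_card_abuse(SAMPLE_LOG):
        print(alert)
```

On the constructed sample this reports two alerts for CN=jdoe (a resource burst at 09:05:05, then a second host at 09:05:30) and nothing for CN=asmith. In practice the window and threshold would be set from an observed per-user baseline, and the detector would run over the authentication logs of the resources the card protects rather than over a text file.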

Other thoughts and avenues?

Kind regards,

James DeLuccia IV



Excerpts from s.773 as introduced in the U.S. Senate: Cybersecurity Act of 2009

The following excerpts from S.773 were of particular interest to me.  I strongly suggest reading the full bill and the comments included here, as this will be impactful to global information technology security controls in the near future.


(b) CRITERIA FOR STANDARDS- Notwithstanding any other provision of law (including any Executive Order), rule, regulation, or guideline, in establishing standards under this section, the Institute shall disregard the designation of an information system or network as a national security system or on the basis of presence of classified or confidential information, and shall establish standards based on risk profiles.

Developing standards based on a "Risk Profile" is far more universal, and far more feasible to execute, than the minutiae that exist broadly today.  It is important to note that the risk profile of one institution will differ from another's based on infrastructure, management setup, personnel, and the third party service providers involved in its business or government processes.  This is equally true for businesses, and it is a point often raised about PCI DSS: it addresses specific risks for specific data, but is not an appropriate information security framework for a whole business, or for every business.


(a) IN GENERAL- Within 1 year after the date of enactment of this Act, the Secretary of Commerce shall develop or coordinate and integrate a national licensing, certification, and periodic recertification program for cybersecurity professionals.
(b) MANDATORY LICENSING- Beginning 3 years after the date of enactment of this Act, it shall be unlawful for any individual to engage in business in the United States, or to be employed in the United States, as a provider of cybersecurity services to any Federal agency or an information system or network designated…as a critical infrastructure information system or network, who is not licensed and certified under the program.

The establishment of a mandatory certification program is important and valuable.  I would stipulate that a series of certifications be offered (likely from an existing training provider, such as SANS) reflecting specific subject areas: network security, application security, governance and compliance, and so on.


(b)(1) shall have access to all relevant data concerning such networks without regard to any provision of law, regulation, rule, or policy restricting such access

The consolidation of "relevant data" will create a large amount of information that can be transformed into very actionable intelligence for both public and private institutions.  It is good that (c) INFORMATION SHARING allows the private sector to access this data repository; the trending and innovation that could be developed from it would be significant.  Conversely, it is also highly risky to set up widespread data sharing permissions and large scale transmission of likely sensitive data, and organizations will be inclined to apply data masking and privacy measures that limit their risk but also the value of the data.

(2) may declare a cybersecurity emergency and order the limitation or shutdown of Internet traffic to and from any compromised Federal Government or United States critical infrastructure information system or network

This section has received widespread attention, so I shall not comment further, but it is a concern that should be evaluated by all parties.

As this bill is debated and amended it will surely change, but it is critical that security professionals understand its intent, because that core intent is what will prevail in the long term.  The focus on information security and national threats is escalating, as highlighted in the 2009 Report to Congress of the U.S.-China Economic and Security Review Commission and in "Capability of the People's Republic of China to Conduct Cyber Warfare and Computer Network Exploitation" (there are many threats across the globe; these two reports are highlighted simply because of their recent release).

Comments / Concerns?

James DeLuccia