Comments on TaoSecurity Blog: FISMA Redux
Blog author: Richard Bejtlich
(Blogger comment feed for the post, last updated 2023-10-16; 24 comments, newest first)

Anonymous, 2007-09-20 06:05 (-04:00)

Enforcement of compliance regulation is a must for many organizations, but implementing, establishing and maintaining the same is a tough task due to complexity and cost. The www.Training-hipaa.net website provides a wonderful and valuable template suite which any organization, small or big, can use to meet their compliance requirements for HIPAA, Sarbanes-Oxley (SOX), FISMA, ISO 17799 or any other regulation/standards requiring business impact analysis, risk assessment, disaster recovery planning (DRP), business continuity plan (BCP) and testing and revision of plan.

http://www.training-hipaa.net/template_suite/enterprise_contingency_plan_template_suite.htm

Anonymous, 2007-09-16 14:25 (-04:00)

Thanks for the nice post!

Anonymous, 2007-07-31 09:10 (-04:00)

I would like to introduce one website for your visitors which I recently discovered, a very good regulatory compliance website which provides all the useful information regarding FISMA and also provides good information about other regulatory compliance authorities such as HIPAA, ISO 17799, OSHA, etc.
http://www.compliancehome.com/topics/FISMA/

Anonymous, 2007-03-23 23:14 (-04:00)

To wii wii et al - The IP address is an error/typo that I should have caught. As I recall, the thought was to discuss egress filtering and looking for invalid/spoofed IP addresses coming from inside one's own network (an IP address that is invalid on your own network). Thank you to Richard for his keen eye and pointing this out.

Richard Bejtlich, 2007-03-22 09:25 (-04:00)

little G, please tell me how you would render 295 using the 8 bits available in the first octet of an IPv4 address?

In all my years doing incident response I have never seen anyone alter a log file to change an octet of an IP address to be a value outside of the range valid for IPv4. Maybe on Mars, where I hear they use 36 bits (9 bits per "octet") for an IP address, you can have 295 as the first value.

As for wii wii's comment, that is clearly not what the FISMA book is discussing.

Anonymous, 2007-03-22 00:58 (-04:00)

There are programs that can generate dword IP addresses or octal IP addresses that may look non-standard. Try doing 'ping 0100.0351.0273.0143', which is an octal IP address. Spammers sometimes use octal or dword IP addresses for obfuscation.
Try doing 'ping 1089059683'; also try using hex IP addresses.

Anonymous, 2007-03-21 22:49 (-04:00)

Only the destination IP address has to be valid when launching an attack.

Anonymous, 2007-03-21 22:41 (-04:00)

I don't know for sure, but I'm guessing that the point that was trying to be made was that if you see an invalid IP address in a log file, then obviously something is awry and you will know that something has been inappropriately modified. It is pretty easy to modify log files to make them say anything.

Richard Bejtlich, 2007-03-21 16:55 (-04:00)

For those of you who haven't read my review, the IP address comment is:

    The "Suspicious Events That Are Worth Auditing" chart on p 348 really made me laugh. Item "SE 6" says "Invalid IP addresses that are not in the range of acceptable octets, for example: 295.128.16.0." Are they SERIOUS?

Richard Bejtlich, 2007-03-21 16:51 (-04:00)

Anonymous,

How can you possibly defend looking for an "IP address" that technically CANNOT exist?

Anonymous, 2007-03-21 16:47 (-04:00)

I don't understand your comment on Amazon about the IP address. It would seem that not using IP addresses that are outside standard octets would be a good idea. I still have a copy of strobe. It seems to work.

Anonymous, 2007-03-01 15:57 (-05:00)

Your characterization of contracting companies and their relationship to FISMA packages shows a lack of understanding about FISMA, the role of contractors, and the role of agency IT security personnel.

A technical vulnerability test is part of the ST&E that comprises a C&A package. It is very much hands-on engineering by professionals who must maintain knowledge of the latest infrastructure devices and security testing tools. They must know how to use the tools and interpret the results. Also, it is the government and those in IT security that require the 500-page packages. This is based on the requirements of IG auditors who know little about IT security but can discern if a document matches NIST template guidelines number for number.
I, too, believe there is a lot of waste in the FISMA compliance process. If you studied the subject rather than relying on one book, perhaps you would understand why.

Anonymous, 2007-02-27 21:03 (-05:00)

The FISMA book seems okay to me.

Anonymous, 2007-02-21 16:27 (-05:00)

FISMA itself is good... a law requiring security planning and budgeting. Hey, that's right on with what it needs to be. Unfortunately, all this other junk gets strapped on to it, and nobody knows what they are doing.

It's like when I go to the Smithsonian and look at the exhibits on Africa. I realize that the more I learn about Africa, the more I realize I don't know jack about Africa.

There are some problems with the implementation of C&A in particular. Too many rules and everybody has a serious case of NIH. It's not supposed to be this much work.

I probably said it best here:
Blog Entry: http://ism-community.org/blogs/michaelsmith/archive/2007/02/19/indicator-species.aspx

The way to look at C&A from a technical standpoint is that it's an excuse to have people come to you and ask your opinion. Let them know what it is--right, wrong, or indifferent.

Anonymous, 2007-02-16 11:39 (-05:00)

I actually have to deal with the FISMA regulations. I was hired for "network security", and apparently, if our more political security officers had their way, that means "write lots of .docs on the state of affairs, THEN after those .docs are done, go try to fix any findings, updating the .docs as you go."

We started using NIST 800-26, and we had to redo a major section of our paperwork to move to NIST 800-53. I'm a programmer/system admin, and I've been yelling at these people for 3 years about the futility of the FISMA regulations and how if they spent half the money they're wasting on writing 500+ page C&A packages on intelligent system admins and network analysts, they'd actually be improving security.

I like the concept of organizing security standards, but the auditing and C&A processes do not address security at all. They address document management and "BS production". If you want a real laugh, check out NIST's "Central Logging Standards" (http://csrc.nist.gov/publications/nistpubs/800-92/SP800-92.pdf). I thought there might be interesting information, but it ended up being 64 pages of saying nothing.

Richard, thanks for summing up my frustrations with the system. I sent the article to our "Information Systems Security Officers", and no one replied :).

Your work is appreciated by my entire organization, who have been railing against the system since its inception.

Anonymous, 2007-02-14 14:04 (-05:00)

It's pretty easy for packet surgeons and the like to poke holes in FISMA and the attendant C&A process.

But one good thing to come out of FISMA is the guidance from NIST on information security. As a result of FISMA, they have created a compendium of security best practices and methodologies rooted in a common lexicon. The IA community needed this standardization and I think most of NIST's guidance is very valid. Specifically, the 800-53 Recommended Security Controls for Federal Information Systems.

Anonymous, 2007-02-14 13:41 (-05:00)

I'm not so sure that any standard will help .gov sites. The people implementing it will screw it up and the people auditing it will use low-skilled billable scanner jocks that will miss any non-signature-based risk.

Sure, there are exceptions to this. However, why is it that most of the highly technical consultants stay away from regulatory/standards/gov work? If you are good, you'll go work in the private sector.

Richard Bejtlich, 2007-02-13 16:02 (-05:00)

The last item I wrote on ISO 17799 is here: http://taosecurity.blogspot.com/2006/12/thoughts-on-sas-70-and-other-standards.html. I have no direct exposure to it.

Anonymous, 2007-02-13 15:47 (-05:00)

Do you feel the same way about ISO 17799?

Anonymous, 2007-02-13 10:30 (-05:00)

You know, those of us that refuse to do .gov work are all laughing. We laugh because we all know what a joke doing sec work in most of the government is.

A lot of government's inefficiencies are kept internal to the government for the most part. However, when the government directly interacts with the public: hurricane response, filing taxes, etc., we all get to experience just how bad it is. With the internet, attackers get to directly exploit all the inefficiencies.

A more accessible, inefficient government is REALLY accessible ;)

Maybe someday when I want to give up on learning or caring I'll do gov work.

Anonymous, 2007-02-13 10:09 (-05:00)

Having been involved in C&A before, I couldn't agree more. It's a worthless paperwork exercise, producing countless documents that are outdated before they are even complete. It's no wonder that people dread the C&A process and try to avoid it at every possible opportunity. Unfortunately, those of us with some security knowledge are often forced into taking on C&A responsibilities, since it's perceived as a security function. In reality, it is a task better suited for a technical writer.

Unknown, 2007-02-13 09:36 (-05:00)

Documentation has its place, but when it replaces actually *doing* anything... that's when weeble-wobbles cry.

Roman, 2007-02-13 05:45 (-05:00)

Shirkdog, you are assuming, of course, that anyone told the DAA about it in the first place. More likely, they just used it, and if asked, they lie and say they don't.

Shirkdog, 2007-02-13 00:24 (-05:00)

A system is flawed when there are ways to subvert it. An example: a DAA can approve FTP, when the control clearly states "STOP USING FTP and INSECURE PROTOCOLS"
http://csrc.nist.gov/publications/nistpubs/800-26/sp800-26.pdf
16.2.2 Are insecure protocols (FTP, UDP) disabled?

Don't forget the price tag of the 3rd party assessment. :-)
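The IP-notation points argued over in the comments of 2007-03-21 to 2007-03-23 (an address such as 295.128.16.0 cannot be carried in a 32-bit IPv4 header, while octal, dword and hex spellings such as 0100.0351.0273.0143 and 1089059683 are valid addresses that ping resolves) can be checked mechanically. The following is an added example written for this page; it is not code from the blog, the book under review, or any commenter. It implements BSD inet_aton() parsing (the semantics glibc uses, which is why the forms in the 2007-03-22 00:58 comment work), normalizes such tokens to a canonical dotted quad, and audits constructed netfilter-style egress log lines for three things: an address no IPv4 packet can carry (the log was edited or mistyped, the reading the 22:41 comment gives the book's item), a valid address written in obfuscated notation, and a source address outside the site's own prefix (the egress-filtering point in the 2007-03-23 comment). The log field names, the internal prefix 10.0.0.0/8 and the sample lines are assumptions made for the example.

```python
"""Normalize IPv4 notations and audit egress log lines for impossible,
obfuscated or spoofed addresses. Added example; not from the blog or its comments."""
import ipaddress
import re

# Lexical forms glibc's inet_aton() accepts for a single component.
_HEX = re.compile(r"0[xX][0-9a-fA-F]+")
_OCT = re.compile(r"0[0-7]*")
_DEC = re.compile(r"[1-9][0-9]*")
# Strict dotted quad: four decimal components, each 0-255, no leading zeros.
_QUAD = r"(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])"
CANONICAL = re.compile(rf"{_QUAD}(?:\.{_QUAD}){{3}}")
# Anything shaped like a dotted quad, including components that cannot fit a byte.
QUAD_SHAPED = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def parse_inet_aton(text):
    """Parse with BSD inet_aton() semantics; return a 32-bit int or None.

    Forms: 'a' (32 bits), 'a.b' (8+24 bits), 'a.b.c' (8+8+16), 'a.b.c.d'.
    Each component may be decimal, octal (leading 0) or hex (0x prefix).
    """
    parts = text.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    values = []
    for p in parts:
        if _HEX.fullmatch(p):
            values.append(int(p[2:], 16))
        elif _OCT.fullmatch(p):
            values.append(int(p, 8))
        elif _DEC.fullmatch(p):
            values.append(int(p, 10))
        else:
            return None
    *leading, last = values
    if any(v > 0xFF for v in leading):
        return None
    last_bits = 32 - 8 * len(leading)   # the last component fills the rest
    if last >= 1 << last_bits:
        return None
    n = 0
    for v in leading:
        n = (n << 8) | v
    return (n << last_bits) | last


def to_dotted_quad(n):
    return ".".join(str((n >> s) & 0xFF) for s in (24, 16, 8, 0))


def classify_address(token):
    """Return (verdict, canonical dotted quad or None) for one address field."""
    if CANONICAL.fullmatch(token):
        return "canonical", token
    n = parse_inet_aton(token)
    if n is not None:
        # Valid to the kernel, but written in an unusual way (octal, hex, dword).
        return "obfuscated", to_dotted_quad(n)
    if QUAD_SHAPED.fullmatch(token):
        # A component above 255 does not fit an 8-bit octet. No packet carried
        # this value, so a log claiming it did was edited or mistyped.
        return "impossible", None
    return "not_an_address", None


_FIELD = re.compile(r"\b(SRC|DST)=(\S+)")  # assumed netfilter LOG style fields


def audit_egress(lines, internal_net):
    """Check SRC/DST fields of outbound log lines against internal_net.

    Returns (line_no, finding, detail) tuples. Findings:
      tampered   - the field cannot be an IPv4 address at all
      obfuscated - non-canonical notation (normalized form in detail)
      spoofed    - SRC is not inside internal_net (egress filtering should drop it)
    """
    net = ipaddress.ip_network(internal_net)
    findings = []
    for i, line in enumerate(lines, 1):
        fields = dict(_FIELD.findall(line))
        for key in ("SRC", "DST"):
            raw = fields.get(key)
            if raw is None:
                continue
            verdict, canon = classify_address(raw)
            if verdict in ("impossible", "not_an_address"):
                findings.append((i, "tampered", f"{key}={raw}"))
                continue
            if verdict == "obfuscated":
                findings.append((i, "obfuscated", f"{key}={raw} is {canon}"))
            if key == "SRC" and ipaddress.ip_address(canon) not in net:
                findings.append((i, "spoofed", f"SRC={canon} not in {internal_net}"))
    return findings


# Constructed sample lines in netfilter LOG format; not real captured traffic.
SAMPLE_LOG = [
    "IN=eth1 OUT=eth0 SRC=10.1.2.3 DST=64.233.187.99 PROTO=TCP DPT=80",
    "IN=eth1 OUT=eth0 SRC=10.1.2.3 DST=0100.0351.0273.0143 PROTO=TCP DPT=80",
    "IN=eth1 OUT=eth0 SRC=10.1.2.3 DST=1089059683 PROTO=TCP DPT=80",
    "IN=eth1 OUT=eth0 SRC=172.16.9.9 DST=0x40.0xe9.0xbb.0x63 PROTO=UDP DPT=53",
    "IN=eth1 OUT=eth0 SRC=295.128.16.0 DST=64.233.187.99 PROTO=TCP DPT=25",
]

if __name__ == "__main__":
    for finding in audit_egress(SAMPLE_LOG, "10.0.0.0/8"):
        print(finding)
```

Both spellings from the 00:58 comment, 0100.0351.0273.0143 and 1089059683, decode to 64.233.187.99 (0x40E9BB63), so the first three sample lines describe the same destination and only the notation differs; the fourth line is flagged twice, once for the hex destination and once for a source outside 10.0.0.0/8, and the last line is the book's 295.128.16.0, which the parser rejects outright. The parser deliberately does not call socket.inet_aton, whose acceptance of these forms varies by platform, so the verdicts are the same wherever the audit runs.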