Request for Comments on NSA IAM and NSA IEM

Does anyone have experience with NSA's Infosec Assessment Methodology and Infosec Evaluation Methodology? Through my local ISSA chapter, I've signed up to take courses on both programs for a combined price less than that offered for the IAM alone at another venue. Being a consultant in the DC metro area, I believe I am going to hear NSA IAM and IEM mentioned more frequently. Any thoughts?

Comments

Anonymous said…
So far the only time I've heard of the IAM has been from consultants. Given that I work in a DoD world much of the time, this leads me to believe one of two things:

- That the IAM is too new so not many people have heard of it.

- That the IAM is too process oriented and documented and therefore completely against the religion of most fledgling security organizations (like the BS7799-2 / ISO 24743).

The DCMA seems to be paying attention to standards and processes more lately. So does Export Control. So I suspect you'll see more interest in IAM and associated friends over the next eighteen months.

In the mean-time you can use it as a differentiating factor on some of your gigs if the customer seems interested in that sort of thing. Cheers, -Ali
10:17 AM
Anonymous said…
This reminds me of the times when I had to help a company (Engineering and Manufacturing Depts.) do their ISO900x certificatiion - total BS, with the exception of the marketing hipe, allowing them to advertise their products as "ISO900x compliant". This, in the US automotive industry, at that time (and more so in the present), was equivalent to "look how certified we are, while the Germans and Japanese kick our a**-es in real life products" ... the security area of IT is moving in the same direction :(
5:03 PM
Anonymous said…
i studied the iam when it was taught by nsa staff directly. it's a high-level overview of an approach to infosec assessment. it's a good foundation for a beginning security professional because it teaches you to develop a hierarchical risk assessment, but it's inappropriate for anyone with more than a year of experience in the field. the credential itself doesn't infer competency, and because there isn't a strict methodology, you can't be sure that an assessment done by one iam-trained person will be similar to an assessment done by another iam-trained person.

but take my advice with caution: i also believe the cissp is a very over-rated credential (i have a cissp as well, but don't publicize that fact.)
10:57 PM
Anonymous said…
As a standard disclosure, I should say right now that I'm with Security Horizon and hold a CRADA with NSA to teach the NSA courses.

With that said, let me start by saying the NSA IAM and IEM are intended to get people on the same sheet of music when it comes to performing assessments and evaluations. It intentionally leaves some room for flexibility in the processes. But the foundational areas are always the same. Part of the issue is that, as a customer, I can call 100 different firms that specialize in providing information security assessments, evaluations, audits, analysis; whatever you want to call it. And the sad truth of the matter is that I will likely get 100 different answers as to what one of these is comprised of, what's covered, and what the customer can expect to get back.

The IAM is a vulnerability assessment methodology, NOT a risk assessment or threat assessment. Granted, we HAVE to cover risk in the course, but the key focus areas are based on the identification of vulnerabilities? Why did NSA do that?

If we consider the modern definition of RISK as it applies to information security, you'll see that there are three main areas of which RISK is comprised: Threats, Impact (also known as asset value), and Vulnerabilities. If you think of this as a triangle with RISK being in the center and the three sides are these three things I've just mentioned, you can see that RISK is now an "area" within the triangle.

How do we limit our RISK most effectively? Can we change the Threats to our organization? Probably not... not really. What about the Impact, or the asset value? By changing this, we have to change our core business. The only side of the triangle we have direct control of is the Vulnerability side. By limiting our POTENTIAL vulnerabilities, we can decrease the area of RISK within the triangle.

Whew! That was a long answer to a short question. My point here really is that we all need to be doing the same core things so that the customer can understand what we're doing. NSA is working closely with Ron Ross at NIST to ensure we're hitting those requirements; and in some of the newer 800 series of documents you'll actually see the NSA methodologies mentioned.

As for how "hot" the methodologies are.. well, that depends on who you are. We've seen several requirements in RFPs from the Federal and Private sectors over the last 18 months for these methodologies. And yes, if you look at the NSA methodologies and if they're performed according to the requirements, results from one IAM should be similar to the results from another. The real key here is something that no one CAN teach... the expertise of the person doing the work. We can build a great methodology, but in the hands of a dolt, it's still going to be a case of "Garbage in / Garbage out".

Just my 2 cents. I'll be happy to take questions.
1:45 PM
Richard Bejtlich said…
Russ,

Thanks a lot for your insights. It's nice to see someone define the risk equation and its components properly! I think I will blog a link to your comments for the benefit of those who may consider this post "closed."
3:03 PM
Post a Comment

Popular posts from this blog

Zeek in Action Videos

Image
This is a quick note to point blog readers to my Zeek in Action YouTube video series for the Zeek network security monitoring project .  Each video addresses a topic that I think might be of interest to people trying to understand their network using Zeek and adjacent tools and approaches, like Suricata, Wireshark, and so on.  I am especially pleased with Video 6 on monitoring wireless networks . It took me several weeks to research material for this video. I had to buy new hardware and experiment with a Linux distro that I had not used before -- Parrot .  Please like and subscribe, and let me know if there is a topic you think might make a good video.
Read more

MITRE ATT&CK Tactics Are Not Tactics

Image
Just what are "tactics"? Introduction MITRE ATT&CK  is a great resource, but something about it has bothered me since I first heard about it several years ago. It's a minor point, but I wanted to document it in case it confuses anyone else. The MITRE ATT&CK Design and Philosophy document from March 2020 says the following: At a high-level, ATT&CK is a behavioral model that consists of the following core components: • Tactics, denoting short-term, tactical adversary goals during an attack; • Techniques, describing the means by which adversaries achieve tactical goals; • Sub-techniques, describing more specific means by which adversaries achieve tactical goals at a lower level than techniques; and • Documented adversary usage of techniques, their procedures, and other metadata. My concern is with MITRE's definition of "tactics" as "short-term, tactical adversary goals during an attack," which is oddly recursive. The key word in the tacti
Read more

New Book! The Best of TaoSecurity Blog, Volume 4

Image
  I've completed the TaoSecurity Blog book series . The new book is  The Best of TaoSecurity Blog, Volume 4: Beyond the Blog with Articles, Testimony, and Scholarship .  It's available now for Kindle , and I'm working on the print edition.  I'm running a 50% off promo on Volumes 1-3 on Kindle through midnight 20 April. Take advantage before the prices go back up. I described the new title thus: Go beyond TaoSecurity Blog with this new volume from author Richard Bejtlich. In the first three volumes of the series, Mr. Bejtlich selected and republished the very best entries from 18 years of writing and over 18 million blog views, along with commentaries and additional material.  In this title, Mr. Bejtlich collects material that has not been published elsewhere, including articles that are no longer available or are stored in assorted digital or physical archives. Volume 4 offers early white papers that Mr. Bejtlich wrote as a network defender, either for technical or pol
Read more