Comments on TaoSecurity Blog: NSA IAM and IEM Summary
Comment feed, last updated 2023-10-16.

Anonymous, 2011-07-15:
I took both classes and found them to be beneficial to our organization. The idea of security for everyone was a good concept, and while some of the areas were "weak", the instructor advised this was on purpose, as this is for the organization to build their own ideas and methods to test and implement the practices. It was emphasized that this is a structure, not a one-size-fits-all solution. I wish they had more of these to offer; it was a unique set of classes.

Anonymous, 2010-01-06:
I love the idea of bringing security to all the employees, not just the IT folks. The IAM process sounds very much like a program designed to involve the entire enterprise in security. IBM did some work on this recently, empowering every employee to do their part in company security.

I also agree with the comments about not needing a firewall or antivirus on every machine. Each network requires different methods to secure it, and the biggest exploit is the people inside the fence. Just remember, those "students" are given a fire hose of knowledge in one or two days' worth of training. The instructors are quite limited in what they can teach during those few hours. They might as well teach the students the basics and let them learn from there. Expertise is only gained through experience, and experience is only gained through doing it wrong until you get it right.

I am disappointed that none of the links work anymore. I was hoping to gather some great information on these ideas, but the blog was done a few years back, so everything seems to have changed. Thanks for the basic information though.

Anonymous, 2008-03-18:
I could not agree more with -pete. All of our "requirements" are based on assumptions that will eventually break down over time. Solutions are specific ways of implementing controls and therefore must be relevant to the current threat environment. Since each organization's threat environment is different, we as practitioners need to have the flexibility to implement the controls in the most suitable manner and to change our implementations as new threats emerge. Being saddled with "requirements" that may in fact be based on assumptions that no longer hold true actually hurts our ability to address current threats. For example, the recommended password length for a Windows box has been 8 characters with complexity enforced basically since the dawn of time. It is in fact based on old assumptions about computing power and storage that no longer hold true, especially for Windows systems. Yet assessments frequently state this setting as a "requirement." Requiring anti-virus software on servers is another one that I find offensive.

Anonymous, 2007-09-14:
I have always had a problem with any framework or regulation that requires solutions. Why require AV, Firewalls, IDS, etc. rather than requiring specific security (access and interaction restrictions, etc.) or specific controls (confidentiality, integrity, subjugation, etc.)?

I can't tell you how many students we must continually de-program so that they realize that a firewall is used as a point of easy central administration that introduces a single point of failure, which is not required if proper architecture, segmenting, and host-based security measures and controls are in place. So NOT having one is not immediately bad, as so many consider. Or those who think we NEED anti-virus on ALL our systems when they don't stop to consider it's a blacklist technology that introduces resource consumption to a computer that could go without if proper host controls are defined, even with a Windows box.

So if you are a person of authority over writing some of these rules, then please, please, please leave solutions out of your requirements as opposed to security and controls. Security is not about solutions. It's about separation and control.

Richard Bejtlich, 2007-09-13:
Marcin,

Those are excellent -- especially the .pdf's. Thank you.

Marcin, 2007-09-13:
Hey Richard, I took the IAM and IEM training with Greg Miles last year as classes. I'd like to point out a couple of my posts that I did during the trainings:

Day 1 of NSA’s IAM: http://www.tssci-security.com/archives/2006/09/13/day-1-of-nsas-iam/
IAM Day 2: http://www.tssci-security.com/archives/2006/09/15/iam-day-2/
Thoughts on IEM: http://www.tssci-security.com/archives/2007/01/18/thoughts-on-iem-day-1/

In the IAM Day 2 post, I also include a sample TAP that we did during the class. The material and scope of the IAM is to review the security posture of an organization from a "50,000 ft view." So it may seem a bit corny, but that's what the IAM is. Of course, like you mention, it's a methodology for you to adopt and change to meet your organizational needs.

I also created a checklist of items for review from the "18 baseline categories" the NSA uses to divide technical/managerial security realms up. It's by no means comprehensive, but I was starting to run out of ideas. See here: http://www.tssci-security.com/archives/2006/10/12/iam-checklist/