Friday, January 20, 2012

FRITSA: Do You Understand How all of your IT Security Assurance Efforts fit Together?

On January 19th Fiona Pattinson gave a presentation titled “FRITSA: Do You Understand How all of your IT Security Assurance Efforts fit Together?” at the ISSA Austin chapter's monthly meeting.



The presentation is now available for download on our website.

Wednesday, January 11, 2012

Happy Birthday, atsec!

Austin, Munich, Stockholm, Beijing – On the 11th of January, atsec celebrates its 12th birthday. As always, our best wishes and thanks to all of the contributors: our customers, our partners, and our employees. A lot has happened during these years and we invite you to take a look at our news section to get an overview of the events of 2011.
This year R.G. "Jerry" Converse of Fulbright & Jaworski L.L.P. took up the pen and sent us this birthday greeting:

“Happy Birthday, atsec!
You are not an ordinary 12-year-old! Your knowledge and wisdom extend well beyond your years. Some of the best people in the world work at atsec and make it what it is today. We at Fulbright & Jaworski LLP are honored to list atsec information security corporation among its clients.
Our best wishes to you for many more years of success.”
R.G. "Jerry" Converse
Fulbright & Jaworski L.L.P.

Friday, January 6, 2012

Austin ISSA

I enjoy having the opportunity to support our local security community and so I am very happy to have the opportunity to present to the Austin ISSA on January 19 (Thursday) - 11:30am to 1pm.

In this presentation I will explain a little about IT security assurance, describing basic concepts about what security assurance is, and what it is not. I will also explain the framework used in the IT security industry that attempts to make sense of all of those disparate security claims (from ISO/IEC 27001, FISMA compliance, FIPS 140-2, Common Criteria, personnel certifications, PCI compliance, etc, etc).

This presentation is derived from the work currently being performed in ISO's JTC1 SC27 (IT security techniques subcommittee) in revising ISO/IEC 15443, a Framework for IT Security Assurance (FRITSA).

- Fiona Pattinson

Saturday, December 17, 2011

FedRAMP Industry Day

I've been watching the FISMA implementation program and the related Federal Risk and Authorization Management Program (FedRAMP) for quite some time now, and on Friday the 16th December, 2011, I was lucky enough to be able to attend the FedRAMP Industry Day, hosted by GSA.

Building on the recent announcement of the OMB's FedRAMP Policy memo giving the requirements for a standardized program for the security assessment, authorization, and continuous monitoring of cloud products and services, presenters from GSA and NIST described the program built through a collaboration of several agencies including NIST, GSA, DHS, the DoD, the OMB and others. The program introduces an innovative policy approach to developing trusted relationships between Executive departments and agencies and cloud service providers (CSPs).

My impression of the proposed program is refreshingly good. The evident co-operative philosophy between the agencies, coupled with an outline of a program that described goals aimed at providing the right assurance to those who need it, indicated to me that a lot of active listening has been happening over the past months. Paying attention to lessons learned in the conformance assessment sector, and an emphasis on appropriate standards, has led to the definition of what I hope will be a successful program. An emphasis on the quality of third party assessors from the outset is a good place to start when a program based on trust is being established. It's a shame that not all conformity assessment programs have that same philosophy.

The program should be up and running during the course of 2012, so we won't have to wait too long to see if my prediction is true. Of course I would expect to see a few teething problems, as I would with any new program.

The program has updated the FedRAMP web page recently. FAQs, the OMB policy and the requirements for third party assessor organizations (3PAO) are all to be found here.

- Fiona Pattinson

Tuesday, December 13, 2011

ACSAC 2011 Debriefing


by Jeremy Powell

The 2011 Annual Computer Security Applications Conference was held last week in Orlando, FL, and I had the good fortune to attend. The first two days were full of half- and full-day tutorials with varying topics. You can find the program and course descriptions here.

The following is a small set of highlights from the conference that I found particularly interesting:

Sven Dietrich from the Stevens Institute of Technology gave a half day tutorial on the evolution of botnets through their existence. Focusing largely on tracking historical time lines, he described how new technology to defend against botnets drives the quality and robustness of the botnets up, thus matching advancement with advancement. What I found really striking is the sheer sophistication of the advanced bots, allowing for completely decentralized command and control and clever usage of cryptography to deploy updates to the bots. It would seem that these bots have software life cycles (and security concerns!) not unlike conventional software.

Adding to my newfound knowledge of botnets from Dr. Dietrich's tutorial, several papers were presented on live analysis of botnets and malware. The two papers "Understanding the Prevalence and Use of Alternative Plans in Malware with Network Games" and "Detecting Malware’s Failover C&C Strategies with SQUEEZE" were particularly interesting. They both independently proposed methodologies to gain useful information from the behavior of bots when they are under duress. The research suggested that, when bots are having trouble connecting to their peers or to the command and control nodes, they are robustly designed to attempt to connect in different ways. Who they connect to can enable researchers (and law enforcement) to identify other malicious machines that should be blacklisted and possibly taken down. In some cases, I would imagine from what Dr. Dietrich's tutorial suggested, the bots will phone directly home as a last ditch effort to receive commands, betraying their owners' identities.

Anoop Singhal of NIST and Xinming (Simon) Ou of Kansas State University presented on a method to automatically generate attack graphs and compute "probabilities" of certain attack paths that can then be input into an enterprise's risk assessment. Although it is considerably "academic" in implementation, an industrialized version of this product would be invaluable to network administrators. After providing a network diagram specification, vulnerability scanning results, and the National Vulnerability Database, the software can reason about whether it is more cost-effective to patch a vulnerable database or to apply other mitigating controls along the potential paths to that database. The really cool thing is that this attack graph generation doesn't need to be restricted to network-based attacks. One could envision this being combined with a server configuration, or even applying it to analyzing malicious information flows through a Multi-Level Security system (e.g., SELinux).
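To make the patch-versus-mitigate comparison concrete, here is a toy version of the idea, added as an illustration for this write-up; it is not the NIST/KSU tool or the algorithm from the presentation. It assumes a small constructed network in which every edge is an exploitable step with an assumed success probability (the host names, vulnerability ids, probabilities, asset value and costs are all made up, not NVD data), computes the exact probability that an attacker starting on the internet reaches the database, and ranks remediation options by expected-loss reduction per unit of cost.

```python
"""
Added illustration (not the NIST/KSU tool or the ACSAC paper's algorithm): a toy
attack graph in which every edge is an exploitable step with an assumed success
probability, used to compare remediation options by expected loss per unit cost.
All hosts, vulnerability ids, probabilities, costs and the asset value are constructed.
"""
from collections import deque

# Edge = (source host, destination host, vulnerability id, P(step succeeds)).
# Vulnerability ids are placeholders; probabilities are illustrative, not NVD-derived.
EDGES = [
    ("internet",  "webserver", "VULN-PLACEHOLDER-1", 0.8),
    ("webserver", "appserver", "VULN-PLACEHOLDER-2", 0.6),
    ("webserver", "database",  "VULN-PLACEHOLDER-3", 0.3),
    ("appserver", "database",  "VULN-PLACEHOLDER-4", 0.7),
    ("internet",  "vpngw",     "VULN-PLACEHOLDER-5", 0.2),
    ("vpngw",     "appserver", "VULN-PLACEHOLDER-6", 0.5),
]

# Remediation options: name -> (cost in arbitrary units, {vuln id: new probability}).
# A patch drives the step probability to 0; a compensating control only lowers it.
MITIGATIONS = {
    "patch-web": (3.0, {"VULN-PLACEHOLDER-1": 0.0}),
    "patch-db":  (10.0, {"VULN-PLACEHOLDER-3": 0.0, "VULN-PLACEHOLDER-4": 0.0}),
    "waf":       (4.0, {"VULN-PLACEHOLDER-1": 0.4}),
}


def reachable(edges, start, target):
    """Plain BFS: can an attacker at `start` reach `target` using only the given edges?"""
    adjacency = {}
    for src, dst, _, _ in edges:
        adjacency.setdefault(src, []).append(dst)
    seen, queue = {start}, deque([start])
    while queue:
        node = queue.popleft()
        if node == target:
            return True
        for nxt in adjacency.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return False


def compromise_probability(edges, start="internet", target="database"):
    """Exact P(target reachable), treating each edge as an independent Bernoulli trial.

    Enumerating all 2^n edge subsets is exponential in the number of edges, but it is
    exact even when attack paths share edges, where multiplying per-path probabilities
    (or combining them with noisy-OR) would be wrong.
    """
    n = len(edges)
    total = 0.0
    for mask in range(1 << n):
        present, weight = [], 1.0
        for i, edge in enumerate(edges):
            p = edge[3]
            if mask >> i & 1:
                present.append(edge)
                weight *= p
            else:
                weight *= 1.0 - p
        if weight and reachable(present, start, target):
            total += weight
    return total


def apply_mitigation(edges, changes):
    """Return a copy of the graph with the listed vulnerabilities' probabilities overridden."""
    return [(s, d, v, changes.get(v, p)) for s, d, v, p in edges]


def rank_mitigations(edges, mitigations, asset_value):
    """Rank options by reduction in expected loss (P(compromise) * asset value) per unit cost.

    Returns a list of (name, loss reduction per unit cost, residual expected loss),
    best option first.
    """
    baseline = compromise_probability(edges) * asset_value
    ranked = []
    for name, (cost, changes) in mitigations.items():
        residual = compromise_probability(apply_mitigation(edges, changes)) * asset_value
        ranked.append((name, (baseline - residual) / cost, residual))
    return sorted(ranked, key=lambda r: r[1], reverse=True)


if __name__ == "__main__":
    print(f"baseline P(database compromised) = {compromise_probability(EDGES):.4f}")
    for name, benefit_per_cost, residual in rank_mitigations(EDGES, MITIGATIONS, asset_value=100.0):
        print(f"{name:10s} loss reduction per unit cost = {benefit_per_cost:6.2f}"
              f"  residual expected loss = {residual:6.2f}")
```

In this constructed graph the cheap perimeter patch wins because it cuts off the high-probability entry point while the VPN path alone carries little risk, whereas patching the database host removes all risk but at a cost that makes it the least efficient choice per unit spent. The subset enumeration is what lets the comparison stay honest when several paths share a step (here the appserver-to-database hop); a production tool would replace it with the probabilistic inference the presenters described and feed it scanner output rather than hand-written edges.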

To round things out, researchers from Carleton University spoke about the usefulness of images as passwords. "Facing the Facts about Image Type in Recognition-Based Graphical Passwords" discussed and rebutted the claim that human faces are a particularly good image-based password alphabet because we are hardwired to recognize faces. He conducted experiments to determine and compare the usability and effectiveness of faces to images of everyday objects and images of suburban houses. Interestingly, everyday objects were a superior password alphabet, because people tend to perform recall better than they recognize. This is illustrated anecdotally by the fact that some participants who were assigned face-based passwords were actually naming the images of the people to help remember them more easily. This seems to demonstrate that the ability to "write down" a password (i.e., "Shoe-screwdriver-ball" or "Bill-Marcy-Fred") is a better mechanism to remember passwords than just through simple recognition.

As at all conferences, much of the fun is chatting with security researchers and practitioners and hearing their stories and backgrounds. I was impressed by the earnest and hard work they all have done to keep our security posture in the tech industry as strong as it is today. Unfortunately, the IT security community is currently only effective as a reactionary force; it takes buy-in from developers to bring our efforts from only a quickly outmoded patchwork of security fixes to the full potential of sound security architecture in both software and hardware. But that's a topic for another article...