Tuesday, September 27, 2005

e-Eye Retina Vulnerability Scanner replaces ISS

e-Eye Digital Security hit a home run in 2004 when it won the $6 million Defense Information Systems Agency (DISA) I-ASSURE contract, which allows its robust e-Eye Retina Vulnerability Scanner to be used on DoD systems worldwide.

The Retina Vulnerability Scanner will be used to measure compliance with Department of Defense (DoD) Computer Emergency Response Team (CERT) Information Assurance Vulnerability Management Notices.

The DoD previously used Internet Security Systems (ISS) vulnerability assessment tools exclusively for this task. However, as of 30 September 2005 the ISS vulnerability tools will no longer be used by the Department of Defense.

This comes at the time of the "cover up" CiscoGate controversy, which involved ISS. In July 2005, Michael Lynn, a former research analyst with Internet Security Systems, resigned from the company just before presenting a major flaw in Cisco routers (many of which sit on critical infrastructure).

According to Lynn, Cisco and ISS had allowed him to speak about the flaw at Black Hat but suddenly changed their minds at the last minute, attempting to silence Lynn with legal action. Cisco and ISS were trying to protect their shareholders at the cost of all the customers, organizations and nations that depend on Cisco routers. From an ethical perspective, this was not a great way for an Internet security company to act.

It will be interesting to see whether e-Eye Digital will be more ethical than ISS as it comes to power. Something very evil tends to happen when large groups of people get together to gather large sums of money.

As stated above, after Friday, 30 Sept 05, the ISS scanner will no longer be available. You should be able to download the new e-Eye Retina Network Security Scanner from one of the DISA pages:

ISS/Retina Vulnerability Scanners (DOD):

e-Eye Retina Network Security Scanner (SCCVI)
http://iase.disa.mil/stigs/iss/index.html
http://iase.disa.mil/stigs/iss/retina.html



eEye Digital Security and DISA press release:

http://www.eeye.com/html/company/press/PR20040623.html



Official Word from DISA

Information Assurance Support Environment:

DISA IA Announcement: DISA will be converting from using Internet Security Scanner to the e-Eye Retina Network Security Scanner(SCCVI) effective 1 Aug 05 for all security reviews, compliance validations, certification efforts, etc. All open findings related to a penetration test conducted with the ISS tool will be archived (closed) as a Retina penetration test is conducted by DISA. The ISS findings are still valid open findings that need to be worked and closed by the site. However, sites are highly encouraged/recommended to perform a self-assessment using the Retina scanner, as soon as they receive the tool.

Information, online training, and Retina software can be obtained from the http://iase.disa.mil website.



eEye Digital Security

http://www.eeye.com/html/index.html

Retina Network Vulnerability Scanner:

http://www.eeye.com/html/products/retina/index.html



Resources

  • ISS is Shady
  • e-Eye Press release
  • Inside CiscoGate
  • Lynn’s Lawyer
  • Cisco & ISS vs. Lynn

Tuesday, September 20, 2005

First Step in Completing the SSAA

In my opinion, understanding the system you are working on is the most important part of writing a System Security Authorization Agreement (SSAA). Once you have an understanding of how the system works, why the system is necessary and what the current status of the system is, it becomes much easier to put the pieces together.

Although the SSAA is a very detailed document, much of the data in the document is filler information. You are gathering information on the system, or the system being created, in order to put together a comprehensive account of the security of the system. If you look at the outline below, you will see that many of the items required in the SSAA should already exist:

1. MISSION DESCRIPTION AND SYSTEM IDENTIFICATION

2. ENVIRONMENT DESCRIPTION

3. SYSTEM ARCHITECTURAL DESCRIPTION

4. ITSEC SYSTEM CLASS

5. SYSTEM SECURITY REQUIREMENTS

6. ORGANIZATIONS AND RESOURCES

7. DITSCAP PLAN

SSAA OUTLINE

The difficulty comes when you have very little information or few resources (such as engineers who have worked on the system, or old documentation). That is when the SSAA gets tricky and each paragraph becomes like a mountain you must conquer.

I’ve found that most of my challenges come from legacy systems that do not fit into the modern-day security needs of the organization. When this happens I don’t panic. I’m simply assessing the system and reporting the facts. It is the Designated Approving Authority that must ultimately take the risk.

Monday, September 19, 2005

Use Tags to Research ISPs, SSAAs or whatever

Del.icio.us and Technorati are great sites you can use to research C4ISP/ISP, SSAA or whatever you want. Since these sites are a whole new way to use the web, let's start from the beginning.

There is a new branch of the Web growing like a well organized storm cloud. This recent trend on the Web can be used to strengthen your presence with major search engines and reach an active audience that is highly interested in your content.

Welcome to the world of "folksonomy" and "tagging."

What is Folksonomy and Tagging?

Folksonomy is a combination of the words folks and taxonomy, meaning "people classification management." It gives users some level of control over how the web is organized. One of the most popular tools of the folksonomy concept is tags. Tagging, in the context of this article, is the process of labeling a piece of data with metadata.

Using Tagging & Folksonomy to Advertise

Three of the most effective sites currently using tags and/or folksonomy are Del.icio.us, digg.com, and Technorati. Each of these sites is a major player in the folksonomy world.

Del.icio.us is a social bookmarking web application that is growing very fast in popularity. With a free account, del.icio.us users can submit and access all of their bookmarks from any computer with Internet access. By submitting and tagging your own web pages, you instantly give access to thousands of other users with interests in the same tags. Encouraging site visitors to submit your selected webpages to their own del.icio.us bookmark page is a very good way to get more exposure to del.icio.us users. Submitting to del.icio.us is instant and it creates meaningful relevant links important to the major search engines.

Digg.com is mostly a technical news site. If you are familiar with the Web phenomenon Slashdot, then digg will remind you of that geek culture. The difference is that ALL of digg's content is created, submitted, and judged by its audience. If your page, blog or online article is good enough to be "dug" by digg users, you could receive literally hundreds of unique visitors immediately. Virtually any participation (comments, submissions, links in your profile) can get your site traffic from digg. The beauty of digg is that it is so popular that many submissions to digg can instantly dominate some keywords on search engines such as google.com.

Technorati.com is a powerhouse in the world of tagging. If you have a blog, Technorati should become one of your favorite search engines on the World Live Web. Many Technorati tags are beginning to dominate the Web by having constantly updated, fresh blog content on highly focused subjects. The beauty of Technorati is that blog applications such as Blogware and others are completely integrated with it, allowing blog categories to be instantly tagged and syndicated into the blog search engine. Any blog can also be manually added to Technorati's very open tagging system. Like digg, even if you only get a trickle of traffic from Technorati itself, many times the link value alone will skyrocket the speed at which your site ranks in the search engines.

There are many other folksonomy sites that can help you with "tag syndication." With its encouragement for users to submit their own RSS feeds as content, My Yahoo! is a great way to increase traffic and links. Web applications like TagCloud integrate RSS and tagging, while wikipedia.org is a method of allowing social webpage and content development. All these methods and many more have two great things in common: 1) they are free (as of this writing) and 2) they give the power to reshape and categorize the Web to the people. If content is king then content management is the kingdom.

Sunday, September 18, 2005

Security Risks and Ways to Decrease Vulnerabilities in a 802.11b Wireless Environment

Introduction

This document explains topics relating to wireless networks. The main topics discussed include what types of vulnerabilities exist today in 802.11 networks and ways that you can help prevent these vulnerabilities from being exploited. Wireless networks have not been around for many years. Federal Express has been using a type of wireless network similar to the 802.11 networks used today, but the general public has only recently started to use wireless networking technology. Because of the weak security that exists in wireless networks, companies such as Best Buy have decided to postpone the roll-out of wireless technology. The United States Government has done likewise and is suspending the use of wireless until a more universal, secure solution is available.

Background

What is Wireless?

Wireless LANs, or Wi-Fi, are a technology used to connect computers and devices together. Wireless LANs give people more mobility and flexibility by allowing workers to stay connected to the Internet and to the network as they roam from one coverage area to another. This increases efficiency by allowing data to be entered and accessed on site.

Besides being very simple to install, WLANs are easy to understand and use. With few exceptions, everything to do with wired LANs applies to wireless LANs. They function like, and are commonly connected to, wired Ethernet networks.

The Wireless Ethernet Compatibility Alliance (WECA) is the industry organization that certifies 802.11 products that are deemed to meet a base standard of interoperability. The first family of products to be certified by WECA is the one based on the 802.11b standard. This set of products is what we will be studying. Other standards also exist, such as 802.11a and 802.11g.

The original 802.11 standard was published in 1999 and provides for data rates at up to 2 Mbps at 2.4 GHz, using either FHSS or DSSS. Since that time many task groups have been formed to create supplements and enhancements to the original 802.11 standard.

The 802.11b task group (TG) created a supplement to the original 802.11 standard, called 802.11b, which has become the industry standard for WLANs. It uses DSSS and provides data rates up to 11 Mbps at 2.4 GHz. 802.11b will eventually be replaced by standards which have better QoS features and better security.

Network Topology

There are two main topologies in wireless networks which can be configured:

Peer-to-peer (ad hoc mode) – This configuration is identical to its wired counterpart, except without the wires. Two or more devices can talk to each other without an AP.

Client/Server (infrastructure networking) – This configuration is identical to its wired counterpart, except without the wires. This is the most common wireless network used today, and what most of the concepts in this paper apply to.

Benefits of Wireless LANs

WLANs can be used to replace wired LANs, or as an extension of a wired infrastructure. It costs far less to deploy a wireless LAN than to deploy a wired one. A major cost of installing and modifying a wired network is the expense of running network and power cables, all in accordance with local building codes. Examples of additional applications where WLANs may be chosen include:

  • Additions or moves of computers
  • Installation of temporary networks
  • Installation in hard-to-wire locations

Wireless LANs give you more mobility and flexibility by allowing you to stay connected to the Internet and to the network as you roam.

Cons of Wireless LANs

Wireless LANs are a relatively new technology, having only been around since 1999. With any new technology, standards are always improving, but in the beginning they are unreliable and insecure. Wired networks send traffic over a dedicated line that is physically private; WLANs send their traffic over a shared space, the airwaves. This introduces interference from other traffic and the need for additional security. Besides interference from other wireless LAN devices, the 2.4 GHz band is also used by cordless phones and microwave ovens.

Security Issues of WLANs

War-driving – War-driving is a process in which an individual uses a wireless device such as a laptop or PDA to drive around looking for wireless networks. Some people do this as a hobby and map out the different wireless networks which they find. Other people, who can be considered hackers, will look for wireless networks and then break into them. If a wireless network is not secured, it can be fairly easy to break into the network and obtain confidential information. Even with security enabled, hackers may be able to break it. One of the most prevalent tools used on PDAs and Microsoft Windows devices is Network Stumbler, which can be downloaded at http://www.netstumbler.com. Equipped with the software and device, a person can map out wireless access points if a GPS unit is attached. Adding an antenna to the wireless card increases the range of Wi-Fi. More information can be found at http://www.wardriving.info and http://www.wardriving.com, to name a few.

War-chalking – War-chalking is a method of marking wireless networks, most commonly using chalk. War-driving is usually the method used to search for networks, and then the person marks the network with chalk symbols that give information about the network. Some of the information would include what the network name is, whether the network has security, and possibly the contact information of whoever owns the network. If your wireless network is war-chalked and you don't realize it, your network can be used and/or broken into faster because of the information shown about your network.

Eavesdropping & Espionage

Because wireless communication is broadcast over radio waves, eavesdroppers who just listen over the airwaves can easily pick up unencrypted messages. These intruders put businesses at risk of exposing sensitive information to corporate espionage. (Source: Wireless LAN Security – What Hackers Know That You Don't, www.airdefense.net, Copyright 2002)

Internal Vulnerabilities

Within an organization, network security can be compromised by means such as rogue WLANs (or rogue APs), insecure network configuration, and accidental associations, to name a few.

Rogue Access Points – An employee of an organization might hook up an access point without the permission or even knowledge of IT. This is simple to do: all a person has to do is plug an access point or wireless router into an existing live LAN jack and they are on the network. One 2001 statistic from Gartner said that “at least 20 percent of enterprises already have rogue access points.” Another type of attack would be if someone from outside the organization enters the workplace and adds an access point by means of social engineering.

Insecure Network Configurations – Many companies think that if they are using a firewall or a technology such as a VPN, they are automatically secure. This is not necessarily true, because all security holes, big and small, can be exploited. Also, if devices and technologies such as VPNs, firewalls or routers are misconfigured, the network can be compromised.

Accidental Associations – This can happen if a wireless network is set up using the same SSID as your network and within range of your wireless device. You may accidentally associate with that network without your knowledge. Connecting to another wireless LAN can divulge passwords or sensitive documents to anyone on the neighboring network. (Source: Wireless LAN Security – What Hackers Know That You Don't, www.airdefense.net, Copyright 2002)

Social Engineering – Social engineering is one of the most effective and scariest types of attacks that can be carried out. This type of attack really scares me and can be done for many other purposes besides compromising security in wireless networks. A scenario: someone dressed up as a support person from Cisco enters the workplace. The secretary sees his fake credentials and lets him get past the front desk. The impersonator walks from cubicle to cubicle, collecting user names and passwords as he/she goes. After finding a hidden corner which seems to be lightly traveled, he plugs an insecure access point into the network. At the same time he configures the access point not to broadcast its SSID and modifies a few other settings to make it hard for the IT department to find this rogue access point. He then leaves without ever being questioned by anyone, because it looks like he just fits in. Now all he has to do is be within 300 feet of the access point (more if he added an antenna), and he has access to all kinds of secure documents and data. This can be a devastating blow to any corporation and could eventually lead to bankruptcy if the secrets of the company were revealed to competitors.

Bruce Schneier came to my classroom and said the following about Social Engineering, “Someone is just trying to do their job, and be nice. Someone takes advantage of that by targeting this human nature. Social Engineering is unsolvable.”

Securing Wireless Networks

According to Bruce Schneier and others such as Kevin Mitnick, you can never have a totally secure computing environment. What is often suggested is to try and control the damage which can be done if security is breached. One can try many different tools on the market which can help prevent security breaches.

WEP – WEP supports both 64- and 128-bit keys. Both are vulnerable, however, because the initialization vector is only 24 bits long in each case. Its RC4 algorithm, which is used securely in other implementations such as SSL, is quite vulnerable in WEP. (Source: Wireless Insecurities, by Dale Gardner, http://www.infosecuritymag.com/2002/jan/cover.shtml) Different tools exist to break WEP keys, including AirSnort, which can be found at www.airsnort.net. Although WEP is not a secure solution, it can be used to help slow down an attacker if other means are not possible, financially or otherwise.
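The 24-bit IV problem described above can be seen directly in code. The following Python is an illustration added here, not code from the original paper: it models a simplified WEP per-packet key (IV || shared key fed to textbook RC4, with the CRC-32 ICV and 802.11 framing omitted) and shows that two packets sent under a repeated IV leak the XOR of their plaintexts, and how soon a 24-bit IV repeats, either by the birthday bound for random IVs or by wrap-around of a sequential counter. The shared key, IV and plaintexts are constructed sample values.

```python
import math

IV_BITS = 24
IV_SPACE = 1 << IV_BITS  # 16,777,216 possible initialization vectors


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4: key-scheduling (KSA) followed by keystream generation (PRGA)."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(iv: bytes, shared_key: bytes, plaintext: bytes) -> bytes:
    """Simplified WEP: the per-packet RC4 key is IV || shared key and the IV is
    sent in the clear. 64-bit WEP uses a 5-byte shared key, 128-bit WEP a 13-byte
    one; the 24-bit IV is the same in both cases."""
    assert len(iv) == IV_BITS // 8
    return rc4(iv + shared_key, plaintext)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def iv_reuse_leaks_plaintext_xor(shared_key: bytes, p1: bytes, p2: bytes) -> bool:
    """Two packets under the same IV are XORed with identical keystream, so
    C1 xor C2 == P1 xor P2. The shared key itself is never needed for this leak,
    which is why IV repetition, not key length, is the core weakness."""
    iv = b"\x01\x02\x03"  # constructed: the sender picked this IV twice
    c1 = wep_encrypt(iv, shared_key, p1)
    c2 = wep_encrypt(iv, shared_key, p2)
    return xor_bytes(c1, c2) == xor_bytes(p1, p2)


def expected_packets_until_iv_repeat(space: int = IV_SPACE) -> float:
    """Birthday bound for randomly chosen IVs: about sqrt(pi * N / 2) packets."""
    return math.sqrt(math.pi * space / 2)


def collision_probability(packets: int, space: int = IV_SPACE) -> float:
    """P(at least one repeated IV after n random IVs) ~ 1 - exp(-n(n-1) / 2N)."""
    return 1.0 - math.exp(-packets * (packets - 1) / (2 * space))


def hours_until_counter_wrap(frames_per_second: float, space: int = IV_SPACE) -> float:
    """A sequential IV counter is guaranteed to repeat after N frames."""
    return space / frames_per_second / 3600.0


if __name__ == "__main__":
    key = b"wepkey-13byte"  # constructed 13-byte key (128-bit WEP variant)
    print("same-IV packets leak P1 xor P2:",
          iv_reuse_leaks_plaintext_xor(key, b"ATTACK AT DAWN", b"RETREAT AT 6AM"))
    print("random IVs, expected packets to first repeat: %.0f"
          % expected_packets_until_iv_repeat())
    print("P(repeat) after 5000 packets: %.2f" % collision_probability(5000))
    print("sequential IVs at 900 frames/s wrap after %.1f hours"
          % hours_until_counter_wrap(900))
```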

VPN and IPSec – IPSec VPNs let companies connect remote offices or wireless connections using the public Internet rather than expensive leased lines or a managed data service. Encryption and authentication systems protect the data as it crosses the public network, so companies don't have to sacrifice data privacy and integrity for lower costs. A lot of VPNs exist on the market today. An important note about VPNs is that interoperability does not really exist: whatever you use for your server has to be the same brand as your clients most of the time. Some VPN vendors include:

  • Borderware
  • BroadConnex Networks
  • CheckPoint
  • Cisco
  • Computer Associates

DMZ – Adding this to your network enables you to put your wireless network on an untrusted segment of your network.

Firewalls – Firewalls are all over the place, ranging from hardware to software versions. Adding a firewall between the wireless network and the wired network helps prevent hackers from accessing your wired network. This paper doesn't go into specifics about different firewalls and how to set them up, but there are many. Some of the firewalls include:

  • ZoneAlarm (an inexpensive software-based firewall), zonelabs.com
  • Symantec has many different firewalls depending on what you require.

PKI – Public-key infrastructure (PKI) is the combination of software, encryption technologies, and services that enables enterprises to protect the security of their communications and business transactions on the Internet. (Source: What is PKI?, http://verisign.netscape.com/security/pki/understanding.html)

Site Surveys – Site Surveys involve using a software package and a wireless device to probe your network for Access Points and security risks.
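As an added illustration of the site-survey idea (not code from the original paper), the Python below compares a constructed scan listing against an inventory of authorised access points and flags the internal-vulnerability cases discussed above: an authorised AP left unencrypted, an unknown AP advertising your SSID (the accidental-association case), and a likely rogue AP still using a factory-default SSID. The scan format, BSSIDs and SSIDs are all made up for the example; real survey tools emit their own formats.

```python
from dataclasses import dataclass

# Constructed inventory of our own access points: BSSID -> SSID it should advertise.
AUTHORISED = {
    "00:11:22:33:44:01": "CorpNet",
    "00:11:22:33:44:02": "CorpNet",
}

# Factory-default names that suggest an unmanaged (and therefore likely rogue) device.
DEFAULT_SSIDS = {"linksys", "default", "netgear", "tsunami", "wireless"}

# Constructed scan output in a made-up "SSID,BSSID,channel,encryption" format.
SCAN = """\
CorpNet,00:11:22:33:44:01,6,WEP
CorpNet,00:11:22:33:44:02,11,OPEN
CorpNet,aa:bb:cc:dd:ee:ff,6,OPEN
linksys,DE:AD:BE:EF:00:01,1,OPEN
CoffeeShop,12:34:56:78:9A:BC,11,WEP
"""


@dataclass
class Finding:
    bssid: str
    ssid: str
    code: str    # machine-checkable category
    detail: str  # explanation for the report


def parse_scan(text: str):
    """Parse the survey listing into (ssid, bssid, channel, encryption) tuples."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ssid, bssid, channel, enc = (field.strip() for field in line.split(","))
        rows.append((ssid, bssid.upper(), int(channel), enc.upper()))
    return rows


def survey(rows, authorised=AUTHORISED):
    """Classify every AP seen in the scan against the authorised inventory."""
    findings = []
    our_ssids = set(authorised.values())
    for ssid, bssid, channel, enc in rows:
        if bssid in authorised:
            if authorised[bssid] != ssid:
                findings.append(Finding(bssid, ssid, "AUTHORISED_SSID_MISMATCH",
                                        "our AP advertises an unexpected SSID; check its configuration"))
            elif enc == "OPEN":
                findings.append(Finding(bssid, ssid, "AUTHORISED_OPEN",
                                        "our AP is running without any encryption"))
            continue  # authorised and configured as expected
        if ssid in our_ssids:
            code, detail = "SAME_SSID_UNKNOWN_BSSID", (
                "unknown AP advertising our SSID; clients in range may associate with it by accident")
        elif ssid.lower() in DEFAULT_SSIDS:
            code, detail = "DEFAULT_SSID_ROGUE", (
                "factory-default SSID; likely an unmanaged AP plugged into a live LAN jack")
        else:
            code, detail = "UNKNOWN_AP", (
                "neighbouring AP in range; confirm it is not connected to our wired network")
        findings.append(Finding(bssid, ssid, code, detail))
    return findings


if __name__ == "__main__":
    for f in survey(parse_scan(SCAN)):
        print(f"{f.code:26} {f.bssid} {f.ssid!r}: {f.detail}")
```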

Proactive Approaches

Since wireless technology is insecure, companies, or anyone, can take a proactive approach to try and identify hackers trying to gain access via wireless networks.

Honeypots – Honeypots are decoy networks set up to try and lure in hackers. This enables administrators to find out more about what types of techniques hackers are using to gain access. One product is ManTrap, created by Symantec.

“ManTrap has the unique ability to detect both host- and network-based attacks, providing hybrid detection in a single solution. No matter how an internal or external attacker tries to compromise the system, Symantec ManTrap's decoy sensors will deliver holistic detection and response and provide detailed information through its system of data collection modules.”

http://enterprisesecurity.symantec.com/products/products.cfm?ProductID=157

Intrusion Detection – Intrusion detection is software that monitors traffic on the network. It sounds a warning if a hacker is trying to access the network. One such free product is Snort.

“Before we proceed, there are a few basic concepts you should understand about Snort. There are three main modes in which Snort can be configured: sniffer, packet logger, and network intrusion detection system. Sniffer mode simply reads the packets off of the network and displays them for you in a continuous stream on the console. Packet logger mode logs the packets to the disk. Network intrusion detection mode is the most complex and configurable configuration, allowing Snort to analyze network traffic for matches against a user defined rule set and perform several actions based upon what it sees.” http://www.snort.org/docs/writing_rules/chap1.html#tth_chAp1

Network Monitoring – Network monitoring would be products such as Snort that monitor the flow of traffic over the network.

Quick tips and tricks

When setting up wireless networks and access points there are a few quick steps that can be taken to immediately tighten the network, even though these steps alone do not make it fully secure. Some of these ways include:

  • Change your default SSID: each router or access point comes with a default SSID. By changing this, it can take longer for an attacker to know what type of device he is trying to hack.
  • Change the default password: generic default passwords are assigned to access points and routers. Sometimes the password is simply "admin". By changing this password, the attacker cannot modify settings on your router as easily.
  • Disable SSID broadcasting: by default APs broadcast their SSIDs; if you shut off this setting it is harder for outsiders to find your AP.
  • Enable MAC filtering: WARNING: this can only work in smaller environments where a centralized access list does not need to be maintained. You can allow only specific wireless cards to access the AP by enabling only those MAC addresses.
  • Turn off shares: if security is important, scanning for shares and turning off the shares on the network can help. Also, encrypting sensitive data can prevent hackers from accessing the data.
  • Put your wireless access points in a hard-to-find and hard-to-reach spot.
  • Keep the drivers on all wireless equipment updated. This helps patch existing security vulnerabilities.
  • Read current press releases about emerging wireless news.

About The Author

Richard J Johnson

Network+ Certified

RJ Computer Consulting

http://rjcomputerconsulting.com

Richard@johnsorichard.com

Saturday, September 17, 2005

Hacking Threats and Protective Security

Written by: Michael Hart

The 1998 Data Protection Act was not an extension to, but rather a replacement which retains the existing provisions of the data protection system established by the 1984 legislation. The Act was to come into force from 24 October 1998 but was delayed until 1st March 2000.

In addition to data, manual records were to be brought within the terms of the new data protection system, thus allowing subject access rights to access to such records.

Due to the allowances made for existing institutions to be brought into compliance with the new legislation, manual data processing that began before 24 October 1998 was to comply with the new subject access accommodations of the Act until 2001.

Now, 4 years later, there are still unresolved issues such as the security threats presented by computerisation; these can be broadly divided into 3 categories:

Incompatible usage:
Where the problem is caused by an incompatible combination of hardware and software designed to do two unconnected but useful things which creates weak links between them which can be compromised into doing things which they should not be able to.

Physical:
Where the potential problem is caused by giving unauthorised persons physical access to the machine, which might allow a user to perform things that they should not be able to.

Software:
Where the problem is caused by badly written items of "privileged" software which can be compromised into doing things which they should not be able to.

Security philosophy:
A system's security implementations (software, protected hardware, and compatible usage) can be rendered essentially worthless without appropriate administrative procedures for computer system use.

The following details the results of the threat analysis. If a computer system were set up to mimic the current running of the health practice, the following considerations should be understood:

Assets To Be Protected:
That due to the nature of the institution, stable arrangements would need to be made to protect the:

Data: Programs and data held in primary (random access and read only memory) and secondary (magnetic) storage media.

Hardware: Microprocessors, communications links, routers, and primary / secondary storage media.

Security Threats:
The following details the relevant security threats to the institution and the more common causes of security compromise.

Disclosure:
Due to both the sensitive nature of the information to be stored and processed and the more stringent requirements of the new data protection legislation, all reasonable precautions must be taken to insure against this threat.

Attackers:
Although the vast majority of unauthorised access is committed by hackers to learn more about the way computer systems work, cracker activities could have serious consequences that may jeopardise an organisation due to the subsequent violation of the seventh data protection principle, i.e. that personal data shall be surrounded by proper security.

The staff:
It is widely believed that unauthorized access comes from the outside, however, 80% of security compromises are committed by hackers and crackers internal to the organisation.

Operators:
The people responsible for the installation and configuration of a system pose a critical risk to security, inasmuch as they may:

[1] Have unlimited access to the system thus the data.

[2] Be able to bypass the system protection mechanisms.

[3] Commit their passwords for your system to a book, or loose notes.

[4] Tend to use common passwords on all systems they create, so that a breach on one system may extend to others.

The data subject:
The data subject invoking the right to access personal data creates a breach in security by definition. To comply with such a request the data must be ‘unlocked’ to provide access to it, thus creating additional risks to security. Inasmuch as:

[1] If copies have to be made, this will normally be by clerical staff who would not normally have such rights themselves.

[2] The copies may go astray whilst being made available.

[3] Verification of the identity of the data subject becomes very important.

Software:
Many businesses have database applications that are typically designed to allow one or two staff to handle a greater workload. Therefore such software does not allow validation (confirming that data entries are sensible) of the details the staff enter.

This is a critical security risk as it allows basic acts of fraud to be committed, such as, bogus data entry (entering additional unauthorised information).

Importance Of Good Security:
Data is valuable in terms of the time and money spent on gathering and processing it. Poor or inadequate system protection mechanisms can lead to malicious computer system attacks (illegal penetration and use of computer equipment).

One or more devious, vandalising, crackers may damage a computer system and / or data, such damage could have serious consequences other than those of the subsequent violation of the seventh data protection principle that may jeopardize the organisation. For example:

Loss of information: Which can cost money to recreate.

False information: With possible legal action taken.

Bad management: Due to incorrect information.

Principles Of Computer Security:
The publication and exploration of inefficiencies and bugs in security programs that exist in all complex computer programs (including operating systems), together with the methods of entry and the ease of access to such technical information, have meant that a system is only as secure as the people who have access to it, and that good system security cannot be guaranteed by the application of a device or operating system.

Computerisation:
Media reports that draw public attention to the security threats inherent in the nature of programmable technology and the safety of individuals' information have given rise to situations where institutions entrusted with sensitive information need to spend as much time and energy gaining public trust in such systems as they do in providing services.

Although this scenario does not yet apply to the health industry inasmuch as the public are not yet the end users of the system, such social impressions must be considered:

This leads us to the question: if life with computers is so wondrous, how do you leave it? Simply flip a switch and everything will shut down, and you can explore the marvels of the outside world. Computers are only tools and, just like an electric screwdriver, computers can save time and effort without taking anything away from you. All you have to decide is when you want to use a computer and when you don't; you're still in complete control of your life.

Principles Of Inference:
One of the new concepts introduced by the data protection legislation is ‘inference’, and data is now regarded as itself sensitive if sensitive data can be inferred from it. For example, if an estate agent displays complete details about one terraced house, you can infer what the neighbouring house is like. In a medical practice, full patient details about three members of a family could probably allow you to construct the details of a fourth.

This must be linked to the proposition that, in the last 10 years or so more information has been stored about individuals than in all of previous history, and, because of computerisation, all of that information is capable of being pulled together from the different organisations (banks, stores, state, etc) which hold it.

Right To Privacy:
It can be seen that the statement ‘The processing of personal computerised data represents a threat to the individual’s right to privacy’ is well founded. Unfortunately, until now, there has been no statutory right in English law to personal privacy.

For this reason, a right to privacy of that information has been set into the data protection legislation, and, it is only such legislation that prevents complete dossiers from being compiled on any given individual.

Health professionals are exempted from the need for prior approval before processing personal information, for example, as it is clear the health of the individual overrides the individual’s right to privacy, and the consent can be taken for granted.

This does not relieve health professionals of the full burden of protecting that information from unauthorised access, specifically because of the higher obligations placed on them by the Hippocratic oath, which states that a member of the medical profession should respect the secrets confided to them, even after the patient has died.

However, as can be seen from the exemptions and exceptions, a difficult balance has to be achieved between the right to privacy, and the needs of the individual (and/or the organisation).

In any entity or practice, the data subject's right to protection of the data that relates to them creates a conflict of interest between the subject and the practice: the security controls needed to honour that right add administration, and having to navigate them every time data is needed puts extra stress on the staff, both of which management may wish to avoid.

© I am the website administrator of the Wandle Industrial Museum (http://www.wandle.org), established in 1983 by local people to ensure that the history of the valley is no longer neglected and to raise awareness of its heritage for the use and benefit of the community.

Friday, September 16, 2005

Network Vulnerability Assessment Notes



What is a Vulnerability?
A weakness in a system that allows it to be maliciously exploited and used outside the way it was designed to be used, and/or leaves it open to a threat, increasing the risk of operational corruption or disaster.

What is a Threat?
A possible danger to your system: a person, a thing, or an event that might attack the system either accidentally or deliberately.

What is a Risk?
The potential of a threat to exploit a vulnerability


Vulnerability Assessment
A vulnerability assessment consists of determining the amount of risk associated with a given vulnerability and the system's compliance with security policies and practices.

Vulnerability Assessment Tasks:
-Identify system vulnerabilities
-Evaluate and measure the risk associated with each vulnerability
-Point out possible solutions (if any)


Penetration Test Vs. Vulnerability Assessment
Penetration Test:

-Use hacker techniques to break into a system

Vulnerability Assessment:
-Risk evaluation
-Repeatable methods to uncover all vulnerabilities
-Analysis of security practices and implementation of security policies

6 Steps to a Solid Assessment
from Peltier's Network Vulnerability Assessment trainer
Step 1: Site Survey
Step 2: Develop a Test Plan
Step 3: Build the Toolkit
Step 4: Conduct the Assessment
Step 5: Analysis
Step 6: Documentation

Reference:
Peltech.com
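The definitions and the three assessment tasks above can be carried into a repeatable check, which is the "repeatable methods" point that separates an assessment from a penetration test. The following is an added example, not code from the notes or from Peltier's material: it takes a host inventory, compares installed versions against a list of advisories of the kind the assessment measures against, scores each finding, and reports the hosts that fall outside an accepted-risk policy. The hosts, product names, versions and advisories are all constructed (the identifiers are not real advisory numbers), and the likelihood × impact scoring and the policy threshold are assumptions, not something the notes define.

```python
"""Vulnerability assessment over a host inventory (constructed example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    ident: str          # constructed identifier, not a real advisory number
    product: str
    fixed_in: str       # first version that is no longer vulnerable
    likelihood: int     # 1-5, how likely a threat is to exploit it (assumed scale)
    impact: int         # 1-5, consequence if it is exploited (assumed scale)
    remediation: str


@dataclass(frozen=True)
class Finding:
    host: str
    advisory: str
    installed: str
    risk: int
    remediation: str


# Constructed inventory: product names and versions are fictional.
INVENTORY = {
    "web01": {"exposure": "internet", "software": {"webfront": "2.0.54", "shelld": "4.1"}},
    "db01":  {"exposure": "internal", "software": {"dbcore": "8.0.3", "shelld": "3.9"}},
    "ws17":  {"exposure": "internal", "software": {"shelld": "4.2"}},
}

# Constructed advisories: the notices the assessment measures compliance against.
ADVISORIES = [
    Advisory("ADV-EXAMPLE-001", "shelld", "4.2", 3, 4, "upgrade shelld to 4.2 or later"),
    Advisory("ADV-EXAMPLE-002", "webfront", "2.0.55", 4, 5, "upgrade webfront to 2.0.55 or later"),
    Advisory("ADV-EXAMPLE-003", "dbcore", "8.0.4", 2, 5, "upgrade dbcore to 8.0.4 or later"),
]

# Assumed policy: findings scoring above this threshold must be remediated.
POLICY = {"max_accepted_risk": 8}


def parse_version(version):
    """'2.0.54' -> (2, 0, 54), so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def is_vulnerable(installed, fixed_in):
    """Vulnerability: the installed version predates the fix."""
    return parse_version(installed) < parse_version(fixed_in)


def risk_score(advisory, exposure):
    """Risk: the potential of a threat to exploit the vulnerability, modelled here
    (an assumption) as likelihood x impact, with Internet exposure raising the
    likelihood one step because more threats can reach the host."""
    likelihood = min(5, advisory.likelihood + (1 if exposure == "internet" else 0))
    return likelihood * advisory.impact


def assess(inventory, advisories):
    """Tasks 1 and 2: identify vulnerabilities and measure their risk. The same
    inventory and advisories always produce the same findings, worst first."""
    findings = []
    for host, info in inventory.items():
        for adv in advisories:
            installed = info["software"].get(adv.product)
            if installed is not None and is_vulnerable(installed, adv.fixed_in):
                findings.append(Finding(host, adv.ident, installed,
                                        risk_score(adv, info["exposure"]), adv.remediation))
    return sorted(findings, key=lambda f: (-f.risk, f.host, f.advisory))


def non_compliant_hosts(findings, policy):
    """Compliance check: hosts carrying at least one finding above accepted risk."""
    return sorted({f.host for f in findings if f.risk > policy["max_accepted_risk"]})


def report(findings, policy):
    """Task 3: point out the solution for each finding."""
    lines = []
    for f in findings:
        flag = "NON-COMPLIANT" if f.risk > policy["max_accepted_risk"] else "accepted"
        lines.append(f"{f.host:6} {f.advisory:16} installed {f.installed:8} "
                     f"risk {f.risk:2} {flag}: {f.remediation}")
    return "\n".join(lines)


if __name__ == "__main__":
    found = assess(INVENTORY, ADVISORIES)
    print(report(found, POLICY))
    print("non-compliant hosts:", ", ".join(non_compliant_hosts(found, POLICY)))
```

Two details matter in practice: versions must be compared numerically ("4.10" is newer than "4.2", which a string comparison gets wrong), and the risk score has to account for exposure, since the same missing patch on an Internet-facing host and on an isolated workstation is not the same risk.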

Thursday, September 15, 2005

NR-KPP stands for Net Ready Key Performance Parameters

NR-KPP stands for Net Ready Key Performance Parameters.
Net Ready is the ability to have immediate access to mission or business essential information. Like the term Netcentric, Net Readiness is the full exploitation of the Internet and/or Intranet whether the organization's primary mission is business, volunteerism or warfare.

So Net Ready Key Performance Parameters refers to evaluating the “net readiness” of a given information system or organization.

Formal Definition:
NR-KPP was developed to assess net-ready attributes required for both the technical exchange of information and the end-to-end operational effectiveness of that exchange. The NR-KPP replaces the Interoperability KPP, and incorporates net-centric concepts for achieving Information Technology (IT) and National Security System (NSS) interoperability and supportability.




What are the elements within the Net Ready Key Performance Parameters?

-Net-Centric Operations and Warfare Reference Model (NCOW RM) Compliance Statement
-Information Assurance (IA) Accreditation Compliance Statement
-Key Interface Profiles (KIPs) Compliance Statement

Your guide on creating the NR-KPP will be CJCSI 6212, Interoperability and Supportability of Information Technology and National Security Systems, which says:

Net-Ready Key Performance Parameter. All Information Support Plans (ISP) for systems that exchange information with other systems will contain a Net-Ready KPP. For all ISPs with an associated approved JCIDS CDD or CPD capabilities document, the ISP can refer to the associated CDD/CPD. ISPs for CRDs, ORDs, non-ACAT and fielded systems will include the NR-KPP in the ISP.

The NR-KPP will consist of the following:
a. AV-1, OV-2, OV-4, OV-5, OV-6C
b. SV-4, SV-5, SV-6
c. TV-1 generated from DISR online
d. Applicable CRD crosswalk (See Table D-3)
e. Initial LISI Profile (Interface Requirements Profile) See Enclosure K
f. NR-KPP statement. (Table I-1)
g. IA Statement of Compliance
h. Key Interface Profile (KIP) Declaration (list of the KIPs that apply to the system)

Reference:
CJCSI 6212, Interoperability and Supportability of Information Technology and National Security Systems
-> http://www.teao.saic.com/cbrtraining/docs/CJCSI_6212_01.pdf

Net Ready -> http://del.icio.us/tag/%22net%2Bready%22
More on NR-KPP -> http://del.icio.us/tag/%22nr%2Bkpp%22

http://del.icio.us/rss/tag/netcentric

Wednesday, September 14, 2005

Information System Security Engineering Professional (ISSEP) certification

I've been thinking of taking the Information System Security Engineering Professional (ISSEP) certification. Since the CISSP info is still fresh in my mind and much of the ISSEP covers things I do or have to deal with daily, it seems like a good idea.

What is the ISSEP?
The ISSEP was developed by the International Information System Security Certification Consortium (ISC)2 in conjunction with the National Security Agency/IAD. Whereas the CISSP is an all-encompassing general look at security, the ISSEP is a concentration on the system security engineering process. System security engineering has to do with ensuring that selected solutions meet the mission or business security needs. It is defined as "the art and science of discovering users' security needs, and designing and making, with economy and elegance, information systems so that they can safely resist the forces they might be subjected to."


System Security Engineers tasks:
Discover Information Protection Needs
Define system Security Requirements
Design System Security Architectures
Develop Detailed Security Design
Implement System Security
Assess Information Protection Effectiveness

Instead of ten Domains the ISSEP has four:

System Security Engineering
Certification and Accreditation
Technical Management
U.S. Government Information Assurance Regulations

Most of the ISSEP's material comes from the Information Assurance Technical Framework (IATF).

My co-worker recently took the test and he said it was more difficult than the CISSP. The CISSP is easily THE most difficult test I've ever done. Although, since most of the information comes from the IATF, I'm not sure how it could be more difficult.
The CISSP is so broad that you could not possibly get all the information from a single source.

http://www.acsac.org/2003/case/thu-c-1530-Oren.pdf
www.nsa.gov
www.isc2.org

Monday, September 12, 2005

Taking the CISSP: part 1

I took the CISSP. I really don't know what to say about it aside from acknowledging that it was extremely difficult. Andrew Briney's article is the most accurate description of the CISSP test. Briney says, "It's a mystery wrapped in a riddle inside an enigma."


His other very true point:


"The exam is best characterized as an 'inch deep and a mile wide.' Whether this makes it easy or difficult is a matter of perspective."


For me the hardest part was the answers. I feel like I've mastered the art of studying for a test. The fact that there is so much knowledge crammed into a 250-question test makes my study techniques watered down. It's very difficult to cover all 10 domains effectively.


I'm not one of those bastards that can walk into a test cold (no studying, no worries) finish in half the average time and pass.  If I don't study, I fail.  I've learned to live with this.  I know my weakness.  I just second guess myself too much on every answer.  I'm one of those guys that does not believe that everything is black and white but that everything is a million shades of gray.  For me that is where the difficulty lies.  The CISSP wants you to choose the "best" answer.  So while many or even ALL of the answers might be true, there is only one BEST answer.  But my best might not be your best.


I've taken many certifications. They have become almost a hobby of mine. In June, I took the Security+ hoping it would help prepare me for the CISSP. First of all, let me just say comparing the CISSP and the Security+ is like comparing Lennox Lewis' fighting style to that of some 12-year-old girl from John C. Still Middle School. There is NO freakin' comparison... NONE, do you hear me! The preparation that I put into the Security+ is what helped me in my CISSP success. That being said, there were about 6 very similar questions from the Security+ on the CISSP, but the CISSP contains ALL of the domains of the Security+ at a comprehensive level.


As I said, I've taken many certs. And I DO think that taking a test makes him smart or more technically skilled than some l33t hacker that has been cracking databases since age 12, but I believe some certifications have great value to the IT and security industry. Many say that any dependency on certification is what is lowering the number of IT and security professionals with skills. While there may be truth to that, I say it is just another way for employers to gauge whether or not they are investing in a skilled employee. Whether they chose the right candidate will ultimately be decided (just like anyone else) by time.


NO certification I have taken comes within an Astronomical Unit of the CISSP.  Of course I'm not an MCSE or a CCNP (though I've tasted the fruits of both) so perhaps there is a match in its level of difficulty.


Having taken the test, I don't feel I was fully prepared even though I have legitimate experience in nearly all aspects of security; I read a book and studied on and off for a year before taking the test. I tell you, this test beat the shit out of me. They give you 6 hours to complete the test and I finished in 5 1/2 hours. When I was done, I was sure I'd failed. I started trying to think of ways I'd pay the company back since they would not pay for a failed certification. I also started studying for the repeat. I was pleasantly surprised when I got the "congratulations" email.


Adequate study for me would have consisted of reading no less than two "600 page" books and going to a boot camp.


This is the best online CISSP resource I have found: www.cccure.org.


 


Special Shout outs go to the ISSA COS chapter and Mr. Proeller, so long and thanks for all the bagels.. bad, bad joke...42.

Sunday, September 11, 2005

Information Security Vs. Information Technology career fields

In my experience Information Security as a career field is far superior to Information Technology (IT). I've done both for a number of years. IT seems to get worse every year and Information Security seems to get better.

Overall, Information Security pays better, has less competition from competent professionals and usually doesn't have a lot of out-of-country competition. There are exceptions such as highly specialized IT jobs and management positions. When I refer to "IT" I'm speaking of basic network engineers and system administrators, not WAN engineering CCIEs, IT guys running their own business contracts, or very specialized software coders that know assembly. I used to be very excited about IT until I went into the private sector for about a year.

Why does Information Technology suck as a career field?
Well, it doesn't necessarily SUCK, but there are several reasons why I will more than likely never go back to vanilla-flavored IT: too much work, slave wages, competition.

Let's start with too much work. Many businesses that rely heavily on their servers, routers, databases and other information systems want their systems up 24/7, which requires on-call workers. I used to be excited about getting the pager and/or corporate cellphone until I got called a few times at the crack of ASS on a weekend. When a critical system goes down, the IT person's pager blows up. This sometimes means working long hours. When you are on call, your free time is completely dependent on the status of the information system. FYI, the system hardly ever goes down when you're sitting at home thinking, "Damn, I'm bored! I wish I could fix the server." It usually goes off when you're at your daughter's graduation or in the middle of your marriage about to say "I DO" or in mid-stroke when you're about to orgasm.

Information Security specialists can also have a "digital leash." But a major virus taking down an entire network is much rarer than a system crash or user error, especially if you have Windows behind a good, robust firewall.

Slave wages... OK, that's an overstatement, but unless you are specialized, as stated above, you will be hard pressed to make over 55k in a basic IT job. Now 55k is pretty good, but in security you can make as much as 100k (particularly in forensics).

The low wages are directly related to the amazing amount of competition you will face as an IT guy. Where I live there are a handful of military installations which crank out bright young service members who are willing to take the minimum that most companies will pay. One of the biggest competitors may not even come from your country of origin. In the U.S., global outsourcing has become an epidemic. India is one of the biggest competitors for American IT jobs, including help desk and software engineering.

Information Security typically hires within the host country's borders. Many positions even require a security clearance, which greatly limits not only international competition but local competition as well.

The bottom line in Information Technology and Information Security is specialization. The more skilled you are at one particular trade, and the more certifications, licenses and degrees you have focusing on one specialized, in-demand skill, the better. They may just be pieces of paper, but consider them ammunition against the competition that wants YOUR job. The specialization doesn't have to be in security; it could be in database analysis or network management or some programming language.

Thursday, September 08, 2005

ISP Architectural Views


One of the most important parts of an Information Support Plan (previously known as a C4ISP) is the Architectural Views. The DoD Architecture Framework document describes each view in painful, painful detail. Since the C4ISP has been changed into the ISP, the DoD Architecture Framework is a bit out of date. For example, it doesn't mention "ISP" and also includes some old views that have been phased out, such as OV-3 and SV-1. The following gives my view on some of the views.

In my limited experience, creating views is a very iterative process, meaning you create a little, then you tweak and change them as you go.

AV-1, Overview and Summary Information, is a breeze if you have all the appropriate information readily available.

Operational Views (OV)
These are fun for me because I feel like I understand them. OV-1, High-Level Operational Concept Graphic, is one that I've had the pleasure of not having to do. Merely starting it was a bit of a challenge. It is intended to look pretty. I've seen it done effectively with MS Word and PowerPoint.

OV-2 is the Operational Node Connectivity Description. As a network guy, this is my favorite. I use Visio for this one with simple shapes representing the nodes, or you can get fancy and use computer icons. OV-4, Organizational Relationships Chart, is another fun, easy diagram that can be created with Visio or Word using simple shapes. OV-5 is the Operational Activity Model. Since it is so closely tied to SV-4, Systems Functionality Description, and SV-5, Operational Activity to Systems Function Traceability Matrix, it is very, very iterative and not one of my favorites. I complete these three one after another. Both SV-4 and OV-5 must be completed before you do SV-5, since all the info in SV-5 comes from those two. OV-6c, Operational Event-Trace Description, requires a very good understanding of what happens to the data upon entering the system. But once you have that nailed down it is fairly straightforward. The Logical Data Model, OV-7, can get a bit convoluted, I imagine. In it you are supposed to give a visual representation of the various domains.

Systems Views (SV)
The SVs can get a little gray, as some of the views can touch on things that involve your system but that you have perhaps only heard of. For example, if your system "A" connects with system "B", you may have to show that connection even though you don't know much of anything about system "B". I haven't seen SV-1 on the TEAO SAIC site, so I assume it has been phased out. But it deals with interfaces. SV-2, Systems Communications Description, is very much like the example of system "A" in relation to "B". SV-2 shows how your system communicates/connects with other systems. It's almost like a bird's-eye view of OV-2. SV-4, Systems Functionality Description, as I said in the OV section, is closely related to OV-5 and SV-5, so if one changes, they may all have to change. SV-5 is a large table that shows the direct relationship between operational activities and system functions. It is a pain in the ass for the reason stated above. SV-6 can be a very complex table. It is the Systems Data Exchange Matrix. You'll note that anything with the word "matrix" in it sucks. That is because one change on a separate view can affect other views, and that almost always includes the matrices.

Technical Views (TV)
TV-1, Technical Standards Profile, merely lists all the capabilities of the system and references each of the technical standards used.

That is my opinion of the ISP views. I hope you find them as relatively painless as I did, and if not, this site will help you out --->
http://www.teao.saic.com/cbrtraining/archpro01.asp