Author name: Bruce

I have been doing IT and cybersecurity, specifically GRC, for 20 years. I want to help people get into this field.

Uncategorized

Chinese phone comes preloaded with spyware (Seattle Times, 6/17/14)

from Seattle Times (6/17/14): A cheap brand of Chinese-made smartphones carried by major online retailers comes preinstalled with espionage software, a German security firm said Tuesday. G Data Software said it found malicious code hidden deep in the proprietary software of the Star N9500 when it ordered the handset from a website late last month. The find is the latest in a series of incidents in which smartphones have appeared preloaded with malicious software. G Data spokesman Thorsten Urbanski said his firm bought the phone after getting complaints about it from several customers. He said his team spent more than a week trying to trace the handset’s maker without success. “The manufacturer is not mentioned,” he said. “Not in the phone, not in the documentation, nothing else.” The Associated Press found the phone for sale on several major retail websites, offered by an array of companies listed in Shenzhen, in southern China. It could not immediately find a reference to the phone’s manufacturer.

One of the things G Data discovered was the Android.Trojan.Uupay.D trojan masquerading as the “Google Play Store”. Because the code is buried in the phone’s own firmware, it ships with the device rather than being installed by the user. This may be the Chinese government’s attempt to spy on its own people, which is what most governments are trying to do lately, each for their own interests. Hopefully individuals will get smarter about protecting their own privacy and stay informed about cybersecurity.
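A quick check a practitioner can run against a suspect handset, as an added example that is not part of the original post or of G Data’s analysis: pull the package list with `adb shell pm list packages -f` and flag anything that imitates the genuine Play Store package name (com.android.vending). The sample output and the lookalike package names below are constructed for the example and are not the package name G Data reported for Uupay.D.

```python
"""Spot apps that pose as the Google Play Store on an Android device.

Added example, not code from the original post or from G Data. It parses the
output of `adb shell pm list packages -f`, which prints one
"package:<apk path>=<package name>" line per installed app, and flags package
names that imitate the genuine Play Store.
"""
import re

# The genuine Play Store package name on Google-certified Android builds.
GENUINE_PLAY_STORE = "com.android.vending"

# Constructed sample of `pm list packages -f` output. The lookalike names are
# hypothetical; they are not the package name reported for Uupay.D.
SAMPLE_PM_OUTPUT = """\
package:/system/priv-app/Phonesky/Phonesky.apk=com.android.vending
package:/system/app/GooglePlayStore/GooglePlayStore.apk=com.google.play.store
package:/data/app/com.android.vendlng-1/base.apk=com.android.vendlng
package:/system/app/Calculator/Calculator.apk=com.android.calculator2
"""

LINE_RE = re.compile(r"^package:(?P<path>.+?)=(?P<pkg>[\w.]+)$")


def parse_pm_output(text):
    """Return (apk_path, package_name) pairs from `pm list packages -f` output."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((m.group("path"), m.group("pkg")))
    return entries


def edit_distance(a, b):
    """Levenshtein distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_play_store_lookalike(pkg):
    """True if a non-genuine package name imitates the Play Store.

    Two heuristics: a near-miss of the genuine name (typosquat), or a name
    built from the words users associate with the store ("play" and "store",
    or "vending") that Google does not actually use for it.
    """
    if pkg == GENUINE_PLAY_STORE:
        return False
    if edit_distance(pkg, GENUINE_PLAY_STORE) <= 2:
        return True
    lowered = pkg.lower()
    return "vending" in lowered or ("play" in lowered and "store" in lowered)


def find_lookalikes(pm_output):
    """Return [(path, pkg)] for every installed package imitating the Play Store.

    The APK path is kept because a /system/ location means the app shipped in
    the firmware and cannot be removed with a normal uninstall.
    """
    return [(path, pkg) for path, pkg in parse_pm_output(pm_output)
            if is_play_store_lookalike(pkg)]


if __name__ == "__main__":
    for path, pkg in find_lookalikes(SAMPLE_PM_OUTPUT):
        where = "firmware" if path.startswith("/system/") else "user-installed"
        print(f"suspicious: {pkg} at {path} ({where})")
```

A name match is only a first pass. The conclusive check is to pull the APK (`adb pull <path>`) and compare its signing certificate against Google’s; a package that carries the real name but a different signer is the same problem as a typosquat, and anything living under /system/ will survive a factory reset.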


Oracle Linux 5 STIG V1R1

DISA Field Security Operations (FSO) has released the Oracle Linux 5 STIG, Version 1 Release 1. The requirements of the STIG become effective immediately.

Oracle Linux 5 STIG overview: DoD Instruction (DoDI) 8500.01 requires that “all IT that receives, processes, stores, displays, or transmits DoD information will be […] configured […] consistent with applicable DoD cybersecurity policies, standards, and architectures” and tasks the Defense Information Systems Agency (DISA) with the responsibility that it “develops and maintains control correlation identifiers (CCIs), security requirements guides (SRGs), security technical implementation guides (STIGs), and mobile code risk categories and usage guides that implement and are consistent with DoD cybersecurity policies, standards, architectures, security controls, and validation procedures, with the support of the NSA/CSS, using input from stakeholders, and using automation whenever possible.” This document is provided under the authority of DoDI 8500.01. – Oracle Linux 5 STIG V1R1

Although the use of the principles and guidelines in these SRGs/STIGs provides an environment that contributes to the security requirements of DoD systems, the applicable NIST SP 800-53 cybersecurity controls still need to be applied to all systems and architectures, selected according to Committee on National Security Systems (CNSS) Instruction (CNSSI) 1253.

The STIG is available on IASE at http://iase.disa.mil/stigs/os/unix/oracle_linux.html.


dod security clearance

DoD security clearance levels. Security clearances are granted by a number of US government agencies, not just the DoD, though the DoD issues most of them. Each level is tied to the damage its information could do if disclosed without authorization, and at every level access to a specific piece of information is still on a need-to-know basis; holding the clearance alone is not enough.

Unclassified: Official DoD information that falls outside the classification scheme. This is not a clearance level, but the information may still be marked For Official Use Only (FOUO) and withheld from public release.

Confidential: Information whose unauthorized disclosure could reasonably be expected to cause damage to national security. The clearance requires a background investigation that covers, among other things, marriages, foreign employment, and immediate relatives.

Secret: Information whose unauthorized disclosure could reasonably be expected to cause serious damage to national security. This clearance grants access to classified information up to the Secret level on a need-to-know basis.

Top Secret: Information whose unauthorized disclosure could reasonably be expected to cause exceptionally grave damage to national security. In addition to the checks at the Secret level, the investigation covers foreign travel, assets and finances, and character references, and investigators conduct field interviews before the clearance is granted. This clearance grants access to classified information up to the Top Secret level on a need-to-know basis.

Reference: http://www.dtic.mil/whs/directives/corres/pdf/520001_vol2.pdf and http://en.wikipedia.org/wiki/Classified_information_in_the_United_States


gslc certification

GSLC certification – GIAC Security Leadership (GSLC). The GSLC is for security professionals with managerial or supervisory responsibility for information security employees. It is often used as an alternative to the CISSP because it appears alongside the CISSP on the old DoD 8570 chart of acceptable IAM Level III certifications. The following exam objectives come directly from SANS:

802.11: The manager will demonstrate an understanding of the misconceptions and risks of 802.11 wireless networks and how to secure them.
Access Control and Password Management: The manager will demonstrate an understanding of the fundamental theory of access control and the role of passwords in controlling access to systems.
Building a Security Awareness Program: The manager will demonstrate an understanding of the critical elements of creating and managing a Security Awareness Program.
Business Situational Awareness: The manager will demonstrate familiarity with the concept of situational awareness and the fundamental sources of information that lead to business situational awareness.
Change Management and Security: The manager will be able to identify the signs of poor change management, understand the risks to the organization, and develop a program to improve operations.
Computer and Network Addressing: The manager will demonstrate an understanding of how computers have a variety of names and addresses on a network and why this must be managed.
Cryptography Algorithms and Concepts: The manager will demonstrate an understanding of several crypto algorithms and the concepts behind secure ciphers.
Cryptography Applications, VPNs and IPSec: The manager will demonstrate an understanding of how cryptography can be used to secure a network and how Pretty Good Privacy (PGP) works, and be introduced to VPNs, IPSec and Public Key Infrastructure (PKI).
Cryptography Fundamentals: The manager will demonstrate a basic understanding of the fundamental terminology and concepts of cryptography.
Defense-in-Depth: The manager will demonstrate an understanding of the terminology and concepts of Risk and Defense-in-Depth, including threats and vulnerabilities.
Defensive OPSEC: The manager will demonstrate an understanding of what OPSEC is and the techniques used in defensive Operational Security.
Disaster Recovery / Contingency Planning: The manager will be able to lead the BCP/DRP team and realistically plan for Business Continuity and Disaster Recovery.
DNS: The manager will demonstrate an understanding of how the Domain Name System (DNS) works, common attacks against DNS, and what can be done to defend against those attacks.
Endpoint Security: The manager will demonstrate an understanding of the issues related to defending Windows desktops and laptops.
Facilities and Physical Security: The manager will demonstrate the ability to articulate the needs of the information technology and security program to the parts of the organization responsible for facilities and physical security.
General Types of Cryptosystems: The manager will demonstrate an understanding of the three general types of cryptosystems.
Honeypots, Honeynets, Honeytokens, Tarpits: The manager will demonstrate an understanding of basic honeypot techniques and common tools used to set up honeypots.
Incident Handling and the Legal System: The manager will demonstrate an understanding of the basic legal issues in incident and evidence handling.
Incident Handling Foundations: The manager will demonstrate an understanding of the concepts of incident handling and the six-step incident handling process.
Information Warfare: The manager will demonstrate familiarity with the theory and techniques of information warfare.
IP Terminology and Concepts: The manager will demonstrate an understanding of the terminology and concepts of IP protocols and how they support the Internet.
Logging: The manager will demonstrate an understanding of how logging works, options for collection and processing, and the uses for correlation technology.
Malicious Software: The manager will demonstrate an ability to articulate what malicious code is, the common types of malicious code, how it propagates, and why it is such an expensive problem.
Manager’s Guide to Assessing Network Engineer: The manager will be able to assess the ability of a network engineer to understand network traffic.
Managerial Wisdom: The manager will demonstrate knowledge of the most effective business techniques from the most acclaimed books.
Managing Ethics: The manager will demonstrate familiarity with ethical issues and guidelines pertaining to IT security.
Managing Intellectual Property: The manager will be able to identify and protect intellectual property and intangible assets.
Managing IT Business and Program Growth in a Globalized Marketplace: The manager will demonstrate an understanding of the key factors affecting globalization and the fundamental principles of managing an IT business and achieving sustainable growth.
Managing Legal Liability: The manager will demonstrate an understanding of how to use due diligence to manage an organization’s legal liability, with emphasis on fraud and IT issues.
Managing Negotiations: The manager will demonstrate familiarity with guidelines for sound negotiation practices.
Managing PDA Infrastructure: The manager will understand the critical issues related to data stored on Personal Digital Assistant devices.
Managing Privacy: The manager will demonstrate an understanding of the privacy concerns that customers typically have and solutions that can be used to maintain privacy of data.
Managing Security Policy: The manager will be able to assess current policy, identify the overall security posture of the organization, ensure that existing policy is applicable to the organization’s needs, and modify policy as required.
Managing Software Security: The manager will demonstrate the ability to build security into the software development process.
Managing Technical People: The manager will demonstrate an understanding of techniques that can be used to communicate with and manage technical staff.
Managing the Mission: The manager will demonstrate an understanding of how mission statements and policy keep organizations on track and how security relates to the mission.
Managing the Procurement Process: The manager will demonstrate knowledge of the management responsibility for vendor selection through the primary phases of the procurement process and learn how to provide oversight into requirements analysis, price paid, and analysis of ROI.
Managing the Total Cost of Ownership: The manager will demonstrate an understanding of how to apply TCO to analyze proposed solutions over their entire life cycle, as well as be able to identify the main areas of cost for a given project.
Methods of Attack: The manager will demonstrate an introductory understanding of the most common attack methods and the basic strategies used to mitigate those


5 Things Every Executive Should Know About Risk (Stanford)

Do you struggle with confidently making “risky” decisions? Are your colleagues hesitant to buy in when the outcomes are so uncertain? We all know that many factors, most of them beyond your control, can affect the outcome of any business decision: future economic trends, the behavior of competitors, the success or failure of new technology, possible governmental regulation. To do a good job on these “big bet” decisions you must base your actions on the best available information, solid reasoning, and clear thinking. Join Dr. Steven Tani, Fellow and Partner with the Strategic Decisions Group, on June 10th as he explores the five things every executive needs to know about how to handle and embrace risk. Live or recorded option available.

Free webinar: 5 Things Every Executive Should Know About Risk. Tuesday, June 10th, 2014, 9 am Pacific. Presented by the Stanford Strategic Decision and Risk Management certificate program.


information technology risk management certifications

The most respected information technology risk management certifications accepted for risk management, IA, and computer security positions are the (ISC)² CISSP, CAP, and CISSP-ISSEP, and the ISACA CISA and CISM. I will give a quick, down and dirty look at these certifications from the perspective of someone in the industry. This is my personal opinion based on my experience. I have the CISSP and CAP. I know many people doing IT, security, and risk management work with one or more of the listed certifications, and I have direct experience hiring and teaching for organizations looking for risk management professionals.

What is the top risk management certification? The choice of “best” or “top” risk management certification depends on the industry.

Financial industries are very much into the CISA. The ISACA CISA and CISM are certs that came out of the financial audit world. I was surprised to learn that a friend of mine who worked for Ernst & Young as a corporate tax/finance auditor was working on taking the CISA. When I asked him why, he said that other accountants and financial auditors take that test. Banks and other financial organizations look highly upon the CISA and CISM.

US federal organizations heavily favor the CISSP for risk management work. Within the government it is the gold standard for risk management and information security jobs, so much so that hiring managers assume someone with a CISSP can do any security job. The CISSP is very broad in content, so it is a misconception that a CISSP holder can perform any security or risk management job. It is best if the CISSP is accompanied by actual experience with a given subject matter and/or a specific certification that indicates knowledge of a subject that is not so general. All of that said, the CISSP is a great certification if you want to get paid well.

The (ISC)² CAP is a great certification for risk management, and the most relevant of the five. The CAP focuses on the NIST Risk Management Framework and breaks the entire process down. The CISSP, by contrast, is all over the place, covering far too many security topics; the CISA is all about auditing systems; and the CISM is all about information security management. The CAP is a solid certification that goes six feet deep into pure risk management. If you are serious about learning risk management for IT, then the (ISC)² CAP is for you.

The ISSEP is a step up from the CISSP and the CAP. It is like a super CAP, and it is an actual concentration of the CISSP, so you must hold the CISSP before you can earn it. I have noticed that high-level risk management positions in the US federal space sometimes ask for it. It is definitely the alpha predator of risk management certifications; you cannot go higher than this for RMF short of getting a master’s or PhD in information assurance, information security, or the like. The problem I see with the ISSEP is that it is a lot of work for very little extra marketability. With an ISSEP you are in the top 1% of the RMF space, but only 0.01% of the jobs in the RMF/C&A category actually require one. Not many employers are looking for the ISSEP. It is a hard certification because you must first achieve the CISSP, and the ISSEP material is hard, boring, and very comprehensive.

Overall, the CAP, CISSP, and CISA/CISM are the best certifications for a professional doing Risk Management Framework work for IT.


RMF Knowledge Service (RMFKS)

The DoD CIO gave an overview of the Risk Management Framework (RMF) transition. The Risk Management Framework Knowledge Service (RMFKS) is the central repository for RMF guidance for DoD IT. The site is available to anyone with a Common Access Card (CAC) or an External Certificate Authority (ECA) certificate. The link is below, but some of the pages on the site are still under construction. rmfks.osd.mil  The former site for certification & accreditation / risk management was the DIACAP Knowledge Service (https://diacap.iaportal.navy.mil/).


fedramp 3pao

Federal Risk and Authorization Management Program (FedRAMP) Third Party Assessment Organizations (3PAO). FedRAMP was developed to give the federal government a way to use cloud-based services as securely as possible. It applies to US federal agencies and provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.

3PAO: third party assessment organizations. Third party assessors play an integral role in the FedRAMP process. Accredited independent assessors, the Third Party Assessment Organizations (3PAOs), have demonstrated the independence and technical competency required to test a cloud service provider’s (CSP’s) security implementation and collect representative evidence. Whether accredited through FedRAMP or not, third party assessors: create a Security Assessment Plan (SAP); perform initial and periodic assessments of CSP security controls; and conduct security tests and produce a Security Assessment Report (SAR).


DIARMF or RMF

You keep hearing the term DIARMF, but the name of the new DoDI 8510.01 document is simply RMF. DoDI 8510.01, Risk Management Framework (RMF) for DoD Information Technology (IT), was released in March 2014. So why do people keep calling it DIARMF? The draft version of DoDI 8510.01 floated around for almost three years, and it was called DIARMF. Basically, when officials first started talking about using the NIST SP 800-37 Risk Management Framework as the replacement for DIACAP, the name DIARMF stuck. The official name is RMF.
