Tuesday, November 17, 2009

NIST 800-53 v3 controls in database form - No Extra Charge!

Have you ever been asked to implement standards for your organization, only to find out that they are buried within a gazillion-page document with tables and appendices that you must pull actionable items out of? Top that off with your organization's risk scores and cross-referenced controls for the defined risk level...you get the picture. I think we all have, and we can agree that it isn't much fun. This morning, a colleague pointed me to a new release from our friends at NIST. Enter NIST SP 800-53 v3 in database format. From the readme:

The NIST SP 800-53 reference database application is a FileMaker runtime database solution. It represents the security controls that are organized into families for ease of use in the control selection and specification process. The security control structure consists of three key components: a control section, a supplemental guidance section, and a control enhancements section. The priority and minimum assurance requirements (i.e., low, moderate, and high) for security controls are applicable to each control. The user can browse the security controls based on various criteria, search for a specific control, and export the controls to various file types, e.g., tab-separated text file, comma-separated text file, XML, etc.

The download is about 42MB and is available here. After a quick decompression, you are ready to roll. However, this beta is limited to Windows support. If you're not familiar with the NIST SP 800 family of publications, you should be. They provide a great set of knowledge, vetted security controls and are available at no extra cost.

The application itself requires no installation, so it will run without administrative rights on the machine you are using it on (hint - you can share it with folks like legal counsel or developers so they can enjoy ease of access). To further protect the integrity of the data, the instance runs read-only. Once up and running, you are presented with a fairly busy interface that takes a bit of browsing to understand. However, after a few minutes you can quickly find the controls you need, according to your risk impact scores, with all the supporting information at your fingertips. This truly is a helpful tool to have in your toolkit.
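The exported file is where the real time saving is: once the controls are out of FileMaker you can pull the baseline for your impact level with a few lines of code instead of paging through Appendix D. The script below is an added example, not part of the original post and not part of NIST's tool. It assumes a tab-separated export with a header row and the column names FAMILY, NUMBER, TITLE, PRIORITY, LOW, MODERATE and HIGH, which are hypothetical; map them to whatever the real export produces. The rows are constructed samples, not the published control text or baseline assignments.

```python
"""Select SP 800-53 controls for an impact baseline from a database export.

Added example; not part of the original post or of NIST's FileMaker tool.
Column names are assumed (FAMILY, NUMBER, TITLE, PRIORITY, LOW, MODERATE,
HIGH) and the rows below are constructed samples, not NIST's text.
"""
import csv
import io
from collections import defaultdict

BASELINES = ("LOW", "MODERATE", "HIGH")

# Constructed sample of a tab-separated export. An "X" in a baseline column
# means the control (or enhancement, e.g. AC-2(1)) is selected for it.
_ROWS = [
    ("FAMILY", "NUMBER", "TITLE", "PRIORITY", "LOW", "MODERATE", "HIGH"),
    ("Access Control", "AC-1", "Access Control Policy and Procedures", "P1", "X", "X", "X"),
    ("Access Control", "AC-2", "Account Management", "P1", "X", "X", "X"),
    ("Access Control", "AC-2(1)", "Automated System Account Management", "P1", "", "X", "X"),
    ("Access Control", "AC-6", "Least Privilege", "P1", "", "X", "X"),
    ("Audit and Accountability", "AU-2", "Auditable Events", "P1", "X", "X", "X"),
    ("Audit and Accountability", "AU-10", "Non-repudiation", "P1", "", "", "X"),
]
SAMPLE_EXPORT = "\n".join("\t".join(r) for r in _ROWS) + "\n"


def _rows(export_text):
    """Parse the tab-separated export into dict rows keyed by header name."""
    return list(csv.DictReader(io.StringIO(export_text), delimiter="\t"))


def select_baseline(export_text, level):
    """Return {family: [control numbers]} selected for the given baseline."""
    level = level.upper()
    if level not in BASELINES:
        raise ValueError("baseline must be one of %s" % ", ".join(BASELINES))
    by_family = defaultdict(list)
    for row in _rows(export_text):
        if (row.get(level) or "").strip():
            by_family[row["FAMILY"]].append(row["NUMBER"])
    return dict(by_family)


def baseline_counts(export_text):
    """Number of selected controls per baseline, a quick sanity check."""
    return {lvl: sum(len(v) for v in select_baseline(export_text, lvl).values())
            for lvl in BASELINES}


def nesting_anomalies(export_text):
    """SP 800-53 baselines are cumulative: every low control is in moderate,
    and every moderate control is in high. Return (control, lower, higher)
    tuples that break that rule, which usually means a mangled export."""
    anomalies = []
    for row in _rows(export_text):
        flags = [bool((row.get(lvl) or "").strip()) for lvl in BASELINES]
        for i in range(len(BASELINES) - 1):
            if flags[i] and not flags[i + 1]:
                anomalies.append((row["NUMBER"], BASELINES[i], BASELINES[i + 1]))
    return anomalies


if __name__ == "__main__":
    for family, controls in sorted(select_baseline(SAMPLE_EXPORT, "moderate").items()):
        print("%s: %s" % (family, ", ".join(controls)))
    print(baseline_counts(SAMPLE_EXPORT))
    print("nesting anomalies:", nesting_anomalies(SAMPLE_EXPORT))
```

Run it against the real export after renaming the columns; a non-empty anomaly list is a sign the export or the column mapping is wrong, not that NIST's baselines are inconsistent.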

Monday, November 9, 2009

First iPhone Worm in the wild - for Jailbroken iPhones only

PMP Today reports that the first iPhone-targeted worm is hitting jailbroken iPhones that still use the default SSH password. The worm's payload is a mobile-device Rick Roll: it sets a Rick Astley photo as the phone's background.

The easy fix is, of course, to change the default SSH password as soon as you jailbreak - "alpine" wasn't exactly a strong password to start with.

Thursday, November 5, 2009

Risky Behavior: Making Risk Assessment Fun


The Naval Safety Center's Picture of the Week often provides a great visual aid when discussing risks - I find that audiences get a kick out of them, and they can help break the ice when starting a risk assessment. This one? I'm pretty sure that's an integrity risk (for his bones), and an availability risk (to his services). Impact? High! Probability? Well...that depends.

Sunday, November 1, 2009

Visualizing a Risk Vocabulary

Wordle.net's word visualization tool can be a great way to map out words and concepts. I fed it the Wikipedia text for Risk Assessment as part of a presentation I was asked to give as a guest speaker in an MBA class. Here's what it looks like:


The map for the "computer virus" article is also interesting:

I suspect that these will be useful visual aids in my presentations - a new way to present security concepts is often helpful, particularly when dealing with a non-IT staff audience.

Friday, October 30, 2009

Future Proofing an Information Security Job

One of the more interesting information security job questions that I've seen recently is "How do you future proof a security job?".

That's an interesting question. Security, like much of IT, has changed significantly over the past few years, and the skill sets required have changed or matured. A decade ago there were far fewer dedicated information security positions, web security was just starting to become a visible issue, and intrusion detection was in its infancy. We've come from a world where isolated local networks meant that copied floppies and boot sector viruses were our main threat to one where even our phones are possible threat vectors.

How then, can an information technology security professional stay relevant?

If you want to remain a technologist, rather than enter management, there are two popular paths: specialize or become a generalist.

If you choose to specialize, your route will take you down the path of becoming ever more highly trained in one discipline, or possibly a few closely related areas. Penetration testers may become more skilled programmers, and could delve deeply into web technologies, or system kernel exploits. Network security experts might become a CCIE, or tackle high end certifications from specific vendors.

The problem is that when that technology dies, you may have to re-train. That's nothing new in the world of information technology. Banyan Vines and Netware administrators have moved on to handle Active Directory, and experts in Token Ring have trained to deal with gigabit switched Ethernet and Internet protocols. What it does mean is that you have to keep an eye open to avoid being outdated along with the technologies that you are expert in. Specialization is a great way to get a job - if that job is in demand and the supply is small. COBOL programmers knew this in 1999, but that was a relatively rare opportunity for a dying technology to make a brief comeback.

The other route, of course, is that of the generalist. This tends to put you into a role that glues together security with other IT areas, and can be quite rewarding - but you may find that you're unable to operate at the same depth that your specialized peers can attain. Generalists may have a harder time justifying specialized training, and will not necessarily find that their resumes qualify them directly for the highly specialized jobs that require a single scarce skill.

Which route should a security analyst take? That's a tough call. At the end of the day, your work environment and your own preferences will likely shape your future-proofing efforts. In either case, technology will change, new threats will appear, and the job will continue to provide the challenges that we all face.

Thursday, October 29, 2009

How To: Search Engine Webpage Removal - A Search Engine Entry Removal Roundup

If you run a website of any type, there is a good chance that you'll want to remove content from Google, Bing, and other search engines at some point, either due to outdated information or sensitive data exposure. Below are links to the documentation provided by each of the major search engines for their removal process.

Most search engines will tell you that your first action should be an appropriate robots.txt entry, and many also want the page itself to return a 404 so the crawler can see that it is gone. If you don't, they may keep your content cached for even longer than they might otherwise. Note that a robots.txt Disallow only stops the crawler from fetching the page; a URL that is already indexed can linger as a bare listing until the engine's removal tool is used or the page actually returns a 404, and a noindex meta tag on a page the crawler is forbidden to fetch will never be read.

Google

First, you can build and submit a removal request covering personal information, images, and outdated or inappropriate content.

Second, once you have removed your own content, you can use Google's webpage removal request tool to have the stale entry dropped more quickly than waiting for the next crawl.

Finally, make sure you follow Google's noindex meta tag and robots.txt instructions.

Yahoo!

With Yahoo's move to the Bing search engine, their removal process has changed. You can use their Site Explorer tool to remove your site from their results.

Ask (formerly Ask Jeeves)

Ask only provides robots.txt support and has no formally published removal process.

Bing

Microsoft's new search engine has recently published removal instructions.

AltaVista

Per AltaVista's support information,

"If an AltaVista user comes across web pages that contain private personal, professional or financial information that is not available to the public and/or may have been illegally obtained, he or she can write to legal-support-uk@av.com to request that the offending URL be removed from AltaVista's index. Please note that removing said URL from AltaVista's index does not remove the URL from the public internet or the indexes of other search engines."

Archive.org / the Wayback Machine

Archive.org provides a long term snapshot of much of the Internet, dated by when the page was crawled. If your site has been available for any length of time, and if you have static content that it can crawl, there's a good chance you'll want to contact Archive.org for exclusion.
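Before filing any of the requests above, it is worth checking that the page is actually set up to fall out of the index, because the three signals the engines rely on interact: a robots.txt Disallow stops the crawler from fetching the page, a noindex meta tag only works if the page can be fetched, and a 404 only helps if the crawler is allowed to observe it. The script below is an added example, not part of the original post and not any search engine's tool. The robots.txt text, HTML and status codes it checks are constructed samples for a hypothetical example.com; nothing is fetched from the network.

```python
"""Check whether a URL is actually set up to drop out of search results.

Added example; not part of the original post and not any search engine's
tool. Evaluates the three removal signals: robots.txt Disallow, a
<meta name="robots" content="noindex"> tag, and the HTTP status code.
All inputs are constructed samples; nothing is fetched from the network.
"""
from html.parser import HTMLParser
from urllib.robotparser import RobotFileParser

# Constructed sample robots.txt for a hypothetical example.com.
SAMPLE_ROBOTS = """User-agent: *
Disallow: /old-report/
Disallow: /private/
"""


def robots_allows(robots_txt, url, agent="*"):
    """True if robots.txt lets `agent` fetch `url` (stdlib robots parser)."""
    rp = RobotFileParser()
    rp.parse(robots_txt.splitlines())
    return rp.can_fetch(agent, url)


class _MetaRobots(HTMLParser):
    """Collect the directives from every <meta name="robots"> tag."""

    def __init__(self):
        super().__init__()
        self.directives = []

    def handle_starttag(self, tag, attrs):
        if tag != "meta":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("name", "").lower() == "robots":
            self.directives += [d.strip().lower() for d in a.get("content", "").split(",")]


def has_noindex(html):
    """True if the page carries a robots noindex directive."""
    p = _MetaRobots()
    p.feed(html)
    return "noindex" in p.directives


def removal_status(url, status_code, html, robots_txt=SAMPLE_ROBOTS):
    """Return (verdict, explanation) for one URL given its current response."""
    crawlable = robots_allows(robots_txt, url)
    if status_code in (404, 410):
        if crawlable:
            return "gone", "returns %d; the crawler will drop it on its next visit" % status_code
        return "gone-but-blocked", ("returns %d but robots.txt blocks the fetch, so the crawler "
                                    "never sees that; use the removal tool or lift the Disallow"
                                    % status_code)
    if has_noindex(html):
        if crawlable:
            return "noindex", "noindex will be honoured on the next crawl"
        return "conflict", ("noindex cannot be read because robots.txt blocks the fetch; "
                            "remove the Disallow for this path or use the removal tool")
    if not crawlable:
        return "blocked-only", ("crawling is blocked, but an already-indexed URL can linger "
                                "as a bare listing; use the removal tool")
    return "indexed", "nothing prevents indexing; add noindex, block it, or remove the page"


if __name__ == "__main__":
    # Constructed page with a noindex tag, attribute order deliberately reversed.
    page = '<html><head><meta content="NOINDEX, nofollow" name="ROBOTS"></head></html>'
    for url, code, body in [
        ("http://example.com/old-report/q3.html", 200, page),
        ("http://example.com/pricing.html", 200, page),
        ("http://example.com/private/report.html", 410, ""),
        ("http://example.com/retired.html", 404, ""),
    ]:
        print(url, "->", removal_status(url, code, body))
```

The "conflict" verdict is the one people trip over most often: blocking a path in robots.txt and adding noindex to the same page cancels the noindex, since the crawler is told not to fetch the page that carries the tag.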

Friday, October 23, 2009

President Obama on Cybersecurity Month

President Obama's short video on cybersecurity month is available. This is the first time I've heard the President outline our frequent security advice - verify identities before giving out information, update your software, beware of suspicious emails. You can watch for yourself below: