dynamite

When doing threat and risk assessments it never hurts to have tools and resources to help you get through. Here is one put out by the RCMP and the Communications Security Establishment (CSE): the “Harmonized Threat and Risk Assessment (TRA) Methodology”.

From Royal Canadian Mounted Police site:

This initial version of the Harmonized TRA Methodology should be regarded as an interim release pending completion of the policy suite renewal project by the Treasury Board Secretariat. Of necessity, it will require updating once the Government Security Policy and supporting standards have been revised and replaced. That being said, the actual mechanics of the methodology are likely to remain the same, only references to the superior policies, directives and standards are expected to change significantly.

There are a number of tools in the appendices that could be useful. Give it a whirl.

Article Link

blackberry security

So, if the US president isn’t allowed to have a BlackBerry for security reasons, should the rest of us be using them? What’s the rationale behind the refusal?

From ComputerWorld:

The press has been all over President-elect Barack Obama’s addiction to his BlackBerry and the possibility that he might have to give up the device for reasons of national security. But no one in the media seems to be asking the most logical follow-up question: Is the technology that can compromise the future chief executive’s BlackBerry also a threat to mobile devices being used every day by thousands of senior executives in corporate America?

One security expert, Ron Cochoran, president of RER Technology, answers that question quite succinctly: “If the president can’t use it for security reasons, then there’s obviously something wrong with the security system.”

Quite the sweeping statement.

But what if it were true? That would raise the question, “what, exactly, is wrong with BlackBerry security?” Or is this all fluff?

OK, so further to this story, my confusion stems from the fact that the British military rolled out BlackBerry devices last year, yet the French government banned them for officials a few months earlier. There is a complete lack of consistency on this subject, and most of it, like the situation in India, seems to be based on paranoia.

Is this merely posturing?

The Communications Security Establishment (CSE) in Canada had, at one point in 2006, approved a “secure BlackBerry” implementation. Strangely, that document (Google cache) now appears to have been removed from the CSE website, along with the list (Google cache) of other products they were evaluating.

Article Link

OPEN UP, WE HAVE A WARRANT! But, we’re not sure where the laptop that has it is at the moment. You haven’t happened to see some laptops around here, have you? Say, 418 of them or so? Oh, and do you happen to know where some of our firearms are as well? We’re kinda missing 76 guns.

WTF?

From CNN:

Of the 76 missing weapons, 35 were stolen from agents’ homes, hotel rooms or vehicles, the report said. Some of the others were left in public places or lost in shipping — or their losses were still unexplained.

Two of the stolen guns were used to commit crimes, the report said. One was used to shoot through the window of a residence, and the other was recovered from suspects arrested on burglary charges.

The inspector general determined that 53 percent of the weapon losses were the result of employees’ carelessness or failure to follow ATF policies.

Of the 418 laptops, 50 were reported stolen.

The report said that in most cases, it was not clear whether the missing laptops contained sensitive or classified information. Seven did; 13 did not.

It’s even more disturbing that, for most of the laptops that aren’t accounted for, nobody knows what was on them. Of the 418, 50 were reported stolen, leaving 368 laptops in the wind, laptops that may or may not have sensitive data on them. Apparently none of them used encryption. The first person who tries the spin “but, they had passwords” will get such a smack: a login password protects nothing once the drive is pulled and read on another machine.

Wow.

So, bearing that in mind: if we can help build a better asset management policy/system for the ATF, can we get one of those neat hats?

Nah, screw that. We’ll take cash.

:)


There are some claims that should never be made. Larry Ellison made a “hacker proof” claim a while back and we know how that played out.

This time we find that South Korea’s Defense Ministry has made similar claims about its own “cyber” network (deduct 10 points).

From The Korea Times:

A Defense Ministry spokesman assured Tuesday that the department’s cyber-security system is “hacker-proof,” adding that its intra-net computer data network is detached from the external Internet.

The ministry’s announcement was designed to address new security concerns in wake of the arrest of a North Korean defector who was allegedly working for North Korean intelligence.

Local media have reported that Won Jung-hwa, 34, had allegedly collected e-mail addresses of a number of South Korean military officials. The reports said these e-mail addresses may have been used by hackers to break into the Defense Ministry’s computer network. In fact, the Korean military officials issued a security warning to its personnel last month when some staff began receiving e-mails with attachments containing hacking programs.

As long as there are humans in the mix there will always be a way to compromise the system. An intranet “detached from the external Internet” says nothing about the e-mail attachments the ministry itself had to warn its staff about a month earlier.
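As an added example (my own code, not anything from the Korea Times article or the ministry’s systems), here is a small attachment-triage routine in Python. The attachments the ministry warned about are the usual way into a “detached” network, and a gateway that trusts the filename or the declared MIME type misses an executable renamed to look like a document, so this one judges each attachment by its leading bytes. The sample message and its attachments are constructed inline; the “executable” is a few stub header bytes, not a working program.

```python
"""Triage e-mail attachments by content, not by name or declared type.

Added example for this post; the message below is constructed here.
"""
import email
from email import policy
from email.message import EmailMessage

# Magic numbers for content that should never arrive disguised as a document.
EXECUTABLE_MAGIC = {
    b"MZ": "pe",          # Windows PE (.exe, .dll, .scr, ...)
    b"\x7fELF": "elf",    # Linux/Unix ELF
    b"#!": "script",      # shebang script
}

# Extensions that warrant a hold regardless of what the bytes say.
RISKY_EXTENSIONS = {"exe", "scr", "dll", "bat", "cmd", "js", "vbs", "hta", "pif", "com"}

# Declared types that claim "this is a document"; mismatched bytes are suspicious.
DOCUMENT_TYPES = ("application/pdf", "application/msword", "text/")


def classify_bytes(data: bytes) -> str:
    """Return a coarse type from the leading bytes ('pe', 'elf', 'script' or 'other')."""
    for magic, kind in EXECUTABLE_MAGIC.items():
        if data.startswith(magic):
            return kind
    return "other"


def triage_attachment(filename: str, declared_type: str, data: bytes) -> list:
    """Return the reasons an attachment should be held; an empty list means clean."""
    reasons = []
    kind = classify_bytes(data)
    exts = filename.lower().split(".")[1:]  # everything after the first dot

    if kind != "other":
        reasons.append(f"executable content ({kind}) in {filename!r}")
    if exts and exts[-1] in RISKY_EXTENSIONS:
        reasons.append(f"risky extension .{exts[-1]}")
    # "report.pdf.exe": a document extension hiding in front of the real one.
    if len(exts) >= 2 and exts[-1] in RISKY_EXTENSIONS:
        reasons.append("double extension")
    # The sender says document, the bytes say otherwise.
    if declared_type.startswith(DOCUMENT_TYPES) and kind != "other":
        reasons.append(f"content-type {declared_type} does not match {kind} bytes")
    return reasons


def triage_message(raw: bytes) -> dict:
    """Map each attachment filename to its hold reasons for a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    results = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        results[name] = triage_attachment(name, part.get_content_type(), part.get_payload(decode=True))
    return results


def build_sample_message() -> bytes:
    """Constructed sample: one benign text attachment, one PE stub disguised as a PDF."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "officer@example.invalid"
    msg["Subject"] = "Meeting notes"
    msg.set_content("Please see the attached.")
    msg.add_attachment("Agenda for Tuesday\n", filename="agenda.txt")
    # Stub PE header only (not a runnable binary), labelled as a PDF, double extension.
    fake_pe = b"MZ\x90\x00" + b"\x00" * 60
    msg.add_attachment(fake_pe, maintype="application", subtype="pdf", filename="report.pdf.exe")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reasons in triage_message(build_sample_message()).items():
        print(name, "->", reasons or "clean")
```

The point of checking bytes first is that the filename and the Content-Type header are both chosen by the sender; only the payload is not. Office formats that are really ZIP containers are deliberately not handled here, since they need a different (and noisier) inspection path.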

Article Link

Well, this is an odd story. Sadly, it is far from uncommon for secret, or apparently not so secret, docs to be found by passersby. Back in April ‘06 Hydro Quebec security plans and passwords were found on a subway platform. To say nothing of the foreign affairs minister who left classified docs at his ex-girlfriend’s apartment.

This time it was a document that detailed how Environment Canada computers could be pwned.

From Canadian Press:

Environment Minister John Baird has asked officials to look into how a government document – detailing how Environment Canada computers could be hacked – wound up on a street corner in Ottawa.

However, Baird said the document contained no top secret or classified information.

“It’s certainly bizarre,” he said. “I’m told two things: that it’s neither classified nor secret and that it’s stuff that could be available under access to information.”

Still, Baird said his department takes document security seriously and he’s asked officials to find out how this 131-page document came to be found by a passer-by on a street in a rain-stained, tire-marked, brown envelope.

So, want to pwn government computers? File an access to information request.

Sigh.

Article Link

Here is an interesting piece that I read on InfoWorld this morning.

From InfoWorld:

Well, some friends and I got curious one day and decided to look into the folder where the software was, and voila – we found the Public folder. It didn’t contain much, but we located a simple .txt file that contained an alphabetical list of names and Social Security numbers. We decided to take this file, so we could have some fun with some of our more paranoid friends by walking up and greeting them as “Number ….”

Word quickly got out. Rumors spread that we had obtained a bar-code scanner and had used it to scan student IDs when the students weren’t looking. Some even suggested we hacked the server. Eventually, school administrators found out who had copies of the file and started to threaten expulsion.

Be sure to head over and read the whole piece. It’s an interesting article.

Article Link

OK, I’ll take this copy of the Washington Post, a bottle of milk, a box of nails and a bag of skittles. Oh, and a PCI package.

The hosting provider, Rackspace, has come out with a PCI solution package called the PCI Toolbox.

From Internet News:

The bundle, known as the PCI Toolbox, consists of standard components such as anti-virus protection, customer network scanning services, firewall services, intrusion detection systems, and log and patch management services.

It also includes Rackspace’s support team of experienced security professionals, who will modify the Toolbox offerings in line with changing PCI requirements.

“In many cases, customers are left to fend for themselves; we’re putting the pieces together into our compliance framework,”

One stop shopping.


Article Link

This seems to be a well-intentioned but misguided attempt by the Office of Management and Budget. They are attempting to establish minimum requirements for professional certification for IT workers.

Hmm.

From GCN:

“This is a change we have not faced in the IT security industry before,” he added.

The closest parallel has been in the Defense Department, which anticipated OMB’s reaction in this area. DOD’s Directive 8570 on information assurance, approved in December 2005, requires all of the department’s information assurance workers to obtain an accredited commercial certification in computer security. DOD has approved 13 certifications for the directive.

The DOD requirement already has thrown what one conference attendee called a giant monkey wrench into the IT security manpower market.

“If OMB issues a similar requirement, it’s going to throw the supply and demand curve even more out of balance,” he said.

Datesman agreed, saying it probably would take years for the supply of certified workers to catch up with demand. A CISSP certification requires five years’ experience. “You don’t mint them out of college,” he said.

OK, this is where this trolley leaves the track. I have met CISSP-certified folks who, I’d wager, would be lucky to fight their way out of a wet paper bag. “Don’t mint them out of college” is a phrase I’d argue with. I would offer that ISC2 should start auditing its certified members; the validity of the CISSP cert is becoming diluted in the eyes of the market.

A picture is worth a thousand words.

Myrcurial at Defcon

It’s great for the mandatory HR tick box, but how many of these folks actually have the ability? Sure, they can memorize some flash cards and pass a test, but are they effective? Some, not so much.

On the face of it this is a good idea.

Like all good intentions, they make great paving stones on the road to hell.

Article Link

I wonder, is this battle heating up again? Would you allow an iPhone into your corporate environment?

If yes, how come? If not, why?

From Network World:

It’s still not good enough. That’s the reaction of IT analysts and security outfits to Apple’s new iPhone 3G. Sure, the iPhone 2.0 software will support Microsoft Exchange and Cisco VPNs. But is it safe enough for enterprise use — as safe as, say, PCs? Gartner says not quite. The security guys say be afraid. It’s just not good enough yet.

And it never will be. Oops, that wasn’t supposed to slip out.

But hasn’t that historically been IT’s official position? We’re the Department of No. Whatever it is, we’re against it.

Cell phones? Wi-Fi? BlackBerries? Web sites? LANs? Laptops? Spreadsheets? PCs? Departmental minis? Not one of those technologies was secure enough, reliable enough and enterprise-ready enough when business users first insisted on sneaking them in under the IT (or MIS or DP) department’s radar.

Of course, users had to sneak that stuff in. They knew what the answer would be if they asked us: No. Not ready. Not good enough. Not yet.

No? Never heard that one before? Ha!

As a security guy, I’m a little more open-minded on the introduction of the iPhone. Now the ballpoint pen, mind you, that is somewhat suspect in my book.

Article Link

Former DOJ staffer Mischel Kwon to head up the US-CERT.

From Network World:

The U.S. Department of Homeland Security has chosen a new head of its U.S. Computer Emergency Readiness Team (US-CERT).

Mischel Kwon, will start as director of US-CERT on June 24, a DHS spokeswoman said Thursday. She is presently acting deputy director of IT security and the chief IT security technologist at the U.S. Department of Justice. She is also an adjunct professor at The George Washington University, where she runs the school’s Cyber Defense Lab.

She replaces Cheri McGuire, who left in March, and will report to Cornelius Tate, director of the DHS’s National Cyber Security Division.

Deducting 10 points for excessive use of the word “cyber”.

Article Link