Saturday, June 6, 2015

Post OPM Breach Rant


Like the majority of cyber security professionals in the world, I can't help but to reflect on the recent major beach of US government personnel files from the Office of Personnel Management.
While the government has made strides towards unifying the security postures across agencies, with efforts like the DHS Trusted Internet Connection initiative, as well as advanced technical solutions like the EINSTEIN 3 Intrusion Detection System; I feel that a more fundamental form a remediation is necessary.
Security can be compromised by ambiguities and shortcomings in the guiding standards. A recent GAO finding pertinent to reports of FISMA compliance associated with use of the previous version of SP 800-53 indicated disconnects between FISMA compliance reports and agencies' actual security posture (M.E Kabay 2009 – NIST 800-53 is essential in federal government IT systems). I'm here to say that his ambiguity still persists in SP800-53, Revision 4.
We (our government's Infosec leaders) need to rework information security strategy from the ground up, by creating a clear standard which allows our numerous agencies to elevate their security postures rather than creatively word-smithing their existing procedures around unclear security controls. Although not perfect, commercial standards such as the Payment Card Industry Standard (PCI-DSS version 3.1) have addressed this issue well. The end result of a PCI assessment generally leaves the subject knowing 3 things; We have this control in place, or We do not have this control in place, & finally we'll have to implement X to become compliant.
Of course there are always multiple technical shortcomings that factor into breaches of this magnitude, however ultimate remediation starts from the bottom of the stack. The integration of commercial products and personnel, in the form of government contractors, have long been a strategy embraced by the federal government. This approach has not been applied in the development of 800-53, or at least not done well. Not to totally discredit the standard, it was definitely a forerunner of the majority of regulatory compliance standards, and implemented correctly addresses the vast majority of all security risks. However, I do feel that in this case less may be more. Collectively the NIST standard is comprised of over 950 individual controls, turning something that actually isn't rocket science into an exercise which I'd rather just build a rocket instead of performing. 

Removing some of the complexity and red tape which is not aligned to true risk, will allow agencies, and commercial organizations alike to concentrate on the basic shortcomings that cyber criminals target and successfully compromise again, and again....