Like the majority of cyber security professionals in the world, I can't help but reflect on the recent major breach of US government personnel files from the Office of Personnel Management.
While the government has made strides towards unifying the security postures across agencies, with efforts like the DHS Trusted Internet Connection initiative as well as advanced technical solutions like the EINSTEIN 3 intrusion detection system, I feel that a more fundamental form of remediation is necessary.
Security can be compromised by ambiguities and shortcomings in the guiding standards. A recent GAO finding pertinent to reports of FISMA compliance associated with use of the previous version of SP 800-53 indicated disconnects between FISMA compliance reports and agencies' actual security posture (M.E. Kabay, 2009, "NIST 800-53 is essential in federal government IT systems"). I'm here to say that this ambiguity still persists in SP 800-53, Revision 4.
We (our government's infosec leaders) need to rework information security strategy from the ground up by creating a clear standard which allows our numerous agencies to elevate their security postures, rather than creatively wordsmithing their existing procedures around unclear security controls. Although not perfect, commercial standards such as the Payment Card Industry Data Security Standard (PCI-DSS version 3.1) have addressed this issue well. The end result of a PCI assessment generally leaves the subject knowing 3 things: we have this control in place, or we do not have this control in place, and finally, we'll have to implement X to become compliant.
Of course there are always multiple technical shortcomings that factor into breaches of this magnitude; however, ultimate remediation starts from the bottom of the stack. The integration of commercial products and personnel, in the form of government contractors, has long been a strategy embraced by the federal government. This approach has not been applied in the development of 800-53, or at least not done well. Not to totally discredit the standard: it was definitely a forerunner of the majority of regulatory compliance standards, and implemented correctly it addresses the vast majority of all security risks. However, I do feel that in this case less may be more. Collectively, the NIST standard comprises over 950 individual controls, turning something that actually isn't rocket science into an exercise I'd rather build a rocket than perform.
Removing some of the complexity and red tape which is not aligned to true risk will allow agencies and commercial organizations alike to concentrate on the basic shortcomings that cyber criminals target and successfully compromise again, and again....