Saturday, September 14, 2019

People Believe Fakes Because They Want To

Christye Sisson, an associate professor of photographic sciences at the Rochester Institute of Technology. is a government-funded university researcher in the field of fake videos. She noticed that people believe even very obviously fake videos. Since her job is crafting as realistic as possible fakes, this observation surprised her. That got her thinking. She surmised that folks buy into even very obvious fakes when those fake videos reinforce existing beliefs. This is an example of a  long-recognized phenomenon know as confirmation bias.

This also demonstrates why cyber security folks trying to tackle the Fake News world absolutely must include human factors team members with expertise in psychology, cognition, learning, and the use of propaganda. Tech knowledge alone can definitely screw up the world, but that knowledge, alone, can rarely fix it.

Read her Fast Company article:
I create fake videos. Here’s why people believe even the obvious ones
People will accept anything as true if it confirms their beliefs—regardless of whether a video or image has obviously been manipulated.

(c) 2019 D. Cragin Shelton

Saturday, July 27, 2019

Is CISSP Worth It?

A professional colleague recently asked for comments on a Peerlyst posting of the same title at

Here are my thoughts:

First, I believe the CISSP is a worthwhile certification, and am glad I completed mine back in 2002. That said, I blame both (ISC)2 and a subset of CISSPs for grossly overstating what the certification indicates. When both the organization and some CISSPs represent it as meaning that the holder is an expert on all aspects of information security they do us all a disservice. The results of that deception are that employers  have made CISSP a filter for hiring in totally inappropriate situations, and individual CISSPs have taken on on jobs they were not really qualified for, such that their poor performance damaged the reputation of all CISSPs and the certification itself.

The CISSP certification process does not ensure a CISSP is truly expert in anything. The experience requirement should (but may not actually) show that the holder is knowledgeable and capable at above journeyman level in at least two of the domains. The exam ensures that the holder is sufficiently aware of the breadth and content of the domains that make up the multi-discipline information security environment. For years I have told aspirants that the exam should allow any CISSP to approach a professional engagement and determine which domains will be involved, and determine which specialties should take part. Yes, the CISSP is a management certification, not a performance certification. (In my opinion, SANS GIAC certifications are the "gold standard" of performance certifications in our field.) A CISSP should be able to identify for each engagement the need to either BE SMART, GET SMART, or HIRE SMART in order to complete all the tasks. needed for the engagement; know what experts you need, and already be, become, or hire the right experts. 

Between 2000 and 2002 when I was studying for the exam, a CISSP colleague told me that CISSPS at Black Hat / DEFCON would hide the fact that they held the certification; if they were outed, they would apologize for having it and explain it was a job requirement. That situation changed after first U.S. Defense, and then other major institutions formalized the requirement to hold relevant jobs.

On the subject of management versus performance certifications, note that ISACA's CISM is a direct competitor to the CISSP as a management certification. The CISM was designed for managers overseeing work by CISA auditors. In fact, when ISACA first introduced the CISM, any current CISSP could grandfather (no exam) into a CISM by paying a fee and presenting a resume showing relevant infosec management experience. Also, (ISC)2 created the Associate of (ISC)2 status as a means of diverting young infosec workers into the (ISC)2 pipeline in lieu of the ISACA pipeline. 

Finally, I disagree with a statement that the certification is akin to  a college degree.  Completed degrees have no indication of continuous updating of knowledge and skills. The CPE requirement of CISSP, CISM, SSCP, CISA, all in accord with ISO 17024, is the linchpin to making any of these certifications an ongoing indication of currency in the field.

(c) 2019 D. Cragin Shelton

Tuesday, May 21, 2019

DHS Security Tip 19-001, Best Practices for Securing Election Systems

On May 21, 2019, The Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) Hunt and Incident Response Team (HIRT) published their idea of Best Practices for Securing Election Systems, with high-level tips covering the following topic areas:

  • Software and Patch Management
  • Log Management
  • Network Segmentation
  • Block Suspicious Activity
  • Credential Management
  • Establish a Baseline for Host and Network Activity
  • Organization-Wide IT Guidance and Policies
  • Notice and Consent Banners for Computer Systems
  • Additional Resources

MY GAWD, what a waste of government resources. That Security Tip is nothing more than a generic set of best practices for managing security of any computer network infrastructure.

The complete election system has a number of separate subsystems, some of which can be supported with computer and network systems. A true "election system security guide' would name each of these component process systems and have specific information (no just compete) security advice for each. The basic component processes of any election system are the following:

  1. Voter registration process system.
  2. Voter registry record set
  3. Ballot creation system
  4. Ballot distribution system
  5. Voter validity check upon distribution of ballots or appearance at polling place
  6. Ballot marking process
  7. Ballot marking recording process (at local polling place or central location after ballot transportation)
  8. Ballot tabulation process
  9. Ballot tabulation reporting process
  10. Ballot tabulation accumulation.

Each of these process needs a system of action, with security processes embedded, preferably using at least the full Parkerian Hexad as the framework for each set of security guides.

Now, anyone want to build out this described "election system security tip?"

(c) 2019 D. Cragin Shelton

Saturday, May 18, 2019

System Security Categorization Under the Risk Management Framework

A new member of the cybersecurity community asked a professional forum the following:
Does anyone have any good experiences to share where you were successful at breaking down the Categorization step of the [NIST SP] 800-37 RMF [Risk Management Framework]  (step 1)? Or any advice on ways of explaining it in layman's terms?

A team I was on worked this very problem just over a year ago at a U.S. government department. Our team concluded that doing categorization "right" requires a multi-discipline team, and commitment from organization leadership that will ensure the needed people actually take part in the process.

Although aimed at government systems, I believe our lessons learned can be applied in other enterprises.

We used a core team of internal experts and external consultants (I was one  of the consultants) to set up the process, then members of that core team led selected stakeholders for each system under review to carry out the categorization process.

First, you need to use not only SP 800-37, but also SP 800-60, Vols 1 & 2, Guide for Mapping Types of Information and Information Systems to Security Categories. In 800-60 you find usable definitions with amplifying discussions of each of the impact levels (Low, Moderate, High), that the stakeholder team will apply.  SP 800-60 also provides an extensive set of information types to consider as you analyze each system.

Next, for each system under review, you need to identify the relevant stakeholders, and get both them and their bosses to commit to taking part in the process. That commitment must include taking part in at least two, possibly three, live meetings to walk through the actual categorization process. The stakeholders group should include at a minimum, the system owner (responsible for maintaining and funding the system), data owners (those with authority to define the data types), representative system users, and, if possible 2nd tier users, that is users of linked systems that pull data from or send data to the system under review.

We learned from a pilot study that the stakeholder team will need Just-In-Time training on the reasons and requirements for the RMF process (keep it short and focus on mandated approvals and funding impacts), the nature of the Confidentiality-Integrity-Availability (C-I-A) triad, and the meaning of each of the three impact levels (L/M/H). We developed worksheets, shared with the stakeholder team in advance, to walk through the process.  We also learned that asking the stakeholders to independently complete the worksheet forms was not effective; we needed the real time live interaction of the stakeholders with the meeting moderators from the core team to really get the questions answered.

The master worksheet listed the complete set of information types from SP 800-60. Prior to tackling a specific system, the core team worked with an expert on the system to identify only the ones in that list likely to be in the system, but we left the full list visible. At the first meeting with the complete stakeholder team we reviewed the need for categorization, the nature of C-I-A, and the specific definitions for each of the three impact levels. We also described the two-dimensional use of the High Water Mark principal, in that it is used first within each security goal  and only at the end might it be rolled up into a single value for the system.

We then walked the stakeholder team through the information types, having them confirm whether each likely type was present in the system, then applying the impact levels for each security goal to that information type. We intentionally did NOT ask them what the impact level as at this point. Doing so is guaranteed to give you "gut-feel" impact levels instead of defensible values based on the definitions.

Instead, the prompting questions were as follows:

Confidentiality: What would be the result if someone not authorized to see this data got to the information?
Integrity: What would be the result if authorized users got this data from the system but the data was not accurate?
Availability: What would be the result if authorized system users could not get to the information when they needed it?

Only after obtaining the potential results statements did we match those statements against the three impact level definitions and descriptions. We completed the results to impact level step immediately after the team confirmed the results statements in each case.

As we completed the table we recorded both the results summary and impact level justification based on the definitions for C, I, and A, on each data type. This gave us a fully auditable record of exactly how the system category was obtained. To save time, we implemented part of the high water mark principal in that once a security goal was shown with impact High, we no longer asked about that goal in the later data types. For completeness, it would be nice to have all three done for every data type, but your stakeholder team has been puled away from their primary jobs for this effort, and you want to get them back to their main jobs as quickly as possible..

The meetings do not have to be face-to-face, but must be real time together, not asynchronous.  We repeatedly saw stakeholders bring up new, relevant information as they heard others in the meeting describe the results of loss of C, I, or A.  Simple voice-only teleconference can work, but much better is to have shared screen view, with one of the moderators acting as scribe, marking up the worksheet for all to view. This includes recording the results statements and the impact justification statements as the work proceeds.

Finally, we resisted allowing the final High Water Mark step of rolling the three goals into a single system impact level. That is because in later stages of the RMF process, understanding how much protection is needed for confidentiality, integrity, and availability is necessary will drive the selection of controls to do so. This can be a big impact on overall costs of implementing the controls.

Biggest concern: buy-in by both the stakeholders and their bosses is absolutely essential. Otherwise, they will not take the time to go through this process, and will instead try to pencil whip the answers.
Secondary is that some system owners will try to push a HIGH impact level just to support how "important" their jobs are, but in the process cause significant unneeded expense in implementing overly restrictive security controls.

(c) 2019 D. Cragin Shelton

Wednesday, January 30, 2019

Facebook on Privacy Rights: You Have None!

Apple removed that FB app from the App Store. FB responded by secretly releasing a "research app" through cut-out companies (to mask FB involvement) of a VPN app that secretly reported all user activity. TechCrunch found out and reported on this 'research' VPN app; having been caught AGAIN, FB is removing the iOS version of their secret surveillance VPN from distribution. However, FB is leaving this Big Brother VPN in the Android environment.

Read the TechCrunch article Facebook pays Teens to install app that spies on them for the details.

The comparative attitudes toward users' (customers'?) privacy among Apple, Google, and Facebook is why I dropped FB many years ago, and am currently moving as much of my online activity as possible from Google to Apple.

So, why are YOU still using Facebook?

Yes, I do recognize the irony of posting this article on Blogger.

(c) 2019 D. Cragin Shelton