60 days to offer a solution or have one inflicted upon us

U.S. Presidents have always wanted to fix things; that is why they become presidents. Our current President has stated he wants the Department of Defense and other agencies to submit recommendations for US Cyber Security in 60 days. They will. But you will not like their solution. Let’s do something about it.

Here is the original document. Notice it is NOT an executive order yet.  This is also not the first time a president has made this stand. But let’s take it seriously.

What is the problem?

Right now we drive the internet like a car without seat-belts. Unfortunately it’s not as simple as “Insert the metal fittings one into the other.” We can get close to lap-belts with the steps below. It will take at least 4 years to get real change. And then we can look at the 5-point harness of race cars.

The scope according to the document: assets, vulnerabilities,  adversaries,  and capabilities.

This is a good way to get answers, but those answers and questions will come from military thought leaders, not cyber security professionals. What is wrong with that? Replacing the concept of bullet with packet makes everything work, right? You and I know that the physical concepts do not equate to virtual concepts. Many have suggested blocking or breaking the internet [SOPA/PIPA]. Many have said a central authority should have control over encryption [CLIPPER CHIP]. Telling people to be aware works for 5 minutes… well maybe 6. As proof I offer ALL password audits.

Every time people use concepts from the physical world and they push on one side of the cyber balloon, it only bulges on the other side, pushing the problem away not solving it. We must think differently.

Think in terms of: What are achievable objectives? What will people and corporations understand and support? What will do the most good? What do we have to work with now? What will work without breaking most of the internet? Over the next four weeks I will discuss these questions, but let’s start with the last one first.

What will work without breaking most of the internet?

Standards & Protocols that we already have.

  1. DNSSEC = Integrity of resolution
  2. IPv6 = identification of origin and possible privacy
  3. Certificates = Non-repudiation of source for both people and devices

1. Say YES to fully implementing DNSSEC. If you do, a few things happen: (1) spam goes down dramatically; (2) impersonation is much more difficult; (3) we can depend on resolution response. DNSSEC resolution is quality resolution, but current DNS is very easy to attack and has a low quality of trust. Services offered by companies need to be trustworthy; we need to know they are who they say they are. DNS is not trustworthy; DNSSEC is.

The ultimate goal would be DNSSEC reverse resolution for every end point (when you make a query, we know who is asking the question). We need to say NO to DNS. We can do this technically: first implement DNSSEC for all resolution, then block all DNS. Impose filtering by all ISPs and corporate firewalls.
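A filter of the kind described above has to tell plain DNS answers apart from DNSSEC-signed and resolver-validated ones. The following Python sketch is an added example, not code from the original post; the function names and the sample messages are constructed for illustration.

```python
import struct

AD_FLAG = 0x0020     # "Authentic Data": the resolver claims it validated the answer
TYPE_RRSIG = 46      # DNSSEC signature record type

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length

def classify(msg):
    """Classify a raw DNS response: 'validated', 'signed-unvalidated' or 'unsigned'."""
    _id, flags, qd, an, _ns, _ar = struct.unpack_from("!6H", msg, 0)
    off = 12
    for _ in range(qd):                # skip the question section
        off = skip_name(msg, off) + 4  # QTYPE + QCLASS
    has_rrsig = False
    for _ in range(an):                # walk the answer section
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10 + rdlen
        has_rrsig |= (rtype == TYPE_RRSIG)
    # AD is only meaningful from a resolver you trust over a path you trust;
    # an RRSIG without AD means signatures were sent but nobody checked them.
    if flags & AD_FLAG:
        return "validated"
    return "signed-unvalidated" if has_rrsig else "unsigned"

def encode_name(name):
    return b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"

def build_response(name, flags, rrs):
    """Constructed sample data: a response carrying the given (type, rdata) answers."""
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    answers = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", t, 1, 300, len(rd)) + rd
                       for t, rd in rrs)
    return struct.pack("!6H", 0x1234, flags, 1, len(rrs), 0, 0) + question + answers

A_RECORD = (1, bytes([192, 0, 2, 10]))      # documentation-range address
SIG_RECORD = (TYPE_RRSIG, b"\x00" * 24)     # placeholder rdata, not a real signature
PLAIN = build_response("example.com", 0x8180, [A_RECORD])
SIGNED = build_response("example.com", 0x8180, [A_RECORD, SIG_RECORD])
VALIDATED = build_response("example.com", 0x8180 | AD_FLAG, [A_RECORD, SIG_RECORD])
```

Only the "validated" class reflects a resolver asserting that the signature chain checked out; the middle class is the one a DNSSEC-only policy has to decide how to handle.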

2. IPv6 only, no IPv4. What makes V6 better? Location, Location, our ability to pinpoint LOCATION. What makes V4 bad? Spoofing of location. If we only used V6 we could know where a computer, IOT, laptop, or mobile phone is located. If you know where it is, jurisdiction is established. Now we know where it is; we can hold someone accountable.

Sidebar: at this point, really technical people are screaming ‘you can still spoof, you can still move around’ – yes but… there is another…

Want to build a wall? You can with internet routing tables. We know that routers route around failure; that is what makes the internet so resilient. That needs to change just a little. I am not in favor of breaking the Internet, but a lot of other countries do it. We are not saying don’t route, just don’t route attacker’s crap/spoofed packets. Do a little inspection.

The rest of the world may not use V6 – fine. That means less trust; less trust means we should limit traffic and increase inspection. If other countries play the V6 game, the U.S. can offer “most favoured nation” routing status. If you break the rules, “Embargo on.”

Choices for those Sanctuary ISPs who want to facilitate illegal v4 packets? I don’t mind if you do not want to play the same game, but don’t make us pay for your poor protocol choices. Your poor choice means you shoulder the routing burden and get less trust.

Side benefit of IPv6: it has an optional header for IPSEC.  IPSEC is for encryption/privacy. One of the key components of IPSEC is the ability to authenticate endpoints and people via certificates. Which leads me to…

3. Smiles everyone smiles… I mean CERTIFICATES FOR EVERYONE AND EVERYTHING: You want to control the Mirai botnet? If everyone and everything was issued a certificate (X.509) you know the device  or the person and you can either block or fix.

If your DVR is a part of Mirai, the ISP can block the one device and not everything you own. If you cannot get your favorite show, you will individually scream at the vendor who sold it. This places the responsibility back on the vendor who sold the poorly-secured device.  Oh, the vendor doesn’t want to issue certificates? Fine – but then you have less trust, less bandwidth and the ISP is in control. If the ISP issued the crappy device,  then (via certificates) we can attribute bad behavior, see a pattern, and hold them responsible.

We can control who issues certificates or their certificate practices with a little oversight. If we cannot control the CA, then we can control what root certificates we trust. More importantly we can take that trust away when entities hit the naughty list.

Combine these three.

You have the start of a solution that places the burden on the vendors; they can then choose to push that cost on to an informed customer. If we use crappy devices with none of these  security  features, the receiving end has the choice to reject us. More next week…

Things will break along the way.

Yes this will break a lot of older applications and IOT. Breaking means fixing. This fixing will direct money to solving the cyber security problem in a very narrow focus.

The Federal government is good at imposing public safety measures like seat-belts. These are safety measures; they will reduce cyber-death but not eliminate it. People need choice (not to wear seat-belts), but the government should make sure seat-belts are there.

So if you do not want to use these cyber security tools, fine.  Ignore them at your own risk. For military, government, and large commercial entities, these 3 should be the cyber law.

Your turn.

This is an outline of a solution that I will expand upon with your help below. Now it is your turn to add to the solution. You have a few key technology tools to convert to regulatory tools that don’t break the internet. You have a few tools that allow for privacy. You have a few tools for guiding net neutrality with responsibility.  Now it is your responsibility to tell someone. Someone at the DOD, your legislator, your President.

More to come.

My next 4 weeks will be spent discussing:

  • What will most people understand and get behind?
  • What are achievable objectives?
  • What will do the most good?
  • What do we have to work with now?


Don’t understand what we are talking about? Come to class.

CISSP / CEH / Cloud Security and others. Ask for a free seat.

CISSP domains for 2015 crystalball

10 years ago when I first started teaching the CISSP, my first action was to go to ISC2 and download the common body of knowledge (CBK). I took the outline and detailed everything in it. Oh what a fool I was.

After becoming an official instructor, after authoring and project managing the official curriculum for two years, after going to item writing school at ISC2, and after talking to people on the “inside,” I realized all organizations are just as screwed up as everybody else out there. All the things that you think are wrong with your organization are also wrong with ISC2. My conclusion is/was: there is very little rhyme or reason how the common body of knowledge is related to the exam or the course. And in the recent past, the official curriculum course went way off the deep end.


Instead of whining and complaining about it: Figure out exactly how the system works and work around the system. Not to cheat the system but to ignore the flawed process that everybody else is using.


Once every few years, ISC2 rewrites and reorganizes the CBK and the course. You should see a big announcement early in 2015 from ISC2. The press release will be something like: Only get curriculum from us because everybody else in the market doesn’t have a clue as to what’s going on and we know when they don’t blah blah blah… Well, they did not count on us paying attention. We started working on our new course late summer 2014.


The new version of the common body of knowledge rearranges the names and the underlying materials. I see 8 domains, 50 major topics that are the same, and 14 new topics. The exam will take about 3-9 months to catch up to the CBK while questions are incorporated via the research method.


Here is the reason for writing my article. If you download the CBK from ISC2, you agree to use it for personal use only. Therefore I am publishing this outline here before it is on the ISC2 site. There is no secret here. I paid attention. I do have all the subtopics, but they are not listed here. If you want the full details, either wait for ISC2 in January 2015 or sign up for our VMLT iPad app (see below).

I GIVE YOU THESE 10 no 8 Domains

I gave the domains short three-letter acronyms because that is what every good technologist does. Here are the new domains mapped to the old domains. The mapping is not perfect and there are a great many details that make it wrong to say there is a one-to-one correspondence of old names to new names. I’m sure there are going to be slight adjustments to names and topics when they are released.

1. SRM – Security and Risk Management = InfoSEC governance risk; Compliance from law & some BCP

2. ATS – Asset Security = Partial Operations security

3. ENG – Security Engineering = Security architecture and design has a small part of Cryptography

4. CNS – Communication and Network Security = Telecommunications and network security

5. IAM – Identity and Access Management = Access control

6. ANT – Security Assessment and Testing = was part of law domain

7. OPS – Security Operations  = Physical security, Legal, regulations, investigations & disaster recovery

8. DEV – Software Development Security = Application security, but OWASP is in another domain

My only criticism of the new domain names: Do you think that we need the word “Security” in almost every domain name?


Past students: Have you been keeping up with your CPEs? Come to class, free!

New students: We have added the new topics to our course and changed the names to match. We are staying ahead. We are ready to help students kick some EXAM butt. We have already built our course for live on line. Registration starts now with the 2014 prices. January 17, 2015 is the class start date.

For those of you who do not want our full course: we make it a subscription on our Apple iPad app VMLT. The app will be $1 and require that you buy a subscription on our site to unlock most of the details and recordings. We will make it a free limited subscription to the first 100 people who download. The new material will be released slowly over the next 30 days.

Please don’t ask about Droid. The answer is NO unless you have $100,000 and 6 months.

Rename of newsletter & Operations Backup Class

Hi everyone!

It is another year and time to start thinking about your CPEs. So come to class tonight; see the link below.

We are going to talk about two things tonight in class.

1. Cloud backup solutions

Yes we are talking about Enterprise tools and  SoHo for the cloud. We talk about some new backup tools from the cloud. Oh and let’s talk about your old backup tools.

SpiderOak, Boxcryptor, and everything else under the sun… well um under the cloud.

2. Renaming of the newsletter

My web guy said, “Ah yeah, the name of your newsletter is catching in people’s mail filters.” So I guess my cool name and thought just is not cutting it for some of you.

Here are the domain names I own, so let’s start here:

  • LeastCrappyAnswer
  • CISSPTopics
  • DefenseAgainstTheDarkArts ( I was in a Harry Potter mood.)
  • WeekOfSecurity

So come to class and vote on the new name and get one more CPE. If you cannot make it, give me your vote via email.

Data Backup and Control
Jan 28th 2014 18:00 CST U.S.

When you click the link, type your name and email. Smile and have some fun.

…with Freedom, Responsibility, and Security for All.

Dean Bushmiller