MEMORANDUM FOR THE HEADS OF DEPARTMENTS AND AGENCIES

MEMORANDUM FOR THE HEADS OF DEPARTMENTS AND AGENCIES
FROM: Clay Johnson III
Deputy Director for Management
SUBJECT: Protection of Sensitive Agency Information
In an effort to properly safeguard our information assets while using information technology, it is essential for all departments and agencies to know their baseline of activities.
The National Institute of Standards and Technology (NIST) provided a checklist for protection of remote information. (See attachment) The intent of implementing the checklist is to compensate for the lack of physical security controls when information is removed from, or accessed from outside the agency location. In addition to using the NIST checklist, I am recommending all departments and agencies take the following actions:
1. Encrypt all data on mobile computers/devices which carry agency data unless the data is determined to be non-sensitive, in writing, by your Deputy Secretary or an individual he/she may designate in writing;
2. Allow remote access only with two-factor authentication where one of the factors is provided by a device separate from the computer gaining access;
3. Use a “time-out” function for remote access and mobile devices requiring user re-authentication after 30 minutes inactivity; and
4. Log all computer-readable data extracts from databases holding sensitive information and verify each extract including sensitive data has been erased within 90 days or its use is still required.

Most departments and agencies have these measures already in place. We intend to work with the Inspectors General community to review these items as well as the checklist to ensure we are properly safeguarding the information the American taxpayer has entrusted to us. Please ensure these safeguards have been reviewed and are in place within the next 45 days.
Attachment

The Office of Management and Budget Memo

I can help audit and control access by user and machine (two factors) in 30 days. Want help? Email me identitystuff @ gmail.com

The U.S. government has 45 days to upgrade its security standards for protecting the data it holds on millions of U.S. citizens.

The Office of Management and Budget (OMB), which operates under the White House, sent a "Memorandum for the Heads of Departments and Agencies" on June 23 requesting the implementation of new security standards and practices concerning data.

The request comes in the wake of several embarrassing government security breaches due to losses of laptops holding sensitive information. Many of the incidents resulted in an accidental release of Social Security numbers and dates of birth--two key pieces of data used in identity theft.

Identity deals that would make sense

So I got to thinking about some deals that I would find interesting:

Sun:

Break the company up into 3 units - hardware, software, and services each with their own P&L, operating separately under the Sun brand. Then they buy PWC, scoop up some other software companies in security/identity, and break hardware out.

IBM/SAP:

IBM buys SAP, ports stuff to DB2, SAP picks up an identity play so now you have a super platform company with a strong authoratative source offering with Identity and other apps on top, running on IBM hardware.

SAP/Novell:

SAP gets some solid extensions of directory and IdM and if you threw RSA into that mix, you would have a killer secure offering, arguably one of the best.

Oracle:

Integrates what it has and maybe picks up HP so they have a hardware platform to play with.

Novell to buy RSA

Now that's a deal!

Directory, authentication, IdM, integrated. AWESOME!

RSA & EMC Acquisition?

I don't get it...

What value does tokens add to EMC's suite. Sun should pick up RSA not EMC.

Am I missing something? What am I missing

June 29, 2006, 12:50 pm
RSA Security (RSAS) Shares Soar On Report Company Will Be Bought
Posted by Eric Savitz
RSA Security (RSAS) shares are soaring today on a New York Times report that says a sale of the company is “near,” possibly to EMC (EMC).

Here’s an excerpt from the Times’ story:

RSA Security, a pioneering digital security company, quietly put itself up for sale several months ago and is now near a deal with EMC or at least one other bidder, people involved in the auction process said last night.

A deal, possibly worth more than $1.8 billion, could be reached in a few days, these people said. The company has a market value of $1.46 billion.

RSA’s board is expected to meet before the weekend to review final bids, these people said. They cautioned, however, that it remained possible that RSA could still decide against a sale.

It could not be learned last night who was competing against EMC, the data storage giant.

In response to the story, RSA this morning has issued a statement confirming that it is in talks about a “potential stratgic transaction”:

While it is our policy not to comment on rumors, this statement is made in response to a report appearing in today’s New York Times concerning the potential sale of the company. RSA Security is currently engaged in negotiations with parties regarding a potential strategic transaction. No definitive agreement has been reached. There can be no assurance that any agreement will be reached or that a transaction will be consummated. We do not plan to make future announcements with respect to this process unless and until our Board has approved a specific transaction and we have entered into a definitive agreement.

RSA shares, which were halted for the company’s announcement, are up $3.63 at $22.99. EMC, the fourth most active stock on the NYSE today, is off 21 cents at $11.04.

My Old Identity Management Implementation Playbook

email me to get a copy, or take a look at a preview here

I decided to give it away, and since it is free I won't be offering any free consulting or support around it, so you're on your own, but it's a decent map.

sending mail to identitystuff@gmail.com gets you a copy

NAC - The new Identity Management

I stumbled across Eric Norlin’s blog as I was surfing around the other day, and he had what I thought was an interesting observation – NAC (Network Access Control) is the new IdM (Identity Management). I couldn’t agree with him more.

When I first got into the Identity Management space, it was the wild west. Thor and Waveset were the early frontrunners (in my opinion) and both have since been acquired by Oracle and Sun respectively. Back then Identity Management meant a lot of things – password reset, self service, provisioning, de-provisioning, single sign on, meta directory, directory on steroids, yada, yada, yada. Then as things matured the companies starting exploring federation, security, and more yada yada yada.

I think that where we are today is more mature than 3-4 years ago (duh) and that there is some core functionality out there, with the approach of how users and user data are managed (authoritative sources, workflow, app interfaces/connectorsetc.) being the differentiators, along with the underlying technology of course (java, xml, other). There are now applications for virtually all of the components of the IdM problem – password resets, self service, provisioning, etc. Where I think IdM needs to get to is matching and managing USER data with CONNECTION data so you get users and machines identity correlated and accurate.

So let’s look at NAC. There are many vendors at the wild west stage with core functionality still being flushed out in my opinion. There are many things that NAC proposes to address – on-boarding machines, doing a machine health check, patch alert tool, anti virus checker, yada yada yada. This to me is akin to what authentication is - authentication. After a user is authenticated (or a machine), so what? You’re now in the building. It’s like dressing up as a fire fighter and walking into a building – once you’re in you can do whatever you want because you are considered to be a trusted/known user. Isn’t NAC the same thing?

You cannot truly control what that user machine does once you give it access to your network. Well actually you can, the solution I sell does it, but I don’t want to be too self promoting – I’d rather make a point here:

NAC is the new IdM and what we’re all striving for is to implement solutions that help us establish trust of users and devices and maintain and check that trust passively and actively all the time. We have some maturing to do, and I believe it is a matter of time before someone at the big guys (Cisco, Juniper, Crossbeam, Nortel, etc) get it and deliver integrated solutions at the network AND application layer that keep an eye on who we trust.

identitystuff @ gmail.com

P2P and Identity

Here is another amusing article that makes a few points for me (below):

1. Stupid always wins
2. Default settings should be avoided at all costs
3. I am glad I stopped using all the P2P appliacations years ago

There are some other interesting things that this brings to light -

a. Since a *true* identity is harder to come by, does that make identity management or identity proof more valuable?
b. With each identity theft publicized, will that make us more vigilant in protecting our identities?
c. Why does no one seem to understand that the only ways to prevent identity theft are to not publicize your identity, and control access to it? Navy? Hello?
d. Is identity management really something that is a second step to identity based access or proving identity in the first place?


June 23, eWeek - Cyber criminals use P2P tools for identity. Cyber criminals are multiplying quickly and becoming more sophisticated in the ways in which they take advantage of unwitting Internet individual users and companies, said Howard Schmidt, a co-architect of the national cyber-security policy presented to the president's Critical Infrastructure Protection Board in 2003. At an SD Forum seminar Thursday, June 22 Schmidt said Peer-to-peer
(P2P) networks such as Limewire, Kazaa, Grokster, and others aren't helping to quell the increase in crimes committed via the Internet. The Internet cultivates careless and ignorant use of P2P applications as a major part of the current identity theft problem. People who use P2P applications to download music, software, and photos may leave themselves wide open to identity theft by simply being unaware of their computer settings. "One woman's credit-card information was found in such disparate places as Troy, MI, Tobago, and Slovenia. Why? We found that the "shared" folder in her music-downloading application was in fact making readily available her entire "My Documents" folder to that app's entire P2P audience, 24 hours per day," Schmidt said. By typing in common search terms such as "bank May statement," or "stop payment" in Limewire's search function, personal information is often getting into the wrong hands, enabling cyber-looting.
Source: http://www.eweek.com/article2/0,1895,1980963,00.asp

Homeland Security through the eys of Network Security

I was just on a long drive (250 miles) down to CT/NYC for some meetings over the next two days and I heard on the radio that Al Qaeda may have been planning an attack on the NYC subway system for 2003. They were apparently going to open up a can of cynaide gas (different than whoop ass which is what we would have done) in the subway.

I began to think about all that DHS must deal with in terms of how a CISO, network security professional, and those of us who keep bad guys out of where they should be. It's a lot alike, with several key differences.

In the network security world, the CISO, CSOs etc. must plug EVERY hole/exploit/port while the bad guys only need one way in. Same with DHS - they need to be able to secure every way into the US (legit or otherwise) and know the threats and ultimately prevent them from happening. In the DHS world, this means physical ways in, virtual ways in, and corrupt social ways in to access data and people. Same with the CISO/CSO view of the world (ideally).

I think those of us who live and breathe in the networked world have it far easier than DHS, yet breaches and break in's still occur. Obvious holes are (usually) plugged and there are any number of IDS/IPS, Firewall, and security Systems out there and even identity management systems out there now too to help know and control access to what is ours.

Yet breaches still happen. Did you ever wonder how many breaches happen in either the carbon based world or network world that we DON'T hear about. Me too. All the time. The thing with the NSA collecting phone records has somehow morphed into 'they listen in on every call' which is bunk, and you know what - I want them to have the capability to stop the bad guys and prevent what could happen to me, just like I expect companies (public and private) to protect my data so that it doesn't get into the hands of a bad guy, and I willingly fill out forms all the time providing different companies data. Is that the big difference?

The other thought I had was about masquerading of identity. I could probably buy another passport online somewhere and then become someone else - creating a new identity. Those of is in the network/security world have directories - what does DHS have, or any U.S. Government organization for that matter? Sure they have directories but there is no SINGLE authoritative source and I personally believe that the smart cards are a trial for the highest risk poulation, and that this is phase 1 of a multi phase program to know about who is here and to build that authoritative source.

Will it work? I don't know. Probably not the first time around, but then again how many other projects run by government or large organizations in general run smoothly the first time?

Security is not an event or series of events - is a risk management and user management lifestyle. You either want to lead that lifestyle or not.

I do.

New email for the Identity Management Blog

IDENTITYSTUFF @ GMAIL.COM

'Please make a note if it'
(in canned directory assisance voice)

Identity and Trust - Part III

I know I am approaching a Star Wars esque naming convention for this series, however, without the proper amounts of caffiene my creative juices aren't pegging the red line...

Anywho, I saw a blog the other day talking about their belief that identity was the root of trust, and that Identity was really about Identity (I forgot where I saw it so email me and I'll link). Then I remembered an article I read in a local paper about a bank teller involved in identity theft.

The kicker in this article is that the bank teller used someone else's ID to get the job that put her in the position to be able to take a few bucks from the bank. In other words if Identity is the root of trust and we validate once, even in the real world, then we are setting ourselves up for something like this. Trusted relationships must be validated whether we think they ought to or not, and managing this trust that maps back to an identity is crucial so that we reduce the risk that the identity is in fact stolen/fake.

Even with all of the corporate screening and backgroung checks, etc. the identity was AN identity, not the right one and belonged to an untrusted source...

***
PORTSMOUTH - A woman arrested last week on allegations of being a bank teller-turned-robber, was arraigned and bailed under the false identity she purchased for $1,000, said police.

On May 30, police arrested Maria Garcia, 23, of 14 M St., Hampton, on five counts of theft by unauthorized taking and four counts of forgery. A former teller for the Pease branch of Banknorth, Garcia is alleged to have stolen $7,250 from the bank’s customers and automatic teller machine.

But police have since learned Maria Garcia is actually Heliana Medina.

Brought to Portsmouth District Court from the Rockingham County House of Corrections Monday, Medina was arraigned on a new count of felony identity fraud. Police allege she confessed to purchasing a birth certificate and Social Security card - both in the name of Maria Garcia - from someone in Lawrence, Mass., for $1,000.

Homeland Security 0, Stupid 1

I got an email last night that I found funny. Not ha ha funny, but scary funny. Having met with Lee Holcomb a couple of months back and having to go through the security check in procedure (I thought it was twice as rigorous as airports) I would have thought that the folks working the security desk would have caught this. This was like the classic Columbia House 12 8 tracks for a penny trick where you filled out bogus information to get free music (real world/old school Kazaa? Kazaa's grandfather?). As I sit at Logan airport waiting to board my flight I wonder if the stopping short of a cavity search security folks here shouldn't get a promotion with a full relocation package...


Homeland Security accepts fake ID
By Stephen Dinan
THE WASHINGTON TIMES
June 12, 2006


The Department of Homeland Security allowed a man to enter its headquarters last week using a fake Matricula Consular card as identification, despite federal rules that say the Mexican-issued card is not valid ID at government buildings.
Bruce DeCell, a retired New York City police officer, used his phony card -- which lists his place of birth as "Tijuana, B.C." and his address as "123 Fraud Blvd." on an incorrectly spelled "Staton Island, N.Y." -- to enter the building Wednesday for a meeting with DHS officials.
Mr. DeCell said he has had the card for four years and has used it again and again to board airliners and enter government buildings, without being turned down once. But he said he was surprised that DHS, the agency in charge of determining secure IDs, accepted it.
"Obviously, it's not working," Mr. DeCell said.
The Mexican government has issued millions of Matricula Consular cards in the past few years, mostly to give illegal aliens a form of identification that banks and other institutions will accept.
The FBI, in testimony to Congress, has said that the cards are not secure. The General Services Administration ruled in 2003 that the Matricula Consular is not valid ID for entering a federal building.
In addition to being a forgery obtained for him from a street vendor in California, Mr. DeCell's card was modeled on an older version, which the Mexican government publicly acknowledges is not a secure document. The Mexican government says the old-style cards "are no longer valid."
Some members of Congress tried to crack down on use of the card, particularly as valid ID for opening a bank account, but the Bush administration opposed that effort.
Jarrod Agen, a spokesman for DHS, said the department shouldn't have allowed the ID to be used for entry to its headquarters.
"DHS is following up on these allegations and will take necessary actions to ensure there is not another occurrence of this type," he said.
Mr. DeCell had provided his name, birth date and Social Security number to be pre-cleared for entry to the building and had been vetted before, Mr. Agen said. The security guard accepted the ID to match Mr. DeCell's name to a name on her list of cleared visitors, he said.
The spokesman said Mr. DeCell's group went through metal detectors and other routine security screening and had an escort at all times while in the building.

Trust is the Root of...

I have been ruminating about trust quite a bit lately and especially the validation of trust giving rise to the concept of identity and ultimately identity management. Several questions keep running through my head:

Are we presupposed to be untrustworthy as humans, hence the need for Identity Management?
Is Identity Management really just a PC way to say 'Trust validation'?
Why is it different online vs. real world?
Is it really different?

Back in the day (15 years ago when I was first 'online' on a bbs and then Delphi) there was a lot of anonymity on the internet. I could in fact say I was anyone else and virtually be anyone else online. As more people started getting their 9600 baud, 14.4, and 28.8 modems upgraded from the 2600 speed, more people joined the club creating interesting usernames and ultimately personas. I can't help but wonder did these personas give us an outlet like a character in a play allowing us to explore alter egos and behave dishonestly without the thought of getting caught, whether you were hacking into Citibank to trade Russian pistols, or pretending to be a 19 year old blond virgin for your buddies to talk about the next day?

Since there are now a buhjillion usernames out there, have we reached a point where we want to tell people that we need to know who you are and what you do to actually validate what we believe about someone?

This leads me to ponder the second question about the Political Correctness factor in all of this. Why is it so easy for companies to say 'we spy on you and gather more information about you and in essence know more about you than your enire family and rolodex combined', yet people freak out when they hear the NSA is looking at phone records (not listening in on calls, which they probably do too) or there is some other perceived intrusion in our lives, and ultimately our identitities. This is technology people, if you can build it, you can break it. If I want to know something bad enough I will find out. I also think there is an element of control and a huge element in CYA (cover your ass) in the proliferation of the identity management space, especially de-provisioning, but that's a whole other topic for another time.

So why is the perception that online should be any different than real life? Don't you want to know who is at the other end of the phone? Don't you want to know that your fiancee is not someone else on the lamb or in a polygamous cult who wants to see how the other half lives? We all want to know, and control, and cover our asses, and there aren't shiny, slick applications in real life like there are online/on networks.

I guess it's not that different really. We want to know each other so we know where to place our trust. It seems to be in short supply these days...

Is this About Identity or Trust Part II

So in my previous entry I had been exploring whether all of this Identity Management stuff was about managing identity or constantly validating trusted relationships. One thing that popped into my head is that since both identity and trust are fluid things, if we look at where the market is today, then we can assess the future now and see how right we'll be... Let me explain...

First there were directories, this is where your identity starts/started. You had been verified/validated by HR so we know that legally you are who you say you are and now you have a record, off of which hangs a bunch of other data about you.

Next came authentication where we validated (or re validated) that you are still in fact here and now are making interest on your identity because you are validatable.

Now we're at the Identity Management/Access Management point where self service, password resets, single sign on (SSO), etc. are all the rage so that by application we can validate and re validate you and your priviledges and automatically grant you access to where you need to go.

If I look to the future then the validation and revalidation process will need to get automated to the fullest extent, which means that there will be an awful lot of data checking going on out there. And now we are back to the same old question - how valid or clean is the data. Garbage in/Garbage out.

This is why I think that trust is the root of off of this and I can't help but wonder - who will be the ultimate trusted authority, who will build the first meta directory for mankind, and who will manage all of these identities and insure that the integrity and the trust is maintained in the face of the anonymity that the internet gives us. Did you ever think that my name was Mary, and that I was 5'8' 125lbs, and looked smokin hot in any shade of red?

Rest easy - I'm no hottie. But I could play one on the internet. Tune in next time when I explore trust some more.

Mark

iPOD and USB Hacks - This sounds like fun. Scary fun

As seen over at Bruce Schneier's Blog...

Plug an iPod or USB stick into a PC running Windows and the device can literally take over the machine and search for confidential documents, copy them back to the iPod or USB's internal storage, and hide them as "deleted" files. Alternatively, the device can simply plant spyware, or even compromise the operating system. Two features that make this possible are the Windows AutoRun facility and the ability of peripherals to use something called direct memory access (DMA). The first attack vector you can and should plug; the second vector is the result of a design flaw that's likely to be with us for many years to come.


The article has the details, but basically you can configure a file on your USB device to automatically run when it's plugged into a computer. That file can, of course, do anything you want it to.



Recently I've been seeing more and more written about this attack. The Spring 2006 issue of 2600 Magazine, for example, contains a short article called "iPod Sneakiness" (unfortunately, not on line). The author suggests that you can innocently ask someone at an Internet cafe if you can plug your iPod into his computer to power it up -- and then steal his passwords and critical files.



And here's an article about someone who used this trick in a penetration test:



We figured we would try something different by baiting the same employees that were on high alert. We gathered all the worthless vendor giveaway thumb drives collected over the years and imprinted them with our own special piece of software. I had one of my guys write a Trojan that, when run, would collect passwords, logins and machine-specific information from the user's computer, and then email the findings back to us.


The next hurdle we had was getting the USB drives in the hands of the credit union's internal users. I made my way to the credit union at about 6 a.m. to make sure no employees saw us. I then proceeded to scatter the drives in the parking lot, smoking areas, and other areas employees frequented.



Once I seeded the USB drives, I decided to grab some coffee and watch the employees show up for work. Surveillance of the facility was worth the time involved. It was really amusing to watch the reaction of the employees who found a USB drive. You know they plugged them into their computers the minute they got to their desks.



I immediately called my guy that wrote the Trojan and asked if anything was received at his end. Slowly but surely info was being mailed back to him. I would have loved to be on the inside of the building watching as people started plugging the USB drives in, scouring through the planted image files, then unknowingly running our piece of software.




There is a defense. From the first article:



AutoRun is just a bad idea. People putting CD-ROMs or USB drives into their computers usually want to see what's on the media, not have programs automatically run. Fortunately you can turn AutoRun off. A simple manual approach is to hold down the "Shift" key when a disk or USB storage device is inserted into the computer. A better way is to disable the feature entirely by editing the Windows Registry. There are many instructions for doing this online (just search for "disable autorun") or you can download and use Microsoft's TweakUI program, which is part of the Windows XP PowerToys download. With Windows XP you can also disable AutoRun for CDs by right-clicking on the CD drive icon in the Windows explorer, choosing the AutoPlay tab, and then selecting "Take no action" for each kind of disk that's listed. Unfortunately, disabling AutoPlay for CDs won't always disable AutoPlay for USB devices, so the registry hack is the safest course of action.
In the 1990s, the Macintosh operating system had this feature, which was removed after a virus made use of it in 1998. Microsoft needs to remove this feature as well.




Remember STUPID ALWAYS WINS

Is all this really about Identity Management or Trust?

I got to thinking again about whether or not Identity Management isn’t mis-named. What I have come to believe having worked on implementations, secured networks, looked at NAC, FFIEC, SOX, HIPAA, and other compliance initiatives, what it comes down to is how do we know who to trust?

We have all of these semi-pc ways of trying to justify the intrusion into our personal lives and exploiting privacy loopholes, yet we still have to keep coming up with all of these applications/solutions/etc. to prove that we are trustworthy to our constituency – wives, kids, family, neighbors, employers, towns, counties, states, country, and ultimately ourselves. Since this is geared towards the business folks who are tasked with establishing trust I will stick to that for this entry.

Businesses, and by that I mean employers, are tasked with collecting and maintaining a lot of information about employees including prospective, current, and past. They are also in the position where this information ultimately HAS to establish trust at some acceptable level for us to be hired. In the IT world I will equate this to getting an account.

Once we are employed, and verified as a trusted employee, we are then monitored, validated, revalidated, challenged, and tested hundreds of times a day about who we are and are we trustworthy. Firewalls, logins, content blockers, badges, token fobs, biometrics, etc. are all part of this never ending process of maintaining trust. I would add for good reason in some cases (MCI, Enron, Tyco), but I think a lot of it is lawsuit-avoidance for the littler stuff.

So then isn’t the root of Identity Management really the ongoing validation of trust? Taking it a step further, isn’t it also about insuring we trust ourselves not to surf for porn, send blueprints for the new Jet fighter to China or ‘Uranium Enrichment for Dummies’ to Iran? Is Identity Management about externally imposing a sense of conscience to keep our own in check?

Adults do stupid things, like sell secrets to foreign governments, try to pick up teenagers in chat rooms, and a whole lot of other less interesting stupid stuff every day. Are we subconsciously trying to see where the shallow end of the gene pool is? Are we trying to control trust which would appear is a very fluid thing?

I’ll have to blog some more on this and see what comes of my rants…