Uncommon Criteria

I am often asked to explain the Common Criteria certification process. If you dig below the surface a bit you will find that Common Criteria certification is very Un-Common. The name originated in the multilateral agreement that established the process in 2000: Arrangement on the Recognition of Common Criteria Certificates in the field of Information Technology Security. The certification is called ‘Common’ criteria because the ‘Arrangement’ was initially agreed to, in common, by the nations of Australia, Canada, Finland, France, Germany, Greece, Italy, The Netherlands, New Zealand, Norway, Spain, the United Kingdom, and the United States of America. It just so happens that these countries often cooperate on global security issues, more so than, for example, with China or the Russian Federation. The value of the certification is the assurance to manufacturers that the product certificate will be accepted by signatories to the Arrangement. In many cases a project engineer or architect may look first to the list of certified products rather than marketing collaterals when designing a secure system. So, if vendors expect to sell into a secure environment, the applicability of Common Criteria certification should be a consideration early in the product roadmap.

Tips on FIPS

If you have come across a requirement for product compliance with FIPS 140-2, Security Requirements for Cryptographic Modules, you may have wondered about FIPS and its applicability to information technology products. FIPS is the acronym for Federal Information Processing Standards. FIPS was established in the 1960s to provide uniform guidelines or specifications for processes, data interchange, and functionality within the Federal government’s early information technology departments. Currently FIPS are maintained by the National Institute of Standards and Technology (NIST). In general, FIPS are developed and issued when there are no industry standards available for citation in requirements and/or procurement documents.

Security Back to Basics - Part 3a (Managing the Threat)

In previous blogs we talked about needing to educate the end users and knowing the details of what activity is occurring on your enterprise’s systems. In part 3, we’re going to talk about managing the threats that occur with a layered approach. Good security doesn’t stop at the endpoint with just an antivirus client, and it doesn’t stop with just a perimeter firewall. It starts with good knowledge of your environment and grows out to each layer (Network, Endpoints, Client Hardware, Storage, etc.); we’ll talk about each one in the next paragraphs.

Security: Back to basics (Part 2 – Knowing what you don’t know)

In Part 1 we investigated effective end-user education by making users take part in exercises to ensure that they are aware of risks out in the wild that exploit the well-meaning insider. In Part 2, we’ll educate the IT department by learning what’s happening on their network. The best way to do this is with an appliance like the Symantec Security Information Manager (SSIM). SSIM works by collecting logs from a multitude of sources, whether they be network devices like firewalls and routers, or application log files like IIS or Symantec Endpoint Protection, and correlating events to determine if any malicious activities are occurring across multiple layers. This level of visibility into the enterprise is critical to maintaining your level of situational awareness.

FISMA Insecurity – Part II

I attended an all-boys high school. At 16, we had no idea how to talk to women. It seems OMB is tongue-tied too when it comes to FISMA reform, CyberScope, and chatting up CIOs and CISOs. As the deadline for all agencies to use CyberScope for FISMA reporting looms – November 15, 2010 – it looks like OMB is in serious danger of going to the prom alone. A new MeriTalk study – FISMA's Facelift – reports that as of July 2010, 85 percent of Federal IT security leaders have yet to go on a first date with CyberScope. If beauty is only skin deep, let’s dig beneath the surface. Of the 85 percent “CyberScope virgins,” 72 percent don’t understand CyberScope’s mission and goals – and 90 percent don’t know how to get lucky – they’re unclear on the submission requirements. 55 percent question CyberScope’s economic benefits – asserting it will increase cost. Most damaging, Feds don’t see the value of courting. 55 percent don’t believe CyberScope will improve security oversight and 69 percent are unsure if the new approach will improve Uncle Sam’s cyber security.

FISMA Insecurity Part 1

"Why are agencies forced to pay twice to C&A systems?" said the exasperated and cash-strapped Federal IT exec. "If agency A wants to use a system from agency B - a system that has already been C&A'd - then agency A needs to pay for a completely new C&A. If we're spending more than 20 percent of our cyber security budget on C&A - and the average C&A costs $167,643 - shouldn't we look for efficiencies?" An observation over lunch was quickly validated by other Feds - IT execs battling with the double-headed budget and security dragon. Curious stuff. The FISMA C&A reciprocity riddle set me on a fool's errand to put a dollar figure on the cost of C&A redundancy. That said, it opened a new window on OMB's lack of transparency - quite astonishing in this era of open government.

Security: Back to basics (Part 1 – The Human Touch)

Taking a look at the latest quarterly update on security from Symantec, there are still some basic steps that system administrators can take to protect their network and endpoints. These are the low-hanging fruit that can help prevent attacks and compromise of confidential data. Education is still one of the top three returns on investment on the security side. An educated end-user will not click on links in emails that aren’t from trusted parties, will not open password-protected zip files and run their contents, and will question suspicious emails with the help desk. An educated management team understands that Security is not just a line item that can be eliminated or reduced. As threats become more sophisticated at penetrating networks and endpoints, increasingly more sophisticated tools are needed to prevent, find, and remove these threats.

San Francisco Lockout – Found Guilty: the city or the admin?

After years of public acrimony and a 6 month trial, San Francisco IT administrator Terry Childs has been found guilty of hijacking the city’s computer system. Cyber-Ark has always maintained that this was more than simply a case about a rogue employee, but in fact an example of an organizational failure in managing and effectively taking ownership of privileged accounts and identities. At the end of the

The Darwinian Challenge of Cybersecurity

The adaptive nature of threats to information security has proven to be one of the greatest challenges to personal, business, and government adoption of computing in general, and communication of digital information over the public Internet, in particular. Today we are not only concerned with theft of private or sensitive information created and stored on ubiquitous personal computing and communications devices, we also have to be concerned with the security of our information while it is in transit and when it is in storage at its destination.