For the third year in a row, the government’s overall FISMA grade improved. But don’t get too excited; the grade only improved from a C- to a C this year. (And D+ in 2005).

But there’s a lot to hide in an “average grade”. Turns out that the reality is a split between overachievers and underachievers.

The agencies/departments with a grade of A-, A or A+:

• Department of Justice
• US AID
• EPA
• NSF
• SSA
• HUD
• OPM (I would hope so)

And, sadly the ones that got an F:

• Department of the Interior
• Department of Treasury
• Nuclear Regulatory Commission
• Department of Veterans Affairs
• Department of Agriculture

FISMA (Federal Information Security Management Act) became a federal law back in 2002 as part of the E-Government Act. Six years later, there has been improvement, but there’s still clearly a long way to go.

So what’s the disconnect? Speaking from a vendor perspective, we’ve had first-hand experience with the lack of actionable, concrete guidelines around FISMA – for processes, monitoring and check-list assessment items. We even contacted NIST directly to get more guidance on how their very broad guidelines should be translated to actual features and reporting in something like our monitoring solution. The end goal, after all, is to help our government customers not only meet the FISMA requirements but also to be seen/assessed as meeting those requirements. As we do for other compliance/governance requirements like Sarbanes-Oxley, the more that EM7 can automate and report on, the better.

But that leads to the second issue here. How accurate is the FISMA scorecard? SC Magazine writes, “Many have seen organizations get an A when they believe they should have received an F, and vice versa” and some experts “blame this on the lack of a standardized evaluation, as well as censorship among auditors.” There’s talk about language ambiguities and opinions that the scorecard is not “one size fits all” – that small agencies face different IT security challenges than the big guys.

So what’s right about FISMA? We can point to a heightened awareness about the importance of security and the “security picture” in each federal agency. Certainly, from our own survey at FOSE, we saw the difference just from last year to this one:

• 91% surveyed said FISMA was important (up from 66% last year)
• Over 50% had solutions installed to help with FISMA (up from only 14% last year)

Based on these numbers, we’re not surprised to see the FISMA average grade go up, but we expected it to be even higher. So what will it take to get the government on the honor roll? From Rep. Tom Davis, “We need to seriously consider incentives for agency success and funding penalties and personnel reforms for agencies that don’t measure up…We need a bill with teeth, and we need agencies to understand the goal is to keep information safe, not to check a statutory box.”

ShareThis

People ask why do you blog?  In the final analysis I blog because I like to. Every once in a while though you get a comment from a reader that reminds you why it is all worth while.  Here is one I received today from a person alleging to be a Julie Peterson:

Julie Peterson commented on Safe Access wins SC Magazine Award Reader Trust Award, again!:

Dressed in a tuxedo and chewing those rubber chicken breasts at the award ceremony is your idea of fun? Aren't you the same mentally retarded idiot who said in 2007 that you hated SC awards and that anyone can buy the SC awards with a sponsorship? Why do you think people give over $10k as sponsorship for the SC awards? Who is watching the awards except other vendors? By the way you suck big time with your rubbish blogs. Didn't networld magazine give you the boot within 3 months? Think before you write Mr. mental. Well done on winning, but please, dont give the impression that you cant buy an award from SC! And don't forget to eat your medication pills tonight, otherwise from your hair it is obvious you ran away from a mental hospital.

First of all Julie, let me thank you for your kind words! You made the statement and let me answer your questions for you.

1. Is dressing in a tuxedo and chewing rubber chicken breasts my idea of fun?  Actually, I do enjoy dressing up in a tuxedo once in a while.  The food at the awards ceremony was actually pretty good, if not diet friendly, as were the cocktails.  The entertainment at the awards show was pretty good as well. Catching up with friends you had not seen for a while and networking with industry peers was pretty worthwhile too.  Maybe your idea of a good time is putting on a bowling shirt and swilling a couple of beers and pretzels before going home and undressing into your dirty ripped underwear. Hey I say to each his own.

2. I am not the idiot who in 2007 said that I hated the SC awards and that anyone can buy the SC awards with a sponsorship.  I am the idiot who said that about the InfoSec Products Guide award by the folks at Silicon Valley Communications.  In contrast I have always said nice things about the SC awards. I actually have a lot of respect for them.  Also for the record, StillSecure has never been a sponsor of the SC Magazine awards. I have seen sponsors who did not win awards as well.  So looks like you got that one wrong Julie, but it happens.

3. ???Networld??? magazine didn???t give me the boot within 3 months.  They never had the chance, as I never wrote for ???networld, network world or any other magazine. Maybe you have me confused with Mike Rothman or Mitchell Ashley, who do and did write for Network World. But let me assure you that I do try and think before I write.

4. Regarding what medication pills I take and does my hair make it obvious I ran away from a mental hospital. I don???t take any medication, maybe I should.  Better living through chemistry you know ;-)  As to my hair, what can I say.  At this stage I am happy I have any hair at all.  My wife always says when I get my haircut it looks like a Buzz Lightyear style, but no one ever mentioned a mental hospital look to it.  In any event sorry it doesn???t appeal to you.

So who is this troll Julie Peterson?  Could it be Richard Stiennon in drag?  Maybe his wife striking out?  Maybe another one of my fans?  Who knows, but these sort of comments keep me juiced about blogging and remind me of how much fun I have doing it.  Thanks again Julie!

People ask why do you blog?  In the final analysis I blog because I like to. Every once in a while though you get a comment from a reader that reminds you why it is all worth while.  Here is one I received today from a person alleging to be a Julie Peterson:

Julie Peterson commented on Safe Access wins SC Magazine Award Reader Trust Award, again!:

Dressed in a tuxedo and chewing those rubber chicken breasts at the award ceremony is your idea of fun? Aren't you the same mentally retarded idiot who said in 2007 that you hated SC awards and that anyone can buy the SC awards with a sponsorship? Why do you think people give over $10k as sponsorship for the SC awards? Who is watching the awards except other vendors? By the way you suck big time with your rubbish blogs. Didn't networld magazine give you the boot within 3 months? Think before you write Mr. mental. Well done on winning, but please, dont give the impression that you cant buy an award from SC! And don't forget to eat your medication pills tonight, otherwise from your hair it is obvious you ran away from a mental hospital.

First of all Julie, let me thank you for your kind words! You made the statement and let me answer your questions for you.

1. Is dressing in a tuxedo and chewing rubber chicken breasts my idea of fun?  Actually, I do enjoy dressing up in a tuxedo once in a while.  The food at the awards ceremony was actually pretty good, if not diet friendly, as were the cocktails.  The entertainment at the awards show was pretty good as well. Catching up with friends you had not seen for a while and networking with industry peers was pretty worthwhile too.  Maybe your idea of a good time is putting on a bowling shirt and swilling a couple of beers and pretzels before going home and undressing into your dirty ripped underwear. Hey I say to each his own.

2. I am not the idiot who in 2007 said that I hated the SC awards and that anyone can buy the SC awards with a sponsorship.  I am the idiot who said that about the InfoSec Products Guide award by the folks at Silicon Valley Communications.  In contrast I have always said nice things about the SC awards. I actually have a lot of respect for them.  Also for the record, StillSecure has never been a sponsor of the SC Magazine awards. I have seen sponsors who did not win awards as well.  So looks like you got that one wrong Julie, but it happens.

3. “Networld” magazine didn’t give me the boot within 3 months.  They never had the chance, as I never wrote for “networld, network world or any other magazine. Maybe you have me confused with Mike Rothman or Mitchell Ashley, who do and did write for Network World. But let me assure you that I do try and think before I write.

4. Regarding what medication pills I take and does my hair make it obvious I ran away from a mental hospital. I don’t take any medication, maybe I should.  Better living through chemistry you know ;-)  As to my hair, what can I say.  At this stage I am happy I have any hair at all.  My wife always says when I get my haircut it looks like a Buzz Lightyear style, but no one ever mentioned a mental hospital look to it.  In any event sorry it doesn’t appeal to you.

So who is this troll Julie Peterson?  Could it be Richard Stiennon in drag?  Maybe his wife striking out?  Maybe another one of my fans?  Who knows, but these sort of comments keep me juiced about blogging and remind me of how much fun I have doing it.  Thanks again Julie!

Because of non-disclosure and other confidentiality contracts with various partners, vendors and manufacturers, we’ve had sealed lips for almost exactly 12 months. Now that it’s been made public by the media, I can share a little information with you and explain why I think you should be excited.

What cat is out of the bag now? HP ProCurve’s network access control solution leverages endpoint management technology from StillSecure’s Secure Access solution. Information Week spilled the beans, so to speak, in Mike Fratto’s recent 2008 NAC Survey Analytic Report. (See page 32)

Now, at this point, I can probably lump you into one of three groups… 1) You don’t care or have no clue what this means 2) You care but think this means HP ‘has no NAC’… or group 3) You know about StillSecure’s success and ProCurve’s integration and think this is a great combination.

I’m sure everyone will have their own opinion- I happen to be in Group 3. Why? Because HP has taken the power of their servers, leveraged a very solid endpoint management tool and incorporated a variety of other management and security features by way of their identity management solution.

• The endpoint security. StillSecure’s Safe Access solution has been winning awards and earning stars for years. You can probably Google it, or check out some of Shimel’s blog  posts, such as this one, with 4- and 5-star reviews from SC Magazine. In fact, just this year (and in previous years) Safe Access was voted Best Endpoint Security Solution by SC Magazine and has won numerous other awards and accolades from various analysts and media firms. They have a clean, user-friendly GUI, a solid Linux platform and a variety of testing methods, deployment options and switch integrations. (And no, you don’t need ProCurve switches, the NAC integration is ready for your Cisco, Extreme, or whatever you have).

• User management. Combine one of the highest-rated endpoint security solutions with ProCurve switches, the #2 leader in the switching market (and Magic Quadrant resident) and the full integration with ProCurve’s Identity Driven Manager platform and you have one amazingly capable access control system. With ProCurve IDM, you can integrate directly with their NAC 800 appliance to offer per-user (or per-group) ACLs, QoS, restrictions or priviliges. Rules can be identity-based, time-based, location-based, or a combination of all. And, IDM eases 802.1X integration by offering users a central management and repository for user settings and VLAN assignments; it really is ProCurve’s special sauce and a distinguishing feature.

• Switch security. The integration of advanced switch security functions, such as DHCP snooping, Dynamic ARP protection and dynamic IP lockdown gives ProCurve another leg-up to fight common known attacks for both in-line and out-of-band NAC deployments.

• Zero-day protection. It gets better, the new Dynamic Configuration Arbiter (DCA) functions in ProCurve’s Pro-vision switches gives customers the unique advantage of integrating the NAC and IDM with ProCurve’s Network Immunity Solution (NIM). NIM uses flow analysis from sFlow and network behaviour anomaly detection (NBAD) to detect and automatically remediate on the edge. In English, that means we can use ProCurve’s NIM to detect attacks and take action at the edge port, such as blocking the port, locking out the MAC address of the offender, rate-limiting, or even mirroring the traffic to an IDS for further inspection. The super-nice part is, all the sFlow and NBAD works on wireless too. (Hey Stiennon, did you hear that?)

• Full integration. Unlike some of the other network-based NAC vendors, ProCurve has done an exceptional job of integrating these features and we’ll continue to see more integration in future revisions of the softwares and as more TNC/TCG integration frameworks are released (such as IF-MAP).

I think the strong integration with the infrastructure and the ability to leverage a mature endpoint integrity will make HP a ‘real’ player in the NAC market moving forward.

Not to knock other NAC solutions- Choosing a NAC is like selecting the perfect wine for your dish- there’s no 1 ‘right’ choice for all occasions. Each have their advantages and disadvantages. There are several that have special sauces and you’ll actually be seeing more on that soon…

# # #

After my “used car salesman of NAC” series I was going to give Ray and the gang a break.  But the depths they sink to just never cease to amaze me! Today I received a Google alert on NAC with a link to a press release announcing the NAC used car sales guys continuing to deliver best in class security management solutions, yada, yada, yada.  The basis for this claim was that “SC Magazine awarded ForeScout’s CounterACT a four-out-of-five star rating, lauding the product’s ability to “function like a firewall, an IPS and a NAC device all rolled into one”.  They wrapped some customer quote (that had nothing to do with the SC magazine story) and voila!, can they put you in this car today?

So why do I call this out? No, no sour grapes here.  Actually StillSecure Safe Access received the same 4 out of 5 stars and when we dig into the rating here are some interesting facts:

In actuality, our friends the used car salesmen only received a 2 star rating in ease of use, a 2 star rating in documentation and a 3 star rating in support.  In contrast StillSecure Safe Access received 5 stars across the board, except for a 4 star grade in documentation.  How both products finish up with a 4 star rating overall based upon this is frankly baffling to me. I think it has more to do with the reviewer not wanting to spank any of the products too badly.  I have already asked for a clarification and will let you know what I find out.  But being a slick marketing machine, I thought it the height of chutzpah that they would put out a release around this, considering the best buy and editors choice were two different products.  But I guess that is why they did not have a quote or a link to the actual review.  The review starts out with this memorable quote, “The ForeScout CounterACT was the device which took the most time to install and configure.”  Later on the reviewers had this to say, “The second part of the configuration was far more difficult. The initial screens for the GUI made us feel lost and we immediately began looking for the documentation CD.”  Now does that sound like a review to be touting?  Only those master car salesman would seek to put out a press release trumpeting the results of this review.  They are counting by wrapping enough other quotes (and frankly who knows about those) around it, no one will bother to dig into the facts here. Hey, thats what you guys pay me for, telling it like it is!

After my ???used car salesman of NAC??? series I was going to give Ray and the gang a break.  But the depths they sink to just never cease to amaze me! Today I received a Google alert on NAC with a link to a press release announcing the NAC used car sales guys continuing to deliver best in class security management solutions, yada, yada, yada.  The basis for this claim was that ???SC Magazine awarded ForeScout???s CounterACT a four-out-of-five star rating, lauding the product???s ability to ???function like a firewall, an IPS and a NAC device all rolled into one???.  They wrapped some customer quote (that had nothing to do with the SC magazine story) and voila!, can they put you in this car today?

So why do I call this out? No, no sour grapes here.  Actually StillSecure Safe Access received the same 4 out of 5 stars and when we dig into the rating here are some interesting facts:

In actuality, our friends the used car salesmen only received a 2 star rating in ease of use, a 2 star rating in documentation and a 3 star rating in support.  In contrast StillSecure Safe Access received 5 stars across the board, except for a 4 star grade in documentation.  How both products finish up with a 4 star rating overall based upon this is frankly baffling to me. I think it has more to do with the reviewer not wanting to spank any of the products too badly.  I have already asked for a clarification and will let you know what I find out.  But being a slick marketing machine, I thought it the height of chutzpah that they would put out a release around this, considering the best buy and editors choice were two different products.  But I guess that is why they did not have a quote or a link to the actual review.  The review starts out with this memorable quote, ???The ForeScout CounterACT was the device which took the most time to install and configure.???  Later on the reviewers had this to say, ???The second part of the configuration was far more difficult. The initial screens for the GUI made us feel lost and we immediately began looking for the documentation CD.???  Now does that sound like a review to be touting?  Only those master car salesman would seek to put out a press release trumpeting the results of this review.  They are counting by wrapping enough other quotes (and frankly who knows about those) around it, no one will bother to dig into the facts here. Hey, thats what you guys pay me for, telling it like it is!

Finally the iPhone is coming to Canada! Yes, I know I could have a cracked one. I’m just glad to see it officially released here. A question that remains. What kind of data rates are Ted Rogers and company going to charge?

Click here to subscribe to Liquidmatrix Security Digest!. Welcome to all of our new subscribers yesterday! Thanks for joining!

And now, the news…

1. Bug exposed in web security standard | vnunet
2. How safe is instant messaging? A security and privacy survey | CNET
3. Bush widens immigration checks | LA Times
4. Apple QuickTime Multiple Vulnerabilities | Secunia
5. FBI Charges Blind Phone Phreak With Intimidating a Verizon Security Official | Wired
6. Exploiting VoIP vulnerabilities to steal confidential data | SC Magazine
7. Security holes in Linux kernel closed | Heise
8. Overview of the Windows Server 2008 Firewall with Advanced Security Part 2: Inbound and Outbound Firewall Rules | Windows Security
9. VA promotes teamwork on cybersecurity (-10 points) | FCW
10. Another bug your tools won’t find and your WAF won’t prevent | ZDNet

Tags: News, Daily Links, Security Blog, Information Security, Security News