Friday, September 14, 2007

SAMI

I have a requirement to say whether the application being accredited contains SAMI data. What the heck is that? I did a Google search and found it's an acronym for Sources and Methods Intelligence. That doesn't help me very much. However, if your app. processes SAMI data, you need to retain audit records for 5 years instead of 1. That must mean SAMI is important stuff. I'm still searching and it's taken the better part of half an hour so far.

I just found a definition inside the definitions section of a DoD manual:
Any classified non-SCI information that has been determined by the Data or Information Owner to need the protection afforded by DCID 6/5 and bears a SAMI marking.

Because the information my app. processes is not classified, I can safely say my app. does not process SAMI data. But what does SCI information mean? I'll find that next.

SCI: Sensitive Compartmented Information, Classified information concerning or derived from intelligence sources, methods, or analytical processes, that is required to be handled within formal access control systems established by the Director of Central Intelligence (DCI).

Of course, I'm inserting these definitions in my list of acronyms and glossary.

Friday, September 07, 2007

FISMA Security Controls

Our company is working on a strategy to offer our SSDLC (secure software development life cycle) and they're looking to me for help understanding when and how to include security controls in the process.

The only security controls I've worked with so far are DoD controls. Because we want this process to apply to non-DoD customers, I'm looking into other controls such as NIST. I just started reading publication 800-53, "Recommended Security Controls for Federal Information Systems".

I'm not sure if that's the right publication, but it will certainly lead me to the answer.

Wednesday, September 05, 2007

Definitions

I'm going to give a presentation today about C&A efforts to our company's sales staff. I thought I'd start with a description of what a C&A is.

These are my definitions based on other standard definitions like NIST and others. What do you think of them?

Definitions

Certification: A formal evaluation, in support of an accreditation, of a computer system's safeguards to determine whether it meets a specific set of security requirements.

Accreditation: A formal decision by an approving authority that a computer system is approved to operate at an acceptable level of risk based on a set of specific requirements.

C&A: A process that ensures a system meets a formal set of security requirements.

Friday, January 26, 2007

How to Install Anything on Ubuntu

I found a link to an article describing how to install anything on Ubuntu. It's the kind of article I always hope to find when I have a similar technical question. The writer was thinking of someone like me when they wrote it.

Monday, January 15, 2007

New Things to Learn

I need to figure out how to do the following things:

Install Adobe Flash Player for Firefox
Find out if I can receive my email from work
Can I run Windows Office in WINE on Ubuntu?

Those are the biggest items preventing me from using my Ubuntu install as my work-at-home computer.

Now, I need coffee.

Friday, January 05, 2007

67 Updates

I'm trying to setup a firewall. I found Firestarter is the one for Ubuntu, so I attempted to download it. This gave me an opportunity to work with Synaptic package manager. My experience so far with package managers (pm) is with SUSE.

While installing Firestarter, I discovered I had 67 updates that were waiting. I have those going right now. I believe keeping up with updates is crucial to secure computing. I'm going to stay on top of that issue.

What's the root Password?

I tried to su to root to change permissions on a file. When the system prompted me for a password, I realized I had never set one during installation. Did I miss something? Was I sleeping during the installation?

I looked through the Ubuntu forum, www.ubuntux.org and quickly found the following information. A new user asked the same question on the forum and of course, someone quickly pointed the guy in the right direction with a link, but they piled on the typical advice, "Too lazy to look around for yourself?" That's pretty typical with forums.

Anyway, default Ubuntu does not have a root password set.

"su" is not the command to get to root. Instead, I had to type:

sudo passwd

The system prompted me for my password, then it wanted a new password for root. I set one, a complex one and I was off to work again.
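The reason su fails on a fresh Ubuntu is that root's entry in /etc/shadow has a locked password field. As an added example (not from the original post), here is a small POSIX shell check that classifies a shadow entry as locked, empty, or set (and with which hash); the sample shadow data is constructed, and reading the real /etc/shadow requires root.

```shell
#!/bin/sh
# Classify the password field of one /etc/shadow line.
# Prints one of: locked, empty, set:<algorithm>, unknown
shadow_pw_state() {
  # $1 is a whole shadow line, e.g. "root:!:13500:0:99999:7:::"
  field=$(printf '%s\n' "$1" | cut -d: -f2)
  case "$field" in
    '')        echo empty ;;         # no password at all: worth fixing immediately
    '!'*|'*'*) echo locked ;;        # Ubuntu default for root: password logins disabled
    '$6$'*)    echo set:sha512 ;;
    '$5$'*)    echo set:sha256 ;;
    '$y$'*)    echo set:yescrypt ;;
    '$1$'*)    echo set:md5 ;;       # legacy hash, worth flagging in an audit
    *)         echo unknown ;;
  esac
}

# Look up one user in a shadow file ($2, default /etc/shadow) and classify it.
user_pw_state() {
  line=$(grep "^$1:" "${2:-/etc/shadow}" | head -n 1)
  [ -n "$line" ] || { echo missing; return 1; }
  shadow_pw_state "$line"
}

# Constructed sample shadow data for offline use (hashes are not real).
SAMPLE_SHADOW='root:!:13500:0:99999:7:::
daemon:*:13500:0:99999:7:::
alice:$6$saltsalt$abcdefghijklmnopqrstuvwxyz0123456789:13500:0:99999:7:::
bob::13500:0:99999:7:::'

# On a live system, as root: user_pw_state root   -> "locked" on stock Ubuntu
```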

Next, I need to install a firewall. I see that Firestarter is the one to use.

First Post about Ubuntu

I installed Ubuntu from a CD the other day after building my Frankenstein computer from three old machines. I had a few hardware troubles getting it together. I used an old hard drive with Windows XP installed to get the machine going. Then I overwrote it with Linspire. That didn't inspire me very much so I installed Ubuntu. That inspired me well enough.

I didn't connect it to the internet until today. I wanted to get it secured first. My next post will describe what I did to secure my Ubuntu installation.