Thursday, February 10, 2011

Finding Processes

Use netstat -ano to find processes and their associated process IDs. Then use Windows Task Manager to relate the PID to a service name.
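As an added example (not part of the original post), the same PID-to-service join done offline in Python: it parses the text that netstat -ano and tasklist /svc print on Windows, where tasklist /svc lists the services hosted by each PID in a form that can be joined automatically. Both listings below are constructed samples, and the 'unknown' handling covers a PID that exited between the two snapshots.

```python
import re

# Constructed `netstat -ano` output (not captured from a real host); UDP rows have no State.
NETSTAT_SAMPLE = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.1.10:49712     203.0.113.5:443        ESTABLISHED     3120
  UDP    0.0.0.0:123            *:*                                    1104
"""

# Constructed `tasklist /svc` output: image name, PID and the services hosted by that PID.
TASKLIST_SAMPLE = """
Image Name                     PID Services
========================= ======== ====================================
System                           4 N/A
svchost.exe                    900 RpcEptMapper, RpcSs
svchost.exe                   1104 W32Time
firefox.exe                   3120 N/A
"""

def parse_netstat(text):
    """Return (proto, local, foreign, state, pid) tuples for each socket row."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue  # header, banner and blank lines
        state = parts[3] if len(parts) == 5 else ""  # UDP rows omit the State column
        rows.append((parts[0], parts[1], parts[2], state, int(parts[-1])))
    return rows

def parse_tasklist(text):
    """Return {pid: (image_name, [service, ...])}; header/separator rows never match."""
    procs = {}
    for m in re.finditer(r"^(\S+)\s+(\d+)\s+(.+?)\s*$", text, re.M):
        image, pid, services = m.group(1), int(m.group(2)), m.group(3)
        procs[pid] = (image, [] if services == "N/A" else services.split(", "))
    return procs

def sockets_by_process(netstat_text, tasklist_text):
    """Join both listings so every socket carries its owning image and services."""
    procs = parse_tasklist(tasklist_text)
    out = []
    for proto, local, foreign, state, pid in parse_netstat(netstat_text):
        image, services = procs.get(pid, ("unknown", []))  # PID gone between snapshots
        out.append({"proto": proto, "local": local, "state": state,
                    "pid": pid, "image": image, "services": services})
    return out
```

On a live host, replace the two samples with the captured output of the corresponding commands via subprocess.run(..., capture_output=True, text=True).stdout.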

Tuesday, March 11, 2008

Another Attempt at Defining Control

I looked for "control" in an online dictionary. Here are a couple of definitions that I like:

A restraining device, measure, or limit;

To verify or regulate

I like a combination of those applied to information systems, so here's my first attempt: Rules that measure, limit, or regulate activity or behavior within an information system environment.

The definition is not that important, because I can fall back on examples to help someone understand controls.

Feel free to shoot holes in my definition.

Definition of Security Control

I'm writing a piece to describe validating the DoDI 8500.2 security controls. The audience is project managers, lead developers, and clients -- anyone who isn't familiar with the effort, but needs to know so they can make a judgment about how much work is ahead of them.

While writing this piece, I decided to define the term security control. I'm finding it's more difficult than I thought.

I first tried to create my own definition. When I discovered that my definition stunk, I searched for others.

Here's one from 8500.2 itself -- the horse's mouth:

E2.1.26. IA Control. An objective IA condition of integrity, availability, or confidentiality achieved through the application of specific safeguards or through the regulation of specific activities that is expressed in a specified format (i.e., a control number, a control name, control text, and a control class). Specific management, personnel, operational, and technical controls are applied to each DoD information system to achieve an appropriate level of integrity, availability, and confidentiality in accordance with OMB Circular A-130 (reference (v)).

I mean no offense to the people who wrote that, but it's difficult to understand. It is a definition that's all-encompassing and yet leaves me with a confused feeling and is not much help pinning down the term. I'm looking for a short, pithy definition.

I'll keep trying and post what I find.

Friday, September 14, 2007

SAMI

I have a requirement to say whether the application being accredited contains SAMI data. What the heck is that? I did a Google search and found it's an acronym for Sources and Methods Intelligence. That doesn't help me very much. However, if your app. processes SAMI data, you need to retain audit records for 5 years instead of 1. That must mean SAMI is important stuff. I'm still searching and it's taken the better part of half an hour so far.

I just found a definition inside the definitions section of a DoD manual:
Any classified non-SCI information that has been determined by the Data or Information Owner to need the protection afforded by DCID 6/5 and bears a SAMI marking.

Because the information my app. processes is not classified, I can safely say my app. does not process SAMI data. But what does SCI information mean? I'll find that next.

SCI:
Sensitive Compartmented Information, Classified information concerning or derived from intelligence sources, methods, or analytical processes, that is required to be handled within formal access control systems established by the Director of Central Intelligence (DCI).

Of course, I'm inserting these definitions in my list of acronyms and glossary.

Friday, September 07, 2007

FISMA Security Controls

Our company is working on a strategy to offer our SSDLC (secure software development life cycle) and they're looking to me for help understanding when and how to include security controls in the process.

The only security controls I've worked with so far are DoD controls. Because we want this process to apply to non-DoD customers, I'm looking into other controls such as NIST. I just started reading publication 800-53, "Recommended Security Controls for Federal Information Systems"

I'm not sure if that's the right publication, but it will certainly lead me to the answer.

Wednesday, September 05, 2007

Definitions

I'm going to give a presentation today about C&A efforts to our company's sales staff. I thought I'd start with a description of what a C&A is.

These are my definitions based on other standard definitions like NIST and others. What do you think of them?

Definitions

Certification: A formal evaluation, in support of an accreditation, of a computer system's safeguards to determine whether it meets a specific set of security requirements.

Accreditation: A formal decision by an approving authority that a computer system is approved to operate at an acceptable level of risk based on a set of specific requirements.

C&A: A process that ensures a system meets a formal set of security requirements.

Friday, January 26, 2007

How to Install Anything on Ubuntu

I found a link to an article describing how to install anything on Ubuntu. It's the kind of article I always hope to find when I have a similar technical question. The writer was thinking of someone like me when they wrote it.

Monday, January 15, 2007

New Things to Learn

I need to figure out how to do the following things:

Install Adobe Flash Player for Firefox
Find out if I can receive my email from work
Can I run Windows Office in WINE on Ubuntu?

Those are the biggest items preventing me from using my Ubuntu install as my work-at-home computer.

Now, I need coffee.

Friday, January 05, 2007

67 Updates

I'm trying to set up a firewall. I found Firestarter is the one for Ubuntu, so I attempted to download it. This gave me an opportunity to work with Synaptic package manager. My experience so far with package managers (pm) is with SUSE.

While installing Firestarter, I discovered I had 67 updates that were waiting. I have those going right now. I believe keeping up with updates is crucial to secure computing. I'm going to stay on top of that issue.

What's the root Password?

I tried to su to root to change permissions on a file. When the system prompted me for a password, I realized I had never set one during installation. Did I miss something? Was I sleeping during the installation?

I looked through the Ubuntu forum, www.ubuntux.org and quickly found the following information. A new user asked the same question on the forum and of course, someone quickly pointed the guy in the right direction with a link, but they piled on the typical advice, "Too lazy to look around for yourself?" That's pretty typical with forums.

Anyway, default Ubuntu does not have a root password set.

"su" is not the command to get to root. Instead, I had to type:

sudo passwd

The system prompted me for my password, then it wanted a new password for root. I set one, a complex one and I was off to work again.

Next, I need to install a firewall. I see that Firestarter is the one to use.

First Post about Ubuntu

I installed Ubuntu from a CD the other day after building my Frankenstein computer from three old machines. I had a few hardware troubles getting it together. I used an old hard drive with Windows XP installed to get the machine going. Then I overwrote it with Linspire. That didn't inspire me very much so I installed Ubuntu. That inspired me well enough.

I didn't connect it to the internet until today. I wanted to get it secured first. My next post will describe what I did to secure my Ubuntu installation.

Monday, June 05, 2006

System Description vs. Functional Description

I'm trying to determine the meaningful difference between the System Description (ssaa section 1.2) and the Functional Description (ssaa section 1.3).

Thursday, May 25, 2006

A VM to Replicate our Environment

I'm building a VM to replicate our operating environment. VM is an impressive tool. I can see how it would save lots of time for administrators and developers, and save some money.

I plan to get much more familiar with it.

IATO

Since deciding to go the IATO route, we've been able to focus and get more work done.

I think we can get the SSAA done in the next week or so. I've contacted our AF rep. and he said I should call him next week to talk in person about who will fill the roles (DAA, etc.).

Also, I need to learn more about the negotiation phase. That is, when we turn in the SSAA, should we do it in person? Should we send it as an email and then have a face to face meeting later? Should we do both in person?

I'll call next week and get answers.

Friday, May 19, 2006

IATO -- let's go!

Yesterday, we decided to go the route of seeking IATO (Interim authority to operate) instead of a full-blown DITSCAP right away. This will give us a year, assuming we get an IATO, to operate and concurrently finish our entire DITSCAP with a FATO (full authority to operate). I feel good about this decision now, because it will get us going and seems achievable in the near term. Like taking a small bite instead of a big bite that we choke on. In the past, I wondered why we want to go the IATO route? I thought we had the time to do it all. Well, we don’t. No one ever has enough time.

The Project Manager Saves the Day

Yesterday, my project manager really got involved in putting together a project plan for our DITSCAP effort. It was great. He asked me lots of questions. I answered some and couldn’t answer others. The ones that I could answer were wonderful, because in the explaining, I learned what I know and identified areas that I don’t know much about.

I Feel Ready to Dive in

I've read the following article at least three times. On the third reading, just today, it has made more sense than ever. Every sentence makes sense. The previous readings left me with a foggy understanding that really didn't lead me to concrete work or lessons.

http://iac.dtic.mil/iatac Life Cycle Security and DITSCAP, IAnewsletter, Vol. 4, No. 2, Spring 01.

New blog, first post

This is my first post for my new blog.

Leave a record of lessons learned about our DITSCAP effort to help others and help us on future projects.

Our project: To certify our system so it can run inside a military domain. I’ll leave the details kind of vague, because I don’t want to bring public attention to our project. I don’t know what the confidentiality concerns are. So instead of pushing any limits, I’ll leave names, locations, and departments out of this blog. I’ll try to provide enough concrete information to make it useful to someone not familiar with my specific project.

This is my first DITSCAP effort. We’re certifying an off-the-shelf product to operate within a collaborative domain. The product is a web application server. Later, we will also certify web services that will be installed on the app. server. We’ll also certify some other systems that will use the web services.