Monday, November 4, 2019


It's been a LONG time since I've posted on here and I wanted to return. One of the recent things I have been working on is trying to "settle the argument" of the DoD's SSE role versus its ISSE role. Below is what I drafted.
Enjoy!
dw


Within the Army’s Acquisition community, there is today a lack of clarity in defining and discussing the roles of a System Security Engineer (SSE) and an Information System Security Engineer (ISSE). This confusion is due in large part to ambiguity in how the roles are defined across the different publications used within this community. It also doesn’t help that the two role names are nearly identical.

Examination of the Official Verbiage

The logical starting point for this discussion is the examination of what is actually written in the different publications relevant to both System Security Engineering and Information System Security Engineering. This discussion will cover the relevant Department of the Army regulations, DoD’s guidance, and the descriptions of the roles as provided by NIST.

Army Guidance

The US Army defines the Information System Security Engineer (ISSE) as “an individual or a group responsible for conducting information system security engineering activities, including” [AR25-2] [DA PAM25-2-14]:
- System Architecture
- System Design
- System Development
- System Configuration

Furthermore, Army regulations require that the Program Manager (PM)/System Manager (SM) assign an Information System Security Engineer to all IS and PIT systems [AR25-2] [DA PAM25-2-14]. The ISSE should be “fully integrated into the systems engineering process.”
When discussing the Risk Management Framework (RMF) specifically, the US Army, in [DA PAM25-2-14], articulates the requirement to integrate system security engineering into existing processes. Unfortunately, this statement on its own has caused some confusion as to the ISSE versus SSE role within DoD and the US Army. Some clarity, discussed later, does exist when examining publications from NIST and DoD directly.
The question of SSE versus ISSE is never firmly resolved across the multiple levels of regulation and guidance, from Defense Acquisition through the US Army, DoD, and ultimately NIST. However, some clarity exists in the specific wording chosen in each document.
The ISSE role is specifically identified as being required in [DA PAM25-2-14].

DoD Guidance

In two tables within [DoD 8570-01M], Table C4.T7 and Table C10.T7, we find the following:
Table C4.T7. IAM Level III Functions
M-III.2. Ensure that protection and detection capabilities are acquired or developed using the IS security engineering approach and are consistent with DoD Component level IA architecture.

Here “IS” is intentionally prepended to “security engineering.” The second table provides an even clearer articulation of the name of the role/function:
Table C10.T7. IASAE Level III Functions
IASAE-III.18. Ensure that acquired or developed system(s) and network(s) employ Information Systems Security Engineering and are consistent with DoD Component level IA architecture.

NIST Guidance

Finally, we look at what the different NIST publications have to say. In [NIST SP800-37] we find a specific definition that, when examined, shows a difference between SSE efforts and those of an ISSE. The first definition is:
“Systems Security Engineering – Process that captures and refines security requirements and ensures their integration into information technology component products and information systems through purposeful security design or configuration.”
Notice that the definition describes the integration of security requirements into IT products and information systems. This is not synonymous with the integration of security requirements into a full system or system-of-systems. However, one must consider the target audience of this publication and its content, the Risk Management Framework. In more broadly scoped NIST publications, as shown below, this definition is expanded to be system-holistic: it includes cybersecurity concerns but is not focused solely on them as the definition above is.
Another NIST publication whose audience and content must be considered is [NIST SP800-53A]. Two items within this publication should be considered when examining the relationship between the SSE and ISSE roles. In the “Target Audience” section, the document uses the term “information Security Engineers” and uses neither Information System Security Engineers nor System Security Engineers. Later in the document, when discussing control SA-8 (Security Engineering Principles), the assessment objective specifically states: “applies information system security engineering principles”, which clearly references the specific role/function of ISSE efforts.
Finally, [NIST SP800-160 vol I] shows a clear delineation of the two roles. It should be noted that this publication is titled “Systems Security Engineering – Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems”. This is the first of two volumes of NIST’s Systems Security Engineering guidance.
[NIST SP800-160 vol I] describes Systems Security Engineering as focusing on “protection of stakeholder and system assets so as to exercise control over asset loss and the associated consequences”, and the approach described within the publication “helps to reduce the susceptibility of systems to a variety of simple, complex, and hybrid threats including physical and cyber-attacks; structural failures; natural disasters; and errors of omission and commission”. As this shows, the publication specifically states that SSE efforts include but are not confined to cyber aspects. The publication further states that:
“Systems security engineering, as an integral part of systems engineering, helps to ensure that the appropriate security principles, concepts, methods, and practices are applied during the system life cycle to achieve stakeholder objectives for the protection of assets—across all forms of adversity characterized as disruptions, hazards, and threats.”
Again, this shows that NIST SP800-160 does not confine SSE to the cybersecurity realm alone, which the publication specifically articulates a few sentences later:
“Systems security engineering leverages many security specialties and focus areas that contribute to systems security engineering activities and tasks. These security specialties and focus areas include, for example: computer security; communications security; transmission security; anti-tamper protection; electronic emissions security; physical security; information, software, and hardware assurance; and technology specialties such as biometrics and cryptography.”

Comparing the Guidance

It is apparent that there is no explicit agreement on the ISSE and SSE definitions between the US Army, DoD, and NIST publications. However, as shown here, when the content and audience of each individual publication are considered, the difference between the two roles becomes clearly defined.
System Security Engineering – the process of examining and applying security requirements holistically to a system or system of systems. These requirements are derived from multiple domains including cybersecurity, physical security, etc.
Information System Security Engineering – the process of examining and applying cybersecurity requirements to a system or system of systems. These requirements are primarily derived via the RMF process and are defined by NIST controls [NIST SP800-53r4] and DISA’s Control Correlation Identifiers.

What is an ISSE?

Looking at some of the definitions referenced above, it becomes simple to state, from a very high level, the actions associated with the ISSE role. Specifically, recall that [AR25-2] [DA PAM25-2-14] identify four primary areas of ISSE focus. These four areas are:
- System Architecture
- System Design
- System Development
- System Configuration
The word System has been defined within [ISO/IEC/IEEE 15288:2015] as:
- A set of interacting elements (i.e., system elements) organized to achieve one or more stated purposes.
In order to understand the role of the ISSE within the scope of the Risk Management Framework, we must refine the definition of System to the following:
- A set of interacting elements (i.e., system elements) organized to process Department of Defense (DoD) data and/or connect to a DoD Network.
With the appropriately scoped definition of System, we can further define these four target areas and the ISSE’s role within each.

System Architecture

According to [ISO/IEC/IEEE 15288:2015], System Architecture can be defined as “fundamental concepts or properties of a system in its environment embodied in its elements, relationships, and in the principles of its design and evolution”. In other words, a [normally] high-level description of a system and its internal and external interactions.
The ISSE role regarding system architecture is to examine and evaluate the proposed interactions and environment of the system. The ISSE best serves the program by asking specific questions about these high-level interactions, the operational environment, and potential alternatives.
An example of the ISSE function at this level would be the examination of proposed wireless protocols, the spectrum management/saturation of the operational environment, and the feasibility of the sub-systems connecting via a proposed wireless protocol.

System Design

Design is defined by [ISO/IEC/IEEE 15288:2015] in two ways:
- Information, including specification of system elements and the relationships, that is sufficiently complete to support a compliant implementation of the architecture
- Provides the detailed implementation-level physical structure, behavior, temporal relationships, and other attributes of system elements
Typically overlooked by ISSEs, or even excluded by design leads, the system design area is a critical area where the expertise of the ISSE should be leveraged heavily. The ISSE should be examining the protocols, transmission mediums, and system instrumentation/performance requirements, at both the hardware and software levels. This examination should identify conflicts and potential cost drivers that may have alternatives.
An example of the ISSE function during this process would be that of examining proposed hardware items to verify their ability to support a required encryption schema in terms of both cycle time and system power. Another example would be the examination of the physical design to ensure that cyber-physical requirements can be sufficiently and appropriately satisfied.

System Development

Development refers to the process, life cycle, or framework that is utilized within the program in order to implement the system architecture and design in a given system or system of systems.
The role of the ISSE during System Development spans the entire life cycle of the program and will vary depending upon the specific process, framework, or life cycle used to develop the system/system of systems.
The primary role of the ISSE within this domain is to ensure that the appropriate injection points exist in each phase of the development, so that cybersecurity requirements and effects are accounted for at the appropriate juncture.

System Configuration

Configuration refers to the specific items and details that are the realization of the architecture, design, and development processes. This phase has the lowest level of granularity and is intended to manage a system/system of systems from development through disposal. Items are tracked specifically by manufacturer information and serial number. Changes to the system, including item replacements, are both approved prior to action and documented.
The ISSE typically does not play a direct role in maintaining a system’s configuration. However, the ISSE should be involved in all cyber-related configuration changes and updates. This involvement requires that the ISSE provide expertise in the potential and known impacts of a given potential change to the system.

What is an SSE?

As stated above, the SSE role is one that applies security requirements holistically to a system. These requirements come from both security-based engineering domains such as cyber and physical, and from non-security-based engineering domains such as human factors engineering (Ergonomics) and Reliability, Availability, and Maintainability (RAM) Engineering.
Traditionally, and by best practice, the SSE comes from the Systems Engineering field and has a broad understanding of many engineering disciplines. This means that an ISSE with additional engineering experience can most likely fill the role of an SSE; however, the SSE’s less granular understanding of cybersecurity engineering makes the SSE a poor choice to fill the ISSE role.
Although not specified in the literature, it is generally safe to assume that, like the ISSE, the SSE provides engineering assistance in four domains:
- System Architecture
- System Design
- System Development
- System Configuration
The difference, however, and an important one, is the definition of System as it relates to the SSE supporting these four areas. For that, we go back to the original definition as found in [ISO/IEC/IEEE 15288:2015]:
- A set of interacting elements (i.e., system elements) organized to achieve one or more stated purposes.
This means that the general actions of the SSE within these four areas are the same as those of the ISSE, with the understanding that the SSE is not looking solely at cybersecurity requirements but at many requirements from multiple security and non-security engineering disciplines.
[NIST SP800-160 vol I] goes into great, very granular detail regarding the Systems Security Engineering process and the function of the System Security Engineer. There are numerous and specific tasks as well as an excellent framework (which makes prudent use of closed-loop feedback) for this process.

Conclusion

The roles of the ISSE and SSE are separate, although at times complementary, functions within the system development life cycle. This should be obvious to the reader when considering the target audience, wording, and scope of the references cited herein.


Thursday, December 21, 2017

Frameworks, Frameworks, Everywhere!!!...

- but not a component to spare???

It seems recently that everywhere I turn, at work, on the interwebs, and in research, I see the word FRAMEWORK sticking out in bold text with neon arrows.

Two examples of this that really stick out in my mind at the moment are that of:
1) at work, someone has asked for a framework-based checklist to use in verifying that ALL security controls have been included in contracts, implemented by vendors, and verified by assessments. (umm...would one checklist really provide a strong feeling of security through ALL of these processes???)
2) in some recent research I've been doing (taking all of my free time), I've read over 30 papers regarding the cyber security of parts of the IoT world and they all mention...FRAMEWORKS. Except...and here's one aggravation, none of them really make any proposal to this end.

So these got me thinking: as cyber security peeps, are we asking the proper questions? I mean, are we asking ourselves the proper questions before we shout these questions and "solutions" to the world? Or are we, true to what seems to be the norm, making knee-jerk reactions and suggestions without thinking them through? Better yet, are we looking for any evidence that someone just may have already had the thought? I feel like smart-phone IDS's may fall into this bucket.

I've seen for a while now the presence of IDS's in the marketplace for my phone. Now, as someone who loves IDS's and has worked more than one day on more than one type, I wonder if anyone asked the simple question: "To what end?" Seriously, is the average user going to know what to do if their Android screen shows a popup stating "Possible Mirai Botnet Infection Detected." Or will they just click "OK" and forget about it within five minutes? I don't know but I don't think we can start counting on individual users to form some sort of Ad Hoc Security Operations Center.

I don't know if we need yet another Framework, or another Model, nor even another Paradigm. What I do know is that we need to apply common sense to the advice we are giving our management. We need to further flesh out our ideas, do the research, and play our own devil's advocate to our suggestions. And all of this should be done BEFORE we open our mouths to our management and customers.

In short, I think we continue to over-complicate our own lives and efforts. Instead, let's get back to some of the basics...
   - Defense in Depth
   - Examine RoI
   - Perform a realistic Risk Assessment
   - Compose a realistic Threat Model
   - Learn new things Every Day!!!
   - Have FUN!!!

Monday, August 28, 2017

Helmet Schedules - NFL and Big10



Not a geek/nerd thing...but still important. The links below are for the 2017 Helmet Schedules for both the NFL and the BIG10. I created the NFL one. The BIG10 schedule came from fbschedules.com and looks a little nicer than mine with their formatting.


GO LIONS!!!
GO BLUE!!!


NFL 2017 Helmet Schedule
Big10 2017 Helmet Schedule

Tuesday, July 5, 2016

Python and Firefox bookmarks on Windows

I'm working today on creating a Python program to reorganize my Firefox bookmarks. My previous post was about the PowerShell code I created to do this, and since I haven't touched Python in a little bit, I figured what better way to relearn Python than to write a program that requires database interaction.

While I am still working on this program I had an interesting error that drove me bonkers for 20 minutes or so. Unfortunately, I had actually found the answer within one or two Google search results...but I didn't believe it could be that simple and kept searching.

The error I received when using a SELECT statement just to test the db connection:

sqlite3.DatabaseError: file is encrypted or is not a database

The FIX was very simple, and found at: https://deshmukhsuraj.wordpress.com/2015/02/07/windows-python-users-update-your-sqlite3/

The short of it is:
 - Download the proper file for your architecture from: http://www.sqlite.org/download.html
 - Unblock and Unzip
 - Copy the sqlite3.dll from the unzipped directory into your C:\python27\DLLs

I made a backup copy of the original sqlite3.dll in the folder. However, without any restarting or reloading of my dev tool, it worked as advertised.
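As an added example (Python 3, not code from the post above), the following checks the one thing an out-of-date sqlite3.dll gets wrong: it reads the 100-byte SQLite file header directly and compares the file's journal format with the sqlite library Python actually linked, since a WAL-format file (what Firefox profiles use) cannot be opened by a library older than 3.7.0. The sample database is constructed in a temp directory; the "old" library version (3, 6, 21) is an assumed pre-3.7.0 value, not a measured one.

```python
import os
import pathlib
import sqlite3
import struct
import tempfile

# Added example (Python 3), not code from the original post: read the
# 100-byte SQLite header of a database file and compare its journal format
# with the sqlite library that Python linked, which is what an out-of-date
# sqlite3.dll on Windows gets wrong ("file is encrypted or is not a database").

SQLITE_MAGIC = b"SQLite format 3\x00"
# Offsets 18/19 hold the file format write/read versions: 1 = rollback
# journal, 2 = WAL. Reading a WAL-format file needs SQLite >= 3.7.0.
WAL_MIN_VERSION = (3, 7, 0)


def parse_header(header):
    """Return facts about a raw 100-byte SQLite header."""
    if len(header) < 100 or header[:16] != SQLITE_MAGIC:
        return {"is_sqlite": False}
    page_size = struct.unpack(">H", header[16:18])[0]
    if page_size == 1:  # the value 1 encodes a 65536-byte page
        page_size = 65536
    return {
        "is_sqlite": True,
        "page_size": page_size,
        "wal": header[18] == 2 or header[19] == 2,
        "user_version": struct.unpack(">I", header[60:64])[0],
    }


def diagnose(path, lib_version=sqlite3.sqlite_version_info):
    """Explain why a sqlite library of lib_version might reject the file."""
    with open(path, "rb") as f:
        info = parse_header(f.read(100))
    lib = ".".join(map(str, lib_version))
    if not info["is_sqlite"]:
        return "not an SQLite 3 database (bad magic or truncated header)"
    if info["wal"] and lib_version < WAL_MIN_VERSION:
        return "WAL-format database but linked SQLite %s is older than 3.7.0; update sqlite3.dll" % lib
    return "header OK for SQLite %s" % lib


def make_sample_db(path, wal=True):
    """Constructed sample database; WAL mode is what Firefox profiles use."""
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE sample (id INTEGER PRIMARY KEY, url TEXT)")
    con.execute("INSERT INTO sample (url) VALUES ('https://example.test/')")
    con.commit()
    if wal:
        con.execute("PRAGMA journal_mode=WAL")
    con.close()


def demo():
    """Build the sample DB, then diagnose it against an old and the real library."""
    path = os.path.join(tempfile.mkdtemp(), "places.sqlite")
    make_sample_db(path)
    with open(path, "rb") as f:
        info = parse_header(f.read(100))
    # (3, 6, 21) stands in for a pre-3.7.0 sqlite3.dll; assumed, not measured
    old = diagnose(path, lib_version=(3, 6, 21))
    new = diagnose(path)
    # open read-only through a URI so the check can never alter the profile
    con = sqlite3.connect(pathlib.Path(path).as_uri() + "?mode=ro", uri=True)
    rows = con.execute("SELECT count(*) FROM sample").fetchone()[0]
    con.close()
    return {"info": info, "old": old, "new": new, "rows": rows}


if __name__ == "__main__":
    print(demo())
```

Point it at a copy of your own places.sqlite (diagnose(path)) to see whether the header, rather than the file, is what the library is complaining about.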

Sunday, July 3, 2016

PowerShell to organize Firefox bookmarks

Firefox bookmarks are stored in the user's profile directory, in a sqlite database named "places.sqlite". As I keep working more on different things to do with PowerShell, I was at first annoyed that the scripts I had already written for simple file maintenance and organization couldn't be used as is for organizing the enormous amounts of bookmarks that I have. I searched around the interwebs and found a few decent examples but still wanted to roll my own.

Below is the current script as is. I only tested this on my version of FF, 47.0. However, this is a rather simplistic script and, following a best practice to backup data first, making a copy of the places.sqlite file will allow one to "roll back" to the original state.

One last note: I started this intending to make use of the "System.Data.Sqlite" library. This was not hard to implement but was lengthier than I wanted. I then went to PSSQLite and found it to be a little easier to use.

#*******************************************************
#** File: Organize-FireFoxBM.ps1
#** Author: Dave Werden
#** General Notes:
#** - add 'COLLATE nocase' to end of search queries for
#**   case-insensitive searches. Similar to 'LIKE'
#**
#** - FK <= 8 is standard FF Folders
#** - Position == 0 is root level
#*******************************************************



#Need the PSSQLite module (provides Invoke-SqliteQuery) before executing script
if(!(Get-Module pssqlite)) {
    Import-Module pssqlite -ErrorAction Stop
}

#*******************************************************
#** Bookmarks are stored in a profile folder in a
#** sqlite file: places.sqlite
#*******************************************************

#firefox profile folder (Join-Path avoids the doubled backslashes from string concatenation)
$profFFBasePath = Join-Path $env:APPDATA "Mozilla\Firefox"
$profINIFile = Join-Path $profFFBasePath "profiles.ini"
$profFFProfPath = Join-Path $profFFBasePath "Profiles"

#get firefox default profile name (folder name) from profiles.ini
#lines look like "Path=Profiles/xxxxxxxx.default"; split-string is not a
#built-in cmdlet, so capture the folder name with a regex instead
$profName = (Get-Content $profINIFile |
             Select-String -Pattern '^Path=Profiles/(.*default.*)$' |
             Select-Object -First 1).Matches[0].Groups[1].Value

#set var for full path to default profile folder where the bookmarks are located and go there
#NOTE: Firefox must be closed first; it keeps places.sqlite locked while running
$profBookMarksPath = Join-Path $profFFProfPath $profName
Set-Location $profBookMarksPath

#*******************************************************
#** Need a sqlite provider
#** sqlite provider DL'd from https://psqlite.codeplex.com/
#** unzipped to system PS modules folder...had to unblock DLLs
#*******************************************************

$database = ".\places.sqlite"

#*******************************************************
## query strings - Data pulls only
#*******************************************************

#This query will return the ID, URL, GUID, Title, and Parent Folder of all bookmarks
$sqlQueryBMs = "SELECT moz_places.id, moz_places.URL, moz_places.GUID, moz_bookmarks.title, moz_bookmarks.id, moz_bookmarks.parent
                FROM moz_places, moz_bookmarks
                WHERE moz_bookmarks.fk = moz_places.id"

#*******************************************************
## query strings - Data inserts only
## Trigger needed to be inplace before inserting folders
#*******************************************************

#I hand-jammed this in for my own organization plan...
#could do this with an array and a loop/LINQ
#could also..maybe will...add subfolders using this method
#(SQL string literals are single-quoted; SQLite only accepts double quotes for them as a fallback)
$sqlInserts = "INSERT INTO moz_bookmarks (type, parent, title, dateAdded) VALUES (2,2,'BMs_Temp',CURRENT_TIMESTAMP),
                (2,2,'My_Family',CURRENT_TIMESTAMP),
                (2,2,'My_Job',CURRENT_TIMESTAMP),
                (2,2,'My_Money',CURRENT_TIMESTAMP),
                (2,2,'My_Radio',CURRENT_TIMESTAMP),
                (2,2,'My_Searches',CURRENT_TIMESTAMP),
                (2,2,'My_Coding',CURRENT_TIMESTAMP),
                (2,2,'My_Hobbies',CURRENT_TIMESTAMP)"

#Entries into moz_bookmarks need a GUID
#This will add a GUID to any newly created folder
#need to fix trigger to create more firefox-centric guids!
$sqlCreateTrigger = "CREATE TRIGGER AutoGenerateGUID
                    AFTER INSERT ON moz_bookmarks
                    FOR EACH ROW
                    WHEN (NEW.guid IS NULL)
                    BEGIN
                       UPDATE moz_bookmarks SET guid = (select hex( randomblob(4)) || hex( randomblob(2)) ||
                                  substr( hex( randomblob(2)), 2) )  WHERE rowid = NEW.rowid;
                    END"


#*******************************************************
## query strings - Data mods only
#*******************************************************

#Steps
#   1. What taxonomy do I use to sort bookmarks
#   2a. Pull all Bookmarks from original folders and move to target folders
#       i. Based upon keyword search of URL (and/or Title?) 
#       ii. DO NOT pull from target folders
#   2b. Pull all Bookmarks from original folders and move to a single temp Folder
#       i. Would probably make it easier to:
#            1) Find Dups
#            2) Clean up/Identify 'straglers' after all move operations completed
#
#Choice: 2b
#
#   3. Automated Cleanup of empty folders


#first, modify bookmarks to have parent id of our temp folder
$sqlMoveAllToTemp = "UPDATE moz_bookmarks SET parent = (SELECT id FROM moz_bookmarks WHERE title = 'BMs_Temp')
                     WHERE fk > 4
                     AND parent < (SELECT id FROM moz_bookmarks WHERE title = 'BMs_Temp')"

#Taxonomy...arrays of keywords :-) keyed by the target folder title
#[ordered] keeps the original search sequence: a bookmark matching two
#categories ends up in whichever category is processed last
$taxonomy = [ordered]@{
    "My_Hobbies"  = @("jeep","wrangler","fish","guitar","Audible","audio book")
    "My_Searches" = @("google")
    "My_Money"    = @("bank","finance","money","account","loan","finance","credit","checking","savings")
    "My_Job"      = @("compsec","embed","FCA","NGC","jobsearch","usajobs")
    "My_Coding"   = @("python","perl","linux","database","php","coding","code","scripting","visual studio","netbeans","java")
    "My_Radio"    = @("RF","frequency","shortwave","QR","CW","Morse","HF","UHF","VHF")
    "My_Family"   = @("werden","ancestry","family","DNA","genealogy","worden")
}

#One parameterized UPDATE per keyword: the folder title and the LIKE pattern
#travel as @folder/@word parameters instead of being spliced into the query text
$sqlUpdate = "UPDATE moz_bookmarks
                SET parent = (SELECT id FROM moz_bookmarks WHERE title = @folder)
                WHERE moz_bookmarks.title LIKE @word COLLATE nocase;"

foreach ($folder in $taxonomy.Keys)
{
    foreach ($word in $taxonomy[$folder])
    {
        Invoke-SqliteQuery -DataSource $database -QueryTimeout 10 -Query $sqlUpdate -SqlParameters @{ folder = $folder; word = "%$($word)%" }
    }
}


#*******************************************************
## Uncomment below to Execute other Queries from above
#*******************************************************

#Invoke-SqliteQuery -DataSource $database -QueryTimeout 10 -Query $sqlInserts

#Invoke-SqliteQuery -DataSource $database -QueryTimeout 10 -Query $sqlCreateTrigger

#Invoke-SqliteQuery -DataSource $database -QueryTimeout 10 -Query $sqlMoveAllToTemp


#*******************************************************
## Clean up
#*******************************************************


#drop the trigger (if it was created)...get db back to original triggerless state
$sqlDeleteTrigger = "DROP TRIGGER IF EXISTS AutoGenerateGUID"

Invoke-SqliteQuery -DataSource $database -QueryTimeout 10 -Query $sqlDeleteTrigger
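As an added example (Python 3, not the PowerShell script above), here is the same move-everything-to-a-temp-folder-then-file-by-keyword plan run against a constructed subset of the places.sqlite schema, with the keyword and folder title passed as SQL parameters, LIKE wildcards escaped, and new folders given GUIDs in Firefox's 12-character form rather than from a hex trigger. The schema, sample bookmarks and taxonomy are constructed for the example; it assumes folder type 2 under parent 2, as the script above uses.

```python
import base64
import os
import sqlite3

# Added example (Python 3), not the post's PowerShell script: the same
# move-to-temp-then-file-by-keyword reorganisation run against a constructed
# subset of the places.sqlite schema, with keyword and folder title passed as
# SQL parameters and folders given GUIDs in Firefox's 12-character form.

MENU_FOLDER, TYPE_BOOKMARK, TYPE_FOLDER = 2, 1, 2   # parent 2 and type 2 as in the post

def new_guid():
    """12 chars of [A-Za-z0-9_-], the shape Firefox uses for moz_bookmarks.guid."""
    return base64.urlsafe_b64encode(os.urandom(9)).decode("ascii")

def like_pattern(keyword):
    """Escape LIKE wildcards so a keyword such as 'my_job' matches literally."""
    esc = keyword.lower().replace("!", "!!").replace("%", "!%").replace("_", "!_")
    return "%" + esc + "%"

def create_schema(con):
    """Constructed subset of places.sqlite; ids 1..5 mimic Firefox's fixed roots."""
    con.executescript("""
        CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT, guid TEXT);
        CREATE TABLE moz_bookmarks (id INTEGER PRIMARY KEY, type INTEGER,
            fk INTEGER, parent INTEGER, title TEXT, guid TEXT);""")
    for i, name in enumerate(["root", "menu", "toolbar", "tags", "unfiled"], 1):
        con.execute("INSERT INTO moz_bookmarks (id, type, parent, title, guid) VALUES (?, ?, ?, ?, ?)",
                    (i, TYPE_FOLDER, min(i - 1, 1), name, new_guid()))

def folder_id(con, title, parent=MENU_FOLDER):
    """Return the folder's id, creating it (GUID included, no trigger) if absent."""
    row = con.execute("SELECT id FROM moz_bookmarks WHERE type = ? AND title = ?",
                      (TYPE_FOLDER, title)).fetchone()
    if row:
        return row[0]
    return con.execute("INSERT INTO moz_bookmarks (type, parent, title, guid) VALUES (?, ?, ?, ?)",
                       (TYPE_FOLDER, parent, title, new_guid())).lastrowid

def add_bookmark(con, url, title, parent=MENU_FOLDER):
    pid = con.execute("INSERT INTO moz_places (url, guid) VALUES (?, ?)", (url, new_guid())).lastrowid
    con.execute("INSERT INTO moz_bookmarks (type, fk, parent, title, guid) VALUES (?, ?, ?, ?, ?)",
                (TYPE_BOOKMARK, pid, parent, title, new_guid()))

def organize(con, taxonomy, temp_title="BMs_Temp"):
    """Move every bookmark to the temp folder, then file by keyword on title or
    URL; whatever is still in the temp folder afterwards is a straggler."""
    temp = folder_id(con, temp_title)
    targets = {name: folder_id(con, name) for name in taxonomy}
    con.execute("UPDATE moz_bookmarks SET parent = ? WHERE type = ?", (temp, TYPE_BOOKMARK))
    for name, words in taxonomy.items():      # earlier categories win ties
        for word in words:
            pat = like_pattern(word)
            con.execute(
                "UPDATE moz_bookmarks SET parent = ? WHERE type = ? AND parent = ? "
                "AND (lower(title) LIKE ? ESCAPE '!' OR fk IN "
                "(SELECT id FROM moz_places WHERE lower(url) LIKE ? ESCAPE '!'))",
                (targets[name], TYPE_BOOKMARK, temp, pat, pat))
    ids = [temp] + list(targets.values())
    rows = con.execute(
        "SELECT f.title, count(b.id) FROM moz_bookmarks f LEFT JOIN moz_bookmarks b "
        "ON b.parent = f.id AND b.type = ? WHERE f.id IN (%s) GROUP BY f.id"
        % ",".join("?" * len(ids)), [TYPE_BOOKMARK] + ids).fetchall()
    return dict(rows)

def demo():
    """Constructed sample bookmarks run through a three-folder taxonomy."""
    con = sqlite3.connect(":memory:")
    create_schema(con)
    for url, title in [("https://www.python.org/", "Python docs"),
                       ("https://docs.oracle.com/javase/", "Java SE"),
                       ("https://www.google.com/", "Google"),
                       ("https://example.test/checking", "My bank account"),
                       ("https://example.test/news", "Daily news")]:
        add_bookmark(con, url, title)
    result = organize(con, {"My_Coding": ["python", "java", "coding"],
                            "My_Searches": ["google"], "My_Money": ["bank", "checking"]})
    con.close()
    return result
```

demo() returns the bookmark count per folder; the one left in BMs_Temp is the straggler the post's step 2b is designed to surface.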