Blogs

DISA Checklists

I've felt resistance from system administrators regarding the use of DISA checklists to set up IA-related products.

I noticed a statement at the beginning of one of the checklists that I think will help me convince them that the checklists are clearly required.

The checklist says,


More Prescan Ideas

We should run the AppScan Scan Expert and then, based on what it finds, ask the client more questions. Scan Expert finds additional URLs and suggests other tests to run.

We should also ask the client what technologies they are using, like ColdFusion, J2EE, etc. This helps us refine the scans and testing.


Pre-scan Questions

Here's a list of some questions to ask before scanning an application with AppScan. There are lots more. Please add them in the comments and I'll make this list into a more formal document.

1. Invasive or not? (i.e. destructive or non-destructive)

2. Overnight or during the day?

3. Does the app include web forms? If yes, what are the URLs?

4. Is there an admin login page you want tested?

5. Does the app have Flash?

6. Does the app send email?


Definition: IA Products

The terms "IA products" and "IA-enabled products" appear frequently throughout the 8500.2 controls.

I need a reusable definition:

Information Assurance products protect information and information systems by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation.

Examples are backup systems, firewalls, and encryption systems.


Oracle, Online Partner Identity Management Training #2

I took the second in the series: Identity Management Awareness Session 2 - Overview of IAM.

This one took about 45 minutes and gave an overview of Oracle's Identity Management tools, which include Oracle Identity Manager (OIM) and Oracle Access Manager (OAM). The presentation made a strong case that Oracle is the leader in this area. I'll look around to find some evidence of that from independent sources.


Oracle, Online Partner Identity Management Training #1

I'm taking the online training provided by Oracle for its identity management partners. If you want the link, let me know.

The first session is Identity Management Awareness Session 1 - Business Drivers. It provides an overview of the reasons organizations need better identity management. It's about 15 minutes long. I liked it and found it to be a familiar, but worthwhile overview of the subject.


Vista Tip #1 (of which there should be many)

MS Vista tip: to display the Task Manager, press Ctrl+Shift+Esc.

Why it's best not to paraphrase complex arguments or ignore context...

I am a little concerned by the poor logic and irresponsible twisting (without quoting sources) of statistics from a 'security expert'. My hope is that the paraphrasing from the presentation was taken out of context:
http://www.darkreading.com/document.asp?doc_id=145224&WT.svl=news1_4

The author does not appear to understand risk, prevention versus detection, or the myriad of motives involved with computer or cyber

DoD Security Controls for DIACAP

Overview of the Security Controls for Integral Applications
The biggest part of the DIACAP process is testing the application to make sure it's compliant with regulations. The testing is based on security controls. DoDI 8500.2 contains 157 security controls. We don't have to evaluate (test) all of those controls; which ones apply to a given system is determined by its Mission Assurance Category (MAC I, II or III) and its confidentiality level (Classified, Sensitive or Public).

LM Hash

A presenter at the last MN ISSA meeting mentioned LM hashes and rainbow tables while describing a security incident he helped resolve. I didn't know what LM hashes or rainbow tables are. So I did some reading and this is what I found.
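As an added example (not code from the original post), here is the LM hash computed step by step in Go, using only the standard library's crypto/des package, followed by a lookup-style "crack" that treats each half of the hash independently, which is exactly the property rainbow tables exploit. The wordlist in CrackLM and the passwords in main are constructed for illustration; the two test vectors (the empty password and "password") are the well-known values that appear in pwdump output.

```go
package main

import (
	"bytes"
	"crypto/des"
	"fmt"
)

// lmMagic is the fixed plaintext that LM encrypts under each key half.
var lmMagic = []byte("KGS!@#$%")

// expandKey spreads 7 password bytes (56 bits) over an 8-byte DES key by
// inserting a parity bit after every 7 bits. DES ignores the parity bits,
// so each half of the password is only ever a 56-bit DES key.
func expandKey(k7 []byte) []byte {
	k := make([]byte, 8)
	k[0] = k7[0] & 0xFE
	k[1] = (k7[0] << 7) | (k7[1] >> 1)
	k[2] = (k7[1] << 6) | (k7[2] >> 2)
	k[3] = (k7[2] << 5) | (k7[3] >> 3)
	k[4] = (k7[3] << 4) | (k7[4] >> 4)
	k[5] = (k7[4] << 3) | (k7[5] >> 5)
	k[6] = (k7[5] << 2) | (k7[6] >> 6)
	k[7] = k7[6] << 1
	return k
}

// lmHalf DES-encrypts the magic constant under one 7-byte password chunk.
func lmHalf(chunk []byte) []byte {
	block, err := des.NewCipher(expandKey(chunk))
	if err != nil {
		panic(err) // only possible for a key that is not 8 bytes
	}
	out := make([]byte, 8)
	block.Encrypt(out, lmMagic)
	return out
}

// normalize applies LM's password rules: uppercase, truncate to 14 bytes,
// NUL-pad to 14 bytes. Case is discarded here, which is one of LM's weaknesses.
func normalize(password string) []byte {
	p := bytes.ToUpper([]byte(password))
	if len(p) > 14 {
		p = p[:14]
	}
	return append(p, make([]byte, 14-len(p))...)
}

// LMHash returns the 16-byte LAN Manager hash of password: two independent
// DES encryptions, one per 7-byte half, with no salt.
func LMHash(password string) []byte {
	p := normalize(password)
	return append(lmHalf(p[:7]), lmHalf(p[7:])...)
}

// LMHashHex renders the hash as it appears in a pwdump-style line.
func LMHashHex(password string) string {
	return fmt.Sprintf("%X", LMHash(password))
}

// CrackLM shows why rainbow tables work so well against LM: each 8-byte half
// of the hash depends on at most 7 uppercase characters and can be looked up
// separately. candidates is a constructed wordlist of half guesses; the table
// always includes the empty half that every password of 7 or fewer
// characters produces (the familiar AAD3B435B51404EE).
func CrackLM(hash []byte, candidates []string) (string, bool) {
	if len(hash) != 16 {
		return "", false
	}
	table := map[string]string{}
	table[string(lmHalf(make([]byte, 7)))] = ""
	for _, c := range candidates {
		chunk := normalize(c)[:7]
		table[string(lmHalf(chunk))] = string(bytes.TrimRight(chunk, "\x00"))
	}
	first, ok1 := table[string(hash[:8])]
	second, ok2 := table[string(hash[8:])]
	if !ok1 || !ok2 {
		return "", false
	}
	return first + second, true // recovered in uppercase only
}

func main() {
	fmt.Println(LMHashHex(""))         // AAD3B435B51404EEAAD3B435B51404EE
	fmt.Println(LMHashHex("password")) // E52CAC67419A9A224A3B108F3FA6CB6D
	// Constructed wordlist: neither entry is the full password, yet the two
	// halves are recovered independently and simply joined.
	if pw, ok := CrackLM(LMHash("password"), []string{"passwor", "d", "secret"}); ok {
		fmt.Println("recovered:", pw)
	}
}
```

The point to notice is that nothing in the wordlist above is "password"; a table of all 7-character uppercase halves is enough to recover any LM hash, which is why these hashes fall to rainbow tables in minutes and why LM storage should be disabled (NoLMHash) on any system that still supports it.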


