Automation has always been a crucial mission of computing. In fact, that’s all computers do. They automate our tasks and turn what used to be lengthy and boring activities into a few clicks, or in our case today, a few keystrokes. (One may ask, why “a few” clicks? Why not “a single click”, or even “no clicking at all”? That’s a question I will attempt to elaborate on later.) This article describes our attempt to automate the periodic assessment of a system against newly found vulnerabilities using two of the few freely available SCAP tools: SCAP Sync and jOVAL.
Over the past few months, we have been methodically adding bits and pieces to SCAP Sync. A blog post detailing all of our changes is long overdue, so I would like to catch you up on what we have been doing! We have introduced some new security changes and we are synchronizing lots of new data sources in order to provide a more comprehensive database of SCAP content.
Detecting vulnerabilities is a necessity for any IT department hoping to keep its infrastructure secure or any IT security professional administering a Security Control Assessment. For that purpose, there is no lack of tools to scan the various facets of an organization’s pivotal technology: the Cisco Router Assessment Tool, Tenable Network Security’s Nessus, Hewlett Packard Web Inspect, App Detective and the open source Nmap. Though these scanners excel at finding vulnerabilities, none of them are readily able to work with the others to communicate their findings back to IT personnel. At Lunarline, we’ve been watching this problem for some time, so we decided to build a solution.
Vulnerability Scan Converter (VSC) is that solution, and we’re unveiling it today in advance of its commercial launch later this year.
We rolled out some major upgrades to SCAP Sync this week! We will be highlighting its new capabilities in a series of upcoming blog posts. Our goal is to show you how you can use SCAP Sync in your day-to-day security work to improve productivity and automate tedious workflows.
The first new feature that we are covering is CVE Applicability. This new feature makes it easy for you to research whether an announced vulnerability affects you or your employer.
Over the weekend, Lunarline rolled out several new features to SCAP Sync. In this post, I am going to point out three of my favorite new features: it is easier to use, it has a feed for monitoring updated SCAP content, and it has version history for SCAP Content.
By the way, if you are going to be at the ITSAC conference in Baltimore this week, please come say hello! We are speaking about SCAP Sync from 2:30 – 3:00 on Wednesday, October 3rd in Room 344. We also have a booth for the duration of the conference. Our booth is #19, which is along the left wall as you enter the exhibitors’ hall.
We are proud to announce that SCAP Sync (http://scapsync.com) is now live! SCAP Sync is a search engine and content repository for SCAP. Lunarline is offering this as a free service, starting today.
SCAP Sync crawls SCAP content from multiple original sources (including NIST and MITRE), then syndicates that content in several convenient formats for both security practitioners and application developers who are looking to use SCAP content in their own applications.
We haven’t posted on DoD’s pending transition from the DoD Information Assurance Certification & Accreditation Process (DIACAP) to what is called – at least for now – the DoD IA Risk Management Framework (RMF). Now, after reading the articles by noted security experts Len Marzigliano and Richard Bejtlich, it’s time to take a look at what this transition might really mean for DoD and its supporting contractors.
For those of us who have been around a while, we remember the emergence of the DoD Information Technology C&A Process (DITSCAP) and the somewhat reluctant transition from that C&A process to the DIACAP in 2007/2008. We watched while the DIACAP, which was intended to be a standardized process that would be applied consistently across the entire DoD to support reciprocity and cost savings, was subjected to modification and interpretation by each of the services. The result – standardization and consistency flew out the window and the DoD was back to incompatible, non-standardized processes and the inability (and perhaps unwillingness) to support full reciprocity across the DoD. In the end, despite all of the best intentions of the DoD authors of the DIACAP, it became yet another resource-intensive, paperwork-centric process. But five years into the transition, some of the wrinkles are getting sorted out.
And now, DoD wants to change yet again? Whoa, and we are just getting used to the DIACAP!
So, why now, and why the RMF? It all goes back five years or so to a series of discussions hosted by then Director of National Intelligence, Hon. Dale Meyerrose, along with the DoD CIO, Hon. John Grimes. The goal of their conversations was to jointly find solutions to long-standing problems relating to the extensive resources the IC and DoD historically expend for C&A, to ensure that C&As accomplished by one agency would be valid for all agencies, and to deliver systems to the customer faster. Concurrently, the National Institute of Standards and Technology (NIST) was working on a revision of the C&A processes used for Federal Information Systems. And then it dawned: why not work together across the Federal government to create a single process that would be applicable across the entire Federal government, to include the DoD and Intelligence Community (IC)?
The result is the NIST RMF and the IC and DoD have agreed to adopt this standard as their own – with some minor modifications, of course. Stay tuned for our next posting where we will continue this journey.
Lunarline is on the front lines of this new transition. Please be sure to take a look at our White Paper at http://lunarline.com/Services/Whitepapers.aspx. With our extensive experience in applying the NIST RMF, our participation in Federal, DoD and IC C&A transition working groups, and our NSA/CNSS certified training in this process, we can support you today and help prepare you for tomorrow.
I had an opportunity to review the draft of the upcoming revision 1 to Federal Continuity Directive 1 (FCD-1). I had several issues with it. It talks about “establishing contingency plans for the performance of essential functions.” Unfortunately this contradicts SP 800-34, which says “An Information System Contingency Plan (ISCP) provides procedures and capabilities for recovery of an information system.”
Just to clarify: until this draft, the government has used the term “contingency plan” to denote the policies and procedures for the recovery of a single system. “COOP Plan” has been used for the policies and procedures for recovering Primary Mission Essential Functions (PMEFs) and Mission Essential Functions (MEFs).
There are several other instances where the drafters of this revision crossed terms as used in other publications, particularly the NIST Special Publications. I’d like to see more consistency across publications to reduce confusion.
For the second year in a row, Lunarline, Inc. is named to the Inc. 500|5000 list, jumping 366 spots to rank No. 1846. This is the fifth year Inc. magazine has compiled their exclusive list of the nation’s fastest growing private companies. The list represents the most comprehensive look at the most important segment of the economy—America’s independent entrepreneurs.
The FOSE Conference and Exposition serves as a forum for bridging ideas and innovations between the public and private sector—and provides a forward-looking view of upcoming federal IT initiatives. The event will be held at the Walter E. Washington Convention Center from July 19-21. Lunarline, Inc. will be an exhibitor at booth #212 with some new and exciting offerings!
Lunarline has proven expertise in cyber security and privacy solutions, specialized information assurance services, and Next-Generation infrastructure strategies. Lunarline will be available to discuss ways that new tools and approaches are improving enterprise-wide and federated decision making and security.
Lunarline will also provide information on their upcoming School of Cyber Security (SCS) launch. The SCS is dedicated to providing excellence in cybersecurity training and certifications.