Thursday, April 14, 2005

April's ISSA-Denver Meeting

Yesterday afternoon the local ISSA chapter hosted a very interesting speaker. The speaker was Patti Titus, the current Chief Information Security Officer of the Transportation Security Administration (DHS). I was going to link to her bio but it appears not to exist anywhere, so I will just copy it and then go into my notes about her discussion.

Patricia Titus currently reports to the Chief Information Officer at the Transportation Security Administration in Washington, DC, in the capacity of Chief Information Security Officer and Director of IT Security. Her duties have been to develop and implement a new IT Security Office for TSA. She also reports to and works for the CISO at the Department of Homeland Security. Prior to joining TSA in April 2002, Ms. Titus was assigned as a Technical Advisor to the Deputy CIO at the Department of the Treasury. Since joining public service in March 2000, Ms. Titus has been assigned to various emerging technology projects and has worked extensively on enterprise network security projects. Prior to public service, Ms. Titus worked in small start-up companies within the DC metropolitan area as Vice President of Sales and Marketing. She spent several years in the Information Technology industry in various capacities. Prior to this she spent 13 years living overseas on duty with the US State Department, Department of Defense and Swiss Government.

Okay so now you know who she is - here's what she had to say:

Patti had several points she wanted to convey to the crowd. Among the points she touched on was Homeland Security Presidential Directive 12 (HSPD-12), the Policy for a Common Identification Standard for Federal Employees and Contractors. Basically the problem has come to light that there exist "Wide variations in the quality and security of forms of identification used to gain access to secure Federal and other facilities where there is potential for terrorist attacks need to be eliminated. Therefore, it is the policy of the United States to enhance security, increase Government efficiency, reduce identity fraud, and protect personal privacy by establishing a mandatory, Government-wide standard for secure and reliable forms of identification issued by the Federal Government to its employees and contractors (including contractor employees)." Patti discussed the need for implementation of better biometric solutions, PKI, etc. She however did not comment on where the money was going to come from to finance these cool new gadgets for the government.

As a previous user of biometrics this intrigues me - during a normal week I encountered no less than 20 false readings from a simple fingerprint scanner that controlled access to the lab I worked in. If we are going to utilize this technology in the government we really need to make things work - the common worker will not tolerate having to scan their finger 3 or 4 times every time they try to enter a room.

There was a brief discussion concerning IPSonar, an enterprise software product consisting of several interrelated discovery processes that find routes and routers, hosts, servers, wireless access points, operating system information, unauthorized connections or hosts, and perimeter leaks. This included how an intern was the one who actually deployed the initial test launch of this program and how the resulting report of holes led to the report being labeled - TOP SECRET - ONLY THOSE AT THE TOP CAN SEE THIS -

This is discouraging news to me. I would hope that our government would be running toolsets by now that allow them to accurately discover and gauge the risk that their network has to the outside world. To have an intern (hats off to her for pointing out the silliness) come in and throw a product on the network that so accurately describes where water is pouring from the dam is not confidence-building for those security geeks who pay attention to these things.

We learned some interesting things about the TSA's luggage machines - no wonder I get yanked all the time - I must be getting the guy who isn't punching the threat button fast enough.

Patti discussed the convergence of the CIO and CISO positions in the enterprise market. I agree with her on this one - the CISO position had little chance of survival in my eyes; typically you are stepping on the CIO/CTO's toes and something has to give. I will be curious to see whether we actually see the CISO blend with the CFO position. The advent of SOX puts the financial department on the hook for non-compliance, with jail sentences following quickly behind that.

Patti left us with a few thoughts, reminding us that We Do Not Negotiate with Terrorists, Cyber or Real! She also said something that made me wonder how soon until we see someone hunt down a "cracker" and put a bullet in him for cracking their systems.

All in all a very interesting speaker - I had an opportunity to have dinner with her the night before her speech and was happy to meet someone who was candid about her role within the current administration, the political appointees and what was right and wrong with our current behaviors.