NIST Cloud Security Working Group

Homeland Security Consultants CEO Provides Cloud Security Guidance to the NIST Cloud Security Working Group

Robert Cope, in conjunction with Thomas Earl of Arcitura, presented the topic of Cloud Trust Boundaries to the NIST Cloud Security Working Group. Cloud Trust Boundaries are used to identify the demarcation of authority between a Cloud Service Provider and the Cloud Service Consumer. Accurately identifying the Cloud Trust Boundary is critical for applying appropriate security controls to protect the service offering. Additionally, it lets Cloud Consumers clearly understand what security controls will need to be supplied on their end.

Sean Cope, Homeland Security Consultants FedRAMP Lead, raised the point that attacks can originate from within the Cloud Service or be launched from a Cloud Consumer. Since the Cloud Consumer is a potential attack platform, a trust rating (security designation) should be given to the Cloud Consumer so that the Cloud Service Provider has a trust metric for the potential customers it serves. This would most likely apply to Cloud Systems with a High Security Categorization or other special-needs circumstances.

Robert Cope will continue to work with the NIST Cloud Security Working Group to further develop security engineering concepts dealing with cloud boundary security controls.

Homeland Security Consultants Participates in NIST 800-53 Rev 4 Test Case Development

Homeland Security Consultants volunteered for the FedRAMP Program Management Office (PMO) request to help develop test cases for 3PAO Assessors. The FedRAMP PMO issued a call to arms to those 3PAOs that had the resources and will to provide test cases that will be used in the upcoming release of the new NIST 800-53 Rev 4 overlay for FedRAMP.

“We were excited at the opportunity to help out the FedRAMP PMO and fellow 3PAOs in this crucial task.”

Security controls were divvied up amongst the 3PAOs to develop test cases to account for the Cloud environment. These test cases will be used in upcoming FedRAMP assessments for new and existing cloud providers.

Knowledge Based Authentication (KBA) has been Compromised

by Sean Cope 09/27/13

Everyone needs to be concerned, real concerned. No matter who you are, your public records information, which is used to verify your identity when dealing with your mortgage provider, bank, and credit lines, is at risk of being used against you.

A hacker service is in play that provides very low cost access to your personal information. This information can be leveraged by an unauthorized third party to cause catastrophic damage to your personal finances. A Gov Info Security article by Eric Chabrow reveals that the hacker organization SSNDOB is behind the data breaches of known KBA data warehouses and is selling personal information for pennies on the dollar.

Recently I needed to change my mailing address at a financial institution and was required to answer security questions to prove my identity. Having just gone through the Knowledge-Based Authentication process, it is easy to imagine how an attacker could successfully change a mailing address and order a new credit card. You might never know that an account was opened until a credit check to apply for a new mortgage reveals your destroyed credit.

How do you protect yourself against Knowledge Based Authentication (KBA) attacks?

One of the easiest ways to protect yourself is to freeze your credit. This tactic will not eliminate the threat entirely, but it will provide protection against unauthorized credit being opened in your name. Think about it: an attacker would have a very easy time opening a credit line, maxing out the card's limit, and leaving you with a destroyed credit history. You might be paying for a monthly credit monitoring service that will notify you that an additional line of credit has been opened in your name, but why expose yourself to such activities?

Experian, TransUnion, and Equifax have credit freeze sites that are easy to navigate, and when it's time to unlock your credit, that too is an easy fill-in-the-form process. Just make sure not to store your Personal Identification Number (PIN) on your computer. Print out a few copies and keep them with your important documents.

HSC receives FedRAMP Third Party Assessment Organization Status

Homeland Security Consultants, LLC has received Third Party Assessment Organization (3PAO) status under the Federal Risk and Authorization Management Program (FedRAMP). HSC is now an authorized Third Party Assessment Organization able to conduct security assessments for prospective Cloud Service Providers wishing to do business with the Federal Government.

For more information about our HSC FedRAMP services, please visit:

For more information about the FedRAMP initiative, please visit the GSA FedRAMP Microsite.

Federal Perspective: AES is just plaintext without FIPS 140-2

by Sean Cope

Even though the Federal Information Processing Standards Publication 140-2 (FIPS 140-2) was issued over a decade ago, I recently ran across information security specialists who challenged the need for FIPS 140-2 validation as it applies to products that use the Advanced Encryption Standard (AES) algorithm to perform cryptographic functions.

The debate circled around the notion that if the encryption module has been classified as using AES-strength encryption, then why would there be a need to have it FIPS 140-2 certified? The debate stemmed from an inaccurate understanding of encryption strength versus cryptographic module validation.

From the National Institute of Standards and Technology (NIST) viewpoint, if an encryption module has not undergone the Cryptographic Module Validation Program (CMVP), then no matter what type of encryption algorithm and corresponding bit-strength is used, the information that the encryption is supposed to be protecting must be treated as if it were not protected.

NIST views non-validated cryptographic modules as providing zero protection for the information system. NIST elaborates on the point, stating that “…data would be considered unprotected plaintext” if a non-validated encryption module provided the encryption capabilities employed for use by the information system.

With NIST's clear guidance, it is important to educate Program Management, Senior Level Executives, and security professionals alike that FIPS 140-2 cryptographic module validation is one critical requirement that cannot be overlooked.

If you find yourself in a similar situation, point the person to the NIST Cryptographic Module Validation Program (CMVP) and set the record straight.