08 April 2011
Homeland Security Department personnel and contractor support staff who perform cybersecurity functions would not be furloughed during a government shutdown, DHS officials said.
As the prospects dim for Republicans, Democrats and the White House to broker a deal for funding agency services, federal departments are racing to determine which employees will have to stay at home when the current stopgap spending bill expires at midnight on Friday. Federal law states the government must stop all activities except those "necessary for the safety of human life or protection of property."
Given the uncertainty surrounding which staff are essential, it is possible that adversaries, believing employees' guards are down, might view this period of confusion as an opportune time to infiltrate government systems, some observers said.
When asked if Homeland Security is contracting out for additional incident-response personnel to monitor for potential intrusions, department officials said operational plans still are being finalized, but their present understanding is DHS' cybersecurity employees would continue working during a shutdown, since their duties fall under the statutory exemption.
11 March 2011
Though malicious outsiders always pose a threat, the experts from Symantec, Agiliance and SecureForce who spoke at today's GovWin Virtual Executive Roundtable agreed that the majority of security breaches are caused by well-meaning insiders.
"Most data breaches are caused by well-meaning insiders such as employees losing laptops, sending out inadvertent communications or e-mails, not thinking about the right processes or steps for how to transmit encrypted or secure data," said Tiffany Jones, Director of Public Sector Strategy and Programs at Symantec.
As the recent Wikileaks data breach demonstrates, IT professionals must be prepared to prevent and deal with situations caused by individuals who have proper access and abuse it. Webinar attendees agreed that inside threats are a serious issue: Over 70 percent of respondents to an in-webinar poll said that inside threats are more serious than external threats.
Malicious insiders -- usually disgruntled or compromised employees -- and outside attackers are also constant threats to both private-sector and government networks.
A range of vital components is needed to combat cybersecurity threats, including continuous monitoring, controls, improved user behavior, baseline scanning and intelligent security policies. "You can't secure what you can't manage," said Jones.
Just as importantly, controls must be repeatable and able to be automated at agencies and in vendor solutions.
According to Mike Saintcross, Director of Federal and Mid-Atlantic Sales at Agiliance, continuous monitoring, which consists of technology that gives constant awareness of risks and security on networks, is "finally maturing across most agencies."
Continuous monitoring is essential for detecting threats that come from both outside and inside the network, since most well-intentioned users who cause security breaches do so by violating policies (e.g., losing laptops, writing down passwords).
Other factors that play a large role in appropriate security are context and prioritization. "If you're getting lots of notifications about a vulnerability that turns out to be in a component that's five firewalls deep, it may not actually be that big a risk," said Stefen Smith, Chief Security Officer at SecureForce.
22 February 2011
Federal CIO Vivek Kundra says government will slash IT budgets where projects aren't working, while spending more on innovation.
By J. Nicholas Hoover, InformationWeek
The President's fiscal 2012 IT budget focuses on cutting what the government can't afford while still investing in game-changing technologies, federal CIO Vivek Kundra said today on a call with reporters.
Overall, the federal IT budget will go up by 1.3% to $79.5 billion, but that represents relatively flat spending compared to IT budget increases under the Bush administration.
On one hand, the budget begins a multi-year shift toward eliminating more than 800 federal data centers and eventually moving as much as $20 billion in IT spending to the cloud via data center consolidation and a cloud-first budgeting policy. It also reflects savings from rigorous statistics-based IT project reviews put in place last year. On the other hand, the government is spending significantly more money this year on cybersecurity and certain special projects like the FAA's NextGen air traffic control system.
While cloud computing is called out mostly in general terms in the President's budget and agencies' budgets, Kundra noted that cloud savings could be substantial, adding that the General Services Administration and Department of Agriculture would each save millions by moving to cloud email and collaboration services.
As part of the recently-released federal cloud strategy, agencies have committed to moving 72 total services to the cloud, Kundra said. He predicted that agencies' collaboration services will move to the cloud first, followed by workflow, infrastructure, business intelligence, and even security management.
10 January 2011
By John Casciano 12/17/10
New guidelines requiring continuous monitoring of federal networks are based on a wealth of real-world experience and highlight the necessity of using new tools to push agencies' cyber defenses to the next level. As envisioned in guidance released by the National Institute of Standards and Technology in June 2010, continuous monitoring enables organizations to proactively identify security issues that can be mitigated or plugged in advance of cyber intrusions or attacks.
In the dynamic and ever-changing networks in which agencies operate, continuous monitoring simply can't be performed manually; it must be supported by software that provides powerful new weapons for defending against and thwarting attacks.
To give real meaning to continuous monitoring and to implement effective enterprise defenses, chief information officers and chief security officers need to be cognizant of the promises and pitfalls their agencies face. One risk is that enterprises will embrace a reactive, narrow view of continuous monitoring that emphasizes only the tactical angle, giving short shrift to the proactive, and more important, meaning of the term. The result could be the illusion of 24-7 proactive protection, but not the reality.
Two emerging technologies, each employing continuous monitoring, address this challenge. To bolster security, organizations must differentiate between the two and employ both.
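As an added example (not code from the roundtable, the NIST guidance or any vendor product mentioned above), here is a minimal baseline-and-drift check of the kind continuous-monitoring tooling automates, with findings weighted by network exposure in the spirit of the prioritization point made at the March roundtable. The monitored file names, the three exposure tiers and the scoring weights are assumptions made for the demonstration.

```python
"""Minimal baseline-and-drift monitor.

Added example, not from the roundtable, the NIST guidance or any vendor tool.
The monitored paths, the exposure tiers and the scoring weights are assumptions.
"""
from __future__ import annotations

import hashlib
import os
import stat
import tempfile
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    path: str
    exposure: str  # assumed tiers: "internet", "dmz" or "internal"


# Assumed weights: the same change matters more on an internet-facing host
# than on one sitting "five firewalls deep".
EXPOSURE_WEIGHT = {"internet": 3.0, "dmz": 2.0, "internal": 1.0}
CHANGE_SEVERITY = {"missing": 5, "world_writable": 4, "content": 3, "mode": 2}


def fingerprint(path: str) -> dict:
    """What the baseline records for one file: SHA-256, permission bits, size."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    st = os.stat(path)
    return {"sha256": digest.hexdigest(), "mode": stat.S_IMODE(st.st_mode), "size": st.st_size}


def build_baseline(assets: list[Asset]) -> dict[str, dict]:
    """Snapshot every asset; run once on a known-good system."""
    return {a.path: fingerprint(a.path) for a in assets}


def detect_drift(assets: list[Asset], baseline: dict[str, dict]) -> list[dict]:
    """Compare the live system with the baseline; run on every monitoring cycle."""
    findings: list[dict] = []

    def add(asset: Asset, change: str) -> None:
        findings.append({"path": asset.path, "change": change, "exposure": asset.exposure})

    for asset in assets:
        expected = baseline.get(asset.path)
        if expected is None:
            continue  # never baselined; a real tool would flag this too
        if not os.path.exists(asset.path):
            add(asset, "missing")
            continue
        current = fingerprint(asset.path)
        newly_world_writable = bool(current["mode"] & stat.S_IWOTH) and not (expected["mode"] & stat.S_IWOTH)
        if newly_world_writable:
            add(asset, "world_writable")
        elif current["mode"] != expected["mode"]:
            add(asset, "mode")
        if current["sha256"] != expected["sha256"]:
            add(asset, "content")
    return findings


def prioritize(findings: list[dict]) -> list[dict]:
    """Order findings by severity x exposure so the analyst sees the worst first."""
    scored = [dict(f, score=CHANGE_SEVERITY[f["change"]] * EXPOSURE_WEIGHT[f["exposure"]]) for f in findings]
    return sorted(scored, key=lambda f: f["score"], reverse=True)


def run_demo() -> list[dict]:
    """Build a throwaway tree, baseline it, then simulate three kinds of drift."""
    root = tempfile.mkdtemp(prefix="cm-demo-")
    files = {  # constructed sample assets
        "index.html": ("internet", b"<html>welcome</html>\n"),
        "app.conf": ("dmz", b"debug = off\n"),
        "sshd_config": ("internal", b"PermitRootLogin no\n"),
    }
    assets = []
    for name, (exposure, content) in files.items():
        path = os.path.join(root, name)
        with open(path, "wb") as fh:
            fh.write(content)
        os.chmod(path, 0o644)
        assets.append(Asset(path, exposure))
    baseline = build_baseline(assets)

    # Simulated drift (constructed for the demo).
    os.remove(assets[0].path)                      # public web page deleted
    os.chmod(assets[1].path, 0o666)                # DMZ config made world-writable
    with open(assets[2].path, "wb") as fh:         # internal sshd hardening reverted
        fh.write(b"PermitRootLogin yes\n")

    return prioritize(detect_drift(assets, baseline))


if __name__ == "__main__":
    for finding in run_demo():
        print(f"{finding['score']:5.1f}  {finding['change']:15s} {finding['exposure']:9s} {finding['path']}")
```

The deleted internet-facing page scores highest (5 x 3), the world-writable DMZ config next (4 x 2) and the reverted internal sshd setting last (3 x 1), even though on content alone the sshd change is arguably the most dangerous. That ordering is the point of the "five firewalls deep" remark: the same finding deserves a different response depending on where it sits, and the weights are what an agency would tune to its own network.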
01 October 2010
Heartland Payment Systems, Inc. paid $5 million to Discover Financial Services Company earlier this month in a settlement over a data security breach, a situation that a better initial response might have minimized.
The settlement resulted from a 2008 incident. Hackers installed spyware on Heartland's network, exposing critical data such as account numbers and customer names for Visa, MasterCard, American Express, and Discover Card accounts.
Too often, companies that experience a data security breach only make the situation worse by not responding correctly. With more than 30 years of experience in the computer industry, Mike Theriault, president and CEO of B2B Computer Products in Addison, Ill., knows what businesses need to do as soon as they realize there's a data security problem.
"First of all, don't panic," he said. "People make the mistake of reacting before they know exactly what the problem is. Don't take any unnecessary action until you can accurately define the problem and know the scope."
Theriault has boiled the best response down to six steps. He says that although they're generally sequential, the order will depend on how regulated your industry is and the types of security risks your company faces.
27 September 2010
Avoiding Social Engineering and Phishing Attacks
Do not give sensitive information to anyone unless you are sure that they are indeed who they claim to be and that they should have access to the information.
What is a social engineering attack?
In a social engineering attack, an attacker uses human interaction (social skills) to obtain or compromise information about an organization or its computer systems. An attacker may seem unassuming and respectable, possibly claiming to be a new employee, repair person, or researcher and even offering credentials to support that identity. However, by asking questions, he or she may be able to piece together enough information to infiltrate an organization's network. If an attacker is not able to gather enough information from one source, he or she may contact another source within the same organization and rely on the information from the first source to add to his or her credibility.
What is a phishing attack?
Phishing is a form of social engineering. Phishing attacks use email or malicious websites to solicit personal information by posing as a trustworthy organization. For example, an attacker may send email seemingly from a reputable credit card company or financial institution that requests account information, often suggesting that there is a problem. When users respond with the requested information, attackers can use it to gain access to the accounts.
Phishing attacks may also appear to come from other types of organizations, such as charities. Attackers often take advantage of current events and certain times of the year, such as
- natural disasters (e.g., Hurricane Katrina, Indonesian tsunami)
- epidemics and health scares (e.g., H1N1)
- economic concerns (e.g., IRS scams)
- major political elections
How do you avoid being a victim?
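As an added example (not part of the US-CERT tip above), here is a small Python scanner for the kind of deceptive links a phishing e-mail carries, applying the tip's advice to check that a link really goes where it claims before trusting it. The sample message, the 203.0.113.7 address, the domains and the heuristics are constructed for the demonstration; the two-label "registered domain" is an assumption standing in for a proper public-suffix lookup.

```python
"""Flag deceptive links in an HTML e-mail body.

Added example, not part of the original tip sheet. The sample message, the
claimed sender domain and the heuristics are constructed assumptions; the
two-label "registered domain" below stands in for a public-suffix list.
"""
from __future__ import annotations

import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""

    def __init__(self) -> None:
        super().__init__()
        self.links: list[tuple[str, str]] = []
        self._href: str | None = None
        self._text: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host: str) -> str:
    """Last two labels (www.bank.example -> bank.example). Assumption: good
    enough for the demo; real code must consult the public suffix list."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def host_in_text(text: str) -> str | None:
    """If the visible link text looks like a URL or hostname, return its host."""
    candidate = text.strip()
    if not candidate or " " in candidate or "." not in candidate:
        return None
    if "://" not in candidate:
        candidate = "http://" + candidate
    return (urlsplit(candidate).hostname or "").lower() or None


def assess_link(href: str, text: str, claimed_domain: str) -> list[str]:
    """Return the reasons a link looks deceptive (empty list means none found)."""
    reasons: list[str] = []
    parts = urlsplit(href)
    host = (parts.hostname or "").lower()
    if parts.scheme not in ("http", "https"):
        reasons.append(f"unexpected scheme {parts.scheme!r}")
    try:
        ipaddress.ip_address(host)
        reasons.append("link target is a bare IP address")
    except ValueError:
        pass
    if parts.username is not None:  # https://bank.example@evil.example/ goes to evil.example
        reasons.append(f"userinfo before '@': browser actually connects to {host}")
    shown = host_in_text(text)
    if shown and registered_domain(shown) != registered_domain(host):
        reasons.append(f"text shows {shown} but link goes to {host}")
    if host and claimed_domain in host and registered_domain(host) != claimed_domain:
        reasons.append(f"{claimed_domain} embedded in unrelated host {host}")
    return reasons


def scan_email(html: str, claimed_domain: str) -> list[dict]:
    """Parse the body and report every link that triggers at least one heuristic."""
    parser = LinkExtractor()
    parser.feed(html)
    report = []
    for href, text in parser.links:
        reasons = assess_link(href, text, claimed_domain)
        if reasons:
            report.append({"href": href, "text": text, "reasons": reasons})
    return report


# Constructed sample message claiming to come from bank.example.
SAMPLE_EMAIL = """
<p>Dear customer, there is a problem with your account.</p>
<p><a href="https://www.bank.example/login">Sign in</a> to review it, or use
<a href="http://203.0.113.7/login">https://www.bank.example/verify</a>.</p>
<p><a href="https://www.bank.example@evil.example/verify">Verify your account</a></p>
<p><a href="https://bank.example.secure-login.example/">bank.example</a></p>
"""

if __name__ == "__main__":
    for item in scan_email(SAMPLE_EMAIL, "bank.example"):
        print(item["href"])
        for reason in item["reasons"]:
            print("   -", reason)
```

The first link is what a real notice from the bank would look like and is not reported. The other three show the patterns worth teaching users to spot: a raw IP address hiding behind bank-looking text, the bank's name placed in the userinfo part of a URL so that the browser connects to a different host entirely, and the bank's domain prepended as a subdomain of an unrelated registered domain. Hovering over a link (or inspecting the raw message) reveals the same mismatch the script detects.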
09 September 2010
Scans of a key system used by the Homeland Security Department's cybersecurity operations arm revealed 202 unique high-risk vulnerabilities, according to the DHS inspector general.
The operational arm, known as US-CERT, is the federal entity responsible for gathering information about cybersecurity incidents within the .gov domain; it also provides technical assistance to other federal agencies. The organization's role is likely to increase in importance as DHS exercises newfound oversight authority over other federal agencies.