NIST SP 800-137

From: Government Computer News

By William Jackson

This is the first a three-part series on building a government cybersecurity ecosystem.

Since its inception, the Internet has grown wild, which has spurred innovation, activity and information sharing, but has left security and standards unattended. The result is an online environment where outlaws can roam free.

Now a multiagency effort wants to impose a little order with a structured cyber “ecosystem” that could automatically assess and respond to threats, learn from previous incidents and even heal itself.

From: eSecurityPlanet.com

Ever since computer software established itself as the backbone of modern commerce, communications and entertainment, it has been a target for “hacktivists,” organized cyber criminals, rogue nation states and terrorist organizations. Their primary attack vector is exploiting design flaws and weaknesses in applications in order to steal data, commit fraud and disclose sensitive information.
With each major public data breach, our attention focuses on how to prevent these incidents. Often, the debate involves vulnerability management and how both software suppliers and end user organizations can make software code more secure. This raises the question, “Is vulnerability management the Achilles heel of cyber security?”

From: Dark Reading

Vulnerable technology supply chains have become a concern of security professionals and politicians alike, but a few steps could help minimize the possibility of attacks

By Robert Lemos

From foreign-built routers and laptops to open-source software, vulnerable technology supply chains have become a concern of security professionals as well as government officials.

With its recommendation that U.S. companies and the government not buy communications technology from two major Chinese firms, Huawei and ZTE, the House Intelligence Committee spotlighted the lack of confidence that organizations have in their infrastructure. It’s a problem not just for the United States and U.S. companies, but for businesses in other nations and other governments as well, says Julie Taylor, senior vice president for cyber security solutions at government contractor SAIC.

Editor’s Note:  The value of continuous monitoring continues to be underappreciated.

From: WISTV.com

Report: DOR refused service that could have stopped hacker

By Jody Barr

COLUMBIA, SC (WIS) –

The South Carolina Department of Revenue had access to free network monitoring through the state’s Internet technology department, but never chose to use it. That information came out Thursday in a letter from the Division of Information Technology director Jimmy Early to state Senator Vincent Sheheen, who is independently investigating the cyber attack.

The NASA Ames Research Center has won a 2012 U.S. National Cybersecurity Innovation Award for reducing risk through automated continuous monitoring at very low cost.

NASA Ames proved that the power of continuous monitoring and mitigation, first seen at the U.S. State Department, could be easily and inexpensively replicated even in a smaller agency. NASA Ames altered its vulnerability detection program to bring responsibility directly to system administrators and technical staff—those who can actually fix problems. By normalizing and tabulating Common Vulnerability Scoring System scores for each host and cross-referencing hosts to our asset inventory, the Center produced a “scoreboard” showing which hosts (and which system administrators) are security heroes, and which are security problems. The scores were further modified by constantly scanning the Center from a truly external server and adjusting scores upward when vulnerable hosts have services exposed beyond agency firewalls.

Editor’s Note: Ensuring continuous monitoring of BYOD environments will be an increasingly important task.

From: InfoSecurity-Magazine.com

Looking to help organizations wrestling with the security implications of the bring-your-own-device (BYOD) phenomenon, Israel’s Hadassah Medical Center has implemented the ForeScout CounterACT 7 network access control (NAC) functionality.

From Deltek/GovWin

In a draft solicitation issued mid-October 2012, the Department of Homeland Security (DHS) outlines 15 toolsets and 11 services areas for the new Continuous Diagnostic and Mitigation (CDM) program and for continuous monitoring as a service (CMaaS).

In June 2012, DHS outlined requirements for Continuous Monitoring. The core capabilities for continuous monitoring fell into five areas: hardware asset management, software asset management, vulnerability management, configuration management, and anti-virus. The concept of operations for the continuous monitoring program identified three approaches:

• Internally operated services
• Continuous Monitoring as a service (CMAAS)
• Cloud provider security services.

From: FedTech

Commerce Department CIO finds ways to reduce costs while addressing major IT challenges.

From: SANS Intitute

The innovation:  Deploying continuous automated monitoring to radically reduce the vulnerability of confidential citizen health data, with the added innovation of generating competition among contractors to improve security.

WASHINGTON, Oct. 30, 2012 /PRNewswire-USNewswire/ — The Centers for Medicare & Medicaid Services (CMS) has won a 2012 U.S. National Cybersecurity Innovation Award for using continuous automated monitoring to protect confidential citizen health data against theft and alteration.

From: GCN

By Jim Flyzik

Continuous monitoring is a critical but often misunderstood component at the epicenter of “proactive” cybersecurity.

How do we prevent malicious threats from getting into an organization’s network while allowing legitimate data to flow efficiently? How do we monitor data on our storage devices, the data at rest?  How do we audit all the devices in our network and their unique configurations?

In today’s complex technology landscape, network parameters are constantly evolving. This makes it nearly impossible for IT professionals to manage growing gaps in the infrastructure when even the smallest misconfiguration can leave the strongest defenses vulnerable to attack.