Nov
30
From: Wired
By Mark Seward, Splunk
Advanced cyber-security threats, whether they are criminals, hactivists or nation states, are breaching organizations at an alarming rate. Aided by time, persistence and smarts, they adeptly penetrate an organization and exfiltrate confidential data without alerting tradition security software tools.
Nov
29
For more on the importance of measurement and IT security, see CRE’s 2010 statement to the Infomtion Security and Privacy Advisory Board (ISPAB) here.
From: Dark Reading
CISOs seek more discipline in measuring and mitigating risk in the coming year
By Ericka Chickowski
As CISOs and risk management pros gear up for a new year, they’ll be tasked with sheltering their organizations from a highly dynamic threat environment through a renewed sense of discipline as regulators, executives, and shareholders increasingly turn the microscope on their IT security practices. In order to improve and coalesce security practices, it’ll take work to line them up with maturing risk management philosophies. According to risk management experts, consultants, and practitioners, enterprises are likely to turn to the following risk management priorities in 2013 to achieve their security objectives.
Nov
28
From: GovInfo Security
Auditors Seized Control of Network, Records during FISMA Audit
In a good news, bad news audit report, the Social Security Administration’s inspector general lauded the agency for its information security program and practices for being generally consistent with the requirements of the Federal Information Security Management Act. Yet, the audit uncovered weaknesses that put Social Security systems and data at risk.
“We determined that SSA had established an overall information security program and practices that were generally consistent with FISMA requirements,” Inspector General Patrick O’Carroll Jr. wrote in a 37-page audit report. “However, weaknesses in some of the program’s components limited the overall program’s effectiveness to adequately protect the agency’s information and information systems.”
Nov
27
From: Help Net Security
This week, 23 vulnerabilities in industrial control software – specifically SCADA software – from several vendors have reportedly been found by a researcher at security firm Exodus Intelligence.
This follows the revelation of unreported SCADA application vulnerabilities from some of the same manufacturers, as exposed by Italian security company ReVuln last week.
Ross Brewer, vice president and managing director International Markets, LogRhythm, has made the following comments:
While cyber attacks on SCADA systems may be rare when compared to the astonishing number of incidents involving web applications or enterprise IT networks, the threat they pose are disproportionately severe.
Nov
26
From: FierceGovernmentIT
By Molly Bernhart Walker
Despite a series of damning, yearly Federal Information Security Management Act compliance audits, the Transportation Department failed again in fiscal 2012 to remedy recurring weaknesses that expose the department to serious security threats, according to a Nov. 14 Office of Inspector General report (.pdf). Twenty-one of 35 open recommendations made since 2009 remain open, say report authors.
In 2009, the department’s security program did not meet all federal requirements and the following year its lack of progress in other critical areas constituted a material weakness in internal controls. In 2011, DOT had not corrected weaknesses in its information security procedures, enterprise-level and system-level controls, and management of corrective actions.
Nov
23
From: The Optrics Insider
Data centers represent the nerve center of IT enterprises. With the presence of a complex mix of databases, network devices, applications and physical and virtual systems, the modern day data center present a unique challenge for IT operations. With cyber-crime looming large, data center operations are required to not only be robust and efficient, but also highly secure to ensure business continuity and data integrity.
Though the IT infrastructure in data centers face both external and internal security threats, of late, internal threats seem to be far more alarming as many of the reported security incidents have been caused by malicious insiders. Disgruntled staff, greedy techies, tech-savvy contractors and sacked employees could act with malicious intent and misuse privileged access.
Nov
20
From: NetIQ
by Michele Hudnall
Threat detection and management will be required to monitor continuously and in business context with regard to level of risk. Given the rapid change, information requirements, environment complexity, growing devices, explosive data growth and growing real-time analysis requirements accessing that data, risk of threats to the organization is growing exponentially. It will no longer be acceptable to audit for compliance at fixed intervals. Real-time, service contextual threat risk will be a monitoring requirement in 2013.
Current Conditions . . .
Nov
16
From: Government Computer News
By William Jackson
Continuous monitoring is replacing periodic certification of government information systems as the federal standard for IT security, but it is a means to an end rather than an end in itself, say government security pros.
“Continuous monitoring is a tactic in a larger strategy,” said Ron Ross, senior computer scientist at the National Institute of Standards and Technology.
The larger strategy is a comprehensive approach to the growing number of vulnerabilities, threats and attacks targeting government systems, which have put information security on the Government Accountability Office’s list of high risk activities since 1997.
Nov
16
Editor’s Note: A NIST slide presentation on the CAESARS Framework Extension, An Enterprise Continuous Monitoring Technical Reference Model, is available here. CRE’s comments on the 2nd Draft of the CAESARS Framework Extension are available here.
From: Government Computer News
By William Jackson
Fully continuous monitoring of the security status of information systems is an ideal that is unlikely to be reached because of the complexity of round-the-clock, real-time scanning of every aspect of a system. Both industry and government are moving toward making it more practical, however.
Nov
14
Editor’s Note: The DOE OIG Evaluation Report, “The Department’s Unclassified Cyber Security Program – 2012” is attached here. As was explained here, cybersecurity defects that could allow for manipulation/corruption of agency data undermine the organization’s ability to comply with the Data Quality Act’s pre-dissemination review requirements for public release of information. The DQA requirements have been held by the US Court of Appeals for the DC Circuit to be “binding.”
Below are two excepts from the OIG report,