Mar 28

Former Federal IT Execs: A Risk Based Approach to Security Needed

From: FireMon Blog

Author: Ward Holloway

A Federal Times article recently noted that three former Federal IT Executives, including two high ranking IT security officials from the Office of Management and Budget (OMB), felt that government IT security was too focused on compliance and “oftentimes do not reflect their agencies’ most critical security needs”. In a new report entitled “Measuring What Matters: Reducing Risk by Rethinking How We Evaluate Cybersecurity”, the authors note that government agencies “continue to spend scarce resources on measures that do little to address the most significant cyber threats.”

Mar 27

Opinion: How do Security Analytics help keep networks secure?

From: ABC (Australia)

Shaun McLagan

Albert Einstein said once that if he were seeking a needle in a haystack, unlike others, he wouldn’t stop when he found a single needle but would instead look for all the possible needles. That’s a well advised approach for security analysts; after all, the accepted position today is that miscreants will get in. The challenge is to identify the breaches and deal with them as soon as possible, thereby reducing the window of opportunity for damage to be done.

Mar 21

Five Hurdles That Slow Database Security Adoption

From: Dark Reading

A number of factors contribute to uneven adoption of database security technology in the enterprise — most of them center around complexity

By Ericka Chickowski, Contributing Writer/Dark Reading

In spite of a fairly mature product set and boardroom directives to protect sensitive databases, the average enterprise today still has a long way to go before it’ll apply comprehensive database security technology and processes to all of its critical databases — let alone all of its corporate databases. Even with compliance mandates slowly boosting the sale of database activity monitoring (DAM) tools at the enterprise level, the technology itself is growing cobwebs within many organizations for two big reasons: cost and complexity.

Mar 15

Agencies’ security efforts stall, report says

From: GCN

By William Jackson

Compliance with IT security requirements for executive branch agencies dropped slightly in the last fiscal year, highlighting the challenges of monitoring and hardening networks and systems in the face of increasing threats and decreasing budgets.

As the administration focuses on a handful of key capabilities to enhance federal cybersecurity, overall compliance with the Federal Information Security Management Act slipped from 75 percent in fiscal 2011 to 74 percent in 2012 according to the annual report from the Office of Management and Budget.

Mar 11

Tripwire Acquires nCircle

From: Dark Reading

Acquisition is expected to close in April

PORTLAND, OREGON — March 11, 2013 — Tripwire, Inc., a global provider of IT security solutions, today announced it has entered into a definitive agreement to acquire nCircle, a leading provider of information risk and security performance management solutions. The acquisition is expected to close in April and is subject to the customary closing conditions. The terms of the acquisition are not being disclosed.

Mar 07

Defense Science Board Recommendations on Continuous Monitoring

Editor’s Note: The Final Report of the Defense Science Board (DSB) Task Force on Resilient Military Systems is attached here.  Below is an excerpt from a section of the report discussing continuous monitoring.

8.2.1.2 Provide Continuous Monitoring and Situational Awareness

An additional challenge for DoD is understanding who is “on” and what is the operational status of their network(s).  Sensor deployment has begun at Internet access points to monitor and control access and network traffic flow. These Einstein sensors provide monitoring of network ingress and egress through a system of mostly COTS network monitoring tools driven by the NSA-provided signature set.  This is a good start, but commercial tools have advanced to include capabilities to operate behind firewalls and to track anomalous activity throughout the components of a network. It is essential to provide continuous monitoring of all networks against cyber attack (see State Department example in Figure 8.1).

Mar 07

Continuous Monitoring, Big Data, and Concerns with CISPA

Editor’s Note: CDT apparently prefers that private sector networks remain vulnerable to hostile state and non-state actors rather than allow “automated monitoring of data on private networks” for national security purposes. Perhaps the author should consider the possibility that the organizations systematically hacking private sector networks are a significantly greater threat to personal privacy, information security, and intellectual property protection than the American government.

From: Center for Democracy and Technology

by Greg Nojeim

Mar 06

The enemy of risk management starts with a C (and it’s not China)

From: GCN

By William Jackson

Managing risk in a network requires knowing your assets and prioritizing defenses, says the National Institute of Standards and Technology’s Ron Ross. Complexity is the enemy, and moving to the cloud can help simplify.

“You can reduce the complexity of your infrastructure by 5 to 40 percent by moving to the public cloud,” said Ross. “Without reducing that complexity, we’re going to be doing what technicians call thrashing — a lot of activity with few results.”

Mar 04

DISA lays groundwork for implementing Windows 8

From: GCN

By Greg Crowe

Recently the Defense Information Systems Agency released its Security Technical Implementation Guidelines (STIG) for use of Microsoft’s Windows 8 operating system. The unclassified version is available on the DISA website.

First, the guide specifies that this STIG covers only the versions of Windows 8 that support the x86/64-based processor architecture. This precludes Windows 8 RT, but DISA said RT is being evaluated under a different STIG. Since RT runs on ARM processors, it only makes sense that DISA would cover it with other mobile operating systems.