NIST SP 800-137

From: GCN

By Patrick D. Howard, (ISC)2 Government Advisory Council Executive Writers Bureau

Given the critical nature of operations that supervisory control and data acquisition (SCADA) systems manage, an article containing the words “cloud,” “SCADA” and “vulnerabilities” together should raise the hair on the necks of information security professionals.

Traditionally, SCADA applications used to control critical infrastructure have been hosted within an organization’s IT infrastructure and have relied on the protection offered inside the infrastructure perimeter. In some cases, organizations have “air gapped” their SCADA applications from the broader network and particularly from the Internet.

Read Complete Article

Editor’s Note: The following is from GAO’s Testimony before the Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies, Committee on Homeland Security, House of Representatives. The complete Tesimony may be found here. The following is an excerpt.

From: GAO

Statement of Gregory C. Wilshusen, Director, Information Security Issues

Our final report is expected to be released later this year, and our preliminary observations include the following:

From: United States Senate Committee on Appropriations

Tuesday, June 23, 2015

FINANCIAL SERVICES AND GENERAL GOVERNMENT SUBCOMMITTEE (John Boozman, Chairman)

Hearing to review information technology spending and data security at the U.S. Office of Personnel Management

Witnesses:

Ms. Katherine Archuleta, Director, U.S. Office of Personnel Management

Mr. Michael Esser, Assistant Inspector General – Audits, U.S. Office of Personnel Management

Mr. Richard Spires, Chief Executive Officer, Resilient Network Systems, Inc.

Webcasts:

FSGG Subcommittee Hearing: OPM Information Technology Spending & Data Security

Chairman Boozman Opening Statement

OPM Director Archuleta Testimony

From: Australian Broadcasting Corporation

By Anthony Stitt

When it comes to security, the long-standing saying that education is the great equaliser often tends to be put on the back burner. Organisations focus on technology rather than addressing a common root cause – people. While security issues cannot be addressed without technology, organisations also need to consider how education can address the people problem.

***

From: ars technica

Two separate “penetrations” exposed 14 million people’s personal info.

by Sean Gallagher

***

While OPM instituted continuous monitoring of some systems using security information and event management (SIEM) tools, those tools covered only 80 percent of OPM’s systems according to a fiscal year 2014 audit by OPM’s Internal Office of the Inspector General (OIG) audit team. And as of October 2014, monitoring didn’t yet include contractor-operated systems, according to the same organizational oversight.

From: IT Jungle

by Alex Woodie

Every day millions of IBM i server events are packaged up in the syslog standard and sent offsite for safekeeping and analysis. In many cases, the syslog files are sent in plain text across the wire because, hey, they’re just boring old log files, and what could anybody ever do with those, right? Wrong, says IBM i security software company Raz-Lee Security.

Syslogs are a bread-and-butter data format for IT professionals around the world. Just about every device in the data center uses the syslog format to transmit data about what it’s done. All sorts of IT activities are documented in syslog, from debugging applications and general systems management to real-time network alerts and security auditing.

From: ars technica

Security tools vendor found breach, active over a year, at OPM during sales pitch.

by Sean Gallagher

As officials of the Obama administration announced that millions of sensitive records associated with current and past federal employees and contractors had been exposed by a long-running infiltration of the networks and systems of the Office of Personnel Management on June 4, they claimed the breach had been found during a government effort to correct problems with OPM’s security. An OPM statement on the attack said that the agency discovered the breach as it had “undertaken an aggressive effort to update its cybersecurity posture.” And a DHS spokesperson told Ars that “interagency partners” were helping the OPM improve its network monitoring “through which OPM detected new malicious activity affecting its information technology systems and data in April 2015.”

From: FedBizOpps.Gov

From: CFO

Data theft by insiders is rampant but usually not discovered until after they’ve left.

John Parkinson

***

All these cyber threats are real and need to be addressed — but there’s a threat closer to home that too often gets ignored and that continually drives information security experts to distraction.

***

From: Information Age

Given the challenges of SCADA systems, what can be done to improve the security of critical infrastructure?

by Chloe Green