Continuous Monitoring track at IT Security Automation Conference (10/3-10/5)

From: SANS Institute

The concept and practice of Continuous Monitoring has blossomed into the keystone of federal information security programs. Continuous monitoring covers the management, operational, and technical aspects of an information system program, providing a comprehensive and holistic means to manage these programs effectively. Many organizations face challenges in implementing and managing an effective information security program.


Report: Continuous monitoring distinguishes security leaders

From Micro

One of the most enduring maxims in the IT security world is the notion that the next threat facing your organization could always be lingering just around the corner. As a result, vigilance has become synonymous with diligence as administrators must now proactively seek out and guard against network and data security dangers around the clock.

The good news, according to the latest analysis from Enterprise Strategy Group (ESG), is that companies are starting to acquire and implement the technologies and policies that can help bridge the gap between capabilities and expectations. In a recent survey of 315 U.S.-based enterprise IT security professionals, researchers observed a “dramatic” increase in the adoption of continuous monitoring strategies.


Continuous Monitoring at GFIRST (Part 2)

Editor’s Note: Part 1 is found here.

From: McAfee Blog

by Brian Contos

Yesterday I blogged about a presentation I gave at GFIRST in Atlanta, Georgia where I demonstrated a number of application and database attacks and referenced how this is extremely relevant to Continuous Monitoring (CM) for federal agencies.

McAfee’s Approach to Continuous Monitoring

Risk Awareness


New advisory council takes aim at security best practices

Editor’s Note: For Continuous Monitoring Best Practices, see FISMA Focus here.

From: InfoSecurity Magazine

The ability to continuously monitor big data across financial, operational and IT domains has emerged as a critical security and regulatory requirement for global corporations and government agencies. However, no comprehensive industry alliance has been in place to encourage the development of independent best practices.

The Agiliance Security Risk Management (SRM) Advisory Council aims to change that, bringing together a range of security-minded organizations and US government agencies to encourage new thinking with respect to IT security and risk management.


Continuous Monitoring at GFIRST (Part 1)

By Brian Contos

At GFIRST in Atlanta, Georgia, I just gave an application and database hacking demonstration. I demonstrated various attacks such as:

  • SQL Injection
  • XSS
  • Session Hijacking
  • Parameter Tampering
  • Database Protocol Hacking

I also gave a demonstration of a targeted Phishing attack that brought together Metasploit, Stuxnet, Facebook… oh, and Cameron Diaz.

These demonstrations were meant to highlight how vulnerable applications, databases, and sensitive data in general can be without the right security controls and development practices. This is extremely relevant to Continuous Monitoring (CM) for federal agencies.


EPA Monitoring Shortcoming Highlighted by GAO

Editor’s Note: A GAO report on EPA’s Information Security found multiple serious deficiencies, some related to continuous monitoring. The GAO report is attached here. The section of the report titled “EPA Did Not Effectively Log and Monitor System Activity” is reprinted below.

From: GAO

To establish individual accountability, monitor compliance with security policies, and investigate security violations, it is crucial to determine what, when, and by whom specific actions have been taken on a system. Agencies accomplish this by implementing system or security software that provides an audit trail, or a log of system activity, that can be used to determine the source of a transaction or attempted transaction and to monitor a user’s activities. Audit and monitoring involves the regular


Special Webcast: Own Your Own Network: Continuous Monitoring

From: SANS Institute

Wednesday, September 26, 2012 at 1:00 PM EDT (1700 UTC/GMT) presents:

    Own Your Own Network: Continuous Monitoring

Featuring: Jerry Shenk and Michael Thelander


Webcast Overview:


Continuous monitoring has been defined by NIST and the SANS 20 Critical Security Controls as key to reducing risk in IT environments. Under these definitions, continuous monitoring encompasses a lot of moving parts! Change management, configuration management, vulnerability assessment, patch management, threat assessment – all are included in a comprehensive continuous monitoring program.


Stepped-up computer monitoring of federal workers worries privacy advocates

Editor’s Note: For more on this issue, see the TPSAC IPD here.

From: The Washington Post

By Lisa Rein

When the Food and Drug Administration started spying on a group of agency scientists, it installed monitoring software on their laptop computers to capture their communications.

The software, sold by SpectorSoft of Vero Beach, Fla., could do more than vacuum up the scientists’ e-mails as they complained to lawmakers and others about medical devices they thought were dangerous. It could be programmed to intercept a tweet or Facebook post. It could snap screen shots of their computers. It could even track an employee’s keystrokes, retrieve files from hard drives or search for keywords.


The Federal Cybersecurity Regulation Already in Place

From: CircleID

While Congress and the White House deliberate possible actions on FISMA reform and increased oversight of critical infrastructure, relatively little attention is being given to the government-wide cybersecurity regulation already in place, the Data Quality Act (DQA).

Unlike FISMA, which primarily governs the government’s internal cybersecurity processes, and contemplated legislation and/or Executive Order(s), which would likely also include a focus on critical infrastructure protection, the DQA contains a unique mandate. Specifically, the law and its implementing regulations set standards for the quality of virtually all information disseminated by the Executive Branch — including data which has been collected from the private sector as well as states and municipalities.


Continuous Monitoring Among Federal IT Priorities

From: InformationWeek/Government

Cybersecurity, continuity planning, and data records management top the list in our latest Federal IT Priorities Survey

By Michael Biddick

Many mandates have been heaped on federal IT executives over the past few years: cloud computing, data center consolidation, open government, shared services, and wider support for mobile devices and applications. Which of these requirements, all coming from the Office of Management and Budget, have risen to the top of agency to-do lists? Well, none of them.
