Aug
30
From: SANS Institute
The concept and practice of Continuous Monitoring has blossomed into the keystone of federal information security programs. Continuous monitoring covers management, operational, and technical aspects of an information system program providing a comprehensive and holistic means to effectively manage these programs. Many security programs face challenges implementing and managing an effective information security program.
Aug
29
From SimplySecurity.com/Trend Micro
One of the most enduring maxims in the IT security world is the notion that the next threat facing your organization could always be lingering just around the corner. As a result, vigilance has become synonymous with diligence as administrators must now proactively seek out and guard against network and data security dangers around the clock.
The good news, according to the latest analysis from Enterprise Strategy Group (ESG), is that companies are starting to acquire and implement the technologies and policies that can help bridge the gap between capabilities and expectations. In a recent survey of 315 U.S.-based enterprise IT security professionals, researchers observed a “dramatic” increase in the adoption of continuous monitoring strategies.
Aug
28
Editor’s Note: Part 1 is found here.
From: McAffee Blog
by Brian Contos
Yesterday I blogged about a presentation I gave at GFIRST in Atlanta, Georgia where I demonstrated a number of application and database attacks and referenced how this is extremely relevant to Continuous Monitoring (CM) for federal agencies.
McAfee’s Approach to Continuous Monitoring
Risk Awareness
Aug
28
Editor’s Note: For Continuous Monitoring Best Practices, see FISMA Focus here.
From: InfoSecurity Magazine
The ability to continuously monitor big data across financial, operational and IT domains has emerged as a critical security and regulatory requirement for global corporations and government agencies. However, no comprehensive industry alliance has been in place to encourage the development of independent best practices.
The Agiliance Security Risk Management (SRM) Advisory Council aims to change that, bringing together a range of security-minded organizations and US government agencies to encourage new thinking with respect to IT security and risk management.
Aug
27
From: alnaqeb.com
By Brian Contos
At GFIRST in Atlanta, Georgia, I just gave an application and database hacking demonstration. I demonstrated various attacks such as:
I also gave a demonstration of a targeted Phishing attack that brought together Metasploit, Stuxnet, Bit.ly, Facebook…oh, and Cameron Diaz.
These demonstrations were meant to highlight how vulnerable applications, databases, and sensitive data in general can be without the right security controls and development practices. This is extremely relevant to Continuous Monitoring (CM) for federal agencies.
Aug
22
Editor’s Note: A GAO report on EPA’s Information Security found multiple serious deficiencies, some related to continuous monitoring. The GAO report is attached here. The section of the report titled “EPA Did Not Effectively Log and Monitor System Activity” is reprinted below.
From: GAO
To establish individual accountability, monitor compliance with security policies, and investigate security violations, it is crucial to determine what, when, and by whom specific actions have been taken on a system. Agencies accomplish this by implementing system or security software that provides an audit trail, or a log of system activity, that can be used to determine the source of a transaction or attempted transaction and to monitor a user’s activities. Audit and monitoring involves the regular
Aug
20
From: SANS Institute
Own Your Own Network: Continuous Monitoring
Featuring: Jerry Shenk and Michael Thelander
Own Your Own Network: Continuous Monitoring
Continuous monitoring has been defined by NIST and the SANS 20 Critical Security Controls as key to reducing risk in IT environments. Under these definitions, continuous monitoring encompasses at lot of moving parts! Change management, configuration management, vulnerability assessment, patch management, threat assessment – all are included in a comprehensive continuous monitoring program.
Aug
17
Editor’s Note: For more on this issue, see the TPSAC IPD here.
From: The Washington Post
By Lisa Rein
When the Food and Drug Administration started spying on a group of agency scientists, it installed monitoring software on their laptop computers to capture their communications.
The software, sold by SpectorSoft of Vero Beach, Fla., could do more than vacuum up the scientists’ e-mails as they complained to lawmakers and others about medical devices they thought were dangerous. It could be programmed to intercept a tweet or Facebook post. It could snap screen shots of their computers. It could even track an employee’s keystrokes, retrieve files from hard drives or search for keywords.
Aug
16
From: CircleID
While Congress and the White House deliberate possible actions on FISMA reform and increased oversight of critical infrastructure, relatively little attention is being given to the government-wide cybersecurity regulation already in place, the Data Quality Act (DQA).
Unlike FISMA, which primarily governs the government’s internal cybersecurity processes, and contemplated legislation and/or Executive Order(s), which would likely also include a focus on critical infrastructure protection, the DQA contains a unique mandate. Specifically, the law and its implementing regulations, set standards for the quality of virtually all information disseminated by the Executive Branch — including data which has been collected from the private sector as well as states and municipalities.
Aug
13
From: InformationWeek/Government
By Michael Biddick
Many mandates have been heaped on federal IT executives over the past few years: cloud computing, data center consolidation, open government,shared services, and wider support for mobile devices and applications. Which of these requirements, all coming from the Office of Management and Budget, have risen to the top of agency to-do lists? Well, none of them.