Big Data Ushers in Era of Security Intelligence

From: Wired

By Mark Seward, Splunk

Advanced cyber-security threats, whether they are criminals, hactivists or nation states, are breaching organizations at an alarming rate. Aided by time, persistence and smarts, they adeptly penetrate an organization and exfiltrate confidential data without alerting tradition security software tools.


7 Risk Management Priorities For 2013

For more on the importance of measurement and IT security, see CRE’s 2010 statement to the Infomtion Security and Privacy Advisory Board (ISPAB) here.

From: Dark Reading

CISOs seek more discipline in measuring and mitigating risk in the coming year

By Ericka Chickowski

As CISOs and risk management pros gear up for a new year, they’ll be tasked with sheltering their organizations from a highly dynamic threat environment through a renewed sense of discipline as regulators, executives, and shareholders increasingly turn the microscope on their IT security practices. In order to improve and coalesce security practices, it’ll take work to line them up with maturing risk management philosophies. According to risk management experts, consultants, and practitioners, enterprises are likely to turn to the following risk management priorities in 2013 to achieve their security objectives.


IG: Social Security Systems, Data at Risk

From: GovInfo Security

Auditors Seized Control of Network, Records during FISMA Audit

By Eric Chabrow

In a good news, bad news audit report, the Social Security Administration’s inspector general lauded the agency for its information security program and practices for being generally consistent with the requirements of the Federal Information Security Management Act. Yet, the audit uncovered weaknesses that put Social Security systems and data at risk.

“We determined that SSA had established an overall information security program and practices that were generally consistent with FISMA requirements,” Inspector General Patrick O’Carroll Jr. wrote in a 37-page audit report. “However, weaknesses in some of the program’s components limited the overall program’s effectiveness to adequately protect the agency’s information and information systems.”


SCADA software bugs leave national critical infrastructure vulnerable

From: Help Net Security

This week, 23 vulnerabilities in industrial control software – specifically SCADA software – from several vendors have reportedly been found by a researcher at security firm Exodus Intelligence.
This follows the revelation of unreported SCADA application vulnerabilities from some of the same manufacturers, as exposed by Italian security company ReVuln last week.

Ross Brewer, vice president and managing director International Markets, LogRhythm, has made the following comments:

While cyber attacks on SCADA systems may be rare when compared to the astonishing number of incidents involving web applications or enterprise IT networks, the threat they pose are disproportionately severe.


DOT IG critical of recurring FISMA security weaknesses

From: FierceGovernmentIT

By Molly Bernhart Walker

Despite a series of damning, yearly Federal Information Security Management  Act compliance audits, the Transportation Department failed again in fiscal  2012 to remedy recurring weaknesses that expose the department to serious  security threats, according to a Nov. 14 Office of Inspector General report  (.pdf). Twenty-one of 35 open recommendations made since 2009 remain open, say  report authors.

In 2009, the department’s security program did not meet all federal  requirements and the following year its lack of progress in other critical areas  constituted a material weakness in internal controls. In 2011, DOT had not  corrected weaknesses in its information security procedures, enterprise-level  and system-level controls, and management of corrective actions.


Monitoring Privileged Activities, a Crucial Aspect of Data Center Infrastructure Management

From: The Optrics Insider

Data centers represent the nerve center of IT enterprises. With the presence of a complex mix of databases, network devices, applications and physical and virtual systems, the modern day data center present a unique challenge for IT operations. With cyber-crime looming large, data center operations are required to not only be robust and efficient, but also highly secure to ensure business continuity and data integrity.

Though  the IT infrastructure in data centers face both external and internal  security threats, of late, internal threats seem to be far more alarming  as many of the reported security incidents have been caused by  malicious insiders. Disgruntled staff, greedy techies, tech-savvy contractors and sacked employees could act with malicious intent and misuse privileged access.


2013: The Year of Continuous, Real-time Threat Monitoring in Business Context

From: NetIQ

by Michele Hudnall

Threat detection and management will be required to monitor continuously and in business context with regard to level of risk. Given the rapid change, information requirements, environment complexity, growing devices, explosive data growth and growing real-time analysis requirements accessing that data, risk of threats to the organization is growing exponentially. It will no longer be acceptable to audit for compliance at fixed intervals. Real-time, service contextual threat risk will be a monitoring requirement in 2013.

Current Conditions . . .


Continuous monitoring: A piece of the IT security puzzle

From: Government Computer News

By William Jackson

Continuous monitoring is replacing periodic certification of government information systems as the federal standard for IT security, but it is a means to an end rather than an end in itself, say government security pros.

“Continuous monitoring is a tactic in a larger strategy,” said Ron Ross, senior computer scientist at the National Institute of Standards and Technology.

The larger strategy is a comprehensive approach to the growing number of vulnerabilities, threats and attacks targeting government systems, which have put information security on the Government Accountability Office’s list of high risk activities since 1997.


Help is available for effective continuous monitoring

Editor’s Note:  A NIST slide presentation on the CAESARS Framework Extension, An Enterprise Continuous Monitoring Technical Reference Model, is available here. CRE’s comments on the 2nd Draft of the CAESARS Framework Extension are available here.

From: Government Computer News

By William Jackson

Fully continuous monitoring of the security status of information systems is an ideal that is unlikely to be reached because of the complexity of round-the-clock, real-time scanning of every aspect of a system. Both industry and government are moving toward making it more practical, however.


DOE OIG: “Without…effective continuous monitoring…there is an increased risk of compromise and/or loss, modification…of systems and the information”

Editor’s Note:  The DOE OIG Evaluation Report, “The Department’s Unclassified Cyber Security Program – 2012” is attached here.  As was explained here, cybersecurity defects that could allow for manipulation/corruption of agency data undermine the organization’s ability to comply with the Data Quality Act’s pre-dissemination review requirements for public release of information.  The DQA requirements have been held by the US Court of Appeals for the DC Circuit to be “binding.”

Below are two excepts from the OIG report,

Older posts «