GAO Questions Security of Census Data

From: GovInfoSecurity.com

Auditor Says Many Deficiencies Relate to Access Controls

By Eric Chabrow

A government audit reveals that the Census Bureau does not do a good enough job protecting the confidentiality of its data – a stinging conclusion, considering the bureau collects personal information about every individual residing in the United States.

In the report made public Feb. 20 – entitled Information Security: Actions Needed by Census Bureau to Address Weaknesses – the Government Accountability Office says the bureau has not effectively implemented appropriate information security controls to protect its information systems. Auditors say many of the deficiencies at the Commerce Department agency relate to access controls, the security rules and procedures used to regulate who or what can access the bureau’s systems.


Deploying security-analytics-as-a-service to dissect network attacks

From: ComputerWorld

Packetloop is a new cloud-based service that lets users drill down into network attacks based on uploaded packet captures

Rohan Pearce (CSO Online (Australia))

Sydney-based start-up Packetloop has gone live with its security-analytics-as-a-service offering. The service came out of private beta earlier this month.

The service, which leverages Amazon Web Services’ cloud, lets users upload full network packet captures, which are then analysed by Packetloop to produce a record of attacks against an organisation’s network, complete with visualisations.

“First and foremost it’s about analytics,” Packetloop CEO and co-founder Scott Crane says. “Getting analytics into the hands of the average security user.”


Some agencies unable to continuously monitor all networks, equipment

From: Federal Times


Agencies are under White House orders to continuously monitor and fix security risks on their computer systems and networks.

Specifically, by October 2014, they should be using automated software to monitor 95 percent of the devices operating on their networks to know whether they are secure. Those automated security scans should take place about every 72 hours.

Yet half of the government’s largest agencies, including the Environmental Protection Agency and Transportation Department, are falling short, according to the latest data. A 2012 report on Performance.gov noted that continuous monitoring scores dropped for several agencies as they discovered new hardware assets operating on their networks.
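The two numbers in the item above (95 percent of devices, scanned roughly every 72 hours) are easy to check against an asset inventory, and doing so shows why scores fall when new hardware is discovered: every newly found device counts against coverage until it has been scanned. The following is an added example written for this digest, not code from Federal Times or from any agency's monitoring tool; the inventory format (a list of dicts with `host` and `last_scan`), the hostnames and the timestamps are all constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Policy targets quoted in the article: 95% of devices, scan age no more than ~72 hours.
COVERAGE_TARGET_PERCENT = 95
MAX_SCAN_AGE = timedelta(hours=72)

# Constructed reference time so the example is deterministic offline.
NOW = datetime(2013, 2, 25, 12, 0, tzinfo=timezone.utc)


def scan_coverage(inventory, now):
    """Return (ratio, stale_hosts) for an inventory.

    A device is "covered" only if it has a last_scan timestamp within MAX_SCAN_AGE
    of `now`. Devices that have never been scanned (last_scan is None), which is
    the state of freshly discovered hardware, are counted as stale.
    """
    fresh, stale = [], []
    for dev in inventory:
        last = dev.get("last_scan")
        if last is not None and now - last <= MAX_SCAN_AGE:
            fresh.append(dev["host"])
        else:
            stale.append(dev["host"])
    total = len(inventory)
    ratio = len(fresh) / total if total else 0.0
    return ratio, stale


def meets_target(inventory, now):
    """True when the share of recently scanned devices meets the 95% target.

    Integer arithmetic avoids float-rounding surprises at exactly the threshold.
    """
    ratio, stale = scan_coverage(inventory, now)
    total = len(inventory)
    fresh = total - len(stale)
    return total > 0 and fresh * 100 >= total * COVERAGE_TARGET_PERCENT


def make_inventory(now):
    """Constructed sample: 19 workstations scanned within the last 54 hours,
    plus one printer last scanned 96 hours ago (stale)."""
    inv = [
        {"host": f"ws-{i:02d}", "last_scan": now - timedelta(hours=3 * i)}
        for i in range(19)
    ]
    inv.append({"host": "printer-01", "last_scan": now - timedelta(hours=96)})
    return inv


if __name__ == "__main__":
    inv = make_inventory(NOW)
    print("baseline:", scan_coverage(inv, NOW)[0], meets_target(inv, NOW))
    # Discovering one more device (never scanned) drops coverage below target.
    inv.append({"host": "plc-07", "last_scan": None})
    print("after discovery:", scan_coverage(inv, NOW)[0], meets_target(inv, NOW))
```

With the constructed inventory the baseline is 19 of 20 devices (exactly 95 percent, which passes), and adding a single never-scanned device drops it to 19 of 21 (about 90 percent, which fails) until that device is scanned. Counting unscanned devices as stale rather than excluding them is the design choice that makes the metric honest; excluding them would hide exactly the gap the auditors care about.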


US Military Contracts Will Require Continuous Monitoring of Industrial Control Systems

From: SANS

Later this year, the Pentagon will issue cybersecurity certification requirements for organizations that operate components of the country’s critical infrastructure and those that support the US military. The requirements have been under development for some time, predating the president’s executive order that asks the government to consider requiring cybersecurity standards in federal contracts. The owners of critical infrastructure organizations have been asking for cybersecurity guidance, but are reluctant to have requirements imposed. Within the next year, military contracts will include a requirement that industrial control systems (ICS) be continually monitored. Currently, those systems are tested for security every three years. –http://www.nextgov.com/cybersecurity/2013/02/pentagon-will-require-security-standards-critical-infrastructure-networks/61328/?oref=ng-channelriver


Trusted ID, monitoring efforts can’t keep IT security off high-risk list

From: GCN

By William Jackson

After 16 years of plans, strategies and regulation, federal IT security remains one of 30 program areas designated by government auditors as high risk.

The Government Accountability Office released its latest biennial assessment of programs most vulnerable to fraud, waste, abuse, and mismanagement and ineffectiveness. The security of government information systems has been on the list since 1997, and in 2003 protection of the nation’s privately owned critical infrastructure was added.

The two are lumped together as one high-risk area, which is receiving increasing attention from the administration, Congress and non-government security experts. Despite the attention and initiatives being taken to improve security, little progress was noted by GAO.


Cybersecurity Regulation through Executive Order

Editor’s Note:  The new cybersecurity Executive Order is attached here.

The regulatory nature of the Order was made evident in Sec. 10.b’s discussion of agencies proposing “prioritized, risk-based, efficient, and coordinated actions, consistent with Executive Order 12866…” and in the Section’s frank discussion of “cybersecurity requirements.”

The Order’s strong emphasis on use of private sector standards is very significant, as is the Order’s insistence on cost-effectiveness. What remains to be seen is the extent to which industry compliance with the Order provides companies with safety from regulatory and legal hazards.


McAfee Enhances its Business Security Management and SIEM Products

From: CIO

The company adds real-time querying capabilities to ePO and enables SIEM to automate security response to suspicious events

By Lucian Constantin


Analysis of Security Automation and Continuous Monitoring (SACM) Use Cases

Editor’s Note:  The complete draft memo, draft-waltermire-sacm-use-cases-04 may be found here.  The Abstract is below.

From: IETF.org

D. Waltermire, Ed. (NIST)


This document identifies use cases, derived functional capabilities, and requirements needed to provide a foundation for creating interoperable automation tools and continuous monitoring solutions that provide visibility into the state of endpoints, user activities, and network behavior. Stakeholders will be able to use these tools to aggregate and analyze relevant security and operational data to understand the organization’s security posture, quantify business risk, and make informed decisions that support organizational objectives while protecting critical information. Organizations will be able to use these tools to augment and automate information sharing activities to collaborate with partners to identify and mitigate threats. Other automation tools will be able to integrate with these capabilities to enforce policies based on human decisions to harden systems, prevent misuse and reduce the overall attack surface.


Feds Update Cybersecurity Compliance Handbook

From: Information Week

J. Nicholas Hoover

The federal government will soon finalize the most comprehensive overhaul to its internal cybersecurity guidelines since initial release.

The federal government has nearly finalized its first major overhaul to the primary handbook to federal cybersecurity standards in nearly four years, and its most significant update since the initial release of that handbook in 2005.

The National Institute of Standards and Technology (NIST) on Wednesday released the 455-page final public draft of NIST Special Publication 800-53, Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations, and announced that it was seeking comments on the document.


SCAP 1.2 Validation Program Test Requirements Now Available

Editor’s Note:  NIST Interagency Report (IR) 7511 Revision 3 Security Content Automation Protocol (SCAP) Version 1.2 Validation Program Test Requirements is attached here.

From: NIST

NISTIR 7511 defines the requirements that must be met by products to achieve SCAP 1.2 Validation. Validation is awarded based on a defined set of SCAP capabilities by independent laboratories that have been accredited for SCAP testing by the NIST National Voluntary Laboratory Accreditation Program. NISTIR 7511 Revision 3 has been written primarily for accredited laboratories and for vendors interested in producing SCAP validated products.