NRC must beef up information systems security practices, processes, IG says

From: FierceGovernmentIT


The Nuclear Regulatory Commission needs to perform continuous monitoring of its information systems and update its system security plans, according to a recently released internal audit.

The NRC inspector general’s audit (pdf) also said that configuration management procedures aren’t being consistently implemented and the commission’s action plan to fix deficiencies needs improvement – two findings that were identified from previous evaluations mandated by the Federal Information Security Management Act.



The White House breach and the evolving attack surface

From: Government Security News

By: Mark Seward

With more than 10 million purported attempts to break into Pentagon systems and servers each day, it was not surprising when the White House confirmed that individuals thought to be working for the Russian government attempted to hack its servers.

The White House is in good company with NATO, the Ukrainian government and U.S. defense contractors all detecting similar activities. Responding to the attack, anonymous officials indicated that the intruder didn’t damage any system or gain access to the “classified network.” This is typical of cyberespionage attacks, which are often motivated more by information gathering than by financial gain. Government businesses and agencies looking to defend themselves against cyberespionage attacks need IT security teams to take the fight to the new attack surface: on the network itself.


DHS Drafts Blueprints for Self-Repairing Networks as Hacks Mount

Editor’s Note: See the CircleID article, Achieving a Cyber-Reliant Infrastructure.

From: Nextgov

By Aliya Sternstein

The Department of Homeland Security is working with industry to automate cyber defenses inside the government, which will ensure operations continue during and after hack attacks, DHS officials said Wednesday.

Enterprise Automated Security Environment, or EASE, could give rise to something like a self-repairing network, Philip Quade, chief operating officer of National Security Agency’s information assurance directorate, told Nextgov last week.



6 tips for adopting open source

From: GCN

By David Egts

Open source code drives collaborative innovation from a larger pool of developers at a lower cost, which is why federal agencies are adopting the “open source first” model. In fact Sonny Hashmi, CIO of the General Services Administration, recently announced that implementing open source software is among his top priorities this year.

So what’s the best way to increase your agency’s adoption of open source software and keep it secure? Here are six tips to get you there:


3. Use SCAP for continuous monitoring of your datacenter’s security posture.


The Enemy Who Is Us: DoD Puts Contractors On Notice For Insider Threats

From: InformationWeek/DarkReading

Adam Firestone

New rule requires US government contractors to gather and report information on insider threat activity on classified networks.

In June 1953, American cartoonist Walt Kelly wrote about human frailty in the introduction to The Pogo Papers, a compilation of his cartoon strip, Pogo:

There is no need to sally forth, for it remains true that those things which make us human are, curiously enough, always close at hand. Resolve then, that on this very ground, with small flags waving and tinny blasts on tiny trumpets, we shall meet the enemy, and not only may he be ours, he may be us.


Security Contractor Data Breach Undetected for Months

From: Claims Journal


A cyberattack similar to previous hacker intrusions from China penetrated computer networks for months at USIS, the government’s leading security clearance contractor, before the company noticed, officials and others familiar with an FBI investigation and related official inquiries told The Associated Press.


In addition to trying to identify the perpetrators and evaluate the scale of the stolen material, the government inquiries have prompted concerns about why computer detection alarms inside the company failed to quickly notice the hackers and whether federal agencies that hired the company should have monitored its practices more closely.


Marrying Monitoring With IAM

From: DarkReading

Ericka Chickowski

Prevalence of stolen online credentials and rampant password reuse means enterprises must keep better tabs on how credentials are used.

As the value of valid online credentials starts to surpass that of credit card information, even enterprises unrelated to the sites these credentials are stolen from will need to up their identity management mojo. That’s because rampant password reuse puts corporate credentials at risk even when no vulnerabilities are being exploited and no information about corporate systems has been leaked.


Foreign LinkedIn Connections Could be Deemed Security Risk Under Continuous Monitoring


Are foreign LinkedIn requests and connections a security risk? Continuous monitoring pilots cast new light on the scrutiny over social networking contacts.


How much do you think before you click ‘accept’ on a new LinkedIn connection? While the network itself advocates only connecting with individuals you know personally, that practice is rarely adhered to, and individuals are often encouraged to connect with companies and recruiters with no real-world verification even possible. Many professionals even tout the size of their networks with tag-lines like “1000+ connections” and “all requests accepted.”