Archive for January, 2012

White House Calls for Comprehensive Cyber Security Legislation

From: SANS Institute

I just finished reading a book on cybersecurity written by one of the few people who was in a position where he could see the whole picture. I sent copies to friends who have been asking me how they could “get up to speed” on this topic. The author is Joel Brenner, who was the National Counterintelligence Executive in the Office of the Director of National Intelligence. People from all across the community told him the truth and he summarized it fully and clearly. Called “America the Vulnerable,” this book may help shape the national debate, but far more importantly, it can give cybersecurity professionals the breadth of knowledge that few of us ever have a chance to gain and thereby make each of us more effective in what we try to do.

CSO Interchange: Cloud concerns are largely propaganda

From: InfoSecurity

Last week’s CSO Interchange roundtable centered on “Barriers to Cloud Adoption”, with talks on identity issues from Jericho Forum’s Paul Simmonds and SSL from security researcher Moxie Marlinspike.

CSO Interchange’s discussions are held under Chatham House rules, but founder Philippe Courtot, CEO of Qualys, subsequently talked to Infosecurity about his own view on the barriers to cloud adoption. And it seems that a lot of it is propaganda. “There is a lot of misinformation around because the established players don’t want to hear about the cloud,” he told us. “They are not ready, and it is a threat to their business. The cloud doesn’t inhibit people – it is the implementation of the cloud that matters.”

A closer look at two of today’s top security threats

From: SC Magazine

Matt Ulery, director, product manager, NetIQ

As an information security professional, there are two security issues that I continually hear about when talking to IT organizations today: protecting against malware and advanced persistent threats (APTs), and securing data in virtual and cloud environments.

Advanced persistent threats

Hackers and computer criminals have shown an ongoing ability to stay one step ahead of the security professional. This is occurring in large part because security is often not treated as a sustained effort, and too many organizations take a check-box approach to implementing security or meeting compliance objectives.

No ‘supranational regulatory body’ should govern the Internet, say U.S. officials

From: FierceGovernmentIT

The United States will oppose attempts to create a “supranational regulatory body” for the Internet during a planned December 2012 meeting of the International Telecommunications Union, said Larry Strickling, head of the National Telecommunications and Information Administration. Strickling spoke Jan. 11 at the Brookings Institution.

On the agenda for the United Nations agency’s planned conference in Dubai is a renegotiation of International Telecommunications Regulations (.pdf), a 1988 treaty that governs international interoperability.

Ahead of the meeting, some of the 193 ITU member nations have proposed major changes, including moving oversight “of critical Internet resources into the ITU, including naming and numbering authority,” Strickling said.

20 critical controls for effective cyber defence (UK)

Editor’s Note: FISMA Focus, on an occasional basis, will provide information on the cybersecurity efforts of allied nations.

From: Centre for the Protection of National Infrastructure

The Top Twenty Critical Security Controls are a baseline of high-priority information security measures and controls that can be applied across an organisation in order to improve its cyber defence. The controls (and sub-controls) focus on various technical measures and activities, with the primary goal of helping organisations prioritise their efforts to defend against the current most common and damaging computer and network attacks.

Draft cyber bill gives DHS controversial authorities

From: 1500AM

By Jason Miller

The draft version of the comprehensive cybersecurity bill could give the Homeland Security Department the ability to take “any lawful action” against contractors if their systems are under attack.

Bob Dix, a former staff director for the House Oversight and Government Reform Committee and now vice president government affairs and critical infrastructure protection for Juniper Networks, said that could mean taking over a vendor’s system that contains federal data.

FedRAMP baseline controls released

From: Fierce Government IT

Federal officials released Jan. 6 security controls that constitute the basis of governmentwide authorization and accreditation of cloud computing systems.

The controls (.zip), part of a program known as FedRAMP, are meant to act as a common federal baseline for low- and moderate-risk cloud services. A Dec. 8, 2011 memo (.pdf) from Federal Chief Information Officer Steven VanRoekel tells agencies to use provisional authorizations of public cloud computing services, granted via an independent third party using FedRAMP criteria, when conducting their own risk assessments.

Senate to debate cyber bills in early 2012

From: 1500AM

By Jolie Lee, Web Editor

Senate Majority Leader Harry Reid (D-Nev.) promised to bring up comprehensive cybersecurity legislation early in 2012. Last year, there were more than 50 bills introduced in Congress, but they received little attention.

2012 just might be the year Congress tackles cybersecurity.

“Cyber risk is one of the key emerging national and economic issues of our time,” said Jacob Olcott, former counsel for Chairman of the Senate Commerce Committee Sen. Jay Rockefeller (D-W.Va.), and now a principal with Good Harbor Consulting.

Automation with a Dash of Humanity

Part 2: Roundtable Discussion on Info Risks for the New Year

By Eric Chabrow

As organizations move to continuous monitoring of their IT systems to assure they’re secure, they rely much more on automated processes. But don’t forget the role people play.

“Certainly, we can’t do this job of continuous monitoring without automation,” NIST Senior Computer Scientist Ron Ross says in the second of a two-part roundtable discussion on information risk management in the new year. Automation “is a necessary piece, but not sufficient, because there are a lot of things that only humans can do and humans do best.” Processes to continuously monitor insider threats require human intervention. “The combination of these activities really will work well to do what we would call a very robust continuous monitoring program,” Ross says.