Cyber Security, Data Breach, IT Security, Security, Technology

WATCHDOG WANTS TO KNOW IF DOD HAS ACTUALLY SAVED MONEY BY JUMPING TO THE CLOUD

Last month, the Defense Department inspector general published a hard-hitting report questioning the structure and execution of the department’s cloud computing strategy.

Now, auditors are putting DOD technology officials on notice that they’re already beginning another probe of the agency’s cloud efforts.

The message of the new report: Show us the money.

A Dec. 9 letter from Carol N. Gorman, assistant IG for readiness and cyber operations, said the audit aims to determine whether DOD components actually performed cost-benefit analyses before acquiring cloud computing services and “whether those DOD components achieved actual savings as a result of adopting cloud services.”

The memo is addressed to the undersecretary of defense for acquisition, technology and logistics, the DOD chief information officer, the director of the Defense Information Systems Agency, and the commanders of U.S. Cyber Command and U.S. Strategic Command.

Cloud Computing, Cyber Security, Data Breach, IT Security, Technology

How cards and mobile devices will both serve as identity tokens

Cards and smartphones will work together seamlessly within a centralized identity management system. Not only will this centralized system support the use of secure identities carried on both form factors; it also will support their use across multiple applications and on a growing range of digital platforms beyond smartphones, including wearables. This will require that organizations take a somewhat different approach to identity management than they have in the past.

There is an important reason why plastic ID cards will remain a widely used identity vehicle for the foreseeable future: they enable quick visual identification in addition to other capabilities for access control including opening doors and making cashless payments. The number of applications that can be carried on smart cards will continue to grow over time and will extend to logical access control, as well.


This will give users the ability to replace all previous mechanical keys and dedicated one-time password hardware with a single ID card. Using Bluetooth Smart or Near Field Communications technology, users will simply “tap in” with their card to gain access to facilities, VPNs, wireless networks and cloud- and web-based applications.

Cybersecurity Boardroom Workshop 2015, How Boards of Directors and CXOs Can Build the Proper Foundation to Address Today's Information Security Challenges
Cloud Computing, Cyber Security, Data Breach, Education, IT Security, Technology

How Boards of Directors and CXOs Can Address Today’s Information Security Challenges at Cybersecurity Boardroom Workshop 2015


In the days prior to Thanksgiving 2013, malware designed to steal credit card data at Target was surreptitiously installed. According to Bloomberg BusinessWeek, the company had installed a malware detection tool. Target had specialists in Bangalore to monitor its computers around the clock. Two days after Thanksgiving, the malware was spotted. The team in India got an alert and flagged Target’s security managers. And then?

Nothing happened. Target’s alert system had worked effectively. But then, Target stood by as 40 million credit card numbers flowed out of its computers. Only a few months later, CEO Gregg Steinhafel and CIO Beth Jacob were both out of the company.

Cybersecurity has become widely recognized as a critical corporate challenge. Boards and senior managements are putting it on their agenda, categorizing cybersecurity not as a compartmentalized risk for the information technology team, but as strategic and enterprise-wide.

However, a security program is only as strong as its weakest link. While a survey by the Institute of Internal Auditors found 58% of board members felt they should be actively involved in cybersecurity preparedness, only 14% said they were actively involved. Unfortunately, 65% also said their perception of the risk their organizations faced had increased.

Board members and senior managers need to become more educated about the topic to be able to ask questions that are strategic yet granular enough to address company-specifics. To go further, it will be imperative to join Cybersecurity Boardroom Workshop 2015, the first seminar targeted at strategic and executive leaders for whom cybersecurity readiness is a relatively new yet critically important area to be intelligently conversant about.

Cybersecurity Boardroom Workshop 2015 is specifically designed for board members and senior executives of public and private firms looking for new ways to gain and maintain competitive business advantage. Business executives with responsibility for IT, finance, compliance, risk management and procurement as well as entrepreneurs and innovators are welcome.

By the end of Cybersecurity Boardroom Workshop 2015, to be held in Dubai, March 8-9, Hong Kong, March 12-13, Seoul, March 19-20, Singapore, March 26-27, London, April 9-10, and New York City, April 16-17, participants will:

  • Understand enterprise cybersecurity and the impact on shareholder value in the short and long term
  • Identify immediate security needs for the organization with actionable steps for senior management
  • Learn how to identify current and future challenges to better enable management to focus on threat reduction and operational reliability
  • Get up to speed on international and domestic approaches and frameworks for effective cybersecurity practices corporate wide

DAY 1: UNDERSTANDING THE CYBER WORLD

Understanding Cybersecurity

  • The trillion dollar global cyber risk environment
  • The enterprise-wide challenge of protecting the organization’s assets
  • The impact of cybersecurity attacks on shareholder value
  • Identity theft and the legal implications of data breaches

Social Engineering: The “Weakest Human Link” in Cybersecurity

  • The responsibility for cybersecurity in the organization
  • Assessing the quality of the cybersecurity workforce
  • Evaluating shortcomings in meeting cybersecurity workforce standards
  • Assessing the effectiveness of current professionalization tools

Understanding the Cybersecurity Testing Method

  • Reconnaissance: How to use tools to find vulnerable systems and devices
  • Packet sniffing: How to gather information from computer systems
  • Port scanning: How port information is exposed on computer systems
  • Password policy and cracking: What to consider when developing password policy
  • Vulnerability: How to reduce attacks by enforcing proactive compliance policies
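
The "password policy and cracking" item above is the one agenda point that a short piece of code makes concrete. The example below is added here and is not workshop material: it shows an offline dictionary attack with the usual mangling rules (capitalization, leet substitutions, common suffixes) run against unsalted SHA-256 hashes, and compares the result with a classic composition policy. The wordlist, the substitution table and the two sample passwords are constructed for the demonstration; a real attacker uses wordlists of hundreds of millions of entries and far richer rules.

```python
import hashlib

# Constructed stand-ins for a cracking dictionary and its mangling rules.
WORDLIST = ["password", "welcome", "letmein", "summer", "target"]
LEET = str.maketrans({"a": "@", "o": "0", "s": "$", "i": "1", "e": "3"})
SUFFIXES = ["", "1", "123", "!", "2013", "1!"]


def candidates():
    """Yield each dictionary word with common capitalization, leet and suffix mangling applied."""
    for word in WORDLIST:
        bases = (word, word.capitalize(), word.translate(LEET), word.capitalize().translate(LEET))
        for base in bases:
            for suffix in SUFFIXES:
                yield base + suffix


def sha256_hex(password: str) -> str:
    """Unsalted SHA-256, as found in many breached credential stores (deliberately weak storage)."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def meets_naive_policy(password: str) -> bool:
    """The classic 8+ characters with upper, lower, digit and symbol composition rule."""
    return (
        len(password) >= 8
        and any(c.isupper() for c in password)
        and any(c.islower() for c in password)
        and any(c.isdigit() for c in password)
        and any(not c.isalnum() for c in password)
    )


def crack(target_hash: str, max_attempts: int = 100_000):
    """Offline dictionary attack: hash each mangled candidate and compare. Returns the plaintext or None."""
    for attempt, candidate in enumerate(candidates()):
        if attempt >= max_attempts:
            break
        if sha256_hex(candidate) == target_hash:
            return candidate
    return None


def assess(password: str) -> dict:
    """Report whether a password satisfies the composition rule and whether the attack recovers it."""
    return {
        "passes_policy": meets_naive_policy(password),
        "cracked": crack(sha256_hex(password)) == password,
    }


if __name__ == "__main__":
    for pw in ("P@$$w0rd1!", "correct-horse-battery-staple-7"):
        print(pw, assess(pw))
```

Running the block shows the mismatch that matters for policy: `P@$$w0rd1!` satisfies every composition rule yet falls to the dictionary in a few dozen guesses, while the long lower-case passphrase fails the rule and survives. That is the reasoning behind the NIST SP 800-63B direction of favoring length and screening against known-breached passwords over composition requirements, and behind storing hashes with a salt and a slow, memory-hard function rather than plain SHA-256.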

Basics of Security Architecture for Board Members and CXOs

  • How architecture defines the structure of a system and makes it explicit
  • The fundamentals of layered architecture: presentation, business, data, and service layers
  • How the current computer network infrastructure was not designed originally to be secure
  • Embedding architecting security into systems from inception

DAY 2: RESPONDING TO THE CYBERSECURITY CHALLENGE

Introduction to NIST’s Cybersecurity Framework

  • Describing the enterprise’s current and target cybersecurity posture
  • Identifying and prioritizing opportunities for improvement
  • Assessing and accelerating progress toward the target state
  • Communicating with internal and external stakeholders about cybersecurity risk

The Five Core Functions of NIST’s Cybersecurity Framework

  • Identify: Organizational understanding to manage cybersecurity risk
  • Protect: Safeguards to ensure delivery of critical infrastructure services
  • Detect: How to identify the occurrence of a cybersecurity event
  • Respond: Taking action regarding a detected cybersecurity event
  • Recover: Maintaining plans for resilience and to restore any impaired capabilities

Introduction to Intelligence-driven Cyber Network Defenses

  • How investigations are based upon the scientific method: observation, hypothesis, evaluation, prediction and validation
  • How to leverage cutting edge technology, vigilant people and innovative processes
  • How to continuously improve the enterprise process for defending IT assets
  • How to empower people to resolve the problem with guidance and mentoring

Establishing or Improving a Cybersecurity Program

  • Prioritize and scope: Identifying business/mission objectives and high-level priorities
  • Orient: Identifying related systems and assets, regulatory requirements, and risk approach
  • Create a current profile: Developing a profile by indicating current degree of preparedness
  • Conduct a risk assessment: Analyzing the operational environment in order to discern the likelihood of an attack
  • Create a target profile: Describing the organization’s desired cybersecurity outcomes
  • Determine, analyze, and prioritize gaps: Determining gaps between current and target profiles
  • Implement action plan: Deciding which actions to take in regards to identified gaps

Cybersecurity Boardroom Workshop 2015 is produced by Golden Networking, the premier networking community for business and technology executives, entrepreneurs and investors. Panelists, speakers and sponsors are invited to contact Golden Networking by sending an email to information@goldennetworking.com.

Cyber Security, Data Breach, Defense, IT Security, Security, Technology

U.S. Central Command’s Accounts Hacked

U.S. Central Command’s Twitter and YouTube accounts were hacked Jan. 12, reportedly by ISIS sympathizers. Both accounts were suspended.

The account compromises came the same day President Obama proposed new cybersecurity measures, including a national data breach notification law.


CENTCOM is one of nine unified commands in the U.S. military, with responsibility for 20 countries, including Afghanistan, Iraq and Syria.

“We can confirm that the U.S. Central Command Twitter and YouTube accounts were compromised earlier today,” Elissa Smith, a U.S. Defense Department spokeswoman, told Information Security Media Group the afternoon of Jan. 12. “We are taking appropriate measures to address the matter.”

Cyber Security, Data Breach, Defense, IT Security, Security, Technology

PENTAGON: HACKERS DIDN’T GET CLASSIFIED INFORMATION

Monday’s hack of Twitter and YouTube accounts belonging to U.S. Central Command was embarrassing, but it doesn’t appear to have compromised any classified information.

“CENTCOM’s operational military networks were not compromised and there was no operational impact to U.S. Central Command,” said Navy Commander Elissa Smith, a Pentagon spokeswoman.

Smith said the military is viewing the incident “purely as a case of cybervandalism.” But, she said, the Pentagon has notified law enforcement about “the potential release of personally identifiable information.”

Cyber Security, Data Breach, Defense, IT Security, Security, Technology

DISA To Defend DoD Networks In New Role

The Pentagon is standing up a new headquarters within the Defense Information Systems Agency (DISA) that will assume responsibility for defending military networks and will reach initial operating capability this week.


This joint force headquarters will assume roughly a dozen tasks from US Cyber Command, and will have authority to secure, operate and defend the Department of Defense Information Network (DoDIN), said US Air Force Brig. Gen. Robert Skinner, DISA chief of staff.

“The end result is to provide unity of command and unity of effort across the entire DoDIN,” Skinner told reporters after his remarks at an industry conference here Monday. “We’re going to take this off US Cyber Command’s plate because there has been this vacuum at the operational level for command and control.”

Cyber Security, Data Breach, Defense, IT Security, Security, Technology

New DoD cloud security requirements coming Tuesday

The Defense Information Systems Agency (DISA) is poised to release final security guidance for purchasing cloud services on Tuesday as the Defense Department shifts to commercial providers.


After receiving more than 800 comments on the draft guidelines, DISA reorganized the security levels to allow certain work areas to exist in virtual private networks while still keeping the most sensitive data physically separated on DoD networks.

The final draft also tweaks the authorization requirements to track closer to the Federal Risk and Authorization Management Program (FedRAMP) except in specific areas where greater security assurance is needed.
