Cloud Computing, Cyber Security, IT Security, Security, Technology

DISA’s ‘one belly button’ approach to IT services

The Defense Information Services Agency is undergoing a radical transformation in how it serves its customers. The end goal is better collaboration and coordination internally and across the military services and agencies.

The reorganization, announced Jan. 11, has been in the works for the better part of a year. DISA kicked off 2015 by outlining the radically different path it’s heading down.

Lt. Gen. Ronnie Hawkins, DISA’s director, said the new structure will focus on five core tenets:

  • Cybersecurity
  • Cloud
  • Collaboration
  • Command
  • Control

“One of the things that I’ve constantly heard, both on the outside when I was there as well as when I was vice director and director that it’s hard to get a hold of people within the agency,” Hawkins said during a recent luncheon panel sponsored by the Washington chapter of AFCEA. “And more importantly, some of the things I’ve heard is that DISA ‘costs too much’ and DISA is ‘too slow in delivering speed to market.’ Those are the things we’ve been working on.”

Hawkins said the reorganization is trying to address both of those criticisms.


Report suggests most DoD networks susceptible to mid-grade cyber threats

A new Pentagon report on the Defense Department’s major systems includes some worrying assessments of DoD’s overall cybersecurity posture: a troubling proportion of its IT systems appears to be vulnerable to low- or intermediate-level hackers, leaving aside the advanced persistent threats everyone’s worried about.

The annual report from the Office of Operational Test and Evaluation is most known for its summarized assessments on the performance of dozens of individual weapons programs. But a separate eight-page section dedicated to cybersecurity draws some stark conclusions about DoD’s overall defensive positioning.

For obvious reasons, the unclassified report tends not to spell out specific cyber weaknesses in specific systems, but the office’s assessment teams found “significant vulnerabilities” on nearly every major acquisition system that went through operational testing and evaluation in 2014, including many problems that could and should have been found and fixed earlier in the acquisition cycle.

“Nearly all the vulnerabilities were discoverable with novice- and intermediate-level cyber threat techniques,” the authors wrote. “The cyber assessment teams did not need to apply advanced cyber threat capabilities during operational testing.”


GAO: Agencies face cyber risk in building access systems

The Homeland Security Department may have its hands full protecting the nation’s infrastructure from terrorist attacks, but the Government Accountability Office said the department needs to do much more to improve the cybersecurity of access and control systems in the thousands of buildings it operates.

In that area, DHS is only at square one, according to a recent GAO report.

According to the report, “no one at DHS is assessing or addressing cyber risk to building and access control systems particularly at the nearly 9,000 federal facilities protected by the Federal Protective Service (FPS) as of October 2014.”


Moreover, the report said, DHS lacks a strategy that “defines the problem, identifies roles and responsibilities … and identifies a methodology for assessing this cyber risk.”

The Interagency Security Committee, the division within DHS responsible for physical security standards for nonmilitary facilities, has not incorporated policies related to cyber threats in building and access control systems. The ISC attributes this failure to recent incidents of active shooters and workplace violence, which it has deemed a priority over cyber threats.


What Government Can (And Can’t) Do About Cybersecurity

People are calling 2014 the “Year of the Breach.” President Obama even focused on “cybersecurity” during his 2015 State of the Union address. I’m thrilled that security seems to have finally broken into the public consciousness. It’s a complex problem that requires an international effort, cooperation between public and private sectors, and careful consideration of the best path forward.

Click on this link for an interactive view of the Word Cloud by David McCandless.

The mess we’re in
I’ve written before about the staggering complexity of application security in the modern enterprise. So it’s not too surprising that the level of insecurity has grown over the past 20 years due to automation’s breakneck speed. The infographic below gives a sense of just how large and complex our codebases are. But like other extremely complex issues, such as healthcare, climate change and education, government intervention is a delicate matter that may do more harm than good.


Is Barack Obama a Cybersecurity Leader?

This past year, Obama issued another executive order directing government agencies to shift to the use of chip-and-PIN cards that are deemed more secure than magnetic stripe cards (see Obama Seeks to Speed EMV Adoption). Now, the president is aggressively pushing his latest cybersecurity initiatives, which include measures to encourage businesses to share cyberthreat information, nationalize data breach notification and toughen criminal laws to allow prosecution of botnet sales and protect student data (see Obama Unveils Cyberthreat Info Sharing Plan and Obama Seeks to Nationalize Breach Notification). “If we don’t act, we’ll leave our nation and our economy vulnerable,” Obama said in this week’s State of the Union address. “If we do, we can continue to protect the technologies that have unleashed untold opportunities for people around the globe.”

President Obama at the State of the Union. (White House photo)

Defining Leadership

Does all of this make Obama a cybersecurity leader? To help me answer that question, I asked experts in the IT security and privacy field to share their thoughts on the matter.

“It’s incontrovertible that the president has demonstrated true leadership in the cybersecurity space,” says Larry Clinton, president of the industry trade group Internet Security Alliance. “No world leader has shown more vision and insight to the cyberthreat.”


President’s Plan To Crack Down On Hacking Could Hurt Good Hackers

Last night President Obama dedicated more time to cybersecurity than any other president has in a State of the Union address. While on its face a positive sign that political leaders are taking notice of cybersecurity as a real item of pressing national concern, many within the security community believe that the president’s proposed cybersecurity legislation at best would be ineffective at curtailing black hat hacking and at worst could actually criminalize the type of research and penetration testing that vendors and enterprises depend on to harden software and hardware implementations.

“Obama’s recommended cybersecurity legislation will do absolutely nothing to stop the hackers we’re concerned about or protect any of the companies who were victimized. It certainly won’t protect ‘the children,'” says Jeremiah Grossman, founder of WhiteHat Security. “What the proposed legislation would do is criminalize professional routine security research that’s been crucial in protecting companies and citizens at large. This outcome would be disastrous.”

Of particular concern is the proposal to update the Computer Fraud and Abuse Act. Some of the proposed “modernizations” include the expansion of the definition of “exceeding authorized access” language to include any kind of authorized access for a “purpose that the accesser knows is not authorized by the computer owner,” a new definition ripe for broad misinterpretation by the courts.


Vice President Biden Visits Norfolk, Va., Talks Cybersecurity

Vice President Joe Biden visited Norfolk State University on Thursday to highlight a program that will give historically black colleges and universities millions of dollars to train students for jobs in cybersecurity.

NSU will be the lead campus in a new consortium that will include 12 other historically black colleges, two national research labs and a school division in South Carolina, Biden announced during the visit. He was joined by Gov. Terry McAuliffe, U.S. Rep. Bobby Scott, Energy Secretary Ernest Moniz and other officials.

The Department of Energy will supply the national cybersecurity consortium with $25 million in grants over the next five years, part of the Obama administration’s effort to train more workers for jobs protecting the nation’s computer networks from attacks.

The threat offers both a problem and an opportunity, said Biden, whose quick visit snarled midday traffic between Norfolk Naval Station, where his plane landed, and NSU.

The massive hack at Sony several weeks ago underscored the seriousness of the issue, and as private companies and governments work to counter the threat, the cybersecurity industry is growing 12 times faster than the rest of the economy.
