January 10, 2010

Buggy Whip makers, analogies of struggling governments

rough thoughts here

The article raises some analogies to governments failing to make the transition to the digital age.

This is the central quote:

It’s unlikely that we would even refer metaphorically to buggy whip makers if it weren’t for Theodore Levitt, a Harvard Business School professor. In 1960, he wrote about their plight in a Harvard Business Review article, “Marketing Myopia”; hundreds of thousands of reprints have been sold.

In the article, Mr. Levitt said that businesses should concentrate on their customers’ needs, not on specific products. If only the buggy whip makers had thought of themselves as being in the personal transportation business, providing a stimulant or catalyst to an energy source, Mr. Levitt wrote, they might have survived into the automotive era.

Then this article about voter unrest in California suggests how legislatures are struggling to reform government under current budget pressures. Perhaps most important, the reforms are merely trying to make the old model work cheaper. No reforms are proposed to “trash” the old model and bring in something completely new.

August 26, 2009

DHS IT SCC issue Baseline Risk Assessment

Need to read:

The Department of Homeland Security (DHS) and the Information Technology Sector Coordinating Council (IT SCC) today released the IT Sector Baseline Risk Assessment (ITSRA) to identify and prioritize national-level risks to critical sector-wide IT functions while outlining strategies to mitigate those risks and enhance national and economic security.

“The IT Sector Baseline Risk Assessment is an example of what can happen when public and private sector partners work together and represents a major step forward in mitigating risks to critical infrastructure functions that are essential to both homeland and economic security,” said DHS Assistant Secretary for Cybersecurity and Communications Gregory Schaffer. “While elements of the assessment have already been adopted, the establishment of this iterative platform for assessing IT sector risk will also enable us to address ever more sophisticated threats.”

From Release

IT Sector Baseline Risk Assessment (PDF, 114 pages – 3.37 MB)

August 25, 2009

Unintentional Risk

Yep — the leading cause of cyber security breaches — per RSA study (tip to BBC):

The security vendor RSA revealed that the majority of breaches are actually caused unintentionally by employees.

Its survey showed that firms believed 52% of incidents were accidental and 19% were deliberate.

“Unintentional risk gets overlooked, yet it’s the most serious threat to business,” said the RSA’s Chris Young.

June 24, 2009

DOD sets up Cyber Defense Command

Interesting implications from this post:

“Is it going to be the dominant player by default because the Department of Homeland Security is weak and this new unit will be strong?” said James A. Lewis, a cybersecurity expert at the Center for Strategic and International Studies. “That’s a legitimate question, and I think DoD will resist having that happen. But there are issues of authorities that haven’t been cleared up. What authorities does DoD have to do things outside the dot-mil space?”

This is a serious concern, especially given that PCs in your home are the foot soldiers:

Owners of machines forming a botnet typically do not know their computer has been hijacked and home users account for 95% of all attacks mounted by botnets, according to figures from security firm Symantec.

Public computers are fair game too.  See this story in NYT about Iranian hackers capturing University System of Oregon computers.

June 5, 2009

Twitterfying policy data

Just one of many implications of the Twitter phenomenon, per Steven Johnson’s story in Time.

May 29, 2009

A busy day in CyberSec Space

Declan McCullagh at CNET lays out a history of fed cyber sec since the creation of DHS as Obama prepares to report out on the 60-day Cyber Sec review. McCullagh notes we have been here before:

If any of this sounds familiar, it should. About a year after President George W. Bush took office, his administration announced a highly-anticipated, 76-page document called the “National Strategy to Secure Cyberspace” (PDF). Few of its bullet points calling for immediate “response” have been enacted; even fewer people remember what they were.

The NYTimes reports on DOD preparations to defend cyberspace. The Post says not to expect a naming of who will fill the position (Special Assistant to the Pres), which is expected to report through the NSC chain.

May 28, 2009

Loose flops since ships

This article from the Winnipeg Free Press discusses how everyone may play an unwitting role in cyber spy attempts to do damage.

Consumers are also vulnerable, said Parry Aftab, chairwoman of anti-virus software maker McAfee’s consumer advisory board.

Software on their computers may allow others to steal information, she said.

“Many of us who may casually download pictures or songs or videos or screen savers . . . may be downloading malicious coding that’s designed to sit dormant on our computers until whoever it is arming them activates them,” Aftab said.

The US government spent much on educating citizens in WWII to be aware of spying activities and to mind the information within their possession; perhaps a cyber-oriented campaign is needed here.

May 25, 2009

So do you want to be part of an org chart, or an ant hill?

Robert Scoble compares Google to an ant hill.

I thought about using a metaphor of a battle ship, like what worked with Gates, but, see, Google is more like an ant farm.

Google is more like an ant hill. One powered by 20% time which is how the ants find out where the food is. Heck, enough of Google’s ants have left to join Facebook, Twitter, and friendfeed, that it should be clear by now there’s some new tasty food bits that they aren’t yet munching on. Heck, friendfeed should be a major embarrassment to Google since that 14-person team has at least five Google superstars on it (the guy who came up with the idea for Google not to be evil started the company. That’s Paul Buchheit and he also ran the Gmail team. Also on the friendfeed team is the guy who ran the Google Talk team, the guy who ran Google Maps team, the designer for a whole bunch of Googley products, and the guy who ran the backend team on Gmail). Over at Facebook and Twitter I keep running into people who used to work at Google too.

And now Google’s own founders are admitting that they need to get into real time.

The ants are moving!

Interesting metaphor. Causes one to ponder what it takes to manage an ant hill… Or is the proper term “steer”? Is “managing” an antiquated concept in a knowledge economy?

May 25, 2009

What did we learn in security school today? Sharing!

Imagine, sharing information to overcome a threat. Post story notes increased cooperation between the military and private sectors.

“We shared with them the fact that we’ve got a very, very aggressive cyber threat,” said Robert Lentz, a Pentagon official who heads the partnership. The Pentagon soon will seek to amend defense acquisition rules to require cybersecurity standards for firms seeking contracts. “The sooner we all understand what’s required to protect the information in our networks, and we teach this in universities and in businesses, the better off we all will be, down to the Internet user at home,” Robert Lentz said.

May 18, 2009

Cyber Sec – Collaborative approach with some tough love

At least, that is the summary of this article from the BBC:

  • “We have seen some good initiatives from industry on improving the trustworthiness of software. What I am hoping to see from government with this new post is more involvement in standards and education efforts in security.” Benjamin Jun, Cryptology Research
  • “We need to have a new security paradigm in the future. We need to have a clear idea of what our society should be at the end of the decade so this problem is addressed adequately. We must use this crisis to make the right changes.” Mark Cohn, VP Enterprise Security, Unisys
  • “The first order of business has to be to draw attention to the subject and then start working with all the agencies and organisations throughout industry and government. You have to be able to kick all these different groups in the seat of the pants to get them moving in the same direction.” Ken Silva, CTO – Verisign
  • “A key component will be co-operation and collaboration. There has been an ad hoc approach to this in law enforcement with perpetrators of a digital breach in one country while the act has happened in another.” Liesyl Franz  – Tech America