David Kirkpatrick

July 12, 2010

Government gets an “f” on cybersecurity from GAO

The Government Accountability Office rips the disconnect between White House rhetoric and the actual facts on the cybersecurity ground. Seems like cybersecurity has been a pretty good political talking point for the last seven years, but gosh, it sure is tough to actually implement. The threat is out there, and is real. Hopefully the next GAO report finds a vast improvement.

From the link:

The White House Office of Science and Technology Policy has so far failed to live up to its responsibility to coordinate a national cybersecurity R&D agenda, the Government Accountability Office (GAO) said in a report released this week.

As a result, the U.S. risks falling behind other countries on cybersecurity matters, and being unable to adequately protect its interests in cyberspace, the 36-page report (PDF document) warned.

The GAO report was prepared at the behest of the House Committee on Homeland Security, and called on the OSTP to show more leadership in pulling together a focused and prioritized short-, medium- and long-term R&D strategy for cybersecurity.

The report noted that the White House’s National Strategy to Secure Cyberspace from 2003 tasks the OSTP with coordinating the development of such a strategy and for updating it on an annual basis.

Over the years, the OSTP has taken “initial steps toward developing such an agenda,” the GAO report said. However, “one does not currently exist” even today, the report said.

November 17, 2009

Crunching the numbers on NSA’s new data center

The National Security Agency is planning a $1.5 billion cybersecurity data center at the Camp Williams National Guard base in Utah. This post takes a crack at the numbers and finds the result a bit wanting.

From the link:

For me, the math just doesn’t add up. According to the budget document, the power density will be “appropriate for current state-of-the-art high-performance computing devices and associated hardware architecture.” Yet if you calculate the watts per square foot by dividing the center’s total watts (65MW) by total square feet (1.5 million), you come up with a power density estimate of about 43 watts per square foot. No way that’s “state of the art.”

October 13, 2009

Cybersecurity and cloud computing

Filed under: Business, Technology — David Kirkpatrick @ 2:25 pm

There are many pitfalls out there vis-a-vis security, privacy and cloud computing. Both enterprises and individuals should approach cloud computing methodically and really put some thought into what data goes into the cloud.

From the link:

The best defense against data theft, malware and viruses in the cloud is self defense, researchers at the Hack In The Box (HITB) security conference said. But getting people to change how they use the Internet, such as what personal data they make public, won’t be easy.

Also from the link:

Access to personal data on the cloud from just about anywhere on a variety of devices, from smartphones and laptops to home PCs, shows another major vulnerability because other people may be able to find that data, too.

“As an attacker, you should be licking your lips,” said Haroon Meer, a researcher at Sensepost, a South African security company that has focused on Web applications for the past six years. “If all data is accessible from anywhere, then the perimeter disappears. It makes hacking like hacking in the movies.”

October 9, 2009

RAND Corporation — defense is the best cyberattack offense

Cybersecurity news from the RAND Corporation:

U.S. Must Focus on Protecting Critical Computer Networks from Cyber Attack

Because it will be difficult to prevent cyber attacks on critical civilian and military computer networks by threatening to punish attackers, the United States must focus its efforts on defending these networks from cyber attack, according to a new RAND Corporation study.

The study finds that the United States and other nations that rely on externally accessible computer networks—such as ones used for electric power, telephone service, banking, and military command and control—as a foundation for their military and economic power are subject to cyber attack.

“Adversaries in future wars are likely to go after each other’s information systems using computer hacking,” said Martin C. Libicki, the report’s lead author and senior management scientist at RAND, a nonprofit research organization. “The lessons from traditional warfare cannot be adapted to apply to attacks on computer networks. Cyberspace must be addressed in its own terms.”

Working against connected but weakly protected computer systems, hackers can steal information, make the systems malfunction by sending them false commands and corrupt the systems with bogus information.

In most instances, the damage from cyber attacks is temporary and repeated attacks lead the victim to develop systems that are more difficult to penetrate. The RAND study finds that military cyber attacks are most effective when part of a specific combat operation—such as silencing a surface-to-air missile system protecting an important target—rather than as part of a core element in a long, drawn-out military or strategic campaign.

Libicki says it is difficult to determine how destructive a cyber attack would be. Damage estimates from recent cyber attacks within the United States range from a few billion dollars to hundreds of billions of dollars a year.

The study indicates that cyber warfare is ambiguous, and that it is rarely clear what attacks can damage deliberately or collaterally, or even determine afterward what damage was done. The identity of the attacker may be little more than guesswork, which makes it hard to know when someone has stopped attacking. The cyber attacker’s motivation, especially outside physical combat, may be equally unclear.

The weapons of cyber war are amorphous, which eliminates using traditional approaches to arms control. Because military networks mostly use the same hardware and software as civilian networks, they have similar vulnerabilities.

“This is not an enterprise where means and ends can be calibrated to one another,” Libicki said. “As a result, it is ill-suited for strategic warfare.”

Because offensive cyber warfare is more useful in bothering, but not disarming, an adversary, Libicki does not recommend the United States make strategic cyber warfare a priority investment. He says similar caution is needed for deterring cyber warfare attacks, as it is difficult to attribute a given attack to a specific adversary, and the lack of an ability to counterattack is a significant barrier.

Instead, Libicki says the United States may first want to pursue diplomatic, economic and prosecutorial efforts against cyber attackers.

The study, “Cyberdeterrence and Cyberwar,” was prepared by RAND Project AIR FORCE, a federally funded research and development center for studies and analysis aimed at providing independent policy alternatives for the U.S. Air Force.

About the RAND Corporation

The RAND Corporation is a nonprofit research organization providing objective analysis and effective solutions that address the challenges facing the public and private sectors around the world.

October 7, 2009

Small business cybersecurity guide from NIST

Cybersecurity is important at all levels of business, and is often a place where small business looks to cut corners and save money.

The release:

New computer security guide can help safeguard your small business

Just in time for October’s Cyber Security Awareness Month, the National Institute of Standards and Technology (NIST) has published a guide to help small businesses and organizations understand how to provide basic security for their information, systems and networks. NIST has also created a video that explores the reasons small businesses need to secure their data.

The guide, Small Business Information Security: The Fundamentals, was authored by Richard Kissel, who spends much of his time on the road teaching computer security to groups of small business owners ranging from tow truck operators to managers of hospitals, small manufacturers and nonprofit organizations. The 20-page guide uses simple and clear language to walk small business owners through the important steps necessary to secure their computer systems and data.

Small businesses make up more than 95 percent of the nation’s businesses, are responsible for about 50 percent of the Gross National Product and create about 50 percent of the country’s new jobs, according to a 2009 Small Business Administration report. Yet these organizations rarely have the information technology resources to protect their sensitive information that larger corporations do.

Consequently, they could be seen as easy marks by hackers and cyber criminals, who could easily focus more of their unwanted attention on small businesses. And just like big companies, the computers at small businesses hold sensitive information on customers, employees and business partners that needs to be guarded, Kissel says. He adds that regulatory agencies have requirements to protect some health, financial and other information.

“There’s a very small set of actions that a small business can do to avoid being an easy target, but they have to be done and done consistently,” Kissel says.

In the guide Kissel provides 10 “absolutely necessary steps” to secure information, which includes such basics as installing firewalls, patching operating systems and applications and backing up business data, as well as controlling physical access to network components and training employees in basic security principles.

He also provides 10 potential security trouble spots to be aware of such as e-mail, social media, online banking, Web surfing and downloading software from the Internet, as well as security planning considerations. The guide’s appendices provide assistance on identifying and prioritizing an organization’s information types, recognizing the protection an organization needs for its priority information types and estimating the potential costs of bad things happening to important business information.

###

NIST works with the Small Business Administration and the Federal Bureau of Investigation in this outreach to educate small businesses.

Small Business Information Security: The Fundamentals can be downloaded from the Small Business Corner Web site at http://www.csrc.nist.gov/groups/SMA/sbc/.

The related video, “Information Technology Security for Small Business. It’s not just good business. It’s essential business,” features experts from NIST and the Small Business Administration. The video is available on YouTube and the Small Business Corner of the NIST Computer Security Web pages.

September 29, 2009

Congress, the federal government and internet security

Filed under: Media, Politics, Technology — David Kirkpatrick @ 10:19 pm

I’m sympathetic to the reality of cyberattacks against the government, but I’m guessing it’s needless to say I’m against any form of government control over internet traffic.

From the link:

There is no kill switch for the Internet, no secret on-off button in an Oval Office drawer.

Yet when a Senate committee was exploring ways to secure computer networks, a provision to give the president the power to shut down Internet traffic to compromised Web sites in an emergency set off alarms.

Corporate leaders and privacy advocates quickly objected, saying the government must not seize control of the Internet.

Lawmakers dropped it, but the debate rages on. How much control should federal authorities have over the Web in a crisis? How much should be left to the private sector? It does own and operate at least 80 percent of the Internet and argues it can do a better job.

“We need to prepare for that digital disaster,” said Melissa Hathaway, the former White House cybersecurity adviser. “We need a system to identify, isolate and respond to cyberattacks at the speed of light.”

So far at least 18 bills have been introduced as Congress works carefully to give federal authorities the power to protect the country in the event of a massive cyberattack. Lawmakers do not want to violate personal and corporate privacy or squelch innovation. All involved acknowledge it isn’t going to be easy.

June 17, 2009

The latest cybersecurity news

This release is from today and covers the most up-to-date cybersecurity work done for national defense. Given the information society and interconnectedness of today’s world, cybersecurity is a very real matter of national defense. At the same time it’s an area fraught with privacy and other concerns.

The release:

NIST, DOD, intelligence agencies join forces to secure US cyber infrastructure

The National Institute of Standards and Technology (NIST), in partnership with the Department of Defense (DOD), the Intelligence Community (IC), and the Committee on National Security Systems (CNSS), has released the first installment of a three-year effort to build a unified information security framework for the entire federal government. Historically, information systems at civilian agencies have operated under different security controls than military and intelligence information systems. This installment is titled NIST Special Publication 800-53, Revision 3, Recommended Security Controls for Federal Information Systems and Organizations.

“The common security control catalog is a critical step that effectively marshals our resources,” says Ron Ross, NIST project leader for the joint task force. “It also focuses our security initiatives to operate effectively in the face of changing threats and vulnerabilities. The unified framework standardizes the information security process that will also produce significant cost savings through standardized risk management policies, procedures, technologies, tools and techniques.”

This publication is a revised version of the security control catalog that was previously published in response to the Federal Information Security Management Act (FISMA) of 2002. This special publication contains the catalog of security controls and technical guidelines that federal agencies use to protect their information and technology infrastructure.

When complete, the unified framework will result in the defense, intelligence and civil communities using a common strategy to protect critical federal information systems and associated infrastructure. This ongoing effort is consistent with President Obama’s call for “integrating all cybersecurity policies for the government” in his May 29 speech on securing the U.S. cybersecurity infrastructure.

The revised security control catalog in SP 800-53 provides the most state-of-the-practice set of safeguards and countermeasures for information systems ever developed. The updated security controls—many addressing advanced cyber threats—were developed by a joint task force that included NIST, DOD, the IC and the CNSS with specific information from databases of known cyber attacks and threat information.

Additional updates to key NIST publications that will serve the entire federal government are under way. These will include the newly revised SP 800-37, which will transform the current certification and accreditation process into a near real-time risk management process that focuses on monitoring the security state of federal information systems, and SP 800-39, which is an enterprise-wide risk management guideline that will expand the risk management process.

###

NIST Special Publication 800-53, Revision 3, is open for public comment through July 1, 2009. The document is available online at http://csrc.nist.gov/publications/PubsDrafts.html#800-53_Rev3. Comments should be sent to sec-cert@nist.gov.