Beyond Firewalls and Encryption

"...Palmer says the prototype system will correlate historical traffic patterns with dynamic data from monitors, sensors and other devices capturing information about network traffic and user activity in real time. "It's going to introduce a whole new set of technologies we've been doing at IBM Research around botnets, detecting malware and other kinds of cyber threats," Palmer says..."

( Read More )


6 Key Cybersecurity Bills Before Congress 

"This article contains a summary of 6 key cybersecurity bills before Congress, including:

1) H.R. 4061 : Cybersecurity Enhancement Act of 2010 
2) S 773: Cybersecurity Act of 2010 
3) S. 921: United States Information and Communications Enhancement Act, or U.S. ICE 
4) H.R. 4900: Federal Information Security Amendment Act 
5) S. 3155 and H.R. 4692: International Cybercrime Reporting and Cooperation Act 
6) S. 1438: Fostering a Global Response to Cyber Attacks Act .." 

( Read More )


Cyber Crime: New Threats, New Targets 

"..In an interview about current threats, Richardson discusses:

• Ramifications of the Google attacks;
• Security implications of Web 2.0 technologies;
• What organizations can do now to minimize their risks.."

( Read More )

CA Possible Solution For Banking Trojans?
"..ZeuS, Spy Eye, Mariposa - these are just some of the many information-stealing Trojans out there. ZeuS is, hands down, the most prominent. Its longevity is assured by the myriad of variants that are put into circulation daily..." 

( Read More )

6 Key Cybersecurity Bills

One of the 6 key cybersecurity bills: the text of H.R. 4061, the Cybersecurity Enhancement Act of 2010

"..Feb 9, 2010 - Referred in Senate. This is the text of the bill after moving from the House to the Senate before being considered by Senate committees. This is the latest version of the bill currently available on GovTrack.." 

( Read More )

6 Key Cybersecurity Bills

Text of S. 773: Cybersecurity Act of 2009, one of the 6 key cybersecurity bills

"..Apr 1, 2009 - Introduced in Senate. This is the original text of the bill as it was written by its sponsor and submitted to the Senate for consideration. This is the latest version of the bill currently available on GovTrack..."

( Read More )

6 Key Cybersecurity Bills

Text of S. 921: United States Information and Communications Enhancement Act of 2009

"..Apr 28, 2009 - Introduced in Senate. This is the original text of the bill as it was written by its sponsor and submitted to the Senate for consideration. This is the latest version of the bill currently available on GovTrack.."

( Read More )

6 Key Cybersecurity Bills

Title: H.R. 4900: Federal Information Security Amendments Act of 2010


"..Mar 22, 2010 - Introduced in House. This is the original text of the bill as it was written by its sponsor and submitted to the House for consideration. This is the latest version of the bill currently available on GovTrack.."

( Read More )

6 Key Cybersecurity Bills

Title: S. 1438: Fostering a Global Response to Cyber Attacks Act

To provide for immigration reform

( Read More )

New Yahoo! Messenger Worm Spotted
"..You've all probably been told hundreds of times to be careful when clicking on links in unsolicited emails and messages. But, what you also need to know and hear repeatedly is that you need to be careful even when following links found in messages from your friends..."

( Read More )

The Cybersecurity Boom

"...The increasing number and intensity of cyberattacks has attracted the attention of the Obama administration and Congress, which have begun steering new dollars to the problem. And much of that new spending is focused on the Washington region, as the federal government consolidates many of its cybersecurity-focused agencies in the area..."

( Read More )


An Unfixed Net Glitch Could Strand You Offline

'....In 1998, a hacker told Congress that he could bring down the Internet in 30 minutes by exploiting a certain flaw that sometimes caused online outages by misdirecting data. In 2003, the Bush administration concluded that fixing this flaw was in the nation's "vital interest."

Fast forward to 2010, and very little has happened to improve the situation. The flaw still causes outages every year.....'

( Read More )

The Enemy Within

'....When the Conficker computer “worm” was unleashed on the world in November 2008, cyber-security experts didn’t know what to make of it. It infiltrated millions of computers around the globe. It constantly checks in with its unknown creators. It uses an encryption code so sophisticated that only a very few people could have deployed it. For the first time ever, the cyber-security elites of the world have joined forces in a high-tech game of cops and robbers, trying to find Conficker’s creators and defeat them. The cops are failing. And now the worm lies there, waiting.....' 

( Read More )

Cars' Computer Systems Called at Risk to Hackers 

'....Automobiles, which will be increasingly connected to the Internet in the near future, could be vulnerable to hackers just as computers are now, two teams of computer scientists are warning in a paper to be presented next week. 

The scientists say that they were able to remotely control braking and other functions, and that the car industry was running the risk of repeating the security mistakes of the PC industry. 

“We demonstrate the ability to adversarially control a wide range of automotive functions and completely ignore driver input — including disabling the brakes, selectively braking individual wheels on demand, stopping the engine, and so on,” they wrote in the report, “Experimental Security Analysis of a Modern Automobile.”.....' 
( Read More )


US Panel Targets Online Bank Fraud
 

"...While banks are not obliged to disclose the extent of fraud to customers or investors, figures they provided to federal examiners showed aggregate losses from computer intrusions and falsified electronic transfers of $120m (€97m, £82m) in the third quarter, more than triple the level of two years ago. Overall identity fraud at banks is costing the system about $700m per quarter, according to the Federal Deposit Insurance Corporation. 

A panel with representatives from the FDIC, the Federal Reserve System and other agencies is reacting to the rapid evolution of malicious computer programs designed to drain accounts. 

Among other measures, the group known as the Federal Financial Institutions Examination Council is considering requirements for so-called "out-of-band" confirmation of big transactions, which would require financial institutions to contact customers through means beside the internet. Banks in Europe already often place calls to clients' mobile phones to ensure that they intended to transfer money..."

( Read More )

Plagued by Lawsuits, McAfee Founder Hunts for Cures in Belize 
"...John McAfee, the antivirus-software pioneer, says he's lost most of his fortune -- but doesn't care. To the contrary, he now hopes to give something back by deriving antibiotics from jungle plants in Belize..."

( Read More )


Companies failing to implement ISO 27001 due to cost reasons and fear

"...A survey by consultancy firm Activity found that one third of respondents have considered, but not implemented, an ISMS such as ISO 27001, but believed that the cost of doing so would be prohibitive. Similar proportions of respondents who have implemented such a system also had cost as their top concern.

The survey also found that 40 per cent of companies had already implemented ISO 27001 or a similar ISMS, while 24 per cent had considered it and decided not to go ahead.

Over one third (36 per cent) have not yet even considered implementing ISO 27001 or an equivalent system..."

( Read More )


Implementing ISO27001 in the real world

"..According to the website iso27001certificates.com there are now over 6,000 organisations worldwide that have attained certification against the ISO27001:2005 Information Security Standard. So what are the real business benefits these organisations have seen as a result of implementing ISO27001? Have there been any other benefits apart from those directly associated with information security that have arisen as a result of these projects? And what should others consider before embarking on the journey to implement the ISO27001:2005 information security standard?.."

( Read More )



Insiders Not The Real Database Threat

"..A Dark Reading article covering the HSBC database hack contends that user access control settings and maintenance were the main issue. For years, we had been hearing about the "insider threat" -- every security vendor mentions it in their product literature. The Secret Service Cyber Threat study on this for the better part of the last decade was accepted because it was the best data we had concerning data breaches. We have now discovered that data theft was far more widespread - and far more subtle - external data theft present with most corporations. The Verizon Breach Report, the Albert Gonzalez trial, and other research has gone a long way to dispel the myth that the insider threat is our greatest challenge..."

( Read More )


Battling cyber threats requires a global security framework, experts

"..BSA releases a 12-point plan for building an international approach to cybersecurity

Government and industry experts say that an international cybersecurity framework that reflects the borderless nature of the Internet is needed to combat cybercrime.."

( Read More )


The top threats to government systems, and where they're coming from

"..Editor's note: This article has been updated to correct the number of malicious code signatures Symantec created in 2009 to 2.9 million.
The global government threat landscape was dominated last year by Web-based attacks and targeted, advanced persistent threats intended to quietly steal valuable information, according to the latest annual assessment by Symantec.."

( Read More )

Cyber Challenge: 10,000 security warriors wanted

"..Karen Evans understands the need for online security — and for people who really know how to implement it properly. Evans, who spent 28 years with the federal government in the Office of Management and Budget as administrator for e-government and information technology and chief information officer for the Department of Energy, among other positions, was in charge of a project during the Bill Clinton administration to bring Internet access to the Department of Justice..."

( Read More )

SANS Launches New 20 Critical Controls Interactive

"..WASHINGTON, April 19 /PRNewswire-USNewswire/ -- The SANS Institute released its 20 Critical Security Controls online interactive today, a platform built to simplify the controls and let users choose how to consume them.

The interactive offers abbreviated descriptions of each control delivered through an animated Flex graphic. When selecting one of the interactive's controls, a pop up appears with a control description, a link to the extended control description, a link to user vetted tools, and an audio presentation from Eric Cole, a SANS instructor who helped formulate the controls.."

( Read More )

Five Ways To (Physically) Hack A Data Center

"..Many data centers contain easy-to-exploit physical vulnerabilities that don't require hacking into the network

You can spend millions of dollars on network security, but it's all for naught if the data center has physical weaknesses that leave it open to intruders. Red team experts hired to social-engineer their way into an organization say they regularly find physical hacking far too easy.."

( Read More )

Hacker Bypasses Windows 7 Anti-Exploit Features In IE 8 Hack

"..Microsoft's Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR) fail in hacks on IE 8, Firefox

A Dutch researcher won $10,000 in the Pwn2Own hacking contest this week for hacking Internet Explorer 8 on a Windows 7 machine -- bypassing built-in anti-exploit features in the operating system.

Independent researcher Peter Vreugdenhil waged a heap overflow attack on IE 8 and used a zero-day vulnerability he discovered in the browser to bypass Windows 7's built-in anti-exploit features, Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR)..."

( Read More )



Security Incidents Rise In Industrial Control Systems

"..Even with minimal Internet access, malware and breaches are increasingly occurring in utility, process control systems

While only about 10 percent of industrial control systems are actually connected to the Internet, these systems that run water, wastewater, and utility power plants have suffered an increase in cybersecurity incidents over the past five years.." 

( Read More )


New IM Worm Spreading Fast

"..Aggressive new variant of an older worm circulating around Yahoo Messenger lets attacker take over a victim's machine

A smiley-faced instant message with a photo link posing as if it's from someone on your buddy list is actually spreading misery worldwide in the form of a worm on Yahoo Instant Messenger: The IM ultimately delivers a worm that allows an attacker to take over the victim's machine, not to mention spread itself among the victim's contact list.

Researchers at BitDefender, BKIS, and Symantec today each separately warned Yahoo Messenger users about the worm attack, which is rapidly growing. Catalin Coisoi, senior malware and virus researcher for BitDefender, based in Romania, says his team has seen infection rates as high as 500 percent per hour in his home country since they first spotted it last week. "Today it started spreading like wildfire," Coisoi says.."

( Read More )



Cybercriminal Advertising: 1.5 Million Stolen Facebook Accounts

"..Researchers at VeriSign's iDefense trolling an underground black market for stolen social networking credentials found one criminal selling a cache of 1.5 million stolen Facebook account credentials.

The seller, who goes by the handle "kirllos," is offering 1,000 Facebook accounts with 10 or less "friends" for $25, and 1,000 accounts with 10 or more "friends" for $45..."

( Read More )


Breaches are up in the U.K. -- and so is the use of wireless, VoIP, social networking, and cloud-based services, according to recent survey by Pricewaterhouse Coopers.

"..More than 90 percent of large organizations (more than 250 employees) say they suffered a data breach in the past year, up from 72 percent in 2008, the last time the survey was conducted. About 83 percent of small organizations (50 or fewer employees) were hit last year, up from 45 percent in 2008.."

( Read More )



Cisco: SMS, Smartphone Attacks on the Rise
"..New research from Cisco says criminals are finding new techniques, new targets with fraudulent text messages and "smishing" campaigns.."

( Read More )

How To Become A Hacker In 15 Minutes--Or In 140 Characters Or Less

"..Ligatt Security International's Twitter campaign, called "How To Become A Hacker in 15 Minutes," is aimed at explaining to consumers how hackers operate so they can avoid becoming victims. "You don't have to be a computer security expert or an IT manager or really have a big knowledge of security and computers..."

( Read More )



Hacking The Security Infrastructure

"..Security tools are some of the most trusted and critical devices in an organization -- and that's exactly what makes them so attractive to potential attackers. A trio of researchers who discovered vulnerabilities in Cisco firewalls and in Cisco and McAfee security management software will demonstrate proof-of-concept attacks against these products at the upcoming Black Hat USA conference.."

( Read More )

Building national resilience capabilities

"..For some years, there has been a debate in critical infrastructure preparedness circles about whether to focus on “prevention” or “resilience”. The former emphasizes keeping the wolves away from the door through a combination of guns, gates, and cyber firewalls, while the latter stresses the ability to respond and recover from any incident. Over time, a consensus seems to be emerging that a balanced approach is needed that combines prevention with resilience.
It is fairly clear what is meant by “prevention”, but the operational consequences of a resilience strategy are less defined. We can agree on the goal–to have the ability to take a punch and then get up and return to a near-normal state as quickly as possible–but exactly how to do this is not at all clear.." 

( Read More )

Where policy and preferences diverge


"..Difficult security investment decisions face those charged with protecting national and critical infrastructures. Nowhere was this more evident than over Christmas 2009 and the early part of 2010. In instituting measures to address the security risk of terrorism, the authorities, for various reasons, often relegate consideration of the longer-term economic, social and behavioural impacts to the shorter-term requirements of preventing casualties or other incidents. Novel approaches to understanding the longer-term impacts, however, may permit policy to be better attuned to the likely consequences without undermining any expected security benefit.."

( Read More )

Regulatory Compliance and ISO 27001

"..Today's regulatory environment is increasingly complex, the penalties for failure unattractive and the route to effective compliance not clear. ISO 27001 provides a best-practice solution to a range of regulatory issues faced by directors.."

( Read More )

Office 2010 Beta impersonator is a Trojan

"..It is designed to infiltrate the user’s computer and open a conduit by which large amounts of adware and spyware can be piped into the affected system, therefore generating loads of popup adverts.."

( Read More )

Surviving and recovering from network interruptions


"..This article covers: how you can reduce the risk associated with configuration changes, and a number of tools on the market that can help you control changes, detect problems, and recover from errors.."

( Read More )

Q&A: Cyber warfare


"..This is an interview about cyber warfare with Geoff Harris, President of the UK Chapter of the Information Systems Security Association (ISSA), a not-for-profit, international organization of information security professionals and practitioners.."

( Read More )


Social networking sites passing on user data to ad agencies

"..The question now raised is this one: "Haven't the social-networking sites been violating their own privacy policies and industry standards?.."

( Read More )


Companies struggling to understand basics of enforcing IT security

"Companies are struggling to get to grips with the basics of vulnerability management.

Chris Schwartzbauer, vice president of development and customer operations at Shavlik Technologies claimed that companies and organisations are working in the dark when it comes to enforcing IT security policy and compliance with external regulations, such as PCI or ISO 27002.."

( Read More )

Cyber Reports Prod Senate Action

"..The federal government is not fully following information security initiatives, according to two separate reports published by the Government Accountability Office on Monday. Senators who requested the audits called for the creation of a permanent cyber czar in response to findings that agencies are not implementing a critical Homeland Security Department cybersecurity system, not reducing connections to external networks and not properly configuring security settings on workstations.."


( Read More )

Virtual Worlds -- Virtually?

"..Today I'm covering the Federal Consortium for Virtual Worlds conference here in Washington. Sure, it's being held just a few miles away from Nextgov's offices, but I decided to try attending the conference about virtual worlds virtually. I had high expectations for this experience -- after all, isn't Second Life, one of the more widely used platforms for virtual interaction, cool?.."

( Read More )
 

What CISOs Have Been Waiting For

"..When NASA's chief information security officer issued a memo on Tuesday directing network managers to stop writing reports on certifying systems complied with a security law and instead focus on scanning systems for ways hackers could infiltrate their systems, you could hear security experts exhale a big sigh of relief. This is huge. One security expert told Nextgov that is what they've been working toward for more than the past 15 years..."

( Read More ) 

Keep health IT standards simple, says chief technology officer

"..The Health and Human Services Department plans to issue proposed standards for health information technology systems in December, and the government's chief technology officer told an advisory committee on Thursday that policymakers should push for adoption of simple criteria that can evolve.."

( Read More ) 

Adding a second protective layer and effective correlation is the best defence against cyber attacks

"..Adding a second protective layer and effective correlation is the best defence against cyber attacks

Early detection is the best protection method against cyber attacks and a second line of defence should be leveraged.

Senior vice president of marketing at ArcSight, Reed Henry, commented that whitelisting, software patching and other preventive approaches are best practices and must continue when it comes to protecting against attacks, but they will always be one or two steps behind the cyber criminals.."

( Read More )
 

Providing and protecting information is foremost in cyber space


"..Providing and protecting information is foremost in cyber space, as an issue of trust needs to be established

A focus needs to be given on providing and protecting information, as a claim is made that the issue of trust is primary in cyber space.

Jim Stikeleather, CTO of Dell Perot Systems, claimed that the biggest issue in cyber space is trust.

Stikeleather said: “One of the issues is not just cyber security, we really think about regulatory compliance and a bigger issue and look at it. The bigger issue is the issue of trust. When you think about cyber space, the growth of economy and segmentation of population, it is being driven by commerce and economic information. If we lose trust we will lose the vehicle of commerce, I liken it to the fall of the Roman Empire..”

( Read More ) 

A rise in cyber attacks by one third saw 100 per cent of enterprises

"..Under half of organisations rate security as their top issue, while three quarters experienced cyber attacks in the last 12 months.

According to Symantec's 2010 State of Enterprise Security study, 75 per cent of enterprises experienced cyber attacks in the last 12 months and 36 per cent rated the attacks somewhat/highly effective. Also, there was a 29 per cent rise in reported attacks in the last 12 months.."

( Read More ) 

Public-Sector CIOs Feel a 'Higher Calling'

"..CIO - As far as hot topics go, the notion of customer centricity is a real sizzler with CIOs these days. Whatever the industry, the focus on the end consumers of your goods and services seems to be sharper than ever before. We see it in our CIO research results, with big year-over-year jumps in the customer-focus questions. We hear about it at our events, where CIOs trade stories about customer initiatives that elevate IT's reputation or accelerate business results.."

( Read More ) 

Managing the private encryption keys to the kingdom

"..Network World - At its core the PCI Data Security Standard is nothing more than a series of guidelines that constitute security best practices. But companies that institute programs to better protect cardholder data can also leverage and extend these efforts throughout their business, ensuring that other sensitive customer, employee and partner data is better protected.."


( Read More )

Cyber Threats Developing Faster Than Defenses

"..According to a survey conducted by CSO magazine and sponsored by Deloitte, the threats posed by cybercrime against companies are increasing quicker than defensive measures are put into place. The 2010 CyberSecurity Watch Survey also suggests that current countermeasures against cyber criminals are not particularly effective. While the survey revealed that the number of victims of cyber crime had dropped, it also registered an increase in the number of attacks. One quarter of the attacks were not attributed and over one third of respondents experienced an increase in attacks from August 2008 to July 2009.."

( Read More )

U.S. cyber war policy needs new focus, experts say

"..IDG News Service - U.S. policies toward defending against cyber warfare need to take a different approach than the government has against other forms of attack, three cybersecurity experts said today.

It will be difficult for the U.S. government to voice and follow through with a policy of cyber deterrence, like it has with nuclear attacks, said Martin Libicki, a senior management scientist specializing in cybersecurity at Rand, a nonprofit think tank. First, it's difficult to identify attackers, especially when some nations appear to be sponsoring private attackers, he said during a meeting of the Congressional Cyber Caucus in Washington.."

( Read More )


The inconvenient public interest: Policy challenges in the age of info

"..The emerging information infrastructure presents a number of complex challenges to policymakers. Current information policy—as expressed in the Clinton-Gore Agenda for Action report and most recently on the Senate floor—promotes private sector development of the National Information Infrastructure (NII). With current policy discourse revolving around issues of deregulation, unregulation and free-market development, there is cause to question whether a market-driven infrastructure will be responsive to public interest concerns. A lack of responsiveness could serve to widen existing gaps between the information-rich and information-poor. If the primary uses of the NII are communication-seeking rather than information-seeking, as many observers have noted, then a lack of critical mass could well undermine the overall utility of the infrastructure. An alternative policy approach is presented in which development focuses on the least-abled rather than most-abled users.."

( Read More )

Secure Global Collaboration Among Critical Infrastructures

"..Information sharing and collaboration on critical infrastructure protection efforts are major drivers of interest for national security, law enforcement, first responders, and environmental regulators. Critical infrastructure protection information, as stated in the U.S. Patriot Act, are “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health, or any combination of those matters.” Due to the unique, blended nature among customers, suppliers, and contractors within the aerospace and defense industry, a secure method for collaboration is a critical issue that requires remediation.."

( Read More )

The Challenges for European Critical Infrastructure Protection

"..Critical Infrastructure Protection has become a new field of European integration. This article identifies some of the challenges on this road towards a more shared approach. It argues that while the very concept of critical infrastructure is in flux, the whole approach is challenged by the more general approach that concentrates on resilience of societal functions instead of mere protection of infrastructures. The article also claims that it is not completely clear against what kind of threats the critical infrastructures should be protected and by whom. The article further points out the limits of the regulatory efforts of the governments or the EU in trying to protect infrastructures that are mostly owned and operated by private actors.."

( Read More )

U.S.-CHINA ECONOMIC AND SECURITY REVIEW COMMISSION

"..This report responds to the mandate for the Commission ‘‘to monitor, investigate, and report to Congress on the national security implications of the bilateral trade and economic relationship between the United States and the People’s Republic of China.’’ In this Report, the Commission reached a broad and bipartisan consensus; it approved the Report unanimously, with all 12 members voting to approve and submit it.."

( Read More )

Findings of the Q1 2010 “State of the Web” security report



"..Zscaler's newly released Q1 2010 State of the Web report details the enterprise threat landscape and the variety of Web-based issues plaguing Internet users.."

( Read More )

Securing our Critical National Infrastructure

"..Former US president Bill Clinton once famously described CNI as "so vital that its incapacity or destruction would have a debilitating impact on the defence or economic security of the nation.” This statement has been reflected in the UK, with the establishment of the Government's Centre for the Protection of the National Infrastructure which sets out nine CNI sectors covering communications, emergency services, energy, finance, food, government services, health, transport and water. Without these services, any state could suffer serious consequences, including economic damage, social disruption or even the large-scale loss of life.."

( Read More )


Critical information infrastructure


"..This article will show how and why cybersecurity has come to dominate ... critical information infrastructure: vulnerabilities, threats and responses.."

( Read More )


Adding a second protective layer and effective correlation is the best

"..Adding a second protective layer and effective correlation is the best defence against cyber attacks

Early detection is the best protection method against cyber attacks and a second line of defence should be leveraged.

Senior vice president of marketing at ArcSight, Reed Henry, commented that whitelisting, software patching and other preventive approaches are best practices and must continue when it comes to protecting against attacks, but they will always be one or two steps behind the cyber criminals.."

( Read More )


Providing and protecting information is foremost in cyber space

"..Providing and protecting information is foremost in cyber space, as an issue of trust needs to be established

A focus needs to be given on providing and protecting information, as a claim is made that the issue of trust is primary in cyber space.

Jim Stikeleather, CTO of Dell Perot Systems, claimed that the biggest issue in cyber space is trust.

Stikeleather said: “One of the issues is not just cyber security, we really think about regulatory compliance and a bigger issue and look at it. The bigger issue is the issue of trust. When you think about cyber space, the growth of economy and segmentation of population, it is being driven by commerce and economic information. If we lose trust we will lose the vehicle of commerce, I liken it to the fall of the Roman Empire..”

( Read More )

A rise in cyber attacks by one third saw 100 per cent of enterprises

"..Under half of organisations rate security as their top issue, while three quarters experienced cyber attacks in the last 12 months.

According to Symantec's 2010 State of Enterprise Security study, 75 per cent of enterprises experienced cyber attacks in the last 12 months and 36 per cent rated the attacks somewhat/highly effective. Also, there was a 29 per cent rise in reported attacks in the last 12 months.."

( Read More )

Public-Sector CIOs Feel a 'Higher Calling'

"..CIO - As far as hot topics go, the notion of customer centricity is a real sizzler with CIOs these days. Whatever the industry, the focus on the end consumers of your goods and services seems to be sharper than ever before. We see it in our CIO research results, with big year-over-year jumps in the customer-focus questions. We hear about it at our events, where CIOs trade stories about customer initiatives that elevate IT's reputation or accelerate business results.."

( Read More )

Managing the private encryption keys to the kingdom

"..Network World - At its core the PCI Data Security Standard is nothing more than a series of guidelines that constitute security best practices. But companies that institute programs to better protect cardholder data can also leverage and extend these efforts throughout their business, ensuring that other sensitive customer, employee and partner data is better protected.."

( Read More )

Cyber Threats Developing Faster Than Defenses

"..According to a survey conducted by CSO magazine and sponsored by Deloitte, the threats posed by cybercrime against companies are increasing quicker than defensive measures are put into place. The 2010 CyberSecurity Watch Survey also suggests that current countermeasures against cyber criminals are not particularly effective. While the survey revealed that the number of victims of cyber crime had dropped, it also registered an increase in the number of attacks. One quarter of the attacks were not attributed and over one third of respondents experienced an increase in attacks from August 2008 to July 2009.."

( Read More )

U.S. cyber war policy needs new focus, experts say

"..IDG News Service - U.S. policies toward defending against cyber warfare need to take a different approach than the government has against other forms of attack, three cybersecurity experts said today.

It will be difficult for the U.S. government to voice and follow through with a policy of cyber deterrence, like it has with nuclear attacks, said Martin Libicki, a senior management scientist specializing in cybersecurity at Rand, a nonprofit think tank. First, it's difficult to identify attackers, especially when some nations appear to be sponsoring private attackers, he said during a meeting of the Congressional Cyber Caucus in Washington.."

( Read More )


Finding Your Way: An Overview of Industry Qualifications & Associations

"..The proliferation of information security qualifications, standards and membership associations has reached a level whereby a degree of confusion is understandable. Peter Drabwell introduces some of the qualifications and associations out there.."


( Read More )


Lack of precise definitions plagues cybersecurity legislation

"..According to one security expert, anywhere from 14 to 35 pieces of legislation aiming to effect cybersecurity are in the works, depending on how one defines its role within the genre. These bills range from comprehensive to very focused, but, as some security experts claim, they all have common drawbacks.."

( Read More )


Energy Sector is Hackers’ Biggest Target

"..The oil and gas industries are natural targets for cyber-criminals due to sensitive data and very deep pockets. With the introduction of newer IT technologies, such as wireless and even social networking, the jobs of the information security teams are not getting any easier. John Sterlicchi reports.."

( Read More )

U.S. federal data security vulnerabilities

Data security vulnerabilities exist within U.S. Federal agencies because employees use insecure methods, such as FTP, to exchange information, despite the Secure File Sharing Act, which the U.S. House of Representatives passed on March 24, 2010 to prevent government employees from using peer-to-peer file-sharing software, including FTP. This is one of the results of a survey by MeriTalk and Axway.

( Read More )

Agencies overlook file transfer security

The government spends $7.9 billion annually on sophisticated cybersecurity measures, but agencies too often ignore the basics of protecting files, according to a new survey on federal encryption and other security measures. In April, MeriTalk, a government information technology provider, teamed with Axway, a business interaction networks company in Phoenix, to survey 200 federal IT and information security professionals on file transfer practices and potential security improvements.

( Read More )


Officials Warn of 'Phishing' Scams Targeting Troops

U.S. Strategic Command officials are urging renewed vigilance against Internet-based identity theft after detecting a widespread "phishing" expedition against servicemembers. Phishing is a term used to describe deceiving people into divulging personal information such as passwords or account numbers over the Internet.

Beginning as early as May 2009 and lasting as late as March 2010, numerous fraudulent e-mails were sent to financial customers of USAA and Navy Federal Credit Union, Stratcom officials said in a recent news release.

( Read More )


Google ditches Windows on security concerns

"..Windows is known for being more vulnerable to attacks by hackers and more susceptible to computer viruses than other operating systems. The greater number of attacks on Windows has much to do with its prevalence, which has made it a bigger target for attackers.."

( Read More )

National Security Strategy is Empty on "Cyberspace"

"..We will deter, prevent, detect, defend against, and quickly recover from cyber intrusions and attacks by:

1) Investing in People and Technology: We will continue to invest in the cutting-edge research and development necessary for the innovation and discovery we need to meet these challenges
2) Strengthening Partnerships: We will work with all the key players — including all levels of government and the private sector, nationally and internationally — to investigate cyber intrusion and to ensure an organized and unified response to future cyber incidents. Just as we do for natural disasters, we have to have plans and resources in place beforehand.."

( Read More )


Public-Private Partnerships are no silver bullet

For more than a decade, efforts have been underway to establish Public-Private Partnerships (PPP) for Critical Infrastructure Protection (CIP). Due to issues arising in connection with their implementation, there has been increasing criticism in recent years questioning the usefulness of such PPP. However, cooperation between the state and the private corporate sector in CIP is not only useful, but inevitable. This paper will therefore sketch a new and above all broader approach to public–private cooperation to help solve some of the problems that have become apparent. Based on the network approach developed by governance theory, it is argued that CIP policy should increasingly rest on self-regulating and self-organizing networks. Thus, the government’s role would no longer consist in directing and monitoring, but of coordinating the networks and identifying instruments that can help motivate networks to meet the task of CIP.


( Read More )



Identity: the new critical information infrastructure?


What happens when the lights go out? Not just for a short period, but when it may take weeks or months to reestablish a reliable mains electrical network. We now take for granted that our various local, national and international networks for services and commerce will only suffer very short interruptions.

( Read More )

Early Warning for Critical Infrastructure Protection

This article shows that information-sharing between the public and private sectors is indispensable for improving early-warning capabilities in the field of cyber-security. It discusses the challenges of such collaboration and highlights the crucial role of mutual trust for information-sharing. Finally, it describes how governments could actively motivate private companies to participate in information-sharing with government agencies.

Critical Infrastructure Protection (CIP) is universally acknowledged as constituting a vital component of national security policy. Since most of the critical infrastructures are highly dependent on information and communication technologies, the protection of critical information infrastructures (CIIP) has become a central focus of the debate. The protection of infrastructures against cyber-attacks is hampered by the diffuse nature of cyber-threats and the resultant difficulties in assessing the risks accurately. While early warning could help to improve the protection efforts, it is hard to establish, since only the private companies know the vulnerabilities of their information infrastructure and only the state is able to monitor malicious actors and assess their capacities and motivations.

( Read More )


Critical Information Infrastructure: Vulnerabilities, Threats and Responses

Critical infrastructures (CI) are systems or assets so vital to a country that any extended incapacity or destruction of such systems would have a debilitating impact on security, the economy, and national public health or safety, or any combination of the above. The most frequently listed examples encompass the sectors of banking and finance, government services, telecommunication and information and communication technologies, emergency and rescue services, energy and electricity, health services, transportation, logistics and distribution, and water supply. Besides physical assets, their importance is due to the services, the physical and electronic (information) flows they deliver, and their role and function for society. For these reasons, critical infrastructure protection (CIP) is currently seen as an essential part of national security in numerous countries around the world.

In this project, we track the transformation and evolution of critical infrastructures (and closely related issues of homeland security) into a security problem and analyze how practices associated with critical infrastructure protection constitute, and are an expression of, changing notions of security and insecurity. This research also explores the rationalities at play as well as the effects of these security practices, and looks at the implications for our understanding of security and politics today.

( Read More )


Strategic Foresight in Public Policy


In an interdependent and complex world, only few public policy challenges can be confined to one particular policy area anymore. Many governments have realized that a single-issue focus is often insufficient in dealing with emerging threats and opportunities. They have therefore started to experiment with strategic foresight that deliberately cuts across the traditional boundaries of policy areas and government departments. This article reviews the foresight activities of three countries that have been at the forefront of this trend: the United Kingdom, Singapore, and the Netherlands. To this end, the article discusses the concept of strategic foresight and explains the two distinct ways in which it contributes to public policy-making: on the one hand, it informs policy by providing more systematic knowledge about relevant trends and developments in an organization's environments; on the other hand, it acts as a driver of reflexive mutual social learning processes among policy-makers that stimulate the generation of common public policy visions. The article concludes by drawing lessons with regard to the key success factors allowing strategic foresight to make an effective contribution to public policy-making.

( Read More )

Cyber-Security

This chapter first sets out to define the nature and connotations of the cyber-security concept. It shows how a convincing case for security is argued in various instances of cyber-security in the US. This sheds some light on threat clustering over the years and shows how and why two rationales – a business rationale and a national security rationale – became interlinked. The result of this is that cyber-security is imagined as a shared responsibility that cannot be accomplished by the government alone: The maintenance of ‘business continuity’ for an individual, corporate, or local actor is often regarded as being equally important as national or even international security efforts in the cyber-realm, since the one ensures and reciprocally influences the other. The chapter then specifically focuses on countermeasures as the consequence of these threat representations. It will be shown that cyber-security emerges as a strange animal: It does not quite fit into any known categories, neither conceptually nor theoretically. Because of persuasive threat clustering, it has become more than just a technical issue, but there is nothing exceptional or extraordinary about it. This inevitably focuses our attention on the question of what security is and how it is practised, but also on how we should approach it theoretically, which is addressed in the concluding section.

( Read More )


Cyberwar

This chapter starts off with a short overview of the relevant literature available to any scholar delving into the issue of cyberwar. The second section looks at definitional issues in more depth and will trace how the meaning of 'cyberwar' evolved from the narrow conception referring exclusively to military interaction to its broad meaning, which has become detached from ‘war’ and encompasses almost every activity linked to the aggressive use of computers. The third section investigates four cases between 1999 and 2007 that have been labelled 'cyberwar' by a variety of actors. In the fourth section, a reality check based on these cases is performed. We see that while cyber-vandalism is an everyday reality, cyberwar is not. After speculating on possible restraints for the use of cyberwar tools in the future, the chapter concludes with thoughts on the danger inherent in cyberwar ideas due to the realities of a globalised, interdependent, and networked world.

( Read More )

Cyberwar: Concept, Status Quo, and Limitations

Political, economic, and military conflicts are increasingly also being carried out in cyberspace. However, conceptually, the notion of “cyberwar” only includes a narrow sub-section of all conflicts in cyberspace. At the operative level, capabilities for cyberwarfare are becoming increasingly important. Nevertheless, the prospects for strategic IT wars that only take place in the virtual space remain extremely unlikely. For many states, there is a particular need for action in the area of cyberdefence.

( Read More )

The Reality and Future of Cyberwar

Conflicts in cyberspace are a reality: elements of any political, economic and military conflict now take place in and around the internet. Not surprisingly cyberwar has become a buzzword in the media and in the political debate, but broad and imprecise use of the term cyberwar must be avoided. Different forms of cyber conflict can be distinguished by focusing on the extent of damage and a cyber-escalation ladder can be built with rungs expressed by 'severity of effects'. This helps policy-makers to prioritize: only computer attacks whose effects are sufficiently destructive or disruptive are an issue that needs to be addressed at the political level.

( Read More )



Canada spies say tracking over 200 terror suspects

Canada is tracking more than 200 people linked to al Qaeda and other organizations considered to be terrorist, the head of the nation's spy service said in a rare public appearance on Tuesday. Richard Fadden, head of the Canadian Security Intelligence Service (CSIS), also said he was particularly concerned by radicalized youths, whose families may have been in Canada for several generations, but who have become disenchanted with Canadian society.

( Read More )


The inconvenient public interest: Policy challenges in the age of info

The emerging information infrastructure presents a number of complex challenges to policymakers. Current information policy—as expressed in the Clinton-Gore Agenda for Action report and most recently on the Senate floor—promotes private sector development of the National Information Infrastructure (NII). With current policy discourse revolving around issues of deregulation, unregulation and free-market development, there is cause to question whether a market-driven infrastructure will be responsive to public interest concerns. A lack of responsiveness could serve to widen existing gaps between the information-rich and information-poor. If the primary uses of the NII are communication-seeking rather than information-seeking, as many observers have noted, then a lack of critical mass could well undermine the overall utility of the infrastructure. An alternative policy approach is presented in which development focuses on the least-abled rather than most-abled users.

( Read More )

Secure Global Collaboration Among Critical Infrastructures

Information sharing and collaboration on critical infrastructure protection efforts are major drivers of interest for national security, law enforcement, first responders, and environmental regulators. Critical infrastructure protection information, as stated in the U.S. Patriot Act, are “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health, or any combination of those matters.” Due to the unique, blended nature among customers, suppliers, and contractors within the aerospace and defense industry, a secure method for collaboration is a critical issue that requires remediation.

( Read More )


The Challenges for European Critical Infrastructure Protection

Critical Infrastructure Protection has become a new field of European integration. This article identifies some of the challenges on this road towards a more shared approach. It argues that while the very concept of critical infrastructure is in flux, the whole approach is challenged by the more general approach that concentrates on resilience of societal functions instead of mere protection of infrastructures. The article also claims that it is not completely clear against what kind of threats the critical infrastructures should be protected and by whom. The article further points out the limits of the regulatory efforts of the governments or the EU in trying to protect infrastructures that are mostly owned and operated by private actors.

( Read More )


U.S.-CHINA ECONOMIC AND SECURITY REVIEW COMMISSION

This report responds to the mandate for the Commission “to monitor, investigate, and report to Congress on the national security implications of the bilateral trade and economic relationship between the United States and the People’s Republic of China.” In this Report, the Commission reached a broad and bipartisan consensus; it approved the Report unanimously, with all 12 members voting to approve and submit it.


( Read More )

Findings of the Q1 2010 “State of the Web” security report


"..Zscaler's newly released Q1 2010 State of the Web report details the enterprise threat landscape and the variety of Web-based issues plaguing Internet users.."

( Read More )

Securing our Critical National Infrastructure


"..Former US president Bill Clinton once famously described CNI as “so vital that its incapacity or destruction would have a debilitating impact on the defence or economic security of the nation.” This statement has been reflected in the UK, with the establishment of the Government's Centre for the Protection of the National Infrastructure which sets out nine CNI sectors covering communications, emergency services, energy, finance, food, government services, health, transport and water. Without these services, any state could suffer serious consequences, including economic damage, social disruption or even the large-scale loss of life.."

( Read More )

Critical information infrastructure

"This article will show how and why cybersecurity has come to dominate ... critical information infrastructure: vulnerabilities, threats and responses.."

( Read More )
