Posts Tagged ‘Cybersecurity’

Cut and Dry Cybersecurity

An agency’s computer system faces constant cybersecurity threats from several sources. While many of them are intentional, such as fraud and theft, there are also unintentional errors and omissions that threaten a system’s security. Let’s take a closer look at some examples.
The Intentionally Malicious
Information technology is increasingly used to commit fraud and theft. Computer systems are exploited in numerous ways, both by automating traditional methods of fraud and by using new methods.
Unfortunately, insiders who are authorized users of a system perpetrate the majority of the fraud uncovered on computer systems. Since insiders not only have access to, but are also familiar with the victim computer system (including what resources it controls and where the flaws are), authorized system users are in a better position to commit crimes. Former employees may also pose threats, particularly if their access is not terminated promptly.


SCAP Frequently Asked Questions

Last month, we began addressing some frequently asked Security Content Automation Protocol (SCAP) questions. Now that we have clarified what SCAP is, what it consists of, and how it helps with compliance issues, let’s look at FAQs about how validation and independent testing factor in.

What is validation?
The SCAP Program is responsible for maintaining established standards and ensuring that validated products comply. Validation is achieved through proving that the testing performed by the laboratory has been carried out correctly.
Who does independent testing?
Test results for validation are accepted from laboratories that are accredited by the National Voluntary Laboratory Accreditation Program (NVLAP). This accreditation is earned after full review of the laboratories’ Quality Management System (QMS) and passing of the technical proficiency tests.


SCAP Frequently Asked Questions

In our last discussion, we aspired to automated provisioning and continuous monitoring of Network Security Management. The National Institute of Standards and Technology (NIST) has spearheaded Security Content Automation Protocol (SCAP) efforts for the last ten years. NIST, an agency of the U.S. Department of Commerce, was founded in 1901 as the nation’s first federal physical science research laboratory. In essence, SCAP is a NIST-sponsored effort for both pieces (automated provisioning and continuous monitoring).
As a refresher: SCAP, pronounced “S-Cap”, combines a number of open standards that are used to enumerate software flaws and configuration issues related to security. They measure systems to find vulnerabilities and offer methods to score those findings in order to evaluate the possible impact. It is a method for using those open standards for automated vulnerability management, measurement and policy compliance evaluation and was the next logical step in the evolution of our compliance automation tools for Federal Agencies. SCAP defines how the following standards (referred to as SCAP ‘Components’) are combined and allows results to be easily shared for Federal Information Security Management Act (FISMA), Office of Management and Budget (OMB), Department of Homeland Security (DHS) and others.


Cybersecurity is a Shared Responsibility

We are approaching the end of national “Cyber Security Awareness Month,” so let’s take a look at some top cybersecurity tips we should all adhere to:


Spreading the Word on Cyber Attacks

“It’s not the loud pronouncements by hacking groups or the highly visible denial-of-service attacks that scare cybersecurity experts. It’s silence,” claims a recent Federal Times article.
The article “Programs aim to get the word out when cyber attacks occur” brings to light the idea that one of the greatest tools against cyber attackers is the “relatively low-tech approach of sharing information about attacks.”
The article continues on about a push for disclosure, explaining that the DoD has put forth ideas for a new Defense Federal Acquisition Regulation Supplement (DFARS) rule. The proposed DFARS rule would require contractors to provide “adequate security”, report cyber incidents within 72 hours, and review their networks to search for additional attack information. As always, the issue of cost tops the concerns about this communication technique. Not only would there be increased costs for the companies providing the “adequate security”, but government resources would have to be tapped in order to provide data analysis and enforcement of any resulting mandates.


Current State of Information Security-Part 2

Part 2 of 2:
A few weeks ago, we looked at the current state of information security and implementations from the Ten Domain Model. Using this information, we can now look at where we need to be.
Due to the rapidly changing threat landscape, two key requirements for information security are becoming increasingly critical. These requirements are automation and continuous monitoring.
1) Why Automation? Only automated approaches can scale and respond rapidly to large-scale incidents.
   a. Preventative policy enforcement reduces risk:
      i. overall number of security vulnerabilities
      ii. the success of any particular attack technique.
   b. Automated remediation systems have a positive impact on a large number of hosts with a relatively small time investment from computing staff.
2) Why continuous monitoring? A primary goal of continuous monitoring is, as much as is practicable, to apply automated remediation to security vulnerabilities that are found. That takes the need for human intervention out of the picture. Human intervention and the errors and delays that result from it are credited for many of the lapses in IT security.


Current State of Information Security-Part 1

Part 1 of 2:
What is information security?
Information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction. Information security is concerned with the confidentiality, integrity and availability of data regardless of the form the data may take: electronic, print, or other forms.
Why do we need it?
Now, more than ever, IT security is a critical element in the system life-cycle. Security must be incorporated and addressed from the initial planning and design phases to disposal of the system. Without proper attention to security, an organization’s information technology can become a source of significant mission risks. With careful planning from the earliest stages, however, security becomes an enabler, supporting and helping to achieve the organization’s mission.


Shakin’ IT up at Innovation Nation 2011

It is already the second half of August and we are quickly approaching a busy conference time for DLT. Upcoming events will take DLT all over the country, but some of the best are local ones happening just down the road. The annual Innovation Nation Forum, hosted by MeriTalk, will take place Tuesday, August 23 at the Washington Convention Center. Aiming to “Shake IT Up,” Innovation Nation will focus on three Federal IT hot topics: cloud computing, cybersecurity and data center consolidation.


Keeping Enterprise IT Systems Secure

“Good security doesn’t stop with just an anti-virus client and a perimeter firewall.”

Government Security News (GSN) recently published an article written by DLT Engineer, Aaron Payne, about bringing “Security back to the basics: Managing the threat” that addresses the concern that there are many layers necessary to keeping enterprise IT systems secure.


Security: Back to basics (Part 1 – The Human Touch)

Taking a look at the latest quarterly update on security from Symantec, there are still some basic steps that system administrators can take to protect their network and endpoints. These are the low-hanging fruit that can help prevent attacks and compromise of confidential data.
Education is still one of the top three returns on investment on the security side. An educated end-user will not click on links in emails that aren’t from trusted parties or open password-protected zip files and run their contents, and will question suspicious emails with the help desk. An educated management team understands that Security is not just a line item that can be eliminated or reduced. As threats become more sophisticated at penetrating networks and endpoints, increasingly more sophisticated tools are needed to prevent, find, and remove these threats.