Monday, December 19, 2011

DHS Cybersecurity Strategy and New California eCrime Unit

WASHINGTON - JANUARY 08:  The Department of Ho...
Image by Getty Images via @daylife
A couple of interesting items within the information security world...

I. The Department of Homeland Security has released a new cybersecurity strategy document with a two-pronged approach:
  1. Protecting critical infrastructure today
  2. Building a more secure cybersecurity ecosystem for the future
Download the Blueprint for a Secure Cyber Future document (PDF).

II. California Attorney General Kamala D. Harris has announced the creation of a new eCrime Unit to investigate and prosecute technology crime.

"The primary mission of the eCrime Unit is to investigate and prosecute multi-jurisdictional criminal organizations, networks, and groups that perpetrate identity theft crimes, use an electronic device or network to facilitate a crime, or commit a crime targeting an electronic device, network or intellectual property." READ MORE

Wednesday, December 14, 2011

America the Vulnerable

Interesting approach to computer security
Image by formalfallacy @ Dublin (Victor) via Flickr

During my commute to and from work I recently began listening to the audiobook, "America the Vulnerable: New Technology and the Next Threat to National Security" by Joel Brenner, narrated by Lloyd James. The audiobook was downloaded from Audible.com.

I’m currently half-way through the unabridged audio and am enjoying it. The book is an eye-opening reminder of what many of us within the InfoSec industry are already aware of as we analyze security events on a daily basis. American national security, our economy, physical and energy infrastructure, financial system and our own privacy are at risk and that if security isn't built into our systems, our systems won't be secure. From what I’ve listened to so far, Brenner does a good job of laying out the cyber-threat facing the United States.

I hope to finish the audiobook by the end of this week as I’m interested in hearing what Brenner has to prescribe as a solution to the problem. Though I have yet to finish the audiobook, I recommend it as a must read for anyone interested or with career in cybersecurity.

Monday, December 12, 2011

New Reader Poll - CISSP Exam

CISSP Logo
Image via Wikipedia
I just posted a reader poll that's now viewable on the right-hand column of this blog. I want to get opinions from those of you that have your CISSP certification. There are two questions in the poll:

  1. If you are a CISSP, did your employer at the time encourage you to take the CISSP exam? (Yes/No)
  2. If you are a CISSP, did your employer pay for you to take the CISSP exam, or did you? (Employer paid/you paid)

The poll can also be accessed directly from here.

As for the value of a CISSP vs. other certifications ... that's for yet another posting.

Friday, December 9, 2011

Free Security Awareness Training - Part 5 of 5

Class 1: Explosives
Image via Wikipedia
Today's post concludes the series of five posts whereby I wanted to give you links to 25 security awareness courses and videos that are publicly available.

I strongly believe that security awareness training is an essential component to good security. Throwing money and technology at the security problem might be worthwhile in the early stages of maturity of an originzatzion's information security program. However, the problem with this approach is that there are diminishing returns; more technology becomes less and less effective at improving security. Something needs to improve beyond installing and patching technology on a daily basis, forever running around attempting to deal with security incidents and emerging threats and doing work simply for work's sake. The human dimension is a critical part of this, and security awareness training helps sharpen this human component; the HumanOS.
  1. Analytical Investigative Tools (Multijurisdictional Counterdrug Task Force Training)
    1. What Every Law Enforcement Officer Should Know About DNA Evidence – Investigators and Evidence Technicians (DNA Initiative)
    2. Food Security Training (US Food and Drug Administration)
    3. Explosives, Booby Traps and Bomb Threat Management (Multijurisdictional Counterdrug Task Force Training)
    4. HAZMAT Transportation Security Awareness Training (Dangerous Goods International)

    Thursday, December 8, 2011

    Free Security Awareness Training - Part 4 of 5

    A U.S. Coast Guardsman searches for survivors ...
    Image via Wikipedia
    This week I'm sharing with you links to 25 security awareness training sites. The training links are being broken up into groups of five, published within five separate postings. Today we reach the forth set of training links for an accumulative total of 20.

    The 2008 information security survey by Pricewaterhouse Coopers revealed that investment in security technologies had increased but “the acute focus on technology over the last year has not been matched by an equally robust commitment to other critical drivers of security’s value, such as: (1) many of the critical business and security processes that support technology, and (2) the people who administer them.” Security awareness training helps address the second item.
    "The security discipline has so far been skewed toward technology - firewalls, ID management, intrusion detection - instead of a risk analysis and proactive intelligence gathering. Security investment must shift from the technology-heavy, tactical operation it has been to date to an intelligence-centric, risk analysis and mitigation philosophy. We have to start addressing the human element of information security, not just the technological one; it i only then that companies will stop being punching bags." - PricewaterhouseCoopers
    Below is the next set of security awareness training links.
    1. The History of Bio-Terrorism (Center for Disease Control and Prevention)
    2. Detecting Bio-Terror (Center for Public Health Preparedness)
    3. Radiological Terrorism: Just in Time Training for Hospital Clinicians (Center for Disease Control and Prevention)
    4. Nuclear Terrorism: Pathways & Prevention (Center for Public Health Preparedness)
    5. Preparedness & Community Response to Pandemics (Center for Public Health Preparedness)

    Wednesday, December 7, 2011

    Free Security Awareness Training - Part 3 of 5

    The flood in Pirna.
    Image via Wikipedia
    This week I'm passing on to you links to 25 free security awareness training sites. Why is security awareness training important? Fundamentally, security is about people. Having worked within the information security world for the past 15 years, it's become very clear that the best defense to internal and external threats is not technology by itself. Rather, people need to have the mindset that helps them to automatically take actions that support security, not circumvent or undermine it. Security awareness training helps raise awareness so as to begin making this a natural mindset that influences behavior.
    "No one wants security; they want the benefits of security. A homeowner does not want the finest deadbolt on the front door because of the excellence of its engineering; they want a comfortable, happy place in which to live." - Steve Hunt
    Below are the next five training links. This now brings us to a total of 15 trainings out of the 25 I promised to give you by the end of this week.
    1. OPPSEC (United States Marine Corps)
    2. Intelligence Analysis Web-based Training (Anacapa Sciences)
    3. SAEDA (553G-NG0001-A) (Espionage Awareness) (United States Army)
    4. Are You Ready? An In-depth Guide to Citizen Preparedness FEMA/EMI Course IS-22 (FEMA)
    5. Personal Preparedness (Center for Public Health Preparedness)

    Tuesday, December 6, 2011

    Cyber Intelligence Sharing and Protection Act of 2011 (HR 3523)

    United States House Permanent Select Committee...
    Image via Wikipedia

    The House Intelligence Committee held a closed-door markup of a bill (HR 3523) with the intention to improve cybersecurity through enabling the federal government to share classified cyber threat information with businesses. To quote two of the primary proponents:
    "There is an economic cyber war going on today against US companies." ... "There are two types of companies in this country, those who know they've been hacked, and those who don't know they've been hacked. Economic predators, including nation-states, are blatantly stealing business secrets and innovation from private companies. This cybersecurity bill goes a long way in helping American businesses better protect their networks and their intellectual property." -- Chairman of The Permanent Select Committee on Intelligence, Congressman Mike Rogers (R-MI)
    "We simply can't stand by if we have the ability to help American companies protect themselves. Sharing information about cyber threats is a critical step to preventing them. This bill is a good start toward helping the private sector safeguard its intellectual property and critical cyber networks, including those that power our electrical, water and banking systems. The bill maintains vital protections for privacy and civil liberties without any new federal spending, regulations or unfunded mandates." -- The committee's ranking member, Congressman Dutch Ruppersberger (D-MD)

    Free Security Awareness Training - Part 2 of 5

    A graphic representation of the four phases in...
    Image via Wikipedia
    This week my goal is to pass along to you links to 25 free security awareness trainings. The trainings are being divided up into groups of five and published in a series of five separate postings. The first set of training links was published yesterday.

    As promised, below is the second set of five trainings.

    1. Anti-Terrorism Awareness Level-1 (Defense Technical Information Center - US DoD)
    2. The Seven Signs of Terrorism (Michigan State Police via YouTube)
    3. AWR-187 Terrorism and WMD Awareness in the Workplace (Rural Domestic Preparedness Consortium)
    4. Kentucky Terrorism Response & Preparedness (University of Kentucky)
    5. Prevention and Deterrence of Terrorist Acts (National Center for Biomedical Research and Training)

    Monday, December 5, 2011

    Free Security Awareness Training - Part 1 of 5

    Poster produced in the US warning the public a...
    Image via Wikipedia

    As a security profesional I believe it's essential that we maintain security awareness and an understanding of the threats we face. Education often isn't cheap and the reality is that for many employers funding for training and education is very limited.

    Fortunately, we're entering into the holiday season, which is a time of giving, and what I'm giving you are 25 security awareness courses and videos that are publicly available. Okay - maybe not the most exciting gift, but it fits the budget.

    I will publish a series of five posts and each post will have links to five training resources. The security awareness courses may be completed online (or on CD-ROM) and are provided without cost to you. This study program is designed to provide you with a broad security awareness. There will be overlap in training that will help you to build depth of knowledge and to emphasize important areas. I emphasize "broad". The material covers many of the domains within security, some of it IT Security, and some of the material may seem a bit Rambo'esque or even doom-and-gloom.

    There are several separate agencies and organizations that are offering the courses. Certificates of training can be printed following completion of the courses. You can enroll in any individual course, or if you're more highly motivated, aim for completing all of them. Personally, I believe that anyone who completes all of the courses will become a much more valuable security asset to their employer as well as their community.

    Bring out the leftover turkey, stuffing and cranberry sauce ... it's time to cram in some free security awareness classes!

    1. Phishing Awareness (Defense Information Systems Agency - US DoD)
    2. Personally Identifiable Information (PII) (Defense Information Systems Agency - US DoD)
    3. Security & Privacy Awareness Training (National Institute of Health Information)
    4. Information Assurance Awareness (Defense Information Systems Agency - US DoD)
    5. Information Assurance Awareness shorts (Defense Information Systems Agency - US DoD)

    Tuesday, November 29, 2011

    FCC Small Biz Cyber Planner

    English: A candidate icon for Portal:Computer ...
    Image via Wikipedia

    The FCC has launched a Small Biz Cyber Planner, an online resource to help small businesses create customized cybersecurity plans in conjunction with DHS, NCSA, NIST, The U.S. Chamber of Commerce, The Chertoff Group, Symantec, Sophos, Visa, Microsoft, HP, McAfee, The Identity Theft Council, ADP and others. The complete set of guidance can be downloaded as a PDF at fcc.gov/cyber/cyberplanner.pdf while the interactive online tool is available at FCC.gov/cyberplanner.
    "The Small Biz Cyber Planner will be of particular value for businesses that lack the resources to hire a dedicated staff member to protect themselves from cyber-threats. Even a business with one computer or one credit card terminal can benefit from this important guidance.  The tool will walk users through a series of questions to determine what cybersecurity strategies should be included in the planning guide. Then a customized PDF is created that will serve as a cybersecurity strategy template for a small business. 
    This effort is part of an ongoing program to raise awareness about the cybersecurity risks to small businesses and to help these businesses become cyber-secure. Earlier this year, the FCC and a coalition of public and private-sector partners developed a cybersecurity tip sheet, which includes tips to educate business owners about basic steps they can take immediately to protect their companies. The tip sheet is available at FCC.gov/cyberforsmallbiz."
    Sections in the complete set of guidance are:
    • Privacy and Data Security
    • Scams and Fraud
    • Network Security
    • Website Security
    • Email
    • Mobile Devices
    • Employees
    • Facility Security
    • Operational Security
    • Payment Cards
    • Incident Response and Reporting
    • Policy Development, Management
    • Cyber Security Glossary
    • Cyber Security Links

    Enhanced by Zemanta

    Friday, November 25, 2011

    Protecting Kids Online

    Texting on a keyboard phoneImage via Wikipedia


    One of the issues I’ve been struggling with over the past ten or so years is how to protect kids online. The Internet offers a world of opportunities. People of all ages share photos and videos, build online profiles, text each other and create alter egos in the form of online avatars. These ways of socializing and communicating can be fulfilling, and yet, they come with risks:

    • Inappropriate Conduct: The online world can convey a false sense of anonymity and kids sometimes forget that their online actions have real-world consequences. 
    • Inappropriate Contact: There are people out there that have bad intentions; predators, bullies and scammers.
    • Inappropriate Content: Kids can easily come across pornography, violence or hate speech online.

    Some questions to ask yourself as an adult:

    1. Do you think your child knows more about the Internet and technology than you do?
    2. Do you think you know more about communicating respectfully off-line than your child does (parents don’t have to be tech-savvy to know a lot that’s relevant to this topic)?
    3. How much time do you think your kid spends online each day? Each week? That includes time on their phones!
    4. What are your kids’ favorite websites or online games?
    5. Do your kids have their own computers? Do they have cell phones?
    6. Do you supervise what your kids do while online and offer guidance, or are they allowed free rein?
    7. What are your main concerns about online safety?
    8. Do you text? Do you text with your children?

    It’s also a good idea to talk with your kids about online safety. To kick things off, here are some questions you can ask your kids:

    1. How much time do you spend online?
    2. What do you like to do online?
    3. Do you sleep with your cell phone in reach?
    4. Do you post pictures online? 
    5. Have you every posted or sent anything you later regretted?
    6. Have you or one of your friends ever received a text message that was hurtful or mean-spirited?
    7. Have you ever talked to your parents about something that bothered you online?
    8. Have you ever talked to another adult bout something that bothered you online?

    Make your conversation interactive. Ask your kids how they might have handled an incident that involved sharing too much information, cyberbullying, posting embarrassing photos or sexting.

    For more information, the US Government has created OnGuardOnline.gov, a site that provides practical tips from the federal government and the technology community to help you guard against internet fraud, secure your computers and protect your privacy. The project is managed by the Federal Trade Commission, the nation’s consumer protection agency, and includes more than a dozen federal agencies.

    Additional Resources

    • OnGuardOnline.gov - Practical tips from the federal government and the technology community to help people be on guard against Internet fraud, secure their computers and protect their privacy.
    • FTC.gov/idtheft - The Federal Trade Commission's website has information to help people deter, detect and defend against identity theft.
    • StaySafeOnline.org - The National Cyber Security Alliance seeks to create a culture of cyber security and safety awareness by providing knowledge and tools to prevent cyber crime and attacks.
    • CommonSenseMedia.org - Common Sense Media is dedicated to improving the lives of kids and families by providing trustworthy information, education and voice they need to thrive in a world of media and technology.
    • GetNetWise.org -  A project of the Internet Education Foundation, the GetNetWise coalition provides Internet users the resources to make informed decisions about their and their family's use of the Internet.
    • CyberBully411.org - CyberBully411 is an effort to provide resources for youth who have questions about or have been targeted by online harassment.
    • ConnectSafely.org - ConnectSafely is for parents, teens, educators and advocates for learning about safe, civil use of Web 2.0 together.
    • iKeepSafe.org - iKeepSafe educational resources teach children of all ages, in a fun, age-appropriate way, the basic rules of Internet safety, ethics and the healthy use of connected technologies.
    • NetFamilyNews.org - A nonprofit news service for parents, educators, and policymakers who want to keep up on the latest technology news and commentary about online youth, in the form of a daily blog or weekly email newsletter.
    • NetSmartz.org - The NetSmartz Workshop is an interactive, educational safety resource from the National Center for Missing & Exploited Children.
    • WiredSafety.org - WiredSafety provides help, information and education to Internet and mobile device users of all ages.


    Enhanced by Zemanta

    Thursday, November 24, 2011

    Schedule Emails to be Sent Later in Gmail


    Image via Boomerang for Gmail
    I have happily been a Gmail and Google Apps account holder for several years. A feature that I felt had been lacking was the ability to schedule emails to be sent at a later date. I've searched for various solutions ... all of them disappointing ... until recently when I came across Boomerang for Gmail which does just that; it lets you write an email now and schedule it to be sent automatically at a scheduled time. There are both Google Chrome and Firefox plugins for Boomerang. The plugin adds a “Send Later” button in Gmail. It doesn’t get much easier than that to schedule emails for sending at a later date.

    If you're interested in using Boomerang for free, here's the link: Boomerang for Gmail

    Monday, November 21, 2011

    Water System Attack on City Water Station Destroys Pump

    Clean drinking water...not self-evident for ev...Image via Wikipedia

    Last week a disclosure was made about a public water district SCADA system hack. There have been several reports in the press concerning the attack on control system of the city water utility in Springfield, Illinois and the resulting burn-out of a pump. Law enforcement is investigating.

    [UPDATE] 11/29/2011 - Department of Homeland Security officials are now saying that the water-pump failure in Illinois wasn't cyberattack after all. READ MORE

    ICS-CERT Report - (ICSB-11-327-01—ILLINOIS WATER PUMP FAILURE REPORT)

    Enhanced by Zemanta

    Friday, November 18, 2011

    Operation Ghost Click

    The FBI is seeking victims in a DNS Malware Investigation for the case of UNITED STATES v. VLADIMIR TSASTSIN, ET AL. Specifically, the FBI is seeking information from individuals, corporate entities and Internet Services Providers who believe that they have been victimized by malicious software related to the defendants. As you know form the news blurbs that I've been sending out, this malware modifies a computer’s Domain Name Service settings, and thereby directs the computers to receive potentially improper results from rogue DNS servers hosted by the defendants. 

    On your own systems, and the systems you manage, it's recommend you check the DNS settings and register as a victim of the DNSChanger malware if the DNS entries have been modified to point to the defendants' DNS servers. Complaints can be filed here: https://forms.fbi.gov/dnsmalware

    For more information, including steps on how to check your DNS settings, go to http://www.fbi.gov/news/stories/2011/november/malware_110911/DNS-changer-malware.pdf.


    Enhanced by Zemanta

    Wednesday, November 16, 2011

    Department of Defense Cyberspace Policy Report

    The Pentagon, looking northeast with the Potom...Image via Wikipedia
    The Pentagon published their most explicit cyberwarfare policy to date. The report states that, if directed by the president, the DoD will launch "offensive cyber operations" in response to hostile acts. Hostile acts may include "significant cyber attacks directed against the U.S. economy, government or military,".

    Here's a link to the report:
    http://www.defense.gov/home/features/2011/0411_cyberstrategy/docs/NDAA%20Section%20934%20Report_For%20webpage.pdf

    Enhanced by Zemanta