Cybersecurity May 12, 2020
The old saying goes, there are only two kinds of organizations: those that have been breached and those that will be soon. Clearly, the “moat-and-castle” approach to security has not worked. Simply being “inside” a network – behind a firewall, DMZ and other traditional defenses – does not confer trustworthiness, whether it’s a device, a user, network traffic, or an application.
Cybersecurity April 14, 2020
DHS recently published version 3.0 of the Trusted Internet Connection (TIC) architecture. A response to changing IT conditions, Executive Orders, and OMB mandates, the new architecture seeks to support IT modernization through cloud adoption while keeping security as a top priority. The comprehensive set of documents includes an overview, a catalog of security capabilities, a reference architecture, guidance for pilot programs, advice for service providers, and a very helpful set of use cases relevant to agency needs.
Cybersecurity April 14, 2020
The Threat Risk is a function of likelihood times impact.  When it comes to zero-day exploits, particularly those that use return-oriented programming (ROP) or one of its many cousins the likelihood is high, and the impact is higher.  How do these attacks work, and what is the industry doing to stop them?  More importantly, what can you do to stop them?  Is it possible to stop a zero-day without patching or updating systems?  Let’s explore these questions. How ROP Works
Cybersecurity March 20, 2020
The Cyberspace Solarium Commission recently released a groundbreaking report detailing 75 recommendations for improving the cybersecurity of the nation, including both the private and public sectors. The Commission, bipartisan in both name and spirit, conducted over 300 meetings with industry, academia, U.S. government, think tanks and foreign governments. I had the privilege of participating in this effort. The result is a comprehensive report that urges immediate and concrete action on its recommendations, organized into six pillars”:
Cybersecurity March 20, 2020
Last week, my associate, Shane Rogers, shared an article on GovCybersecurityHub discussing the Cybersecurity Maturity Model Certification (CMMC) and its potential impact on small- and medium-sized government contractors.
Cybersecurity March 20, 2020
I recently had the opportunity to visit an amazing new facility—the Cyber Range at Tech Data—and got to meet the truly exceptional people who make it happen. The facility has many purposes, stemming from the powerful sense of mission that drives the staff.
Cybersecurity March 19, 2020
At RSA this year, Chris Krebs gave an important talk: “Cybersecurity Has a Posse” where he stressed the importance of collaboration between government and industry to fight the cybersecurity war. He started by pointing out that his agency, Cybersecurity and Infrastructure Security Agency (CISA) is an “all-source” group. He meant that CISA collects threat information from sources all over the world, including government agencies, private industry, and more. Krebs’ group consolidates that information and disseminates it – daily – to security professionals across all industries.
Cybersecurity October 23, 2019
The security of public sector networks is under attack. Each day security and IT professionals work hard to defend the integrity of mission-critical data and systems against increasingly frequent and complex cyberattacks. Staying informed is critical to staying ahead. That’s great, but there are literally dozens of cyber news outlets, journals, and bloggers to follow. Security leaders and practitioners don’t have time to filter what’s urgent and relevant to their organizations. That’s why we’ve created GovCybersecurityHub.
Cybersecurity October 10, 2019
The first half of 2019 continued to be a busy one for cybersecurity teams and their organizations. But the nature of the adversary is changing. New insight from DLT partner, CrowdStrike, finds that attackers are “continuing to ramp up in both their brazen behavior and sophisticated means.”
Cybersecurity September 24, 2019
The DoD Cybersecurity Strategy https://www.fifthdomain.com/dod/2018/09/19/department-of-defense-unveils-new-cyber-strategy/ stresses nine key points. With the end of FFYE looming, are you aligning your spending with these objectives?
Cybersecurity March 29, 2019
Many government agencies, particularly large agencies, face enormous obstacles in simply compiling and inventory of the software and hardware under in their system. The difficulty is understandable: I know of one agency responsible for 220,000 makes and models of medical devices (note that this number refers to “makes and models” only. The actual number of devices is much, much higher). In addition, the devices are online intermittently, and many of them are on air-gapped (i.e., physically separate networks), complicating the use of automated tools for identification and inventory.
Cybersecurity March 28, 2019
Every government organization has been the victim of a cybersecurity incident. These can range from mundane incidents such as a user leaving their desk without locking their screen, up to a major breach such as the OPM hack in which hackers stole comprehensive and confidential information on millions of government employees and contractors.
Cybersecurity March 27, 2019
Identity and Access Management (IAM) is the art and science of ensuring that someone is who they say claim to be. This ensures that they have the correct level of access to systems and data – enough to do their job, but no more. IAM systems cover a wide range of features, but typically include:
Cybersecurity March 26, 2019
Cybersecurity assessment initiatives and frameworks abound in the US government, the most important being the Federal Information Systems Management Act (FISMA), passed in 2002.  The law’s broad scope included a mandate to the US National Institute of Standards and Technology (NIST), charging it to create methods and standards to assess and optimize the cybersecurity posture of US government agencies.
Cybersecurity March 25, 2019
“Hope for the best, plan for the worst”. This ancient principle still applies, especially for systems with high availability requirements. Principles are easy to quote, but how does an organization implement them effectively?
Cybersecurity March 22, 2019
The “Internet of Things”, or IOT: we’ve all heard the term, but what does it really mean? More importantly, how do we secure all of these … “things”?
Cybersecurity March 21, 2019
Cell phones, tablets, wearables, and other mobile devices dominate our lives. I personally bring my trusty iPad to everywhere, and, like everyone else, have my phone with me at all times. The biggest attack surface for any enterprise, then, may well be these devices. How can we assess the threats? What are the components in need of protection? What are some key methods of protecting them?
Cybersecurity March 20, 2019
Earlier this month, I wrote about the Zero Trust model for security. As I proceed through these daily blogs, I find many of them complement the ZT model; data security is one. Outside the IOT world, the goal of cybersecurity is to protect data. The Zero Trust model recognizes this and focuses on keeping security close to the asset, and portable.
Cybersecurity March 19, 2019
Configuration management is a many-headed beast, but the biggest beast with the sharpest teeth is the patch monster.  Every day, a new vulnerability, a new patch – and an old decision:  patch and maybe break something (I’m looking at you, Spectre and Meltdown), or stay online and be vulnerable.  This model – “panic patching” -- is in wide practice, but not sustainable.  For now, an efficient and reliable system is essential; for the long term, we need an entirely new model.
Cybersecurity March 18, 2019
By now, you’ve heard it a hundred times: the perimeter is breaking down, no more “crunchy outside” to protect a “chewy inside”, no more castle-and-moat model of network infrastructure security. If there is no inside and outside, then where do defenses belong? What security architectures make sense for such amorphous network?
Cybersecurity March 15, 2019
Once upon a time, endpoint security was just a hall monitor: it watched for known bad files identified with a simple signature and sent you an alert when the file was blocked. To be safe, it would scan every machine daily, an intrusive activity that slowed down machines, and sped up the heart rates of affected users and hapless analysts at help desks.
Cybersecurity March 14, 2019
Insider Threat: it’s one of the biggest and most persistent issues in cybersecurity. High-profile cases – Manning, Snowden, and others – have kept the issue in the public eye; government security personnel are rightfully concerned. In addition to the willfully malicious, though, many insiders lack ill intent, but pose a threat just the same.
Cybersecurity March 13, 2019
Do developers at your company keep application security top of mind when coding? Do they have training in secure code development?  Do they have the tools to develop code securely? If they find a security issue, can they quickly fix the issue in all instances throughout a large-scale application? If they use open-source code, do they verify its security?
Cybersecurity March 12, 2019
“Build it in, don’t bolt it on” is a mantra we all learn when we study cybersecurity, yet we see it in practice far too rarely. Our adversaries also know this principle and have begun to implement it by infecting the supply chain – hardware and software – as close to the source as possible. DLT technology partners Crowdstrike and Symantec both note the trend in recent threat reports. In their July,2018 report1, Crowdstrike notes that:
Cybersecurity March 8, 2019
Phishing, vishing, whaling, spear-phishing: the list of clever new terms seems constantly to change. A successful attack by any other name, though, is just as sweet to the adversary. Terminology aside, the fundamental problem is this. Phishing is the most common and effective way to steal data because it goes after the weakest chain in our cybersecurity armor: the human being. Even high-profile people, including one CEO of a major cybersecurity firm and major figures in law enforcement, have fallen victim to phishing attacks.
Cybersecurity February 28, 2019
“Trust but verify”:  a Russian proverb Ronald Reagan often used to characterize U.S.-Russia relations, especially regarding nuclear weapons. The Internet has made it clear that the “trust” part of the proverb may not work so well. Today, we may have to say “Never trust; only verify”.
Cybersecurity February 28, 2019
Every security professional knows that the adversary has the advantage. Security professionals have to find every vulnerability (good luck with that) and remediate it, and the enemy only needs to find one vulnerability and exploit it. This asymmetry underlies their economic advantage: finding one vulnerability gives access to a huge number of systems. In addition, for those willing to forego their conscience and risk jail, it is possible to make large sums of money in a short time, even with a minimum of technical expertise.
Cybersecurity February 28, 2019
You have heard it enough to make you aim a fire extinguisher at your firewall:  “compliance does not mean security”. Compliance work can consume up to 70% of security budgets in Federal government agencies, and it is common to spend more money identifying, documenting, and gaining approval for a remediation than the remediation itself costs.
Cybersecurity February 28, 2019
Return on investment: is it worth the money? That is the central question in both government and industry when deciding on any procurement. Demonstrating ROI on cybersecurity products is notoriously difficult, and is one of the underlying reasons for the poor state of our nation’s cybersecurity posture.
Cybersecurity February 7, 2019
On January 22, the Department of Homeland Security (DHS) issued a directive to government agencies in response to breaches of the Domain Name System (DNS). The attackers used stolen credentials to alter DNS entries and steal certificates used for encryption and decryption.
Cybersecurity December 28, 2018
The “National Cyber Strategy”, released recently by the White House, offers a broad blueprint for America’s approach to cybersecurity.  Let’s look its four “pillars”, and their key elements.
Cybersecurity November 26, 2018
“Cyber Hygiene”:  you know the term, but what does it really mean? Some say it is an ill-defined set of practices for individuals to follow (or ignore). Others say it is a measure of an organization’s overall commitment to security.  Still, others think of “cyber hygiene” as simple, readily available technologies and practices for cybersecurity.
Cybersecurity October 3, 2018
This month, Symantec caught up with Don Maclean, Chief Cyber Security Technologist, DLT, to get his thoughts on today’s top cyber challenges. You can hear more from Don at the Symantec Government Symposium on Oct. 30, as he shares his perspective on the “Aligning Cyber Priorities and Modernization Policies” panel.
Cybersecurity September 27, 2018
To improve the federal government’s cybersecurity posture, the Department of Homeland Security created the Continuous Diagnostics and Mitigation (CDM) program.  On September 6, the House of Representatives voted to codify CDM, and barely two weeks later, the White House’s National Cyber Strategy assigned to DHS still more authority over cybersecurity in the United States.  What’s more, government contractors are winning 9- and 10-figure CDM contracts, so it’s clear that CDM’s time has come.
Cybersecurity July 31, 2018
As hackers get more sophisticated, endpoint protection (EP) systems have grown more sophisticated. While no one claims to catch everything, endpoint protection matures each year. Let’s see what modern EP products have to do these days.
Cybersecurity January 18, 2018
From Equifax to Yahoo, WannaCry and Petra, every month seems to bring with it yet another high-profile attack. Vendors roll out patches and fixes, and questions are asked across the political and security communities.
Cybersecurity, Technology January 16, 2018
There’s a lot of buzz about blockchain these days, even in government. In fact, we predict that 2018 will be the year of blockchain in government. Blockchain’s inherent security makes it resistant to data manipulation, making it a great tool for securely recording transactions between two parties, everything from medical records, contracts, transactions, even online voting.
Cybersecurity December 5, 2017
Defending against insider threats is a top priority for the U.S. government. When surveyed by MeriTalk, 85% of federal cybersecurity professionals say their agency is more focused on combating insider threats in 2017 than they were just a year ago.
Cybersecurity October 30, 2017
Containers offer many advantages for management, deployment, and efficient development of applications.  Like any technology, however, they are subject to attack from malicious actors, and require diligent security.  Vulnerabilities can appear in the container images themselves, in the registry where they are stored, or in the orchestration and deployment of the images.  Let’s take a look. Image Vulnerabilities & Countermeasures
Cybersecurity October 16, 2017
Earlier this summer, we wrote about how the Department of Defense is eyeing blockchain technology to improve cybersecurity. Now, Meritalk reveals that the State Department is also seeking the use of blockchain (the technology behind digital currency like Bitcoin) to protect its cyber infrastructure, improve its IT platforms and restructure the agency.
Cybersecurity September 25, 2017
The 2017 DefCon conference featured former World Chess Champion Garry Kasparov, who spoke about artificial intelligence, computers, and of course, chess.  After losing a match to a purpose-built computer in 1997, Kasparov realized that the machine, although it had beaten him, was not truly intelligent:  it had simply out-calculated him, by examining over 200 million chess positions per second.  Kasparov soon devised “advanced chess”, in which a strong human player teams up with a computer.   Advanced chess combines the best human qualities of imagination, judgment,
Cybersecurity July 25, 2017
The Cyber Shield Act, commissioned by Senator Ed Markey, recommends the establishment of a voluntary program to institute uniform cybersecurity and data benchmarks for consumer devices. The goal of the bill is to improve consumer decision making from the point of purchase, standardized by industry and maintained by manufacturers – similar to an EPA energy rating on appliances, or NHTSA safety rating on automobiles.
Cybersecurity June 13, 2017
The theme of the recent ICIT Forum was “Rise of the Machines”, a call to recognize the vulnerability of an infrastructure increasingly under control of computers.  The steady increase in connected systems mandates a broad range of strategies – managing supply-chain risk, analysis of huge amounts of data through machine learning, dealing with the insider-threat problem, sealing up holes in applications.  I had the privilege of discussing threat intelligence sharing on a panel with Todd Helfrich of Anomali, John Kupcinsky of KPMG, and Ana Besk
Cybersecurity May 15, 2017
On May 12 a ransomware virus, WannaCry, was released on the Internet and rapidly spread to hundreds of thousands of Microsoft Windows based computers in over 150 countries.  The malware encrypts critical files on a computer, such as Excel, Word, and other important files, and seeks out backup copies for encryption as well.  Once it infects a system, it requires the victim to pay approximately $300 in digital currency (Bitcoin), and immediately tries to find other systems to infect.
Cybersecurity May 15, 2017
The White House has recently issued an Executive Order, “Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure.”  The Order is broad in scope, and features positive provisions, some unfortunate omissions and a seemingly excessive set of reporting requirements.  Let’s take a look.
Cybersecurity April 17, 2017
On the heels of their big announcement, McAfee hosted the recent “Security Through Innovation” conference sponsored by DLT, where government and industry executives touted key ideas, changes of mindset that we need to start to win the cybersecurity war.  Covering everything from Cloud to private/public partnerships, to CDM and infrastructure, here are the top 3 key takeaways from DLT's Chief Cyber Technologist Don Maclean.
Cybersecurity March 2, 2017
Compromised credentials are a leading cause of security breaches.  According to Verizon’s 2015 Data Breach Investigations Report, 95% of security incidents involved stealing credentials from customer devices, and using them to web applications.  So many stolen credentials are available to hackers, generally on the Dark Web, that passwords are no longer effective.
Cybersecurity February 8, 2017
The history of hacking shows that bad actors use good technologies for bad purposes.  Machine learning is no different: it has never been easier for white hats and black hats to obtain and learn the tools of the machine learning trade. Software is readily available at little or no cost, and machine learning tutorials are just as easy to obtain.
Cybersecurity August 24, 2016
Last year, we reviewed threat reports from numerous companies and organizations.  At the time, a couple of simple themes emerged: too many systems were unpatched, and phishing was a predominant means of intrusion.  These themes are still present a year later, but some new trends have arisen to keep them company.
Cybersecurity, Uncategorized July 1, 2016
I’m fed up. Better yet, I’m “F.U.D.-ed” up.  In every cybersecurity conference, in every threat report, in every blog and every bit of cybersecurity marketing literature I see one tiresome theme:  “The bad guys are after us!  It’s getting worse every day!  How will we fix it?  Can we fix it?  There’s no magic bullet! The cyber sky is falling, run for your cyber life!”  In other words, an unrelenting stream of– Fear, Uncertainty, and Doubt.