Computer Security Awareness Training

CyberSecurity Training and Awareness: Blog

Cybersecurity Policy will Create New Challenges

Robert Hodges June 15, 2009

The 76-page Cybersecurity Policy Review President Obama assigned to Melissa Hathaway earlier this year initiated some movement toward a U.S. cybersecurity policy, and experts agree that the road ahead will not be easy.

In summary, the report found most American architectures (both public and private) to be lacking, and stated that “Without major advances in the security of these systems or significant change in how they are constructed or operated, it is doubtful that the United States can protect itself from the growing threat of cybercrime and state-sponsored intrusions and operations.”

In her Redmond article last month, Jabulani Leffall presented feedback from some leading software security experts.

Chris Schwartzbauer, senior VP of Shavlik Technologies, said there was not enough focus on where the threat is coming from, or on reducing response time when threats occur. Phil Lieberman, president of Lieberman Software, said the report did not have enough to say on the legal front and should have provided legal safe harbor for organizations that implement security, and a waiver of liability for those that share breach information.

The biggest challenge for the Cybersecurity Coordinator, said Abe Kleinfeld, CEO of nCircle, will be that “the Internet itself, and the majority of Internet infrastructure, is in the hands of the private sector.” Kleinfeld also spoke of the need for increased response time when cyber attacks occur.

Regardless of the parties involved, what remains clear is that this undertaking will be difficult, complicated, and require new levels of cooperation between the public and private sectors. It remains to be seen whether security cooperation on this scale can be effectively achieved.

Subscribe to the CyberSecurity Training and Awareness blog to be the first to learn about future Cyber Security training news and Security Awareness Training solutions.

Cyber Security is a high priority for the Defense Department

Robert Hodges June 12, 2009

Defense Secretary Robert Gates has stated that the DOD is strengthening its responses to cybersecurity threats. Gates says, “There is no doubt that the integrity and security of our computer and information systems will be challenged on an increasing basis in the future… Keeping our cyber infrastructure safe is one of our most important national security challenges.”

His budget request increases funding for a range of capabilities centered on information assurance and information security, including how information is generated, stored, processed, and transported. Further, he is specifically requesting a cyber test range where cyber defenses and weapons can be tested in a realistic environment. Gates says they hope to increase the number of cyber experts his department trains from 80 to 250 per year by 2011.

Of course, the key element in resource effectiveness will be how well the DOD and other government agencies can share information and use each other's strengths.


AFCEA DC Cybersecurity Symposium

Robert Hodges June 11, 2009

The 2009 AFCEA DC Cybersecurity Symposium will be held June 25, 2009 from 8am to 5pm at the Capital Hilton, Washington, DC.

This event will highlight the Administration’s elevation of Cybersecurity to the number one technology priority and lay a foundation for the various communities in the government and private sectors that will be working together in this arena. For more information please visit the AFCEA DC Cybersecurity Symposium website.


Who should manage US Cyber Security?

Robert Hodges June 10, 2009

This question of U.S. Cyber Security oversight has been a hot topic this year. Rod Beckstrom’s resignation earlier this year centered on criticism that NSA played too large a role in the national cybersecurity effort. Following this, the NSA Director stated that he did not want sole responsibility for running U.S. cyber security.

At the RSA security conference in San Francisco, NSA Director Lt. Gen. Keith Alexander focused on the need for a group effort rather than a centrally managed operation, while the President’s response to the Cybersecurity Report spoke of the need for a new centralized position to oversee the joint efforts. It will be interesting to see what approach is taken, if one is committed to, in the upcoming year.


Avoid headaches with E-Discovery Compliance

Robert Hodges June 09, 2009

When an organization is subpoenaed for documents in litigation, its IT department is under a lot of pressure to find every relevant document or email, including disaster-recovery backups stored off-site. An oversight can result in additional legal costs and search expenses in the millions of dollars. To avoid this, it is imperative that IT and legal departments work hand in hand to build policies for Electronic Discovery and a plan for execution when litigation hits.

A good way to avoid oversights is to create E-Discovery Teams with both IT and legal principals. These E-Discovery Teams are responsible for setting policies for data retention, preservation, and discovery-ready organization.

Andrew Conry-Murray, in his InformationWeek article on June 1st, demonstrates how three different companies pulled together the key people needed to reduce the complexity and cost of E-Discovery. He also highlights three phases of discovery: the Identification Phase, the Preservation Phase, and the Collection Challenge.

The Identification Phase is focused on finding all sources of electronic data that may be relevant. Defining relevant search terms will provide the best results. The Preservation Phase is the process of making sure that potentially relevant information (for example, past employee email, HR records, and work files) is not destroyed at any source, including PCs, shared files, and removable media. Data can be copied and moved to a secure repository, or preserved in place with legal holds on who can open, write to, or copy the data. The Collection Challenge requires that relevant data is gathered and delivered to attorneys. Based on legal analysis, the search may be expanded.

Though solid E-Discovery policies will not guarantee a win in court, they can ensure that a case is not lost based on oversight or a misstep with data identification, collection, and preservation.


Five Cybersecurity Metrics

Robert Hodges June 08, 2009

While browsing some of the archives on CSO, I found another great article by Scott Berinato providing five information security metrics and how to effectively present them.

For each metric, he demonstrates what is measured, how to get the information, what the information tells you, and what it should not be used for. Very insightful.


PCI DSS Compliance - A fresh look for your Executive Team

Robert Hodges June 05, 2009

I read a great article today on CIO.com by Dave Taylor, founder of PCI Knowledge Base, which gave a fresh look to Payment Card Industry Data Security Standard (PCI DSS) Compliance.

In his “Guide to Practical PCI Compliance,” Dave provides some great ideas for re-visiting PCI DSS in a way that will resonate with the Executive team.

His first suggestion is, “Connect PCI compliance to fraud and risk management.” It is important to demonstrate that security spending is actually resulting in reduced fraud rates. In order to be effective, the right data needs to be collected.

Second, Dave suggests introducing new sales channels like mobile payment. If consumers can buy products from their cell phones and mobile devices, it will provide both a new revenue stream and an opening for the conversation about securing the payments. As he points out, “Most boards would welcome a tempered presentation on how to effectively secure and integrate the mobile payment process into the business.”

Finally, consider outsourcing. Payment outsourcing will reduce risk and cost, and it narrows the PCI DSS Compliance scope, which makes it more attractive. A presentation of the pros and cons of this strategy would be, in Dave’s words, “worthy of a trip to the boardroom.”


Cybersecurity - Data Breach Notification Map

Robert Hodges June 03, 2009

Scott Berinato with CSO provides an excellent resource and state by state map for Data Breach Notification Laws.

While most states follow the basic tenets of the California law, some allow for more exemptions or do not allow a private right of action.

Scott lists a few other important details to consider, including:
1. Notification guidelines: how soon a company is required to inform customers of a data breach. In California, this is “as soon as possible, without unreasonable delay.”
2. Penalty for failure to disclose: whether or not there are civil or criminal penalties for a failure to disclose. In California, a company cannot be penalized for its lack of promptness alone.
3. Private right of action: whether this option exists for consumers in that state. In California, this is available.
4. Exemptions: what kinds of breaches, if any, companies are exempt from reporting. California allows exemptions for encrypted data that’s lost and publicly available government data. In California there is no such thing as an immaterial breach, while other states do have a definition of immaterial breach.


Philip Reitinger Named Director of the National Cybersecurity Center

Robert Hodges June 02, 2009

Philip Reitinger has been named director of the National Cybersecurity Center by the U.S. Department of Homeland Security. Janet Napolitano named him to replace Rod Beckstrom, who resigned earlier this year due to “turf battles” with other agencies.

Beckstrom, who resigned in February, said his decision was in part due to the NSA’s interference in domestic cybersecurity and DHS’ unwillingness to provide needed resources to the NCSC.

While few will argue against DHS’ operational role in cybersecurity, it has been pointed out that the White House must take on the task of developing and enforcing a comprehensive national cybersecurity strategy. While Obama announced the creation of a White House-level cybersecurity coordinator last week, he has yet to make the appointment, and no one knows how the official will work with the various agencies involved in national cybersecurity.

