Computer Security Awareness Training

Ben Bain gives great coverage of this question in his Federal Computer Week article.

Many are asking if mandatory cybersecurity training or licensing will make government systems more secure. Those in favor of these new mandates point out that there is currently no standard government-wide preparation program required for those who protect government information systems and computer-controlled infrastructure from attack. Others debate whether mandatory classroom training will make a difference.

These mandates would affect tens of thousands of IT workers, and licensing could tie up the industry in red tape, hindering it’s ability to keep training up-to-date with the rapidly changing technology.

While the use of certification as a tool for hiring is nothing new, a mandatory licensing program would be unprecedented.

“A lot of people have problems with where do you draw the line: Who has to get a license, who doesn’t, who would be the licensing authority, what would be the extra cost, what are the liability issues?” said Lynn McNulty, director of government affairs at (ISC) and a former federal information security program manager.

Other issues cited include added layers of federal oversight and a concern the licensing program would be unable to keep pace with new threats.

How would these new mandates effect your job role, your organization, and your ability to keep up?

Subscribe to the CyberSecurity Training and Awareness blog to be the first to learn about future Cybersecurity Training, Licensing, and Security Awareness Training solutions.

According to a survey of C-level executives, CEOs appear to underestimate the IT security risks faced by their own organizations. A story by Jaikumar Vijayan with CIO.com gives the full details.

In summary, it seems that most CEOs differed in their understanding of IT security risk factors as compared to other C-level executives and felt more confident that breaches could be avoided. In comparison, most CEOs felt that the CIOs are responsible for protecting data at their companies, where only 24% of other senior managers felt the same way. Over 85% of the respondents shared the opinion that someone else (other than themselves) would be held responsible in the case of a data breach.

How well does your executive team communicate on the importance of mitigating IT security risk factors, executing an IT security policy, and each person’s role in the equation?

Subscribe to the CyberSecurity Training and Awareness blog to be the first to learn about future IT Security News, and Security Awareness Training solutions.

Many analysts have listed insider espionage as a primary security threat this year.

The application layer, or inside-entry point, becomes an easier staging ground for attacks since the firewall and security software and hardware make it harder to break in from the outside. In addition, the insider is often aware of what steps his or her organization has taken to secure the network and which applications sit on it.

Examples including identity theft by bots, malicious spyware, Web 2.0 exploits, event phishing and chain mail attacks are expected to grow over the next year. A common theme of these attacks is that the threats are often unknowingly executed through the end user.

Suggestions for minimizing risk include creating a “whitelist” of acceptable applications, monitoring log-ins and system activity for accountability, and executing an organization-wide security policy, including security awareness training for the end users.

Subscribe to the CyberSecurity Training and Awareness blog to be the first to learn about future Cybersecurity News, and Security Awareness Training solutions.

Late Thursday night, July 16th, an email message showed up in the boxes of over 800 people at North Carolina State University.

The subject was, “Mandatory Security Update: July 2009,” and the email claimed to be from the IT Help Desk. It claimed that in an effort to block spam, all e-mail users had to click a link to the university’s e-mail sign-in page and enter their user name and password.

Of course it was a hoax and the landing page was a site to collect user information. Fortunately, NC was able to stop the attack before any real damage could be done. They realized the phishers were copying the actual graphics from the school’s site and changed the graphics to read “THIS IS A PHISHING SITE. Do not enter your password.”

It is a good policy not to share your password information with anyone. The appropriate people will not need to ask you for it.

Subscribe to the CyberSecurity Training and Awareness blog to be the first to learn about future Cybersecurity News, and Security Awareness Training solutions.

According to researchers at Kapersky Lab, more than 25,000 types of malware have been tracked spreading through social networks this year, and they expect the number could exceed 100,000 by the end of 2009.

Rather than targeting technical vulnerabilities, most now focus on social engineering techniques to collect personal data using social media like Twitter and Facebook. In many cases, they pass a malicious link to bogus websites to force-download malware or harvest account information. Often the power of small bits of information is greatly underestimated, and these parts add up to give criminals complete access to a network.

It is important not to follow any URL you don’t recognize (and a good habit with any link, even if it seems harmless) is to check the properties and copy/paste the safe link into a fresh browser window.

Subscribe to the CyberSecurity Training and Awareness blog to be the first to learn about future Cybersecurity News, and Security Awareness Training solutions.

With the new Presidential administration focusing on cybersecurity, many federal agencies and organizations face increasing pressure to comply with mandates and meet security compliance.

Barbara DePompa wrote a great article for FederalComputerWeek this morning, listing the Top Ten Security Insights from Government IT Executives.

In summary, the results of this 1105 survey included:

• Intrusion detection and prevention (IDS/IPS): Over 53% of surveyed IT Execs said that intrusion detection, access control, and identity management were a top concern.
• Staff Training in Cybersecurity: 60% said they would implement security training in the coming months, implementing stronger security procedures this year and training users in security awareness and practice. Barbara points out, “That’s because a lack of security awareness among employees can lead to leakage of classified or sensitive information, especially through personal emails and ‘social engineering’ schemes. Misconfigured systems also present vulnerabilities and can occur from experimentation, accidental employee actions, allowing security fixes to get out of date and failure to periodically review policies.”
  
• National Cybersecurity Initiative: This initiative has three elements:
  • Technical standards for using, storing and destroying cryptographic keys that grant access to authorized individuals on encrypted networks and systems
  • Development of multifactor authentication methods requiring users to verify their identity through multiple methods
  • Extension of the FDCC to optimize security across operating systems, applications, and network devices.
• Migration to Trusted Internet Connections: With an increasing number of internet-based attacks, federal agencies have reduced the number of public internet access points from over 5,000 to less than 100 in the upcoming year in response to the OMB’s Trusted Internet Connection (TIC) mandate.
• Collaboration with Public/Private Sectors for Awareness: This issue was considered key because without information sharing, important clues for prevention are unable to be used effectively in saving lives and protecting national security.
• Managing Security of Mobile Devices: More and greater encryption technologies and stronger physical security measures were key areas mentioned.
• Protecting Critical Infrastructure: Forty-two percent placed great priority on the need to protect critical infrastructure against cyber attacks, including supply chain, power supply, utilities, biohazard monitoring, and other concerns. This concern seems to be impacted by the increasing attacks on government systems and networks by foreign nations looking for intelligence, including China and Russia, criminal groups, and terrorist activity.
• Securing Cloud Networks: With a growing use of virtualized infrastructures and cloud computing environments, More than a third of the survey’s respondents were concerned that these areas have not been properly addressed.
• The Role of the Chief Security Officer (CSO): Over 87% of respondents’ agencies have named a CSO, a growing role since the 2002 Federal Information Security Act was passed by Congress, with OMB and NIST leading the effort. As Barbara points out, “The CSO’s job is to provide the overall leadership, strategic planning and vision for an effective cyber security program within an agency or department. To be empowered in any government organization, industry observers maintain that the CSO must be successful in convincing agency leadership of the importance of security.”

Overall focus on upgrading physical security, securing mobile devices and protecting critical infrastructure seems to point to a convergence of physical and IT security.

Subscribe to the CyberSecurity Training and Awareness blog to be the first to learn about future Cybersecurity News, and Security Awareness Training solutions.

Security experts studying the massive botnet known as the Conficker worm are concerned that this may be only the beginning.

While the worm has been discovered on over 10 Million machines this year, it is unclear what motive is behind the attack. The worm was protected with a MD6 cryptographic hash algorithm, which slowed researchers trying to block the worm and allowed it to quickly infect machines.

To date, researchers in the Conficker Working Group haven’t been able to track down those behind the attack.

Subscribe to the CyberSecurity Training and Awareness blog to be the first to learn about future Cybersecurity News, and Security Awareness Training solutions.

Microsoft is working with the Federal government to establish security settings for the Federal Desktop Core Configuration (FDCC) for the Windows 7 release this October.

With the alpha version of it’s security guide released earlier this month, Microsoft is working with the DOD to merge this component into the FDCC, providing a single standard for secure configuration.

William Jackson reported in a Redmondmag.com article recently, “Microsoft’s security guide specifies two security configurations for its operating systems: a standard enterprise configuration and the secure limited functionality recommended for organizations with higher security needs. The government’s FDCC for XP and Vista does not correspond exactly to Microsoft’s security guides, but officials hope the settings for Windows 7 will be harmonized into a single industry/government standard.”

While the National Institute of Standards and Technology (NIST) has outlined a process for creating security configuration checklists in it’s National Checklist Program (NCP), Steve Quinn (senior computer scientist at NIST) says the goal of Microsoft’s work with DOD on Windows 7 configuration will be a government-wide standard which applies beyond defense and national security systems. When completed, NIST will check the configuration against the NCP.

Critics point out that until the FDCC configurations are actually tested in a production network, it will be unclear what incompatibilities may come up.

Subscribe to the CyberSecurity Training and Awareness blog to be the first to learn about future Windows 7 Security Configurations, news, and Security Awareness Training solutions.

Microsoft plans to release six fixes in it’s July security update tomorrow.

Jabulani Leffall gives a detailed explanation in his RedmondMag article.

In summary, three “critical” patches will stave off RCE exploits, patch the DirectX multimedia control solution, and fix other RCE exploits. The “important” patches will include a virtualization fix for Microsoft Virtual PC 2004 and 2007 editions and Virtual Server 2005 R2 and R2 ×64, as well as address Microsoft Internet Security and Acceleration Server 2006 vulnerabilities and deal with 2007 Microsoft Office System SP1 and Microsoft Office Publisher 2007 SP1.

Subscribe to the CyberSecurity Training and Awareness blog to be the first to learn about future Cyber Security training news and Security Awareness Training solutions.

Craig Zarley with ChannelWeb posted a great article last October, following the NACISO conference, and I wanted to share that information again in light of what we are seeing this year.

According to Craig, “Solution providers hoping to capitalize on state government business in 2009 must focus on cost-cutting solutions and products.”

The National Association of State Chief Information Officers (NASCIO) released the State CIO’s Top Ten Policy and Technology Priorities for 2009. The lists, based on an annual survey of state CIOs conducted by NASCIO, included one for Priority Strategies, Management Processes and Solutions and another for Priority Technologies, Applications and Tools. (see these lists here)

He goes on to say, “The lists clearly reflect the budgetary uncertainty faced by state governments in the face of what could prove to be an extended economic downturn. But by prioritizing their IT strategies, the lists also serve as a roadmap for solution providers hoping to grow their state government business.

At NACISO’s annual conference in Milwaukee last month, CIOs were quick to lump their top priorities of virtualization and consolidation into overall energy and cost cutting measures seen as part of overall green IT initiatives.

CIOs noted that green technology is no longer a fad or a political ploy. Ken Theis, Michigan’s CIO, said at the conference that CIOs need to take a leadership role in pushing green technology and he even suggested that states appoint chief energy or greening officers. “We are at a crossroads,” he said. “Green technology is something that is critical now but it is soon to be a mandate.”“

Subscribe to the CyberSecurity Training and Awareness blog to be the first to learn about future Cyber Security training news and Security Awareness Training solutions.

There is no doubt that Green IT is quickly becoming a necessity. With many organizations in both the public and private sectors (over 86%)* focusing on energy reduction, it’s only a matter of time until recommendations become Green Compliance requirements.

A recent study* by Applied Research showed that 30% of organizations surveyed had already implemented a strategy, and 67% were in the discussion or trial stages for developing one.

Be proactive and look for ways to implement Green IT initiatives that can help you cut cost and save energy.

Several areas to consider include hardware (Green IT can help you save on cooling costs and data center electricity), power management products, and services like SaaS, Virtualization, and Web-Based Training.

A web-based training solution can help you reduce carbon and energy use as well as provide an increased ROI. Instead of a conference room, where energy is used for a projector, multiple computers, and additional cooling, a web-based alternative can provide a green solution that allows for on-demand training, just-in-time answers to quick questions, and faster paced learning.

In addition, an on-demand solution with knowledgebase articles and integrated helpdesk support can reduce the amount of time your helpdesk and IT staff spend answering common questions, and increase their performance on critical tasks and initiatives.

Subscribe to the CyberSecurity Training and Awareness blog to be the first to learn about future Green compliance news and Security Awareness Training solutions.

I just read a great article in eWeek about a new Green IT and Green Computing certification being developed by DOE.

The U.S. Department of Energy plans to reduce energy use in U.S. data centers by 10% over the next 2 years with a new training certificate for data center managers that focuses on energy efficiency.

The Save Energy Now program will begin October 21st, 2009, at Georgia Tech’s Global Learning and Conference Center in Atlanta.

By targeting power conversion and distribution, server load, computing operations, cooling equipment, and alternative power generation, Save Energy Now aims to reduce energy use by ten percent by the end of 2011. Chris Preimesberger outlines the full story in the eWeek article linked above.

It will be interesting to see how this and other initiatives being pushed by the President create new policies and compliance areas in the next few years.

Subscribe to the CyberSecurity Training and Awareness blog to be the first to learn about future Green IT training news and Compliance Training solutions.