WEBINAR: GSA, DHS, NIST on personal mobile security, THU 11/10 (CPEs)

Securing and managing agency mobile apps.
WEBINAR, THU 11/10, Complimentary, CPEs

This important video webinar will explore how mobile apps
rapidly expand in agency networks and how agency experts
limit security risks while they manage mobile Web devices
to drive agency productivity and mission achievement.

REGISTRATION AND INFO
https://goto.webcasts.com/starthere.jsp?ei=1123951&sti=emc

ALTERNATE REGISTRATION LINK:  http://www.FedInsider.com

WEBINAR TOPIC
The Framework for Mobile Security in Government

DATE: THU 11/10
TIME: 2:00 PM ET / 11:00 AM PT
DURATION: 1 hour
CPE: 1 CPE from the George Washington University,
Center for Excellence in Public Leadership
COST: Complimentary

SPEAKERS
– JON JOHNSON, Enterprise Mobility Team Manager, GSA

– VINCENT SRITAPAN, Program Manager, Cyber Security
Division, DHS Science and Technology (S&T) Directorate

– JOSHUA FRANKLIN, Information Security Engineer, NIST

– JOHNNY OVERCAST, Director of Government Sales, Samsung
Electronics America

– TOM TEMIN, Host and Managing Editor, The Federal Drive,
Federal News Radio 1500 AM

PRESENTED BY: WTOP, Federal News Radio, FedInsider News,
and The George Washington University Center for
Excellence in Public Leadership

*** OTHER GOVT-INDUSTRY CPE CREDIT EVENTS IN THE SERIES ***
Visit http://www.fedinsider.com

CART services provided for captioning for all webinars.

Looking forward to meeting you online!

Peg Hosky, President

Email: peg@hosky.com
Phone: 202-237-0300
http://www.FedInsider.com
LinkedIn: http://www.linkedin.com/in/peghosky
Twitter:  @peghosky

FedInsider News
3811 Massachusetts Avenue NW
Washington DC 20016
F10-171912

diacap-to-diarmf-ca-vs-rmf

diacap to diarmf: C&A vs RMF

DIACAP is transitioning from a Certification and Accreditation to a Risk Management Framework.  Most of the new Risk Manager Framework is in the NIST Special Publication 800-37.  The old NIST SP 800-37 was also based on Certification and Accreditation.  After FISMA 2002, it adjusted to a Risk Management Framework in NIST SP 800-37 Rev 1, Guide for Applying the Risk Management Framework to Federal Information Systems.

diacap-to-diarmf-ca-vs-rmf

diacap-to-diarmf-ca-vs-rmf

NIST SP 800-37 to SP 800-37 rev 1 transformed from a Certification and Accreditation (C&A) process into the six-step Risk Management Framework (RMF).  The changes included:

  1. Revised process emphasizes
  2. Building information security capabilities into federal information systems through the application of state-of-the-practice management, operational, and technical security controls
  3. Maintaining awareness of the security state of information systems on an ongoing basis though enhanced monitoring processes
  4. Providing essential information to senior leaders to facilitate decisions regarding the acceptance of risk to organizational operations and assets, individuals, other organizations, and the Nation arising from the operation and use of information systems

Find an IT Security Jobs

So do you have any suggestions for someone starting out in IT Security? What certifications, knowledge, training, forums, do you suggest? They will pay for the A+ cert, Network + and Security + certification. Do you have any suggestions for someone just starting out in security? After CompTia what should I focus on. Although I’m not sure yet of my final career goals, I’d like to first get a job very quickly in IT security, hopefully with the government, state, or any local government; when I say quick I mean within the next few weeks Thanks Rob for whatever info you can suggest

Hello,

If you want a job fast I would suggest checking out simplyhired.com. I would also put my resume out on Monster.com, if you have not already done so. If you want a security job the security+ is the way to go, but also consider doing a search on monster and simplyhired to look at the skills and certifications that employers are looking for. Pay particular attension to keywords and phrases that they are using. You will know the keywords/phrase because they are repeated in nearly every resume for your chosen career path and/or job title.

How I get Jobs Fast
For example, in my career “system security engineer” and “information security officer” I see the following keywords/phrases over and over: security clearance, cissp, 8500, diacap. If noticed that when I have these keywords on my resume, I get calls almost DAILY from all over the US. Here is how you can do the same:
1) Find a good job title that fits what you do or what you want to do
2) Do a search for that job title [use google, simplyhired.com, monster.com, dice.com or any other search engine/job database]
– Read through the job results and try to find keywords/phrases that seem to be in most or all of the jobs listed
3) Try to get as many of the applicable keywords/phrases in your resume
– Either have the skills required for the chosen job title or begin working toward them
– I am not suggesting that you put lies on your resume, you’ll have to look for job titles that you have experience & skills in
– Don’t mess with stuff that completely out of your league or level of expertise, be honest on your resume
– Sometimes employers will take you if you are willing to learn the skills or earn the require certification/degree in a certain time frame. Put that on your resume.
4) Put your resume [with keywords/phrases in place] online, as many places as you can

Research Employer Demand in certain locations
I am from California and I have been trying for years to find a decent job (for what I do) there. They’ve got them in southern California but almost none in Northern. California seems to be lacking jobs and then they don’t want to pay comparable to the cost of living there. I noticed that Cali has a LOT of networking jobs. If you type in CCNP in simplyhired.com for Cali, you’ll find a lot of good paying jobs. The problem is that CCNP is a very difficult certification to get (or so I’ve heard).

I would recommend checking out what sort of IT skills employers are looking for in the area you want to work. For example, even though I have lots of certifications, most of the ones that I have [that are still active lol] won’t help me for moving back to Northern California. I researched it and found that they are mostly looking for Network Engineers [as of 2006-2010] and my Cisco routing and switching skills are still developing.

Play Capitalisms Game: Start a Business
Another option is to start your own business. This may sound daunting, but believe it or not my website elamb.org qualifies as a business. It took me about 1 year to get it making money, but now it makes between $400 – 800/month without me even looking at it. It has made as much as 2k and I know people who make more in a month then many people make in a year with their blogs. It is becoming harder and harder to be an employee. Companies do the bare minimum to take care of employees, the economy goes in a recession (or worse) and hard working people can not find a job and the value of the dollar flutuates on a downward spiral. It seems the only way to be comfortable in this new “capitalism” is to have multiple streams of income.

If you are interested, start at your states business page and here

Thanks,
Rob E.

You Hack US, We Nuke You!

The United States’ top commanding officer for the space and cyber domains told reporters last week that a cyber attack could merit a more conventional military response.

During a press briefing on Thursday, U.S. Air Force General Kevin Chilton, who heads the U.S. Strategic Command, told reporters that top Pentagon advisors would not rule out a physical attack on any force that attacks the United States through the Internet. Currently, the military’s networks are probed thousands of times a day, but the goal of attackers seems to be espionage, not to take down critical networks, he told reporters –

Security Focus

I don’t believe that military force is the equivalent action for a cyber attack. Arrest and/or apprehension is the physical response necessary for criminal hackers attacking from other countries. Cyber counter-attacks are the correct response for government funded & coordinated attacks.

I think if the U.S. reciprocates a cyber attack x10 when other countries are playing little games, we’d get our message across effectively. We should do so in a well funded and covert way in which the enemy has NO DOUBT that the face slap came from a U.S, hand, but no proof at all allowing plausible deniability. It should be black Ops hacks, very well coordinated, very well funded and full time.

I don’t think the US can be complacent or wrecklessly meek in matters of cyber warfare. Instead, it must be fair, quiet and heavy handed when it comes to one of its most valuable asset, information.

Challenges of Internet Security

The primary challenges of Internet security have everything to do with balancing accessibility and functionality with the three pillars of information security: confidentiality, integrity and availability.

The Internet has become an in disposable tool for research, commerce, art, education and virtually every part of modern life. It was the inquisitive, intelligent, intuitive and creative nature of humanity that created the Internet and its those same qualities that put individual systems linked directly to the Internet in peril. The three pillars of information security are at stake for all systems with connectivity to the Internet. The challenge is in the implementation of the necessary security controls to achieve those three pillars.

Confidentiality:

Confidentiality pertains to protecting sensitive information. Sensitive information can be anything from private user information to classified defense data. Many organization live and die by the protection of proprietary information from competitors. During wartime, the armed services literally LIVE or DIE based on how well certain sensitive information is guarded. In the US Department of Defense is called Operational Security. Since the Internet is a critical part of the DoD (and defense organizations around the world) the confidentiality is a HUGE challenge for their Information systems exposed to the Internet. Some of the threats to there systems include: social engineering, leaks of information and accidental release of sensitive data. All of these threats can be enabled via the Internet.

Organizations must educate their user who have access to sensitive information. I’ve heard some security professionals say that educating users is bad.

But if your users have access to sensitive information (and need to have that access to do their jobs) it is imperative that they not only know WHAT is sensitive, but WHO it can be give to, WHEN it can be shared, HOW it can be share and WHY it can be shared.


Integrity:

Data integrity is very important to all systems passing data on the Internet. Integrity has to do with whether or not the message on the other end of your connection is the same one you actually sent. Whether its your passwords being passed to your bank or the DoD passing data over the Internet, the integrity of the data is imperative. Its often taken for granted until, we are sending an email and the receiver says they got the email but the message can’t be read. Sometimes if the messages integrity is garbled or malformed it simply won’t reach its destination. If the integrity of a message can not be protected in some way or verified and checked, it is possible for someone to intercept your message, alter it, and send it on its way. Integrity is especially critical in banking and financial transactions which is why encryption and authentication take on such an important role for sensitive transactions such as ATM withdrawals, and online banking.

The challenge to maintaining Internet integrity is to ensure that link is encrypted when necessary.


Availability:

If there is no availability there is no mission, no business, no functionality. One of the major challenges of Internet security has been Denial of Services attacks. A Denial of Service attack is when your system on the Internet (or within a network) is flooded with useless traffic such that no one else (not even you) can use it. With a misconfiguration, a denial of service can happen by accident. Its important to test the availability of an online system. Its also a good practice to see what kind of availability and access you are giving. After all, too much availability can compromise the security of your system.

Most challenges of Internet security can tie into one or more of the big three: confidentiality, confidentiality or availability. With those in mind most challenges can be overcome. But the double edged sword of security.. the very nature of it on the Internet is to constantly change and evolve with the Internet. The constant change of threats to those three aspects of security is perhaps the biggest over arching challenge.

Dangers on the Internet

Dangers on the Internet
This is a follow up to my post Why is Internet Safety Important

Dangers of the Internet are relative to the perspective of those accessing it. That is to say, on the Internet “dangers” are completely dependent on who is accessing what data from where and what their intentions are for accessing it. For example, researching a list of poisons could be a considered “dangers to the Internet” if a seriously disturbed person intends to kill his or her spouse. On the other hand, if a parent is just wondering what house hold products are poisonous with the intention of protecting her children, can that be considered a danger?

So protection from dangers on the Internet should be proactive and involve human judgment at some level. Policies must be written, planned and implemented in advanced or ad hoc to suit the environment and the users accessing the Internet. Children at a school with access from the classroom will more than likely be different from employees at a skating rink.

Even the items commonly considered dangers on the Internet relate directly to how much access individuals and organizations allow to and from the web. Common “dangers” may include (but should not be limited to) the following:

Accessibility to personal – applies to educating users on the dangers of putting personal information on the Internet and protecting organizational data bases

Sensitive data – For a school sensitive data is likely linked to the grades and personal information of staff and student, but for a business sensitive information could include proprietary information that would hurt the bottom line if it were leaked to competition.

Financial fraud & criminal hackers/scammers- This applies to educating users about criminal hacker techniques such as malware, social engineering, email and website phishing

The access of impressionable and/or psychologically disturbed individuals to potentially harmful and destructive information – This is rather subjective however it should be a concern to schools from elementary – colleges, rehabilitation facilities and mental institutions. There are ways to block certain obvious material with web-blocker type applications, but no one can stop them all. Monitoring is a must if this danger is to be handled seriously.

The risks and damage of these dangers are dependent on the environment & the users involved. It is up to the system owners to ensure that the policies are properly planned, implemented and maintained as exposure to any Internet danger can disrupt the safety, mission and/or values of an organization or individual.

Certification & Accreditation Change

Standard-issue security
Certification and accreditation process for national security systems to extend to the rest of government. A two-year-old effort to standardize processes for certifying and accrediting government IT systems could soon bear fruit, according to officials from several agencies.

The Committee on National Security Systems is preparing instructions for implementing a unified certification and accreditation (C&A) process that could be used on all national security systems, including those in the Defense Department and intelligence community, said Tony Cornish, chairman of the CNSS’ C&A working group.

At the same time, the National Institute of Standards and Technology plans to update its C&A guidance for systems covered by the Federal Information Security Management Act, said Ron Ross, a senior computer scientist and FISMA implementation lead at NIST.

“We are very close to producing a unified C&A process for the entire federal government,” Ross said in July at a government security symposium hosted by Symantec. “Within the next six to eight months, you are going to see a plethora of new things coming out” from CNSS and NIST.

CNSS’ instructions will be incorporated into NIST guidelines in its 800 series of special publications. Ross said a major update of SP 800-53 Rev. 2, “Recommended Security Controls for Federal Information Systems,” is expected in December, and a draft of the first revision of SP 800-37, “Guide for the Security Certification and Accreditation of Federal Information Systems,” is expected to be released for comment soon.

A single, governmentwide approach would make it easier for agencies to share data and cooperate with one another and with states, foreign allies and the private sector.

It could enable reciprocity, or the acceptance of other agencies’ C&A processes, without requiring recertification, and also could streamline acquisition processes by making it easier for vendors and developers to meet one set of standards.

C&A is a process for ensuring that IT systems are operating with an appropriate level of security. In the certification phase, the security of the system is documented; for accreditation, a designated authority signs off on the system’s fitness to go into operation. The concept has been around for some time, but there has been little standardization.

“In the past, we each had our own set of policies, and we didn’t look at each other’s,” said Sherrill Nicely, deputy associate director of national intelligence at the Office of the Director of National Intelligence.

FISMA requires C&A of information technology systems, but that does not apply to national security systems. And within the national security community, the military and intelligence sectors each have had their own way of doing things.

“Since about 1993, the Defense Department had its program, the Defense IT Security Certification and Accreditation Process,” said Eustace King, DOD chief of acquisition and technology oversight. “It worked pretty well” in a time before DOD’s emphasis on network- centric systems and information sharing, but it lacked enterprise visibility.

That C&A program was replaced with the Defense Information Assurance Certification and Accreditation Process. DOD was moving to the program in 2006 to harmonize military and intelligence processes when, a year later, it was expanded to include the rest of the national security community by bringing in the CNSS.

Through NIST, C&A procedures eventually will be standardized across all of government. However, policies do not change mind-sets, and old habits still remain one of the primary challenges to a standardized process. At DOD, there is a reluctance to accept reciprocity — that is, to give full credit to another agency’s C&A process without recertification, King said.

The intelligence community faces a similar hurdle, said Sharon Ehlers, an assistant deputy associate director of national intelligence.

“The cultural change has been the biggest challenge,” Ehlers said. “When it is not invented here, people don’t want to look at it.”

Standard Desktop Configuration (SDC) everywhere

For the last year I’ve been working on the DoD’s SDC implementation.  Standardizing ALL common use desktops is a very good idea for security.  But the problem I have with it, is that they are forcing SDC on mission systems as well.  They allow extension for some systems. 

This is a problem because mission systems are NOT standard.  Each mission system is different with different requirements.  Also, common desktops are in giant homogenous networks that can keep up with the changes in SDC with relative ease with applications like SMS.  Mission system are often controlled by a different entity than host so they must be updated manually.

So bottom line: SDC – great for desktops, VERY bad for many mission systems. 

Now SDC will be pushed to ALL government systems.