
Verizon's '2013 Data Breach Investigations Report' Expands Types of Threats Analyzed to... - 23 views

  •  
    For your Week 6 discussion. "Verizon's '2013 Data Breach Investigations Report' Expands Types of Threats Analyzed to Present Even Broader, More Extensive Picture of Cybercrime"

Security Requirements for Cryptographic Modules - 4 views

  •  
    This standards publication (FIPS 140-2) is a key standards document. Skim through it and see if you can find some ideas for emerging threats against the standard(s).
  •  
    FIPS 140-3 is on its way and is needed as 140-2 is quite old now. Interestingly however, crypto is one of the slower moving changes in information security. Many of our algorithms have been around for many years; we have moved forward by increasing key size rather than changing the algorithms. AES and 3DES are still FIPS approved, whereas RC4 is not (which is used by many internet giants such as Google and Facebook).
  •  
    Any time you are allowed to introduce code into a program, you have a chance for error. By allowing cryptographic software and firmware to be updated, I think you will always have the chance for emerging threats to be introduced in the form of malware. Recently, the U.S. has stopped allowing the use of Chinese-built hardware for certain DOD/Federal agencies. If we allow the enemy to build the devices we use to form our security foundations, we have already lost the war.
  •  
    I believe the frequency of review of this policy is untimely to the speed technology advances in. If they could move the review from 5 years to 2 years, that will suffice. At times, once the policy is published folks are already working on the revision to keep up with technology growth. "Since a standard of this nature must be flexible enough to adapt to advancements and innovations in science and technology, this standard will be reviewed every five years in order to consider new or revised requirements that may be needed to meet technological and economic changes."

The Security Content Automation Protocol (SCAP) - NIST - 5 views

shared by Amy Harding on 06 Mar 13 - Cached
  •  
    Using the links to the left of the screen, click around the SCAP website and think about how this protocol could help organizations manage their security vulnerabilities. Does your organization use SCAP?

Emerging Threats and Security Planning: How Should We Decide What Hypothetical Threats ... - 22 views

  •  
    When you access this web resource you can select to download the full PDF file or you can click to read online.

Cryptographic Module Validation Program (CMVP) - 8 views

  •  
    Read and explore this NIST website. Do you see any products that you are familiar with? Can you determine how this program enhances the security of these products?
  •  
    After looking through the website, I found the Vendor list for 140-2, which provides what I would think is the complete product list of Vendors and products which meet the standard. A couple items which meet the standard are Microsoft Windows 7 BitLocker Drive Encryption, and Research In Motion's BlackBerry Cryptographic Kernel. It is important that the CMV Program is in place within the U.S. If we are going to rely on encryption to keep our secrets safe, then the products we use to encrypt our data need to be checked to ensure they are secure.

Scope Of APTs More Widespread Than Thought - Dark Reading - 3 views

  •  
    Researcher uncovers hundreds of different custom malware families used by cyberspies -- and discovers an Asian security company conducting cyberespionage
  •  
    This article raises some serious questions in my opinion. As we move more into an environment where cyber warfare is to be used against different countries, where are the lines drawn between declaring war? As this article discusses, it is not as easy to see who actually was behind the attack, and an attack coming from Chinese, or some other country's IP space, is not necessarily a state sponsored attack, nor is it necessarily coming from someone inside the country. In a hack back scenario, it could be determined after the fact that whatever country was thought to initiate the first move, was actually a victim of a "zombie/bot" type of controlled attack that was actually initiated in another country. Can you say, Wargames? Edited 3222013: as I spoke yesterday, today guess what? http://news.yahoo.com/skorea-misidentifies-china-cyberattack-origin-071350510.html

Security Pitfalls in Cryptography - 30 views

  •  
    Does this article from 1998 still hold true today?
  •  
    I believe this article is still very relevant. After reading Bruce Schneier's article, one of the things I took away was his comment regarding the inherent lack of security created by implementers of tamper resistant methodologies, such as smart cards, and biometric technologies. If these systems fail, we want to make sure that we can still access the resource which is being protected, so we tend to build insecure systems in place to bypass the tamper resistant security. In the end, things like biometrics and smart cards seem to be built more for convenience, instead of security. A similar effect is pointed out in the article when users give their access tokens to others so they can do their work. As long as the human element has control in the implementation of security, the risk of failure will always be there, no matter how great the security method is.

Cybersecurity -- Emerging Technologies in Cybersecurity « WHS WHS - 10 views

  •  
    This is a cool and insightful article regarding emerging cyber security technologies. 
  •  
    I think the part about centralizing a "single federal enterprise network" is a great idea. The federal government has started doing this with things such as the FDCC (Federal Desktop Core Configuration), as well as SCAP (Security Content Automation Protocol), but I think there still needs to be much more. Allowing each federal agency to have their own cyber security within the U.S. seems a little crazy. I think setting one agency to protect the national infrastructure, i.e. the borders of the U.S., down to each agency's front door needs to be standard. Agencies like DOD who have their own Cyber operations centers need to be properly trained and educated if they are going to defend infrastructure. Formalized training needs to be done at the federal level as well as the Civilian level. If you are going to be a security practitioner, you must have the credentials, and I am not talking just a Sec+. I think it is time we up the standards on who we call a CyberSecurity professional.
  •  
    Interesting article and objective given. Connecting government cyber operations centers, I think that this will be a huge, and important step toward achieving a higher level of security. Good read!

Video - Digital Nation Life on the Virtual Frontier - 25 views

shared by Amy Harding on 06 Mar 13 - No Cached
  •  
    This video is 90 minutes long. However, if you open the link, the video is separated by nine chapters. You can put your cursor on the bottom of the video and see each of the chapters and the topic. Find at least one chapter of interest to you and watch it. Each chapter tells you how long it is after you start it.
  •  
    What I found most interesting in this video was the research being conducted regarding students who multitask, and their perceived ability of doing it well. In fact, as the experiments and testing show, the researchers are proving just the opposite. The younger generation that believe they are multitasking well are only able to work in small chunks, and their work tends to show this. Students are unable to carry out long tasks, they get bored, and they put together papers in sections which directly correlates to their on and off study habits. I also found myself relating to the discussion of needing to satisfy a thought at the moment it pops, and change from doing one thing say, watching the video, into another, listening to the video, and looking at the photographs I took today. In either case, not accomplishing either with the same effectiveness that I would have had I completed them one at a time. The internet, and multiple monitors, helps feed this addiction.

Hackers - 3 views

shared by Amy Harding on 06 Mar 13 - No Cached
  •  
    Optional web resource for week 2.

Lecture Notes on Cryptography - 37 views

  •  
    This document is part of your Week 2 DQ. It is 289 pages so I do not expect you to read the entire document. However, open the Voicethread to see the key areas for the DQ and you can search the document for those key words.

What should we expect from next cyber weapon? Hypothesis on Stuxnet 3 | Security Affairs - 28 views

  •  
    For your Week 6 discussion.

Stuxnet 3.0 ,Malcon 2011, Nima Bagheri - YouTube - 13 views

shared by Amy Harding on 06 Mar 13 - No Cached
  •  
    For Week 6.

DoD posts 1 millionth user to email system - 0 views

  •  
    I wonder if they had cake... DoD/DISA's email system signed-up its 1 millionth user last week. Now that's a lot of Exchange mailboxes. This article has it listed as a cloud service... is it? It's true that DISA doesn't keep its cloud presence a secret, a quick Google search will tell you the URL is https://web.disa.mil - but since you can't get very far without a CAC.. is this truly cloud? What is the definition of cloud?

Ranking the Top 10 Cloud Startups - CIO.com - 3 views

  •  
    This ranking of cloud start ups could be helpful to you for your research project.
  •  
    Very interesting report. People voted, not technicians, nor security agencies, just people who use the system. It seems a lot like how the personal computer came and the internet was created. Just get it up and running and security will come later. How can that be? A country's banking system just got compromised. No inspection standard to say this cloud solution is safe, just a group of people who say they can access that information when they want and the company saying it is perfectly safe. Little do they know it could also be accessed by others just as quickly - just my opinion, not quite facts yet.

http://www.us-cert.gov/sites/default/files/publications/cyber_threats-to_mobile_phones.pdf - 0 views

  •  
    This website gives information about Cyber Threats to Mobile Phones. The US-CERT provides valuable information on this site concerning recent threats.

http://www.northjersey.com/news/international/199167071_S__Korean_Banks_Fall_Victim_to_... - 0 views

  •  
    How can you tell who is servicing your systems if they are in the clouds? Should the ATM network be placed in the clouds? Something to ponder about

Evaluating Technology Companies | Lux Research - 1 views

  •  
    Evaluating technologies