David Fletcher: Cybersecurity

Security Checklists at NIST

Fri, 07 Jan 2005 18:04:16 GMT

Karen Evans, the federal egov czar, recently released this report on Expanding E-Government.

An article in FCW discusses the Utah CIO position which currently remains vacant.

NIST has published this draft standard for Personal Identity Verification for federal employees.

This bulletin on securing VoIP networks (from NIST) is also interesting. We are preparing to meet with several customers regarding their interest in VoIP. If you're involved with security, also be sure to check out the NIST security checklist program at checklists.nist.gov

Cybersecurity for the Homeland

Thu, 16 Dec 2004 15:07:53 GMT

Earlier this week the The House of Representatives Homeland Security Committee’s Cybersecurity Subcommittee released a comprehensive report, "Cybersecurity for the Homeland

http://hsc.house.gov/files/cybersecurityreport12.06.04.pdf

The press release can be found at http://hsc.house.gov/release.cfm?id=275

High Stakes for Security

Fri, 24 Sep 2004 21:13:33 GMT

We need no reminder to emphasize the importance of information security, but here are a few headlines from this week:

Services take sick leave as bugs, viruses plague computers (Denver Post)
Computer woes prompt questions on preparedness (The Coloradan)
Want a driver’s license? No luck (Colorado Springs Gazette)
Faculty and staff preparation key to successful for SSN changeover (Penn State U.)
Worm burrows way into state computers (Times Union)
Hacking the Presidential Election
Computer worm impacts drivers license process (Grand Island Independent)
Cyber-nightmare (Forbes)
Hackers or cyber soldiers?
Tech sleuths track hacker
Required computer registration reduces virus attacks
Security failures exposed records

Hackers and viruses are not the only threat. We must all get more serious about business continuity. And here's an interesting article on spyware in the LA Times with this quote:

"Spyware is generally legal (in every state except Utah) as long as its original intent is to monitor browsing and shopping habits.Unfortunately, unscrupulous marketers and criminals have hidden their software under the spyware cloak to avoid being called viruses. Some spyware authors get paid about 15 cents a hit, while virus writers seem to be more motivated by the thrill of hacking into computer networks or disrupting corporations and government."

Utah Information Security Conference

Thu, 29 Jul 2004 14:12:47 GMT

I spent yesterday morning at the State information security conference. Governor Walker (video stream coming) announced an increased focus on cybersecurity and asked for each department to appoint a Chief Security Officer that will be part of the State Information Security Council. She was followed by Rob Clyde, CTO of Symantec, who gave an excellent presentation. While hunting around, I found these video / audio streams of several recent conferences that have some interesting information on current trends. Simple registration is required.

Yesterday afternoon, we signed off on the Omnilink installation at UCAN. I learned that Indiana and Ohio are using the same technology to support their statewide wireless initiatives. Indiana's Project Hoosier SAFE-T is at a similar stage and is being coordinated between all levels of government. Here's a map of their current and planned implementation. The terrain makes the task very different from Utah where we have the mountains to deal with.

Morning thoughts

Wed, 21 Apr 2004 14:52:49 GMT

Jeff says that "web services are really cool." Yes they are and we have only begun to tap their potential.

Kinja is being discussed in Cre8asite. Here's my initial Kinja site.

NASCIO is naming a new executive director on the eve of its midyear conference.

The National Cyber Security Partnership Task Force on Technical Standards and Common Criteria released its recommendations this week. Meanwhile reports are circulating on a new Cisco vulnerability.

John Gotze points out that Denmark garners the #1 spot in this year's eReadiness Report. The U.S. has fallen to number 6 in the report. The report, which is supported by IBM and the Economist, points out that the differences between the top eight were relatively minor. Why is the U.S. falling behind. One major reason is the relatively slow rollout of broadband services. Four of the top five are in Scandinavia.

Spyware Control Debate Continues

Wed, 21 Apr 2004 01:10:00 GMT

Spyware is at the center of a growing debate. Earlier this month, following the passage of the Utah Spyware Control Act, Andis Kaulins of LawPundit wrote,

Utah has thus begun what will surely be a necessary and welcome surge in legislation prohibiting or restricting spyware and/or similarly intrusive unwanted software programs.

The FTC just held a workshop to explore the spyware issue and, while "calling spyware the next great internet scourge" has also urged restraint in adopting new laws to control it. The Center for Democracy & Technology presented what they are calling a "consensus list" of deceptive spyware scenarios at the conference. I expect that we will need both techological and legal solutions to the growth of these practices including hijacking, surreptitious surveillance, and "inhibiting termination". I've already seen a lot of this when you install something and then can't completely get rid of it.

Several weeks ago, Sabrina Pacifici asked if the Utah bill would start a trend. But spyware legislation is not new. Sen. John Edwards introduced legislation in October 2000. Burns, Wyden and Boxer introduced more legislation in February of this year. I have no idea how many spyware bills have been issued in between that time.

Many marketers insist that it is a critical part of their marketing efforts and fully supportable. But opposition is growing. Bambi Francisco of CBS Marketwatch, rebuts the arguments that its simply a marketer's right:

"...it's not just being a smart consumer. We're moving beyond the wild west of the World Wide Web. There should be some protection and controls, like those established in Utah recently."

An America Online exec (quoted in PC World) who opposes excessive legislation argues that the industry will be somewhat self-regulating, "We'll learn what the consumer thinks based on how they respond; it's not tied to any legal definition." I'm not quite convinced of that.

Federal eGov

Fri, 16 Apr 2004 14:58:09 GMT

The Whitehouse website has become much more interactive. Recently, they have added features such as Whitehouse radio and Whitehouse interactive (direct response to email), along with themed sites like Presidents and Baseball and the Easter Egg Roll.

It should be time for the March 31st scorecard to come out for federal agencies. According to the last scorecard, only two federal agencies have met the standards for eGov - the Office of Personnel Management and the National Science Foundation. I am not quite sure what sets these agencies apart from the rest.

I did initiate a customized profile with NSF that provides you with a personalized page along with options for email notifications. In doing so, I noticed an item on data mining for pinpointing network intrusions. The Minnesota Intrusion Detection System (MINDS), funded by an NSF grant looks at the challenging issue of drilling through massive amounts of data to real attacks vs. false alarms.

New Mexico provides an additional incentive for tax filers who file online - they have until April 30th to do it.

Global Assault

Thu, 18 Mar 2004 19:38:04 GMT

A UPI article examines the cyberwar that is taking place on the internet. We are impacted by it everyday. We installed MT blacklist yesterday to ward off the comment spam that had infiltrated the MT stuff that we are using to generate RSS feeds for production services.

"A global assault for control of millions of computers is occurring," Steven Sundermeier, said. "This appears to be a war for power and seniority among these authors."

According to another article in the Detroit News, the annual cost in software and lost productivity related to spam is between 10 and 87 billion dollars.

Bruce Schneier provides his monthly Crypto-Gram newsletter as an RSS feed.

Public Technology also recently published an analysis of global digital warfare.

Cybersecurity Update

Mon, 01 Mar 2004 15:49:02 GMT

Senator Ron Wyden (OR) is sponsoring the Citizens' Protection in Federal Databases Act that prohibits the use of databases to mine for hypothetical scenarios and prevents government agencies from browsing bank records, online purchases or travel plans without regard to actual intelligence or law-enforcement information. That bill was assigned to the Senate Judicial Committee last summer and has not been seen since. Last week, Wyden teamed with Barbara Boxer to sponsor a new anti-spyware bill.

The Judicial Committee held a hearing on cyberterrorism last week. Speaking of cyberterrorism, Bill Gratsch's eGovLinks site was hacked over the weekend by the "EmpEror SeCUriTy Team".

The Department of Homeland Security is working with the National Association of Attorneys General (“NAAG”) to compile the Computer Crime Point-of-Contact List, a 50-state list of state and local prosecutors and investigators who are responsible for computer-related crimes within their respective jurisdictions. This list allows agents and prosecutors from one jurisdiction to call upon their colleagues in another jurisdiction for rapid response in cybercrime matters.

Here's a good powerpoint on legal frameworks for combatting cybercrime.

F-Secure reports that "a new variant of Netsky worm - Netsky.D was found on March 1st, 2004 and is spreading fast in the wild. This worm variant lacks many text strings that were present in NetSky.C variant and it does not copy itself to shared folders." We saw a lot of NetSky last week so I guess we'll be continuing to screen thousands of attempted intrusions.

Security/Privacy Problem

Mon, 29 Dec 2003 15:27:31 GMT

Virginia's auditor during an audit of surplus computers found the following information on old computers being auctioned to the public:

Vaccination information;
Women Infant and Children (WIC) personal information;
Personnel evaluations of individuals;
Personnel records of grievances of individuals;
Scholastic evaluations of individually identifiable students; and
Personal credit card number of a Dean of a college.

With all the effort spent to comply with HIPAA, other privacy laws, and standard information security, this is one hole that needs to be plugged everywhere, not just in Virginia.

December Infragard Meeting

Mon, 08 Dec 2003 15:07:37 GMT

The Infragard meeting on 12/17/03 will be at the Salt Lake City Public Library, 210 East 400 South, Salt Lake City, UT in Conference Room B, Level 1. The speakers for this month's meeting have changed slightly. The speakers and their topics will be as follows:

Ken Crook - "Terrorism - The Threat"
Karl Schmae - "Securing the Homeland and Terrorism Indicators"

Tech

Thu, 18 Sep 2003 15:17:44 GMT

Blogalization has picked up my news feed.

NetWorld Fusion includes two Utah bloggers on its Top Ten list.

Mitch Ratcliffe presents an interesting application for VoIP. VoIP has been slow taking off here and we need to identify a critical mass of business-oriented applications to drive the conversion. Meanwhile, we need to get serious about how we install technology in new facilities, including the new state archives building.

At yesterday's Infragard meeting Brian Grayek suggested that education (colleges, universities, and K-12) presets some of the greatest challenges for cybersecurity. This month's issue of The Journal looks at many of those issues and presents some suggestions.

Update on electronic voting in Utah.

The House just passed an internet tax ban. It does not ban taxes levied on goods sold via the internet.

Here's an interesting site that is tracking the growth of weblog activity in Portugal, a country which supports weblogs for all of its legislators. Jose Luis Orihuela references an article in Jornal de Noticias on the growth of blogging in Portugal.

DARPA is exploring Brain Machine Interfaces. A Carnegie-Mellon scientest has been charged by NSF with designing a new national communications infrastructure.

Weather.gov is down today. Probably overwhelmed by Isabel.

In Washington, some are calling the departure of three people a "brain drain" on the nation's eGov efforts and Intel is claiming it can't find enough good IT workers in this country of 292,107,007 people.

Total Security Management

Tue, 16 Sep 2003 00:36:20 GMT

The next InfraGard (of the Wasatch) meeting will be on 9/17/03 at 12 pm. The meeting will be held at the Parks Department, 2nd Floor, 1965 West 500 South, Salt Lake City, UT instead of at the usual location at the City & County Building. If you will be attending the meeting and have not yet rsvp'd, please e-mail Cheney to let him know that you will be attending.

The speaker will be Brian Grayek, Technology Strategist to the Office of the CTO, Computer Associates. Brian has over 20 years experience in security and is highly regarding for his security expertise in the industry. The topic of his presentation will be "Total Security Management".

Infragard meeting scheduled for September

Wed, 27 Aug 2003 20:42:07 GMT

The third quarter meeting of the InfraGard of the Wasatch has been scheduled for 9/17/03 at 12 pm. This meeting is being sponsored by Computer Associates. The speaker will be Brian Grayek, Technology Strategist to the Office of the CTO, Computer Associates. Those planning to attend should RSVP to Cheney Eng-Tow via e-mail as soon as possible. The meeting will be held at the Parks Department Building located at 1965 West 500 South, Salt Lake City, UT. If there are any questions, please contact me.

Security Groups

Mon, 23 Jun 2003 21:39:55 GMT

The first national Infragard conference is being held today in Washington, DC. I just came across the local ISACA website. Many ISACA members are also involved with Infragard. The fifth annual Network Security Conference sponsored by ISACA will be held in Las Vegas in September. The agenda looks useful.

Enterprise Security

Fri, 23 May 2003 16:16:26 GMT

Dave McNamee said something VERY important the other day regarding security. He referred to a Gartner study that says that the average employee has access to 15 to 17 applications during employment and that the same employee may still have access to about 10 of those applications after termination. Obviously, this supports the positon of implementing security at the enterprise level where access can be linked to human resource information. We have many critical pieces of that model in place with the Utah Master Directory.

A recent series in the Washington Post points out how hackers in Russia are affecting businesses throughout the U.S.

Broadband in the Navajo Nation

Tue, 20 May 2003 16:00:45 GMT

The US Department of Agriculture is spending about $20 million on broadband services in rural America. Some of the money will go to help Native American communities in Utah and other states.

One company involved in the Navajo nation is Skyframes, Inc. which is providing satellite connectivity into northern Arizona. The Digital Divide Network suggests that the extension of internet services will help unite the Navajo Nation. The University of New Mexico supports the Native American Distance Education Community Web which is aggressively supporting a variety of wireless projects throughout the area.

Ariana Cha with the Washington Post is on a live chat right now (9 am MST) discussing Cybercrime in the US.

Building the Information Society in Ireland

Wed, 14 May 2003 20:42:32 GMT

Yesterday, I mentioned Simon Moore's excellent report on trustworthy computing. Ireland's Information Society Commission produced a report several months ago entitled, "Building Trust through the Legal Framework." The suggestion is that government has an over-riding responsibility to create a trusted digital environment in order for a society to transform into a true "information society" which has become a major objective for the Irish. They would like to move from 27th into the top tier of European nations in areas like eGovernment. In order to build trust, they are suggesting measures like the creation of a "trust and confidence" mark that could be used by Irish electronic commerce providers and the appointment of "data protection commissioners." Another report, Building the Knowledge Society, more specifically addresses the issue of building eGovernment.

Ireland's Electric News Network has a regular column dedicated to eGovernment issues.

eGovernment and Trust

Wed, 14 May 2003 00:39:05 GMT

Dr. Simon Moores, owner of the Zentelligence weblog, has authored an excellent report entitled, "A Matter of Trust: A Special Report on Trustworthy Computing." Read it and let me know what you think. I find his perspectives to be excellent on matters of importance to the success of eGovernment and this is certainly one of those.

Another report (MS Word document), recently released by the Office of Intergovernmental Services discusses the payoff and measurements associated with the implementation of eGov programs.

Critical Infrastructure Report

Fri, 11 Apr 2003 22:52:09 GMT

Sabrina Pacifici points out the latest GAO report on critical infrastructure. Like always, the report stresses major weaknesses in the nations computer networks.

Capitol Connections and breaking news and hacker battle

Fri, 28 Mar 2003 15:05:40 GMT

The March issue (isn't it almost April) of Capitol Connections is online. Included in this issue are an article on DEQ's efforts to support NEIEN development and the One-Stop Reporting Project, as well as an article by Doug Chandler on ITS wireless operations.

The Salt Lake Tribune reports that hackers redirected an Al Jazeera site to a site supported by a Salt Lake-based ISP.

I just heard on the radio that there is a major denial-of-service attack coming from France, Russia, and China against NetWorld which is the ISP where the Al-Jazeera site was re-directed to...

Zeichner Report Hammers State Cybersecurity Efforts

Mon, 24 Mar 2003 16:43:16 GMT

A report released this morning by Zeichner Risk Analytics criticizes the states for not developing appropriate cyber-security programs. The report states that:

"At some point, the states may need to leave development of all cyber-security and critical infrastructure guidance exclusively to the Federal government supported by professional organizations."

Among the report's findings:

36 states have failed to prepare, adopt, and implement adequate cyber-security policies, as required by Congress.
The lack of progress in the states requires insurance companies (and other companies regulated by the states) to waste considerable expense tracking implementation status.
States have fallen even further behind the Federal government and financial services industry in developing appropriate cyber-security programs.

I met with our State risk manager recently to discuss our cybersecurity efforts and am unaware of any insurance company efforts to track our cybersecurity program. I am not aware of any such inquiries. The report recommends adopting the proposed national regulation developed by the National Association of Insurance Commissioners. I'm trying to figure out what that is. The State's Insurance Dept. is just down the hall from me. [followup: the Deputy Insurance Commissioner passed along this link to Utah's rule on safeguarding customer information] The NAIC is certainly an active association based on their regular press releases.

The report shows that 15 states are in full compliance with the Gramm-Leach-Blilely Act which requires the states to take specific action with respect to cyber-security measures and guidance. Utah, along with Washington and Virginia, is among the 15 states in compliance. Utah was very involved in infrastructure protection efforts and cyber-security measures prior to 9-11, partially due to its preparations for the 2002 Winter Games, but also in relation to its Y2K preparations.

Increased Cyber Activity

Tue, 18 Mar 2003 15:29:56 GMT

On the eve of war with Iraq, we are seeing significant increases in cyber activity. Tighten your security and be vigilant. After the elevation of the Homeland Security System to Orange-High, the Internet Storm Center is now showing a yellow alert status. There is definitely an increase of port 80 attacks. If you're running on IIS, be sure to check the latest CERT advisory with an echo from the NIPC.

Emerging Storm: A Gartner Weblog

Mon, 17 Mar 2003 15:20:47 GMT

Gartner has created a weblog entitled "Emerging Storm" that regularly discusses issues like cybersecurity and business continuity. In a recent post, Rich Mogull discusses the role of government agencies in protecting cyberspace:

"Despite the recent involvement of the U.S. Department of Homeland Security (DHS) in coordinating response to the latest Sendmail vulnerability and the development of an EU cybersecurity center, governments play a minor role in the management of cyberincidents. In the U.S., DHS is still in a formulative stage, without a leader for cyberdefenses or a fully defined organizational structure and operating process. DHS is combining a series of cyberagencies - such as the National Infrastructure Protection Center and the Critical Infrastructure Assurance Office (and has dissolved the President's Critical Infrastructure Protection Board) - but none of these agencies have been as effective or responsive as private industry cybersecurity initiatives."

I think Rich is correct, none of these agencies seems to have the reach of something like Symantec, CERT, or the Internet Storm Center. I am hoping that the effectiveness of the Infragard effort will continue to grow.

Gartner's weblog was mentioned in a recent Newsfactor article, "Blogging Goes Corporate."

Compromise of Personal Information

Fri, 07 Mar 2003 15:42:00 GMT

Barbara Haven, blogging from California, refers to a major hack of a University of Texas administrative data reporting system which compromised information on 55,000 individuals. According to Infoworld, the attacker used a "blunt force" technique by programming inputs of millions of Social Security numbers into the system. Matched records were captured by the intruder.

On the last night of the legislative session, the state legislature passed substitute House Bill 105. Part 4 is now referred to as the Government Internet Information Privacy Act. This act applies to any state agency that maintains a public website. For purpose of the bill, personally identifiable information means name, account number, physical address, electronic address (I guess that could mean email or IP address), telephone number, or social security number.

According to the bill, before a government website can collect personally identifiable information, the website must contain a specific policy statement which (among other things) includes a general description of the security measures in place to protect a user's personally identifiable information from unintended disclosure. I think our standard privacy policy statement addresses the issues as outlined. We just need to review it to make sure.

The bill also requires the IT Commission to study the issue of popup ads. It would be nice to eliminate them, wouldn't it?

I am glad that Google is beginning to address issues associated the security of the Blogger product.