February 5, 2012

Cybersecurity 2009 in Review: Unprecedented Attention as a National Priority

Cybersecurity was elevated to an unprecedented level of attention by the U.S. Government in the year 2009.  It all began with the January 20th inauguration of Barack Obama, recognized as the most tech-savvy president to ever occupy the Oval Office. 

As we moved through 2009, many “cybersecurity-centric” events happened within the government that most certainly will affect, if they have not already, the security and risk management planning groups within organizations both in and outside of the United States. In most cases, and as a result of these many “cybersecurity-centric” activities, organizations today are revisiting and rethinking elements of their current and long-term strategic business continuity planning processes.

To better understand these government efforts to secure federal digital assets, and to evaluate how those efforts might help or support your own organization’s business continuity and risk management efforts, we would like to bring your attention to a recent article written by Eric Chabrow, Managing Editor on the GovInfo Security website.

In this article, Eric Chabrow calls out what he believes to be the most important cybersecurity happenings in the government during 2009. And even though 2009 provided more promise than triumph, Mr. Chabrow believes that the foundation was laid for what could prove to be a very productive 2010.

A summary of that list is as follows:

1: That Cybersecurity Vision Thing

Though cautious, President Obama said the right things in his May 29 White House address: “Protecting this infrastructure will be a national security priority … Protecting our prosperity and security in this globalized world is going to be a long, difficult struggle demanding patience and persistence over many years.”

2: Czar Wars

At the heart of President Obama’s cybersecurity policy is the creation of a position the chief executive calls a cybersecurity coordinator, a senior White House adviser who would report through the National Security Council.  More detail of this “Czar War” point is presented in the referenced article by Mr. Chabrow.

3: Legislation ‘R’ Us

Some of the pending and ongoing legislative activities concerning cybersecurity in 2009 were:

- The U.S. Information and Communications Enforcement Act, legislation aimed at updating the Federal Information Security Management Act of 2002. U.S. ICE, as the bill is known, was one of the more visible pieces of legislation introduced in 2009.
- The Cybersecurity Act of 2009, which included a provision that would allow the president to declare a cybersecurity emergency and shut down Internet traffic to and from government IT systems and the nation’s critical IT infrastructure.
- An omnibus cybersecurity bill that could incorporate provisions of both of those bills.
- The Cybersecurity Enhancement Act, a nuts-and-bolts IT security bill that would require the president to assess the government’s cybersecurity workforce, including an agency-by-agency skills assessment, and provide scholarships to students who agree to work as cybersecurity specialists for the government after graduation.

4: Summer Breaches

Starting over the Independence Day weekend and continuing for about a week, hackers targeted government and business websites in the United States and South Korea, causing varying degrees of disruption of service. Among the federal government websites reportedly assaulted were those of the White House, the National Security Agency, the Departments of Defense, Homeland Security, State, Transportation and Treasury, the Federal Trade Commission and the Secret Service. Tom Kellermann, who chaired the threats working group of the Commission on Cybersecurity for the 44th Presidency, characterized the attack as “a fact of life now because of Web 2.0 and that’s the real worrisome phenomenon here.”

A month later, hackers defaced the homepages of a dozen House members.

In June, Deputy Defense Secretary William Lynn III, the No. 2 Defense Department official, revealed that more than 100 foreign intelligence organizations are trying to hack into U.S. information networks. “This is not some future threat. The cyber threat is here today; it is here now,” Lynn said.

How pervasive are attacks on government systems? The Government Accountability Office in October said NASA reported 1,120 security incidents that have resulted in the installation of malicious software on its systems and unauthorized access to sensitive information in fiscal years 2007 and 2008.

5: CAG: A No Brainer

It’s common sense: the proper use of controls has a positive influence on securing IT assets. A public-private consortium in February determined the greatest threats to IT systems and developed 20 Consensus Audit Guidelines, or CAG, that federal agencies and others should implement to protect those systems.

6: IT Celebrity Cult

What separates 2009 from other years when it comes to government IT and cybersecurity is the cult of personality of those placed in charge.

7: The Departed

How important they were in the overall picture of securing government IT assets is open to debate, but the fact that several highly visible cybersecurity leaders left government service this past year drew considerable attention.

8: Transformational Guidance

The superlatives flowed in November when the National Institute of Standards and Technology (NIST) issued a draft revision to its Special Publication 800-53.

Past NIST guidance focused mostly on steps IT security pros should take to safeguard information assets, processes that didn’t involve the continual monitoring of a system’s security.

9: Help Wanted

The job market looks bleak almost everywhere, except for the federal government, at least when it concerns cybersecurity.

10: Retooling NIST

New NIST Director Patrick Gallagher, whom the Senate confirmed Nov. 5, issued the statement that, “Every manager should be striving to make sure their organization is as effective as possible.” In fact, Gallagher has asked his top managers to reassess NIST’s organizational structure, a move that could lead to its first reorganization in nearly two decades. All options are in play, including the possibility of merging some of its 10 laboratories, the major units within NIST.

CLICK HERE to read the entire article including important links to other related stories on cybersecurity and then pass this information along to your business continuity manager(s).

Business Continuity and Madoff's Ponzi Scheme: Lessons to be Learned?

Lisa DuBrock, a contributing writer for this website, wants to pass along an interesting article for your consideration. The article was written by John Dodge and focuses on a story published in a recent edition of Securities Industry News.

John Dodge, a freelance writer for Bank Technology News, addresses some of the facts behind Bernie Madoff’s Ponzi scheme.

This article basically arrives at the supposition that “…if “technologists” had replaced the proprietary systems with more modern and open computers, they would have invariably found the absence of data on countless stock trades that supposedly took place. In a sense, the preservation of old computer technology helped Madoff successfully go undetected for years until his massive Ponzi scheme collapsed on December 11, 2008.”

There is a great probability that there is a lesson here to be learned by all business continuity, risk management and contingency planning teams.  Perhaps it is that sometimes the simple issues just get overlooked.

CLICK HERE to read the entire article, which goes beyond the court records to construct an extensive picture of how Madoff actually operated: the systems and technology he and his underlings used to create, or fake, the most detailed set of customer accounts underlying a fraud in the history of the securities industry. Then see if you find a lesson for your organization.

2009 Global Security Threats and Trends Report Available from Cisco

A great internal library resource report has been released by Cisco Systems, Inc. All business continuity and risk management teams should include this report in their reading assignments for the coming year.

Cisco Security Intelligence Operations announces the Cisco 2009 Annual Security Report. The updated report includes information about 2009 global threats and trends, as well as security recommendations for 2010.

Report Highlights

  • Online criminals have taken advantage of the large social media following, exploiting users’ willingness to respond to messages that are supposedly from people they know and trust.
  • Politically-motivated threats are increasing, while governments are teaming up and promoting online security.
  • Up to 90 percent of spam is untargeted. That includes spam delivered by botnets that floods inboxes with messages from supposed banks, educational institutions, and service providers.
  • More than 80 percent of the web can be classified as “uncategorized” or “unknown”, making it challenging for traditional URL filtering technology. The new Cisco Cybercrime Return on Investment Matrix tracks the performance of the underground online criminal marketplace, helping organizations understand the latest targets.

CLICK HERE to read the entire report.

Happy Holiday Season Wish to the Business Continuity Community

Season’s Greetings from the Continuity Compliance Team!

We’d like to take this opportunity to wish you and your loved ones a wonderful holiday season.

Thank you so much for supporting our endeavors on this Business Continuity Lifeline website, and we look forward to continuing to provide you with value-added news and ongoing opportunities to be a part of this growing BC community in the New Year.

The Continuity Compliance Team

Recent Study Finds Many Firms Unprepared for Potential H1N1 Influenza Outbreak

Deb Ladendorf, a contributing writer for this website, recently spotted an interesting article by Jeff Casale regarding some recent findings in a study done by Mercer L.L.C. on how employers are handling the challenges of the H1N1 influenza virus to date.

Many of our readers are members of business continuity and risk management teams in their organizations, and hopefully those members with particular contingency planning responsibilities will find value in reading about the results of this study. The survey for the study included responses from nearly 1,000 organizations of all sizes in the United States, Latin America, Canada, Asia and Europe.

As an example, the study stated that half of the respondents have local contingency plans in place, but only 25% of those respondents have integrated contingency plans in the event of an outbreak.

CLICK HERE to read more about this study as posted in the Business Insurance website, and hopefully, some of this information will help you improve your own H1N1 Influenza Contingency Plan(s).

White House Cybersecurity Coordinator Announced

Bill Brenner, a contributing writer on the Computerworld website, announced that a decision was released regarding the selection process of a U.S. cybersecurity coordinator.

In his write-up, he states, “…seven months after he announced the creation of a White House cybersecurity coordinator, President Obama has selected industry veteran Howard Schmidt for the job, an administration official confirmed Monday night.

The official told CSOonline.com that the White House will make the announcement today.

“Cybersecurity is critical to both our national security and economic competitiveness, and the president wanted to ensure that the cybersecurity coordinator had the right mix of public and private sector experience,” the official said. “After an extensive search, the president chose Schmidt because of his unique background and skill sets.”

Schmidt has a long history in the IT security sector and has served in the White House before as vice chairman of the president’s Critical Infrastructure Protection Board. He’s a former chief information security officer at eBay, chief security officer at Microsoft and has worked with federal and local law enforcement and the Defense Department.

The administration official said Obama “was personally involved in the selection” of Schmidt, and Schmidt will have regular access to the president for cybersecurity issues”.

This decision is one you should share with your business continuity and risk management team members.

CLICK HERE for more details and information on this decision by President Obama.

Business Continuity Writing Contest Launched by Continuity Central

In a recent posting on the continuitycentral.com website, an announcement was made stating:

“Continuity Central and its sister publication, the Business Continuity Journal, have jointly launched a competition which aims to discover the best new business continuity articles and papers.

Authors of any status, whether established business continuity professionals, academics, students, or journalists, are invited to submit articles and papers written within the last twelve months. These will be judged by David Honour, editor of both Continuity Central and the Business Continuity Journal, and by a judging committee drawn from the Business Continuity Journal’s editorial review panel.

The winning entry will be rewarded with a £500 ($US 800) prize and the best entries will be published in either Continuity Central or the Business Continuity Journal, as appropriate.

Entries must meet the following criteria:

- They must have been written between 1st January 2009 and the closing date of January 15th 2010;
- Copyright must be owned by the person submitting the entry;
- Entries must be previously unpublished in any commercial publication;
- Entries can be between 500 and 5,000 words long;
- Entries should be emailed to editor@continuitycentral.com as an attachment in any Word processing format. PDFs or PowerPoint formats will not be accepted.
- The subject matter of any entry can relate to any of the following topics: business continuity, disaster recovery, resiliency management, enterprise risk management, operational risk management or IT continuity.
- Multiple entries from individual authors will be accepted.
- Entries must be written in English.”

Please pass this announcement along to members of your organization’s business continuity planning teams.

If you need more information or want to know how to have your groups or members submit an entry to the contest, CLICK HERE.

Critical Infrastructure Resiliency Webinar Offering from DHS

One of the Critical Infrastructure and Key Resources (CIKR) Learning Series webinars, offered by the Department of Homeland Security (DHS), is available today, free of charge, and is recommended for all DHS private sector and government partners with responsibility for risk, security, and emergency management functions.

The title of this free webinar is “Critical Infrastructure Resiliency: The Next Frontier in Homeland Security”. It is being presented by Rand Beers, Under Secretary for the National Protection and Programs Directorate, from 4:15 to 5:15 PM (EST).

Under Secretary Beers will discuss the Infrastructure Protection mission and the important role of resiliency. He will address the complex interdependencies and important steps the Department of Homeland Security and its partners are taking to protect our nation’s critical infrastructure.

To register for this event please go to:

https://connect.hsin.gov/e33382319/event/registration.html

Actions Taken on Cybersecurity by the Department of Justice

A consistent topic being discussed among business continuity strategy and planning groups is the growing risk management requirements and potential economic impact(s) that may result from a negative cybersecurity event. Such an event could affect just their organization, or it could affect the larger environment in which their organization exists.

Relative to these issues, and perhaps being shared as a risk management topic by our government, we are beginning to hear more about actions being taken at the Department of Justice regarding this No. 1 cybersecurity challenge.

In a recent video, Justice Chief Information Officer Vance Hitch addresses why being proactive about cybersecurity threats is so important, and what the Justice Department is doing to become more proactive. Mr. Hitch co-chairs the Federal CIO Council’s Information Security and Identity Management Committee with Navy CIO Rob Carey.

We believe that this presentation, which took place at a council cybersecurity conference held recently in Arlington, VA, is a valuable resource of information, strategy and implementation advice not just for our government and its people, but also for individual companies to understand and potentially consider for incorporating similar actions within their organizations.

To learn more about this information, and to view this video, CLICK HERE.

Information Security Lessons to be Learned from 2009 Data Breach Listing

As you would expect at this time of the year, many 2009 events are being chronicled and organized into some kind of list for publication. One such list that our staff found interesting and appropriate for our business continuity and information security community was recently posted on the Computerworld website.

The list, cited in an article written by Jaikumar Vijayan, is called “The 2009 Data Breach Hall of Shame”.

Our staff decided to bring this list to your attention to offer your information security managers and risk assessment team members a resource that, while it may seem at first to be more of an example of what not to do, actually points out potential case studies for your network security and information systems security teams. Those teams can read the cases, evaluate the applications and decisions that might work well in your organization, and finally select those practices of companies on the list that your organization should benchmark and consider introducing as a 2010 continual improvement project.

You might be surprised to read that many of the data breaches on this list stemmed from familiar and rather mundane security failures, not just those “sneaky new attack techniques or devastating new hacker tools”.

To read this article and view the entire list of companies “that made headlines for all of the wrong reasons”, CLICK HERE.