Are You Feeling Cybersecure?

Continuing the cleaning of the collected links, here are a few articles and comments related to cybersecurity. Note: Those who read my post yesterday on iPods and other Digital Audio Players should revisit it — I’ve updated it with lots more info.

  • Training the Next Generation. A few interesting articles relating to the training of new Cybersecurity experts — at least ones that caught my attention because of their connections. First, Caltrans is getting involved with Cybersecurity. Sponsored by Caltrans and the California Transportation Foundation, the 2015 CyberCIEGE Competition challenged high school-aged teams to deal with a realistic simulation of a workplace environment that teaches project management and computer network security concepts. Students hired and trained employees, purchased and configured workstations and network devices and defended against cyber attacks while managing their budget. Also focusing on high school students, a program at NSA is working with a number of schools, including UC Berkeley, to educate high-school students about cybersecurity careers. I happen to know one of the folks at NSA behind that program — I’ve known Steve LaFountain for years, going back to when I was at SDC. With Steve involved in this program, you know it is doing good work.
  • Investing in Cybersecurity. In what is surely a sign of the times, there is a new Exchange Traded Fund (ETF) that focuses on Cybersecurity. The fund seeks investment results that correspond generally to the price and yield of an equity index called the Nasdaq CEA Cybersecurity Index. This new ETF includes companies primarily involved in the building, implementation and management of security protocols applied to private and public networks, computers and mobile devices in order to provide protection of the integrity of data and network operations. It is an interesting notion and cybersecurity is a growth field, but as to how this index will perform… I’m not sure about that.
  • Building Blocks. About a year and a half ago, there was an effort to create a NIST FFRDC. It now exists, and I’ve seen the first announcement of its output: a series of building blocks that have been released for community review and comment. The building blocks cover cybersecurity implementations that apply to multiple industry sectors and will eventually be incorporated into many of the National Cybersecurity Center of Excellence’s sector-specific use cases. The two that have been released are: (1) “Domain Name System-Based Security for Electronic Mail”, which proposes using the DNS-based Authentication of Named Entities (DANE) protocol to help prevent unauthorized parties from reading or modifying an organization’s email or using it as a vector for malware; and (2) “Derived Personal Identity Verification (PIV) Credentials”, which proposes a way for mobile devices to use two-factor authentication without the specialized card readers that read the identity credentials embedded in on-card computer chips to ensure authorized access to computer systems or facilities. With derived credentials, mobile device users could get the same level of security with their mobile devices that desktop users get with card-reader access.
  • Government Cybersecurity. An article on Slashdot today teased with the headline: “Despite Triage, US Federal Cybersecurity Still Lags Behind”. The article demonstrated Slashdot’s usual journalistic sensationalism, stating: “According to the NY Times, U.S. government officials will soon announce all the improvements their IT security teams have made to federal systems in response to the OPM breach. Unfortunately, says the Times, these updates only just scratch the surface, and are more to show that the government is ‘doing something’ than to fix the long-standing problems with how it handles security. ‘After neglect that has been documented in dozens of audits for nearly two decades, the federal government is still far behind its adversaries. And it is still struggling to procure the latest technological defenses or attract the kind of digital security expertise necessary to secure its networks.’” What the Slashdot article fails to acknowledge is that the government, by definition, cannot easily be bleeding edge in this area. There are so many legacy IT systems across the entire Government that it is difficult to secure them all, especially when many are old and did not have security engineered in. Budgeting for improved cybersecurity is only now getting attention, and Government funding exhibits the battleship problem: it is slow to turn around. Add to that the delays inherent in any large bureaucracy, and you’ve got what we’ve got. In short, governments cannot be nimble. You might think one could only focus on the critical systems; alas, we all know that critical systems are often attacked from stepping stone systems that play the role of trusted connections. The answer isn’t easy, but a lot depends on pushing to engineer security in from the start; to consider security as important as any other mission functionality requirement.
    More importantly, even if you can’t get it engineered in, you need to get everyone thinking about it: education, enforcement of policies, and emergency resilience can be as important as what is engineered in. Hmmm, seems like I climbed up onto a soapbox — the view is interesting from here. Articles like this can do it to you. Perhaps I’ll climb down now. Carefully.
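For the DANE-for-email building block mentioned under Building Blocks above, here is an added example (my own illustration, not code from the NIST document or this post) of the check a receiving mail client performs: it matches the SMTP server’s certificate against a TLSA record using the selector and matching-type fields from RFC 6698. The sample certificate is constructed inline, and the TLSA lookup itself is assumed to have already been done and DNSSEC-validated.

```python
import hashlib

def _tlv(tag, value):
    """Encode one DER TLV; used here only to construct the sample certificate."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def _der_read(buf, pos):
    """Return (tag, value, next_pos) for the TLV at pos; handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def extract_spki(cert_der):
    """Walk Certificate -> tbsCertificate and return the SubjectPublicKeyInfo TLV (selector 1)."""
    _, cert_body, _ = _der_read(cert_der, 0)
    _, tbs, _ = _der_read(cert_body, 0)
    pos = 0
    if tbs[0] == 0xA0:                 # optional [0] EXPLICIT version
        _, _, pos = _der_read(tbs, pos)
    for _ in range(5):                 # serialNumber, signature, issuer, validity, subject
        _, _, pos = _der_read(tbs, pos)
    _, _, end = _der_read(tbs, pos)
    return tbs[pos:end]

def tlsa_matches(cert_der, selector, mtype, assoc_data):
    """Selector 0 = full cert, 1 = SPKI; matching type 0 = raw bytes, 1 = SHA-256, 2 = SHA-512."""
    subject = cert_der if selector == 0 else extract_spki(cert_der)
    if mtype == 0:
        return subject == assoc_data
    algo = {1: hashlib.sha256, 2: hashlib.sha512}[mtype]
    return algo(subject).digest() == assoc_data

def dane_ee_record(cert_der):
    """The '3 1 1' record an operator publishes for its SMTP cert (DANE-EE, SPKI, SHA-256; RFC 7672)."""
    return (3, 1, 1, hashlib.sha256(extract_spki(cert_der)).digest())

def dane_verify(cert_der, records):
    """Accept if any DANE-EE (usage 3) record matches; usage 2 (DANE-TA) needs chain checks not done here."""
    return any(u == 3 and tlsa_matches(cert_der, s, m, d) for u, s, m, d in records)

# Constructed sample certificate (not a real cert): version, serial, empty sigAlg/issuer/validity/subject, SPKI.
SAMPLE_SPKI = _tlv(0x30, _tlv(0x30, _tlv(0x06, bytes.fromhex("2a864886f70d010101")) + _tlv(0x05, b"")) + _tlv(0x03, b"\x00" + b"\x01" * 40))
SAMPLE_TBS = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + _tlv(0x30, b"") * 4 + SAMPLE_SPKI)
SAMPLE_CERT = _tlv(0x30, SAMPLE_TBS + _tlv(0x30, b"") + _tlv(0x03, b"\x00sig"))
```

A real deployment would also require the record to come back with a DNSSEC-validated response, since an unsigned TLSA answer provides no assurance at all.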