Wednesday, June 17, 2015

Now if you are investigated it is by a guy with Gmail account - What I am reading 6/17/2015

Network World - 6 free network vulnerability scanners -

Last night I was poking around some threads on Techexams.net and came across this one - SOC what do I need to learn - Somewhere in the thread they mentioned getting familiar with vulnerability analysis tools.  I realized that I really only ever use Nessus.  Some googling and the above link came up.  I tried out the Microsoft Baseline Security Analyzer on my system (I had used it before but it has been a while) and had good results: it found a missing security patch which I then downloaded and installed, and it will join my monthly security ritual.

For those of you who aren't familiar with my rather anal practice (and by this I mean that one voice in my head that just refuses to listen since I have no real readers) - I run anti-virus software on all my systems.  Once per week I run Malwarebytes Antimalware (free version).  Once per month I download one of the standalone scanners from a company other than my ordinary A/V supplier and run it, usually while I am out doing my normal Sunday visit to Powell's Books.  I don't generally consider myself at risk but the amount of effort required is so minor I think it's worthwhile.  I am now going to add the vulnerability scanner into the monthly equation.

SANS - Reducing Federal Systems Risks with the SANS 20 Critical Controls -

Protecting our information systems is a top priority for all levels of leadership. The White House has budgeted $769 million for fiscal year (FY) 2013 (up from $459 million for FY 2012) for the National Cyber Security Division of the Department of Homeland Security (DHS). Teri Takai, Department of Defense Chief Information Officer, has a single quote on her homepage: “Information is our greatest strategic asset.” Her 10-Point Plan for IT Modernization emphasizes leveraging automated tools and continual assessments to strengthen cybersecurity.

At the RSA® Conference 2012, there was talk of U.S. and Canadian government agencies adopting the SANS 20 Critical Security Controls (20CSC) as a standard. Potential cyber attackers are guided by many principles, some of them centuries old. The Chinese military strategist Sun Tzu wrote, “Speed is the essence of war. Take advantage of the enemy’s unpreparedness; travel by unexpected routes and strike him where he has taken no precautions.” This strategy is a proven recipe for successful cyber attacks. As cyberdefenders, we must take precautions to prepare for these incidents. We, too, have principles and guidelines to orient our defenses. One of the best tools available for protecting federal systems is the 20CSC.

Obviously in light of the OPM breach that first paragraph is almost laughable, but I can tell you that on the network I work on we do make a definite effort to integrate all 20 controls into our day-to-day activities.  That isn't to say we can't improve, but we do take it seriously.

Ars Technica - Encryption “would not have helped” at OPM, says DHS official -
But some of the security issues at OPM fall on Congress' shoulders—the breaches of contractors in particular. Until recently, federal agents carried out background investigations for OPM. Then Congress cut the budget for investigations, and they were outsourced to USIS, which, as one person familiar with OPM's investigation process told Ars, was essentially a company made up of "some OPM people who quit the agency and started up USIS on a shoestring." When USIS was breached and most of its data (if not all of it) was stolen, the company lost its government contracts and was replaced by KeyPoint—"a bunch of people on an even thinner shoestring. Now if you get investigated, it's by a person with a personal Gmail account because the company that does the investigation literally has no IT infrastructure. And this Gmail account is not one of those where a company contracts with Google for business services. It is a personal Gmail account."
I don't even know where to begin except with "Come the revolution ..."

Tech Crunch - Sean Parker’s Brigade App Enters Private Beta As A Dead-Simple Way Of Taking Political Positions -

For example, a trending topic today is “Trade With Asia.” You can flip through a series of cards with statements like “Massive international trade agreements hurt small businesses in America” or “International trade deals expand opportunities for American goods abroad.” If you take a position, you’ll see a polling chart that shows the percentage of Brigade users who are either for or against your side. If you’re not sure, you can flip through reasons that argue for both sides.
Parker said they wanted to pare the experience down to its basics and take out policy makers or parties at the start. (The company stresses that they’ll be layering on a lot more features later like the ability to start groups with like-minded friends and analytics for campaign partners as they grow the user base though.)
Interesting concept.  I want to see it when it hits public beta.