October is National Cyber Security Awareness Month

Children won’t be the only ones trick-or-treating this month. Last year, federal agencies reported an estimated 3,574 incidents every month in 2011 according to the Government Accountability Office. The same office also said incidents reported have increased nearly 680% in the last six years. Due to rising cyber terrorism and the need for increased cyber security, President Obama has designated October “National Cyber Security Awareness Month”.

Online Identity: Evolve or Perish!

The following noteworthy identity management statement comes from the Cyberspace Policy Review issued last year by President Obama: “Build a cybersecurity-based identity management vision and strategy that addresses privacy and civil liberties interests, leveraging privacy-enhancing technologies for the Nation.” To be clear, I am an avid opponent of “anonymity for all” on the web. I do not think it is in our common interest to have anonymous communication in the public sector. I know that I will draw the ire of many who view the Internet as a constitutional right, but I persist with this view because the very nature of our constitution provides for the free and open exchange of ideas in the public forum. With this protection in place why would we need anonymity given the extreme handicap that it places on us in processing information?

Privacy vs. Security

The AFCEA Global Intelligence Forum was scheduled for this June but given the ongoing debate in Congress on the conference topic and the FY13 budget uncertainties, the event has been postponed. Nevertheless, they have proposed some interesting questions:

• What does it mean to be a citizen of the information nation?
• Who are the protectors of that nation and what is the appropriate balance between personal privacy and public security?
• Is the choice between security and privacy a false one? Can technology itself enable safe and secure citizenship?
• Who and how should the ethics of information technology be determined? How does the next generation – the generation of cyber “citizens” – view the issue of privacy and security?

It is easy to believe that there are more questions than answers but that is not a particularly useful ground to stand on for analysis. Let’s explore these questions.

Cut and Dry Cybersecurity

An agency’s computer system is under constant cybersecurity threats from several factors. While many of them are intentional, such as fraud and theft, there are also the unintentional errors and omissions that threaten a system’s security. Let’s take a closer look at some examples.

The Intentionally Malicious

Information technology is increasingly used to commit fraud and theft. Computer systems are exploited in numerous ways, both by automating traditional methods of fraud and by using new methods. Unfortunately, insiders who are authorized users of a system perpetrate the majority of the fraud uncovered on computer systems. Since insiders not only have access to, but are also familiar with, the victim computer system (including what resources it controls and where the flaws are), authorized system users are in a better position to commit crimes. Former employees may also pose threats, particularly if their access is not terminated promptly.

SCAP Frequently Asked Questions

Last month, we began addressing some frequently asked Security Content Automation Protocol (SCAP) questions. Now that we have clarified what SCAP is, what it consists of, and how it helps with compliance issues, let’s look at FAQs about how validation and independent testing factor in.

What is validation? The SCAP Program is responsible for maintaining established standards and ensuring that validated products comply. Validation is achieved through proving that the testing performed by the laboratory has been carried out correctly.

Who does independent testing? Test results for validation are accepted from laboratories that are accredited by the National Voluntary Laboratory Accreditation Program (NVLAP). This accreditation is earned after full review of the laboratories’ Quality Management System (QMS) and passing of the technical proficiency tests.

Cloud and Continuous Monitoring

Continuous monitoring involves assessing an agency’s information security posture based on changes to risk resulting from new threats or newly discovered vulnerabilities. The National Institute of Standards and Technology’s (NIST) Guide for Applying the Risk Management Framework to Federal Information Systems (Special Publication 800-37, Revision 1) specifies continuous monitoring as one of the six steps in information security. As agencies begin looking at cloud initiatives, the challenge is implementing a continuous monitoring program that reduces risk and ensures compliance with NIST and other relevant guidance in an environment of decreased control. The solution begins with knowing where compliance ends and risk begins.

SCAP Frequently Asked Questions

In our last discussion, we aspired to automated provisioning and continuous monitoring of Network Security Management. The National Institute of Standards and Technology (NIST) has spearheaded Security Content Automation Protocol (SCAP) efforts for the last ten years. NIST, an agency of the U.S. Department of Commerce, was founded in 1901 as the nation's first federal physical science research laboratory. In essence, SCAP is a NIST-sponsored effort covering both pieces (automated provisioning and continuous monitoring). As a refresher: SCAP, pronounced “S-Cap”, combines a number of open standards that are used to enumerate software flaws and configuration issues related to security. These standards measure systems to find vulnerabilities and offer methods to score those findings in order to evaluate the possible impact. SCAP is a method for using those open standards for automated vulnerability management, measurement and policy compliance evaluation, and it was the next logical step in the evolution of our compliance automation tools for Federal Agencies. SCAP defines how the following standards (referred to as SCAP 'Components') are combined and allows results to be easily shared with the Federal Information Security Management Act (FISMA) program, the Office of Management and Budget (OMB), the Department of Homeland Security (DHS) and others.

Spreading the Word on Cyber Attacks

“It's not the loud pronouncements by hacking groups or the highly visible denial-of-service attacks that scare cybersecurity experts. It's silence,” claims a recent Federal Times article. The article “Programs aim to get the word out when cyber attacks occur” brings light to the idea that one of the greatest tools against cyber attackers is the “relatively low-tech approach of sharing information about attacks.” The article goes on to describe a push for disclosure, explaining that the DoD has put forth ideas for a new Defense Federal Acquisition Regulation Supplement (DFARS) rule. The proposed DFARS rule would require contractors to provide “adequate security”, report cyber incidents within 72 hours, and review their networks to search for additional attack information. As always, the issue of cost tops the concerns about this communication technique. Not only would there be increased costs for the companies providing the “adequate security”, but government resources would have to be tapped in order to provide data analysis and enforcement of any resulting mandates.

Current State of Information Security | Part 2

Part 2 of 2: A few weeks ago, we looked at the current state of information security and implementations from the Ten Domain Model. Using this information, we can now look at where we need to be. Due to the rapidly changing threat landscape, two key requirements for information security are becoming increasingly critical. These requirements are automation and continuous monitoring.

1) Why Automation? Only automated approaches can scale and respond rapidly to large-scale incidents.
   a. Preventative policy enforcement reduces risk:
      i. the overall number of security vulnerabilities
      ii. the success of any particular attack technique.
   b. Automated remediation systems have a positive impact on a large number of hosts with a relatively small time investment from computing staff.

2) Why continuous monitoring? A primary goal of continuous monitoring is, as much as is practicable, to apply automated remediation to security vulnerabilities that are found. That takes the need for human intervention out of the picture. Human intervention, and the errors and delays that result from it, are credited for many of the lapses in IT security.