No longer ‘federal,’ no longer exclusively ‘cyber’ — NIST security controls break out

The National Institute of Standards and Technology has removed the word “federal” from the title of its magisterial catalogue of cybersecurity and privacy controls — one of a series of proposed changes it rolled out this week after a long delay. “The reality is, today we’re all of us — federal, state and local government and the private sector — using the same technologies … and facing the same [cyber] threats” as a result, said NIST Fellow Ron Ross. As they worked through the rewrite — a year-and-a-half-long process — the authors realized that beyond their traditional “customer base,” the federal agencies mandated by law to use the controls in the catalogue, there were many others who might find it useful. So they changed the name of the catalogue, known as NIST SP 800-53, by cutting the word “federal” from its former title, Security and Privacy Controls for Federal Information Systems and Organizations. SP 800-53 […]

The post No longer ‘federal,’ no longer exclusively ‘cyber’ — NIST security controls break out appeared first on Cyberscoop.

This one matters, too: Carnegie Mellon issues guide to disclosing software vulnerabilities responsibly

Over the past year or so, there’s been an explosion of interest in vulnerability disclosure policy — the question of how to handle software flaws found by security researchers, which need to be patched before hackers can use them to break into computer systems. Both the Defense Department and the General Services Administration have launched bug bounty programs to reward researchers who responsibly report security flaws they find, and the National Telecommunications and Information Administration’s multistakeholder process published a guide to coordinated vulnerability disclosure, or CVD. Even the Justice Department has gotten in on the act, putting out a set of legal guidelines for companies and other organizations interested in establishing a vulnerability reporting and fixing process. So you would think the publication of yet another set of guidance would be anticlimactic and might even be ignored. But you’d be wrong. The prestigious Software Engineering Institute at Carnegie Mellon University […]

Uber reaches deal with FTC on consumer privacy, agrees to new program

Ridesharing behemoth Uber agreed Tuesday to institute “a culture of privacy” in how it handles personal information from its passengers and drivers, following a Federal Trade Commission investigation that revealed the company misrepresented its internal data access policies and failed to take reasonable security measures to safeguard data in the cloud. The FTC announced the proposed settlement — which does not include any financial penalty on Uber — in a press call held by the agency’s acting Chairwoman Maureen Ohlhausen. The settlement, she said, will last for 20 years and “requires a culture of privacy at Uber” — which has to appoint a privacy officer, institute a privacy program and get it audited by an independent third party. FTC officials say that they don’t have the power to impose penalties — except for violations of existing orders. The commission also generally doesn’t seek financial redress for consumers unless there is a tangible […]

Ray Kelly, Elaine Duke on short list for Homeland Security secretary

Officials have narrowed the list for the vacant secretary of Homeland Security position as the White House aims to find a replacement for retired U.S. Marine Gen. John Kelly, former DHS officials tell CyberScoop. Current DHS Deputy Secretary Elaine Duke, who has been the department’s acting secretary since Kelly left to become White House chief of staff two weeks ago, is among the leading candidates, one former senior DHS official in touch with the administration said. Several former officials from the last two administrations spoke to CyberScoop, which granted them anonymity to candidly discuss internal deliberations they had been briefed on and give their unvarnished views on the candidates. In addition to Duke, the list of possible candidates for the secretary’s post, according to the former senior DHS official in touch with the administration, includes: former New York Police Chief Ray Kelly; former Coast Guard Commandant and Deputy DHS Secretary James Loy; former DHS […]

DHS promotes from within to fill cyber deputy assistant secretary role

Rick Driggers, one of two deputy directors at the Department of Homeland Security’s 24-hour watch operation, the National Cybersecurity and Communications Integration Center, has been promoted to be DHS deputy assistant secretary for cybersecurity and communications, a DHS official confirmed Monday. Driggers is taking over the post vacated by DHS veteran Danny Toler, and once held by former Federal CISO Greg Touhill. The official told CyberScoop Driggers “will gradually assume the responsibilities of his new position over the next few weeks.” In his new position, Driggers reports to Assistant Secretary for Cybersecurity and Communications Jeannette Manfra. In a brief statement emailed to reporters, Manfra said she was “extremely grateful” to Toler. “He has done a great job keeping the ship afloat as the acting assistant secretary. His contributions to the organization over the past five years will endure. I believe the department is in a better place as a result of his work, […]

Double role for White House cyber aide shows challenges for new administration

The remarkable decision to have a single official fill two key White House cybersecurity posts has highlighted both the Trump administration’s commitment to securing federal IT networks as a national security priority and its inability to fill key cyber jobs. Grant Schneider, the current deputy federal CISO, who has been acting CISO since his boss left mid-January, will also begin doing the job of senior director within the cybersecurity directorate of the National Security Council staff, the White House let slip this week. The federal CISO job is based in the Office of Management and Budget, which, like the NSC, is within the Executive Office of the President. Several former NSC staffers told CyberScoop the dual-hatting arrangement makes sense in the short term, but they questioned its viability in the long run. The administration made fixing federal government IT systems a priority under the cybersecurity executive order President Trump signed in May. The CISO’s office is operationally responsible for […]

Hackers use ‘cloud-on-cloud’ attacks to evade detection, attribution

A stealthy group of hackers is using cloud infrastructure to attempt “low and slow” brute force attacks on the Microsoft Office 365 logins of senior executives at a broad swath of Fortune 2000 companies, according to recent research. The cloud-on-cloud attacks, spotted earlier this year by Skyhigh Networks, appear to be an early example of a criminal or espionage group leveraging cloud infrastructure to hide not only their identity and the origins of their attack, but also the attack itself. The research highlights the increased complexity of the security issues companies face when they move to the cloud. The attacks “came from multiple [cloud] providers and targeted multiple [Skyhigh] customers over a period of time,” explained Slawomir Ligier, the company’s senior vice president of engineering. “They were low and slow … designed to get under the radar.” In fact, Ligier said, Skyhigh only detected the attacks because it was able to correlate Office 365 API […]

Report: Dropbox, Google, LinkedIn among services that allow repeated single-character passwords

Many major internet businesses catering to consumers and companies — including Dropbox, Amazon and Google — allow users to create passwords that consist of strings of a single character that are crackable in seconds, according to new research. The study, produced by password manager company Dashlane, checked the practices of 37 consumer-facing websites and apps for five basic password security measures — including whether new customers could create an account protected by a password using only a repeated single character. More than half of all the consumer sites researchers tested allowed a password with fewer than eight characters. Additionally, “researchers created passwords using nothing but the lowercase letter ‘a’ on Amazon, Google, Instagram, LinkedIn, Venmo and Dropbox, among others,” according to Dashlane. Of the consumer sites, only one, GoDaddy, implemented all five of the basic security measures. Netflix, Pandora, Pinterest, Spotify and Uber all got zero, because they implemented none. On the enterprise side, two of the […]

Federal CISO to get second hat as National Security Council’s cyber director

Grant Schneider, the acting federal CISO who has been running the shop since his boss left just before the inauguration, is getting a second hat within the White House as a senior director for cybersecurity at the National Security Council, an administration official tells CyberScoop. Schneider will take over one of the “recently vacated senior director positions within the Cybersecurity Directorate on the NSC led by Rob Joyce,” the official said in an email. Schneider is the deputy CISO, but has been filling the top job since federal CISO Gregory Touhill departed in mid-January. “In order to increase synergy and alignment of national and federal cybersecurity strategy, policy, and guidance,” Schneider will continue to do his job at the Office of Management and Budget, the official added. “He will continue to lead and manage the Federal CISO team at OMB as well as the ‘Homeland’ portfolio within the NSC Cybersecurity Directorate.” That position was most recently filled […]

Citing ‘confidence gap’ in American tech workforce, CompTIA creates professional association

A leading association of technology companies, citing the looming workforce crisis in cybersecurity and other IT fields, announced Tuesday it was re-launching a professional organization that would represent and offer certifications to those seeking employment in the sector. The Computing Technology Industry Association, known as CompTIA, formally rolled out its new workforce program, the Association of Information Technology Professionals, or AITP, in a press release after months of preparation. There are projected to be 1.8 million unfilled job vacancies in the tech industry by 2024, CompTIA says. That skills gap, the release says, is “also a confidence gap — where many don’t think they have the background or support to be part of the technology industry.” AITP launches with chapters in 20 states, and plans to open more, according to the release. Membership is free for students, $99 a year for professionals and $249 for recruiters. The association says it will offer members a menu of […]