What’s in the NIST cybersecurity controls catalogue update?

NIST Special Publication 800-53 isn’t the most exciting book, but for federal IT managers the canonical catalogue of cybersecurity controls is like the English Hymnal and the Book of Common Prayer rolled into one, and changes to it are a very big deal. The latest version, put together by scientists at the U.S. National Institute of Standards and Technology, incorporates privacy controls as well, one of its principal authors told CyberScoop. “It’s a leap ahead document,” NIST Cybersecurity Advisor Ron Ross said of the new draft of NIST SP 800-53: “Security and Privacy Controls for Federal Information Systems and Organizations.” Ross and other cyber experts from NIST last week briefed the agency’s Information Security and Privacy Advisory Board about the latest, long-awaited set of proposed revisions to the magisterial index of security controls, 800-53 Rev. 5. SP 800-53 lists the security controls federal managers have to choose from to ensure their IT systems comply with the security standards […]

The post What’s in the NIST cybersecurity controls catalogue update? appeared first on Cyberscoop.

Report: Smaller banks not shouldering email security burdens

The top five U.S. banks have all adopted an email security protocol that helps guard customers against phishing, but none of the 50 fastest-growing community banks in the country have done so, according to new data. Domain-based Message Authentication, Reporting and Conformance, or DMARC, is a way of preventing email spoofing, in which hackers or cybercriminals send messages purporting to come from someone else’s email address. It builds on the SPF and DKIM authentication checks: the domain owner publishes a DNS record telling receiving mail servers whether to quarantine or reject mail that fails those checks for its domain, and where to send reports about it. Because spoofed messages often carry malicious links or attachments designed to infect the recipient with malware and steal financial information, “adopting DMARC helps companies protect their customers, protect their brand and make their email more trustworthy,” according to Phil Reitinger of the Global Cyber Alliance. “When correctly implemented, DMARC ensures that the vast majority of consumers will no longer receive spoofed email purporting to come” from the DMARC-implementer’s domain, Reitinger said. The alliance has a portal where consumers can check if their bank or any other […]
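The check the alliance’s portal performs, as an added example that is not the portal’s own code: it reads the TXT record a domain publishes at `_dmarc.<domain>`, validates it the way a receiving mail server would (RFC 7489), and grades the domain as missing, monitor-only, partially enforcing or enforcing. The domain names and records in `SAMPLE_DNS` are constructed for the demo; `lookup_dmarc()` is an optional live query that assumes the `dig` tool is installed and the network is reachable.

```python
"""Grade a domain's DMARC posture from the TXT record at _dmarc.<domain>.

Added example, not code from the Global Cyber Alliance portal.  The DNS data
below is constructed; lookup_dmarc() is an optional live query that assumes
the `dig` tool is installed and the network is reachable.
"""
import subprocess

# Constructed sample data: domain -> TXT strings published at _dmarc.<domain>
SAMPLE_DNS = {
    "bigbank.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@bigbank.example"],
    "community-bank.example": [],                          # nothing published
    "monitor.example": ["v=DMARC1; p=none; rua=mailto:reports@monitor.example"],
    "partial.example": ["v=DMARC1; p=quarantine; pct=25; sp=none"],
    "duplicate.example": ["v=DMARC1; p=reject", "v=DMARC1; p=none"],
    "malformed.example": ["v=DMARC1 p=reject", "site-verification=abc123"],
}

VALID_POLICIES = ("none", "quarantine", "reject")


def parse_dmarc(txt):
    """Return the tag dict of a well-formed DMARC record, or None.

    RFC 7489 requires 'v=DMARC1' as the first tag and a 'p=' policy tag;
    receivers ignore records that violate this.
    """
    tags = {}
    first = True
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            return None
        key, value = (s.strip() for s in part.split("=", 1))
        key = key.lower()
        if first and (key != "v" or value != "DMARC1"):
            return None
        first = False
        tags[key] = value
    if tags.get("p") not in VALID_POLICIES:
        return None
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) > 100:
        return None
    return tags


def assess(domain, records):
    """Return (status, notes) for the TXT strings found at _dmarc.<domain>.

    status: 'missing'   - no usable record, spoofed mail is treated like any other
            'monitor'   - p=none, failures are only reported
            'partial'   - enforcing policy with gaps (pct<100 or open subdomains)
            'enforcing' - quarantine/reject applied to all failing mail
    """
    candidates = [r for r in records if r.strip().lower().startswith("v=dmarc1")]
    if not candidates:
        return "missing", ["no DMARC record at _dmarc." + domain]
    if len(candidates) > 1:
        # RFC 7489 section 6.6.3: more than one record means no policy applies
        return "missing", ["%d DMARC records published; receivers ignore all of them" % len(candidates)]
    tags = parse_dmarc(candidates[0])
    if tags is None:
        return "missing", ["malformed record will be ignored: %r" % candidates[0]]
    policy = tags["p"]
    if policy == "none":
        return "monitor", ["p=none: failures are reported but still delivered"]
    status, notes = "enforcing", []
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        status = "partial"
        notes.append("pct=%d: policy applied to only %d%% of failing mail" % (pct, pct))
    if tags.get("sp", policy) == "none":
        status = "partial"
        notes.append("sp=none: subdomains can still be spoofed")
    if "rua" not in tags:
        notes.append("no rua= address: the owner gets no aggregate reports")
    return status, notes


def assess_all(dns=SAMPLE_DNS):
    """Map every sample domain to its status."""
    return {domain: assess(domain, recs)[0] for domain, recs in dns.items()}


def lookup_dmarc(domain):
    """Live lookup via dig (assumption: dig on PATH, network available)."""
    out = subprocess.run(["dig", "+short", "TXT", "_dmarc." + domain],
                         capture_output=True, text=True, check=True).stdout
    # dig prints each TXT record as one or more quoted strings on one line
    return ["".join(line.split('"')[1::2]) for line in out.splitlines() if line]


if __name__ == "__main__":
    for domain, recs in SAMPLE_DNS.items():
        status, notes = assess(domain, recs)
        print("%-24s %-10s %s" % (domain, status, "; ".join(notes)))
```

Two of the constructed cases matter in practice: a domain that publishes two DMARC records, or one with a typo in the first tag, has effectively no policy at all, because receivers discard the record set rather than guess; and `p=quarantine` with `pct=25` or `sp=none` still leaves most spoofed mail, or every subdomain, deliverable. To grade a real bank, pass the output of `lookup_dmarc(domain)` to `assess()`.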

IARPA director: New homomorphic crypto is ‘math magic’

The latest kind of advanced encryption could soon allow classified computing to be done on unclassified computer systems, a senior intelligence official said Thursday. “That’s really one of the next places [we’re] likely to look — Can we use homomorphic encryption to do secure multiparty computation?” Jason Matheny, director of the Intelligence Advanced Research Projects Activity, told the Billington Cybersecurity Summit. Matheny said that his agency had first started researching homomorphic encryption in 2011 to fix a gap in the way data was kept secure. The method allows analysis on encrypted data without the need for decryption. “We were good at protecting [data] at rest, we were good at protecting it in transit, but not while it was being processed,” Matheny said. The problem: In order to perform any computational function, even as simple as a search, the data had to be decrypted, then processed. And at that point an adversary who […]

DHS on elections systems as critical infrastructure: ‘It was already the law’

A Homeland Security official gave more insight into the department’s effort to designate election systems as critical infrastructure shortly after the 2016 presidential election, saying it helped the department streamline communication in the event of an incident. Neil Jenkins, from DHS’s Office of Cybersecurity and Communications, gave the first detailed account Wednesday of the process leading up to the controversial decision, which was made by departing officials in the final days of the Obama administration and widely panned by state and local authorities. DHS designated election systems in 30,000 jurisdictions as critical infrastructure to ensure there would be someone in regular communication with state and local election officials about cyber threats to national polls. Jenkins told NIST’s Information Security and Privacy Advisory Board that in August and September 2016, when officials first became aware of Russian efforts to interfere with the election, they “started trying to catalogue the services we could offer to state authorities,” to help them […]

Not just cyber: NASA CIO says all IT is about risk management

It’s axiomatic that cybersecurity is all about risk management, but NASA CIO Renee Wynn said Tuesday that all IT, indeed all technology, has a “dark side” that must be contained. In a federal agency like NASA “the IT spend is all about managing risks — what are you buying?” Wynn said during FedScoop’s IT Modernization Summit. “Where’s it from? How well does it fit with your ecosystem? And can you protect it when it gets there?” “Cybersecurity is about that last piece,” she added. But long before IT is actually installed, the risk has to be assessed. “It’s coming into an [IT] environment from 1977,” she said. In fact, parts of NASA’s legacy IT are even older than that, dating back to the earliest days of space exploration. “Before it flew you had to invent it, and it had to be on the chalkboard … probably for 10 years […]

Mozilla weighs following Chrome in mistrusting Symantec certs

Mozilla, maker of the open-source browser Firefox, is weighing whether to join Google’s Chrome in its crusade against Symantec. A Mozilla blog post says Chrome engineers are correct in their assessment of the problems with Symantec-issued internet security certificates, but may have gone too far in proposing to distrust them. Security certificates underlie the little green padlock in the browser address bar, which tells consumers that the connection is encrypted and that the site has proved control of its domain name to a certificate authority the browser trusts. It’s a high-stakes game: if Chrome goes ahead with its plan to progressively stop trusting the certificates, its users will see a warning message or might even be blocked from visiting e-commerce sites that use Symantec certificates. And currently, that’s at least a third of the internet. But the more browsers that join Chrome in distrusting Symantec certificates, the more likely it becomes that Symantec’s customers will simply get their certificates elsewhere. In a blog post from Mozilla Policy Engineer Gervase […]

Symantec says it will reissue digital certs distrusted by Chrome

Symantec looks to be caving in its dispute with Google’s Chrome over the trustworthiness of its digital certificates, which underlie the green padlock in the browser’s address bar that signals an encrypted connection to a site whose identity a trusted certificate authority has vouched for. Chrome, citing what it says are repeated failures by Symantec to comply with the rules governing the issuance of digital security certificates, last week threatened to stop fully trusting them. Chrome’s proposal demands that Symantec re-validate and re-issue the millions of certificates it has created, and would stop recognizing the extended validation, or EV, status of Symantec certificates. Because the proposal could mean Chrome users would see warnings or be blocked at many major e-commerce sites that currently use Symantec certificates, it effectively challenged Symantec to a game of chicken. Over the weekend, Symantec blinked. In a blog post titled “A Message to our [Certificate Authority, or] CA Customers,” Symantec Senior Vice President and […]

Citing compliance failures, Chrome will distrust Symantec certificates

Two of the biggest names on the internet embarked on a game of chicken this week over the little green padlock in the address bar. Browser behemoth Chrome, citing what it says are repeated failures by security giant Symantec to comply with the rules governing the issuance of internet security certificates, is threatening to stop fully trusting them. At stake is the browser experience for millions of consumers who use the Google-backed browser to shop and bank online. The certificates are how a website proves its identity in TLS, the encrypted connection between a website and a visiting computer that’s denoted by the green padlock. TLS — and the outdated SSL protocol it replaces — make it possible for users to send credit card details, Social Security numbers and other sensitive information confidentially across the public internet. If Chrome stopped recognizing Symantec certificates — which are behind at least a third of the TLS traffic on the […]

Americans ignorant on cybersecurity, Pew poll shows

Most Americans don’t understand the security measures that can keep them safe online, according to new data from the Pew Research Center. A survey published Wednesday shows a large majority of Americans can pick the strongest password off a list and know that public Wi-Fi isn’t safe for sensitive activities such as online banking. But only a third knew what HTTPS (the green padlock next to the web address bar) means, namely that the data exchanged with the site is encrypted, and only one in ten could distinguish two-factor authentication from other forms of login security. The survey, of 1,055 American adults, was conducted last June for the center. It consisted of a 13-question pop quiz respondents took online. The questions “cover many of the general concepts and basic building blocks that cybersecurity experts stress are important for users to protect themselves online,” said the center in an analysis. The multiple choice questions range from selecting the strongest password from a list, to identifying which login screen shows two-factor authentication, as opposed […]
