DHS CISO joins call for an 18F for cybersecurity

The federal government should establish a dedicated team of star performers poached from the private sector along the lines of the General Services Administration’s government technology startup 18F, Department of Homeland Security CISO Jeff Eisensmith said Thursday. “We need to do the same thing we did with 18F and push that deeper into the cybersecurity realm,” he told CyberScoop in a brief interview after his panel discussion at the Dell EMC’s Digital Transformation Summit produced by FedScoop. “18F brought higher pay and prestige” to government service, he said. “They recruited hard in high tech areas. That whole paradigm could work” in cybersecurity. Eisensmith’s call echoes one issued last year by 18F founder Greg Godbout. “It would be really great to have a consultant service in government similar to an 18F or US [Digital Service] model … that’s built around cybersecurity,” Godbout told FedScoop in May last year, about a month after he left his […]

The post DHS CISO joins call for an 18F for cybersecurity appeared first on Cyberscoop.

Congresswoman hopeful on IoT security legislation

The authors of draft legislation to impose security standards on Internet of Things devices purchased by the federal government are in listening mode for now, a senior Democratic congresswoman said Thursday. A discussion draft of the House version of the Internet of Things Cybersecurity Improvement Act of 2017 is out, Democratic Rep. Robin Kelly of Illinois told the Dell Technologies Digital Transformation Summit produced by FedScoop. “We want the stakeholders at the table,” as the bill is tweaked, she told CyberScoop in a brief interview after her keynote address, referring to tech companies, security experts and business lobbyists. “We want to get [those views] so it can be developed in a broad bipartisan way,” she said. Kelly, who is the ranking member of the IT Subcommittee of the House Oversight panel, said the bill is intended as a companion measure to the similar bill introduced in August in the Senate. “It tracks […]

The post Congresswoman hopeful on IoT security legislation appeared first on Cyberscoop.

OMB sees risk management efforts slowly coming to fruition

U.S. officials are finally starting to get the real-time situational awareness cybersecurity data they need to make risk management decisions about their networks, a federal advisory panel was told Wednesday. But much of the news isn’t good, and the way decisions are handled can have a big impact on the effectiveness of government-wide efforts like the Department of Homeland Security’s Continuous Diagnostics and Monitoring program, officials said. The report on agency risk — one of two required by President Donald Trump’s executive order on cybersecurity — has been submitted to the president, NIST’s Information Security and Privacy Advisory Board was told. The report on IT modernization was being finalized for submission after an analysis of the report’s public comments, Joshua Moses, from the office of the federal CIO, said. Moses said officials were keen to leverage the EO’s authorities in order to improve measurability and accountability related to agencies’ […]

The post OMB sees risk management efforts slowly coming to fruition appeared first on Cyberscoop.

Federal agencies often don’t know who’s attacking them online, OMB says

In nearly a third of the cybersecurity incidents reported to the Department of Homeland Security by federal agencies, there was no information about what kind of attack took place or where it was targeted, officials said Wednesday. In the annual reporting required by the 2014 Federal Information Security Modernization Act, or FISMA, “most agencies didn’t have a handle on where the threat was coming from,” White House Office of Management and Budget official Joshua Moses told a federal advisory panel. “Nearly a third of the incidents that were reported to Homeland Security last year did not have an associated threat vector or attack vector specified in the reporting,” he explained to the Information Security and Privacy Advisory Board during an update on OMB’s cybersecurity activities. Experts say that while it may not matter for the purposes of foiling any one particular attack, knowing the details of an organization’s threat environment — who might be trying to attack […]

The post Federal agencies often don’t know who’s attacking them online, OMB says appeared first on Cyberscoop.

Bossert doubtful on ‘cyber moonshot,’ preferring to focus on risk management

The problem with thinking about confronting the nation’s cybersecurity challenge in terms of a “cyber moonshot” is that it implies an end-state where the goal has been reached, White House homeland security adviser Tom Bossert said Tuesday. “The call to go to the moon had a clearly measurable end point,” just as do other analogies — for example, eradicating a disease — he told reporters Tuesday on the sidelines of Palo Alto Networks’ Ignite federal cyber conference. “In the cyber space, I think it’s going to be a more appropriate analogy to employ a risk-management set of terminology, the idea being that you will always have to manage that risk and mitigate it.” Cyberthreats wouldn’t end, Bossert pointed out, even if there was a game-changing national achievement such as that posited by the moonshot’s supporters. The concept has been used with increasing frequency recently to describe a proposal for a huge national effort to […]

The post Bossert doubtful on ‘cyber moonshot,’ preferring to focus on risk management appeared first on Cyberscoop.

Bossert promises new national cybersecurity strategy

Trump administration officials are working on a new national cybersecurity strategy, building on the president’s executive order earlier this year, homeland security adviser Tom Bossert said Tuesday. “The president moved in his first months to put out an executive order to do the trench work necessary to put us in a position of putting forward a cybersecurity strategy,” he said at a Palo Alto Networks event Tuesday in Washington, D.C. “As soon as we’re prepared to issue a strategy that will be beneficial to the government and the nation, we’ll do so.” During a conversation on stage with Palo Alto Networks CEO Mark McLaughlin, Bossert said he was surprised and disappointed that the 2008 Comprehensive National Cybersecurity Initiative he had helped craft during his time serving President George W. Bush still appeared to be the blueprint for U.S. strategy in cyberspace. “If you had told me that ten years later, I’d come […]

The post Bossert promises new national cybersecurity strategy appeared first on Cyberscoop.

Rep. Ratcliffe pushes to define ‘cyber moonshot’ goals

The United States needs to carefully define the goal of a “cyber moonshot” before embarking on a national mission to make the internet safe, Rep. John Ratcliffe said Tuesday. The original moonshot “wasn’t easy to do, but it was easy to define,” he said at an event hosted Tuesday by Palo Alto Networks. “Before we work towards our own cyber moonshot, we need to define the objectives of that moonshot with great precision and clarity.” Ratcliffe, R-Texas, is chairman of the House Homeland Security Subcommittee on Cybersecurity and Infrastructure Protection, and the author of several cybersecurity bills. The cyber moonshot is an analogy that has been used with increasing frequency to describe a proposal for a huge national effort to secure the digitally connected world. At a meeting earlier this month at a federal telecommunications advisory panel, a number of leading government scientists debated its usefulness. “I don’t mean to […]

The post Rep. Ratcliffe pushes to define ‘cyber moonshot’ goals appeared first on Cyberscoop.

New OWASP Top 10 includes Apache Struts-type vulns, XXE and poor logging

The latest draft of the Open Web Application Security Project’s list of Top 10 software vulnerabilities, a replacement for the draft that caused such pushback earlier this year, includes three new categories of security flaws. The three new vulnerability categories are: XML External Entity (XXE), the kind of vulnerability that powered the Billion Laughs attack; Insecure Deserialization, like the Apache Struts vulnerability that was left unpatched at Equifax, enabling the massive data breach there over the summer; and Insufficient Logging and Monitoring. The new categories were derived from more than 40 vulnerability datasets submitted in response to an OWASP data call, and from 515 responses to a questionnaire emailed to members of the security community. The top two on the canonical list — injection vulnerabilities, like those found in SQL databases, and broken authentication and session management — remain unchanged from the last version, published in 2013. Sensitive data exposure moves up from sixth to […]

The post New OWASP Top 10 includes Apache Struts-type vulns, XXE and poor logging appeared first on Cyberscoop.

China’s vulnerability disclosure system twice as fast as U.S. version

China’s National Vulnerability Database works more than twice as fast on average as its U.S. counterpart, according to new research. On average, US-CERT takes 33 days after the public disclosure of a software vulnerability to complete the cataloging process and create an entry in the National Vulnerability Database (NVD), whereas China’s version (CNNVD) is updated an average of just 13 days after public disclosure, according to research published by cybersecurity firm Recorded Future. In its posting, the firm analyzed two years of vulnerability reporting data from both NVD and CNNVD. Because averages can be distorted by a small number of outlying data points (in this case, very long delays in vulnerability cataloging), Recorded Future analyzed the data based on percentiles as well. “Within six days of initial disclosure, 75 percent of all vulnerabilities published on the web are covered in CNNVD. The U.S. NVD takes 20 days,” the researchers write. “CNNVD captures […]

The post China’s vulnerability disclosure system twice as fast as U.S. version appeared first on Cyberscoop.

Check Point warns of ‘vast’ new IoT botnet

Hackers have been assembling a large botnet consisting of internet-connected devices, mainly webcams and consumer routers, which they’ll soon be able to use in massive denial-of-service attacks, according to new research. Researchers from Israeli firm Check Point Technologies say they are seeing activity from infected devices in 60 percent of the networks that use their ThreatCloud product. “In just the last two days, we have seen more than 20,000 IP addresses scanning,” meaning the device at the address is infected, Group Manager for Threat Intelligence Maya Horowitz told CyberScoop Friday. Each infected device is given a list of IP addresses to scan for other vulnerable devices by its command and control, or C2, server. “When the scan is complete, the device sends the results back to the C2, telling it where there are more vulnerable devices,” Horowitz said. Given that only a few hundred networks use the ThreatCloud product, she said, “That’s a […]

The post Check Point warns of ‘vast’ new IoT botnet appeared first on Cyberscoop.