News, analysis and context on enterprise technology for the CTO
On Friday, 16 December, Michael Howard hosted a webinar for FedCyber on the Microsoft Security Development Lifecycle (SDL), Howard is Microsoft’s Principal Security Architect with nearly 20 years of experience in the field and literally wrote the book on SDL, a topic that keeps growing more relevant. This year, the federal government put into policy with the National Science and Technology Council’s strategic plan for federal … [Read more...]
The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program established in December 2011 to speed the adoption of cloud computing. FedRAMP includes a set of requirements for federal cloud computing and universal procedures for approving services and providers to work with the government. When contractors feel that they have met FedRAMP requirements, they must have their security control implementations independently … [Read more...]
2011 was a watershed year for cybersecurity, but it was evolutionary rather than revolutionary. Political hacking, industrial skullduggery, drones gone wild, and mobile malware all made 2011 a year, to borrow CrucialPoint amigo Matt Devost's phrase (since I'm already borrowing his image for the post graphic, why not?), to live cyberdangerously. The Rise of the Political Hacker Anonymous was, in many ways, the biggest cybersecurity story of 2011. … [Read more...]
CTOs , CIOs, and technology reporters are very familiar with the idea of the network. Think of networks and tech and the terms network-centric warfare, netwar, social networks, the wealth of networks, and a host of other terms and ideas immediately roll off the tongue. The network is the defining metaphor of the information age. But while the network is important, so is the swarm. Swarming in warfare has been fairly well analyzed by David Ronfeldt and … [Read more...]
We've recently heard a few big announcements for mobile computing in the military, which has long been blocked by security issues. First, the US Defense Information Systems Agency approved Dell Android 2.2 for use on Department of Defense networks with a few notable limitations. DoD users won't be able to access either classified data or the Android app store. Currently only one device, the Dell Venue smartphone, runs Dell Android 2.2, so the benefits … [Read more...]
In December 2011, the Executive Office of the President’s National Science and Technology Council released Trustworthy Cyberspace: Strategic Plan for the Federal Cybersecurity Research and Development Program, a set of R&D priorities for U.S. government agencies. The White House released Trustworthy Cyberspace to guide research, development, and funding by organizations DARPA, IARPA, and the DHS Science and Technology Directorate towards current … [Read more...]
While popular attention in cyber issues often focuses on the exotic APTs, enterprise security is being rocked by an unpleasant truth. Activist hackers have become a major problem, and not just for obvious targets such as the Church of Scientology or the United States government. Political risk company STRATFOR was recently hacked by elements of Anonymous as part of the AntiSec campaign. The reason why STRATFOR was targeted? [The attack] appeared to … [Read more...]
A very interesting (OK, it was pretty cool) vulnerability in the TCP stack of Windows Vista and above (including 32-bit and 64-bit versions and Windows Server 2008) was recently announced and patched. This vulnerability is of particular note not just because of the wide range of products that it affected, but because of how the vulnerability worked. Microsoft published this in its advisory on the vulnerability: "A remote code execution vulnerability … [Read more...]
USB is a wonderful technology -- it allows us to be platform-agnostic, gives us compatibility, ease of use, and more durability than some previous connectors we have used in the past. It also presents a very difficult security challenge to security professionals. USB devices have become so ubiquitous, we don't think twice about just plugging one into a computer. We have USB plasma balls, drink refrigerators, coffee heaters, thumb drives, keyboards, … [Read more...]
As the high profile breaches and cyberattacks of this past year clearly illustrate, enterprise security still has to catch up to growing and evolving threats such as persistent targeted attacks by criminals and state-sponsored attacks or espionage. Though the government and private sector continue to take steps to protect their networks, unfortunately attackers also aren't standing still and trends such as cloud computing, mobile computing, and the … [Read more...]