#nationalcybersecuritymonth


#nationalcybersecuritymonth | Pentagon CMMC program to vet contractor cybersecurity

Source: National Cyber Security – Produced By Gregory Evans

The U.S. Department of Defense is aiming to secure its supply chain with the cybersecurity maturity model certification, or CMMC program, which will vet potential third-party contractors.

Ellen Lord, the undersecretary of defense for acquisition and sustainment, said at a news conference at the Pentagon that the CMMC program “will measure technical capabilities and process maturity” for organizations in the running for new defense contracts.

Although the full details of the CMMC program won’t be made public until January, Lord described it as a five-tier framework in which each level of certification is specifically designed based on how critical the work of the contractor would be. The CMMC program is scheduled to be fully implemented by June 2020.

Dan Fallon, senior director of public sector systems engineers at Nutanix, said programs like CMMC that “create or enhance standard practices and responsibilities around cybersecurity are essential to improving security posture.”

“It is great to see the DOD engaged in a strategic, comprehensive and measured approach to ensuring the security of the products and vendors with whom they work,” Fallon told SearchSecurity. “Furthermore, the Department’s concerted effort in sourcing input from the private sector in developing these standards is a strong indication of its understanding that even with additional cybersecurity policy, overall security will always remain a shared responsibility between vendors and government agencies. After all, there is no one silver bullet to make an agency invulnerable to attack.”

Theresa Payton, president and CEO of Fortalice Solutions and former White House CIO, said the CMMC program “is a good next step to improve supply chain security for the DOD through its contractors and sub-contractors.” 

“In the wake of data breaches where the weakest link was a contractor, these are important next steps,” Payton told SearchSecurity via email. She added that if she “were to prioritize security elements for every contractor and subcontractor to meet it would be: 1. ensure that all data at rest and in transit and at points of consumption are encrypted; 2. have a regular review process of user access controls and authorizations to include third-party applications and system-to-system interactions that are tested; 3. create kill switches that can be flipped if there is a suspected intrusion; 4. ongoing training and awareness.”

Dr. Chase Cunningham, principal analyst serving security and risk professionals for Forrester Research, said the requirements should focus on “using virtual infrastructure to manage the connections those persons have into a system, and really solid analytics.”

“They already do basically everything anyone can to vet a singular user, having been through that myself I can tell you it is rough, but ultimately once a person is in a network it’s on [the DOD],” Cunningham told SearchSecurity. “If they don’t monitor [contractors] and have really segmented infrastructure, things go bad quick. Combine well-built zero-trust infrastructures with good behavioral monitoring and analytics and you can fix this problem.”

The full details of the CMMC program requirements won’t be known until next month, but Lord did promise the expectations, measurements and metrics used will be “crystal clear,” and audits of potential contractors will be done by a third party that should be chosen by next month as well.

Additionally, Lord said at the Ronald Reagan National Defense Forum in Simi Valley, Calif. earlier this week that the DOD expects the weakest links in the supply chain to be the lower-tier, smaller companies who may not be able to afford to meet the requirements. As such, the DOD is planning ways to ensure smaller contractors can meet a basic level of cybersecurity via “broader certifications” that will be detailed more in the next three months.

Payton said she was “encouraged to see that the DOD specifically noted that it will help smaller contractors to meet requirements.”

“This will encourage many to embark on this endeavor,” Payton said. “A rising tide lifts all boats so if the DOD would extend free software, tools, and tips and techniques to their supply chain they will naturally lift the security of the DOD ecosystem.”

Cunningham disagreed and said if the CMMC program requirements are clear and “your company wants to win the bid, meet the line items.”

“It will still be on the contractor to make things work. When the government is paying the bill, why should they push more help on those companies that want the work and the revenue?” Cunningham asked. “The government honestly shouldn’t be helping too much.”

Government contractor risks

The history of cybersecurity risks and third-party contractors can be traced back years. The most famous example was whistleblower Edward Snowden, a contractor for Booz Allen Hamilton, who stole and leaked information about NSA phone metadata tracking practices in 2013.

In 2015, a breach of the Office of Personnel Management affected millions and the ensuing investigation found that the threat actors gained access to systems in part by using credentials stolen from government contractors.

The DOD had two issues in 2017 linked to contractors. In August, an AWS S3 bucket containing unclassified data from the DOD was discovered to be publicly accessible due to misconfiguration by Booz Allen Hamilton. In November, another S3 bucket containing DOD data, this one built by contractor VendorX, was discovered to be exposed.

Payton said there’s a simple reason why these past issues didn’t lead to faster action by the government.

“There is a fundamental disconnect between the rate at which technology evolves and the rate at which bureaucracy reacts. What we’re dealing with here is a failure of systems,” Payton said. “It’s never too late to learn from past mistakes, but ultimately, we need real-time solutions not just to today’s obstacles and threats but to tomorrow’s as well.” 

Cunningham said, “This type of requirement should have been in place years ago.”

“The government runs into this as they are lobbied by those big consulting firms that push back on anything they do that could impact their businesses,” Cunningham said. “Obviously having a new set of standards for thousands, or tens of thousands of cleared workers is a problem they didn’t want to deal with.”


The post #nationalcybersecuritymonth | Pentagon CMMC program to vet contractor cybersecurity appeared first on National Cyber Security.


#nationalcybersecuritymonth | Police in states across India are relying on private firms and consultants to solve cybercrime cases

Cyber forensics firms, such as Volon and AVS Labs, are increasingly being asked to crack cases of cybercrime, even as law enforcers build their own teams of cyber intelligence experts. Take this recent instance. A businessman was accused of deceit in a deal, and a court […]

#nationalcybersecuritymonth | Rachel Noble to become director-general of the Australian Signals Directorate

Rachel Noble has been announced as the new director-general of the Australian Signals Directorate (ASD). “Ms Noble’s deep experience in intelligence strongly positions her to lead ASD in executing its important national security mission,” a statement from Prime Minister Scott Morrison said. “She […]

#nationalcybersecuritymonth | Growing The Number Of Students In The National CyberPatriot Program

DETROIT – Michigan’s IT professionals already know about the crucial shortage of properly trained and educated cybersecurity professionals. In fact, you can’t open a newspaper, or a browser, without seeing an article publicizing the critical shortfall of cybersecurity workers. Worse, the gap shows no sign of […]

#nationalcybersecuritymonth | Alex Pickering, BBC Studios’ Content Security Chief Named as New Chair by CDSA Board of Directors

The global entertainment industry’s advocate for content security, content protection and information security, the Content Delivery & Security Association (CDSA), has named BBC Studios’ Content Security Director, Alex Pickering, as its new Chairman. Pickering will direct the strategy for the Association’s mission of providing global community engagement around […]

#nationalcybersecuritymonth | Digital election interference

David Warburton, Principal Threat Evangelist at the cyber threat intelligence product company F5 Labs, discusses how cybercriminals aim to disrupt elections. The UK general election is almost upon us, and it is already turning into one of the most divisive and analysed political events in the […]

#nationalcybersecuritymonth | Fears of Russian interference hit U.K. election as Reddit bans accounts after U.S. trade talks leak


LONDON — Fears of Russian interference reared their head in the U.K. election this weekend after social media platform Reddit said it believed confidential British government documents were posted to the site as “part of a campaign that has been reported as originating from Russia.”

Reddit launched an investigation after opposition Labour Party leader Jeremy Corbyn brandished the leaked documents at a press conference last month.

The 451-page dossier appeared to reveal rounds of trade negotiations with the U.S. for a post-Brexit trade deal included mention of the country’s beloved National Health Service. Labour claimed they proved Prime Minister Boris Johnson would put the NHS “up for sale” to secure a deal with President Donald Trump.

The British government has not denied the authenticity of the documents. NBC News has not verified their authenticity.

Johnson, whose ruling Conservative Party leads in the polls entering the final week, has denied Corbyn’s claims about what they show.

A British government spokesperson told NBC News Sunday that “online platforms should take responsibility for content posted on them, and we welcome the action Reddit have taken.”

“The U.K. government was already looking into the matter, with support from the National Cyber Security Centre,” the spokesperson said.


“We do not comment on leaks, and it would be inappropriate to comment.”

Reddit said late Friday that its investigation into the posts related to the leak revealed “a pattern of coordination” by suspect accounts that were similar to a Russian campaign called “Secondary Infektion” discovered on Facebook earlier this year.

The site also said it had banned 61 accounts suspected of violating policies against vote manipulation related to the original post, which was published in October.

Corbyn has not revealed how his party obtained the documents but defended the decision to use them.

Asked about Reddit’s conclusions at a campaign stop Saturday, Corbyn said the news was an “advanced stage of rather belated conspiracy theories.”

“When we released the documents, at no stage did the prime minister or anybody deny that those documents were real, deny the arguments that we put forward. And if there has been no discussion with the USA about access to our health markets, if all that is wrong, how come after a week they still haven’t said that?” he added.

He also criticized the government for failing to release a Parliamentary intelligence committee report on Russian interference in British politics before the election campaign began.

Thursday’s vote was called in an effort to break the deadlock that has left the future of the country’s relationship with the European Union uncertain.

But the future of Britain’s health care has emerged as a powerful rejoinder to the notion of a purely ‘Brexit election.’

Asked about the source of the leak this weekend, Johnson said: “I do think we need to get to the bottom of that.”

Culture minister Nicky Morgan claimed the leak raises concerns of Russian influence on British democracy and said the government is taking steps and “watching for what might be going on.”

“From what was being put on that (Reddit) website, those who seem to know about these things say that it seems to have all the hallmarks of some form of interference,” Morgan told the BBC. “And if that is the case, that obviously is extremely serious.”

But if Russia was behind the leak, its aim may not have been to help any particular side in the election, Lisa-Maria Neudert, a researcher at Oxford University’s Project on Computational Propaganda, told Reuters.

“We know from the Russian playbook that often it is not for or against anything,” she said.

“It’s about sowing confusion, and destroying the field of political trust.”

Michele Neubert contributed.


#nationalcybersecuritymonth | General election 2019: Source of UK-US trade document leak must be found – PM

Image caption: Jeremy Corbyn holds up the leaked documents at a press conference on 27 November.

Boris Johnson has said an investigation is needed into the source of leaked documents on UK-US trade negotiations posted on Reddit. Labour says the documents show […]

#nationalcybersecuritymonth | UK minister says concerned about election interference after…

* UK-U.S. trade documents were leaked last month
* Reddit believes Russian campaign behind the leak
* UK fears attempt to influence the Dec. 12 election
* British spies investigating the matter

By Michael Holden

LONDON, Dec 7 (Reuters) – The leak of classified UK-U.S. trade […]

#nationalcybersecuritymonth | What’s been done to fight cybercrime in East Africa


East Africa attracts millions of tourists every year. Over the past 10 years, its earnings from tourism have doubled. Compared to the rest of Africa, the region is experiencing healthy economic growth. This makes it a promising investment destination.

Factors like regional tourism, movement of workers and technology development have catalysed East African integration and cross-border banking.

Many cross-border banks originate from Kenya with branches across the region. One example is Kenya’s Equity Bank, which relies heavily on digital technology. The digital space has many positive attributes but the threat of cybercrime and insecurity is prevalent.

Uganda lost 42 million shillings to cybercrime in 2017. In 2018, Rwanda lost 6 billion francs. In Kenya, between April and June 2019 alone, the country experienced 26.6 million cyber threats.

Across the region, with the increase of digital banking, financial institutions have become targets. These institutions are attractive to cyber criminals because they hold the biggest cash reserves. Africa’s digital infrastructure is ill-equipped to manage the continent’s growing cyber-security risk.

Equity is a pioneer in online and mobile banking with technology that merges banking and telephony. However, it recently suffered a cyber-attack. Last month, Rwandan authorities arrested a cybercrime syndicate comprising eight Kenyans, three Rwandans and a Ugandan. The syndicate had attempted to hack into the Equity Bank system. The group has been involved in similar attacks in Kenya and Uganda.

Early in the year, Kenya’s director of criminal investigation issued warrants of arrest against 130 suspected hackers and fraudsters for alleged banking fraud.

These incidents show that financial losses to cyber insecurity are a growing threat to East Africa’s economy.

Cybercrime occurs through the use of computers, computer technology or the internet. It often results in identity theft, theft of money, sale of contraband, cyber stalking or disruption of operations.

Within East Africa, Kenya, Rwanda and Uganda are taking steps to manage the huge cybercrime risk. But the cyber attack on Equity Bank is proof that these countries need to do more to protect their financial institutions from massive losses going forward.

Regional instruments

The African Union’s Convention on Cyber Security and Personal Data Protection is East Africa’s overarching policy guideline on cybercrime. It was adopted by member states in 2014. The Convention is similar to the Council of Europe’s Cyber Crime Convention, which established a common cyber security framework on the European continent.

Rwanda signed the Convention earlier this year, but it’s the only East African country to have done so.

The Convention requires member states to share responsibility by instituting cyber security measures that consider the correlation between data protection and cybercrime. These measures will keep data safe from cyber criminals and preempt its misuse by third parties. It also encourages the establishment of national computer emergency response teams.

The Convention advocates closer cooperation between government and business.

The Convention also creates a provision for dual criminality. This means that cybercrime suspects can be tried either in the country where the crime was committed or in their home country. This provision is meant to ensure smooth cooperation and sidestep any conflict of laws.

There is also a provision on mutual legal assistance. This allows for member states to share intelligence and collaborate on investigations.

Even though Uganda and Kenya aren’t yet signatories, they have nevertheless been establishing legal and policy frameworks provided for under the convention. Rwanda is doing so too, and as a signatory is one step ahead.

Rwandan approach

In 2015, Rwanda came up with a national cyber security policy that established a National Computer Security and Response Centre. The centre detects, prevents and responds to cyber security threats. And in 2016, the Regulatory Board of Rwanda Utilities rolled out network security regulations to protect the privacy of subscribers. They also empower the government to regulate and monitor internet operators and service providers.

The country also has a National Cyber Contingency Plan to handle cyber crises.

Further, Rwanda’s telecom network security regulations require service providers to secure their services by protecting their infrastructure. Every service provider must be licensed and must guarantee the confidentiality and integrity of their services. They must also set up incident management teams. These teams work with the government to manage cyber security threats effectively.

Additionally, Rwanda passed an information and communication technology law in 2016. This contains provisions on computer misuse and cybercrime which criminalise unauthorised access to data.

The country has managed to build the foundations of a strong regulatory framework. It has also taken measures to raise awareness around cyber security. In fact, in the attack on Equity Bank, the authorities acted on a tip from members of the public.

Kenyan measures

In 2014, Kenya launched its National Cyber Security Strategy to raise cyber security awareness and equip Kenya’s workforce to address cyber security needs.

In line with this strategy, Kenya amended its information and communications law to criminalise unauthorised access to computer data.

Kenya has also set up a national computer incident response coordination centre to consolidate key cyber infrastructure and create pathways for regional and international partnership.

Generally, Kenya has a robust cyber security policy which includes a legal and regulatory framework. The result has been that impending cyber attacks are discovered before massive damage is done and ongoing attacks are rapidly arrested.

Uganda’s security

Uganda has legislation to protect cyber security. This includes the Computer Misuse Act which ensures the safety and security of electronic transactions and information systems, and the Regulation of Interception of Communications Act to monitor suspicious communications. It also has a national computer emergency response team.

This regulatory framework is similar to those in Kenya and Rwanda. But in addition, Uganda has a National Information and Technology Authority that provides technical support and cyber security training. It also regulates standards and utilisation of information technology in both the public and private sectors. These measures have boosted the country’s cyber security strategy.

While Uganda has these measures in place, Kenya and Rwanda are two of the top three cyber secure countries in Africa.

Moving ahead

Kenya, Uganda, and Rwanda have taken solid steps to harmonise cybersecurity processes, data protection, and collaborative prosecution and investigation measures.

They have criminalised cybercrime and established frameworks to manage cyber attacks. International cooperation within the region has also enhanced cyber security.
