Cybersecurity News


US gas stations exposed to cyberattacks: Researchers
Security Week
01/23/15

A security researcher says malicious actors could theoretically shut down over 5,300 gas stations in the U.S. because the automatic tank gauges (ATGs) used to monitor fuel tanks are easily accessible via the Internet. ATGs are electronic devices that monitor fuel level, temperature, and other parameters in a tank. The devices alert operators in case there is a problem with the tank, such as a fuel leak. The researcher said there are approximately 5,300 ATGs nationwide (mostly located in New York, Texas, Florida, Virginia, Illinois, Maryland, California, Pennsylvania, Connecticut and Tennessee) that are accessible via the Internet and without a password to protect them against unauthorized access.


Thousands of U.S. gas stations exposed to Internet attacks
CIO
01/23/15

The chief research officer at security firm Rapid7 says that over 5,000 devices used by gas stations in the U.S. to monitor their fuel tank levels can be manipulated from the Internet by malicious attackers. These devices, known as automated tank gauges (ATGs), are also used to trigger alarms in case of problems with the tanks, such as fuel spills.


Due to hack, Sony requests financial filing extension
SC Magazine
01/23/15

Sony's IT infrastructure has yet to recover from a cyberattack that disrupted network operations, and now reportedly forced it to delay its Q3 financial reporting. Sony reportedly said that its systems, including financial and accounting applications, won't be restored until early February because of the “amount of destruction and disruption that occurred, and the care necessary to avoid further damage by prematurely restarting functions.”


Davos elites warned about catastrophic cyberattacks
Security Week
01/24/15

Attacks on power plants, telecommunications and financial systems, even turning all of Los Angeles' traffic lights green: Davos elites were warned of the terrifying possibilities of modern cyber terrorism. In the wake of the cyberhack on Sony late last year, cybersecurity has been a hot button topic at the four-day World Economic Forum in the swanky Swiss ski resort. The conclusion, in one attendee's words: "Basically nothing is safe."


Demand for cyber liability coverage grows in wake of high-profile breaches
Treasury & Risk
01/15/15

More companies are starting to purchase cyber liability insurance in the wake of a string of high-profile data breaches. But it’s a relatively new type of insurance, and policies can vary from carrier to carrier, so it behooves companies to ask plenty of questions and make sure they understand what they’re buying -- what the policy covers and where there may be gaps. A cyber liability expert discusses the market growth, emphasizing the need for insurance companies to offer larger single policies. Currently, in order to get $100 million worth of coverage, a company may need to secure policies with 10 to 15 different insurance carriers.


Report: NSA efforts influenced U.S. stance on Sony attack
SC Magazine
01/20/15

A report in The New York Times offers more insight on why the U.S. government has taken its resolute stance in attributing the Sony Pictures attack to North Korea. The article detailed the National Security Agency's efforts to penetrate North Korea's cyber fortresses, which eventually succeeded in 2010. Citing former U.S. and foreign officials, a recently disclosed NSA document and security professionals privy to the operations, the Times said that NSA “drilled into the Chinese networks that connect North Korea to the outside world, picked through connections in Malaysia favored by North Korean hackers, and penetrated directly into the North with the help of South Korea and other American allies.”


Idaho’s emergency operating plan updated with cyberattack procedures
Government Technology
01/22/15

Idaho's director of homeland security said cyberthreats remain the "most important and least understood risk" to government and the private sector. He said the Idaho Bureau of Homeland Security is in the process of updating Idaho's emergency operating plan, providing policies and procedures for state agencies to follow in the event of a major cyberattack. The bureau, together with the Pacific Northwest Economic Region, has also sponsored training workshops. The intent is to help companies better understand the vulnerabilities and learn how to respond.


New cybersecurity center in Pennsylvania aims to help fend off attacks
Government Executive
01/22/15

In Pennsylvania, the Harrisburg University Government Technology Institute’s Security Center for Excellence co-director believes he’s seeing a wellspring of enthusiasm and interest from local leaders that gives him hope about getting governments around the country better prepared for the inevitable cyber attacks to come. Center leaders say they plan to focus on two major levels: working with state and local governments to improve their approaches to cyber security threats and in testing new methods and technologies to combat these threats. A number of private sector firms are providing financial support and offering their company resources and research to push forward the center’s goals.


Cyber threats increase, new international net cops needed – Kaspersky to RT
RT
01/24/15

With cyber-attacks on the financial sector and state-sponsored attacks on the internet on the rise, a new international organization to police cyberspace is needed, Eugene Kaspersky, Chairman and CEO of Kaspersky Lab, said in an interview. Kaspersky also discussed some of the challenges facing his company.


GAO: Agencies face cyber risk in building access systems
GCN
01/23/15

The Government Accountability Office says the Department of Homeland Security must do much more to improve the cybersecurity of access and control systems in the thousands of buildings it operates. The GAO says DHS is not "assessing or addressing cyber risk to building and access control systems particularly at the nearly 9,000 federal facilities protected by the Federal Protective Service (FPS),” and that DHS lacks a strategy that “defines the problem, identifies roles and responsibilities … and identifies a methodology for assessing this cyber risk.” The DHS division responsible for physical security standards has not incorporated policies related to cyber threats in building and access control systems, citing other priorities.


Up next at the 'Data Department'
FCW
01/23/15

In this interview, Lynn Overmann, who has been at the Commerce Department for two months and is the department's first deputy chief data officer, discusses her goal -- "to turbocharge our open data initiatives." Among other things, she discusses the challenges she faces at Commerce and the possibility of a department innovation lab.


FedRAMP to release draft standards for high-impact systems
Fed Tech
01/22/15

Draft standards, due out the week of Jan. 26, will provide a baseline for securing the federal government’s high-impact systems in the cloud. The move is a huge step forward for agencies — which until now had been focused on securing low- and moderate-impact cloud computing systems — in terms of how disrupted systems may affect organizational operations and assets. Growing demand from agencies seeking to reap the benefits of cloud computing has shifted the focus to high-impact systems, which are those necessary to support agencies’ continuity of operations. Also included in that category are all cyber critical infrastructure and key resources identified in agencies’ Homeland Security Policy Directive 7 plans.


Lawmakers welcome cybersecurity talks with Obama
Fed Tech
01/21/15

Federal cybersecurity received a much-needed boost last Congress with the passage of five bills, but those measures fell short of setting clear parameters for information sharing between the government and companies, as well as across the private sector. The hope is that additional legislation will enable real-time sharing, “with a speed and a sufficient depth that we can effectively generate almost what I think of as the weather map for cyberspace so that we actually know and have some visibility into what is happening,” according to an administration official. House and Senate Republicans are open to working with the president on cyber legislation, but they criticize his timing.


Charleston students to play a key role in cybersecurity workforce initiative
The Post and Courier (Charleston, SC)
01/22/14

Cybersecurity programs offered at Charleston County (SC) schools are poised to receive an infusion of resources through a new federally funded cybersecurity consortium meant to create a workforce pipeline for the growing field of cybersecurity. The consortium is part of a five-year $25 million grant from the U.S. Department of Energy to grow cybersecurity programs at 13 historically black colleges and universities from five states, including seven institutions in South Carolina. An official with Lawrence Livermore Laboratory, which is among the consortium members, said the idea behind targeting minority students is part of a larger goal to grow and diversify the talent pool for the cybersecurity workforce.


Report suggests most DoD networks susceptible to mid-grade cyber threats
Federal News Radio
01/26/15

A new Pentagon report on the Defense Department's major systems includes some worrying assessments of DoD's overall cybersecurity posture: a troubling proportion of its IT systems appear to be vulnerable to low- or intermediate-level hackers, leaving aside the advanced persistent threats everyone's worried about. The annual report from the Office of Operational Test and Evaluation is best known for its summarized assessments of the performance of dozens of individual weapons programs. But a separate eight-page section dedicated to cybersecurity draws some stark conclusions about DoD's overall defensive positioning.


Nearly every U.S. arms program found vulnerable to cyber attacks
Reuters
01/20/15

Nearly every U.S. weapons program tested in fiscal 2014 showed "significant vulnerabilities" to cyber attacks, including misconfigured, unpatched and outdated software, the Pentagon's chief weapons tester said in his annual report. He wrote, "The continued development of advanced cyber intrusion techniques makes it likely that determined cyber adversaries can acquire a foothold in most (DoD) networks, and could be in a position to degrade important DOD missions when and if they chose to."


DISA's 'one belly button' approach to IT services
Federal News Radio
01/23/15

The Defense Information Services Agency is undergoing a radical transformation in how it serves its customers to achieve better collaboration and coordination internally and across the military services and agencies. The reorganization, announced Jan. 11, has been in the works for the better part of a year. Lt. Gen. Ronnie Hawkins, DISA's director, said the new structure will focus on five core tenets: Cybersecurity; Cloud; Collaboration; Command; and Control.


Army communications in Pacific stretched, tested
Breaking Defense
01/23/15

As the US Army deploys more troops to the Pacific, it’s running into the limits of its long-range communications systems. The shortfall in comms capacity is not only becoming an issue as the service ramps up its “Pacific Pathways” exercises with Asian partners: It is also raising concerns about the network’s resiliency against a cyber attack.


Communications networks a top priority for U.S. military in Asia-Pacific
National Defense
01/23/15

Thousands of U.S. soldiers train alongside troops from Southeast Asian countries as part of a larger strategy to strengthen alliances in the region and secure U.S. access to key seaports, airfields and bases during a crisis. But despite a huge investment by the United States — in troops, military trainers, logistics support and weaponry — throughout the Pacific theater, there are persistent shortfalls in communications technology and data networks that keep countries from sharing information and collaborating more closely.


Army takes next step to merge C2, intelligence traffic onto WIN-T
www.army.mil
01/20/15

The Army's science and technology and acquisition communities have teamed with the Army G-3/5/7, G2 and Cyber Command to provide senior leaders a closer look into converging operational and intelligence traffic onto the Warfighter Information Network-Tactical, or WIN-T, transport. Network Transport Convergence describes the merging of command and control, intelligence, logistics and medical systems onto a common network architecture.


NSA report: How to defend against destructive malware
Dark Reading
01/22/15

Prevent, detect, and contain: Those are the key overarching strategies for combating data-destroying malware attacks, according to a new report issued this month by the National Security Agency. The NSA's Information Assurance Directorate (IAD) outlined key best practices for defending against such attacks -- à la Sony or Saudi Aramco -- that require organizations to be proactive rather than reactive to a cyberattack.


Growing open source use heightens enterprise security risks
Dark Reading
01/23/15

The data breaches disclosed earlier in January at Park ‘N Fly and OneStopParking.com, two major airport parking services, highlight the continuing risk that enterprises face from using open-source software in their environments without a plan for managing it. Security experts say companies often have little clue about the extent of third-party code in the enterprise or the risks it poses.


New framework helps companies quantify risk
CSO
01/23/15

The World Economic Forum has released a new framework that helps companies calculate the risk of cyberattacks. The risk calculation has three components -- an assessment of a company's vulnerabilities and defenses, the potential cost of data breaches, and a profile of the attacker. Security experts praised the framework's holistic approach towards cyberrisk.


Security for startups
Tech Crunch
01/22/15

In the past two years, cyberspace has clearly changed in ways that threaten every online business, big or small. Startups now use the cloud infrastructure that mature companies do, and quickly aggregate large, juicy caches of private user data and payment credentials. As malware infestations scale to scour the “long tail” of targets, they don’t discriminate between the Fortune 50 and the TechCrunch 50. In fact, some increasingly common attacks — like DDoS extortion — specifically target smaller, more vulnerable businesses, whose loose cowboy cultures, shallow security expertise, fragile infrastructure and fresh capital make for easy pickings.


Why cybersecurity will suffer the same fate in 2015 as it did in 2014
CIO
01/20/15

2015 is nearly three weeks young and we are likely to see more of the same exposures as we did in 2014. Not much has changed in organizations. They are fundamentally following the same tactics and techniques to ‘defend’ against adversaries as they have for the past several years. Here are 12 areas that continue to cause problems for the CISO and information security as a whole.


DMARC: The time is right for email authentication
Help Net Security
01/23/15

2015 will be the turning point for Domain-based Message Authentication, Reporting & Conformance (DMARC) implementation by the guys on the other side of the desk -- the world’s largest brands and email senders. The IETF working group is currently putting together the draft specification, DMARC policy deployment is increasing, and early adopter feedback is promising. Many large enterprises will be able to realize huge benefits from converting their domain’s email from a source of mistrust, spoofing, phishing and fraud to a bastion of trust by deploying a DMARC policy – at no cost to the enterprise.


PCI compliance not synonymous with security, panel says
SC Magazine
01/20/15

None of the companies in a soon-to-be released Verizon report that experienced a data breach “were fully PCI [Payment Card Industry Data Security Standard] compliant at the time of breach,” according to an official at Verizon Enterprise Solutions. In a preview of Verizon's "2015 PCI Compliance Report," he said that only “28.6 percent of companies were PCI compliant after one year,” indicating that many organizations “are seeing compliance as a standalone exercise.” PCI 3.0 was released in November 2013 and all organizations were required to start using it Jan. 1 of this year.


HID Global shares top secure identity trends for 2015
AME Info
01/22/15

HID Global has issued its outlook on technology trends for 2015, as well as other anticipated developments across key vertical industries in the secure identity marketplace. The annual assessment is intended to help organizations understand and take advantage of the latest advances to improve security, convenience and the user experience.


Avatier CEO forecasts top 2015 identity management trends
Market Wired (news release)
01/22/15

The CEO of identity management company Avatier Corp. has released predictions that indicate 2015 will focus on the age of identity management authentication. Emphasizing the significant increase in breaches in 2014 and the changing landscape of security, he notes, "In 2015, every industry becomes a target, every identity a vulnerability and every app a potential host." He stresses that as the Enterprise of Things (EoT) unfolds, enterprise information security will continue to shift from passwords and access to authentication and automation.


Demand for cyber insurance skyrockets
The Hill
01/15/15

Demand for cybersecurity insurance is booming as a string of high-profile hacks and data breaches spurs explosive growth in what has suddenly become a $2 billion industry. “Off the charts,” Bob Parisi, the national cyber risk product leader at insurance firm Marsh, said of the spike in business. After two or three years of 35 percent to 50 percent growth, “we saw that pace looking like it was doubling, in some areas tripling” in 2014, Parisi said.


Moynihan: BofA's cyber security given unlimited budget 'to keep us safe'
Charlotte (NC) Business Journal
01/21/15

Signaling the abundant and high-risk nature of hack-attacks, Bank of America Corp. CEO Brian Moynihan says the Charlotte-based lender has no spending limits in place for its cyber security teams. Moynihan says the cyber security teams for the nation's second-largest bank will spend more than $400 million this year. He says it's the first time in 20 years of corporate budgeting he has overseen a business unit with no budget.


IT buying experiments preview 'Acquisition of the Future'
FCW
01/22/15

Acquisition of the Future is an initiative that seeks to frame a vision in which acquisition creates significant new value for the government through fresh approaches, modern technologies and a new generation’s capabilities. Participants include a growing number of federal executives, industry leaders, notable academics and rising acquisition professionals who have been meeting since 2013 to create a framework for what federal acquisition can become, to meet the demands of the Collaboration Age -- and beyond.


Governments struggle to respond to hackers
Defense News
01/16/15

Former CIA and NSA chief Michael Hayden recently said that the U.S. has not yet worked out how to fight in this new realm of cyber attacks and counter attacks. "We have not yet worked out a taxonomy" for action in the cyber domain like the U.S. has for land, sea and air warfare, he said. "How do you categorize an event in the cyber domain that tells you what is or is not a proportional response?"


FedRAMP to release draft standards for high-impact systems
FedTech
01/22/15

Draft standards about to be released will provide a baseline for securing the federal government’s high-impact systems in the cloud and are a huge step forward for agencies — which until now had been focused on securing low- and moderate-impact cloud computing systems — in terms of how disrupted systems may affect organizational operations and assets. The Federal Risk Authorization Management Program (FedRAMP) office will release the draft standards for public comment Jan. 27 and hopes to finalize them by the end of 2015.


Goodrich: 'FedRAMP high' baseline coming soon
FCW
01/22/15

Federal Risk and Authorization Management Program Director Matthew Goodrich said Jan. 22 that a draft baseline for cloud computing systems that require FISMA high-impact level security is nearly ready for public comment. Currently, FedRAMP authorizes systems only at the low- and moderate-impact levels set by FISMA. But adding high-impact cloud systems is part of the FedRAMP roadmap, and Goodrich said his office is also open to establishing other baselines if there is sufficient agency demand.


Science and Technology Directorate wants to talk
FCW
01/14/15

The Department of Homeland Security's Science and Technology Directorate has begun casting a wider net in its hunt for innovative security technologies. S&T launched a new public engagement strategy Jan. 12 that it calls the National Conversation on Homeland Security Technology, to inject new, outside innovators into its tech development processes. The program comprises a series of online and in-person discussions aimed at fostering discussions among the public, first responders, industry representatives, academia and government officials that will shape the agency's technology.


Vice President Biden announces $25 million in funding for cybersecurity education at HBCUs
The White House - Office of the Vice President (news release)
01/15/15

Vice President Biden and other Administration officials traveled to Norfolk State University in Norfolk, Va. Jan. 15 to announce the Department of Energy will provide a $25 million grant over five years to support cybersecurity education to meet the demand for skilled cyber professionals through creation of a new cybersecurity consortium consisting of 13 Historically Black Colleges and Universities (HBCUs), two national labs, and a K-12 school district. Here are some of the details of the initiative.


Experts say to expect action after State of the Union cyber shout out
Next Gov
01/21/15

After a week of cybersecurity-related congressional proposals, speeches and global talks, President Barack Obama's one-paragraph mention of cyber in the State of the Union address may have seemed a bit anticlimactic, but some Capitol Hill denizens expect Obama's 14-page legislative offer to speak for itself and gain momentum. Within the next month, several congressional committees are expected to introduce legislation that speaks to Obama's proposal, in some shape or form.


Does President Obama's bid to bolster cyber security go far enough?
Fortune
01/21/15

President Obama is urging Congress to pass cyber security reforms, including legislation to increase information sharing among private companies and the government, introduce new penalties for cyber criminals and streamline data breach notification laws. While many agree the proposals would be a positive step, some industry leaders argued that the government’s efforts are too little, too late and mostly focus on what happens after a breach has already taken place, rather than how to prevent them.


State of the Union address disappoints security experts
CSO
01/21/15

In his State of the Union address Tuesday night, President Barack Obama promised to protect a free and open Internet and urged Congress to pass cybersecurity legislation, but the lack of concrete movement forward was a disappointment for many security experts. The proposed cybersecurity legislation touched on several important issues, but there was doubt as to whether it could be passed, and, if passed, if it would do any good.


President's plan to crack down on hacking could hurt good hackers
Dark Reading
01/21/15

President Obama dedicated more time to cybersecurity than any other president has in a State of the Union address. While on its face a positive sign that political leaders are taking notice of cybersecurity as a real item of pressing national concern, many in the security community believe the president's proposed legislation at best would be ineffective at curtailing black hat hacking and at worst could actually criminalize the type of research and penetration testing that vendors and enterprises depend on to harden software and hardware implementations.


Is Barack Obama a cybersecurity leader?
Gov Info Security - The Public Eye (blog)
01/22/15

When President Obama unveiled his latest cybersecurity legislative initiative and began to promote it in a series of speeches, culminating in his State of the Union address, I began to look at his latest proposals and his actions over the past six years. With this in mind, I pondered and asked others whether he was a true leader in the cyber dominion. The responses varied, and determining whether Obama is a true cybersecurity leader could be shaded by one's own agenda.


What government can (and can’t) do about cybersecurity
Dark Reading (commentary)
01/22/15

President Obama has recently put forward a number of interesting, if not terribly novel, proposals, which are reviewed in this article. These proposals are not very likely to have a substantial effect on the software market. They are all reactive, attempting to target the bad guys rather than focusing on enhancing our own defenses. We are capable of producing radically more secure software than we do today, but we’re going to have to raise the bar for developers everywhere.


DHA readies $10 billion IT contract
FCW
01/22/15

The top procurement manager at the Defense Health Agency said DHA is in the final stages of developing a solicitation for an indefinite-delivery, indefinite-quantity IT services contract worth as much as $10 billion over five years. The agency will hold its last industry day for the Health Information Technology Services IDIQ contract on Feb. 17, and the final solicitation is expected in the third quarter of 2015.


DoD intel chief Vickers gives cyber premier priority status
Federal News Radio
01/22/15

Cybersecurity for the intelligence community has become what terrorism was in the early 2000s — an all-encompassing priority. So much so that Michael Vickers, the undersecretary of Defense for intelligence, is making cybersecurity transformation the hallmark of his tenure. Vickers' recent comments voicing concern about the cybersecurity of space systems are also a fairly new focus for the intelligence community.


Dempsey: Cyber vulnerabilities threaten national security
DoD News
01/21/15

Cyber vulnerabilities in the private sector pose a serious threat to national security, the chairman of the Joint Chiefs of Staff said recently. While military cyber defenses are formidable, civilian infrastructure and businesses often are targeted first and "present a significant vulnerability to our nation," Army Gen. Martin E. Dempsey said. He also urged passage of cyber legislation to protect the nation and to allow information sharing between the government and the private sector while safeguarding civil liberties.


Bold Alligator training elevates cyber as a domain
C4ISR & Networks
01/16/15

A training exercise held late last year incorporated new cyber concepts into the combat scenario, seeding radio traffic meant to simulate the radio noise of a populated area with a stream of nefarious messages. The purpose of the Bold Alligator 14 exercise was to train the Marines taking part to identify and interpret the chatter that could help them know when the enemy planned to attack. About 11,000 Marines, U.S. sailors and members of other nations' navies took part in the exercise, held in November off the coasts of Virginia and North Carolina.


DoD: CENTCOM hack to have no effect on social media policy
C4ISR & Networks
01/21/15

In the wake of the high-profile Jan. 12 hacking incident that resulted in the takeover of U.S. Central Command's official Twitter and YouTube accounts, Defense Department officials called for passwords to be changed at more than 50 Office of the Secretary of Defense-level social media accounts, but said they have no plans to reevaluate policy on the use of social media. Currently, official DoD social media accounts are subject to guidance from September 2012 that outlines military members' use of social media.


Feds roll out secure card tech
The Hill
01/22/15

The GSA will soon begin issuing new charge cards equipped with a microchip and requiring users to enter a PIN instead of a signature. Cards with those technologies are considered to be more secure than credit and debit cards with magnetic strips, which are much more common in the U.S. The new chip-enabled cards will be used by more than 350 agencies, organizations and tribal governments for purchases, travel and other purposes, and more than 1 million new cards are expected to be issued this year. Retailers have long pushed for financial services companies to switch to the new chip technology in combination with a PIN, and these calls have only mounted amid recent high-profile data breaches.


Survey says young people ready to replace passwords with biometrics
BiometricUpdate.com
01/21/15

A new survey reveals that 76% of 16- to 24-year-olds surveyed in the U.K. are ready to replace passwords with biometric authentication methods such as facial recognition, fingerprint and retina scanning. Survey respondents said that they would prefer using fingerprint scanning over all the other biometric payment methods available to consumers, with 70% predicting that this will be the primary form of identification by 2020. The report also found that 39% of respondents are interested in using retina scans and 27% opted for facial recognition.


N.S.A. tapped into North Korean networks before Sony attack, officials say
The New York Times
01/18/15

The trail that led U.S. officials to blame North Korea for the destructive cyberattack on Sony Pictures Entertainment in November winds back to 2010, when the NSA scrambled to break into North Korean computer systems. Spurred by growing concern about North Korea’s maturing capabilities, the NSA reportedly drilled into the Chinese networks that connect North Korea to the outside world, picked through connections in Malaysia favored by North Korean hackers and penetrated directly into the North with the help of South Korea and other U.S. allies. A classified security agency program expanded into an ambitious effort, officials said, to place malware that could track the internal workings of many of the computers and networks used by the North’s hackers.


Reports: Leaked documents show China hacked F-35 plans
ITV News
01/19/15

Leaked documents reportedly show that Chinese spies hacked large amounts of data relating to the design of the F-35 Joint Strike Fighter jet. Media reports suggest the alleged cyber theft is revealed in documents leaked to the German magazine Der Spiegel by former US security analyst Edward Snowden about the stealth aircraft developed by Lockheed Martin.


Cyber warfare: Capitol staffers aren’t ready
Politico
01/19/15

Capitol Hill’s networks are under constant cyber attack. But the thousands of men and women who keep Congress running every day are committing the basic cybersecurity mistakes that attackers can exploit to do harm. Interviews with nearly a dozen current and former staffers, as well as congressional IT security staff, reveal a typical array of poor cyber habits.


China suspected of cyberattack on Microsoft
The Hill
01/19/15

The Chinese government could be behind a cyberattack on Microsoft’s email system in China, according to GreatFire, a nonprofit that monitors censorship in China. GreatFire believes the email site Outlook.com was subjected to a so-called man-in-the-middle attack, in which hackers insert themselves into systems to eavesdrop while relaying messages between users. The attack lasted most of the day January 17, GreatFire said.


US, UK to stage joint cyber 'war games' to ramp up cyberdefenses
The Associated Press
01/15/15

The United States and the U.K. will stage cyber "war games" together, starting this year, to boost both countries' resistance to cyberattacks, Britain's government announced Jan. 15.  The two Western powers have also agreed to launch a joint "cyber cell" to share information on cyberthreats, as both countries seek to ramp up their cyberdefenses in the wake of alarming attacks. The FBI and the National Security Agency will be involved, along with Britain's GCHQ and MI5 intelligence and security agencies.


Britain announces new support for cyber security firms
Global Times (U.K.)
01/17/15

The British government has announced a series of new measures to help its businesses face the "cyber security challenge" and support its cyber security firms to tap into the US market. A group of 12 British cyber security firms were to travel to Washington to meet a host of US businesses, in a bid to win more British business for the growing sector. As part of the new measures, Britain appointed a new cyber security envoy to help British small businesses and first-time exporters promote their business interests across the U.S.


19,000 French websites suffer cyber attack in ‘unprecedented surge’
IT Governance
01/16/15

Around 19,000 French websites have been attacked in the last few days by “more or less structured” groups, according to France’s cyber defense chief. The attacks were primarily minor denial-of-service attacks and hit a wide range of websites. Some of the attacks are believed to be from well-known Islamist hacker groups and are thought to be in response to Anonymous’ vow to avenge the Paris shootings. The hackers’ messages have appeared on multiple French sites, so it is likely that the attackers broke in by exploiting a commonly available platform or other widely shared security flaw.


North Korea's official news website serves malware
Computer World
01/13/15

Users who visited the site of the state-run North Korean news agency, to see the country's response to the Sony hacking accusations or for other reasons, might want to scan their computers for malware. A security researcher found that the site hosts a malicious file. One security expert said a quick look at the executable files suggests that the malware might steal passwords from browsers, and that it might also do other things, but more time is required to perform a thorough analysis.


New year, new threats: Electronic health record cyberattacks
Government Technology
01/19/15

The recent flood of cyberattacks shows that hackers are relentless and more sophisticated than ever before. And there is another cyber-risk that is looming and warrants the attention of our emergency management community and government: electronic health records. The American Recovery and Reinvestment Act of 2009 authorized the federal government to incentivize EHRs, but as health-care providers have been installing EHRs, the number of cyber threats and attacks has grown.


Obama's proposed data breach notification law bodes well for businesses
Security Info Watch
01/15/15

President Obama wants Congress to pass legislation that would create a new federal standard for data breach notification. Under the proposal, companies would be required to inform customers within 30 days if their personal information had been compromised as the result of a breach. Rather than having to navigate various state laws, it would create a single standard for organizations to follow. Some believe that this newly proposed legislation would actually be of greater benefit to businesses than consumers.


Malware getting more advanced, easier to use in 2015
Federal Times
01/19/15

Reports of breaches at private companies and federal agencies piled up throughout 2014. While security officials scramble to shore up defenses and shorten response time, experts say the malware threat is only going to get more sophisticated and easier to deploy in 2015. Much of the discussion in 2014 centered on leaks from insiders, whether malicious or accidental. However, of the 10 breaches and vulnerabilities reported by federal agencies in 2014, eight were a direct result of hackers attempting to put malware on government systems.


Industry backing Obama's cybersecurity agenda
Federal Times
01/19/15

Cybersecurity will be a focal point of President Obama's State of the Union address, including a proposal to standardize how private companies share and report information on cyber crime. The administration is also planning to create private-sector Information Sharing and Analysis Organizations (ISAOs) to manage threat reporting and disseminate important information and offer limited liability protection to companies that participate. Some 70 percent of private sector cybersecurity professionals agree or strongly agree with the president's proposal, according to a survey by the Information Systems Audit and Control Association (ISACA).


State of the Union: Ready for bipartisan cyber action
Government Technology
01/19/15

This should be the year that significant bipartisan progress is made on cybersecurity legislation, with new laws set to pass on issues ranging from data breach notification to sharing sensitive cyber intelligence between the public and private sectors. In fact, since President Obama and Republican congressional leaders can't agree on much else, cybersecurity action is moving to center stage.  When President Obama delivers his seventh State of the Union address, cybersecurity plans will be one of many topics but cyber action is at the top of a short bipartisan “to do” list after years of disagreements and dashed expectations.


Vice President Biden visits Norfolk, Va., talks cybersecurity
Government Technology
01/16/15

Vice President Biden visited Norfolk State University Jan. 15 to highlight a program that will give historically black colleges and universities millions of dollars to train students for jobs in cybersecurity. NSU will be the lead campus in a new consortium that will include 12 other historically black colleges, two national research labs and a school division in South Carolina. The Department of Energy will supply the national cybersecurity consortium with $25 million in grants over the next five years.


Proposed U.S. cyber-security legislation worries researchers
eWeek
01/18/15

Changes proposed by the Obama Administration to a variety of laws used to prosecute cyber-crime have raised concerns among security professionals and vulnerability researchers, who worry that activities meant to improve security could lead to criminal charges. The proposed changes could make accessing public documents illegal if the owner would not have approved, create stricter punishments for anyone convicted of a cyber-crime, and allow the government to seize assets linked to cyber-crimes, security researchers said, which could have a chilling effect on researchers' activities.


Toward better privacy, data breach laws
Krebs on Security
01/13/15

President Obama has outlined a proposal that would require companies to inform their customers of a data breach within 30 days of discovering their information has been hacked. But depending on what is put in and left out of any implementing legislation, the effort could well lead to more voluminous but less useful disclosure. Here are a few thoughts about how a federal breach law could produce fewer yet more meaningful notices that may actually help prevent future breaches.


Sony hack is a corporate cyberwar game changer
CIO
01/16/15

The 2014 cyberattack on Sony Pictures, which the FBI has attributed to North Korean hackers, represented a major escalation in digital hostilities that could reignite the long-simmering policy debate over how to better protect systems in the public and private sectors, a panel of former top intelligence officials said Jan. 15. As the purported work of hackers representing a nation-state, the incident was the rare breach of a private-sector network where the intruders destroyed troves of corporate data. The question now is how the administration and Congress will respond.


Lawmakers, former officials debate next move in cyberspace
FCW
01/15/15

The conversation in Washington has moved from North Korea's alleged complicity in the hack of Sony Pictures Entertainment to whether the Obama administration has responded effectively to the hack, and whether it needs more tools from Congress to do so.  President Obama's vow of a "proportional" response to Pyongyang’s alleged cyber siege on Sony Pictures raises the possibility of the U.S. carrying out its own cyberattack, a scenario the administration has planned for via U.S. Cyber Command.


What do DISA’s new cloud security requirements mean for classified information?
Next Gov
01/16/15

The Defense Information Systems Agency has released updated cloud security requirements, consolidating six previous “impact levels” of information sensitivity into four in an effort to simplify the process for cloud providers and the Defense Department alike. That follows recent moves by DISA to speed up the pace at which DoD customers can explore opportunities in the cloud. In addition to creating security requirements, DISA will still play an active role in the development of cloud access points – the physical connections where information will be exchanged between DOD networks and the cloud.


DISA releases cloud security requirements guide
FCW
01/14/15

The Defense Information Systems Agency has released a security requirements guide laying out the criteria for commercial and non-Defense Department cloud providers to operate within DoD. The SRG stipulates the policies, requirements, and architectures for DoD mission owners’ use of commercial cloud. In an interconnected commercial world in which more than one party might be involved in a cloud offering, the SRG makes clear that the security responsibility ultimately lies with the primary cloud provider.


DISA reorg to emphasize collaboration, cyber, cloud
C4ISR & Networks
01/13/15

As part of ongoing efforts to reorganize DISA, officials are emphasizing efficiencies and effectiveness through DoD-wide partnerships to streamline defense IT operations. The reorganization includes four centers -- business and development, implementation and sustainment, resource management and operations -- to centralize requirements and analyses within organizations, as well as communications efforts, engineering, solutions, development, testing and evaluation. DISA's reorganization also hinges on launching the Joint Force Headquarters – DoD Information Networks and close collaboration between at least 39 Defense organizations.


A new era in DoD cyber defense begins
Federal News Radio
01/13/15

The Defense Information Systems Agency is launching a new cyber defense organization, the Joint Task Force-DoD Information Networks, as part of a broader DISA reorganization effort. For DISA, the reorganization is centered on making the agency more responsive to its customers' needs by becoming more agile and adaptable. But it's the JTF-DoDIN that likely will have the more immediate impact. The new cyber organization will take over the operational, or defensive, work from the U.S. Cyber Command.


New rules could speed up DoD cloud migration
Federal Times
01/19/15

Until now, the Defense Department has trailed considerably behind civilian agencies when it comes to taking advantage of new commercial cloud capabilities, namely because of stringent procurement and security rules. But that's about to change. Pentagon leaders last month announced new procurement rules that empower DoD agencies to buy cloud services more quickly and easily. And this month, tight security rules that effectively closed off the option of using public cloud services in most cases were loosened. Experts say the changes will set in motion a flurry of projects across the Defense Department to migrate networks, data and applications to the cloud.


U.S. Cyber Command, NSA commander discusses state of cyber efforts
www.army.mil
01/15/15

Navy Adm. Michael S. Rogers, commander of the U.S. Cyber Command and NSA director, told a West Point audience Jan. 9 how the Army is helping to contribute to the demanding cyberspace that the nation operates in. Rogers said that by the end of fiscal year 2016, USCYBERCOM will have created a dedicated cyber mission force made up of approximately 6,200 people, formed into 133 teams with three missions: defending the DoD information network; providing support to Combatant Commanders; and, when directed by the president or the defense secretary, applying DoD capability to defend critical U.S. infrastructure against cyber attacks.


Do as I say, not as I do: Most law firms lack adequate cyber protection
Property Casualty 360
01/16/15

For law firms, protecting the confidential data of clients and the firm is imperative, as any unintended leak of information related to intellectual property or a prominent legal case can be disastrous. A security breach could potentially harm business transactions, halt a pending merger or acquisition, or damage relationships. Furthermore, firms could face the financial burdens associated with the expenses following a breach. Yet many law firms fall short in their preparedness for a significant event, a new survey reveals.


The cost of malware containment
Help Net Security
01/19/15

Enterprises spend $1.3 million a year dealing with false positive cyber security alerts, which equals nearly 21,000 hours in wasted time.  The Ponemon Institute surveyed over 600 US IT and IT security practitioners to help understand the true cost of dealing with today’s volume of malware threats. Organizations receive an average of nearly 17,000 malware alerts per week, but only 19% are deemed reliable or worthy of action. This can distract security teams from dealing with threats that actually can lead to compromise. Respondents also believe their prevention tools miss 40% of malware infections in a typical week, and the longer malware goes undetected, the greater the risk of a breach.


Top enterprise GRC and security predictions for 2015
Search Compliance
01/13/15

The threat landscape has changed, and hackers' motivations are now more complicated than ever -- putting companies at even greater risk. So the question was posed to SearchCompliance GRCChat participants: Where does this leave today's organizations as they struggle to improve enterprise governance, risk and compliance (GRC) and security processes to better protect both corporate and personal information?


2015 will see a shift from identity management to identity access security
First Post
01/19/15

CA Technologies has announced five key trends for security and identity and access management (IAM) that will impact organizations and security professionals in 2015 as they compete in the application economy. Here's what the firm sees for the coming year.