In the fight between implementing security and continuous monitoring of compliance we normally (and with some justification) lean toward the former. But when an organization's ability to effectively exercise its enterprise security comes into question, we often jump and immediately add more monitoring measures. Either way, it is extremely difficult to look an Inspector General in the eye and tell them you have an effective Cyber Security program after admitting that in “March 2011 theft of an unencrypted NASA notebook computer resulted in the loss of the algorithms used to command and control the International Space Station.” To give you an idea of how far behind NASA is with encryption of notebook computers: this was required of, and addressed by, the majority of agencies in 2006. A 6-year lag is unacceptable.
I’m not sure about you, but if you are entering a future and environment where Cyber War is a possibility, it is probably not the best plan to allow the largest continuously space-borne craft to have its C2 algorithms lost. Sounds like NASA needs a helping hand from a few of my Information Dominance Corps members, specifically from Information Warfare and Information Professionals that are also Space Cadre members. You want a catastrophic type of event? Lose control of the Space Station and its orbit parameters.
The IG for NASA went on to list the main issues which need to be addressed:
- Lack of full awareness of Agency-wide IT security posture;
- Shortcomings in implementing a continuous monitoring approach to IT security;
- Slow pace of encryption for NASA laptop computers and other mobile devices;
- Ability to combat sophisticated cyber attacks; and
- Transition to cloud computing.
Another major organizational issue which points directly at the leadership of NASA is that the “Chief Information Officer Lacks Visibility of and Oversight Authority for Key NASA IT Assets.” This leads to a direct reminder that Lord Kelvin (yeah the temperature guy) once said “If you cannot measure it, you cannot improve it.” And if you don’t own it there is no way you’ll be able to get the measurements you need.
[via House of Representatives]
Windows 8 Consumer Preview was just made available for download and install.
There are some major changes from what has been available in Windows for the past decade or so. You can see immediately that this Operating System (OS) is much more widget-based and heavily incorporates the touch screen environment for tablets and handsets.
I’ve made it a habit to grab a PC that I have available to install every OS that Windows has produced since the days of Windows 3.0. The minimum hardware requirements are relatively low, so if you can’t run this Preview then you should probably upgrade from that Commodore 64 you are sporting (the old one; not the cool new one I linked to).
Hidden inside the Windows 8 Consumer Preview is the Internet Explorer 10 Consumer Preview. I know, who uses IE anymore? Well, we can hope, right? Either way, the browser wars competition is beneficial for consumers.
The key feature I’m extremely interested in from the Cyber Defense piece is the new option to refresh your PC: Windows 8 has incorporated the ability to make it simple to go back to a fresh installation of Windows without losing your personal files or settings. We’ve somewhat done this by porting our files over to cloud-based capabilities like Dropbox, SkyDrive, etc., but this will make it a bit easier to get back to that “known good” baseline that my Cyber Defense brethren dream of at night.
Either way this will be another enjoyable exploratory install and learning experience.
So Interpol’s website is down, possibly in retaliation for Interpol just picking up 25 suspected Anonymous members. The other reason could be that Interpol simply has low capacity in relation to the amount of attention this story is getting, and the story itself is causing the Distributed Denial of Service. That is all part of the fun in Cyberspace: figuring out the true cause and attribution.
The arrests followed an ongoing investigation begun in mid-February which also led to the seizure of 250 items of IT equipment and mobile phones in searches of 40 premises in 15 cities, Interpol said.
Anonymous recently got attention by secretly recording a conference call between U.S. and British cyber investigators tasked with bringing the group to justice. But the information within the call was fairly germane. Part of the overall difficulty, beyond compromising a system, is actually sifting through the minutiae to find the gems within. If you can’t get the gemstones, there is ultimately no end effect.
Anonymous executed this plan well with the Stratfor hack. Only a few days ago they delivered their exfiltrated gemstones to WikiLeaks for publication.
Rarely do you get to watch a CEO like George Friedman detail a hacking incident and its implications, publicly acknowledging major failures in the information war component of a Cyber Battle against malicious hackers like Anonymous.
Stratfor’s immediate actions included:
- Ensured the prompt notification of credit card issuers about the compromised credit cards.
- Offered all current and former paid subscribers identity protection services from CSID, a leading identity protection company.
- Commissioned SecTheory, a respected Internet security firm, to work with us to rebuild our website, email system and internal infrastructure.
- Hired Verizon Business Network Services to conduct a forensic investigation in cooperation with the FBI’s ongoing investigation.
- Moving our entire e-commerce process to a highly secure, PCI compliant third-party system, which eliminates the need for us to store any credit card information.
- Enhancing the way we encrypt and store passwords, and implementing new password requirements.
Stay tuned. I’m sure there is more to follow…