Friday, May 29, 2009

Much Anticipated Cyber Policy Review Out Today

I haven’t had a chance to read it but here is the Cyber Policy Review doc released today by the White House.

http://www.whitehouse.gov/assets/documents/Cyberspace_Policy_Review_final.pdf

Near Term Action Plan
1. Appoint a cybersecurity policy official responsible for coordinating the Nation’s cybersecurity policies and activities; establish a strong NSC directorate, under the direction of the cybersecurity policy official dual-hatted to the NSC and the NEC, to coordinate interagency development of cybersecurity-related strategy and policy.
2. Prepare for the President’s approval an updated national strategy to secure the information and communications infrastructure. This strategy should include continued evaluation of CNCI activities and, where appropriate, build on its successes.
3. Designate cybersecurity as one of the President’s key management priorities and establish performance metrics.
4. Designate a privacy and civil liberties official to the NSC cybersecurity directorate.
5. Convene appropriate interagency mechanisms to conduct interagency-cleared legal analyses of priority cybersecurity-related issues identified during the policy-development process and formulate coherent unified policy guidance that clarifies roles, responsibilities, and the application of agency authorities for cybersecurity-related activities across the Federal government.
6. Initiate a national public awareness and education campaign to promote cybersecurity.
7. Develop U.S. Government positions for an international cybersecurity policy framework and strengthen our international partnerships to create initiatives that address the full range of activities, policies, and opportunities associated with cybersecurity.
8. Prepare a cybersecurity incident response plan; initiate a dialog to enhance public-private partnerships with an eye toward streamlining, aligning, and providing resources to optimize their contribution and engagement.
9. In collaboration with other EOP entities, develop a framework for research and development strategies that focus on game-changing technologies that have the potential to enhance the security, reliability, resilience, and trustworthiness of digital infrastructure; provide the research community access to event data to facilitate developing tools, testing theories, and identifying workable solutions.
10. Build a cybersecurity-based identity management vision and strategy that addresses privacy and civil liberties interests, leveraging privacy-enhancing technologies for the Nation.

Thursday, May 21, 2009

cyberDefense Competition Preps Students

This looks like a great competition and it's nice to see kids getting this kind of education.

http://current.com/items/90072618_cyberdefense-competition-preps-students-for-real-world-information-assurance.htm

Wednesday, May 13, 2009

Will Windows 7 Overcome Anti-Virus Fear and Loathing?

Will Windows 7 Overcome Anti-Virus Fear and Loathing?:
"But beyond that obvious complaint, over and over, I find that security suites are the buggiest, most troublesome applications on my systems. I’ve spent innumerable hours nursing these “solutions” along, working around them, fixing them, reinstalling them."

I have had very similar feelings to the author with regard to anti-virus software. I haven't yet had a chance to install the Windows 7 RC; however, I've been impressed with Microsoft's effort on securing Vista and Windows 7. Unfortunately, as with UAC, you can't always do everything you want. However, I think one of the biggest leaps in security with these versions of Windows has been the unprivileged user.

I would never advocate running without anti-virus software, though, as it is a necessary part of a defense-in-depth strategy for either home or business use. Maybe someday anti-virus vendors will put as much effort into streamlining and cleaning up their applications as Microsoft has put into making their OS more secure out of the box. Maybe...

Security Updates available for Adobe Reader and Acrobat

Time to get patching...

Adobe - Security Bulletins: APSB09-06 Security Updates available for Adobe Reader and Acrobat

Monday, May 11, 2009

Freedom to surf: workers more productive if allowed to use the internet for leisure

Those of you tasked with filtering internet usage in your company may want to forward this to the decision makers. It is by no means definitive, but it is an interesting take on internet usage at work.

Freedom to surf: workers more productive if allowed to use the internet for leisure : News : The University of Melbourne: "“People who do surf the Internet for fun at work - within a reasonable limit of less than 20% of their total time in the office - are more productive by about 9% than those who don’t,” he says."

Friday, May 8, 2009

How a man off the street infiltrated a FTSE finance firm | 8 May 2009 | ComputerWeekly.com

This is a truly amazing social engineering story.

How a man off the street infiltrated a FTSE finance firm | 8 May 2009 | ComputerWeekly.com:
"He spent a week in the building undetected, during which the following took place:
  • Greenlees spent the first morning watching people entering and leaving the premises to get an idea of security in reception.
  • After lunch on that first day he decided to gain access by tailgating people as they swiped their access cards. He pretended to be on the phone and signalled to people that he wanted the third floor.
  • He entered a glass meeting room, calmly hung up his jacket and started to work on his laptop.
  • Within 20 minutes he had seen a confidential document, which had been left on a desk. It concerned the merger of two household names worth £434m.
  • He accessed different floors, rooms, store rooms and filing cabinets, and found information on desks. He used tricks such as holding two cups of coffee so people would open normally secure doors for him.
  • He gained access to the data room by pretending to carry out a security audit. He was given information about the company's network and was able to plug his laptop in as a result. This gave him access to confidential customer, employee and company data.
  • Greenlees got hold of an internal phone directory and, using an internal phone, he pretended to be an IT support worker. He managed to get usernames and passwords from 17 of the 20 people he asked.
  • He even smuggled another, more technical, consultant in to help him analyse IT systems.
  • Greenlees was soon on first name terms with security staff."

Wednesday, May 6, 2009

Steve Riley on Security : Good bye, and good luck


Wow! While I know that Steve will go on to help many, many organizations, this is a huge loss to Microsoft. Hopefully this will not set back the Trustworthy Computing initiative, but I'm skeptical.

Data Ransom Scheme a Surprising Play for Hackers

"But at a time when botnets are quietly stealing mountains of financial and corporate data and slinking off into the cyber-crime underworld, data being kidnapped and held for ransom is not among the top threats enterprises should be worried about, security pros say. Truth be told, the biggest threats are the ones that attempt to leave no trace for victims to pick up on."


Tuesday, May 5, 2009

Virginia Health Data Potentially Held Hostage -- Data Breaches -- InformationWeek

"It's not immediately clear whether this note is genuine. The Virginia DHP hasn't responded to repeated calls and e-mail messages seeking comment."

Virginia Health Data Potentially Held Hostage -- Data Breaches -- InformationWeek:

The only thing scarier than having your data stolen is not knowing whether the data has in fact been stolen. Hopefully the lack of response from the DHP is because they're too busy trying to figure out what to do, not because they're trying to figure out if the data-napper is telling the truth or not.

Adobe Fixes Announced

Adobe has announced the release of a Flash Media Server vulnerability fix as well as the expected date of the fix for the Reader zero-day.

The Reader fix is expected on May 12. Details below:
Adobe Product Security Incident Response Team (PSIRT): Adobe Reader Issue Update

Here is the Flash Media Server information:
Security advisory APSB09-05