USArmy, NSA, GMU: Secure Android Crypto in the Works
GCN reports that an Android cryptographic kernel is being considered for secure government use. Google, the National Security Agency (NSA) and George Mason University assembled a team to build the submission, now under consideration by NIST for FIPS 140-2 certification.
According to the Android Police blog, the desire is for law enforcement agencies as diverse as DOJ, FBI and the Army, to replace traditional insecure radio equipment with Android-secure devices.
A review of the National Institute for Standards and Technology (NIST) list of certified cryptographic modules does not yet show this submission, an indication that the certification is not yet complete.
The very fact that the usually-silent NSA is a party to this effort is a sign of its importance and, to a greater extent, the maturity of the submission. According to these reports, the submission is focused on the Android 3.0 platform, which is not yet in very wide release.
To this point, the fragmented nature of the Android hardware market made a single cryptographic solution for all Android hardware devices earning anything beyond a FIPS 140-2 Level 1 certificate very unlikely.
Several industry experts posited that to run on multiple hardware devices, an Android cryptographic module would require a secured virtual machine running on the Android device that could be certified, and then permit secure applications to run within that sandbox.
While theoretically plausible, it remains to be seen whether such an architecture would be effective. Contemporary mobile devices have sacrificed raw computing power for battery longevity. Until a newer class of low-power, high-performance chips emerges, an application running inside a secured virtual machine running inside the Android operating system seems unlikely to be useful for the Army in battlefield conditions.
But perhaps very soon, it will be.
The Cloud Security Part 2: Market Perceptions, Vendors and More
An April study this year, conducted by the independent research firm Ponemon Institute and sponsored by CA Technologies, surveyed 103 cloud service providers in the U.S. and 24 in Europe, representing a mix of cloud service and deployment models. 70% said they allocate 10% or less of IT resources to security and control-related activity.
Who is most responsible for ensuring the security of cloud resources?
FISMA Compliance – What’s the big deal anyway?
The article below is a guest post by our US partner, Information Systems Laboratories (ISL). ISL offers a wide range of services to help companies implement or improve a corporate cyber/information security program, including independent IT security evaluations, threat and vulnerability analysis and incident response plans.
ISL has entered a partnership with IS Decisions, as they recognize UserLock and FileAudit as efficient software solutions for implementing FISMA/NIST compliance for 3 key NIST 800-53 control families:
- Access Control (AC)
- Identification and Authentication (IA)
- System and Information Integrity (SI)
UserLock limits concurrent logins, restricts access, monitors, alerts and reports on session activity throughout the corporate Windows network.
FileAudit monitors, archives and reports on access (or access attempts) to sensitive files and folders stored on Windows systems.
Hope you enjoy the article and I look forward to your comments,
President & CEO
In the United States, FISMA compliance is a matter of national security. To elevate its importance, all federal agencies are given an annual – and very publicly available – grade based on the effectiveness of their IT security programs. As a further incentive, if you fail a compliance assessment, then in addition to the publication of your failing grade, your CIO may be greeted with a congressional hearing. If that is not enough, after the hearing the Office of Management and Budget (OMB) may simply cancel or delay funding of your government programs, none of which would be considered welcome news or career-enabling.
Whether you work for a corporation or a government agency, the importance of ensuring your data is safe goes without saying. In fact, the larger your corporation, the more importance the government places on your data, moving you closer to the same requirements government agencies have.
What is FISMA?
The Federal Information Security Management Act (FISMA) was devised to assist agencies and departments of the federal government in securing their data. Chief Information Officers (CIOs), Inspectors General (IGs) and officials of government programs are required to conduct annual reviews of their information security program and report their findings to the Office of Management and Budget (OMB). The OMB then reports to Congress on each agency’s compliance. The annual report must also include an independent cyber security evaluation.
What is NIST?
As an agency of the U.S. Department of Commerce, the National Institute of Standards and Technology (NIST) has developed a set of controls and guidelines supporting FISMA which federal agencies and the organizations supporting them must follow.
NIST 800-53 Control Families
The 18 control families and their 205 respective controls covered by NIST 800-53 encompass everything from physical security to information systems security to spam prevention, and have been designed to work for any organization, as long as the controls are selectively chosen and implemented. A note for the cyber security novice: though secure, implementing all the controls to their fullest extent would not only be prohibitively expensive but would severely cripple the organization’s ability to function efficiently, which is in direct conflict with the purpose of these controls. The intent is to take a calculated, risk-based approach to security by implementing just the right amount of controls. Doing so not only saves money, but also helps to improve your organization’s operational efficiencies. Maximizing these benefits is where the assistance of trained cyber security professionals is critical. The best cyber security evaluation companies are those who take the necessary time to learn your environment and processes to ensure the optimum controls are selected and adhered to.
NIST 800-53 Control Family Summaries
Below are some of the points contained within each of the control families. For a complete view into each control, we recommend ISL’s Cyber Security Search Engine.
Access Control (AC)
Control: 22 | Class: Technical
The 22 controls making up this family provide security guidance with a focus on access control policies and procedures, remote access, access control lists (ACLs), etc., helping to ensure that access to physical and computer-based information systems is restricted to authorized individuals only.
Access Control: a system which enables an authority to control access to areas and resources in a given physical facility or computer-based information system.
Awareness and Training (AT)
Control: 5 | Class: Operational
The intention of these 5 controls is to ensure a Security Awareness and Training policy is established along with its respective procedures, and that sufficient security awareness training programs are employed.
Awareness: activities which seek to focus an individual’s attention on an (information security) issue or set of issues.
Training: strives to produce relevant and needed (information) security skills and competencies. The most significant difference between training and awareness is that training seeks to teach skills, which allow a person to perform a specific function, while awareness seeks to focus an individual’s attention on an issue or set of issues.
Audit and Accountability (AU)
Control: 14 | Class: Technical
The purpose of this set of 14 controls is to have the organization identify, audit, track and report on particular events that could be a security risk.
Audit: independent review and examination of records and activities to assess the adequacy of system controls and to ensure compliance with established policies and operational procedures.
Accountability: the security goal that generates the requirement for actions of an entity to be traced uniquely to that entity.
Security Assessment and Authorization (CA)
Control: 7 | Class: Management
This set of 7 controls ensures the organization has a Security Assessment Plan which specifies the included controls and enhancements, their procedures, and the selection of an independent assessment team to conduct an impartial assessment. In the event the assessment is conducted by an internal team (because the company is small, for instance), the results of the assessment are to be reviewed and analyzed by an independent team of experts, such as ISL’s Cyber Security Evaluation team (Information Systems Laboratories).
Configuration Management (CM)
Control: 9 | Class: Operational
The intent of these 9 controls is to ensure the organization has a Configuration Management policy and formalized procedures in place to establish baseline configurations, change control, security impact analyses, component inventory, etc., to help ensure changes to systems are tracked, since even minor changes can have severe security implications.
Configuration management is the unique identification, controlled storage, change control, and status reporting of selected intermediate work products, product components, and products during the life of a system.
Contingency Planning (CP)
Control: 10 | Class: Operational
Contingency planning for information systems is part of an overall organizational program for achieving continuity of operations for mission/business operations. Contingency planning addresses both information system restoration and implementation of alternative mission/business processes when systems are compromised.
Identification and Authentication (IA)
Control: 8 | Class: Technical
Identification: an act or process that presents an identifier to a system so that the system can recognize a system entity (e.g., user, process, or device) and distinguish that entity from all others.
Authentication: a process that establishes the origin of information or determines an entity’s identity.
Incident Response (IR)
Control: 8 | Class: Operational
The 8 controls contained within this family guide the organization in the creation of an incident response policy and procedures to support the proper response to an incident that may jeopardize the organization’s information system.
Maintenance (MA)
Control: 6 | Class: Operational
The intent of these 6 controls is to have the organization develop a System Maintenance Policy and supporting procedures to ensure the organization schedules, documents and reviews all maintenance and repairs of systems; uses approved maintenance tools; employs strong identification and authentication for remote maintenance; etc. In other words, these are the operations required to keep hardware, software, data, etc. in good working order.
Media Protection (MP)
Control: 6 | Class: Operational
The 6 controls within the Media Protection family are intended to ensure the organization creates a Media Protection policy and supporting procedures so that proper steps are taken to protect data and prevent unintentional access and loss.
Physical and Environmental Protection (PE)
Control: 19 | Class: Operational
The 19 controls within this family help to enforce measures to protect information systems from unauthorized physical access.
Planning (PL)
Control: 6 | Class: Management
This family of 6 controls encourages the development of a System Security Plan and online rules of behavior for employees, along with a security planning policy and procedures.
Personnel Security (PS)
Control: 8 | Class: Operational
The intent of the Personnel Security control family is to provide guidance in the hiring, security management and termination of employees.
Risk Assessment (RA)
Control: 5 | Class: Management
The Risk Assessment control family directs the organization in the creation of a Risk Assessment Policy and resulting procedures in order to assess the likelihood and magnitude of harm in the event of unauthorized access to information systems. In addition to understanding the potential risks, software and hardware solutions are implemented to help mitigate risk by identifying and addressing vulnerabilities.
System and Services Acquisition (SA)
Control: 14 | Class: Management
The System and Services Acquisition control family exists to ensure the budgetary means to support the ongoing security needs of the organization are established; systems are properly documented; software licensing is documented and enforced; peer-to-peer file sharing is not used to share unauthorized data or copyrighted material; etc.
System and Communications Protection (SC)
Control: 34 | Class: Technical
The System and Communications Protection control family consists of 34 controls. However, this is a little misleading, as 11 of the controls have been withdrawn, leaving 23 active controls. The breadth of this control family covers topics such as the physical and/or logical separation of system management interfaces from user functionality; the separation of security functions from non-security functions of the system; the prevention of unauthorized transfer of information via a commonly shared resource such as system memory; the protection of systems from Denial of Service (DoS) attacks; and even the prioritization of system resources, to ensure low-priority services don’t negatively impact those of a higher priority.
System and Information Integrity (SI)
Control: 13 | Class: Operational
Some of the purposes behind the 12 controls within the System and Information Integrity control family are to identify, report and correct flaws in code, including proper error handling; protection from malicious code such as viruses, Trojans, and spyware; monitoring of systems; the reception of and reaction to internal and external security alerts; detection of unauthorized changes to data and software; protection from spam; and predicting and preventing the failure of systems.
Program Management (PM)
Control: 11 | Class: Management
The 13 controls within the Program Management family direct the organization to develop an Information Security Program Plan, a process to ensure Plans of Action and Milestones (POA&M) are properly worked, etc. Appointing a Senior Information Security Officer (SISO) or, if your organization is a federal agency, a Senior Agency Information Security Officer (SAISO) is among the other directives to ensure the information security program is established and in working order.
Though this overview vastly simplifies the complexities and nuances of cyber security, we hope you have found this helpful. Should you have questions or would like to explore how your organization measures up to these and other controls, let us recommend our partner, Information Systems Laboratories (ISL).
Contact them if you are interested in receiving an Independent Cyber Security Evaluation.
optumGRC - GRC Software Product Release (Governance, Risk & Compliance Software)
optumGRC (Governance, Risk & Compliance Software) - New GRC Software Platform Product Release
Asparian, LLC and SolutionLab, LLC have announced the official product launch of a new Governance, Risk and Compliance (GRC) software management toolset, optumGRC (www.optumGRC.com).
GRC Press Release: http://www.prweb.com/releases/grc_software/grc_services/prweb8999807.htm
optumGRC simplifies the management of multi-regulatory cross-policy updates and of internal and external standards, policies and procedures, with real-time dashboards to monitor all GRC activities.
During development, Asparian, LLC designed the platform with pre-loaded NIST 800.53 templates that assist business entities in quickly standardizing multi-GRC processes (i.e. PCI-DSS, HIPAA, GLBA, ISO27002 & SOX).
For a demonstration of optumGRC - GRC Software or to discuss optumGRC’s GRC Services, please contact us @ (949)349-4790 or visit http://www.optumgrc.com/demo_request.html.
IEEE and DMTF Define Cloud and SaaS Standards
Continuing from my last post about NIST, I found that the IEEE targets cloud interoperability standards and, for that matter, the organization has established 2 work groups:
P2301 - Guide for Cloud Portability and Interoperability Profiles (CPIP): ”This guide advises cloud computing ecosystem participants (cloud vendors, service providers, and users) of standards-based choices in areas such as application interfaces, portability interfaces, management interfaces, interoperability interfaces, file formats, and operation conventions. This guide groups these choices into multiple logical profiles, which are organized to address different cloud personalities.”
P2302 - Standard for Intercloud Interoperability and Federation (SIIF): ”This standard defines topology, functions, and governance for cloud-to-cloud interoperability and federation. Topological elements include clouds, roots, exchanges (which mediate governance between clouds), and gateways (which mediate data exchange between clouds). Functional elements include name spaces, presence, messaging, resource ontologies (including standardized units of measurement), and trust infrastructure. Governance elements include registration, geo-independence, trust anchor, and potentially compliance and audit. The standard does not address intra-cloud (within cloud) operation, as this is cloud implementation-specific, nor does it address proprietary hybrid-cloud implementations.”
Another organization, the DMTF, aims to define standards for the IT industry, including cloud computing as part of it. Recently they announced a new Software License Management Incubator - “The Software License Management Incubator will develop whitepapers focused on the challenges identified to enable the industry to manage licensed software product(s) and product usage, and to move closer to interoperable solutions. The Incubator will identify real world use cases and scenarios, and capture existing or proposed solutions that identify licensed software products and product usage based on a common set of definitions.” They partnered with organizations such as ISO and with companies such as IBM and CA. Click here to read more about this interesting initiative.
What about the EU, with its strict approach regarding technology? Click here to learn more about EU initiatives on cloud computing standardization.