Awareity's Lessons Learned Blog


President Obama’s 10-point Cybersecurity Action Plan – Part 10

Step 10 is:

Build a cybersecurity-based identity management vision and strategy that addresses privacy and civil liberties interests, leveraging privacy-enhancing technologies for the nation.

Step 10 is definitely needed. 

Step 10 mentions privacy, which is generally more about the collection and dissemination of sensitive and personally identifiable information (PII) than about securing or protecting sensitive information. Privacy is generally more about People and Processes, and security is generally more about Technology; however, I think President Obama is smart to mention the need to build an identity management vision and strategy that addresses privacy and civil liberties.

I have to say…I am surprised that President Obama has not named the Cybersecurity Adviser yet. On May 29th, President Obama said he would personally pick a Cybersecurity Adviser and I was hoping by the time I got to Step 10 that President Obama would have made his pick known.

So for now, I will focus on Lessons Learned as my stack of Lessons Learned stories continues to grow taller and taller!

And just in case you missed the press release, be sure to check out Ira Somerson’s new book called “The Art & Science of Security Risk Assessment” as I was a primary contributor to Chapter 8 of the book regarding Human Factors.

President Obama’s 10-point Cybersecurity Action Plan – Part 9

Posted in Information Security by awareity on June 24, 2009

Step 9 of President Obama’s 10-point action plan is:

In collaboration with other Executive Office of the President entities, develop a framework for research and development strategies that focus on game-changing technologies that have the potential to enhance the security, reliability, resilience, and trustworthiness of digital infrastructure; provide the research community access to event data to facilitate developing tools, testing theories, and identifying workable solutions.

I love the sound of Step 9!  It is like a great pre-game speech from a well-respected coach talking about game-changing strategies and teamwork, and relying on and trusting each teammate to do their part in the goal to win the game.

I also have to wonder about Step 9 being a bit too focused on Technology, when Lessons Learned show that anywhere from 50% to 88% of cybersecurity breaches have been due to Processes and People. The most recent Verizon Business 2009 Data Breach study found that nearly 9 out of 10 breaches could have been avoided if security basics had been followed.

So Cybersecurity, like public and private entities, is dependent on three strong legs – Technology, Processes and People.  Step 9 mentions game-changing technologies as well as collaboration, strategies, reliability and trustworthiness, but these terms are used to describe digital infrastructure.

Let’s hope the new Cybersecurity Adviser realizes that Technology tools, Process tools and People tools are all going to be needed to create workable solutions and a framework that will enable and empower government and private entities to enhance security, reliability, resilience and trustworthiness and deliver game-changing results.

Stay tuned for Step 10…and hopefully the announcement of the Cybersecurity Adviser will be coming soon also…

President Obama’s 10-point Cybersecurity Action Plan – Part 8

Step 8 of President Obama’s 10-point action plan is:

Prepare a cybersecurity incident response plan; initiate a dialog to enhance public-private partnerships with an eye toward streamlining, aligning, and providing resources to optimize their contribution and engagement.

Keywords in Step 8 include: Prepare, Initiate, Dialog, Partnership, Streamlining, Aligning, Optimize.

Preparing an incident response plan is a great idea and can play a critical role in the success of a cybersecurity action plan; however, a lot of organizations have incident response plans that are not producing much, if any, feedback.

Why are traditional response plans not working?

Traditional incident response plans lack anonymity on the front end, and they lack innovative tools to manage Dialog, Partnerships, Streamlining, Aligning and Optimizing on the back end.  As incidents become more sophisticated, more sensitive and more regulated by federal and state mandates, organizations will need more innovative tools to manage the entire incident reporting and response process while also building trust and ensuring confidentiality.

Lessons Learned include the DOJ incident where human error exposed the email addresses of approximately 150 employees who had used a House Judiciary Committee whistleblower website to submit tips about “alleged politicization” at DOJ.

I hope the incident response plan that the new Cybersecurity Adviser prepares is more like Awareity’s new incident reporting services and not just another toll free telephone number that is blasted out in a national public awareness campaign or printed on bumper stickers.

Awareity’s next generation incident reporting solutions are coming soon…stay tuned!

Twitter, Your Employees, Hackers and Awareness?

Lessons Learned continue to identify new and changing threats, but are organizational managers helping their organization’s personnel keep up with ongoing awareness or are they falling farther and farther behind?

For example, a recent article highlighted an attack that hit Twitter and may be one of the first times hackers have used the micro-blogging site for profit.

So why do hackers love social networking? Because unaware users (Boards, management, employees, vendors, contractors, consultants, business partners, etc.) will click on interesting links to things like “Best Video” or “Funniest Video” and unknowingly end up on a Russian domain that serves up malware or other exploits that can endanger your data or place “scareware” on their PC.

You mean your organization has not informed you about “scareware” yet?  Scareware can be many things but in this case it was fake security software that, once installed, nags users with so many alerts that some users will fork over $50 or more to get rid of the bogus alerts.

As more and more users sign up for Twitter and because one of the main functions of Twitter is to share links with other people, organizational managers should be taking proactive actions to:

  • Ensure all types of users are aware of risks and threats
  • Help users know how to report potential attacks
  • Help users know how to prevent attacks
  • Help users know how to respond to an attack
  • Help users know how to recover from an attack
  • Help users know how to keep up with more sophisticated and changing threats that social networking can present
  • And other organization specific awareness and guidelines

Lessons Learned are only valuable if they are implemented at the individual level and within your organization and across third parties too…how is your organization keeping up?

Most Dangerous Search Terms & Most Dangerous Management Terms

Posted in Information Security, Lessons Learned by awareity on June 16, 2009

A CNN article recently caught my attention regarding a new study by antivirus software company McAfee that identified the most dangerous Internet search terms that can lead users (your employees, vendors, contractors, business partners, etc.) to web pages with a higher likelihood of cyber attacks.

The study examined more than 2,500 popular keywords on five major search engines – Google, Yahoo, Live, AOL and Ask – and analyzed 413,000 web pages.  The categories with the highest risk of leading to malware-infested web sites included: screen savers, free games, work from home, Olympics, videos, celebrities, music and news.  The riskiest terms included: word unscramble, lyrics, myspace, free music downloads, phelps, game cheats, free ringtones and solitaire.

David DeWalt, president and CEO of McAfee, made these comments regarding cyber attacks and malware (“badware”): “It went from hacker in a basement, to organized cybercrime to now, literally, terrorism and other forms of organized geopolitical attacks”.

The study also showed that cyber criminals are increasing in sophistication and constantly changing.  So the most dangerous Management terms are:  “Once-A-Year Training”.

Lessons Learned?  Organizational leaders/management need better tools to implement and manage:

  • Ongoing Situational Awareness of Internet Threats
  • Ongoing Understanding of Organizational Risk Management
  • Ongoing Updates of Acceptable Usage and Unacceptable Usage
  • Accountability at the Individual Level – It only takes one individual’s lack of awareness
  • Auditability at the Individual Level – To meet Compliance, Legal, Regulatory obligations

How is your organization keeping up with the sophistication and constantly changing threats from bad guys?

President Obama’s 10-point Cybersecurity Action Plan – Part 7

Posted in Information Security by awareity on June 16, 2009

Step 7 is:

Develop U.S. Government positions for an international cybersecurity policy framework and strengthen our international partnerships to create initiatives that address the full range of activities, policies, and opportunities associated with cybersecurity.

Wow…this is a very complex step when you consider the Cyberspace Policy Review described cybersecurity policy as:

cybersecurity policy as used in this document includes strategy, policy, and standards regarding the security of and operations in cyberspace, and encompasses the full range of threat reduction, vulnerability reduction, deterrence, international engagement, incident response, resiliency, and recovery policies and activities, including computer network operations, information assurance, law enforcement, diplomacy, military, and intelligence missions as they relate to the security and stability of the global information and communications infrastructure. The scope does not include other information and communications policy unrelated to national security or securing the infrastructure.

Step 7 is also very complex because of:

  • International partnerships and
  • Creating initiatives that address the full range of activities, policies and opportunities associated with cybersecurity.

The easy part of Step 7 is “developing U.S. Government positions”, because Lessons Learned have proven over and over that developing a position is fairly simple to do and all it takes is a PC and a megaphone or Press Release.

However, implementing and managing the “cybersecurity policy framework” across international partnerships (different languages across all appropriate individuals) and “creating initiatives that address the full range of activities, policies and opportunities associated with cybersecurity” will require extensive situational awareness, accountability, measurability and audit-ready documentation to ensure the initiatives are working. 

If you can’t measure it…you can’t manage it.

Stay tuned for Step 8…

President Obama’s 10-point Cybersecurity Action Plan – Part 6

Posted in Information Security, Lessons Learned by awareity on June 15, 2009

Step 6 of President Obama’s Cybersecurity plan is a great idea and it states:

Step 6 – Initiate a national public awareness and education campaign to promote cybersecurity.

Lessons Learned from national public awareness and education campaigns show that they can work very well with “simple and straightforward” issues such as drunk driving, seat-belts or forest fires.  For example, most of us have heard of “over the limit, under arrest” or “click-it or ticket” or “only you can prevent forest fires”.  But cybersecurity is not “simple and straightforward”.

Lessons Learned, experts and reports unanimously agree that cybersecurity related attacks are becoming more and more sophisticated and the threats are constantly changing, which makes it difficult for traditional awareness and education campaigns to keep up. Drunk driving, seat belts and forest fires are static, simple and straightforward.

National public awareness and education campaigns utilize “many types of megaphones” including TV, radio, web sites and newspapers.  However, Lessons Learned also show that “megaphones” are not effective education tools and “megaphone management” is not effective in managing people’s behaviors or managing sensitive and confidential information. 

Because good guys are already one or more steps behind the bad guys, blasting out a national campaign regarding cybersecurity will only put people and organizations more at risk and further behind with information that is two, three and four steps behind the bad guys.  To make matters worse, bad guys will see the national public awareness campaign and be able to adjust their attacks much faster than the campaign can keep up and even faster than the masses can keep up.

For President Obama’s Step 6 to be effective, innovative and visionary approaches will be necessary to ensure better results in dealing with more sophisticated, more complex and constantly changing cybersecurity threats.  

Initiating a national public awareness and education campaign sounds good and could be a great first step to bring attention to cybersecurity, however implementing and managing customized knowledge at the individual level will require innovative tools and proven solutions like Awareity delivers. 

Lessons Learned are not always bad experiences…Awareity’s successful Lessons Learned with cybersecurity awareness and education as well as compliance, legal due diligence and regulatory requirements provide an excellent model for better knowledge, better decisions and better results.

SPAM and Junk Mail Jumps to 90%

As May ended, the percentage of SPAM and junk mail jumped to 90.4 percent of e-mail.  Are your people aware and prepared to avoid and prevent risks and threats associated with SPAM?

To make matters worse, the spamming techniques are successful because the e-mails are being sent from valid accounts hosted by the social-networking sites and not being spoofed.  And because the e-mails are coming from valid accounts, technology devices checking the validity of e-mail headers are ineffective as a countermeasure. 

In many cases, the junk mail contains only a subject line and a hyperlink, and many times the links lead to social-networking site profiles.  Social-networking sites have become a hotbed for spreading viruses and other malware.

Another twist the bad guys are using is image spam, where the e-mail message is an image, which is more difficult for spam filters to detect.  Another new trend is using Russian language character sets to hide English content.

Are your people and your third parties prepared to detect and avoid these risks?

Are your people and your third parties prepared to report these attacks and threats?

Lessons learned clearly show that bad guys are using more sophisticated attacks and getting better at avoiding technology.  Lessons learned also show these more sophisticated attacks make it critical for ongoing updates to ensure your people are aware of your organization’s detection, prevention, response and recovery efforts and requirements to prevent expensive and embarrassing incidents.
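As an added, defensive illustration of two of the spam tricks described in this post (the Russian-alphabet letters used to hide English content, and subject lines pushing the risky search terms listed in the McAfee post above), here is example code that is not Awareity's and not from any product it mentions. It assumes a filter that sees only the subject line (since the sender accounts are valid, header checks alone would pass the message) and runs over constructed sample subjects.

```python
import unicodedata

# Constructed sample subject lines (not real spam captures). Cyrillic letters
# are written as \u escapes so the substitutions are visible in the source.
SAMPLE_SUBJECTS = [
    "Best Video ever!",                       # plain Latin, nothing to flag
    "Fr\u0435\u0435 ringt\u043enes",          # Cyrillic е and о stand in for Latin e, o
    "\u0420\u0430\u0431\u043e\u0442\u0430",   # all-Cyrillic word, not mixed-script
    "Game cheats inside",                     # Latin, but matches a risky term
]

# A few of the risky search terms from the McAfee study quoted in the post above.
RISKY_TERMS = ("free ringtones", "game cheats", "free music downloads", "lyrics")

# Cyrillic letters whose glyphs look like Latin letters (hand-picked subset).
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j",
    "\u0410": "A", "\u0412": "B", "\u0415": "E", "\u041a": "K", "\u041c": "M",
    "\u041d": "H", "\u041e": "O", "\u0420": "P", "\u0421": "C", "\u0422": "T",
    "\u0425": "X",
}

def scripts_in(text):
    """Set of scripts ('LATIN', 'CYRILLIC', ...) of the letters in text,
    taken from the first word of each character's Unicode name."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in text if ch.isalpha()}

def is_mixed_script(text):
    """True when letters from more than one script appear in a single line."""
    return len(scripts_in(text)) > 1

def deconfuse(text):
    """Rewrite look-alike Cyrillic letters as the Latin letters they imitate,
    recovering the English reading a keyword filter should actually match on."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in text)

def risky_term_in(text):
    """First risky term found in the deconfused, lowercased text, or None."""
    folded = deconfuse(text).lower()
    return next((term for term in RISKY_TERMS if term in folded), None)

def triage_subjects(subjects):
    """Return (subject, reasons) for every subject that trips at least one check."""
    flagged = []
    for subject in subjects:
        reasons = []
        if is_mixed_script(subject):
            reasons.append("mixed-script")
        term = risky_term_in(subject)
        if term:
            reasons.append("risky-term:" + term)
        if reasons:
            flagged.append((subject, reasons))
    return flagged

if __name__ == "__main__":
    for subject, reasons in triage_subjects(SAMPLE_SUBJECTS):
        print(repr(subject), "->", ", ".join(reasons))
```

Note that the all-Cyrillic subject is not flagged: a message genuinely written in Russian mixes no scripts, so the check targets substitution inside English text rather than the language itself.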

President Obama’s 10-point Cybersecurity Action Plan – Part 5

Posted in Information Security by awareity on June 12, 2009

Ok, now we are starting to get into the action points that have a lot more complexity and will absolutely require an “intelligent playbook” and innovative tools to implement appropriate mechanisms, priorities, processes, policies, roles, responsibilities, activities and more across the federal government. 

Based on Lessons Learned, Inspector General Reports and a recent May 2009 GAO Report that stated 23 out of 24 major federal agencies had weaknesses in their agencywide information security programs…it is obvious that action point 5 is going to be extremely difficult to implement and manage. 

Action Point 5 – Convene appropriate interagency mechanisms to conduct interagency-cleared legal analyses of priority cybersecurity-related issues identified during the policy-development process and formulate coherent unified policy guidance that clarifies roles, responsibilities, and the application of agency authorities for Cybersecurity-related activities across the federal government.

So why is Action Point 5 going to be so difficult to implement and manage? 

First, too many Cybersecurity efforts focus too much on Technology products.  It will be critical for the Cybersecurity Adviser to realize that a successful Cybersecurity program must include an equal and ongoing focus on Technology, People and Processes. 

Take a closer look at Action Point 5 and you will see it is mostly about People and Processes – mechanisms, analyses, issues, processes, guidance, roles, responsibilities, authorities and activities.

Second, most organizations do not have the right “tools”.  Organizations need better tools to replace manually intensive methodologies and megaphone management efforts that are well documented as not working. Visionary tools, like MOAT from Awareity, are needed to implement and manage:

  • People and Process Controls
  • Lessons Learned
  • Accountability and Auditability at the Individual Level
  • Situational Awareness as Cybersecurity Threats Change…continuously

I hope the new Cybersecurity Adviser calls me!

Stay tuned for action point 6…

President Obama’s 10-point Cybersecurity Action Plan – Part 4

Posted in Information Security by awareity on June 11, 2009

As I mentioned in previous blogs, the new Cybersecurity Adviser will essentially be the “Head Coach” and he/she will need to create an “intelligent playbook” to lead the offense and the defense and to ensure all appropriate individuals are aware of their roles and responsibilities.

Action Step 4 in President Obama’s Cybersecurity plan is:

Designate a privacy and civil liberties official to the NSC Cybersecurity directorate.

On paper, designating an official or officials to focus on privacy and civil liberties makes good sense, however lessons learned have clearly shown that government officials continue to look at privacy and civil liberties as too much of a Technology issue, which leads to gaps and weaknesses with People and Processes.

Technology, People and Processes are the three key pillars that will need to be managed efficiently and effectively if any Cybersecurity action plan is going to be successful and deliver immediate and ongoing results. 

Hundreds of Lessons Learned clearly reveal the following:

  • Having the best Technology rarely ensures the best results
  • Organizations that manage their People and Processes better achieve better results

If you understand privacy and civil liberties, it becomes obvious that both of these issues are more about People and Processes than Technology…so I hope the Head Coach or the Privacy and Civil Liberties official understands the keys to managing People and Processes…

Stay tuned for Action Step 5…
