STE WILLIAMS

Cisco, Microsoft and 32 big vendor pals join ‘Accord’ to improve security by doing … security stuff

ANALYSIS Thirty-four technology companies inked a “Cybersecurity Tech Accord” on Tuesday which they said represents “a public commitment … to protect and empower civilians online and to improve the security, stability and resilience of cyberspace”.

The 34 vendors include Cisco, SAP, both HPs, Microsoft, Oracle, Juniper, Dell, BT, VMware, Arm, GitHub and plenty of other key enterprise IT suppliers. But there is no sign of Apple, Lenovo, major SaaS players, AWS, Google or IBM.

The Register has read the group’s foundational document and can report that it does not detail how, or when, it will act. Nor does it offer any detail or metric that participants will use to measure progress or success. It offers no hint that the 34 have considered risks, appropriate responses, or what resources are available, the foundations of a security plan.

And while the Accord has said it “will continue to define collaborative activities we will undertake to further this Accord”, there is no timeframe for that or its plans to “report publicly on our progress in achieving these goals”.

Let’s dive in nonetheless.

The group’s first principle is to “protect all of our users and customers everywhere” with efforts to “design, develop, and deliver products and services that prioritize security, privacy, integrity and reliability, and in turn reduce the likelihood, frequency, exploitability, and severity of vulnerabilities”.

Nice words. But when were any of the 34 companies not trying to deliver secure, reliable products? And how seriously can we take a pledge to do good works on privacy when the signatories include LinkedIn and Facebook, two businesses that exist to exploit personal data and have demonstrably failed to safeguard user privacy, with a data breach and years of unlimited profile scraping under their respective belts?

Jedi wisdom

There’s also some shifting language here. The principle says signatories “will protect” us all but by the time we get to the bullet points explaining the intent it changes to “will strive”.

Pardon us for bastardising Master Yoda to analyse this one: “Do or do not. There is no strive.”

The group’s second principle is to “oppose cyberattacks on innocent citizens and enterprises from anywhere” accompanied by a declaration that “We will not help governments launch cyberattacks against innocent citizens and enterprises from anywhere”.

The Register can imagine that a producer somewhere is already imagining a CEO singalong of “Cyberwar: what is it good for?” to hammer home the Accord’s opposition to it.

The signatories say they will stop governments doing naughty cybers with efforts to “protect against tampering with and exploitation of technology products and services during their development, design, distribution and use”.

But there is no explanation of what the signatories will do to protect against tampering or a definition of “use”. The language also leaves open the prospect of support for cyberattacks on targets deemed not to be innocent, without mention of how signatories would judge guilt.

And what on Earth is “exploitation”? As Cisco’s ongoing troubles with Smart Install show, one developer’s remote deployment tool is another developer’s attack vector.

Good luck with that anti-tampering plan, too, given that the NSA is known to intercept kit in transit so it can tamper with it, and that governments are known to hoard zero-days.

Hooray for empowerment!

The Accord’s third principle is to “help empower users, customers and developers to strengthen cybersecurity protection”.

To do so, signatories will “provide our users, customers and the wider developer ecosystem with information and tools that enable them to understand current and future threats and protect themselves against them”. The 34 will also “support civil society, governments and international organizations in their efforts to advance security in cyberspace and to build cybersecurity capacity in developed and emerging economies alike”.

These are noble intentions that are hard to oppose. But the group has failed to explain what its members will do – or to explain whether those efforts would be net new activity or existing programmes they might re-badge as Accord actions.

The Register has scanned the “we joined!” blog posts of Accord signatories and can’t find mention of new actions, new commitments, new spending or new anything really. Plenty of the posts describe today’s announcement as the first step on a road to … somewhere.


The Accord’s fourth principle is to “partner with each other and with likeminded groups to enhance cybersecurity”.

Collaboration across a complex ecosystem as a means to improvement? We’re glad someone finally thought of that!

To chase the fourth principle the group “will establish formal and informal partnerships with industry, civil society, and security researchers, across proprietary and open source technologies to improve technical collaboration, coordinated vulnerability disclosure, and threat sharing, as well as to minimize the levels of malicious code being introduced into cyberspace”.

Nothing in the paragraph above sounds new, but it could hint at interesting efforts like the Microsoft-supported Global Commission on the Stability of Cyberspace’s efforts to make a diplomatic end-run around the US, Russia and China. Absent any specifics on the type of collaborations and partnerships, this appears to be the tech industry saying it will carry on as usual.

There’s also a pledge to “encourage global information sharing and civilian efforts to identify, prevent, detect, respond to, and recover from cyberattacks and ensure flexible responses to security of the wider global technology ecosystem”.

Oh thanks for that, vendor-land. It’s just grand that you will encourage this stuff. I’m sure the likes of Maersk feel so much better now (after having spent $331m cleaning up NotPetya).

Omissions from the Accord also deserve mention. Microsoft fought long and hard to oppose US government access to emails stored in Ireland. But the company has seemingly rolled over now that the Cloud Act legislated away its resistance. Surely an organisation dedicated to security and privacy would also oppose such measures and lobby for users?

We could go on but you get the idea: absent any information on what the Accord will actually do, this reads like well-intentioned stuff that seems likely to lead to some lovely meetings and deliver some nice white-papers to download. But unless it requires the signatories to spend new money on new activities, it’s hard to see it making much difference to anyone other than graphic designers who get to put the Accord’s logo on those white-papers, or try to figure out how to get all 34 signatories’ logos onto slideware.

As an exercise in demonstrating the Accord’s members have a sincere desire to improve security, and the skills to enact that desire, it falls well short. ®

Sponsored:
Minds Mastering Machines – Call for papers now open

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/04/18/cybersecurity_tech_accord/

NHS given a lashing for lack of action plan one year since WannaCry

Nearly a year has passed since the unprecedented WannaCry cyber attack and the UK’s NHS has yet to agree an action plan, according to a report by MPs.

Following the incident last June, which caused 20,000 hospital appointments and operations to be cancelled, a Lessons Learned review was published with 22 recommendations for strengthening the NHS’s cyber security.

However, implementation plans have yet to be agreed, while the Department of Health does not know exactly how much the recommendations will cost or when they will be implemented, the Public Accounts Committee report found.

It added that some NHS organisations still have a lot to do to improve their cyber security, including Barts Health NHS Trust, one of the largest affected by WannaCry.

200 NHS trusts have failed an on-site assessment for cyber security resilience, MPs previously heard.

That was apparently because “a high bar” had been set for NHS providers, although some trusts failed purely because they had still not patched their systems – the main reason the NHS had been vulnerable to WannaCry.

Committee chair Meg Hillier said: “The extensive disruption caused by WannaCry laid bare serious vulnerabilities in the cyber security and response plans of the NHS.

“But the impact on patients and the service more generally could have been far worse and government must waste no time in preparing for future cyber attacks – something it admits are now a fact of life.

“It is therefore alarming that, nearly a year on from WannaCry, plans to implement the lessons learned are still to be agreed.”


She added: “I am struck by how ill-prepared some NHS trusts were for WannaCry, in many cases failing to act on warnings to patch exposed systems because of the anticipated impact on other IT and medical equipment.”

Cyber security investment cannot be properly targeted unless this information is collected and understood, she said.

“There is much important work to do and we urge the Department to provide us with an update by the end of June.

“Meanwhile, this case serves as a warning to the whole of government: a foretaste of the devastation that could be wrought by a more malicious and sophisticated attack. When it comes, the UK must be ready.”

Immediately following the WannaCry attack, the department reprioritised £21m in funding to address key vulnerabilities in major trauma centres and ambulance trusts, while a further £25m was allocated for 2017/18 to support organisations most vulnerable to cyber security risks.

The report recommended the Department of Health should provide an update by June on its national estimate of the cost to the NHS of WannaCry and how national bodies should target investment appropriately in line with service and financial risks.

It also said the department and its arm’s-length bodies should support local organisations to improve cyber security and be ready for an attack by developing a full understanding of the security arrangements and IT estate of all NHS organisations.

In addition, the department should: set out how local systems can be updated while minimising disruption to services; ensure all IT suppliers are accredited and that local and national contracts include standard terms to protect the NHS against cyber attacks; and ensure that local and national workforce plans include a focus on IT and cyber skills. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/04/18/mps_slam_nhs_for_lack_of_action_plan_one_year_on_from_wannacry/

Hey, govt hacker bod. Made some really nasty malware? Don’t be upset if it returns to bite you

RSA 2018 “You don’t launch a cyber weapon, you share it.”

This was a reminder issued to RSA Conference attendees, in San Francisco on Tuesday, by two security researchers, who warned that advanced malware strains, particularly those developed by government hackers, can be captured and repurposed by cash-strapped miscreants to build a controllable arsenal of software nasties.

Kenneth Geers, senior research scientist at Comodo, and Kārlis Podiņš, a threat analyst with Latvia’s CERT, also said governments should be more aware of how their own advanced malware is being lifted by other countries and potentially repackaged for attacks on them and their allies. Sorta like what happened with the NSA’s stolen and leaked EternalBlue exploit and the WannaCry ransomware that wielded it.

“It’s faster and easier than one might imagine to build an arsenal of cyber tools,” explained Geers. “It is going to lead to complexities on the battlefield as tools get out and get repurposed.”

Podiņš explained how a savvy government agency under attack by malware could, in a matter of hours, modify portions of the malicious code to download different payloads and use new command-and-control servers, then redeploy the cyber-weapon for their own use.

This is especially tempting if the malware exploits a zero-day vulnerability – a bug for which no patch or mitigation exists – that the victim was unaware of; now the target agency or organization can work out the exploited flaw, and use it to infiltrate others.

This, the pair contend, should give nations pause when looking to deploy an advanced malware package against a hostile nation or terrorist group, lest it be repackaged with a more destructive payload – such as a disk wiper as opposed to stealthy spyware – and used to create havoc.

“It is a matter of awareness up front on both sides,” explained Geers.

“If you have an offensive team you have to be aware that someone might steal your tools, so you have to be more judicious in your operation.” ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/04/18/researchers_warn_of_regifted_malware/

You’re a govt official. You accidentally slap personal info on the web. Quick, blame a kid!

Comment There’s a curious legal situation developing in Nova Scotia, Canada, right now.

A teenager is suspected of breaking the nation’s hacking laws by downloading PDFs containing personal information from a public government website after officials failed to redact the documents.

The 19-year-old was arrested after more than a dozen cops raided his home last week. He faces a criminal charge of “unauthorized use of a computer,” although he has yet to be formally arraigned and thus publicly named.

Here’s how it all started. The provincial government of Nova Scotia provides a website called the Freedom of Information and Protection of Privacy (FOIPOP) portal. It is an online database of government records and files made available to everyone on the planet.

These documents are released following successful freedom-of-information requests from journalists and other citizens. Basically, if you request a document, and it is allowed to be handed over, it eventually appears on the public portal so everyone can see it, not just the person who coughed up the five bucks to file the request. The PDFs should have any personal or private information in them redacted prior to publication.

Toe Curl’ing error

In early March this year, someone fetched 7,000 publicly available documents from the site, presumably using a simple script or Curl command line to automate the download. It’s pretty easy to do. According to privacy lawyer David Fraser and software engineer Evan d’Entremont, you simply had to change the document ID number at the end of a URL and fetch it. So, you’d download document number 1234, then 1235, 1236, and so on, working through all the digits, one by one, pulling in each file associated with each ID value. It’s basic enumeration.

Don’t forget, this fetches records and government files that have been released to the general public. So public, in fact, that they were picked up by Google’s webcache bots.

However, it turned out about 250 of those PDFs served by the FOIPOP portal had not been properly redacted prior to being made available to the public. These files, we’re told, held thousands of Nova Scotians’ sensitive private details, such as their social insurance numbers, dates of birth, and home addresses.

On April 5, a government staffer apparently noticed that, yup, you can enumerate all the documents in the database from the website, including the non-redacted PDFs that shouldn’t have been there.

A day later, an IT contractor behind the site, Unisys, dug through the logs, and let government officials know that 7,000 files had been slurped by a “non-authorized person.” Within 24 hours, police were tipped off, and officers showed up at the teenager’s house, suspecting him of illegally extracting information from the portal. He was arrested and charged, and faces up to 10 years in the clink if convicted.
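The sequential-ID fetching described above leaves a very recognisable trail in a web server’s access log, which is presumably what the contractor found when it dug through the logs. The following is an added example, not code from the article or from the Nova Scotia portal, that flags clients walking consecutive document IDs in constructed Apache-style log lines; the `/documents/<id>.pdf` path layout and the sample addresses are assumptions. Spotting the pattern after the fact is a weak second line of defence: the control that actually matters is redacting the PDFs before they are published.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx "combined"-style line: ip - - [timestamp] "METHOD path proto" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \d+'
)
# Hypothetical document URL layout for this example: /documents/<numeric id>.pdf
DOC_ID_RE = re.compile(r'/documents/(?P<id>\d+)(?:\.pdf)?$')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample log: one client walks IDs 1234..1241 one second apart (including a 404
# for an ID that was never published); another client browses a handful of unrelated documents.
SAMPLE_LOG = [
    f'203.0.113.7 - - [18/Apr/2018:10:00:{i:02d} +0000] "GET /documents/{1234 + i}.pdf HTTP/1.1" '
    f'{404 if i == 3 else 200} 48213'
    for i in range(8)
] + [
    '198.51.100.4 - - [18/Apr/2018:10:00:05 +0000] "GET /index.html HTTP/1.1" 200 1120',
    '198.51.100.4 - - [18/Apr/2018:10:02:11 +0000] "GET /documents/1500.pdf HTTP/1.1" 200 20011',
    '198.51.100.4 - - [18/Apr/2018:10:09:40 +0000] "GET /documents/2201.pdf HTTP/1.1" 200 7732',
    '198.51.100.4 - - [18/Apr/2018:10:10:02 +0000] "GET /documents/2202.pdf HTTP/1.1" 200 7732',
]


def parse_line(line):
    """Return (ip, timestamp, doc_id, status) for a document fetch, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = DOC_ID_RE.search(m.group("path"))
    if not d:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FMT)
    return m.group("ip"), ts, int(d.group("id")), int(m.group("status"))


def find_enumeration(lines, min_run=5, max_gap_s=60):
    """Flag clients that fetched at least `min_run` consecutive document IDs with no more
    than `max_gap_s` seconds between neighbouring fetches. 404s are counted as part of the
    run: an enumerating client hits gaps in the ID space, a human browsing links does not."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            per_ip[rec[0]].append(rec)

    hits = {}
    for ip, recs in per_ip.items():
        recs.sort(key=lambda r: r[1])          # order by timestamp
        run, best = [recs[0]], [recs[0]]
        for prev, cur in zip(recs, recs[1:]):
            if cur[2] == prev[2] + 1 and (cur[1] - prev[1]).total_seconds() <= max_gap_s:
                run.append(cur)
            else:
                run = [cur]                    # sequence broken: start a fresh run
            if len(run) > len(best):
                best = run
        if len(best) >= min_run:
            hits[ip] = {
                "first_id": best[0][2],
                "last_id": best[-1][2],
                "count": len(best),
                "not_found": sum(1 for r in best if r[3] == 404),
            }
    return hits


if __name__ == "__main__":
    for ip, info in find_enumeration(SAMPLE_LOG).items():
        print(f"{ip}: walked IDs {info['first_id']}..{info['last_id']} "
              f"({info['count']} fetches, {info['not_found']} not found)")
```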

Nova Scotia Premier Stephen McNeil went as far as claiming the data was “stolen.” The teen’s family are hoping the allegations are formally dropped before it gets to court.

Watchdog probe

Around that time, the FOIPOP website was also offline for about a week for unscheduled maintenance, which raised everyone’s suspicions that something was up. Officials later claimed the site had been “breached.” Privacy watchdogs announced they were shoving a probe into the affair – including investigating whether or not the portal and its information was properly secured. Top tip: it wasn’t.

The young adult in question denies any wrongdoing, and insisted all he wanted to do was download public documents. “I just had no malicious intent and I shouldn’t be charged for this,” the teenager told Canadian telly news CBC this week. His supporters argued he could have had no idea there was sensitive personal information in that 7,000 document trove he grabbed in bulk.

The authorities, somewhat predictably, claim this was a deliberate attempt to swipe folks’ private details. Which is exactly what we’d imagine you would allege if you were trying to deflect attention away from the fact someone on your staff bungled and put the wrong files on the public internet.

“There’s no question, this was not someone just playing around,” Nova Scotia’s Deputy Minister Jeff Conrad briefed journalists. “It was someone who was intentionally after information that was housed on the site.”

Jeff, who isn’t intentionally after information on a website when they visit it?

We’re not the only ones who reckon this looks just a little bit like someone being positioned squarely under a ton of plummeting bricks to bury the fact that Nova Scotia’s government screwed up.

“If any of the records contained private information that should not have been released, the government is responsible for that, not the teen,” EFF staff attorney Aaron Mackey told CBC.

Nuff said. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/04/18/nova_scotia_teenager_hacking_allegation/

Hop to it, bunnies: TaskRabbit breach means new passwords

IKEA’s TaskRabbit app and website, which link buyers with Allen-key experts and other errand-runners, remain offline a day after the company announced a data breach.

Ominously, the operation’s announcement (currently in place of its home page) advises users that if they re-use their username or password on any other sites, “we recommend you change those now.” To a pessimist, this would indicate the attackers have access to personal information.

The organisation also promises to “update affected individuals as more information becomes available”.

Once it’s got the site back online, “Taskers” should change their passwords there as well.

The post says the outfit has called in law enforcement, and to keep those flatpacks flowing, “we have dispatched a large team to work with Taskers and clients via phone to help them schedule and complete pending tasks.”

IKEA acquired its rabbit last September, maintaining it as a separate operating company so it could continue offering services other than furniture assembly.

According to the Beeb, the UK’s Information Commissioner’s Office is aware of and investigating the breach. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/04/18/hop_to_it_bunnies_taskrabbit_breach_means_new_passwords/

Signal app guru Moxie: Facebook is like Exxon. Everyone needs it, everyone despises it

RSA 2018 Speaking at the 2018 RSA conference on Tuesday, a panel of some of the most respected names in security were scathing about Facebook – and about the industry’s response to the Spectre processor bug.

The Cryptographers’ Panel, an annual tradition at the event, this year included Ronald Rivest of MIT and Adi Shamir of the Weizmann Institute (the ‘R’ and ‘S’ of RSA, respectively), public key encryption co-creator Whitfield Diffie, researcher Paul Kocher, and Signal co-author Moxie Marlinspike.

Among the hot topics in this year’s discussion was how society needs to view Facebook in light of its latest user privacy disaster. In particular, how we should handle a massive company that has little apparent regard for protecting information.

“In many ways Facebook is the Exxon of our time, it is this indispensable tool that is a part of everyone’s life that everyone also despises,” Marlinspike explained.

“It doesn’t matter how many gallons of oil Exxon dumps in the ocean or how egregious Facebook’s policies are.”

At the same time, Marlinspike points out that it won’t be as easy as simply telling people to walk away from a platform that, for many, has become most if not all of their online activity.

“There were a lot of things Facebook could have done, but it wasn’t in their interest to protect our data,” Kocher noted.

“It was very much in their interest to take advantage of all the data they collect. We can’t look to the companies that benefit from the status quo to fix these problems.”

CPU bug hunting

Also confounding the panel was the issue that confronted Kocher for much of last year: how to deal with a massive hardware flaw. When he and Google researchers separately uncovered and reported the bugs that would become the Spectre and Meltdown side-channel vulnerabilities last year, Kocher said he faced a new challenge in how to deal with a flaw that is present in the silicon itself, and who should be told among a long chain of designers, fabricators, vendors, and resellers.

“Who can fix a hardware problem in Arm processors? Who should know about a vulnerability in Intel processors when you have got Intel, and cloud providers, and customers using them?” Kocher asked.

“We need ethicists and people thinking what to do in those situations. We need a roadmap of what to do.” ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/04/17/facebook_exxon/

Majority of Men Think Women Have Equal Opportunity to Advance in Cybersecurity Career

Not so fast, say women.

Add another data point to the growing body of evidence on the deep gender divide in the high-tech industry.

A new survey by ISACA shows that far more men than women think women have equal career advancement opportunities in cybersecurity.

ISACA surveyed more than 2,300 cybersecurity professionals holding certifications such as Certified Information Security Manager (CISM) and Cybersecurity Nexus Practitioner (CSXP) on a variety of issues related to their jobs and careers.

The survey found 82% of male respondents saying women have the same opportunities as men for career advancement. In contrast, just 51% of female respondents said the same thing.

The startling disparity in perspective between the genders was somewhat smaller in the 51% of organizations in the ISACA survey that had a formal diversity program in place. In these organizations men and women appeared somewhat more aligned in their thinking on the matter compared with organizations without a diversity program. Eighty-seven percent of male respondents and 77% of females believed that men and women had equal career advancement opportunities in cybersecurity.

The sharply differing views on career advancement between men and women reflected in the ISACA study mirror those in other studies that have found similar disparities in other areas as well. Numerous studies, for instance, have shown that male employees in Silicon Valley are routinely paid substantially more for the same work than women in identical roles and with the same experience and qualifications. Men in high tech are also far likelier to advance more quickly in their careers than their female counterparts.

“In practice, cybersecurity jobs should be competency-based,” says Susan Snedaker, director of infrastructure and operations at Tucson Medical Center. But in reality, there is a gender gap in all technology fields. “The reasons are many, but part of the problem is that women drop out of tech jobs at a higher rate than men,” she says. Driving that statistic is a male-dominated culture at some tech companies and in some cybersecurity training programs. “It’s really difficult working in a job where you are constantly challenged, not because you aren’t smart, but because you aren’t ‘us’,” she says.

Given the skills crisis in the industry, it would seem obvious that cybersecurity is a great career for women, “but the hurdles can be daunting,” Snedaker says. “Cybersecurity leaders need to do a better job ensuring they build inclusive teams and merit-based rewards.”

Rob Clyde, vice-chair of ISACA, points to a PricewaterhouseCoopers report showing men are four times as likely as women to hold senior cybersecurity positions. “Women are underrepresented at every level in cybersecurity, and recruitment and retention programs need to focus on how to change that,” Clyde notes.

An effective diversity program that offers employees career development opportunities, mentoring, access, and support is critical, he says. Also vital is inclusive leadership. “IT leaders need to be educated so they can run effective teams, which includes hiring, training, and retaining diverse talent,” Clyde says.

“Training programs need to meet the needs of the organization and be gender-neutral,” Clyde adds. Training needs to be conducted in a manner where it is equally effective for both men and women, he says.

Another key finding in the ISACA report is just how persistent the skills gap continues to be for organizations across the board.

“Cybersecurity skills shortages have been major headlines for years now, but finding qualified candidates with solid technical skills is still a significant challenge,” Clyde says.

The ISACA survey found 25% of the respondents believe it takes six months or more to fill an open cybersecurity position, Clyde says. “Fortunately, since enterprise cybersecurity budgets are increasing at a faster rate than ever, there are more dollars available for training to develop hands-on technical skills,” Clyde says.


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …

Article source: https://www.darkreading.com/careers-and-people/majority-of-men-think-women-have-equal-opportunity-to-advance-in-cybersecurity-career/d/d-id/1331566?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

NIST Seeking Comments on New AppSec Practices Standards

Working in conjunction with SAFECode, NIST is opening the floor to suggestions at RSA about secure software development life cycle guidelines.

RSA CONFERENCE 2018 – San Francisco – The standards keepers at the National Institute of Standards and Technology (NIST) are turning their eyes to the world of application security. Working together with the nonprofit secure development coalition SAFECode, NIST has revved up its engines to work on a new special publication titled the Guide to Secure Software Development Life Cycle (SSDLC) Practices: A Producer and Consumer Perspective. The title might be a mouthful, but its purpose is fairly simple: to set the bar on what it means to securely develop software.

The guide is a work in progress with a still uncertain publication date, but NIST and SAFECode have made enough early conceptual headway that they’re comfortable turning to the security community to help them flesh out ideas for the standards. That public opinion gathering will commence Wednesday at RSA Conference in the form of a public working group session at the InterContinental Hotel at 4:30. In the run-up to this kickoff workshop, Dark Reading caught up with Steve Lipner, SAFECode’s executive director, to discuss the work his organization is doing to spearhead the publication and what he hopes its dissemination will do for application security industry-wide.


Dark Reading: Can you tell us a little about the genesis of this project and your collaboration with NIST?

Steve Lipner: One of the things we at SAFECode have been doing for probably more than 10 years is publishing best practices and recommended approaches for secure development, basically getting the developers to build secure software rather than trying to test it in after the fact.

There’s been a lot of pickup of those sorts of processes in the industry at large. But government guidance has been really silent on secure development practices up to today. And so we’ve been talking with NIST management for some time about producing a special publication on that topic.

After a lot of conversation, NIST has stepped up and they’ve done a lot of work internally, thinking about the issues and getting prepared. I think they’re a while away from issuing something, but they’re at the point where they’ve thought about it enough that they want to get public input.


Dark Reading: Once this publication does get issued, what do you hope its existence will actually do for the industry?

Steve Lipner: So, I think there are three things. Number one, it’ll provide another element of guidance for developers. There’s SAFECode guidance out there, and there’s other guidance out there that rules by simple numbers, but I think some organizations will look to this guidance and say, “That’s something we’re especially willing to rely on.”

I think it will provide a vehicle for customers to ask for secure development in an authoritative way. That will incentivize more developers to step up and start to adopt secure development processes, because they’re going to be faced with these, hopefully, realistic and well-aligned requirements that will move them that way.

And then the third thing is specifically for government procurements, which is a small subset, but it’s important. I think it will give government program offices, government system integrators, a tool to understand what best practices are and to integrate some of those things into the way they build software for the government.


Dark Reading: Obviously, with your presence here at RSA to stage this working group, SAFECode and NIST are reaching out to the security community, but can we also expect similar input-gathering from the development tribe that’s most likely to be impacted by these standards? 

Steve Lipner: SAFECode members and other commercial organizations that have secure development processes involve their developer communities (in developing these standards). So, I’m hoping that the bridge will get crossed by the impetus of the commercial players who see this being done and that they’ll make sure that their development organizations are on board. You can’t really do a secure development life cycle or create a security development life cycle process without having your developers bought in.


Dark Reading: In that same vein, will NIST be working to tie in a lot of the new development practices and standards that are cropping up as IT shops move to DevOps software delivery methodologies?

Steve Lipner: When we started building software security processes (at SAFECode), that was consistent with a two- or three-year development life cycle. But in my experience, just a year or two after we created our initial development process, we had to say, “Okay, how do you apply this process to Agile (and DevOps)?”

And so we started to think about “What does that mean?” and “How do we adapt?” The answer is that secure code is still secure code, but you have to have different ways of parsing the tools, testing the delivery, [and knowing] where the feedback loop goes. Just because you’re doing DevOps or just because you’re doing Agile doesn’t mean you can’t do secure development, if you decide that secure development is important. [We’ll be] getting that reflected in a NIST special publication that is specific enough so that customers can tell whether developers have done it. But it will also be general enough so that there is flexibility for other processes and different tools. 

There are going to be challenges in getting the document right, but I don’t believe it’s an impossible task, by any means.

Interop ITX 2018

Join Dark Reading LIVE for two cybersecurity summits at Interop ITX. Learn from the industry’s most knowledgeable IT security experts. Check out the Interop ITX 2018 agenda here.

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

Article source: https://www.darkreading.com/application-security/nist-seeking-comments-on-new-appsec-practices-standards/d/d-id/1331570?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Trump Administration Cyber Czar Rob Joyce to Return to the NSA

First year of Trump White House’s cybersecurity policy mostly followed in the footsteps of the Obama administration.

RSA CONFERENCE 2018 – San Francisco – White House cybersecurity coordinator for the National Security Council and former National Security Agency official Rob Joyce plans to step down from his post and rejoin the intelligence agency.

Joyce, who was widely respected among cybersecurity industry experts, is leaving on the heels of his supervisor, homeland security advisor Tom Bossert, who departed this month after President Trump named John Bolton to replace H.R. McMaster as National Security Advisor. While Bossert’s departure is believed to be tied to Bolton’s arrival, Trump administration officials have said Joyce is leaving of his own accord and will remain in his position until Bolton selects a replacement.

DHS Secretary Kirstjen Nielsen, who delivered a keynote address here today, told reporters that Joyce likely will remain on the job at the White House for another 30 days.

Joyce, the former chief of the NSA’s elite hacking unit, Tailored Access Operations (TAO), has led the White House’s cybersecurity policy for the past year. Overall, Trump’s cybersecurity policy didn’t veer much from that of his predecessor: his May 2017 Executive Order for the most part echoes and builds on existing law and policy, including FISMA and the Obama administration’s critical infrastructure EO.

The White House initially extended Obama’s December 2016 “national emergency” EO that ultimately led to sanctions against Russia for hacking and other attempts to tamper with the outcome of the US election. In March of this year – one year later – the administration levied financial sanctions of its own against five organizations and 15 individuals in Russia, and also issued an alert on that nation’s targeting of US critical infrastructure and energy networks.

Joan O’Hara, acting National Security advisor to the Office of the Vice President, here today made it clear the administration considers cyberthreats a priority. “The administration is very clear-eyed about the threats we face from nation-states,” O’Hara said today prior to a federal cyberattack threat simulation exercise at the RSA Conference. “Cyberattacks are among the most serious attacks we face in terms of national security … The administration takes this very seriously and is doing a lot to face this challenge.”

Among the Trump administration’s efforts, she said, are calling out malicious nation-state actors and placing sanctions on those adversaries, in an apparent nod to recent sanctions on Russian and Iranian officials for their attacks on US organizations and agencies. “President Trump has elevated the US Cyber Command,” she noted, and the administration is working to improve the security of federal agency networks as well as helping the private sector “leverage the best of American skill and ingenuity,” she said.

Suzanne Spaulding, former DHS undersecretary for the National Protection and Programs Directorate (NPPD) in the Obama administration, said in an interview here that there has been “a lot of continuity” between the current administration’s cybersecurity policy and activity and that of the Obama administration.

Spaulding, who is now a senior advisor for the Center for Strategic and International Studies, said she’s not concerned about the current administration turning up the heat on nation-state adversaries: “I don’t worry they aren’t going to be proactive” or aggressive in their cyber response, she said. “But I do worry whether they have the ‘troops’ in place. So they may have the intentions and instincts … but you really do need to have people confirmed in positions to implement it.”

“I feel good about the team at DHS, and Secretary Nielsen has a cyber background. My sense is they are moving out in really smart ways,” she said.

Michael Daniel, who served as Obama’s cybersecurity coordinator, pointed to a tradition of relative continuity down the line of presidents, from Bill Clinton to George W. Bush, Obama, and then Trump. “Most policy changes tend to be evolutionary versus revolutionary,” Daniel said of US cybersecurity policy. Even so, he said, “Rob’s departure is going to slow down policy work,” in the interim.

Bossert’s and Joyce’s departures come at a sensitive time geopolitically, given tensions between the US and Russia, North Korea, and Iran. “My question is where is the overall cybersecurity policy?” says Chris Pierson, CEO of Binary Sun Cyber Risk Advisors.


Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise …

Article source: https://www.darkreading.com/perimeter/trump-administration-cyber-czar-rob-joyce-to-return-to-the-nsa/d/d-id/1331571?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

2018 RSA Conference: Execs Push Cooperation, Culture & Civilian Safety

On the RSA Conference keynote stage, execs from Microsoft, McAfee and RSA push the cybersecurity industry to use a louder voice and foster a deeper security culture, and introduce a new Cybersecurity Tech Accord.

RSA CONFERENCE 2018 — SAN FRANCISCO — Amid the echoes of a hard-shredding string quintet rapping about WannaCry, tech executives on the RSA conference keynote stage here today called for fostering cybersecurity culture and announced a compact between tech companies that agreed to provide defense for all, and offense for none. 

Microsoft President Brad Smith said “If there is one message that we need to come together to convey to the governments of the world” it is that cyber attacks are not just attacks on machines, but on people. He detailed how the WannaCry attacks directly impacted British hospital patients and how the NotPetya attacks not only infected half of Ukraine in less than three hours, but put Ukrainian companies out of business, and how governments attacking other governments can have real impacts on civilians. “That is the call that we need to answer,” said Smith. 

He spoke of the new Cybersecurity Tech Accord, announced today in a joint press release by 34 companies spanning security providers, forensics investigators, software developers, hardware manufacturers, telecommunications companies, social media giants, and more. Microsoft, RSA, FireEye, Trend Micro, Symantec, Avast, F-Secure, Bitdefender, Oracle, SAP, Cisco, Dell, HP, Arm, CA, Nokia, BT, Facebook, and LinkedIn are among those on the list.

The four tenets of the accord are: to undertake more collective action and information sharing; to help customers build their own capacity to protect themselves; to provide a stronger defense against cyber attacks for all customers across the globe, regardless of the motivation for the attacks; and to conduct no offensive actions.

As the press release states, “we will not help governments launch cyberattacks against innocent citizens and enterprises from anywhere.” 

“We need to lead not only by example,” said Smith, “we need to lead with our voice, because as we’ve seen, we need governments to do more.” He renewed his call for the creation of a “Digital Geneva Convention,” which he has mentioned in previous RSA conference speeches, suggesting that nations set rules of engagement for both wartime and peacetime to protect civilians from the impacts of cyber conflict.   

Smith also mentioned Microsoft’s new Azure Sphere announcement for IoT defense, which the company is licensing to every chipmaker, quipping, “Did anyone ever think that anyone from Microsoft would ever come here and say that we are shipping a custom Linux kernel?”

Christopher D. Young, CEO of McAfee, continuing on the theme of safety, spoke of the rash of airplane hijackings decades ago (24 in the US in 1970) before cautionary procedures on air transit were put into place. While airlines have learned, Young said, that not all everyday items can be trusted – like a shoe or a too-large bottle of shampoo – cybersecurity professionals are learning that not all everyday items can be trusted once they’re connected to the internet. 

One lesson Young said the cybersecurity industry should learn from airlines is that “they are absolutely obsessive about safety and security.” For everyone who works in the air travel ecosystem, safety and security is job one, says Young. “My ask is that we all go out and that we try and drive a culture in which cybersecurity truly gets the priority it deserves.”

Events like hijacking forced culture change in the flight industry; culture change is necessary in cybersecurity, and simply getting users to “do” things like change their passwords when the policy demands is not enough, says Young; “doing is different than being.” 

RSA President Rohit Ghai, however, pointed out several “silver linings” for the security industry to take pride in.

Ghai said security departments are moving away from “silver bullet” strategies, instead recognizing that small improvements all over an environment add up to big gains. “Our knowledge of our business is the only asymmetric advantage we have against the bad guys,” he said.

Artificial intelligence is also helping security tools get to or ahead of attacks more quickly, and in some applications even reducing user friction while reducing fraud. “We are getting better at ‘getting to the ball before our opponent,'” said Ghai (borrowing a phrase, he noted, from Boston Celtics legend Bill Russell). 

Teamwork, both within the security and risk management fields, and with outside entities like end users, government, and policy makers is also improving, says Ghai.

Ghai did, however, leave attendees with a few words of caution, noting security professionals’ responsibility to maintain trust, not only in their own organizations and brands but in technology and the systems that use it. “It takes a lifetime to build trust but only a moment to lose it. … Our collective risk is that we fail to avoid a breach of trust.”


Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad …

Article source: https://www.darkreading.com/risk/2018-rsa-conference-execs-push-cooperation-culture-and-civilian-safety-/d/d-id/1331563?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple