Mar 11 2010

Pennsylvania fires CISO over RSA talk

Pennsylvania’s chief information security officer, Robert Maley, has been fired, apparently for talking publicly at the RSA security conference last week about a recent incident involving the Commonwealth’s online driving exam scheduling system.

A source close to the matter said Maley was terminated for not getting the required approvals from the Commonwealth’s authorities to talk publicly about the incident.

Commonwealth rules explicitly require all employees to get approval from the appropriate authorities before they publicly disclose official matters, the source said.

A spokesman for the state’s governor, Edward Rendell, today confirmed that Maley is no longer working for the Commonwealth. But he refused to say if Maley had been terminated, citing privacy rules.

Maley, who was Pennsylvania’s CISO for more than four years, was part of an RSA conference panel discussing state cybersecurity issues last Thursday.

During the discussion, Maley talked about a recent incident involving a Philadelphia-area driving school that was trying to get early driving tests for its students. The source said someone at the school exploited a configuration “anomaly” in the Department of Transportation’s online driver’s test scheduling system.

The vulnerability allowed the school to essentially cut the line and schedule “a whole bunch of driver’s license exams” for its students, the source said.

The incident was reported to the state police, and the matter is currently under investigation, the source said.

Danielle Klinger, a spokeswoman for Pennsylvania’s Department of Transportation, confirmed today that a problem had been uncovered in the driver test scheduling system, and that the matter has been turned over to state police.

However, she contested several media reports that have described the incident as a hacking attack, and said that as far as the department was aware, there had been no hack or breach of the system.

Maley’s dismissal comes amid ongoing budget and staff cuts at Pennsylvania’s IT security organization, the source said. Over the past 18 months to two years, the administration has cut information security budgets by close to 38%, and staff by 40%. They also put a “lockdown” on talking about cybersecurity, the source claimed.

Source


Feb 26 2010

International Secure Systems Development Conference

The International Secure Systems Development Conference, taking place in London during May 2010, addresses the key issues around designing-in security for standard and web-based software and systems, both in terms of developing new applications securely and also in adding security to legacy applications.

The aim is to attract complete policy-level, project and technical implementation teams responsible for developing secure systems within an organisation. This would include Lead Developers, Systems Architects, CISOs, CTOs, Compliance, Risk & Audit Professionals, Government Policymakers and others involved in systems development.

Whilst external threats (and internal subversions) have for years grabbed the IT security headlines, there has been an increasing realization amongst many experts that the vast majority of today’s vulnerabilities can be traced back to shortcomings in application coding, and to repeated design failures whereby business-critical applications are simply not able to function as part of today’s pervasive security and authentication architectures.

Source


Feb 16 2010

How to Make Things Worse With IT Security Technology

It’s an observation a lot of IT security practitioners are making of late: That companies are so obsessed about compliance and getting through a list of checkboxes that security technology is being haphazardly implemented — in ways that actually increase a company’s risk.

At the recent ShmooCon security conference in Washington D.C., CSO Senior Editor Bill Brenner asked Ontario-based CISO and security consultant James Arlen for examples of the problem. Here is what he has seen, and what — if anything — we can do about it.

There are a lot of tech-heavy talks going on at ShmooCon this year. As a CISO, what are your biggest technological concerns?
James Arlen: We need to be focusing more on the quality of security technology implementation. It’s no longer enough just to buy the thing; to have that technological doo-dad. When you get through all your PCI security checkmarks and get through your SAS70 requirements that’s great, but are you really getting the value that you’re supposed to be getting?

And you don’t see that happening?
Arlen: In a lot of cases there really is no way to get that value because of the implementation. You buy it, you turn it on, the red light is blinking and it’s making the peeping sound. But it’s not doing anything for you. You’re not getting any risk reduction. You’re not increasing your situational awareness. We need to find a way to get better at that stuff faster.

Give an example of where, in your business travels, you see this sort of problem unfolding.
Arlen: In my long, sordid history as a security consultant I see it all the time. You’d see these firewalls implemented with hugely long rule sets and all kinds of effort put into them. But then you go down to the bottom of those rule sets and discover that somebody slipped in an “any-any” rule because it would make testing easier or allow them to get something into production faster. So it’s an example of taking all this hard work you’ve done and undoing it in the name of expediency.

The flip side of that is that, in being a security operational person, you go out and get the tool, and you train one or more people to use it, and because the security industry is as fast paced as it is — fast paced being another way of saying “high turnover” — you end up in a situation where three to six months down the line you’re in a position where you don’t have that practitioner excellence and you have a tool that has essentially been shelved because there’s no one who knows how to pick it up and use it.

Source
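The any-any pattern Arlen describes can be caught mechanically before a rule set ships. The audit below is an added example, not code from the interview or from CSO; it uses a constructed five-field rule format (first match wins) rather than any vendor's syntax, and it generalizes the point: besides flagging an any-any allow, it reports every rule made unreachable by an earlier, broader rule, of which the any-any slipped in near the bottom is the extreme case.

```python
import ipaddress
from dataclasses import dataclass

# Constructed mini rule language (not any vendor's syntax); first match wins:
#   <allow|deny> <src cidr|any> <dst cidr|any> <tcp|udp|any> <port|any>
@dataclass
class Rule:
    action: str
    src: str
    dst: str
    proto: str
    port: str

def parse(lines):
    rules = []
    for line in lines:
        line = line.split("#", 1)[0].strip()   # drop trailing comments and blank lines
        if line:
            rules.append(Rule(*line.split()))
    return rules

def _net_covers(wide, narrow):
    """True if 'wide' (a CIDR or 'any') contains every address in 'narrow'."""
    if wide == "any":
        return True
    if narrow == "any":
        return False
    return ipaddress.ip_network(narrow).subnet_of(ipaddress.ip_network(wide))

def covers(wide, narrow):
    """True if every packet matching 'narrow' would already have matched 'wide'."""
    return (_net_covers(wide.src, narrow.src) and _net_covers(wide.dst, narrow.dst)
            and wide.proto in ("any", narrow.proto)
            and wide.port in ("any", narrow.port))

def is_any_any(rule):
    return rule.action == "allow" and {rule.src, rule.dst, rule.proto, rule.port} == {"any"}

def audit(lines):
    """Return (rule index, reason) findings: any-any allows and shadowed (dead) rules."""
    rules = parse(lines)
    findings = []
    for i, rule in enumerate(rules):
        if is_any_any(rule):
            findings.append((i, "any-any allow: every rule below it is dead"))
        for j in range(i):                      # first earlier rule that swallows this one
            if covers(rules[j], rule):
                findings.append((i, f"unreachable: shadowed by rule {j} ({rules[j].action})"))
                break
    return findings

SAMPLE = """
allow 10.0.0.0/8   any tcp 443   # 0 corporate clients to HTTPS
deny  10.0.5.0/24  any tcp 22    # 1 contractor subnet may not SSH out
allow any any any any            # 2 "temporary" any-any added for testing
deny  any any any any            # 3 the final deny, now never reached
""".splitlines()                   # constructed sample rule set
```

Running `audit(SAMPLE)` reports rule 2 as an any-any allow and rule 3 as unreachable; in a real rule set the second list is the work Arlen describes being undone.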


Feb 1 2010

SecureCloud 2010: The future of cloud security

SecureCloud 2010 is a premier educational and networking event hosted by ENISA, the Cloud Security Alliance and ISACA, three of the leading organizations shaping the future of cloud computing security. The event takes place in Barcelona, Spain in March 2010.

It is the first event to focus specifically on state of the art practices to promote security, privacy and trust within cloud computing from technical, assurance and governance perspectives.

SecureCloud 2010 will feature presentations by thought leaders from industry, academia and government, including keynote speeches by Dr Udo Helmbrecht, Executive Director of ENISA; and Dave Cullinane, CISO at eBay, and Chairman of the Board of the CSA.

Jim Reavis, Executive Director, Cloud Security Alliance, commented for Help Net Security: “Cloud Computing represents an important milestone in the history of technology, as we begin the shift towards the adoption of computing as a utility. Securing the cloud is a shared, global responsibility, and Secure Cloud 2010 provides a forum for a truly global dialogue of cloud providers, government, enterprise users and other key stakeholders to achieve this mission”.

Source


Jan 21 2010

FBI Director to chronicle the evolution of cyber threats at RSA Conference 2010

Robert Mueller, Director of the Federal Bureau of Investigation, will deliver a keynote address at RSA Conference 2010. Mueller’s keynote will detail cyber threats through the years – from criminal threats like computer intrusions and identity theft to the use of the Internet by extremists and hostile foreign powers.

The Director will also highlight the changing role of the FBI in addressing cybercrime, both in terms of our economic security and our national security, while focusing on the importance of public and private sector partnerships in identifying, preventing and investigating these threats.

Sandra Toms LaPedis, Area Vice President and General Manager of RSA Conference said: “As information security moves beyond the confines of research labs and IT departments and into the lives of all Americans, it becomes even more essential to arm our attendees with guidance from influential government officials. The addition of Director Mueller to our keynote lineup gives us first-hand insight into how the threats of the past can shape our understanding of the cyber attacks of the future.”

Source


Jan 21 2010

NANOG 48 is coming up

Stretch your travel dollar further by registering now for NANOG 48, February 21-24, co-hosted by Data Foundry and Giganews in Austin, Texas. The early registration rate prevails through January 21, and the discounted hotel rate expires February 5 or when the room block is full. Rooms are limited so make your reservation soon.

We have a great meeting planned, and you can review the draft agenda at

http://www.nanog.org/meetings/nanog48/agenda.php.

Hotel and travel information, meeting registration, and a list of meeting sponsors and sponsorship opportunities are available through

http://www.nanog.org/meetings/nanog48/index.php.

Look forward to seeing you there,

David Meyer
(for the NANOG Program Committee)

Source


Nov 13 2009

Security Metrics Are Useless Without a Plan

There has been a big push in recent years in the security community toward metrics, and measurements of all types have become a hot topic in certain corners of the industry. But measurement for measurement’s sake is useless, and perhaps even counterproductive, if the security team in an organization doesn’t define its goals and parameters ahead of time, experts say.

Security professionals have been measuring things such as vulnerabilities in a given application and the time it takes to fix flaws for years. Those things are easily quantifiable and it’s fairly simple to define the value in doing so. But there’s likely more value in finding ways to measure things such as the cost of fixing a vulnerability at various stages of the software development lifecycle, and the cost of a data breach relative to the cost of fixing a flaw before a breach occurs, said Chris Wysopal, CTO of Veracode, in a talk at the AppSec DC conference here Friday.

“Evaluating your spend on this is something that’s really hard to do,” he said. “You want to be headed toward mapping the cost of fixing vulnerabilities up front to the cost of a data breach.”

Source


Nov 6 2009

Experts gather for Cyber Operations Symposium

The Combined Arms Center Capability Development Integration Directorate hosted a Cyberspace Operations Symposium Oct. 27-30 at Fort Leavenworth.

More than 100 attendees from more than 25 organizations across Training and Doctrine Command and the greater community of interest actively participated in the symposium to further cyberspace operations capability development work. Working groups spent the first two days refining the Cyberspace Operations Concept Capability Plan.

“This document is really the first Army effort to standardize terminology and tie all the elements of cyberspace operations together,” Thomas Jordan told the participants during his welcome to the group. “The Army’s reliance on information sharing and cyberspace technologies echoes that of our nation and even the world – this event and your work here this week are critical steps in advancing our capabilities in cyberspace because it will pave the way for future analytical efforts.”

The third day of the symposium was an executive session. In addition to reviewing the draft briefing that will present the final Cyber CCP to the Senior Oversight Group in early November, this venue provided an opportunity to share ideas.

Source