Sep 1 2010

Cloud security certification from the Cloud Security Alliance

The Cloud Security Alliance’s Certificate of Cloud Security Knowledge (CCSK) is now open for testing.

The industry’s first user certification program for secure cloud computing, the CCSK is designed to ensure that a broad range of professionals with responsibility related to cloud computing have a demonstrated awareness of the security threats and best practices for securing the cloud.

“Critical services are being provided via the cloud, creating an urgent need for cloud security skills among IT professionals,” said Jim Reavis, CSA executive director. “The CCSK is a low cost certification that establishes a robust baseline of cloud security knowledge. Combined with existing professional certifications, it helps provide necessary assurance of user competency in this important area of growth.”

The CSA’s CCSK already has broad industry support from numerous organizations that plan to certify employees, including eBay, ING, Lockheed Martin, Sallie Mae, Zynga, CA, CaseCentral, HCL Technologies, Hubspan, LogLogic, Fiberlink, McAfee, Novell, Ping Identity, Qualys, Solutionary, Symantec, Trend Micro, Veracode, VeriSign, Vordel, WhiteHat Security and Zscaler.

“We have already been leveraging the CSA’s ‘Security Guidance for Critical Areas in Cloud Computing’ as a best practices manual for our information security staff,” said Dave Cullinane, CISO and VP for eBay. “We plan to make this certification a requirement for our staff, to ensure they have a solid baseline of understanding of the best practices for securing data and applications in the cloud.”

Discounted pricing of $195 for the CCSK exam is available through Dec 31st; regular pricing at $295 begins January 1st.

Source


Aug 18 2010

Red Hat Pursuing Certification For RHEL 6, Hypervisor

Red Hat is pursuing a certification for its Linux OS and virtualization, paving the way for government agencies to use the technology to create secure, virtualized IT environments and private clouds.

The Linux vendor has entered into an agreement with Atsec information security to certify Red Hat Enterprise Linux 6 under Common Criteria at Evaluation Assurance Level (EAL) 4, according to a Red Hat blog post.

Common Criteria is a standard evaluation rating issued by the National Information Assurance Partnership that government customers use to evaluate the security of IT products before making purchasing decisions.

The pursuit of certification also will cover the KVM hypervisor on both Red Hat Enterprise Linux 5 and Red Hat Enterprise Linux 6. A hypervisor enables an OS to run virtually without the need for a physical server, reducing the number of energy resources a data center requires.

KVM, or Kernel-based Virtual Machine, is the virtualization infrastructure for the Linux kernel. Red Hat’s virtualization leverages RHEL’s Security-Enhanced Linux (SELinux) feature, jointly developed by the National Security Agency and the Linux community to provide high levels of security.

SELinux in particular ensures virtual resources run in separate containers, which protects each one individually in case of intrusion. Protecting each virtualized resource individually is one guideline the National Institute of Standards and Technology recently offered as a way to address common concerns about implementing virtualization.

By including hypervisor technology in its certification, Red Hat will enable government customers to host multiple tenants on a single machine, allowing for a private cloud-computing infrastructure, according to the vendor.

The federal government increasingly is using virtualization to create more efficient and cost-effective data centers as part of an agency-wide consolidation effort.

Security often has been an area of concern for people using virtualization technology, but that perception is beginning to change as the technology becomes more sophisticated and widely used, and as those developing hypervisors take security issues into consideration.

Red Hat already has achieved Common Criteria certification 13 different times on four different Linux platforms.

Source


May 12 2010

FCC to examine voluntary cybersecurity certification

The FCC on Tuesday began the process of establishing a voluntary cybersecurity certification program for Internet and other communication providers.

The commission announced its plans in this morning’s Federal Register, noting it would solicit comments on its tentative cybersecurity ideas until Sept. 8. The voluntary certification program was first proposed as part of the agency’s National Broadband Plan, the comprehensive agenda the FCC released in March.

Chiefly motivating the FCC’s new cybersecurity certification program are reports that hacks and cyberattacks grew exponentially in 2009. One firm told the commission that the total number of malware samples archived in its database last year reached 40 million — its highest point in 20 years.
At the same time, however, the FCC noted an independent review that found 47 percent of all enterprises studied in 2009 actually reduced their information-security budgets.

“The security of the core communications infrastructure–the plumbing of cyberspace–is believed to be robust,” the FCC noted in the register. “Yet recent trends suggest that the networks and the platforms on which Internet users rely are becoming increasingly susceptible to operator error and malicious cyber attack.”

The FCC envisions its system as completely voluntary, “but that by agreeing to participate, such communications providers would be bound by the program’s rules.” It seeks comment on that approach, as well as a proposal that it would collect fees from those companies that choose to participate.

Source


Mar 3 2010

DoD Requires Hacker Certification

Official government cyber defenders are now required to have the skills of a hacker according to a mandatory certification approved this week by the Department of Defense.

The DoD now requires its computer network defenders (CNDs) to pass the Certified Ethical Hacker certification program from the International Council of E-Commerce Consultants (EC-Council) to fulfill its baseline skill requirements.

The Certified Ethical Hacker qualification tests someone’s knowledge in the mindset, tools, and techniques of a hacker.

CNDs — who are part of the DoD’s information assurance workforce — protect, monitor, analyze, detect, and respond to unauthorized activity within DoD information systems and computer networks.

Assistant Secretary of Defense John Grimes officially instated the Certified Ethical Hacker requirement in late February under DoD Directive 8570, which provides guidance for how DoD information workers should be trained and managed.

The move is significant because it solidifies the practice of ethical hacking — also known as penetration testing — in mainstream IT practices, said Jay Bavisi, co-founder and president of EC-Council. The council is a vendor-neutral organization that certifies IT professionals in security-related skills.

“Now hacking is no longer a bad word in mainstream IT community,” he said, adding that ethical hacking is not exactly what people think of when they hear that word anyway.

“What we are doing is not hacking — we are seeking permission from the owners of the network to beat the hackers at their own game,” Bavisi said. In fact, the tag line for the EC-Council’s Certified Ethical Hacker educational program is: “To beat a hacker, you must think like one.”

IBM coined the term “ethical hacking” in the 1960s to define a way for IT security researchers to emulate the work of hackers so they can better defend networks, Bavisi said.

Ironically, though ethical hacking was first adopted in covert practices by the U.S. military, in the last decade or so it has become a common practice among Fortune 500 companies to employ ethical hackers to defend networks, he added.

The practice seems to have come full circle with the DoD directive, which Bavisi said the department took three years to approve.

“We were put through a lot of hoops before the DoD accepted us,” he said. “It was a very well-thought, very well-planned, researched movement.”

Source


Jan 5 2010

NIST-certified USB Flash drives with hardware encryption cracked

Kingston, SanDisk and Verbatim all sell quite similar USB Flash drives with AES 256-bit hardware encryption that supposedly meet the highest security standards. This is emphasised by the FIPS 140-2 Level 2 certificate issued by the US National Institute of Standards and Technology (NIST), which validates the USB drives for use with sensitive government data. Security firm SySS, however, has found that despite this it is relatively easy to access the unencrypted data, even without the required password.

The USB drives in question encrypt the stored data via the practically uncrackable AES 256-bit hardware encryption system. Therefore, the main point of attack for accessing the plain text data stored on the drive is the password entry mechanism. When analysing the relevant Windows program, the SySS security experts found a rather blatant flaw that has quite obviously slipped through testers’ nets. During a successful authorisation procedure the program will, irrespective of the password, always send the same character string to the drive after performing various crypto operations – and this is the case for all USB Flash drives of this type.

Cracking the drives is therefore quite simple. The SySS experts wrote a small tool that patched the running password entry program in RAM so that the appropriate string was always sent to the drive, irrespective of the password entered, and as a result gained immediate access to all the data on the drive. The vulnerable devices include the Kingston DataTraveler BlackBox, the SanDisk Cruzer Enterprise FIPS Edition and the Verbatim Corporate Secure FIPS Edition.

When notified by SySS about this worst case security scenario, the respective vendors responded quite differently. Kingston started a recall of the affected products; SanDisk and Verbatim issued woolly security bulletins about a “potential vulnerability in the access control application” and provided a software update. When asked by heise Security, Verbatim Europe said that none of the affected drives have been sold in Europe – and that none will be shipped before the hole has been closed.

The real question, however, remains unanswered – how could USB Flash drives that exhibit such a serious security hole be given one of the highest certificates for crypto devices? Even more importantly, perhaps – what is the value of a certification that fails to detect such holes?
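The design lesson behind the SySS finding, as an added illustration that is not the researchers’ tool or any vendor’s firmware: in a constructed model, a weak drive accepts a fixed, password-independent unlock string decided on the host, while a hardened drive derives its key-encryption key from the password itself, so no constant exists that the device would accept. All names, the token and the data key below are constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed stand-in for the fixed string the flawed host program sent.
WEAK_UNLOCK_TOKEN = b"constructed-fixed-unlock-string"
DATA_KEY = hashlib.sha256(b"constructed 32-byte data key").digest()


class WeakDrive:
    """Models the reported flaw: the device only compares against a constant."""

    def __init__(self, data_key: bytes) -> None:
        self._data_key = data_key

    def unlock(self, token_from_host: bytes) -> Optional[bytes]:
        # The password never reaches the device, so the token is password-independent.
        if hmac.compare_digest(token_from_host, WEAK_UNLOCK_TOKEN):
            return self._data_key
        return None


def weak_host_login(drive: WeakDrive, password: str, expected: str) -> Optional[bytes]:
    # The real decision lives in host memory; the device cannot tell this host
    # apart from one whose comparison has been patched out.
    return drive.unlock(WEAK_UNLOCK_TOKEN) if password == expected else None


class HardenedDrive:
    """Device derives the key-encryption key (KEK) from the password itself."""

    def __init__(self, data_key: bytes, password: str) -> None:
        self._salt = os.urandom(16)
        kek = self._derive(password)
        self._wrapped = bytes(a ^ b for a, b in zip(data_key, kek))  # toy key wrap
        self._verifier = hmac.new(kek, b"verify", "sha256").digest()

    def _derive(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000, dklen=32)

    def unlock(self, password: str) -> Optional[bytes]:
        # A wrong password yields a wrong KEK, so the verifier check fails on the device.
        kek = self._derive(password)
        tag = hmac.new(kek, b"verify", "sha256").digest()
        if not hmac.compare_digest(tag, self._verifier):
            return None
        return bytes(a ^ b for a, b in zip(self._wrapped, kek))
```

The point a certifier should have caught is visible in the weak model: the value the device checks does not depend on the password, so the host-side comparison is the only gate.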

Source


Dec 4 2009

Certifications are not a panacea for cybersecurity woes

As Congress debates legislation to improve cybersecurity, one problematic idea that appears to have gained some traction is developing a national certification program for cybersecurity professionals.

If certifications were effective, we would have solved the cybersecurity challenge many years ago. Certainly more workforce training, although not a panacea, can help teach workers how to respond to known cyberattacks. However, workforce training is not certification, and organizations, not Congress, are in the best position to determine the most appropriate and effective training for their workers.

Organizations know that simply getting their employees certified will not solve their security challenges. Although a good certification standard might be a measure of a baseline level of competence, it is not an indicator of job performance. Having certified employees does not mean firewalls will be configured securely, computers will have up-to-date patches, and employees won’t write passwords on the backs of keyboards. Nor has the increase in the number of certified cybersecurity workers nationwide resulted in any noticeable decrease in the number of computer vulnerabilities, security incidents or losses from cyber crime. Between 2001 and 2005, although the number of Certified Information Systems Security Professionals in North America quadrupled, the number of vulnerabilities cataloged by the U.S. Computer Emergency Readiness Team more than doubled, the dollar loss of claims reported to the Internet Crime Complaint Center increased more than tenfold, and the number of complaints the center referred to law enforcement increased more than twentyfold.

Source


Nov 6 2009

DOD approves new credentials for security professionals

The Defense Department has approved new credentials for information security professionals. The directive is expected to result in more than 100,000 personnel obtaining professional credentials.

DOD approved the (ISC)² Certification and Accreditation Professional (CAP), which requires that all DOD information assurance workers obtain a professional certification accredited under the global ANSI/ISO/IEC Standard 17024.

CAP certifies that the holder has in-depth knowledge of Certification and Accreditation, a formalized process for assessing IS risks and security requirements and ensuring that the systems have adequate security in place.

DOD and the National Institute of Standards and Technology are jointly trying to create a single C&A process across the government. CAP is undergoing changes to comply with the new C&A requirements, which go into effect March 2010.

Source