Happy Friday, Federal Friends! Welcome to the weekend, and for those of you who are out next week, happy Fourth of July.
There was a great, short read from the Washington Post this week about a talk given by CIA CIO Doug Wolfe at a recent symposium. He was talking about the Agency's coming deployment into AWS, but went into the difficulty that many agencies, including Fed & SLED, have in dealing with the private sector, mostly due to the differences in cultures. In the past most of you were able to easily, or more easily, procure IT resources without much oversight. Well, times have changed, with FY13 being a prime example of budgetary headaches. Stemming from that we've seen budgets slashed and new procedures and controls put in place, all coming together just as cybersecurity is becoming more of a focus. While it was easier in the past to procure the tools necessary in order to become compliant, the reality is that compliance no longer equals security. This means you will have to make strong arguments in order to bring in the tools needed to adequately secure your environment. The key to success here is to treat your vendors as partners and to become more efficient, as Mr. Wolfe highlights, when making your IT purchases. While we all have to do budgetary assessments for the coming FY, it's important to make sure your "wish list" is prioritized effectively. Additionally, not all tools have a cost associated with them. While the thought of leveraging open source tools can be precarious at times, it's important to realize that they can be just as effective, in some cases more so, than those tools that require the use of your budget.
Why would you want to use a mixed bag of free and commercially available tools? To put it simply, it could lead to you better securing your network as well as helping you check the box for compliance. In the recent FISMA Annual Report DHS came out on top again, achieving a score of 99 for the 2nd year in a row. DHS, like many departments, sets the policies, but each operational group is responsible for maintaining its own security under those guidelines. They are especially effective in making this a collaborative effort and putting a lot of onus on the individual as well. The tools they use are a mix of commercial-grade and open source solutions, but this combination provides them with all of the necessary information to disseminate throughout the organization in order to secure the network. They are able to provide detailed information, including the assets that need immediate attention, and are holding folks accountable for the remediation. DHS as a department has also embraced, and backed, the NIST Risk Management Framework, thus taking a step back from simply checking the box and refocusing on a risk-based approach to managing their cybersecurity posture. My recommendation is for all of us to do just that. By establishing a new culture of understanding and addressing risk, the compliance boxes will get checked and your network will ultimately be more secure because of the new approach.
In other news, the FBI just put out a FLASH warning about a nasty spear-phishing campaign targeting federal, state, local and associated industry employees. While this FLASH specifically highlights Facebook, including the names and IPs that the malicious actors are using, it's important to spread the word that the same thing is most likely taking place across most social networks. The goal of the attackers is ultimately to gain access to the users' credentials in order to gain entry into the network at large. This campaign can be particularly nasty because the requests will seem to come from trusted contacts. This happens when the threat actor does a little recon on the individual and then reaches out to those within their circle of friends. When they then reach out to their intended target, they have a paper trail of mutual contacts, which, depending on the vigilance of the target, could immediately lead to an acceptance, and by that point it's probably already too late: they've been pwn'd. As the line continues to blur between what happens while logged into the network vs. personal use, it's important to let your folks know that what they do online can, in fact, increase the risk on your network.
Stay vigilant and spread the word.