With the apparent resurgence of hacker community Anonymous, as well as concerns that cybercriminals may have recently penetrated the networks of a number of small utilities, two United States federal government initiatives to improve cybersecurity were launched this past week.
As of Jan. 6, companies awarded contracts and orders by the U.S. General Services Administration (GSA) that include IT supplies, services and systems with security requirements will have 30 days to submit an IT security plan to the contracting officer or the officer’s representative.
The plan, now required under GSAR Amendment 2011-03, must describe IT security processes and procedures to be followed while working under the contract.
Contractors will also submit written proof of IT security authorization six months after the award and verify annually that the plan remains valid.
Meanwhile, the U.S. Department of Energy (DoE) and the U.S. Department of Homeland Security (DHS) have launched the Electric Sector Cybersecurity Risk Management Maturity Project.
The initiative will leverage private and public sector experts to help develop a maturity model that will let utility companies and grid operators measure their current capabilities and analyze gaps in their cyber defenses. Maturity models rely on best practices to identify an organization’s strengths and weaknesses.
Keeping the Wired Nation Safe
“This initiative does have the potential to fall into the category of the many public-private sector coordination committees that have historically achieved mixed results,” Bruce A. Brody, technical director of cybersecurity strategy at CACI and former chief information security officer (CISO) at the DoE, told TechNewsWorld.
“The right stakeholders are involved, and the available information appears to have the right intent,” Brody stated.
As with all effective strategies, this performance-based model must be risk-based, Marc Noble, director of government affairs for ISC2, pointed out. Noble was formerly the CISO at the U.S. Federal Communications Commission (FCC).
“While different approaches might be applied effectively, the human factor is critical,” Noble told TechNewsWorld.
In that vein, it’s important to ensure that measurements are done correctly because “reporting metrics can be manipulated to look better than they actually are” and so staffing is key, Noble said.
The Stratfor Fallout Continues
Customers of consultant firm Stratfor, whose servers were broken into by members of hacker collective Anonymous on Christmas Eve, apparently fell victim to an old-fashioned Rickroll on Friday, according to Sophos.
They received an email purporting to be from Stratfor CEO George Friedman about changes to the company’s services. The email contained a link that, when clicked on, took the victims to a video of Rick Astley singing “Never Gonna Give You Up.”
Symantec’s Slip and Ramnit
Also this past week, a group calling itself “Lords of Dharmaraj” stole and published source code for some Symantec security applications. However, they only got outdated code, Symantec spokesperson Cris Paden told TechNewsWorld. He described the group as a chapter of Anonymous.
Meanwhile, the Ramnit worm stole credentials from a total of 45,000 Facebook users, mainly in the U.K. and France, Seculert found.
“Thus far, we have not seen the virus propagating on Facebook itself, but we have begun working with our external partners to add protections to our antivirus systems to help users secure their devices,” Facebook spokesperson Gwendolyn Bellomy told TechNewsWorld.
SOPA Slashes at Security
Congress is currently considering the Stop Online Piracy Act (SOPA), also known as H.R. 3261, a piece of legislation designed to fight intellectual copyright violations and protect against counterfeit goods.
However, the bill is strongly opposed by several high-tech firms, including Google, as well as people who figured prominently in the development of the Internet, who argue that it’s much too sweeping.
It will also undermine security on the Internet because the DNS (domain name system) filters it proposes are much less secure than those already in place, contended Paul Ferguson, senior threat researcher at Trend Micro.
“SOPA DNS blocking is incompatible with DNSSec,” Ferguson told TechNewsWorld. “In fact, SOPA forces the exact type of behavior on DNS which DNSSec is designed to prevent.”
DNSSEC, the Domain Name System Security Extensions, is a suite of specifications that, among other things, lets a resolver verify the origin of DNS data and check that the data has not been altered in transit.
The result is “big-time danger” because “DNS stability is critical to the overall operation of the Internet,” Ferguson said.
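To make Ferguson's point concrete, here is an added, constructed example that is not part of the original article or of any DNSSEC implementation. It models a validating resolver: the zone signs its A record, an intermediate resolver that has been told to block or redirect the name rewrites the answer, and the validator rejects the rewritten answer because the signature no longer matches. HMAC-SHA256 stands in for the real RRSIG public-key signature so the script runs on the Python standard library alone; the zone key, names and addresses (`ZONE_KEY`, `www.example.com.`, the 192.0.2.0/24 documentation addresses) are all constructed for the example.

```python
"""Toy model of why rewriting DNS answers collides with DNSSEC validation.

Constructed example: a zone signs its records, a filtering resolver rewrites
the A record, and a validating resolver detects the rewrite. HMAC-SHA256
stands in for the asymmetric RRSIG signature used by real DNSSEC, which
also chains trust from a signed root down to the zone.
"""
import hashlib
import hmac

# Constructed zone signing key. In real DNSSEC the zone holds a private key
# and validators hold the public DNSKEY (or a trust anchor that chains to it),
# so an intermediate resolver can never re-sign an answer it has changed.
ZONE_KEY = b"example-zone-signing-key (constructed)"


def canonical(rrset):
    """Canonical form of an RRset: owner, type, TTL and sorted rdata."""
    owner, rtype, ttl, rdata = rrset
    return f"{owner.lower()}|{rtype}|{ttl}|{','.join(sorted(rdata))}".encode()


def sign_rrset(rrset, key=ZONE_KEY):
    """Produce the stand-in RRSIG: an HMAC over the canonical RRset."""
    return hmac.new(key, canonical(rrset), hashlib.sha256).hexdigest()


def authoritative_answer():
    """The answer the zone's authoritative server returns, with its signature."""
    rrset = ("www.example.com.", "A", 3600, ["192.0.2.10"])
    return {"rrset": rrset, "rrsig": sign_rrset(rrset)}


def filtering_resolver(answer, redirect_to="192.0.2.99"):
    """Model of a resolver ordered to block or redirect a name.

    It rewrites the A record but cannot produce a fresh signature because it
    does not hold the zone's key, so the original RRSIG travels along unchanged.
    """
    owner, rtype, ttl, _ = answer["rrset"]
    rewritten = (owner, rtype, ttl, [redirect_to])
    return {"rrset": rewritten, "rrsig": answer["rrsig"]}


def validate(answer, key=ZONE_KEY):
    """Validating resolver: ("secure", rdata) if the signature covers the RRset
    as received, otherwise ("bogus", None), which a real resolver reports as
    SERVFAIL rather than handing the client a forged address."""
    expected = sign_rrset(answer["rrset"], key)
    if hmac.compare_digest(expected, answer["rrsig"]):
        return ("secure", answer["rrset"][3])
    return ("bogus", None)


def demo():
    """Validate the genuine answer and the rewritten one side by side."""
    genuine = authoritative_answer()
    redirected = filtering_resolver(genuine)
    return {"genuine": validate(genuine), "redirected": validate(redirected)}


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label:10s} -> {result}")
```

The practical consequence is the one Ferguson describes: a client that validates DNSSEC cannot distinguish a policy-driven redirect from a cache-poisoning attempt, because both arrive as an RRset whose signature fails, so mandated filtering at the resolver either breaks validation for those names or has to be implemented by switching validation off.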