The Cybersecurity (CS) Digest is a curated bi-weekly news summary for cybersecurity professionals. It is transmitted in an HTML-formatted email and provides links to articles and news summaries across a spectrum of cybersecurity topics.
These short videos answer frequently asked questions and highlight features of the CSIAC.org website you may not have known existed.
FREE CSIAC Webinar 17 Aug @ 12 pm EDT – Defense Modeling and Simulation (M&S) Catalog: 2017 Update - CSIAC
One goal of the DoD Net Centric vision is to provide visibility into the M&S resources across the DoD enterprise. The Defense M&S Catalog was established to support the visibility component of the net centric data strategy and to provide an avenue for M&S organizations to make resources available for reuse. This presentation will provide an overview of the Defense M&S Catalog and the Defense Enterprise Metacard Builder Resource (EMBR) tool that complements the Catalog.
This webinar will talk about some of the industry guidelines that exist, how they are related, which ones need to be created, and how an assessment framework can be created that is standards based for consistent risk assessment results.
Learn the basics about what encryption is and how it works. This short video describes symmetric and asymmetric encryption. This is part 1 of a 3 part series on the topic of encryption.
Researcher: Metadata the ‘Most Potent Weapon’ Against Critical Infrastructure Security - Federal Times
The threat is what might be called "weaponized metadata," and the risks are detailed extensively in a new report, Metadata: The Most Potent Weapon in this Cyberwar, recently published by the Institute for Critical Infrastructure Technology (ICIT), a Washington, D.C.-based cybersecurity think tank. ICIT produces many publications annually, but the 28-page report on metadata is notable for its urgent tone and sharp criticism of governments and businesses globally.
Defending Against Cyberwar: How the Cybersecurity Elite Are Working to Prevent a Digital Apocalypse - TechRepublic
Locked Shields is run by NATO's Cooperative Cyber Defence Centre of Excellence (CCD COE) and bills itself as the largest and most complex international technical network defence exercise and involves 900 participants from 25 nations. This year there were 18 national teams, plus one team from NATO itself playing the game.
Late last week, news broke that the US Army had issued a memo asking units to discontinue the use of DJI drones while the military investigated potential cyber vulnerabilities. There wasn’t much detail on what the exact concerns were or where they stemmed from, but it turns out that another federal agency recently looked into the issue.
To be clear, there's no evidence any votes were hacked during the 2016 presidential election. But there hasn't been much research on the voting machines to see if it's possible. "The exposure of those devices to the people who do bug bounties or actually look at these kind of devices has been fairly limited," said Brian Knopf, an internet of things security researcher for Neustar, a security analysis company. "And so Defcon is a great opportunity for those of us who hack hardware and firmware to look to these kind of devices and really answer that question, 'Are they hackable?'"
The surge in far-flung and destructive cyber attacks is not good for national security, but for an increasing number of hackers and researchers, it is great for job security. The new reality is on display in Las Vegas this week at the annual Black Hat and Def Con security conferences, which now have a booming side business in recruiting. The non-profit Center for Cyber Safety and Education last month predicted a global shortage of 1.8 million skilled security workers in 2022. The group, which credentials security professionals, said that a third of hiring managers plan to boost their security teams by at least 15 percent.
WannaCry, Petya Ransomware Attacks Were ‘Non-events’ for DoD Systems - Federal News Radio
If one is looking for evidence that the Defense Department has gone some distance toward better managing and defending its famously decentralized collection of thousands of disparate IT networks, the aftermath of this past spring’s WannaCry and Petya ransomware attacks is a good place to start. Although they did severe damage to hundreds of thousands of global computers, the military services — like most civilian federal agencies — escaped both episodes essentially unscathed, officials say. But that’s not to say that IT leaders didn’t learn a thing or two about what they need to do to improve their response to cyber attacks in the future. Brig. Gen. Maria Barrett, the deputy director for operations at U.S. Cyber Command, said the quick defensive response that CYBERCOM and the rest of DoD was able to mount against the potentially crippling attack showed that the military has made major strides in governing and securing its networks at an enterprise level.
Drug and vaccine maker Merck & Co Inc (MRK.N) said it suffered a worldwide disruption of its operations when it was the victim of an international cyber attack in June, halting production of its drugs, which will hurt its profits for the rest of the year. The company said it does not yet understand the full magnitude of the impact as it is in the process of restoring manufacturing operations. It disclosed the attack last month, but did not disclose the manufacturing shutdown at the time. "Full recovery from the cyber-attack will take some time, but we are making steady progress," Chief Executive Ken Frazier said on a conference call as the company reported quarterly results.
Hacking A $1500 ‘Smart Gun’ With $15 Magnets - TheHackerNews
I think we should stop going crazy over the smart things unless it's secure enough to be called SMART—from a toaster, security cameras, and routers to the computers and cars—everything is hackable. But the worst part comes in when these techs just require some cheap and easily available kinds of stuff to get compromised. Want an example? It took just cheap magnets purchased from the Amazon online store for a security researcher to unlock a "smart" gun that only its owner can fire.
Researchers Find Phishing Site Encrypted With AES - Threat Post
"This technique uses AES encryption instead of B64 or simple XOR routines to write new content to the page at load time," said a Ring 0 Labs representative in an email to Threatpost. "Since this is a newer technique, it can be fairly effective at avoiding scanning services and crawlers that aim to detect these types of sites. But like anything, these services will surely catch on to this technique and adapt accordingly."
The attack works on any Docker installation which exposes its API through TCP, which has (until recently) been the default for Windows PCs running Docker for Windows, an application used by developers to create and test containerized applications. "The attack endgame is a persistent remote code execution within the enterprise’s network," Dulce said. "Persistence on the host computer is practically undetectable by existing security products from the host."
Marcus Hutchins, the researcher, was widely praised for identifying a way to disable the WannaCry malicious software, or malware, attack that seized hundreds of thousands of computers this year. Researchers credited Mr. Hutchins’s discovery of a so-called kill switch in the malware for stopping its spread and preventing the attack from infecting millions more computers. According to an indictment filed in federal court in Milwaukee that was unsealed on Thursday, Mr. Hutchins, 23, and an unidentified accomplice conspired to create and sell malware intended to steal login information and other financial data from online banking sites.
Though it seems small, the change from a 5-inch phone screen to an 8-inch tablet screen offers greater flexibility and an improved user experience. "DISA understands global senior leaders require highly secure mobile solutions/devices to be always on and always connected," said Leticia Parra, DMCC-S tablet pilot program manager. "The program is focused on listening to customer needs and providing them with larger viewing screens for real-time missions."
The House Homeland Security Committee will consider legislation this week that would reorganize and elevate the Department of Homeland Security’s cybersecurity branch. The draft bill, from committee Chairman Michael McCaul (R-Texas), would replace the National Protection and Programs Directorate (NPPD) at DHS with the Cybersecurity and Infrastructure Security Agency.
Veracity Industrial Networks said it has delivered on the first phase of its contract with the Department of Energy to provide SDN-based network infrastructure designed to help the U.S. industry, including power utilities, defend against cyberattacks. After several recent hacking events that many security analysts believe were instances of cyberwarfare, protecting utilities and other industries is certainly a timely issue.
Verizon, the major telecommunications provider, has suffered a data security breach with over 14 million US customers' personal details exposed on the Internet after NICE Systems, a third-party vendor, mistakenly left the sensitive users’ details open on a server.
Read the Latest CSIAC Journal – Design and Development Process for Assured Software – Volume 1 - CSIAC
This edition explores different aspects of developing, deploying and training on how to build assured software. Articles are contributed by software assurance practitioners from the DoD and civil government that are devoted to the advancement of secure development principles in U.S. government critical systems.
Cyber Security of Critical Infrastructure - Department of Homeland Security
CSIAC serves on the EO 13636/PPD-21 Research & Development (R&D) Working Group (WG) run by DHS S&T. If you would like further information, contact Dr. Paul Losiewicz at firstname.lastname@example.org
The Cyber COI engages in multiple activities and forums for coordinating cyber S&T strategies, sharing innovative ideas and technical approaches, promoting technology transfer and upcoming business opportunities, and in jointly planning programs across the Department of Defense and other government agencies. Membership is based upon approval by the Cyber COI group administrator.
DOD OSBP officials acknowledged that cybersecurity is an important and timely issue for small businesses, and therefore the office is considering incorporating cybersecurity into its existing outreach and education efforts. During the review, GAO identified 15 existing federal cybersecurity resources that DOD OSBP could disseminate to defense small businesses.
DHS S&T Collaboration Community - Ideascale
The National Conversation is intended to bring together everyone to play a role in shaping the future of homeland security technology. This means responders, operational users, citizens, academia, and industry.
The Department of Defense Cyber Strategy - Department of Defense
The purpose of this strategy is to guide the development of DoD's cyber forces and strengthen our cyber defense and cyber deterrence posture. It focuses on building cyber capabilities and organizations for DoD's three primary cyber missions.
The Information Sharing Environment (ISE) broadly refers to the people, projects, systems, and agencies that enable responsible information sharing for national security.
Standards & Reference Documents - CSIAC
View all Best Practices and Reference Documents on the CSIAC website.
DoD Cyber Domain Resources - Department of Defense
DHS Cyber Security Strategy (“Blueprint for a Secure Cyber Future”, 2011) - Department of Homeland Defense
DIB CS/IA Voluntary Information Sharing Program - DoD DIBNet
DoD's DIB CS/IA program is a voluntary program to enhance and supplement DIB participants' capabilities to safeguard DoD information that resides on, or transits, DIB unclassified information systems.
US-CERT Bulletins - Department of Homeland Security
Bulletins provide weekly summaries of new vulnerabilities. Patch information is provided when available.
US-CERT Alerts - Department of Homeland Security
Alerts provide timely information about current security issues, vulnerabilities, and exploits.
NVD is the U.S. government repository of standards based vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data enables automation of vulnerability management, security measurement, and compliance. NVD includes databases of security checklists, security related software flaws, misconfigurations, product names, and impact metrics.
Trustworthy CyberSpace: Strategic Plan For The Federal Cybersecurity Research and Development Program - NITRD
Committee on National Security Systems (CNSS) - Committee on National Security Systems
The CS Digest provides links to third party Websites. The CSIAC is not responsible for the availability of, and content provided on, third party Websites. You should refer to the policies posted by other Websites regarding their privacy and other topics before you use them. The CSIAC is not responsible for third party content accessible through the CSIAC CS Digest, including opinions, advice, statements, advertisements and endorsements, and you bear all risks associated with the use of such content.