CYBERSECURITY: How DHS Hacks Agency Networks to Make Them Stronger, More Resilient. The Homeland Security Department’s National Cybersecurity Assessments and Technical Services team (NCATS), in the National Cybersecurity and Communications Integration Center (NCCIC), has been building up its technical capabilities over the last seven-plus years to provide a service to civilian agencies like none before. Rob Karas, the director of the NCATS team, said his organization has 615 federal, local and state government, and private-sector customers who receive reports on critical, high, medium and low vulnerabilities and how to close them from the 38 million scans of internet addresses the office does daily. Read more
FEDS: State Department Faces Mounting Cyber Threats. A new directorate in the State Department’s law enforcement branch is working to combat cyber threats to the nation’s diplomats, in what officials describe as an increasingly perilous and dynamic threat landscape of criminal and state-sponsored hackers. The Cyber and Technology Security (CTS) directorate was quietly launched in late May, just as Secretary of State Rex Tillerson came under scrutiny for a nascent plan to shutter a separate office charged with engaging other nations on cybersecurity policy. The directorate carries out traditional cybersecurity functions, such as cyber incident response and penetration testing of networks to guard department systems, personnel, and information from ransomware, cyber crime and other hacking threats. Read more
HOW: The New Science of Vulnerability Management Can Help Struggling Federal Networks. Computers and networking aren’t getting any simpler. Every time a new application, technology, client, server, cloud, device or almost anything else is added to a network, the number of potential vulnerabilities that an adversary could use to successfully attack it grows. And most of the time, each additional item brings with it multiple vulnerabilities, so the attack footprint grows much faster than the network. Even older devices and programs can hide previously unknown vulnerabilities, which means no part of a network is truly safe ground in terms of cybersecurity. When networks were smaller, IT teams simply tried to find and fix vulnerabilities as soon as possible, generally performing that task chronologically as problems were discovered. This gave rise to vulnerability and penetration testing to unmask as many vulnerabilities as possible, with the goal of fixing problems before an attacker could exploit them. The problem today—especially in federal IT, where manpower shortages are a big issue—is not finding the vulnerabilities; it’s figuring out when to fix them all. Read more.
INSURANCE: NAIC Adopts Model Law on Cybersecurity…Will States Adopt It? On Oct. 24, the National Association of Insurance Commissioners (NAIC) formally approved the Insurance Data Security Model Law (model law). The NAIC is a standard-setting and regulatory support organization consisting of the top insurance regulators from the 50 states, the District of Columbia, and five U.S. territories. The model law applies to “licensees,” which are defined as persons and nongovernmental business entities subject to the insurance laws of the state adopting the model law. In Pennsylvania, for example, this would encompass insurance companies and insurance producers (i.e., agents, agencies and brokers). Notably, this applies to nonresident licensees except for purchasing groups, risk retention groups or when acting as assuming insurer. For example, a broker resident in a state that has not adopted the model law is potentially subject to the model law if they are also licensed in another state that has adopted it. Thus, it will be important to track which states enact the model law and also how uniformly the model law is enacted from state to state. Find out more
IT SECURITY SUPPORT: Blue Mountain Data Systems is actively involved in implementing FISMA and NIST standards with Federal Civilian Agencies. Due to our extensive experience in this area, Blue Mountain has developed processes and organizational techniques to help ensure security deliverables are completed on time, and performed in the most efficient manner possible. We ensure that NIST-800-53 control requirements are treated consistently during definition, analysis, implementation, auditing, and reporting phases of a system. Find out more about Blue Mountain Data Systems IT Security Support Services. Call us at 703-502-3416.
NOW ON SLIDESHARE: Tech Update Summary from Blue Mountain Data Systems November 2017 https://www.slideshare.net/BMDS3416/tech-update-summary-from-blue-mountain-data-systems-november-2017.
BLUE MOUNTAIN DATA SYSTEMS HAS THE EXPERIENCE: 1994 to Present – U.S. Dept. of Labor, Employee Benefits Security Administration. Responsible to the Office of Technology and Information Systems for information systems architecture, planning, applications development, networking, administration and IT security, supporting the enforcement of Title I of the Employee Retirement Income Security Act — ERISA. Within the EBSA, Blue Mountain is responsible for design, development and support for its various enforcement database management systems, as well as all case tracking and customer service inquiry systems. Blue Mountain also provides IT security services to the EBSA, in the form of FISMA Assessment and Authorization, System Security Plans, risk and vulnerability assessments, and monitoring and investigation support. Read more.