MeriTalk - Where America Talks Government
Steve O'Keeffe


Posted: 10/24/2012

 

Safe Vote?

Just seven days until the big event - no, not the election, the Symantec Government Symposium. As we quake at the prospect of the fiscal cliff, it’s good to know that Feds can get smart on cyber security for free, taking the weight off strained training budgets. That’s certainly doing more with less - and it’s in D.C., so that removes travel cost for most.
 
Symposium is Cyber Central. More than 1,000 government IT pros will converge on the D.C. Convention Center. Symposium boasts 34 government speakers - from every cabinet-level agency, DoD and civil. And, that includes a keynote from General Alexander - curious to hear about the offensive game plan.
Security and More
So, yes, this is the mac daddy of Fed cyber security conferences, but it’s much more. There are sessions on cloud, data centers, mobility, and international issues.
 
Cyber Command
Chairman of the Joint Chiefs of Cyber Security, General Alexander will provide the word from the frontier.
 
Over the Hill
Hill speakers will fill us in on legislation - what’s the path for the embattled cyber legislation?
 
Ted Koppel
Okay, we can’t completely ignore the Presidential party. Ted’ll tell us what happened and why - that’s some Monday morning quarterback. Insight and entertainment guaranteed.
 
Cyber Coalition
Hosted by Symantec, General Dynamics, HP, and NetApp - and many more industry giants - Symposium is public-private partnership in action. Get your fill of the latest and greatest tools and solutions.
 
Register to Vote Today
Obama and Romney both welcome. But space is limited - register today. Symposium - it’s the only safe bet in early November.
 
Let's have a Cup of IT at Symposium – I look forward to shaking your hand.

Opt in today to keep stirring IT up.

Posted: 10/17/2012

Shaken Not Stirred

It’s ELC time again. And yes, I plan to go - despite the ELC RIP post. So there’ll be fewer govies - more elbow room at the bar…
 
ELC is all about meeting and greeting - building relationships. Am I the only one that’s increasingly confused about how to say hello? Rock, paper, scissors - comfort of the handshake is being stirred up by new informalities. Are men and women supposed to hug? If so, when? Do we transition to the hug hello after six months or six years? What if you go for the hug and they go for the shake? How do you recover? What if it’s vice versa? You lead with the hand and see the hug coming - do you make a grab for the hand or kiss the cheek? Are you actually supposed to kiss the cheek - or will cheek-to-cheek action cut the mustard? Is flu season a good enough excuse to bow?
 
A Fair Shake?
And let’s just focus on the dude-to-dude connection for a minute. The shake comes in all shapes and sizes. The Buzzer. The Fish. The Sweaty McSweaterson. Heaven forbid, the Mason. Pick your weapon - it speaks volumes about you...
 
Aloha Allsorts
But why stop there? If any shake’s fair game - and hugs and kisses are on the table - why not get creative? At ELC, I’m on the lookout for the courtesy, the salute, the bro-hug, the chest bump, the pound and explode, as well as the double gun. Heck, if we’re getting less formal, what about the butterfly kiss? Why not throw in the nanu nanu for good measure?
 
But, let’s start with the handshake please - live long and prosper.
 
Face for Radio…
If reading the cup’s not enough for you - now we’re pouring it in your ear on the radio. Tune in to CBS Biz.Gov 1580 on the AM dial Mondays at 8 a.m. to get it while it’s hot - http://cbsloc.al/RUjbWl. Or if you prefer iced tea, you can access the archives here - http://bit.ly/TcVX2v. Yes, I’m joining Rush Limbaugh - but hoping to skip the OxyContin addiction…

 


Posted: 10/10/2012

 

Knock, Knock – Who’s There?
 
Is Uncle Sam suffering from a false sense of security? We spend one in four precious cyber security dollars on FISMA paperwork – well over $1 billion each year. GAO says HSPD-12 has given us expensive keys with no locks. TIC’s fighting with Cloud First. The iPad’s a moving target. What’s next for the embattled CISO?
  
APT SOS
 

And, if that wasn’t enough alphabet soup, here’s a new TLA for you – welcome to the Advanced Persistent Threats, or APTs to his friends. APTs aren’t things, they’re sophisticated actors – typically hostile foreign governments – with the cyber smarts and resources to target specific entities. No script kiddies here. They’re focused on getting into our networks and siphoning off sensitive data. And, they use infected media, supply chain compromise, and social engineering to get in.

Gone Phishing

Think of APTs as very malicious knock-knock jokes – and hackers are focused on getting the last laugh. APTs typically launch their attacks via email – phishing, but not your standard “Nigerian Prince Kidnapping” scam. What Fed exec would fall for that malarkey?

No, APTs often hunt their quarry by spear phishing. Think phishing meets social engineering. Far from sending out blanket spam email, hackers identify high-impact, well-placed individuals within agencies – people with privileged security access. Then, they do their homework. Who do you know? What type of email would catch your attention? When the knock-knock comes in your email, you’ll know the sender of the message – or think that you do.

You’ve Got Mail

You receive an email from your colleague Dave. It flags a new expense approval process and includes an attachment. You know Dave, you care about your expenses, you click on the attachment. The hacker’s in. Now they have a foothold in the network. Some are coy – they stay quiet for a while. But soon enough, they start to siphon off data and passwords, and connect to other networks from the inside.

Pedicure Anyone?

Depending on how deep into the APT you want to go, you could ask: how valuable are your users’ web browsing histories and habits? If they’re valuable enough for the USDA (http://www.dm.usda.gov/privacy/), why wouldn’t a foreign state embed malicious code into a website that your execs are likely to visit, or already do? Still think we shouldn’t secure the networked printers? A quick look at the logs of the URLs being printed by users can reveal a lot – pedicure anyone?


Chumming the Water


Then again, what about browser-based email access still using only username and password? We hear a lot about enabling two-factor login – 2FA – for logical access, but why phish one email at a time when you can chum with a free-to-download password-cracking utility? Maybe the threatening “U.S. Government” warning banner will make our capable adversaries think twice…?

No Laughing Matter

The net takeaway here – phishing’s not just for scammers. It’s really grown up. And, the biggest threats to Federal security may come from the people you know and trust – or appear to…

The world’s a hostile place. Cyber’s the new frontier. We need to unfetter Uncle Sam’s cyber defenders to prioritize threats and put first things first. If we spend too much on compliance, the last laugh will be on America.

We need to refocus on APTs and a new class of phishing – it’s no joke.


Posted: 10/1/2012

Cloud Conflict?

The fox and the hen house. As the deadlines for response to the GSA and DISA Cloud Broker RFIs came and went this fall, I had to wonder which questions would be made public - and what answers would be forthcoming. Are these public opportunities for input real - or merely a mollifying maneuver?
 
Well, here are a few questions that will definitely make it into the court of public opinion.
 
Why are GSA and DISA giving up their natural role as stewards of the public purse?
 
Why do we need intermediaries to “broker” cloud solutions for agencies?
 
Why can’t agencies buy services directly from industry - or through GSA schedules or DISA service catalogues - as they’ve always done?
 
What makes cloud different – isn’t buying cloud supposed to be the same as buying dial tone?
 
Why do agencies need to go through an industry broker to get to Google or Amazon or whosoever?
 
What’s the value add - and how much more will the additional layer cost Uncle Sam?
 
Is GSA so beaten from its contracting gaffes on Alliance and the like - and so embarrassed by Vegas ventures - that it’s ready to give up its reason for being?
 
And if so, what’s the future for GSA and DISA in a cloud world - does Uncle Sam need them?
 
And, last but not least - the fox and the hen house. Does it make sense for industry brokers to do the IV&V work and offer the solution?
 
Smart shops like SAIC are splitting in two to avoid OCI. Cat among the pigeons. Tin open, worms everywhere…
