information security

More than 300 federal IT jobs up for grabs

Judi Hasson — Wed, 19 Nov 2008 11:15:10 -0500

President-elect Barack Obama proposed a major IT agenda during his campaign, and this will require many new skilled federal hires, as well as new technology projects and investments. The Plum Book, which lists presidential appointments within the federal government, includes more than 300 technology positions. Topping the list are 21 chief information officers, four chief technology officer positions and four positions dealing with information security.

The Defense Department listed the most available technology jobs, with nearly 50 openings. Down the road, federal job prospects for IT professionals may be even greater as a large number of Baby Boomer federal workers reach retirement age and leave the government.

For more tips on the job hut:
- check out this nextgov.com article

Next president must deal with information security

Judi Hasson — Fri, 17 Oct 2008 16:38:38 -0400

The next president and the new Congress will have a lot on their plate, including an obligation to move forward on a strategic plan for IT and information security, according to Jon Oltsik, a senior analyst at the Enterprise Strategy Group, in an article for CNET.com. He says the government is treading water on a number of highly-visible, strategic initiatives like the underfunded Comprehensive National Cyber Security Initiative, which is intended to standardize information security practices and oversee critical information security infrastructure across all federal agencies.

Also on Oltsik's list of problems is the implementation of the 2002 Federal Information Security Management Act, which was supposed to provide guidelines and requirements for federal agencies. Many agencies have apparently failed to comply with the law. Finally, there is the failure of Congress to pass a strong national information privacy act and to standardize identity technologies for federal workers and contractors.

Oltsik said the federal government faces "increasingly dangerous information security threats'' that cannot be ignored. Regardless of who becomes our next president, Oltsik said, he will "judge progress in Washington by the government's ability to pass and fund legislation, meet regulatory compliance mandates, improve information security, and strive for constant improvement.''

For more on challenges for the next president:
- check out this CNET.com article

Related Article:
Government, private IT address cyber threats

Warning: Spam posing as CNN.com infects millions of PCs

Judi Hasson — Sun, 10 Aug 2008 14:52:58 -0400

There has been a major ongoing spam attack that has tricked users into clicking a fake message from a CNN.com Top 10 list. MX Logic, a Colorado security vendor, said the Top 10 list peaked at close to 11 million messages per hour one day last week, and has shown no signs of subsiding.

In fact, Sam Masiello, MX Logic's vice president of information security, told Computerworld that the attacks have morphed to include subject headings such "CNN Alerts: My Custom Alert" and have used a variety of file names in the malicious URL. Users who click on the links and download a bogus Flash update have been trapped in an endless loop of pop-ups. The only options for users then has been shut down their browser or and install malware.

For more on this threat:
- see this Computerworld.com article

Microsoft to share more security information

Judi Hasson — Wed, 06 Aug 2008 22:14:24 -0400

Facing countless and unending security issues, Microsoft this week announced a new initiative to help IT administrators evaluate vulnerabilities in the company's software and to share that information with other security vendors.

The Microsoft Exploitability Index, as it is known, is aimed at helping business professionals prioritize patching. But Informationweek.com notes that it is really an attempt to deal with an unfortunate problem: "Microsoft issues a Security Bulletin and cybercriminals answer with code designed to exploit the newly disclosed vulnerabilities.''

Under the new plan starting in October, Microsoft will rate the likelihood that vulnerabilities will be exploited based on three designations: Consistent Exploit Code Likely, Inconsistent Exploit Code Likely, and Functioning Exploit Code Unlikely. Whether this will help remains to be seen. Some experts said it all depends on the accuracy of the information provided by Microsoft.

For more on Microsoft:
- see this informationweek.com article

Gartner: Seven cloud-commuting security risks

Judi Hasson — Sat, 05 Jul 2008 23:20:34 -0400

Cloud computing may be the wave of the future, but one cannot ignore dangers involving data integrity, recovery, privacy and regulatory compliance. Gartner, in a new report entitled, "Assessing the Security Risks of Cloud Computing," cautions that users of cloud computing must ask tough questions and consider getting a security assessment from a neutral third party before committing to a cloud vendor.

Gartner says customers should avoid vendors that do not provide detailed information on security programs or make available the qualifications of policy makers, architects, coders and operators. The Gartner report also outlined seven specific security issues that should always be be raised with the cloud vendor. They include: knowing whether there is privileged user access to sensitive data and what kinds of controls are in place; whether the cloud computing provider undertakes external audits and security certifications; knowing where your data is hosted; and confirming that they will make a contractual commitment to obey local privacy requirements on behalf of their customers.

For more advice:
- See this networkworld.com article

More tech stories from the FierceCIO network:

> Hackers hijack Internet organizations. Article
> Microsoft stops offering boxed Window XP. Article
> New hands-free cell phone law takes effect in California. Article

Watch out for your IT security scorecard

Thu, 06 Mar 2008 06:59:58 -0500

A quarterly review of a company's information security is essential for top IT personnel trying to ensure their systems are airtight. While it's important for the IT department not to get lost in trivial details, it's key to recognize the company's vulnerability. And that means sharing the results of the information security scorecard with the IT team and moving quickly to seal any security holes. For most CIOs, it's essential to know about viruses and a system's susceptibility to an attack.

For more on the importance of the scorecard:
- see this ComputerWorld article

Bluetooth security still a challenge

Mon, 24 Sep 2007 06:59:58 -0400

Bluetooth offers a tremendous opportunity for mobile users, but Ooi Szu-Khiam, senior security consultant at Symantec, says that security is still a big issue. Indeed, research firm InsightExpress revealed that 73 percent of mobile device users are not aware of security issues that could put mobile devices such as cell phones and Bluetooth-equipped notebooks at risk. "There are many other methods that (launch) a variety of denial-of-service attacks, and even some that could allow an attack to eavesdrop on private conversations," Szu-Khiam told Cnet. He also noted that "numerous instances of mobile viruses, worms and Trojan horses" have occurred in the last year. Some of the terms used to describe these security vulnerabilities: bluejacking, bluespamming and bluebugging.

For more information on Bluetooth security:
- see the article in Cnet

CIOs and CSOs: Why can't they get along?

Mon, 17 Sep 2007 06:59:59 -0400

CIOs and CSOs don't always see eye to eye. That, at least, was the message last week in Chicago at The Security Standard conference. Geir Ramleth, senior vice president and CIO at Bechtel and Andy Ellis, senior director of information security and chief security architect with Akamai, took the stage to discuss priorities of the two disciplines: as it turns out, they do not always match up. Ellis contends that CIOs should be more forthcoming with their technology plans and should consult CSOs in advance. Security professionals shouldn't be put in the position of always having to retrofit security, he said. Meanwhile, Ramleth said that security professionals are not always open to suggestions from IT. "Security people have this phrase, 'yes, but…'" he said, explaining that the phrase generally translates as: "I agree with you, but I don't agree with you, and therefore I'm going to mess you up," he said. Fixing the problem has a lot to do with communication, both execs agree. Having more information about the business drivers behind technology decisions would help CSOs understand strategic priorities.

For more information:
- see the article in NetworkWorld

SaaS-based security gets some buzz

Thu, 23 Aug 2007 06:59:58 -0400

Executives are learning that security technologies delivered via the SaaS (software-as-a-service) business model are proving to be a big success. Imperial Chemical Industries--a London-based maker of paints and chemicals, which is in the process of being acquired by industrial conglomerate Akzo Nobel for $16 billion--is engaged In a focused effort to secure its assets and data. The company is using SaaS applications--like vulnerability scanning tools, email and spam filtering and Web filtering. "We're pushing the envelope in terms of what's out there with security SaaS, but so far, it's been a fantastic success," Paul Simmonds, global information security director at ICI, told Infoworld. Still, he says that not all security applications should be offered using a SaaS model, including security tools like NAC systems and endpoint-oriented products.

For more on delivering security tech through SaaS:
- read the article in Infoworld

Department of Homeland Security CIO comes under fire

Wed, 20 Jun 2007 20:01:39 -0400

Department of Homeland Security, CIO Scott Charbo, has not been setting a good example and hasn't shown he's serious about fixing his departments vulnerabilities. That, at least, is the position of Bennie Thompson (D-Miss.), chairman of the House of Representatives Homeland Security Committee, who says the agency has experienced a continuous flow of cybersecurity flaws under the CIO's tenure. "How can we ask the private sector to better train employees and implement more consistent access controls when DHS allows employees to send classified emails over unclassified networks and contractors to attach unapproved laptops to the network?" He was referring to the Homeland Security department's revelation, as part of an ongoing subcommittee probe into its information security practices, that it experienced 844 security-related "incidents" on its computer systems in 2005 and 2006. Charbo, downplayed the list and said that line items didn't indicate actual penetrations of the system and that they varied widely in the level of severity.

For all the coverage on Capitol Hill:
- read this CNET article