Cybersecurity Includes More than the IT Department

Cybersecurity considerations for both government and industry have to include leadership, supply chains, mobility, and other components in order to be effective, according to experts who spoke at PCM-G’s Mission First event on July 27.

“I’ve watched, over the course of many decades, folks follow shiny objects. Today’s shiny object is called ‘cyber,’ ” said Edna Conway, chief security officer of Global Value Chain at Cisco Systems. “What I’m concerned about is that folks are thinking only about cyber in isolation of a comprehensive view of physical security, logical operational security, as well as security technology.”

“Every once in a while, lift your head up from your own operations and think about what’s going on outside,” said Brig. Gen. Steven J. Spano, president and chief operating officer of the Center for Internet Security and former director of communications at Headquarters Air Combat Command, Langley Air Force Base, Va.


According to Spano, many of today’s biggest cyber events are caused by a lack of basic cyber hygiene.

“About 75 to 80 percent of vulnerabilities could be mitigated, known vulnerabilities, through configuration patching,” said Spano.

He explained that in his experience with the Air Force, it was often difficult to convince leadership to invest in cybersecurity when physical security and resource issues seemed more pressing.

“In the past, I’ve always viewed the focus was always on tactical operations in cyber,” said Spano.

“It was the IT professionals trying to convince the operators and the senior leaders that cyber is a compelling threat. It’s just not wires and nodes and networks and geeky stuff,” he said. He explained that supply chain security, ensuring that purchased products come from trustworthy sources that focus on security, was one of the issues that fell by the wayside. “Supply chain gets very little attention at the senior levels because they’re focused much more on the tactical levels.”

Conway pointed to the fact that even small changes or deficiencies to the hardware of devices bought by organizations can have huge negative effects.

“You can’t defend your network if you don’t know what’s on your network,” said Lauren Burnell, CISO and engineering services manager for PCM-G and former U.S. Navy Cryptologic Warfare Officer.

Spano said that for him the basics for cyber hygiene were to keep count of all the devices on your network, configure them to work as they should within the network, control what is allowed on the network, patch vulnerabilities quickly, and repeat the process continually.
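The inventory, configuration and patch steps Spano lists are, in practice, a reconciliation loop: what is observed on the wire is compared against what is approved, and anything unknown or stale is flagged. The following is an added example, not code from the event or from CIS: a small C program that compares constructed observation lines (the kind a scanner or DHCP server exports) against a hypothetical asset inventory with a minimum patch level per host. The MAC addresses, host names, version numbers and line format are all assumptions made for the example.

```c
/* Added example, not from the article: the "count, configure, control,
 * patch, repeat" loop as a reconciliation check. An approved asset inventory
 * (MAC, name, minimum acceptable patch level) is compared against observed
 * hosts, as a scanner or DHCP server would report them. All addresses,
 * names and version numbers below are constructed. */
#include <stdio.h>
#include <string.h>

struct asset {
    const char *mac;      /* hardware address, lower-case, colon separated */
    const char *name;
    int min_version;      /* lowest patch level still accepted on this host */
};

/* Constructed inventory of what is supposed to be on the network. */
static const struct asset inventory[] = {
    { "aa:bb:cc:00:00:01", "fileserver-1", 12 },
    { "aa:bb:cc:00:00:02", "printer-3f",    7 },
    { "aa:bb:cc:00:00:03", "badge-reader",  3 },
};

/* Constructed observation lines: "<ip> <mac> <reported patch level>". */
const char *observed[] = {
    "10.0.1.10 aa:bb:cc:00:00:01 12",
    "10.0.1.11 aa:bb:cc:00:00:02 5",    /* inventoried, but below baseline */
    "10.0.1.12 aa:bb:cc:00:00:03 3",
    "10.0.1.99 de:ad:be:ef:00:01 1",    /* never inventoried: control failure */
};
const size_t observed_count = sizeof observed / sizeof observed[0];

enum host_state { HOST_BAD_LINE = -1, HOST_UNKNOWN = 0, HOST_OUTDATED = 1, HOST_OK = 2 };

struct report { int unknown, outdated, ok, bad_lines; };

static const struct asset *lookup(const char *mac)
{
    size_t i;
    for (i = 0; i < sizeof inventory / sizeof inventory[0]; i++)
        if (strcmp(inventory[i].mac, mac) == 0)
            return &inventory[i];
    return NULL;
}

/* Classify one observation line. Field widths in the format string bound
 * the copies, so an oversized or malformed line cannot overflow the buffers. */
enum host_state classify_line(const char *line)
{
    char ip[16], mac[18];
    int version;
    const struct asset *a;

    if (sscanf(line, "%15s %17s %d", ip, mac, &version) != 3)
        return HOST_BAD_LINE;
    a = lookup(mac);
    if (a == NULL)
        return HOST_UNKNOWN;           /* count: not in the inventory */
    if (version < a->min_version)
        return HOST_OUTDATED;          /* patch: known host, stale level */
    return HOST_OK;
}

/* Run the whole observation set and tally the findings. */
struct report audit(const char **lines, size_t n)
{
    struct report r = { 0, 0, 0, 0 };
    size_t i;
    for (i = 0; i < n; i++) {
        switch (classify_line(lines[i])) {
        case HOST_UNKNOWN:  r.unknown++;   break;
        case HOST_OUTDATED: r.outdated++;  break;
        case HOST_OK:       r.ok++;        break;
        default:            r.bad_lines++; break;
        }
    }
    return r;
}

int main(void)
{
    struct report r = audit(observed, observed_count);
    printf("unknown=%d outdated=%d ok=%d unparsable=%d\n",
           r.unknown, r.outdated, r.ok, r.bad_lines);
    return (r.unknown || r.outdated) ? 1 : 0;   /* non-zero: a hygiene gap was found */
}
```

The non-zero exit status is the "repeat" step: run on a schedule, the check fails loudly whenever a device appears that nobody approved or a known device slips below its patch baseline, which is the condition Burnell's remark about not knowing what is on the network is meant to prevent.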

According to Burnell, Federal agencies are also going to have to get a lot faster at onboarding new technology, particularly mobile devices, due to the millennial workforce moving into the government.

“While we as government really do have to start thinking about mobility strategically and for the masses in our mission, [the reason] we have to start thinking about that adoption now is because, honestly, the next generation of public sector workers are going to have certain expectations of the technology they’re going to need,” said Burnell.

Related:

Here’s how cyber service component mission sets differ from CYBERCOM

“If you look at, for example, the way the spectrum and network world are converging, if you look at the way the information dynamic is playing out, one of the questions that we are trying to come to grips with in the department…how are we going to bring electronic warfare, cyber and the information dynamic. It is all blurring in this digital world we live in. And how do we do this in an integrated way,” he told the committee. “Right now we’re not there yet, we’re still trying to figure out the right way forward.”

Related:

General Dynamics Adds New NSA-certified TACLANE-FLEX Type 1 Network Encryption Platform …

“We designed the TACLANE-FLEX to be scalable and customizable to meet the fluid demands of today’s missions,” said Mike Tweed-Kent, vice president and general manager of the Cyber and Electronic Warfare Systems line of business for General Dynamics Mission Systems. “TACLANE is the most widely deployed HAIPE encryptor in the world, and General Dynamics will continue to invest in and enhance this product family to ensure it addresses customers’ requirements today and supports the unforeseen needs of tomorrow.”

Built upon the market-leading TACLANE technology, the TACLANE-FLEX has the same form and fit as the TACLANE-Micro (KG-175D), allowing a simple swap-out for customers who need increased data rates and security features in a small form factor. The combination of its low size, weight and power (SWaP) and ruggedized design gives users the option to use the TACLANE-FLEX in tactical or strategic environments.

As bandwidth needs grow, and applications and environments change, TACLANE-FLEX offers a cost-effective approach that allows customers to tailor their security solution based on current needs and budget. The innovative design makes TACLANE-FLEX a delivery platform for future software-based capability upgrades, allowing it to scale to meet the dynamic needs customers will face in the years to come.

Customers are able to add functionality to TACLANE-FLEX through two optional software features, TACLANE Trusted Sensor Software and Agile Virtual Local Area Network (VLAN). TACLANE Trusted Sensor Software provides intrusion detection and prevention system capabilities that monitor network traffic, helping customers increase their knowledge of who and what is on their network. Agile VLAN allows users to simultaneously send and receive Layer 2 (Ethernet) and HAIPE traffic, helping to facilitate the flexible deployment of secure networks.

GEM™ One, an enterprise-level remote encryptor management solution expected to be available in mid-2017, enables users to configure and maintain a dispersed network of TACLANE encryptors, easing deployment and increasing network situational awareness. Inline network encryptors (INEs) such as TACLANE are used extensively in the commercial and government sectors to protect critical networks and infrastructures.

“The diverse mission requirements of our customers warrant flexible products and solutions that address critical needs and are easy to use and deploy,” said Paul Pittelli, NSA Chief, Information Assurance Capabilities. “The TACLANE-FLEX encryption platform enables customers to field a single device that allows for various levels of customization including its ability to support layer 2 communications while maintaining interoperability with currently deployed HAIPE devices.”

General Dynamics’ Customer Investment Protection Program encourages organizations protecting critical networks and infrastructure to maximize their investment and maintain their security posture by using General Dynamics’ trade-in programs. A trade-in program will be offered for the TACLANE-FLEX, allowing users of the current HAIPE INEs to take advantage of the new customizable encryption platform’s scalable speed and cybersecurity features. Call 888-897-3148 or email our team for additional information.

General Dynamics Mission Systems is a business unit of General Dynamics (NYSE: GD). For more information about General Dynamics Mission Systems, please visit gdmissionsystems.com and follow us on Twitter @GDMS.

View original content with multimedia:http://www.prnewswire.com/news-releases/general-dynamics-adds-new-nsa-certified-taclane-flex-type-1-network-encryption-platform-to-secure-product-portfolio-300495314.html

SOURCE General Dynamics Mission Systems


Related:

Coding standards — are they necessary?

To address the need for improved safety and security, consistency and to simplify future maintenance and testing, organizations must consider standardizing on a process for software development and a well-defined use of the software language. If this environment is not well defined, there are of course huge potential problems further down the line.

Let’s look at this issue in the C language, which defines operators, syntax, functions, and so on in an extremely flexible way. It is possible to write code that may work but is nearly incomprehensible to others and may contain complexities and hidden errors that wreak havoc under certain conditions. Other languages used in military embedded systems, C++ among them, can lead to similar unsupportable conditions when used indiscriminately. Coding standards provide a consistent, mutually understandable language and approach to software development that helps developers avoid ambiguities in the language definition and ensures that teams get coding done, and done right.

Having such a standards-based approach brings immediate benefits. A coding standard helps define a set of practices that can be understood and used across a team. By collaborating on a common set of coding constructs and practices, team members can easily communicate using the same approach and produce code that is more consistent, maintainable, and testable across the software development organization.

In the military and aerospace domain, there are now programs that must follow DO-178C, a software standard for developing safety-critical airborne applications. DO-178C requires companies to use coding standards to ensure that safety-critical applications are built on code that is safer and more secure by construction. Standards such as MISRA and CERT C/C++, together with the CWE catalog of weakness types that analysis tools check against, help keep flaws and security vulnerabilities out of the code in the first place. With a language such as C, where many variants have been defined, coding standards ensure consistent, maintainable practices that help reduce risk and support future reusability and testability.

Getting it right

Needless to say, any such set of coding standards will be quite detailed and require constant attention. Checking that the standards have actually been adhered to is potentially an even more daunting task, and one that can only be reliably achieved with automated tools. Replacing manual inspection, automated checking is done through static analysis of the source code and should be run throughout code construction. This only becomes practical (or bearable) when the tool is quick and easy to operate and shows developers exactly what they need to know about compliance.

Look for a static analysis tool that lets you select from established standards along with rules that have been adopted within the organization. This lets teams on the same project bring their results together on the basis of the same practices and standards they have been using. There are far fewer questions, conversations, and explanations spent trying to figure out what others are trying to do. While not exactly quantifiable, this means less time spent comprehending the code and communicating about it, which over the life of a project can add up to enormous savings.

Automated checking for compliance speeds the iterative development effort. With respect to security, coding standards solve one piece of the overall security puzzle. They do not address encryption, isolation, or quarantining, and they do not by themselves ensure that data is secured at rest and in transit, but they do help avoid the subtle coding errors that get exploited. A rule of that kind would have flagged the notorious Heartbleed bug, which came down to copying a client-supplied number of bytes without first checking that length against the size of the record actually received: a missing bounds check, and a risk that cannot be justified in a safety- or security-critical system. A tool set up for in-depth analysis can also collect internal information about the code and understand deeper topics such as true data coupling and control coupling, which are necessary for safety- and security-critical applications.

Dynamic testing goes beyond static analysis in that it involves actually compiling and running the code with inputs and looking for expected outputs. Dynamic unit and integration testing requires a set of test vectors and a test harness derived from a deep understanding of the code gained by the static analysis. The harness is a piece of software that surrounds the code under test and enables the presentation of test inputs and the extraction of the resulting outputs.
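The Heartbleed defect mentioned above, and the test harness just described, fit in one short example. What follows is added here and is not code from the article, from OpenSSL, or from any analysis tool vendor: a simplified heartbeat-style record handler in its Heartbleed-shaped form beside the corrected form, and a harness that feeds both a crafted record and inspects what comes back. The record layout ([type:1][payload_len:2, big-endian][payload]) is an assumption chosen to mirror the real message without reproducing the TLS framing, and the "arena" that stands in for adjacent process memory is constructed so the vulnerable handler's over-read stays inside memory the example owns.

```c
/* Added example, not from the article or from OpenSSL: a simplified
 * heartbeat-style record handler in its Heartbleed-shaped form and its
 * corrected form, plus the kind of harness the text describes. The record
 * layout [type:1][payload_len:2, big-endian][payload] is assumed; the
 * "arena" below stands in for process memory and is constructed. */
#include <stdio.h>
#include <stdint.h>
#include <string.h>

#define HDR_LEN 3

/* Vulnerable: echoes the number of bytes the *sender* claims, never checking
 * that claim against how many bytes were actually received. */
int heartbeat_vuln(const unsigned char *rec, size_t rec_len,
                   unsigned char *out, size_t out_cap)
{
    size_t claimed;
    (void)rec_len;                        /* the real length is ignored: the bug */
    if (rec == NULL)
        return -1;
    claimed = ((size_t)rec[1] << 8) | rec[2];
    if (claimed > out_cap)
        return -1;                        /* only the output side is bounded */
    memcpy(out, rec + HDR_LEN, claimed);  /* reads past the record when claimed > payload */
    return (int)claimed;
}

/* Fixed: the length field must fit inside the received record. This is the
 * check a CERT C style rule on validating untrusted length values demands. */
int heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                    unsigned char *out, size_t out_cap)
{
    size_t claimed;
    if (rec == NULL || rec_len < HDR_LEN)
        return -1;
    claimed = ((size_t)rec[1] << 8) | rec[2];
    if (claimed > rec_len - HDR_LEN)
        return -1;                        /* the missing bounds check */
    if (claimed > out_cap)
        return -1;
    memcpy(out, rec + HDR_LEN, claimed);
    return (int)claimed;
}

typedef int (*heartbeat_fn)(const unsigned char *, size_t, unsigned char *, size_t);

/* Simulated process memory (constructed): the 4-byte "ping" record sits at
 * the front, a secret sits right behind it, as adjacent heap data would. */
static unsigned char arena[64];
static const char secret[] = "SECRET-KEY";

static size_t build_record(uint16_t claimed_len)
{
    memset(arena, 0, sizeof arena);
    arena[0] = 1;                                  /* heartbeat request */
    arena[1] = (unsigned char)(claimed_len >> 8);
    arena[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(arena + HDR_LEN, "ping", 4);
    memcpy(arena + HDR_LEN + 4, secret, sizeof secret);
    return HDR_LEN + 4;                            /* bytes really on the wire */
}

/* Harness: feed a record whose header claims claimed_len bytes to one
 * handler. Returns 1 if the response carries the secret, 0 if it does not,
 * -1 if the handler rejected the record, -2 if the claim would not even fit
 * in the simulated memory (which keeps the vulnerable handler's over-read
 * inside the arena, so the test itself is safe to run). */
int harness_leaks(heartbeat_fn fn, uint16_t claimed_len)
{
    unsigned char out[64];
    size_t rec_len, i, slen = strlen(secret);
    int n;

    if (HDR_LEN + (size_t)claimed_len > sizeof arena)
        return -2;
    rec_len = build_record(claimed_len);
    n = fn(arena, rec_len, out, sizeof out);
    if (n < 0)
        return -1;
    for (i = 0; i + slen <= (size_t)n; i++)
        if (memcmp(out + i, secret, slen) == 0)
            return 1;
    return 0;
}

int main(void)
{
    printf("vulnerable, honest length 4 : leak=%d\n", harness_leaks(heartbeat_vuln, 4));
    printf("vulnerable, claimed 40      : leak=%d\n", harness_leaks(heartbeat_vuln, 40));
    printf("fixed, claimed 40           : leak=%d\n", harness_leaks(heartbeat_fixed, 40));
    printf("fixed, honest length 4      : leak=%d\n", harness_leaks(heartbeat_fixed, 4));
    return 0;
}
```

The two handlers differ by a single comparison, which is exactly why a static checker that insists untrusted length fields be validated before use is worth the setup cost. The harness is the dynamic side of the same story: the test vector (a record claiming 40 bytes when 4 were sent) is derived from knowing which input the code never checks, and the assertion is on the handler's return value and output, not on how it was written.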

Standards — foundational!

Think of coding standards as both a piece of the process and a foundation. Adopting a set of standards that a team understands, combined with robust tool support, leads to a smoother workflow and results in code that immediate and future teams can understand. Because it is comprehensible, areas that may need tweaking or modification can be easily identified, leading to easier maintenance. And, the in-depth analysis can enormously ease the burden of setting up and carrying out detailed testing to fully assure developers (or compliance organizations) of the solid functionality of their efforts.

So, yes, coding standards are necessary to form the foundation of solid software quality process. Development organizations that adhere to rigorous coding standards will create more consistent, maintainable, reusable, and testable code. Ultimately, this results in higher quality application software.

(Figure caption) Coding standards compliance is displayed inline with the file/function name to show which parts of the system do not comply with the standard. Bar charts compare violations across the MISRA standards to give a clear picture of conformance and to show the code changes needed to update or move to a different MISRA standard.

Related:

Oak Ridge licenses quantum encryption method


By Mark Rockwell, Jul 27, 2017

A Qubitekk prototype will incorporate ORNL’s single-photon source approach, thereby bringing the device closer to generating pairs of quantum light particles in a controlled, deterministic manner that is useful for quantum encryption. (Photo by Qubitekk)

Oak Ridge National Laboratory has licensed a method its researchers developed to keep encrypted machine-to-machine data from being intercepted.

San Diego-based quantum technology company Qubitekk has signed a non-exclusive license for the lab’s method of “down-conversion” of photons, which produces random, unpredictable pairs of the particles to confound the interception of data, the lab said in a July 25 statement.

“Current encryption techniques rely on complex mathematical algorithms to code information that is decipherable only to the recipient who knows the encryption key,” according to the statement. “Scientists, including a team at the Department of Energy’s ORNL, are leveraging the quantum properties of photons to enable novel cryptographic technologies that can better protect critical network infrastructures.”

According to lab officials, the technique harnesses quantum physics to expose, in real-time, the presence of bad actors who might be trying to intercept secret keys to encryption algorithms used by the energy sector.

Qubitekk President and CTO Duncan Earl said in the ORNL statement that his company plans to enhance its existing single-photon quantum information prototype by integrating the lab’s design. Earl is a former ORNL researcher who worked with the lab’s Cyber Warfare group and Quantum Information Sciences team.

The company’s work could lead to a tenfold increase in quantum encryption rates and the ability to maintain high data transmission speeds over longer distances, he added.

Earl said the firm plans to conduct field trials with its customers, which include California utility companies.

About the Author

Mark Rockwell is a staff writer at FCW.

Before joining FCW, Rockwell was Washington correspondent for Government Security News, where he covered all aspects of homeland security from IT to detection dogs and border security. Over the last 25 years in Washington as a reporter, editor and correspondent, he has covered an increasingly wide array of high-tech issues for publications like Communications Week, Internet Week, Fiber Optics News, tele.com magazine and Wireless Week.

Rockwell received a Jesse H. Neal Award for his work covering telecommunications issues, and is a graduate of James Madison University.

Contact him at mrockwell@fcw.com or follow him on Twitter at @MRockwell4.

Related:

Hegemony is a Three-Player Game


Three-player games are easy to model — it’s always two against one. The art of geopolitics and examining hegemony powers in such situations is to be part of a duo that pressures the remaining player, or, at a minimum, keep the other two players separated.

This is basic balance-of-power politics as practiced since the rise of Napoleon (1799), with antecedents in the Treaty of Westphalia (1648), and Machiavelli’s The Prince (1532).

The case for normalizing relations between Russia and the U.S. rests on the coming confrontation between the U.S. and China. This confrontation stems from China’s refusal to help the U.S. deal decisively with North Korea, which is pushing the U.S. toward a pre-emptive war on the Korean peninsula.

Other flashpoints with China include conflicting claims in the South China Sea, currency manipulation, trade subsidies, theft of intellectual property, and cyber-warfare.

These conflicts were held in abeyance while China was given “100 days” (from the Mar-a-Lago summit on April 6, 2017 to July 15, 2017) to help with North Korea. Now that the 100 days are up and China has failed to deliver, the gloves are off. The months ahead will witness increasing tension and specific actions by the U.S. aimed at China.

To secure the U.S. position in this conflict and as a simple matter of statecraft, the U.S. needs improved relations with Russia as an offset to deteriorating relations with China.

Russia can assist the U.S. in numerous ways. First and foremost is Syria. Russia and the U.S., along with indigenous forces from Iraq, Jordan and the UAE, are well down the path of eliminating ISIS as a political entity. (ISIS will remain as a terrorist incubator along with Al Qaeda franchises and their respective sympathizers.)

A modus vivendi can be reached where Russia and their Ba’athist allies, U.S.-backed rebels, Kurds, and Turkey all have separate spheres of influence in Syria. The loser in this scenario is Iran, which has been a leading backer of Syrian dictator Bashar al-Assad.

Russia can also help the United States on the North Korean dossier even though China has proved unable or unwilling to do so. Russia has enormous economic leverage in North Korea. Private intelligence service STRATFOR reported the following on July 11, 2017:

Russia shipped $2.3 million worth of oil products to North Korea between January and April 2017, a 200 percent increase, Yonhap and Korea Times reported July 11. Last year, North Korea reportedly turned to Russia after experiencing difficulty securing oil supplies from China. A North Korean defector suggested Russia supplies North Korea with 200,000 to 300,000 tons of fuel annually via a company in Singapore. North Korea’s increased dependence on Russian fuel indicates its anticipation of tougher international sanctions following its recent intercontinental ballistic missile launch on July 4.

By stepping into China’s shoes as a supplier to North Korea, Russia has increased its leverage over North Korea and therefore has increased its ability to assist the United States. This type of leverage is one of the few paths to a resolution of the North Korean nuclear issue without resorting to war. It is of enormous value to the U.S. and argues in favor of improved U.S.-Russian relations.

The foregoing is an overview of the greatest political struggle in the world today. The nationalists and realists want to improve U.S. relations with Russia. The globalists are horrified at the prospect and want to maintain warm relations with China while isolating Russia.

Hegemony and Geopolitical Struggle

The White House has already decided in favor of Russia. The problem is how to execute that plan in the face of withering attacks about phony scandals from the media, Democrats, resistance and globalists.

The standard globalist attack on Putin says he is an autocrat at best, a dictator at worst, who murders some political enemies, jails others, and suppresses dissent in Russia. This is all true.

The rebuttal is that China is worse. President Xi is an actual dictator, not a presumed one. He presides over a top-down Communist dictatorship. China slaughtered thousands of innocent protestors in the Tiananmen Square demonstrations in 1989 and has refused to allow any acknowledgement of it ever since.

The Chinese dissident, Liu Xiaobo, won the Nobel Peace Prize in 2010 for his efforts to advance the cause of human rights and political freedom in China. He died while in custody on July 13, 2017 after decades in prison and political reeducation camps. Xi’s political enemies, such as former Chongqing party chief Bo Xilai, have been arrested and subjected to torture and imprisonment.

In short, human rights and respect for political dissent leaves no basis for choosing between Russia and China. Both Putin and Xi are thuggish, with Putin being subject to slightly more pluralistic constraints, while Xi basks in the glow of globalist approval.

The choice between them boils down to power politics, not who wins a globalist beauty contest. Trump is tilting toward Russia for good reasons of realpolitik.

As evidence for this tilt, following the July 7 meeting between Trump and Putin at the G20 summit in Hamburg, Germany, Trump said:

People said, ‘Oh they shouldn’t get along.’ Well, who are the people that are saying that? I think we get along very, very well. We are a tremendously powerful nuclear power, and so are they. It doesn’t make sense not to have some kind of a relationship.

The bottom line is that relations with Russia will improve materially while relations with China will deteriorate materially in the months and years ahead.

This has huge implications for capital markets and your portfolio.

It is up to the United States to defend its monetary ground. However, the likelihood of that is low because the U.S. does not even perceive the problem it’s facing, let alone the solution.

This evolving state of affairs creates enormous opportunities for investors in the coming months ahead.

Regards,

Jim Rickards

for The Daily Reckoning

Related:

Here’s how to become an ethical hacker

For a deep dive into professional cyber security, check out the Super-Sized Ethical Hacking Bundle, featuring 9 courses and over 75 hours of hands-on training. It normally costs over $1,000, but you can get it at GDGT deals today for just $43.

Here’s what you’ll get in these nine courses:

Bug Bounty: Web Hacking: Because of their huge volume of valuable user data, high-traffic web apps like Gmail, and Facebook are immensely attractive hacking targets. To ensure their defenses stay strong, big services like these often rely on independent security bug bounty hunters to search for holes. You can learn how to get paid to search for app vulnerabilities with the Bug Bounty: Web Hacking course.

CompTIA Security+ Exam Preparation: The CompTIA Security+ is a globally recognized exam for professional certification. It’s a way to show potential employers that you know how to keep IT systems safe, and that you have expert knowledge in a wide range of information security strategies for protecting networks and applications. This prep course will help you pass this important exam the first time.

Ethical Hacking Using Kali Linux From A to Z: Having the right tools for the job is critical, especially in the field of cyber security. Kali Linux is an operating system that’s purpose-built for penetration testing, and you can get up to speed with its hacking and information-gathering powers in just a few sittings with Ethical Hacking Using Kali Linux From A to Z.

Ethical Hacking From Scratch to Advanced Techniques: This course offers a broad survey of information security skills and topics. You’ll learn the ways in which attackers gain access to systems by actually doing the password cracking and buffer overflowing yourself. To pick up some hands-on, professionally relevant hacking skills, check out the Ethical Hacking From Scratch to Advanced Techniques course.

Learn Social Engineering From Scratch: Unfortunately, even the strongest encryption can’t protect against a well-crafted deception. You can learn how to create and defend against backdoors, convincing fake login pages, and credential-stealing keyloggers in Learn Social Engineering From Scratch.

Learn Website Hacking and Penetration Testing From Scratch: Compromising a website is often a matter of finding out something about your target that points to an unpatched vulnerability. In the Learn Website Hacking and Penetration Testing From Scratch course, you’ll practice gathering information from DNS, exploiting holes, and elevating your privileges.

Hands on, Interactive Penetration Testing & Ethical Hacking: Get a step-by-step guide to performing an actual penetration test with this interactive course. You’ll use the Metasploit framework to break into systems and elevate privileges without being seen by antivirus or other pentesters.

Complete WiFi and Network Ethical Hacking Course 2017: Wireless networks are immensely convenient, but they aren’t always the safest option for moving private data. To understand why that is, the Complete WiFi and Network Ethical Hacking Course offers a condensed guide to effectively bypassing WiFi security measures.

Cyber Security Volume I: Hackers Exposed: The rise in high-profile digital attacks and government surveillance has compounded the value of information security. In Cyber Security Volume I: Hackers Exposed, you’ll study the tools of cyber warfare used in major hacks, explore the dark net, and learn how to protect yourself online.

All of the courses included in the Super-Sized Ethical Hacking Bundle normally cost over $1000 when bought separately, but you can get all of them for just $43.

Engadget is teaming up with StackCommerce to bring you deals on the latest gadgets, tech toys, apps, and tutorials. This post does not constitute editorial endorsement, and we earn a portion of all sales. If you have any questions about the products you see here or previous purchases, please contact StackCommerce support here.
