Archive for the Homeland Security Category

FBI Citizens’ Academy

I just completed the five-week FBI Citizens’ Academy. We met once a week in the evening for 3 hours at the FBI offices (mine was in Salt Lake City) and on one Saturday at the firing range (mine was with the Salt Lake County). The best training experience I have ever had.

The curriculum consists of

  • Practical problems involving evidence collection and preservation.
  • FBI jurisdiction and congressional oversight.
  • Structure and operation of FBI field offices and satellite agencies.
  • Fingerprint, forensic, technology, training, and other services.
  • Policies and issues: ethics, discipline, communications, drug enforcement, civil rights, and future criminal trends.
  • Firearms training.

The Special Agent in Charge (SAC) and the Assistant Special Agent in Charge (ASAC) lead the training; the actual Special Agents are the instructors. We covered white collar crime, violent crime, cyber crime, counterintelligence, domestic terrorism, undercover ops, victims, investigations, technology & tools, and careers. We got to enter and see the gun vault (including a 1929 Thompson submachine gun) and play in the Firearms Training System (FATS simulator).

On Saturday, we saw a sniper demo. We were told roughly where he was concealed; he made 4 precise shots from 100 yards. None of us could spot him until he stood up. We saw an explosive demo; amazing what a little C4 can do. We shot four FBI guns – two handguns and two semi/full automatic guns. We even got to shoot the .45 Tommy gun. We participated in a SWAT team hostage training session (we were the hostages).

There is no doubt that the men and women we met — Special Agents and support staff — are second to none. They are very professional and personable. They are dedicated to their jobs. I was more than impressed.

If you are interested in law enforcement, information security, investigations, forensics, or homeland security, this is a must. It was a great experience for all of us. I want to thank those that participated in the 12th Citizens’ Academy in the Utah Division. I wish them the best, including the SAC who is transferring to the SE USA.

Cyber Security: Home and Business Guidelines

The U.S. Department of Homeland Security, as part of its National Cyber Security Awareness Month, has created a list of fourteen things home users can do to bolster cyber security.

  1. Use a suite of automatically updating security tools that includes anti-Spyware, firewall and anti-virus software.
  2. Be sure your operating system and Web browser are set to automatically update.
  3. Use long, complex passwords for both your computer and your wireless network that include numbers, symbols and letters, and change them every 90 days.
  4. Maintain vigilance online and be skeptical about giving up personal information.
  5. Turn off your computer when you are not using it.
  6. Employ the same online safety behaviors when “surfing” on a mobile device.
  7. Be on the lookout for signs of an infected computer including slower processing times, unwanted pop-up ads and increased spam.
  8. Talk to your kids about good online safety and security habits, including protecting their personal information and their reputation.
  9. Know what sites your children are visiting online, and check their social networking regularly.
  10. Regularly back up your files either online or to an external hard drive (and store in a secure location).
  11. Post cyber security tips on your favorite community Listserv.
  12. Go to your favorite search engine and search by your name and other family members to see what is on the web about you.
  13. Make sure your children know that they can come to you if something online makes them uncomfortable, including what others are posting about them, unwanted contacts, and questions they have about staying safe online.
  14. Learn more at www.staysafeonline.org.

Good list? Yes.

What about business? The best checklist I have found for good cyber security for the average business is from the Payment Card Industry within its Data Security Standard:

  1. Install and maintain a firewall configuration to protect cardholder data.
  2. Do not use vendor-supplied defaults for system passwords and other security parameters.
  3. Protect stored cardholder data.
  4. Encrypt transmission of cardholder data across open, public networks.
  5. Use and regularly update anti-virus software.
  6. Develop and maintain secure systems and applications.
  7. Restrict access to cardholder data by business need-to-know.
  8. Assign a unique ID to each person with computer access.
  9. Restrict physical access to cardholder data.
  10. Track and monitor all access to network resources and cardholder data.
  11. Regularly test security systems and processes.
  12. Maintain a policy that addresses information security.

Simple? No. But it is a great list to build a security plan upon.

National Cyber Security Awareness Month

October is National Cyber Security Awareness Month, as proclaimed by the U.S. DHS. The premise behind this is good: create awareness for cyber security. The DHS’s campaign will seek to: 

  • Raise awareness of cybersecurity risks, consequences and available resources to a broad universe of information technology stakeholders
  • Reinforce shared responsibilities and provide a call to action to all computer users
  • Direct stakeholders to tools, products and services they can use to protect their part of cyberspace
  • Leverage Awareness Month events and activities to build a common culture of shared priorities across the full range of cybersecurity stakeholders
  • Encourage interest of students in the cybersecurity field and help develop the next generation of cybersecurity professionals
  • Promote the Cyber Security Awareness Volunteer Education Program (C-SAVE)

Security professionals the world over need all the help they can get to create awareness of their craft. For the most part, security measures, be they physical or cyber, are business expenses. The challenge security professionals have is to justify those expenses in a manner that helps improve the overall business appeal from the perspectives of the customers, partners, employees and investors.

For most of us working in the cyber security profession, we are viewed as smart but our value is questioned. “We pay this guy how much for doing what exactly?” “If we did not do ‘this’, what would be the impact?” “Do we really need to jump through all of these hoops?” “Do we really need to buy all of these security tools, applications and appliances?” “Wasn’t our security policy just updated?”

Some things are just hard. Cyber security is one of those hard things. It is tough to see, quantify and qualify. The better we are at creating reasonable awareness of the issues confronting our business and industry, the better and more effective we will all be at performing our security jobs.

DHS — Overkill In Some Areas?

Politically conservative, I question the value of many government agencies and jobs. By their nature, every single government job consumes taxpayer funds. Not one of them produces a single dollar.

Certainly there are many jobs and roles that are required from government. It is the opinions along this line that significantly define our political differences. Some feel government is the answer to many of our problems, others do not. I am in the latter.

Nevertheless, I have many acquaintances that earn their living by working security for the federal, state, county and local governments. I do not have any ill-feelings towards any of them. Some of these jobs are very interesting. But are they absolutely required?

I attended our local InfraGard meeting this week. A good group and a good meeting. We heard a presentation from Access Data on computer forensics, some excellent insights from a civilian security specialist from Hill AFB, and a presentation from a gentleman from DHS. This latter presentation got me thinking about the scope of the DHS. Has it quickly expanded beyond what is reasonable?

There is a role that one of the groups performs: an infrastructure survey. One or more federal employees will come to your site — any site — and do a 4-7 hour assessment of your physical security, preparedness, etc. The billing fee? Zero. Cost? Not free. Certainly a service like this is useful. Any security officer would be dumb to not take advantage of a service like this. Another set of eyes can only help. But is it the best use of taxpayer funds?

Just like cash for clunkers, it is a great deal for those people who needed a new car (or security assessment), but a bad deal for those of us who were unable to take advantage of the offer (or who did our own either ourselves or paid for a third-party to do it for us). Those that did not need a new car (new assessment) at that time were forced to fund those that did.

If the Department of Labor was completely eliminated, would anyone besides the employees notice? What about the Departments of Education, Commerce or Housing & Urban Development? Does the DHS need a Science and Technology Directorate?

The problem with government in all nations is that it is too big. It does not matter which political party is in power, government grows. Most of the growth is well intended. But the value is very questionable.

In the security world, the powers that be justify their positions, programs and plans as necessary to protect us and our operations. Security people over-blow most situations. Without fear, uncertainty and doubt, they would be without a job. Politicians do the same: the other guy’s special interest is corrupt and not required but theirs is.

I appreciate the men and women that are trying to protect us. I just think there are too many of them in roles that do little to reduce or manage risk.

Gains Vs. Losses with CCTV

I am a big fan of the BBC program called Spooks. It is marketed in the USA as MI-5, viewed on some PBS stations or online from Netflix. (If you like the Fox show, 24, you will like MI-5/Spooks). Most of the episodes deal with terrorism. A key piece of technology they use in their investigations and surveillance is closed-circuit television (CCTV). It got me thinking about the question: are we better or worse off with a ubiquitous CCTV system?

Britain and many European nations are heavily wired with CCTV. London boroughs have anywhere from 0.25 to 4 CCTV cameras per 1000 people. Back in 2002, the average citizen in the UK was caught on CCTV cameras 300 times a day; this number has increased because the number of cameras has increased. The U.A.E. is deploying thousands of CCTV cameras (and security guards) at an increasing number of locations within their transportation system. The USA is increasing the use of CCTV cameras, deploying them at various locations including public gathering places and major road intersections.

They are good at recording crime in urban areas. But there is a major privacy issue at play. One must avoid the position that “if you are not doing anything illegal, then you should not be concerned; that they are for the public good — for our own safety.” With that argument then why not place government-monitored cameras in your house, backyards, classrooms, churches?

Should we use cameras for catching speeders? Why not? It is in the best interest of society’s safety isn’t it?

The problem is that the scope of the cameras expands from terrorism and serious crimes like rape, assault and robbery. It morphs into the fields of sociology and psychology. It then becomes an invasion of privacy. CCTV cameras have been used to investigate dog fouling, littering, public urination, misuse of disabled parking passes, false claims for damages, and spying on a person who was working while off sick. We might detest any and all of these but do we want our government policing these at significant taxpayer cost?

Apparently many societies say yes. Others, including me, say no.

Chemical Plants Safety: Private or Government Mandate?

We have all heard politicians and security pundits say that a terrorist attack on a chemical plant could cost us hundreds or thousands of deaths and even more injuries.

Why is it that the chemical plant owners/operators and the government officials and politicians are at odds with each other over regulation?

Is it that the chemical plant owners just don’t want to incur the expense of the government mandates? Do the politicians think the plant owners are incompetent? Are plant owners deliberately putting people at risk, including their own workers? Do the politicians think they must do something to prove their value? Is there just a general movement that more government is just better? Do those that set the laws increase their power and staying potential?

The answers to these go to the core of our political divide in America — anywhere for that matter. There are people that think that government is the only answer to these big problems. That if the government were involved and could set strong processes, procedures and safeguards, we will all be better off. Others will say that the free market system will work. I am more aligned with the latter.

There are already existing plant regulations, inspections, etc. There is no proof that more regulations will make us any safer. That the cost to do so is justified, taxpayer be damned.

The owners are very much aware of the risks associated with their plants. Good owners are going to take prudent actions to protect their assets, employees, and community, based on their risk assessment.

There is good evidence that says whenever the government gets involved in excessive regulation and procedures, they add unnecessary costs with no proof of improved safety, greater efficiency or better quality. Quite the opposite. I’ll bet on the private sector every time.

National Cyber Czar: Good or Bad?

On Friday, President Obama made some remarks on securing our nation’s cyber infrastructure. Some highlights are:

  • It’s the great irony of our Information Age — the very technologies that empower us to create and to build also empower those who would disrupt and destroy.
  • America’s economic prosperity in the 21st century will depend on cybersecurity.
  • Cyber threat is one of the most serious economic and national security challenges we face as a nation.
  • This status quo is no longer acceptable — not when there’s so much at stake.
  • Protecting this infrastructure will be a national security priority. We will ensure that these networks are secure, trustworthy and resilient. We will deter, prevent, detect, and defend against attacks and recover quickly from any disruptions or damage.

All accurate. All worthy comments. Obama then went on to describe his strategy in five key areas:

  1. Working in partnership with the communities represented here today, we will develop a new comprehensive strategy to secure America’s information and communications networks
  2. Working with all the key players — including state and local governments and the private sector — to ensure an organized and unified response to future cyber incidents.
  3. Strengthening the public/private partnerships that are critical to this endeavor.
  4. Continuing to invest in the cutting-edge research and development necessary for the innovation and discovery we need to meet the digital challenges of our time.
  5. Beginning a national campaign to promote cybersecurity awareness and digital literacy from our boardrooms to our classrooms, and to build a digital workforce for the 21st century.

So will it work? Will an Internet czar help protect against cyber attacks? Is the praise being heaped upon the new cybersecurity direction merited? Can a cybersecurity czar make a difference in a government full of turf wars, departmental budgets, and various opinions on what to do and how to do it?

A cyber defense should be part of our military defense. For the most part, it is. Key to most information security programs and policies is to promote the confidentiality, integrity and availability of information. The problem is that collectively, we have done a poor job ensuring this is collectively the case. This is not because of a lack of effort or expenditure. There are smart IT and security personnel working in the various agencies. They know what they are doing. The question we must ask is: What makes Obama think that having a czar that reports to him — but who has no budgetary or personnel control over the various agencies — will be successful in making cyber space safer for the nation? Are we just adding another bureaucrat that returns and reports, but accomplishes little?

Government is rarely the answer. Obama has already established his own record of how not to use government for the betterment of all. In order for cybersecurity to work as a nation, it will be up to each agency, state, city, country, industry and private firm to defend its portion of cyber space. Having a solid, national cyber security blueprint with funding hooks and accountability might help the various entities get on the same page.

Internet Warfare and American Readiness

According to a recent article in Computerworld by Jaikumar Vijayan, Internet Warfare: Are We Focusing on the Wrong Things?, some are concluding:

More than seven years after the terrorist attacks of Sept. 11, 2001, there’s widespread consensus that federal efforts to secure cyberinfrastructure are bogged down by a lack of vision, planning and leadership. While the government has struggled to come up with a cohesive national strategy for defending its interests on the Internet, threats in cyberspace have continued to grow and today pose a grave risk to national and economic security.

Adversaries, which include unfriendly governments and militaries, intelligence agencies, organized criminal groups and hacktivists, have by most accounts already penetrated U.S. government and private networks or are actively engaged in doing so.

We certainly have the technical know-how to defend our computing systems. But like most things government does, it gets bogged down in bureaucracy, egos and sheer scope of the tasks.

There are so many agencies, departments, divisions with overlapping initiatives. Each of these entities has its own cyber security strategy. National cyber security plans exist. But core to the problem is that there is not a unified mandate or declaration that our cyberinfrastructure is a vital asset for national and economic security. If we threw the right resources at it as we do many other less important things, we could get our hands around the problem.

Like most things with the federal government, money is spent on either some politician’s latest project that benefits his constituencies alone, the latest emergency of the day, and most recently the federalizing of private industries. They can hold hearings, form committees, create strategies, but nothing will happen until a MAJOR cyber incident shuts down and/or compromises a significant aspect of our society, infrastructure or commerce.

Cyber defense is not a technical problem; it is a people and organizational problem.

Losing Sleep Due to Security Woes

What keeps you up at night? What wakes you in the middle of the night? Besides a crying baby, barking dog or noisy neighbors, most of us have something that stresses us out. Personal finances, job security, relationships are at the top of the list for many.

I tend to have business concerns, those that come from running a business with a few colleagues. How can we meet our financial obligations? What can I do to identify and get in front of new customers? Are we going to get paid this month?

For Melissa Hathaway, the acting senior director for cyberspace for the National Security and Homeland Security Councils, it’s the world’s digital infrastructure. For her, it should be. Anyone that accepts a high-ranking position in the government or industry better have sleepless nights.

Criminals never sleep. Cyber-crime is 24×7. Tools designed to probe, exploit and manipulate are at it non-stop. Because we live in a cyber-world, our defenses never rest. They can never take a day off.

For the small business owner or general manager, selling products, meeting payroll and keeping employees, partners and customers happy are paramount. 

Just as our digital infrastructure was driven more by considerations of interoperability and efficiency than of security, most of our IT systems have evolved rather than getting built with an underlying security plan.

Every business, regardless of the size and industry, needs to take an occasional step-back and assess the risks posed to the on-going operations of the business. Do we have a realistic and tested business continuity plan? Do we have a data back-up and recovery plan? Do we have a plan to deal with “Joe, the IT guy, getting hit by the bus?”

I suspect few CEOs and GMs are kept awake at night due to cyber-security risks. But if one expands it to include all business operations, then that which might have been considered to be unlikely, quickly becomes something with a probability that needs some attention.

In today’s world, information security and availability are everyone’s concern.

Cybersecurity Act of 2009

The 1 April 2009 Senate Bill S.773 is no joke, though much of it might fit that label. The so-called Cybersecurity Act of 2009, sponsored by Sen. John Rockefeller [D, WV] and co-sponsored by Sen. Evan Bayh [D, IN], Sen. Bill Nelson [D, FL] and Sen. Olympia Snowe [R, ME] is designed to:

To ensure the continued free flow of commerce within the United States and with its global trading partners through secure cyber communications, to provide for the continued development and exploitation of the Internet and intranet communications for such purposes, to provide for the development of a cadre of information technology specialists to improve and maintain effective cyber security defenses against disruption, and for other purposes.

Some of the key items are:

  • The Secretary of Commerce shall provide assistance for the creation and support of Regional Cybersecurity Centers for the promotion and implementation of cybersecurity standards in order to enhance the cybersecurity of small and medium sized businesses. However it appears the federal government will only fund up to half of the costs.
  • National Institute of Standards and Technology will be the entity that will set the cybersecurity standards.
  • There will be a national licensing, certification, and periodic recertification program for cybersecurity professionals.
  • Federal government will take control of IP addresses and DNS.
  • The National Science Foundation shall take control of computer and information science and engineering research as well as academic scholarship.
  • NIST will head cybersecurity competitions and challenges as well as establish a secure products and services acquisitions board.
  • The Department of Commerce shall serve as the clearinghouse of cybersecurity threat and vulnerability information.
  • The White House will create a cybersecurity plan, risk management plan, and an identity management and authentication program.

Whereas having a national cybersecurity program is merited, one must be careful in how much control to give the federal government. It is one thing for it to put restrictions on the what, when, why and how of federal agency security, it is another when it starts mandating what states, local governments and private businesses must do.

The bill will give the federal government (the President) the power to “order the disconnection of any Federal government or United States critical infrastructure information systems or networks in the interest of national security.” They shut down air traffic in the country in 2003 for a few days after 9/11; this would be similar.

How much power and control would it allocate to the major ISPs? How will the states fund the requirements? Will the business requirements and costs be overbearing for businesses? The federal government did it with Sarbanes-Oxley; this smells similar.

This is one to watch closely. Because it is sponsored by Democrats (Snowe is closer to a Democrat than a Republican), most of their bills look plausible at first glance but are binding and liberty-restricting when the details are examined.
