Synopsis
Exclusive, insightful audio interviews by our staff with government/security leading practitioners and thought-leaders. Transcripts are also available on our site!
Episodes
-
Thinking Like a Hacker: Dickie George, Technical Director of Information Assurance, National Security Agency
23/11/2009 As the government adds new applications to its information systems, it creates more openings for attackers to gain access, sustaining a continuing battle between the IT security professionals charged with safeguarding the systems and those seeking to damage them. "The more functionality that's there, the more ways there are for an attacker to get it to operate in a way that no one ever conceived," Dickie George, the National Security Agency's Information Assurance Directorate technical director, said in an interview with GovInfoSecurity.com. "The better the system is, the more interesting it is, the more capability it has, the more opportunities there are for an attacker to find the way in. We are notorious for always needing new types of functionality. We want our equipment to be able to do more things, and every time we increase the functionality, we allow for problems." In the first of a two-part interview with GovInfoSecurity.com's Eric Chabrow, George discusses: The strength of today's techno
-
Ron Ross, NIST's Infosec Guru, on the Institute's Latest Transformational Guidance
20/11/2009 The National Institute of Standards and Technology characterizes its new guidance, released this past week, as transformational, and no one can speak more authoritatively about it than Ron Ross, NIST's highly regarded senior computer scientist, information security researcher and FISMA implementation project leader, who co-authored the guide. Special Publication 800-37, Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach, encourages continual system authorization by implementing robust continuous monitoring processes. Why is this revision of SP 800-37 significant? Here's Ross' response: "There are a lot of reasons; I think the obvious one that everybody is talking about is its continuous monitoring aspects. This really reflects the significant uptake in the threats and the type of attacks that we've seen grow almost exponentially over the past couple of years. The adversaries are launching more attacks; they're more sophisticated, and we
-
Privacy Trends and Laws: J. Trevor Hughes of the IAPP
17/11/2009 What have been the biggest privacy issues of 2009, and what emerging trends should you watch heading into 2010? We posed these questions to J. Trevor Hughes, Executive Director of the International Association of Privacy Professionals (IAPP). In an exclusive interview, Hughes discusses: The role of the IAPP; Key legislation in the U.S. and internationally; Where organizations need to improve privacy protection. Hughes is an attorney specializing in e-commerce, privacy and technology law. In his role as Executive Director of the IAPP, Hughes leads the world's largest association of privacy professionals. Hughes has provided testimony before the U.S. House Commerce Committee, the U.S. Senate Commerce Committee, the U.S. Federal Trade Commission, and the EU Parliament on issues of privacy and data protection, spam prevention and privacy-sensitive technologies. He is a member of the first class of Certified Information Privacy Professionals (CIPPs) and is co-author (with D. Reed Freeman, Jr.) of "Pri
-
User-Centric Identity Comes to Washington: Heather West of the Center for Democracy and Technology
16/11/2009 As the federal government begins to pilot the use of third-party credentials to authenticate users at three websites, the advocacy group Center for Democracy and Technology has this month published a white paper, Issues for Responsible User-Centric Identity, raising questions it feels must be addressed before user-centric identity systems are fully deployed throughout the government. User-centric identity refers to systems where users, rather than service providers, control their identity credentials. "User-centric federated identity systems have the potential to improve the security and privacy of authentication and services for users, but if improperly designed, these systems can negatively impact users and become a burden instead," says white paper author Heather West, a CDT policy analyst. In an interview with GovInfoSecurity.com, West explains: How user-centric identity works; Who the major players are; and Why the government should not regulate user-centric identity. West was interviewed by Eric
-
Community Outreach: The Need for Information Security Pros
16/11/2009 It's time for information security professionals to give back to their communities - to reach out and educate businesses, schools and citizens about cybersecurity and other relevant issues. This is the message from John Rossi, professor of systems management/information assurance at National Defense University. In an exclusive interview, Rossi discusses: Why security professionals should practice outreach; Potential venues for public speaking; How to get started. Rossi is a Professor of Systems Management/Information Assurance in the Information Operations and Assurance Department at the National Defense University (NDU) Information Resources Management College (IRMC). Prior to joining the NDU/IRMC faculty, he was a computer scientist for information security, research, and training with the U.S. Federal Aviation Administration Headquarters. He was Security Division Manager of the U.S. Department of Energy's Nuclear Weapons Production Security Assessments Program and National Program Manager for Computer
-
White House Must Lead: Melissa Hathaway, White House Cybersecurity Policy Review Leader - Part 2
13/11/2009 Melissa Hathaway, who led President Obama's 60-day cybersecurity policy review, says it would be a mistake to place the nation's top cybersecurity adviser in the Department of Homeland Security, as proposed by an influential senator, rather than in the White House. Asked, in an interview with GovInfoSecurity.com, whether the idea forwarded by Sen. Susan Collins, R-Maine, was a good one, Hathaway responded: "No. I believe there is a need to have leadership out of the White House. There have been many reports that have been written that if you establish a lead in one particular agency, they don't necessarily have the authoritative responsibility over all of the other departments and agencies. And, while I think it's important to have leadership at the Department of Homeland Security, I think that without having the leadership at the White House, we will not be able to really drive the federal government in the direction that it needs to go." Among the topics Hathaway addresses in the second of a two-part inter
-
Creatively Securing IT: Melissa Hathaway, White House Cybersecurity Policy Review Leader
12/11/2009 Government and business must think creatively to help safeguard America's digital assets, says Melissa Hathaway, the former White House acting senior director for cybersecurity who led President Obama's 60-day cybersecurity policy review. Hathaway, in an interview with GovInfoSecurity.com, cited the innovative coupling of cell phone and global positioning technologies to authenticate a user withdrawing money from an ATM or making a credit card purchase. With the cell phone turned on, a GPS fix can corroborate that the consumer is where the transaction takes place. "That's not what cell phones were originally designed for, but I thought it was a creative solution on how to defeat the fraud or at least make it much more complicated for the criminal or thieves to take our information or take our personal data," Hathaway said in a conversation with Eric Chabrow, GovInfoSecurity.com managing editor. In the first of the two-part interview, Hathaway also discussed: The critical posture of cybersecurity in the United States
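The phone-location check Hathaway describes is simple to state but has failure modes a practitioner has to handle: a fix that is minutes old, a fix with hundreds of metres of reported error, or no fix at all must not be read as "cardholder present". The example below is added here to illustrate that control; it is not code from the interview or from any bank. The terminal coordinates, the GpsFix record, the 250 m radius, the 120 s freshness limit and the 100 m accuracy limit are all assumptions chosen for the illustration.

```python
"""Proximity check for a card transaction against the cardholder's phone GPS fix.

Added illustration of the control described above (phone location corroborating
the transaction location). Not from the interview or any real issuer: the
thresholds and the GpsFix layout are assumptions made for this example.
"""
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_M = 6_371_000.0  # mean Earth radius in metres


@dataclass(frozen=True)
class GpsFix:
    lat: float          # degrees, WGS84
    lon: float          # degrees, WGS84
    accuracy_m: float   # horizontal error radius reported by the phone
    age_s: float        # seconds since the fix was taken


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two points given in degrees."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi = p2 - p1
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_M * asin(sqrt(a))


def phone_corroborates_terminal(fix, terminal_lat, terminal_lon,
                                max_radius_m=250.0, max_age_s=120.0,
                                max_accuracy_m=100.0):
    """Return (ok, reason).

    Fails closed: a missing, stale or imprecise fix yields (False, ...) so the
    caller falls back to another factor (PIN, call-back) instead of approving.
    Only a fresh, precise fix close to the terminal yields (True, ...).
    """
    if fix is None:
        return False, "no phone fix available"
    if fix.age_s > max_age_s:
        return False, "phone fix is stale (%.0f s old)" % fix.age_s
    if fix.accuracy_m > max_accuracy_m:
        return False, "phone fix too imprecise (%.0f m)" % fix.accuracy_m
    d = haversine_m(fix.lat, fix.lon, terminal_lat, terminal_lon)
    # Subtract the reported GPS error so a legitimate customer standing at the
    # ATM is not rejected because of a noisy fix; the radius itself stays tight.
    if d - fix.accuracy_m > max_radius_m:
        return False, "phone is %.0f m from terminal" % d
    return True, "phone within %.0f m of terminal" % d


if __name__ == "__main__":
    # Constructed sample: an assumed terminal location and three assumed fixes.
    terminal = (38.8977, -77.0365)
    samples = {
        "at the ATM":   GpsFix(38.8978, -77.0366, accuracy_m=15.0, age_s=5.0),
        "stale fix":    GpsFix(38.8977, -77.0365, accuracy_m=15.0, age_s=600.0),
        "other city":   GpsFix(40.7128, -74.0060, accuracy_m=15.0, age_s=5.0),
    }
    for label, fix in samples.items():
        print(label, phone_corroborates_terminal(fix, *terminal))
```

The check only corroborates presence; a phone can be stolen with the card or its location spoofed, so it belongs beside a PIN or other factor rather than replacing one, which is the "portfolio" point the later biometrics interview makes.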
-
Iris Recognition: NIST Computer Scientist Patrick Grother
11/11/2009 After fingerprints, iris recognition is the second most widely supported biometric characteristic, and its popularity as a means of authentication is growing. Patrick Grother is among the computer scientists at the National Institute of Standards and Technology's Information Technology Laboratory who are collaborating with their international colleagues to revise iris recognition standards and to advance iris images as the global interchange medium. In an interview, Grother discusses: Advances in iris recognition technology; When one biometric is better than another as a means of identification and authentication; and The Iris Exchange, or IREX, a program NIST founded to encourage collaboration in the development of iris recognition algorithms operating on images conforming to the new ISO/IEC 19794-6 standard. Grother was interviewed by Eric Chabrow, GovInfoSecurity.com managing editor.
-
The Softer Side of Leadership - Heidi Kraft, Careers Coach
09/11/2009 Tough times require "softer" leaders. This is the perspective of careers coach Heidi Kraft, who says that today's senior leaders need to focus more on emotional intelligence and other "soft" qualities to be able to better recruit and retain quality employees. In an exclusive interview, Kraft discusses: Which "soft" skills are most important; How managers and employees alike can change a culture to embrace these skills; Where to start to develop and nurture "softer" leaders. Kraft is a Leadership and Career coach and founder of Kraft Your Success Coaching and Consulting. Prior to launching her business, she spent 17 years on the agency side of the advertising industry, including a stint as SVP Media Director at Boston-based Hill Holliday, developing and implementing media strategies for high-profile clients such as Microsoft, Intel, Intuit, Siebel Systems, 24 Hour Fitness and Harley-Davidson. She holds a CPCC (Certified Professional Coactive Coach) and is a graduate of the Coaches Training Institute
-
A Career in the Secret Service: What it Takes
06/11/2009 Interview with Kevin Sanchez-Cherry, IT Security Specialist. What does it take for an information security professional to make it into the United States Secret Service? We asked Kevin Sanchez-Cherry, IT Security Specialist within the agency's Information Security Operations. In this exclusive interview, Sanchez-Cherry discusses: Types of Secret Service careers available to security professionals; What to expect during the hiring process; Myths and realities of a job in the Secret Service. Sanchez-Cherry is an IT Security Specialist for the United States Secret Service's Information Security Operations sub-division and is responsible for leading the Secret Service's Certification and Accreditation (C&A) Program and Information Systems Security Officer (ISSO) Program. He also assists in the management of the enterprise Information Assurance (IA) Program for the Secret Service. Prior to joining the Secret Service in 2006, Mr. Sanchez-Cherry served two years as Principal Security Specialist with the Dep
-
Fighting Fraud - Allan Bachman, Association of Certified Fraud Examiners
02/11/2009 Allan Bachman has fought fraud since the early 1970s, and he's seen the crimes evolve in both sophistication and scale. In an exclusive interview, Bachman, Education Manager for the Association of Certified Fraud Examiners (ACFE), discusses: The evolution of fraud schemes; The most common types of fraud seen today; Types of training available to help detect and prevent fraud. Bachman, CFE, MBA, is responsible for seminar development and the educational content of all ACFE conferences and online learning. Most recently he worked in higher education as director of an audit unit and was project manager on several IT implementations specializing in security. His largest fraud investigation, for over $1.5 million, was conducted during this time. Previously Bachman worked in or consulted for retail, real estate and manufacturing, and has done extensive small business consulting in which he has actively worked a number of fraud cases. His fraud investigation experience extends back to the mid-'70s and has continued th
-
Gartner's John Pescatore on 2010 Threats, Trends
27/10/2009 Malware, Consumer Technology, Social Networks Head the List of Vulnerabilities. Know what scares security expert John Pescatore the most? The image of a remote employee sitting at a home office or public setting, plugging into an unsecured network, accessing critical business data via a personal laptop or PDA. Organizations have never had so many security risks in so many remote locations, says Pescatore, VP and Distinguished Analyst with Gartner, Inc. Mitigating these risks will be among the primary challenges for information security leaders in 2010. In a discussion of security trends, Pescatore offers insight on: Emerging threats; Emerging solutions; The role of education and training to help meet security needs. Pescatore has 31 years of experience in computer, network and information security. Prior to joining Gartner, he was senior consultant for Entrust Technologies and Trusted Information Systems, where he started and managed security consulting groups. His previous experience includes 11 year
-
Enterprise Risk Management: How to Engage Your Board of Directors
26/10/2009 Interview with Pete Fahrenthold of Continental Airlines, RIMS. Enterprise Risk Management (ERM) is a topic of interest throughout an organization - and increasingly at the board of directors level. But how does a security leader engage the board on ERM - and keep it engaged? Pete Fahrenthold of Continental Airlines and RIMS discusses: The top current ERM issues; How to engage the board - what works and what doesn't; How to measure the ongoing engagement of the board. Fahrenthold is the Managing Director of Risk Management and the ERM Team Leader for Continental Airlines. He has over 20 years of risk management experience. Prior to entering the risk management field, he worked in public accounting and in various corporate functions including financial reporting, treasury operations, and employee benefits management. He is currently the Vice Chair of the RIMS ERM Development Committee, and he is the Chair of the AFP Risk Newsletter Editorial Advisory Board.
-
Electronic Healthcare Records: The Impact on Your Organization
23/10/2009 We all can see the technological and market forces converging to necessitate and enable electronic healthcare records. But how does this transition impact privacy and compliance within an organization? What are the ramifications for IT and security departments? Kim Singletary, Solutions Marketing for McAfee, discusses: The electronic healthcare records revolution; Impact on privacy and compliance; How IT departments must respond. Singletary was Director of Compliance Solutions for Solidcore prior to the McAfee acquisition. She has 15 years in Product Management and Marketing roles with companies specializing in outsourced IT services for critical infrastructure, spanning traditional datacenter services, MSSP and SaaS. Her expertise has been in developing and growing security, compliance and managed services for the Fortune 500, which included roles at SAVVIS Communications, Frontier Communications and Global Crossing.
-
Getting a Consensus on Regulating Data
19/10/2009 Interview with Rep. Yvette Clarke, Chair, House Subcommittee on Emerging Threats, Cybersecurity and Science and Technology. To quell the rising tide of information breaches and to protect government and key civilian IT systems, the idea of regulating IT and data is gaining ground among those who shape federal law and policies. If such regulation comes about, Rep. Yvette Clarke, D-N.Y., will be involved in shaping authorizing legislation, by virtue of her chairmanship of the House Homeland Security Subcommittee on Emerging Threats, Cybersecurity and Science and Technology. Clarke, in an interview with GovInfoSecurity.com, said any such law or regulation must not hamper innovation. In the interview, Clarke discusses: Key elements of what she terms the National Data Breach Law; The deliberate approach the House is taking to implementing cybersecurity legislation; President Obama's need to appoint a cybersecurity coordinator now. Clarke represents one of the country's most ethnically diverse Congressional
-
Why Strategic Cyber Warfare Shouldn't Be a Military Priority
14/10/2009 Interview with Martin Libicki of the RAND Corp. Martin Libicki spends a lot of time studying and thinking about the intersection of national security and information technology as a senior management scientist at the think tank RAND Corp. And in a just-released report he authored, Cyberdeterrence and Cyberwar, Libicki argues that strategic cyber warfare shouldn't be a priority for America's armed services. The key word here is strategic. Cyber warfare, as a strategy, would be unlikely to cause the enemy to disarm the way conventional warfare does. Zap an adversary's PC, and it can be replaced for $300. Cyber assault the enemy, and the opponent more likely than not will figure out how to defend itself against similar future attacks. Besides, who knows how well cyber works as a weapon? "One of the differences between cyber and other forms of warfare is that cyber is largely untested. Sometimes it works, sometimes it doesn't," Libicki said in an interview with GovInfoSecurity.com. Yet, he said, cyber should be consid
-
Safe and Secure Online - New Outreach Program from (ISC)2
14/10/2009 Social networking. Cyberbullying. Identity theft. There are myriad threats to children as they explore their online universe. And to counter these threats is Safe and Secure Online, a new interactive presentation that brings information security professionals into classrooms to give sound advice to 11-14-year-old children. Delivered by (ISC)2, Safe and Secure Online relies on material developed by former school teachers, but delivered by certified information security professionals. David Melnick of Deloitte and (ISC)2 discusses: The need for Safe and Secure Online; How the program will be delivered and measured; Ways businesses, government agencies and information security professionals can help. Melnick is a principal in security and privacy services within the audit and enterprise risk services practice in the Los Angeles office of Deloitte and brings more than 17 years of experience designing, developing, managing and auditing large-scale secure technology infrastructure. Melnick has authored sever
-
Information Assurance and Community Colleges - Erich Spengler, Moraine Valley Community College
07/10/2009 As people increasingly turn to information assurance to start - or re-start - a career, the nation's community colleges play a greater role in job training. Erich Spengler, professor at Moraine Valley Community College near Chicago, discusses: The role of community colleges in information assurance education; Challenges and opportunities for two-year programs; Where to begin when considering your next career move. Spengler has over 20 years' experience in Information Systems and holds an MBA from Loyola University of Chicago and an MS in Computer Science from the University of Illinois - Springfield. In addition to serving as a tenured professor of Computer Integrated Technologies at Moraine Valley Community College, Erich also serves as a Guest Lecturer at Northwestern University and as the Director and Principal Investigator for the National Science Foundation (NSF) Regional Center for Systems Security and Information Assurance (CSSIA @ www.cssia.org). Erich holds several industry certifications includ
-
Authentication: The Biometrics Advantage
02/10/2009 Interview with Myra Gray, Director, U.S. Army Biometrics Task Force. Though fingerprint and iris scans have advantages over passwords and magnetic identity cards as a means to grant access to IT systems, in many instances the biometric technologies aren't ready to be employed alone, says Myra Gray, director of the U.S. Army's Biometrics Task Force. "Actually, it's an outstanding method for good, strong identity assurance," Gray said in an interview with GovInfoSecurity.com. "But before we go throwing out passwords and usernames, I'd like to articulate that biometrics is one tool of many. It should be part of the portfolio that's used to protect against identity theft." Gray explained that three things exist to prove one's identity: What you know, such as a password; what you have, a magnetic card or token; and what you are - "something that's uniquely you" - an iris, a fingerprint. "The power is not just picking one over the other, but setting up a construct that utilizes all of those as appropriate," Gray s
-
NIST and IT Security: Much More Than Guidance
01/10/2009 Interview with Cita Furlani, NIST Information Technology Laboratory Director. Think of the National Institute of Standards and Technology, and most people charged with safeguarding government IT assets think of NIST's information security guidance. But NIST's core strength lies in its long history of measurement and testing, and that should prove valuable as the federal government changes the way it evaluates IT security, from a process that focuses on agency and departmental compliance with regulations to one of measuring IT systems in real time to verify they're truly secure. "People think of us as only the standards, but you can't really have effective standards unless you can measure that you're meeting those standards, and measurement at NIST means testing," says Cita Furlani, director of NIST's Information Technology Laboratory, in an interview with GovInfoSecurity.com. Furlani discusses not only how NIST is gearing up for changes in the way government will measure cybersecurity but the proposed reorg