government – McAfee Blogs https://securingtomorrow.mcafee.com Securing Tomorrow. Today. Fri, 05 Jul 2019 16:46:13 +0000 en-US hourly 1 https://securingtomorrow.mcafee.com/wp-content/uploads/2018/11/cropped-favicon-32x32.png government – McAfee Blogs https://securingtomorrow.mcafee.com 32 32 House Actions on Election Security Bode Well for 2020 https://securingtomorrow.mcafee.com/other-blogs/executive-perspectives/house-actions-on-election-security-bode-well-for-2020/ https://securingtomorrow.mcafee.com/other-blogs/executive-perspectives/house-actions-on-election-security-bode-well-for-2020/#respond Tue, 09 Jul 2019 15:00:52 +0000 https://securingtomorrow.mcafee.com/?p=95799

As a U.S. cybersecurity company, McAfee supports legislation that aims to safeguard U.S. election security. After the 2016 election, McAfee sees the importance of improving and preserving election security; we even offered free security tools to local election boards prior to the 2018 elections and released educational research on how localities can best protect themselves […]

The post House Actions on Election Security Bode Well for 2020 appeared first on McAfee Blogs.

]]>

As a U.S. cybersecurity company, McAfee supports legislation that aims to safeguard U.S. election security. After the 2016 election, McAfee sees the importance of improving and preserving election security; we even offered free security tools to local election boards prior to the 2018 elections and released educational research on how localities can best protect themselves in future elections. As the 2020 primary elections quickly approach, it is more important than ever that the federal government takes steps to ensure our election infrastructure is secure and that states and localities have the resources they need to quickly upgrade and secure systems.

The U.S. House of Representatives recently passed H.R. 2722, the Securing America’s Federal Elections (SAFE) Act, legislation introduced by Rep. Zoe Lofgren (D-CA) that would allocate $600 million for states to secure critical election infrastructure. The bill would require cybersecurity safeguards for hardware and software used in elections, prevent the use of wireless communication devices in election systems and require electronic voting machines to be manufactured in the United States. The SAFE Act is a key step to ensuring election security and integrity in the upcoming 2020 election.

Earlier this year, the House also passed H.R. 1, the For the People Act. During a House Homeland Security Committee hearing prior to the bill’s passage, the committee showed commitment to improving the efficiency of election audits and continuing to incentivize the patching of election systems in preparation for the 2020 elections. H.R. 1 and the SAFE Act demonstrate the government’s prioritization of combating election interference. It is exciting to see the House recognize the issue of election security, as it is a multifaceted process and a vital one to our nation’s democracy.

McAfee applauds the House for keeping its focus on election security and prioritizing the allocation of resources to states. We hope that Senate leadership will take up meaningful, comprehensive election security legislation so our country can fully prepare for a secure 2020 election.

The post House Actions on Election Security Bode Well for 2020 appeared first on McAfee Blogs.

]]>
https://securingtomorrow.mcafee.com/other-blogs/executive-perspectives/house-actions-on-election-security-bode-well-for-2020/feed/ 0
A Robust Federal Cybersecurity Workforce Is Key To Our National Security https://securingtomorrow.mcafee.com/other-blogs/executive-perspectives/a-robust-federal-cybersecurity-workforce-is-key-to-our-national-security/ https://securingtomorrow.mcafee.com/other-blogs/executive-perspectives/a-robust-federal-cybersecurity-workforce-is-key-to-our-national-security/#respond Wed, 05 Jun 2019 17:13:41 +0000 https://securingtomorrow.mcafee.com/?p=95498

The Federal government has long struggled to close the cybersecurity workforce gap. The problem has continued to get worse as the number of threats against our networks, critical infrastructure, intellectual property, and the millions of IoT devices we use in our homes, offices and on our infrastructure increase. Without a robust cyber workforce, federal agencies […]

The post A Robust Federal Cybersecurity Workforce Is Key To Our National Security appeared first on McAfee Blogs.

]]>

The Federal government has long struggled to close the cybersecurity workforce gap. The problem has continued to get worse as the number of threats against our networks, critical infrastructure, intellectual property, and the millions of IoT devices we use in our homes, offices and on our infrastructure increase. Without a robust cyber workforce, federal agencies will continue to struggle to develop and execute the policies needed to combat these ongoing issues.

The recent executive order on developing the nation’s cybersecurity workforce was a key step to closing that gap and shoring up the nation’s cyber posture. The widespread adoption of the cybersecurity workforce framework by NIST, the development of a rotational program for Federal employees to expand their cybersecurity expertise and the “president’s cup” competition are all crucial to retaining and growing the federal cyber workforce. If we are to get serious about closing the federal workforce gap, we have to encourage our current professionals to stay in the federal service and grow their expertise to defend against the threats of today and prepare for the threats of tomorrow.

Further, we must do more to bring individuals into the field by eliminating barriers of entry and increasing the educational opportunities available for people so that there can be a strong, diverse and growing cybersecurity workforce in both the federal government and the private sector. Expanding scholarship programs through the National Science Foundation (NSF) and Department of Homeland Security (DHS) for students who agree to work for federal and state agencies will go a long way to bringing new, diverse individuals into the industry.  Additionally, these programs should be expanded to include many types of educational institutions including community colleges. Community colleges attract a different type of student than a 4-year institution, increasing diversity within the federal workforce while also tapping into a currently unused pipeline for cyber talent.

The administration’s prioritization of this issue is a positive step forward, and there has been progress made on closing the cyber skills gap in the U.S., but there is still work to be done. If we want to create a robust, diverse cyber workforce, the private sector, lawmakers and the administration must work together to come up with innovative solutions that build upon the recent executive order.

The post A Robust Federal Cybersecurity Workforce Is Key To Our National Security appeared first on McAfee Blogs.

]]>
https://securingtomorrow.mcafee.com/other-blogs/executive-perspectives/a-robust-federal-cybersecurity-workforce-is-key-to-our-national-security/feed/ 0
McAfee Playing an Ever Growing Role in Tackling Disinformation and Ensuring Election Security https://securingtomorrow.mcafee.com/other-blogs/executive-perspectives/mcafee-playing-an-ever-growing-role-in-tackling-disinformation-and-ensuring-election-security/ https://securingtomorrow.mcafee.com/other-blogs/executive-perspectives/mcafee-playing-an-ever-growing-role-in-tackling-disinformation-and-ensuring-election-security/#respond Fri, 24 May 2019 15:09:12 +0000 https://securingtomorrow.mcafee.com/?p=95379

As Europe heads to the polls this weekend (May 23-26) to Members of the European Parliament (“MEPs”) representing the 28 EU Member States, the threat of disinformation campaigns aimed at voters looms large in the minds of politicians. Malicious players have every reason to try to undermine trust in established politicians, and push voters towards the political […]

The post McAfee Playing an Ever Growing Role in Tackling Disinformation and Ensuring Election Security appeared first on McAfee Blogs.

]]>

As Europe heads to the polls this weekend (May 23-26) to Members of the European Parliament (“MEPs”) representing the 28 EU Member States, the threat of disinformation campaigns aimed at voters looms large in the minds of politicians. Malicious players have every reason to try to undermine trust in established politicians, and push voters towards the political fringes, in an effort to destabilise European politics and weaken the EU’s clout in a tense geopolitical environment.

Disinformation campaigns are of course not a new phenomenon, and have been a feature of public life since the invention of the printing press. But the Internet and social media have given peddlers of fake news a whole new toolbox, offering bad actors unprecedented abilities to reach straight into the pockets of citizens via their mobile phones, while increasing their ability to hide their true identity.

This means that the tools to fight disinformation need to be upgraded in parallel. There is no doubt that more work is needed to tackle disinformation, but credit should also go to the efforts that are being made to protect citizens from misinformation during elections.  The European Commission has engaged the main social media players in better reporting around political advertising and preventing the spread of misinformation, as a complement to the broader effort to tackle illegal content online. The EU’s foreign policy agency, the External Action Service, has also deployed a Rapid Alert System involving academics, fact-checkers, online platforms and partners around the world to help detect disinformation activities and sharing information among member states of disinformation campaigns and methods, to help them stay on top of the game. The EU has also launched campaigns to ensure citizens are more aware of disinformation and improving their cyber hygiene, inoculating them against such threats.

But adding cybersecurity research, analysis and intelligence trade craft to the mix is a vital element of an effective public policy strategy.  And recently published research by Safeguard Cyber is a good example of how cybersecurity companies can help policymakers get to grips with disinformation.

The recent engagement with the European Commission think-tank, the EPSC, and Safeguard Cyber is a good example of how policymakers and cyber experts can work together, and we encourage more such collaboration and exchange of expertise in the months and years ahead.  McAfee Fellow and Chief Scientist Raj Samani told more than 50 senior-ranking EU officials in early May that recent disinformation campaigns are “direct, deliberate attacks on our way of life” that seek to disrupt and undermine the integrity of the election process.  And he urged policy makers that the way to address this is to use cyber intelligence and tradecraft to understand the adversary, so that our politicians can make informed decisions on how best to combat the very real threat this represents to our democracies. In practice this means close collaboration between best-in-class cybersecurity researchers, policymakers and social media players to gain a deeper understanding of the modus operandi of misinformation actors and respond more quickly.

As the sceptre of disinformation is not going to go away, we need a better understanding the actors involved, their motivations and most importantly, the rapidly changing technical tools they use to undermine democracy.  And each new insight into tackling disinformation will be put to good use in elections later this year in Denmark, Norway, Portugal, Bulgaria, Poland and Croatia and Austria.

The post McAfee Playing an Ever Growing Role in Tackling Disinformation and Ensuring Election Security appeared first on McAfee Blogs.

]]>
https://securingtomorrow.mcafee.com/other-blogs/executive-perspectives/mcafee-playing-an-ever-growing-role-in-tackling-disinformation-and-ensuring-election-security/feed/ 0
Why Data Security Is Important https://securingtomorrow.mcafee.com/other-blogs/executive-perspectives/why-data-security-is-important/ https://securingtomorrow.mcafee.com/other-blogs/executive-perspectives/why-data-security-is-important/#respond Wed, 01 May 2019 15:00:09 +0000 https://securingtomorrow.mcafee.com/?p=95090

The Increasing Regulatory Focus on Privacy The ongoing trend of data breaches and the increasing privacy risks associated with social media continue to be a national and international concern. These issues have prompted regulators to seriously explore the need for new and stronger regulations to protect consumer privacy. Some of the regulatory solutions focus on […]

The post Why Data Security Is Important appeared first on McAfee Blogs.

]]>

The Increasing Regulatory Focus on Privacy

The ongoing trend of data breaches and the increasing privacy risks associated with social media continue to be a national and international concern. These issues have prompted regulators to seriously explore the need for new and stronger regulations to protect consumer privacy. Some of the regulatory solutions focus on U.S. federal-level breach and privacy laws, while individual U.S. states are also looking to strengthen and broaden their privacy laws.

The focus on stronger consumer privacy has already sparked new regulations like Europe’s General Data Protection Regulation (GDPR) and California’s Consumer Privacy Act (CCPA). Many customers of U.S. companies are covered by GDPR’s broad privacy protections, which protects the rights of residents of the European Economic Area. As U.S. states increasingly pass their own privacy laws, the legal environment is becoming more fragmented and complex. This has led to an increased focus on potentially creating a U.S. federal privacy law, perhaps along the lines of the GDPR or otherwise protecting individuals’ information more broadly than the sectoral laws now in place. Although it is not clear whether effective national legislation will pass in the immediate future, the continued focus on regulatory solutions to strengthen consumer data privacy appears certain.

Privacy is Important to McAfee

For technology to be effective, individuals and corporations must be able to trust it. McAfee believes that trust in the integrity of systems – whether a corporate firewall or a child’s cell phone – is essential to enabling people to get the most possible out of their technologies. Fundamental to that trust is privacy and the protection of data. McAfee is committed to enabling the protection of customer, consumer and employee data by providing robust security solutions.

Why Privacy Matters to McAfee
  • Protecting our customers’ personal data and intellectual property, and their consumer and corporate products, is a core value.
  • Robust Privacy and Security solutions are fundamental to McAfee’s strategic vision, products, services and technology solutions.
  • Privacy and Security solutions enable our corporate and government customers to more efficiently and effectively comply with applicable regulatory requirements.
  • McAfee believes privacy and security are necessary prerequisites for individuals to have trust in the use of technology.

Effective Consumer Privacy Also Requires Data Security

Today, electronic systems are commonly used by government, business and consumers. There are many types of electronic systems and connected devices used for a variety of beneficial purposes and entertainment. The use of data is a common element across these systems, some of which may be confidential information, personal data and or sensitive data.

A reliable electronic system must have adequate security to protect the data the system is entrusted to process and use. Data leaks and security breaches threaten the ability of customers to trust businesses and their products. Flawed or inadequate data security to provide robust data protection puts consumers’ privacy at risk.

Too often, privacy and information security are thought of as separate and potentially opposing concerns. However, there are large areas of interdependency between these two important policy areas. Privacy and information security must work in harmony and support each other to achieve the goal of consumer privacy. Privacy requires that consumers have the capacity to decide what data about them is collected and processed, and the data must have safeguards driven by appropriately secure technologies and processes.

Data security is the process of protecting data from unauthorized access and data corruption throughout its lifecycle. Privacy is an individual’s right or desire to be left alone and or to have the ability to control her own data. Data security also enables the effective implementation of protective digital privacy measures to prevent unauthorized access to computers, databases and websites. Data security and privacy must be aligned to effectively implement consumer privacy protections.

An effective risk-based privacy and security framework should apply to all collection of personal data. This does not mean that all frameworks solutions are equal. The risks of collection and processing the personal data must be weighed against the benefits of using the data. Transparency, choice and reasonable notice should always be a part of the way data is collected. The specific solutions of a framework may vary based on the risk and specific types of data. The key is to have in place a proactive evaluation (Privacy and Security by Design principles) to provide the most effective protection for the specific application and data use.

Examples Where Privacy Regulations Require or Enable Robust Data Security

Breach Notification Safe Harbor for Encrypted Data in U.S. State Privacy Laws

Data breach notification laws require organizations to notify affected persons or regulatory authorities when an unauthorized acquisition of personal data occurs as defined by the applicable law or regulation. Many U.S. state laws provide a “safe harbor” for data breach notice obligations if the data was encrypted. A safe harbor may be defined as a “provision of a statute or a regulation that reduces or eliminates a party’s liability under the law, on the condition that the party performed its actions in good faith or in compliance with defined standards.”

Security safe harbor provisions may be used to encourage entities and organizations to proactively protect sensitive or restricted data by employing good security practices. Encrypting data may protect the organization from costly public breach notifications.  Encrypted data may be excluded from breach requirements or unauthorized access to encrypted data may not be considered a “breach” as defined in the statute. To be protected by an encryption “safe harbor” exemption, the breached organization must encrypt data in compliance with the state statute. The state-specific statutes may also require control of the encryption keys to claim safe harbor.

GDPR Security Requirements

The General Data Protection Regulation (GDPR) went into effect in the European Economic Area (EEA) in 2018, enhancing further the privacy rights of residents of the EEA.  In addition to allowing EEA residents access to personal data collected about them, the GDPR requires companies interacting with this data to perform risk analyses to determine how to secure the data appropriately.  The GDPR lays out basic security requirements in Article 32, GDPR Security of processing, which requires entities to “ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services.”

Controllers of personal data must also have appropriate technical and organizational measures to satisfy the GDPR. Business processes that handle personal data must be designed and implemented to meet the GDPR security principles and to provide adequate safeguards to protect personal data.

Implementing a robust security framework to meet the GDPR requirements means the organization should proactively evaluate its data security policies, business practices and security technologies, and the organization must develop security strategies that adequately protect personal data.

Next Steps:

Federal policymakers need to pass uniform privacy legislation into law. A key part of this effort must include sufficiently strong cybersecurity provisions, which are imperative to protecting data, as evidenced by GDPR and thoughtful state breach notification laws. Instead of relying on hard regulations to incent organizations to implement strong security, policymakers should include a liability incentive – a rebuttable presumption or a safe harbor – in privacy legislation. Such an approach, ideally aligned to NIST’s flexible Cybersecurity Framework, would enable policy makers to promote the adoption of strong security measures without resorting to a “check the box” compliance model that has the potential to burden customers and discourage innovation in cyber security markets.

The post Why Data Security Is Important appeared first on McAfee Blogs.

]]>
https://securingtomorrow.mcafee.com/other-blogs/executive-perspectives/why-data-security-is-important/feed/ 0
Federal, State Cyber Resiliency Requires Action https://securingtomorrow.mcafee.com/other-blogs/executive-perspectives/federal-state-cyber-resiliency-requires-action/ https://securingtomorrow.mcafee.com/other-blogs/executive-perspectives/federal-state-cyber-resiliency-requires-action/#respond Tue, 16 Apr 2019 15:00:42 +0000 https://securingtomorrow.mcafee.com/?p=94907

It is no shock that our state and local infrastructures are some of the most sought-after targets for foreign and malicious cyber attackers, but the real surprise lies in the lack of preventive measures that are able to curb them. Major attention has been drawn to the critical gaps that exist as a result of […]

The post Federal, State Cyber Resiliency Requires Action appeared first on McAfee Blogs.

]]>

It is no shock that our state and local infrastructures are some of the most sought-after targets for foreign and malicious cyber attackers, but the real surprise lies in the lack of preventive measures that are able to curb them. Major attention has been drawn to the critical gaps that exist as a result of an ever-expanding attack surface, making old system architectures an increasing liability.

Recently, the city of Albany, New York became a victim of a ruthless ransomware attack, which created a series of municipal service interruptions. Residents weren’t able to use the city’s services to obtain birth certificates, death certificates or marriage licenses, and the police department’s networks were rendered inoperable for an entire day. This resulted in an enormous disruption of the city’s functionality and made clear that the threat to infrastructure is more real than ever. Bolstering state and local digital defenses should be of the utmost priority, especially as we near the 2020 presidential elections when further attacks on election infrastructure are expected. We must take the necessary precautions to mitigate cyberattack risk.

The reintroduction of the State Cyber Resiliency Act by Senators Mark Warner (D-VA) and Cory Gardner (R-CO), and Representatives Derek Kilmer (D-WA) and Michael McCaul (R-TX), does just that. The legislation demonstrates a critical bipartisan effort to ensure that state, local and tribal governments have a robust capacity to strengthen their defenses against cybersecurity threats and vulnerabilities through the Department of Homeland Security (DHS). States have made clear that they suffer from inadequate resources to deal with increasingly sophisticated attacks, but also the most basic attacks, which require proper safeguards and baseline protection. This bill works to strategically address the challenges posed by a lack of resources to deal with emerging threats.

The possibility of cyber warfare must not be taken lightly and has long gone ignored. This bill shows that the status quo of kicking the can further down the road will no longer stand as a “strategy” in today’s political and cybersecurity landscape. Action is necessary to better secure our national security and the systems upon which every sector of our economy relies, from utilities to banking to emergency first responders to hospital networks to election infrastructure. It is our responsibility to create and support the safeguards against bad actors looking for gaps in our infrastructure.

The bill makes states eligible for grants to implement comprehensive, flexible cybersecurity plans that address continuous vulnerability monitoring, protection for critical infrastructure systems and a resilient cybersecurity workforce. States would also be able to repurpose funds to various local and tribal governments. In addition, the bill would implement a 15-person committee to review the proposed plans and track the spending of state and local governments. This committee would help states and localities formulate and deliver annual reports to Congress that detail the program’s progress. The specific funding was not disclosed, but this effort showcases the timeliness of the issue and why it is such an imperative step at this stage in time.

We must take basic steps to ensure the security of our state and local systems, and enable systems to be patched, maintained and protected from outside threats. This bill is a welcomed and needed effort by lawmakers to address the existing challenges states and local governments and infrastructures are dealing with every day.  As adversaries become increasingly sophisticated and targeted in their attack strategies, we have a responsibility to best equip states and localities with the necessary tools to close gaps and mitigate gaps.

We at McAfee are committed to partnering with federal, state and local governments to equip them with the best strategies to create a better and more secure cybersecurity future.

The post Federal, State Cyber Resiliency Requires Action appeared first on McAfee Blogs.

]]>
https://securingtomorrow.mcafee.com/other-blogs/executive-perspectives/federal-state-cyber-resiliency-requires-action/feed/ 0
Privacy and Security by Design: Thoughts for Data Privacy Day https://securingtomorrow.mcafee.com/other-blogs/executive-perspectives/privacy-and-security-by-design-thoughts-for-data-privacy-day/ https://securingtomorrow.mcafee.com/other-blogs/executive-perspectives/privacy-and-security-by-design-thoughts-for-data-privacy-day/#respond Mon, 28 Jan 2019 14:00:56 +0000 https://securingtomorrow.mcafee.com/?p=93986

Data Privacy Day has particular relevance this year, as 2018 brought privacy into focus in ways other years have not. Ironically, in the same year that the European Union’s (EU) General Data Protection Regulation (GDPR) came into effect, the public also learned of glaring misuses of personal information and a continued stream of personal data […]

The post Privacy and Security by Design: Thoughts for Data Privacy Day appeared first on McAfee Blogs.

]]>

Data Privacy Day has particular relevance this year, as 2018 brought privacy into focus in ways other years have not. Ironically, in the same year that the European Union’s (EU) General Data Protection Regulation (GDPR) came into effect, the public also learned of glaring misuses of personal information and a continued stream of personal data breaches. Policymakers in the United States know they cannot ignore data privacy, and multiple efforts are underway: bills were introduced in Congress, draft legislation was floated, privacy principles were announced, and a National Institute of Standards and Technology (NIST) Privacy Framework and a National Telecommunications and Information Administration (NTIA) effort to develop the administration’s approach to consumer privacy are in process.

These are all positive steps forward, as revelations about widespread misuse of personal data are causing people to mistrust technology—a situation that must be remedied.

Effective consumer privacy policies and regulations are critical to the continued growth of the U.S. economy, the internet, and the many innovative technologies that rely on consumers’ personal data. Companies need clear privacy and security expectations to not only comply with the diversity of existing laws, but also to grow businesses, improve efficiencies, remain competitive, and most importantly, to encourage consumers to trust organizations and their technology.

If an organization puts the customer at the core of everything it does, as we do at McAfee, then protecting customers’ data is an essential component of doing business. Robust privacy and security solutions are fundamental to McAfee’s strategic vision, products, services, and technology solutions. Likewise, our data protection and security solutions enable our enterprise and government customers to more efficiently and effectively comply with regulatory requirements.

Our approach derives from seeing privacy and security as two sides of the same coin. You can’t have privacy without security. While you can have security without privacy, we strongly believe the two should go hand in hand.

In comments we submitted to NIST on “Developing a Privacy Framework,” we made the case for Privacy and Security by Design. This approach requires companies to consider privacy and security on the drawing board and throughout the development process for products and services going to market. It also means protecting data through a technology design that considers privacy engineering principles. This proactive approach is the most effective way to enable data protection because the data protection strategies are integrated into the technology as the product or service is created. Privacy and Security by Design encourages accountability in the development of technologies, making certain that privacy and security are foundational components of the product and service development processes.

The concept of Privacy and Security by Design is aspirational but is absolutely the best way to achieve privacy and security without end users having to think much about them. We have some recommendations for organizations to consider in designing and enforcing privacy practices.

There are several layers that should be included in the creation of privacy and data security programs:

  • Internal policies should clearly articulate what is permissible and impermissible.
  • Specific departments should specify further granularity regarding policy requirements and best practices (e.g., HR, IT, legal, and marketing will have different requirements and restrictions for the collection, use, and protection of personal data).
  • Privacy (legal and non-legal) and security professionals in the organization must have detailed documentation and process tools that streamline the implementation of the risk-based framework.
  • Ongoing organizational training regarding the importance of protecting personal data and best practices is essential to the continued success of these programs.
  • The policy requirements should be tied to the organization’s code of conduct and enforced as required when polices are violated.

Finally, an organization must have easy-to-understand external privacy and data security policies to educate the user/consumer and to drive toward informed consent to collect and share data wherever possible. The aim must be to make security and privacy ubiquitous, simple, and understood by all.

As we acknowledge Data Privacy Day this year, we hope that privacy will not only be a talking point for policymakers but that it will also result in action. Constructing and agreeing upon U.S. privacy principles through legislation or a framework will be a complicated process. We better start now because we’re already behind many other countries around the globe.

The post Privacy and Security by Design: Thoughts for Data Privacy Day appeared first on McAfee Blogs.

]]>
https://securingtomorrow.mcafee.com/other-blogs/executive-perspectives/privacy-and-security-by-design-thoughts-for-data-privacy-day/feed/ 0
Step Up on Emerging Technology, or Risk Falling Behind https://securingtomorrow.mcafee.com/other-blogs/executive-perspectives/step-up-on-emerging-technology-or-risk-falling-behind/ https://securingtomorrow.mcafee.com/other-blogs/executive-perspectives/step-up-on-emerging-technology-or-risk-falling-behind/#respond Fri, 18 Jan 2019 22:00:30 +0000 https://securingtomorrow.mcafee.com/?p=93885

Earlier last year, the U.S. Commerce Department’s Bureau of Industry and Security (BIS) put out a call for public comment on criteria for identifying emerging technologies that could potentially be subject to future export control regulations. The tech industry responded in full force, providing recommendations for how the federal government can ensure U.S. competitiveness in […]

The post Step Up on Emerging Technology, or Risk Falling Behind appeared first on McAfee Blogs.

]]>

Earlier last year, the U.S. Commerce Department’s Bureau of Industry and Security (BIS) put out a call for public comment on criteria for identifying emerging technologies that could potentially be subject to future export control regulations. The tech industry responded in full force, providing recommendations for how the federal government can ensure U.S. competitiveness in the global market while supporting the development of emerging technology (read comments submitted by McAfee here).

Emerging technology poses an interesting challenge for tech companies and federal regulators alike. In many cases, technologies that BIS designates as “emerging,” such as AI and machine learning, are already in widespread use around the world. Other technologies like quantum computing are very much in the research and development phase but have the potential to alter the course of national security for decades to come. Many of these technologies are difficult to define and control, and many are software-based, which greatly complicates the development of regulation. Software technologies, by their very nature, are fundamentally different from physical items and physical process technologies. Their intangible, readily-reproducible character makes software-based technologies inherently difficult to define and control.

This task is enormous and must be handled cautiously, as history has provided countless examples of how overregulation has the capability to hamper development. A poignant example of overregulation at the cost of progress is the automobile industry. According to Deloitte, although tough restrictions on automobiles were nothing but well-intentioned in the late 1800’s, regulation greatly hampered research and advancement. The early days of the automobile industry should serve as a cautionary tale when it comes to regulating new and innovative technology.

The U.S. is in a unique position to act to protect our technological interest and secure the nation’s position as a global leader. The U.S. secured a pivotal tech leadership role, having spearheaded the development of the internet in the early 1990’s. The nation has immense power and potential to take the mantle on emerging technology, and the stakes are high. Some of the country’s greatest accomplishments have stemmed from empowering the private sector and encouraging innovation. For example, tremendous strides in private sector space exploration have been made possible due to the support and administration of empowering legislation. Companies like SpaceX and Boeing are creating next generation space technology, working each day to ensure that the U.S. maintains competitiveness.

Cybersecurity is another area that requires particular attention. Given the global availability of cybersecurity tools, many of which make use of the emerging technologies under review, McAfee understands that great care needs to be taken by our government before imposing additional export controls on American cyber companies. These rules can have the unintended and harmful consequence of stunting the growth and technical capabilities of the very companies that currently protect vital U.S. critical infrastructure, including federal and state government infrastructure, from cyber-attacks. As a leading nation, it is critical to stay ahead of threats by criminal actors. This is only possible if cyber companies have the ability to access global markets to fund the research and development needed to keep pace with rapid innovation. Controls should be implemented with a great understanding of the need to stay competitive in global innovation, particularly when it comes to cybersecurity.

Overregulation could cause great harm, and the U.S. government must tread carefully in administering a carefully-crafted, targeted approach. Rather than burdening U.S. software companies with new and substantial export control compliance costs, the U.S. should seek to empower these companies. Any controls deemed essential by the government should be as narrowly tailored as possible, especially given the broad range of current and future companies and technologies. A multilateral approach to export controls on emerging technologies is vital for U.S. companies to remain innovative and competitive in the global marketplace. This cautious approach would ensure alignment between the private and public sectors, ultimately allowing for emerging technology to be front and center. Providing an ecosystem in which the technology of tomorrow can flourish is essential to the U.S. continuing to blaze the trail on emerging technologies.

The post Step Up on Emerging Technology, or Risk Falling Behind appeared first on McAfee Blogs.

]]>
https://securingtomorrow.mcafee.com/other-blogs/executive-perspectives/step-up-on-emerging-technology-or-risk-falling-behind/feed/ 0
New DHS Agency Will Provide Needed Emphasis on Cybersecurity https://securingtomorrow.mcafee.com/other-blogs/executive-perspectives/new-dhs-agency-will-provide-needed-emphasis-on-cybersecurity/ https://securingtomorrow.mcafee.com/other-blogs/executive-perspectives/new-dhs-agency-will-provide-needed-emphasis-on-cybersecurity/#respond Mon, 03 Dec 2018 14:00:54 +0000 https://securingtomorrow.mcafee.com/?p=92843

Cybersecurity is playing an increasingly greater role in our government and economy. As our world becomes more interconnected, the cyberthreat landscape is growing and rapidly evolving. To address both physical threats and cyberthreats, the leading federal agency must have the flexibility and resources to quickly mitigate any potential interruptions or harm. Last week, a critical […]

The post New DHS Agency Will Provide Needed Emphasis on Cybersecurity appeared first on McAfee Blogs.

]]>

Cybersecurity is playing an increasingly greater role in our government and economy. As our world becomes more interconnected, the cyberthreat landscape is growing and rapidly evolving. To address both physical threats and cyberthreats, the leading federal agency must have the flexibility and resources to quickly mitigate any potential interruptions or harm.

Last week, a critical step was taken in how the Department of Homeland Security (DHS) manages cybersecurity. The long-awaited Cybersecurity and Infrastructure Security Agency (CISA) Act was signed into law by the president, reorganizing the former National Protection and Programs Directorate (NPPD) into CISA. The permanent establishment of a stand-alone federal agency equipped to deal with cyberthreats is long overdue and welcome among the cybersecurity community.

CISA will be its own department within DHS, similar to the Transportation Security Administration (TSA), and will be led by cybersecurity expert, NPPD Under Secretary Christopher C. Krebs, who has had a distinguished career in both the public and private sectors. Establishing CISA as a stand-alone agency within DHS elevates both the mission of cybersecurity in the federal government and cybersecurity’s importance and solidifies the position of cybersecurity in our economy.

This is a smart decision on the part of Congress and the White House. It will help the newly created agency outline its priorities, advocate for a separate budget, and further develop recruitment efforts. CISA’s leaders will have the ability to continue to drive a culture of cybersecurity within our federal agencies and workforce while enhancing their capabilities to partner with the private sector to address our nation’s most critical cybersecurity threats.

McAfee looks forward to continuing to work with Christopher C. Krebs and his able team, led by CISA Assistant Director for Cybersecurity Jeanette Manfra.

 

The post New DHS Agency Will Provide Needed Emphasis on Cybersecurity appeared first on McAfee Blogs.

]]>
https://securingtomorrow.mcafee.com/other-blogs/executive-perspectives/new-dhs-agency-will-provide-needed-emphasis-on-cybersecurity/feed/ 0
NIST’s Creation of a Privacy Framework https://securingtomorrow.mcafee.com/business/nists-creation-of-a-privacy-framework/ https://securingtomorrow.mcafee.com/business/nists-creation-of-a-privacy-framework/#respond Wed, 31 Oct 2018 19:50:12 +0000 https://securingtomorrow.mcafee.com/?p=92370

On Tuesday, Oct. 16, the National Institute of Standards and Technology (NIST) held its “Kicking off the NIST Privacy Framework: Workshop #1” in Austin, Texas. I was honored to be asked to participate. This was the first in a series of public workshops focusing on the development of a useful and voluntary Privacy Framework, like […]

The post NIST’s Creation of a Privacy Framework appeared first on McAfee Blogs.

]]>

On Tuesday, Oct. 16, the National Institute of Standards and Technology (NIST) held its “Kicking off the NIST Privacy Framework: Workshop #1” in Austin, Texas. I was honored to be asked to participate. This was the first in a series of public workshops focusing on the development of a useful and voluntary Privacy Framework, like the NIST Cybersecurity Framework (CSF).

Event participation was outstanding. NIST’s initial registration for the event was filled in less than 90 minutes. Realizing they needed a bigger room, NIST moved to a space that nearly doubled the potential attendance. When the reopening of the registration was announced, it was filled in less than an hour. Many well-known names in the privacy field attended, with the audience primarily consisting of privacy consultants, lawyers, and other professionals trying to figure out how the Privacy Framework fits into their future.

NIST previously brought together both public and private sector individuals interested in solving problems that face us all. The CSF was a highly successful effort to develop a lightweight, valuable, and adoptable framework focused on improving the “security programs” of organizations. While initially developed in response to presidential executive order 13636, the CSF was never meant to be a government document. Speaking to critical infrastructure and cybersecurity organization representatives at the first Cybersecurity Framework meeting, previous NIST director Dr. Pat Gallagher said, “This is not NIST’s framework, this is yours.” He was absolutely right.

Over the next year, more than 3,000 professionals participated in CSF workshops, responded to requests for information, and provided comments on work-in-progress drafts. The result was something that achieved the CSF’s initial goals: It’s beneficial to all sectors and is usable by a range of organizations from small businesses to some of the largest corporations on the planet. The CSF is having a positive global influence with its adoption by various countries. It’s also assisting in the global alignment of cybersecurity languages and practices.

NIST has established many of the same goals for the Privacy Framework. These goals include:

  1. Developing the Privacy Framework through a consensus-driven, open, and highly transparent process
  2. Establishing a common language, providing for a consistent means to facilitate communication across all aspects of an organization
  3. Ensuring it is adaptable and scalable to many differing types of organizations, technologies, lifecycle phases, sectors, and uses
  4. Developing a voluntary, risk-based, outcome-based, and non-prescriptive privacy framework
  5. Ensuring it is usable as part of any organization’s broader corporate risk management strategy and processes
  6. Taking advantage of and incorporating existing privacy standards, methodologies, and guidance
  7. Establishing it as a living document that is updated as technology and approaches to privacy change and as stakeholders learn from implementations

During the Privacy Framework Kickoff, I was pleased to hear questions that were similar to what I heard during the initial CSF Kickoff. There was real tension in the room during the CSF Kickoff—a sense of not knowing how it was going to impact organizations’ cybersecurity-related responsibilities. The same tension was present during the Privacy Framework Kickoff conversations. We are just beginning to try to understand a solution that doesn’t yet exist.

It’s hard to see the result of a Privacy Framework from where we sit today. How can we develop and position a framework like this to be valuable for both U.S. and global businesses? What is intended for this effort? What are potential definition needs? What is harm? What new technology could influence this? How do we position this for the next 25 years of privacy, not just the past five?

We have started down a path that will likely take more than a year to complete. I envision the emerging Privacy Framework as addressing best practices in privacy while being compatible with and supporting an organization’s ability to operate under the various domestic and international legal or regulatory regimes. The Privacy Framework should not be focused on the legal aspects of privacy, but rather on what organizations need to consider in their own privacy programs. This is a journey just begun. From my perspective, the workshop on Oct. 16 was an outstanding start to the development of a consensus-driven Privacy Framework. I look forward to the active discussions and work ahead.

The post NIST’s Creation of a Privacy Framework appeared first on McAfee Blogs.

]]>
https://securingtomorrow.mcafee.com/business/nists-creation-of-a-privacy-framework/feed/ 0
State County Authorities Fail at Midterm Election Internet Security https://securingtomorrow.mcafee.com/other-blogs/executive-perspectives/state-county-authorities-fail-at-midterm-election-internet-security/ https://securingtomorrow.mcafee.com/other-blogs/executive-perspectives/state-county-authorities-fail-at-midterm-election-internet-security/#respond Wed, 24 Oct 2018 07:00:10 +0000 https://securingtomorrow.mcafee.com/?p=92178

One of the things we at McAfee have been looking at this midterm election season is the security of election infrastructure at the individual county and state levels.  A lot of media and cybersecurity research focus has been placed on whether a major national attack could disrupt the entire U.S. voting infrastructure. Headlines and security […]

The post State County Authorities Fail at Midterm Election Internet Security appeared first on McAfee Blogs.

]]>

One of the things we at McAfee have been looking at this midterm election season is the security of election infrastructure at the individual county and state levels.  A lot of media and cybersecurity research focus has been placed on whether a major national attack could disrupt the entire U.S. voting infrastructure. Headlines and security conferences focus on the elaborate “Hollywood-esque” scenarios where tampering with physical voting machines allows them to be hacked in 45 seconds, and the entire election system falls apart via a well-orchestrated nation state attack.  The reality is, information tampering and select county targeting is a more realistic scenario that requires greater levels of attention.

A realistic attack wouldn’t require mass voting manipulation or the hacking of physical machines. Rather it could use misinformation campaigns focused on vulnerable gaps at the county and state levels. Attackers will generally choose the simplest and most effective techniques to achieve their goal, and there are certain targets that have been overlooked which could prove to be the most practical avenues an attacker could take if their objective was to influence the outcome of an election cycle.

A well-crafted campaign could focus on specific states or congressional districts where a close race is forecasted. An attacker would then examine which counties would have a substantive impact if barriers were introduced to reduce voter turnout, either in total, or a specific subset (such as those in rural or urban parts of a district which generally have a strong correlation to conservative and liberal voting tendencies respectively).

Actors could use something as simple as a classic bulk email campaign to distribute links to fraudulent election websites that give voters false information about when, where and how to vote.  Given the fact that voter data can be purchased or even freely obtained from numerous recent breaches, a very specific and targeted campaign would be trivial.  As we will see – there are multiple challenges for a typical voter to identify legitimate from fraudulent sites, and the legitimate sites are often lacking the most basic security hygiene.

With this in mind we looked at how constituents get information from their election boards at the county level. County websites are typically the first place a citizen would go to look up information on the upcoming local elections.  Such information might include voter eligibility requirements, early voting schedules, deadlines to register, voting hours and other critical information.

McAfee ATR researchers surveyed the security measures of county websites in 20 states and found that the majority of these sites are sorely lacking in basic cybersecurity measures that could help protect voters from election misinformation campaigns.

What’s in a Website Name?

Our first disturbing revelation was that there’s no consistency as to how counties validate that their websites are legitimate sites belonging to genuine county officials.

I stumbled upon this initially because I live in Denton County Texas, where the voter information site is votedenton.com. When I saw that, I was a little perplexed because the county actually uses a website address with a .com top level domain (TLD) name rather than a .gov TLD in the name.

Domain names using .gov must pass a U.S. federal government validation process to confirm that the website in question truly belongs to the official government entity. The use of .com raised the question of whether such a naming process is common or not across county websites in Texas and in other states.

This is important, because unlike .gov sites where there is a thorough vetting process and background checks (including government officials as references), anyone can buy a .com domain.

We found that large majorities of county websites use top level domain names such as .com, .net and .us rather than the government validated .gov in their web addresses. Our findings essentially revealed that there is no official U.S. governing body validating whether the majority of county websites are legitimately owned by actual legitimate county entities.

Our study focused primarily on the swing states, or the states that were most influential in the election process, and thus the most compelling targets for threat actors.  Minnesota and Texas had the largest percentage of non-.gov domain names with 95.4% and 95% respectively. They were followed by Michigan (91.2%), New Hampshire (90%), Mississippi (86.6%) and Ohio (85.9%).

McAfee researchers found that Arizona had the largest percentage of .gov domain names, but even this state could only confirm 66.7% of county sites as using the validated addresses.

The other thing that was very concerning was that significant majorities of county sites did not enforce the use of SSL, or Secure Sockets Layer certificates. These digital certificates protect a website visitor’s web sessions, encrypting any personal information voters might share and ensuring that bad actors can’t redirect site visitors to fraudulent sites that might give them false election information.

SSL is one of the most basic forms of cyber hygiene, and something we expect all sites requiring confidentiality or data integrity to have at a minimum.  The fact that these websites are lacking in the absolute basics of cyber hygiene is troubling.

Maine had the highest number of county websites protected by SSL with 56.2%, but the state was something of an outlier. West Virginia had the greatest number of websites lacking in SSL security with 92.6% unprotected, followed by Texas (91%), Montana (90%), Mississippi (85.1%) and New Jersey (81%).

Above all, there was no consistency within states, let alone across the nation, in website naming or in how effectively SSL was applied to protect voters.

The following Orange County site protects user information with SSL at the voter registration section of the site, but not at the main home page, meaning an attacker could manipulate the content of the top-level site and replace the legitimate registration link with a fraudulent one. Those accessing the site would subsequently never be able to navigate to the legitimate protected site.

Florida’s Broward County became famous (perhaps infamous) during the 2000 presidential election as one of the state’s counties for which then-Vice President Al Gore requested a vote recount. Today, the site is not protected by SSL and has a .org address that is not distinguishable from a fake .org domain.  The browser itself actual calls out “Not Secure” when you go to the site.

Even sites that report election results are utilizing non-.gov domains, such as the Glades County site below.

This following site from Scioto County in Ohio uses an unvalidated .NET top level domain and doesn’t protect site visitors with SSL.

The Fulton County Ohio site uses an unofficial .com top level domain and is also missing enforced SSL support.

The following site from New York’s Albany County uses an unvalidated .com TLD. It also fails to use SSL protection on the site’s critical voter information pages.

Lacking Basic Protection

Because SSL protection is a very well understood website security practice, the lack of it does not instill confidence that other systems managed at local levels are adequately secured.

Given how important the democratic process of voting is to our society and way of life, we must work to better secure these critical information systems.

If you think about a close election race with rural or urban district elements to it, a malicious actor could simply send emails to hundreds of thousands of voters in rural or urban parts of the municipality and direct voters to the wrong voting locations. Such an actor would essentially be disrupting, misdirecting and perhaps even suppressing voter turnout through misinformation.  No systems would be taken off line, no physical harm done, and likely no one would even notice until election day when angry voters showed up to the wrong sites.

We developed the following phishing email message to provide an educational example of what such an election campaign message might look like (we did NOT uncover it as a part of a real phishing campaign currently in progress):

To avoid early detection, it is most likely that a coordinated attack would take place just hours, perhaps a few days before a critical vote; the threat actors would want to provide enough time to reach a critical mass for election disruption, but little enough time to avoid detection and remediation.  At that point what could you even do?

Influencing the electorate through false communications is more practical, efficient and simpler than attempting to successfully hack into hundreds of thousands of voting machines. Such a scenario is much easier to execute than tampering with voting machines themselves, and it scales to achieve the broad election objective any malicious actor might desire.

What Must Be Done Nationally

Regardless of whether central regulation or best practice publication are the best approaches to election security, we need better security standardization for all of the supporting systems that deal with elections.

While it might be difficult to pass a federal law that would mandate things like .gov naming standardization or utilizing SSL protection, an organization like the U.S. Department of Homeland Security could take a leading role by recommending these best practices.

How Voters Can Protect Themselves Locally

First, regarding SSL protection, anyone can always determine whether or not their communication with a website is protected by SSL by looking for an “HTTPS” in a site’s website address in the address bar of their browser. Some browsers also show a key or lock icon to make SSL protection easier for users to spot before they share street addresses, dates of birth, Social Security Numbers, credit card numbers or other sensitive personal information.  

As for the validity of election websites, McAfee encourages voters across the country to rely on state voter registration and election sites.  Such sites have a better track record of utilizing .gov TLDs and generally enforce SSL to protect integrity and confidentiality.   These sites may navigate voters to their local sites which may suffer from the security issues described in this blog, but utilizing a state secured .gov site as a starting point is better than a search engine.

State voter registration websites:

  1. Alabama
  2. Alaska
  3. Arizona
  4. Arkansas
  5. California
  6. Colorado
  7. Connecticut
  8. DC
  9. Delaware
  10. Florida
  11. Georgia
  12. Hawaii
  13. Idaho
  14. Illinois
  15. Indiana
  16. Iowa
  17. Kansas
  18. Kentucky
  19. Louisiana
  20. Maine
  21. Maryland
  22. Massachusetts
  23. Michigan
  24. Minnesota
  25. Missouri
  26. Montana
  27. Nebraska
  28. Nevada
  29. New Hampshire
  30. New Jersey
  31. New Mexico
  32. New York
  33. North Carolina
  34. North Dakota
  35. Ohio
  36. Oklahoma
  37. Oregon
  38. Pennsylvania
  39. Rhode Island
  40. South Carolina
  41. South Dakota
  42. Tennessee
  43. Texas
  44. Utah
  45. Vermont
  46. Virginia
  47. Washington
  48. West Virginia
  49. Wisconsin
  50. Wyoming

Finally, state governments provide information phone numbers allowing voters to confirm election information. McAfee encourages voters to call these official phone numbers to confirm any seemingly contradictory information sent to them, particularly if voters received any email or other online messages regarding changes to planned election processes (time, location, ballots, etc.).

Our country’s democracy is worth a phone call.

 

For more perspectives on U.S. election security, please read here on the topic.

The post State County Authorities Fail at Midterm Election Internet Security appeared first on McAfee Blogs.

]]>
https://securingtomorrow.mcafee.com/other-blogs/executive-perspectives/state-county-authorities-fail-at-midterm-election-internet-security/feed/ 0
Securing the Social Security Number to Protect U.S. Citizens https://securingtomorrow.mcafee.com/business/modernizing-the-social-security-number/ https://securingtomorrow.mcafee.com/business/modernizing-the-social-security-number/#respond Wed, 10 Oct 2018 13:01:19 +0000 https://securingtomorrow.mcafee.com/?p=91724 With cyber criminals having more flexibility in funding and operations than ever before, U.S. citizens are vulnerable not only to breaches of security but also of privacy. In the United States, no article of personal information is meant to be more private or secure than the Social Security Number (SSN). This is for good reason. […]

The post Securing the Social Security Number to Protect U.S. Citizens appeared first on McAfee Blogs.

]]>
With cyber criminals having more flexibility in funding and operations than ever before, U.S. citizens are vulnerable not only to breaches of security but also of privacy. In the United States, no article of personal information is meant to be more private or secure than the Social Security Number (SSN). This is for good reason. The SSN has become a common identifier in the U.S. and is now integrated into many identification processes across different institutions.

The SSN is also the gateway to all sorts of other personal information – health records, financial positions, employment records, and a host of other purposes for which the SSN was never designed but has come to fulfill. What do all these pieces of information have in common? They are meant to be private.

Unfortunately, the unforeseen overreliance on the SSN as an identifier has left citizens’ identities vulnerable. The reality is that the SSN can easily be stolen and misused. It is a low-risk, high-reward target for cybercriminals that is used for fraudulent activities and also sold in bulk on the cybercrime black market. This has resulted in major privacy and security vulnerabilities for Americans, with some estimates saying that between 60 percent and 80 percent of all SSNs have been stolen. For example, Equifax and OPM breaches exposed probably millions of SSNs.

This is not a new problem.

Twenty-five years ago, computer scientists voiced concerns about sharing a single piece of permanent information as a means of proving a person’s identity. The issue has only recently gained national attention due to major breaches where cyber criminals were able to access millions of consumers’ personal online information. So, why hasn’t there been any significant measure put in place to safeguard digital identities?

A major reason for a lack of action on this issue has been a lack of incentives or forcing functions to change the way identity transactions work. But it’s time for policymakers to modernize the systems and methods that identify citizens and enable citizens to prove their identity with minimal risk of impersonation and without overtly compromising privacy.

The good news is that the U.S. has the technology pieces to put in place a high-quality and high security identity solution for U.S. citizens.

There are reasonable and near-term steps we can take to modernize and protect the Social Security Number to create better privacy and security in identification practices. McAfee and The Center for Strategic and International Studies (CSIS) recently released a study on Modernizing the Social Security Number with the aim of turning the Social Security Number into a secure and private foundation for digital credentials. The report’s ultimate recommendation is to replace the traditional paper Social Security card with a smart card — a plastic card with an embedded chip, like the credit cards that most people now carry. Having a smart card rather than a paper issued SSN would make the SSN less vulnerable to misuse.

A smart card is a viable solution that already has the infrastructure in place to support it. However, there are other potential solutions that must not be overlooked, such as biometrics. Biometrics measure personal features such as voice, fingerprint, iris and hand motions. Integrating biometrics into a system that relies on two-factor authentication would provide a security and privacy threshold that would make it very difficult for cybercriminals to replicate.

What is most critical, however, is that action is taken. This is an issue that deserves immediate attention and action. Every day this matter remains unresolved is another day cyber criminals continue their efforts to compromise consumer data in order to impersonate those whose data has been breached.

With the Social Security Number serving as the ultimate identifier, isn’t it time that we modernize it to address today’s evolving privacy vulnerabilities? Modernizing the SSN will help with authentication, will provide more security, and will help safeguard individual privacy. Modernizing the SSN must be a high priority for our policymakers.

The post Securing the Social Security Number to Protect U.S. Citizens appeared first on McAfee Blogs.

]]>
https://securingtomorrow.mcafee.com/business/modernizing-the-social-security-number/feed/ 0
McAfee Showcases ESM-TYCHON Cyber Scorecard at Security Through Innovation Summit https://securingtomorrow.mcafee.com/other-blogs/mcafee-partners/mcafee-showcases-esm-tychon-cyber-scorecard-at-security-through-innovation-summit/ https://securingtomorrow.mcafee.com/other-blogs/mcafee-partners/mcafee-showcases-esm-tychon-cyber-scorecard-at-security-through-innovation-summit/#respond Tue, 22 May 2018 15:53:14 +0000 https://securingtomorrow.mcafee.com/?p=89005 On Tuesday, May 22, McAfee will host the 2018 Security Through Innovation Summit at the Willard Intercontinental Hotel in Washington, D.C. The half-day event will showcase a dynamic lineup of private and public sector experts addressing the key issues central to the future of federal cybersecurity and IT. This year’s showcase features the latest certified […]

The post McAfee Showcases ESM-TYCHON Cyber Scorecard at Security Through Innovation Summit appeared first on McAfee Blogs.

]]>
On Tuesday, May 22, McAfee will host the 2018 Security Through Innovation Summit at the Willard Intercontinental Hotel in Washington, D.C. The half-day event will showcase a dynamic lineup of private and public sector experts addressing the key issues central to the future of federal cybersecurity and IT.

This year’s showcase features the latest certified McAfee Security Innovation Alliance (SIA) integration combining McAfee Enterprise Security Manager (ESM) 10.3 with TYCHON, an enterprise endpoint management and endpoint detection and response (EDR) technology developed by Tychon LLC (Tychon). This combined solution addresses the U.S. Department of Defense (DoD) Cyber Scorecard mandate, which measures progress on targets set in DoD’s Cybersecurity Discipline Implementation plan released in 2015. The plan identified key tasks related to proper cyber management, such as requiring strong user authentication, removing outdated software and internet-facing web servers that no longer have an operational requirement, and properly aligning networks and information systems.

Of course, all these tasks require resources, and according to the recent McAfee report, Hacking the Skills Shortage, demand for cybersecurity professionals is outpacing the supply of qualified workers. However, nine out of 10 respondents said that cybersecurity technology could help compensate for a skills shortage. The shortage of qualified workers coupled with the vast number of cyber threats facing organizations highlights the need for integrated solutions that achieve more with fewer resources.

In combination with McAfee Policy Auditor, TYCHON provides real-time actionable information needed to populate the complete DoD Cyber Scorecard. The ESM-TYCHON integration enables McAfee customers to visualize the ten threat assessment items presented in the Cyber Scorecard via dynamic dashboards in real-time, including a Summary Dashboard presented by ESM, and a Detail Dashboard powered by TYCHON.

Specifically, the Detail Dashboard presents the status of each of the following:

  • Web Server Public Key Infrastructure (PKI)
  • User Logon
  • Host Based Security System (HBSS) Services
  • STIG Compliance
  • Microsoft Windows Patches
  • Linux/OSX Updates
  • System Compliance

Together, the McAfee-Tychon integration facilitates effective cyber incident response by providing executive summaries (overall scores) of an organization’s assets (endpoints) and reporting asset benchmark results. The Scorecard can filter data by asset, organizational group, and task results.

Such capabilities provide a critical advantage when organizations must maximize their teams’ abilities to effectively detect threats, reduce risks and ensure compliance. This latest McAfee SIA partner integration with Tychon offers customers a certified, integrated solution that allows them to resolve threats faster with fewer resources.

McAfee recently announced 19 new partners to the McAfee SIA program, and seven newly certified, integrated solutions. This partner ecosystem helps accelerate the development of open and interoperable security products, simplify integration with complex customer environments, and provide a truly integrated, connected security ecosystem to maximize the value of existing customer security investments.

Please visit our McAfee SIA page for more information on program partners, certified solutions, and membership details.

Please visit Tychon for more information on the TYCHON technology.

Please visit our Security Through Innovation Summit site for more information on this week’s public sector IT event.

The post McAfee Showcases ESM-TYCHON Cyber Scorecard at Security Through Innovation Summit appeared first on McAfee Blogs.

]]>
https://securingtomorrow.mcafee.com/other-blogs/mcafee-partners/mcafee-showcases-esm-tychon-cyber-scorecard-at-security-through-innovation-summit/feed/ 0
Cyber Storm: Strengthening Cyber Preparedness https://securingtomorrow.mcafee.com/business/cyber-storm-strengthening-cyber-preparedness/ https://securingtomorrow.mcafee.com/business/cyber-storm-strengthening-cyber-preparedness/#respond Wed, 09 May 2018 15:00:11 +0000 https://securingtomorrow.mcafee.com/?p=88780 This past April, McAfee employees joined with more than 2000 members of the private industry, federal government, and international partners to participate in a three-day cyber exercise called Cyber Storm, led by the Department of Homeland Security (DHS). The goal of the exercise was to simulate discovery and response to a large-scale, coordinated cyber-attack impacting […]

The post Cyber Storm: Strengthening Cyber Preparedness appeared first on McAfee Blogs.

]]>
This past April, McAfee employees joined with more than 2000 members of the private industry, federal government, and international partners to participate in a three-day cyber exercise called Cyber Storm, led by the Department of Homeland Security (DHS). The goal of the exercise was to simulate discovery and response to a large-scale, coordinated cyber-attack impacting the U.S. critical infrastructure, and improve cybersecurity coordination for the nation.

These exercises are part of DHS’s ongoing efforts to assess and strengthen cyber preparedness and examine incident response processes. The Cyber Storm series also strengthens information sharing partnerships among federal, state, international, and private-sector partners. During the three-day exercise, we simulated a cyber crisis of national and international consequence. This exercise gave the McAfee team the ability to test both internal and external incident response processes in a safe venue.

While DHS does not disclose specific details about the scenario for operational security purposes, Cyber Storm VI featured a multi-sector cyber-attack targeting critical infrastructure that produced realistic global events with varied impacts. McAfee was one of over 100 participating public and private sector organizations.

I had the opportunity to be one of the members sitting inside ExCon or exercise control. This was the nucleus of the cyber exercise! It was a busy three days as new incidents were sent out, watching how teams responded, and adjusting if things didn’t go exactly as planned. This simulation allowed us to learn and gave us a unique opportunity to raise our game. We now have more processes in place ready to deal with cyber-attacks if they were to occur. The teams executed well, revealing the strengths of our critical relationships with government agencies and other private sector organizations.

I was particularly impressed how DHS executed and collaborated with all the various organizations participating. Because the participants took it seriously, it made it feel very real. Given the well-founded concerns around cybersecurity and the demands the cyber threat landscape regularly places on us, it was great to see different organizations from different agencies and vertical industry segments coming together when needed. Such large-scale simulation was no easy feat, but the core planning team in conjunction with all the organization planners made it run without a hitch. For more information on Cyber Storm, visit https://www.dhs.gov/cyber-storm.

The post Cyber Storm: Strengthening Cyber Preparedness appeared first on McAfee Blogs.

]]>
https://securingtomorrow.mcafee.com/business/cyber-storm-strengthening-cyber-preparedness/feed/ 0
With More Than 1,200 Cybersecurity Vendors in the Industry, How Do You Stand Out? https://securingtomorrow.mcafee.com/business/with-more-than-1200-cybersecurity-vendors-in-the-industry-how-do-you-stand-out/ https://securingtomorrow.mcafee.com/business/with-more-than-1200-cybersecurity-vendors-in-the-industry-how-do-you-stand-out/#respond Tue, 08 May 2018 15:00:58 +0000 https://securingtomorrow.mcafee.com/?p=88752 Like most who attend RSA, I set a goal for myself to walk through the North and South exhibit halls and stop by every booth to “keep up” with the latest messaging and capabilities across the cyber landscape. I started off the day optimistic and full of enthusiasm. This year, I decided to keep track […]

The post With More Than 1,200 Cybersecurity Vendors in the Industry, How Do You Stand Out? appeared first on McAfee Blogs.

]]>
Like most who attend RSA, I set a goal for myself to walk through the North and South exhibit halls and stop by every booth to “keep up” with the latest messaging and capabilities across the cyber landscape. I started off the day optimistic and full of enthusiasm. This year, I decided to keep track of the booths I visited even if it was just for a brief few seconds. I went to 287 booths in the North Hall and 279 in the South Hall. That’s right: I counted and hit 566 booths in a little over three hours.

What did I learn from this year’s event? Aside from the latest industry buzzwords and jargon, — threat sharing, machine learning, AI, data lakes, SOC automation, attack surface discovery and exploitation — every vendor sounded the same, and you had to go beyond the surface level to find out how they differentiate themselves.

I left disappointed that not once did I hear a vendor talk about helping customers by focusing on their desired outcomes, value and service level agreements.

Our marketing team recently released the following data points, which I believe are telling of where we are as an industry.

More than 1,200 vendors compete in the cybersecurity market today. Conservatively, if each vendor offers an average of three products, with each product carrying an average of five features, that would make the cybersecurity market replete with nearly 20,000 features.

There is no shortage of competition for features in our industry. Look at most cybersecurity vendor websites and you’ll find lots of content around product capabilities. It’s no wonder customers are under assault by relentless adversaries. Each new threat vector requires a new defensive technology, which typically takes the form of a new product (if not a new vendor), complete with its own set of features.

That’s why McAfee focuses on sound architectural principles when designing modernized cybersecurity environments. We provide an open, proactive and intelligent architecture to protect data and stop threats from device to cloud. This allows customers to onboard new defensive technologies quickly to maximize their effectiveness. And, with our open, integrated approach, customers benefit from an overall security system with a whole greater than the sum of its parts. They get the benefit of both worlds: abundant vendor choice within a unified, cohesive system.

RSA 2019 Goals: Find vendors who are talking about solving customer challenges by focusing on outcomes, architecture interoperability, efficacy and efficiencies with some service level agreements mixed in for good measure. I really believe McAfee is setting a new higher standard for the cyber landscape that is essential and meaningful to our customers and the partner ecosystem. Let’s see if anybody else does something similar (or, if anybody else follows suit, or something like that).

The post With More Than 1,200 Cybersecurity Vendors in the Industry, How Do You Stand Out? appeared first on McAfee Blogs.

]]>
https://securingtomorrow.mcafee.com/business/with-more-than-1200-cybersecurity-vendors-in-the-industry-how-do-you-stand-out/feed/ 0
McAfee vNSP and AWS Are Winning Combination for Enterprise and Federal Customers https://securingtomorrow.mcafee.com/business/mcafee-vnsp-and-aws-are-winning-combination-for-enterprise-and-federal-customers/ https://securingtomorrow.mcafee.com/business/mcafee-vnsp-and-aws-are-winning-combination-for-enterprise-and-federal-customers/#respond Fri, 20 Apr 2018 15:00:28 +0000 https://securingtomorrow.mcafee.com/?p=88583 Fun Facts: ECS stood up and managed the first security operations center at the White House. Today, ECS manages the world’s largest McAfee installation—employing just about every solution we make—for the U.S. Army. ECS is more than a McAfee Platinum Partner: they’ve built their entire security solution around McAfee products. The company’s unique offering to […]

The post McAfee vNSP and AWS Are Winning Combination for Enterprise and Federal Customers appeared first on McAfee Blogs.

]]>
Fun Facts: ECS stood up and managed the first security operations center at the White House. Today, ECS manages the world’s largest McAfee installation—employing just about every solution we make—for the U.S. Army.

ECS is more than a McAfee Platinum Partner: they’ve built their entire security solution around McAfee products. The company’s unique offering to Enterprise, military, intelligence and federal civilian combines their award-winning managed services powered by McAfee, and high-level competencies across the Amazon Web Services (AWS) product suite.

ECS has earned service delivery certifications for every McAfee product, participating regularly in betas and trials of new software with active input into the development of new products. Its AWS bona fides are equally ambitious: ECS is an AWS Premier Consulting Partner, an Audited Managed Service Partner, and one of the world’s largest AWS resellers.

For the past 17 years, ECS (formerly InfoReliance) has built a managed-services offering that focuses on delivering custom solutions for clients in regulated industries such as government and defense, but the company also has a large and growing roster of high-profile enterprise and commercial customers. ECS focuses its security solutions around the threat defense lifecycle, applying not only McAfee products but complementary solutions from McAfee Security Innovation Alliance.

“Our choice to provide a single-vendor security platform and deliver McAfee at scale is one of the things that makes us unique,” remarks Andy Woods, Director of Managed Cybersecurity at ECS. “It means our organization can have a depth of expertise that’s frankly unmatched by anyone else in the industry. We also believe it’s the best way to be technology-heavy and people-light, and to automate as much of the cybersecurity lifecycle as we can.”

The McAfee Virtual Network Security Platform (vNSP) and its tight synergy with AWS is a large focus of ECS’s business. Tim Gonda, ECS security engineer and vNSP expert, explains: “We feel it is important to recognize that as part of the AWS shared responsibility model, it is up to us to ensure the security of our virtual networks. We leverage vNSP as a way to augment the security of native AWS capabilities. We are able to establish more flexible controls for protecting our own workloads, as well as providing custom-tailored solutions to our clients.”

In one example of a customer’s virtual private cloud (VPC) deployment, the ECS team launched a vNSP controller into the VPC, and deployed sensors per subnet. The application service also included the lightweight, host-based traffic redirector. “One of the biggest differentiators of vNSP versus other products is that it allows us to monitor internal VPC traffic, as well as traffic leaving the VPC, in an extremely lightweight framework,” Gonda comments. “In this example, we managed the lateral traffic within the VPC, as well as traffic going out to the internet, while providing custom filters and rules looking for specific threats on the wire.”

The application of vNSP with AWS-driven VPCs is just one example of ECS’s fearless innovation in today’s marketplace. Woods notes, “We’re proud of our internally developed intellectual properties, such as our iRamp billing system. We developed one of the very first DXL-enabled technologies within the partner community. We were also early adopters of integrated security through McAfee ePO, born out of a need to support clients in regulated industries.”

Woods concludes, “Our clients are focused on value management of their cybersecurity spend and how we can help them reduce their risk not only today but into the future. We deliver security customized security outcomes for every organization we work with. We’re confident in McAfee’s ability to scale along with core competencies on the endpoint, whether on-premises or in the cloud. The connected infrastructure is a key differentiator for us as we deliver managed services to customers across all verticals. For us, ‘Together is Power’ means being able to solve our clients’ cybersecurity problems in the most powerful manner possible, through a single platform of connected technologies.”

The post McAfee vNSP and AWS Are Winning Combination for Enterprise and Federal Customers appeared first on McAfee Blogs.

]]>
https://securingtomorrow.mcafee.com/business/mcafee-vnsp-and-aws-are-winning-combination-for-enterprise-and-federal-customers/feed/ 0
What do cybersecurity and the board game Battleship have in common? https://securingtomorrow.mcafee.com/business/cybersecurity-board-game-battleship-common/ https://securingtomorrow.mcafee.com/business/cybersecurity-board-game-battleship-common/#respond Fri, 02 Mar 2018 22:49:34 +0000 https://securingtomorrow.mcafee.com/?p=84947 A long day of encouraging a customer to reconsider their lack of desire to develop a plan, build a security architecture that included automation and orchestration –  with the ability to measure value vs. just adding tools as needed – led to a very late-night drive home. I was encouraged the customer invited me back […]

The post What do cybersecurity and the board game Battleship have in common? appeared first on McAfee Blogs.

]]>
A long day of encouraging a customer to reconsider their lack of desire to develop a plan, build a security architecture that included automation and orchestration –  with the ability to measure value vs. just adding tools as needed – led to a very late-night drive home. I was encouraged the customer invited me back to prove my case, but it was one of those days that left me shaking my head. In reflecting on the day and all the discussions, I kept thinking back to how many times both sides used the words “cybersecurity strategy.”

Clearly, strategy is one of those words that takes on different meaning depending on the context. A thought that came to mind on my drive home was that cybersecurity is very much like the board game Battleship. Both involve strategy, and operate in a “static model”.  In the game Battleship, as you may recall, the game play is simple: each player arranges five ships—an aircraft carrier, battleship, cruiser, submarine, and destroyer—on a ten-by-ten grid of squares and attempts to “sink” his opponent’s ships by calling out the squares where he believes his enemy’s ships are hiding. Most players approach the game as essentially one of chance, targeting squares at random and hoping for a “hit.” In the Battleship game, once the player positions and arranges their ships they cannot move them so in turn they become static targets. One could say the same holds true for our classic cyber security defenses. Once we position all our defensive sensors across our environments they remain static.

But is there a better strategy? In Cybersecurity we tend to deploy strategy in a similar fashion. We establish a perimeter, network and internal protections with Firewalls, Security Gateways, IPS’s, Endpoint Security etc., and wait for the adversary to guess where to attack us. They then refine their method until they achieve their objective. Clearly it is time for a change in cybersecurity game theory.

One concept that has not been yet fully explored is that of the Moving Target Defense (MTD). Not a new concept by any means, early research dates back to prior to 2011, however it is one I believe requires much more attention by the industry. The Department of Homeland Security (DHS) defines MTD as the concept of controlling change across multiple system dimensions in order to increase uncertainty and apparent complexity for attackers, reduce their window of opportunity and increase the costs of their probing and attack efforts. DHS believes in this concept so much they have invested Research & Development money to advance the idea past the concept stage.

MTD assumes that perfect security is unattainable. Given that starting point, and the assumption that all systems are compromised, research in MTD focuses on enabling the continued safe operation in a compromised environment and to have systems that are defensible rather than perfectly secure.

MTD will enable us to create, analyze, evaluate and deploy mechanisms and strategies that are diverse and that continually shift and change over time to increase complexity and cost for attackers, limit the exposure of vulnerabilities and opportunities for attack, and increase system resiliency.

In an ideal case, I envision a scenario where an administrator would have the ability to set via policy variable time intervals to “move or shift” an entire network environment, or enclave including applications along with changing privileged account credentials, and leave a ghost network (think honeynet) in its place to capture forensics data for further review and analysis. There are several new innovative cybersecurity companies out there that have developed unique and forward-thinking deception technologies. I look forward to seeing what the art of the possible is in this space in the near future!

Good luck and good hunting…. Here is to you never having to say, “you sunk my battleship!”

The post What do cybersecurity and the board game Battleship have in common? appeared first on McAfee Blogs.

]]>
https://securingtomorrow.mcafee.com/business/cybersecurity-board-game-battleship-common/feed/ 0
2017 – New Year, Better Security https://securingtomorrow.mcafee.com/other-blogs/executive-perspectives/2017-new-year-better-security/ https://securingtomorrow.mcafee.com/other-blogs/executive-perspectives/2017-new-year-better-security/#respond Tue, 03 Jan 2017 22:25:33 +0000 https://securingtomorrow.mcafee.com/?p=67609 Avoid junk food, exercise more, save some money. Every year around this time you can find gazillions (technical term) of articles about New Year’s resolutions and planning, for your job or personal life. I read an article a few years ago that suggested they usually take one of a few forms. Some inspirational feel-good stuff […]

The post 2017 – New Year, Better Security appeared first on McAfee Blogs.

]]>
Avoid junk food, exercise more, save some money.

Every year around this time you can find gazillions (technical term) of articles about New Year’s resolutions and planning, for your job or personal life. I read an article a few years ago that suggested they usually take one of a few forms. Some inspirational feel-good stuff that lulls you into a euphoric sense that everything’s going to be just fine without you having to lift a finger. Some self-important person’s resolutions, which you should care about because, well, they are a very, very important person. What someone’s crystal ball says you should do next year because it’ll make you happy, prosperous, or both.

Avoid malware, practice incident response scenarios, save some money.

In keeping with the tradition I’ll recommend two specific ones that you really should add to the list:

First, read the Commission on Enhancing National Cyber Security report.

Second, get involved in your cyber community and make a difference.

The Commission on Enhancing National Cyber Security released its report on Securing and Growing the Digital Economy on December 1, 2016, with a cover letter to the President and President-elect identifying imperatives, recommendations, and action items. If you are a cybersecurity professional at any level and have not read this document, your first action for 2017 should be to do so. Your second action should be to encourage everyone you know, cyber professional or not, to also read it. This report is not densely technical, and it clearly describes the current state of cyber security and outlines a vision of the future. One of the essential reasons that everyone should read the report is that we all “must be more purposefully and effectively engaged in addressing cyber risks.” The Internet is a commons, and all of us have some level of accountability and responsibility to make it more secure.

The Commissioners organized their findings into six major imperatives, which are well organized and high level enough to cover just about every challenge our government faces in cyber. Helpfully, the commission also provided specific recommendations and action items for each one, to help move them forward.

  1. Protect, defend, and secure today’s information infrastructure and digital networks.
  2. Innovate and accelerate investment for the security and growth of digital networks and the digital economy.
  3. Prepare consumers to thrive in a digital age.
  4. Build cybersecurity workforce capabilities.
  5. Better equip government to function effectively and securely in the digital age.
  6. Ensure an open, fair, competitive, and secure global digital economy.

However, what I found more thought provoking was the “other areas that required more consideration”:

  • How best to incentivize appropriate cybersecurity behaviors and actions and how to determine if or when requirements are called for;
  • Who should lead in developing some of the most urgently needed standards and how best to assess whether those standards are being met;
  • What is the feasibility of better informing consumers, for example, through labeling and rating systems;
  • Which kinds of research and development efforts are most needed and at what cost;
  • How to project the right number of new cybersecurity professionals our economy needs and how to choose among different approaches for attracting and training the workforce at all levels; and,
  • What the roles and relationships of senior federal officials should be and how best to ensure that they not only have the right authorities but are empowered to take the appropriate actions.

Several of these points lead to the second resolution, to get more involved. Whether you are working on the front lines of cybersecurity, setting policy and strategy, or just benefitting from better security in your role, enhancing cybersecurity is a collective responsibility. Talk with your peers, get involved with security standards, educate your customers and suppliers, mentor a new or interested colleague, or just fix your poor password hygiene!

2017 is shaping up to be a very interesting year in cybersecurity. Whatever it brings, here’s wishing you and yours a great start to a new year sure to be filled with many challenges and successes along the way!

https://www.nist.gov/sites/default/files/documents/2016/12/02/cybersecurity-commission-report-final-post.pdf

The post 2017 – New Year, Better Security appeared first on McAfee Blogs.

]]>
https://securingtomorrow.mcafee.com/other-blogs/executive-perspectives/2017-new-year-better-security/feed/ 0