Showing posts with label Information Security.

The Cyber Security Act of 2009 Revisited

As the Cyber Security Act of 2009 moves closer to becoming law, I would like to take a closer look at what we can expect in the not so distant future.


Rep. Langevin addresses Congress regarding the Cybersecurity Enhancement Act of 2009.

It looks like the main topic of focus may be the President's ability to shut down the internet.

Greg Nojeim of the Center for Democracy and Technology discusses this issue. He gives DoS attacks on critical infrastructure as the justification for the bill.


President Obama addresses the nation on Cybersecurity. The President announces his plans for securing America's digital future. May 29, 2009. (Public Domain) This address takes place before the Cybersecurity Act of 2009 was introduced. It will be interesting to see how President Obama will handle this piece of legislation.

Cybersecurity Act of 2009

A new Cybersecurity bill is “shaking up” the information security world.

If it becomes law, HR 4061 will help "strengthen domestic cybersecurity talent and find new ways to leverage the expertise that exists in the private sector," says Rep. James Langevin, D-Rhode Island. (USAToday, 2009)

The House passed H.R. 4061, the Cybersecurity Enhancement Act, by an overwhelming vote of 422 Yes to 5 No, with 7 not voting at all. (NYTimes, 2009)

H.R. 4061, now under consideration in the Senate, is known as SB773 - Cybersecurity Act of 2009. Both security and compliance professionals will see many changes if this bill makes it to the President's desk.

The Cybersecurity Act of 2009 is broken down into 23 sections covering a wide range of topics.

Sec. 2 - Findings

In section 2, Congress lists 14 separate reasons why this bill is vital to our national security. Among them are:

(1) America’s failure to protect cyberspace is one of the most urgent national security problems facing the country.

(4) The Director of National Intelligence testified before the Congress on February 19, 2009, that ‘a growing array of state and non-state adversaries are increasingly targeting-for exploitation and potentially disruption or destruction-our information infrastructure, including the Internet, telecommunications networks, computer systems, and embedded processors and controllers in critical industries’ and these trends are likely to continue.

(8) Alan Paller, the Director of Research at the SANS Institute, testified before the Congress that ‘the fight against cybercrime resembles an arms race where each time the defenders build a new wall, the attackers create new tools to scale the wall. What is particularly important in this analogy is that, unlike conventional warfare where deployment takes time and money and is quite visible, in the cyber world, when the attackers find a new weapon, they can attack millions of computers, and successfully infect hundreds of thousands, in a few hours or days, and remain completely hidden.’.

The Cybersecurity Act of 2009 has the potential to turn cybersecurity into the new arms race: one between cybersecurity-minded professionals and those who wish to exploit the latest vulnerabilities in our nation's security systems.

By: Joseph Dustin

Passwords Don't Secure Sh@t!

I often hear the terms strong and secure used when talking about passwords, and this can have adverse effects on overall security. System access controls are often considered the first line of defense against cyber-attacks and hackers. The problem with using passwords for authentication is that passwords are often written down and shared with others. I have seen passwords left in desks, taped to monitors, and placed under the keyboard. When passwords are written down, security becomes fragile.

Even the strongest of passwords are considered weak. Strengthening the access controls over an IT system requires what is known as two-factor or three-factor authentication. Authentication is based upon three known factors:

Something You Know – passwords, PINs, or passphrases, which are considered the weakest of all the authentication types. Passwords can be guessed, brute-forced, shared, stolen, or compromised.

Something You Have – smart cards, USB tokens, and key fobs, which can be lost, stolen, broken, shared, borrowed, or duplicated.

Something You Are – biometrics, which include fingerprint scans, voice scans, and retina/iris scans.

Two-factor authentication, then, means combining two different types of authentication. An example would be a password combined with a key fob, or something similar to the Kronos time system I currently use at work: Kronos requires employees to present a badge and a fingerprint to clock in. Three-factor authentication requires all three and is considered the strongest.

So the next time you hear someone say they have a secure password, let them know that a password on its own is not considered secure authentication. Security is achieved through two- or three-factor authentication.
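As an added example (not the post's own code), here is a two-factor login check in Python: the password is the something-you-know factor, and an RFC 6238 TOTP code, a standard key-fob and authenticator-app mechanism, is the something-you-have factor. The password, salt and token secret are constructed demo values; the token secret is the RFC 6238 test-vector secret so the codes can be checked against the published vectors.

```python
"""Two-factor login: a password (something you know) plus a TOTP code from
a token (something you have). TOTP follows RFC 6238, standard library only."""
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed demo credentials, not real ones. The token secret is what would be
# provisioned into the key fob or authenticator app at enrolment.
_PBKDF2_ROUNDS = 200_000
_SALT = b"constructed-demo-salt"
_TOKEN_SECRET = b"12345678901234567890"  # RFC 6238 Appendix B test-vector secret
_PASSWORD_HASH = hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, _PBKDF2_ROUNDS)


def totp(secret: bytes, unix_time: int, digits: int = 6, step: int = 30) -> str:
    """RFC 6238 TOTP with HMAC-SHA1: HOTP over the 30-second time counter."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def password_ok(password: str) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, _PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, _PASSWORD_HASH)   # constant-time compare


def token_ok(code: str, now: Optional[int] = None) -> bool:
    """Accept the current 30-second window plus one step either side for clock drift."""
    now = int(time.time()) if now is None else now
    return any(hmac.compare_digest(code, totp(_TOKEN_SECRET, now + d)) for d in (-30, 0, 30))


def login(password: str, code: str, now: Optional[int] = None) -> bool:
    """Both factors must pass. Both are always evaluated so a failure does not
    reveal (via timing) which factor was wrong."""
    know = password_ok(password)
    have = token_ok(code, now)
    return know and have


if __name__ == "__main__":
    # Constructed run at the RFC test time T=59: the right password alone fails.
    print(login("correct horse", "000000", now=59))                 # False
    print(login("correct horse", totp(_TOKEN_SECRET, 59), now=59))  # True
```

Note that a password plus a PIN or security question is still only one factor (two things you know); the second factor must come from a different category, as the post describes.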


By: Joseph Dustin

An Overview of Loss Prevention and I.T. Security

Loss prevention encompasses a wide range of threats, and loss prevention professionals have to be ready to handle each type of threat that could affect their corporation.

There are four main types of threats:
  • Natural
  • Environmental
  • Technical
  • Human

Natural Threats – Tornados, Earthquakes, Hurricanes/Typhoons, Floods, Landslides, Lightning Storms, Heavy Rains, Blizzards, Fires, etc.

Environmental Threats – Gas Leaks, Fires, Toxic Waste, Pandemics, Fuel Outages, Drainage Chokes, Neighborhood Hazards, etc.

Technical Threats – Power Outages, IT Systems Failure, Fires, System Breakdowns, Manufacturing Defects, Malicious Code, etc.

Human Threats – Terrorism, War, Spying, Sabotage, Theft, Arson, Hacking, Immoral Employee Ethics, Legal Disputes, Unaware Users, etc.


A study conducted by Robert W. Taylor et al., in the book Digital Crime and Digital Terrorism, states that 73% of the risk to computer security comes from internal sources, while 23% is attributable to external sources. Internal threats include violence in the workplace, theft of proprietary information, sabotage, infiltration by gangs or organized crime, and terrorism. (Purpura pg. 134, Security and Loss Prevention) One of the most obvious threats is theft. Theft can be broken down into sub-categories including shoplifting, occupational fraud and abuse, employee theft, and, as described by Purpura, theft of proprietary information.

The I.T. threat from within is of great concern to those who wish to protect a company’s proprietary information. There are many reasons that companies would want to protect their data. Reasons may stem from loss of trade secrets, compliance, national defense, the fear of lawsuits, defalcation, or business continuity. Whatever the reason, companies have good reason to be concerned about I.T. security.

The Fourth Annual US Cost of Data Breach Study, an independent study conducted by Ponemon Institute, states that the average cost of data loss has risen to $202, up from last year’s $197 per customer record.

Internal threats and data loss can be intentional or accidental and are caused by current employees, former employees, or third-party employees. There are many I.T. threats that corporations face every day. I.T. threats include many of the main threats listed above, with an emphasis on information technology business continuity and security.

To get a better understanding of what an I.T. security professional needs to know, we can look to the International Information Systems Security Certification Consortium, (ISC)2, for guidance. (ISC)2 has developed one of the most highly regarded and sought-after information security certifications, the Certified Information Systems Security Professional (CISSP) certification. Books that help you study for the CISSP, such as CISSP for Dummies by Lawrence Miller and Peter Gregory, are broken down into what is known as the Common Body of Knowledge (CBK) domains. Ten domains illustrate the vast range of topics that must be mastered to earn the CISSP certification. The domains are (excerpted from CISSP for Dummies):

Access Control – is about securing the perimeter; many security breaches result from inadequate Access Controls.

Telecommunications and Network Security – This domain is easily the most extensive and encompasses topics like networking models, protocols, standards, services, technologies, and vulnerabilities.

Information Security and Risk Management – This domain gets to the heart of Information Security Concepts and Risk Management concepts.

Application Security – essential concepts to understand in this domain are principles of applications, applications, application development, and databases.

Cryptography – you must fully understand the basic operation of cryptographic systems and how they apply in real-world applications.

Security Architecture and Design – this domain requires knowledge of security models, embedded systems, and basic computer architecture.

Operations Security – this domain details resources that must be protected, who should be restricted, control mechanisms available, the potential for abuse of access, appropriate controls, and good practices.

Business Continuity and Disaster Recovery Planning – detailed knowledge of Business continuity Planning and Disaster Recovery Planning are needed.

Legal, Regulations, Compliance, and Investigations – in this domain you must know what a computer crime is, how to conduct an investigation and collect evidence, and understand what laws may have been violated and the (ISC)2 Code of Ethics.

Physical (Environmental) Security – understand the various threats to physical security. Elements include planning and design, physical security controls, and administrative controls, physical security controls, access controls and technical controls.

By: Joseph Dustin