By GCN Staff

NIST issues final guidance for mobile app security

Today’s mobile-enabled workers have access to a variety of apps that are designed to improve productivity, but an employee who downloads an unsafe app may unwittingly expose an organization’s computer network to security and privacy risks.

The National Institute of Standards and Technology’s Vetting the Security of Mobile Applications (SP 800-163) aims to help organizations assess the security and privacy risks associated with mobile apps, whether developed in-house or downloaded from mobile app marketplaces.

It is the final version of the Technical Considerations of Vetting 3rd Party Mobile Applications guide that was published for comment in August 2014.

The guide offers plans for implementing the vetting process as well as considerations for developing app security requirements, and describes the types of app vulnerabilities and the testing methods to use to detect them. The document also provides guidance for determining if an app is acceptable for an organization to use.

The publication is a guide for developers seeking to understand the types of vulnerabilities that can be introduced during an app’s software development cycle.

Posted on Jan 27, 2015 at 1:02 PM

NIST retires security standards

The National Institute of Standards and Technology is proposing to withdraw six Federal Information Processing Standards from its roster because of their obsolescence or lack of support from developers, according to a Jan. 16 notice in the Federal Register. The FIPS include:

FIPS 188, Standard Security Label for Information Transfer. This standard is now maintained, updated and kept current by the National Archives and Records Administration.

FIPS 191, Guideline for the Analysis of Local-Area Network Security. This standard is being withdrawn because new technologies, techniques and threats to computer networks have made the standard obsolete.

FIPS 185, Escrowed Encryption Standard. Released during the Clinton administration, this standard was based on a secret encryption algorithm called Skipjack that the National Security Agency began developing in 1985. Its goal was to hardwire an encryption standard into computers, communications networks and devices on a so-called Clipper chip that would be accessible to law enforcement agencies conducting lawful electronic surveillance. The system never caught on in the private sector and, according to the Federal Register notice, "is no longer approved to protect sensitive government information."

FIPS 190, Guideline for the Use of Advanced Authentication Technology Alternatives; FIPS 196, Entity Authentication using Public Key Cryptography; and FIPS 181, Automated Password Generator. These FIPS referenced withdrawn cryptographic standards, and newer guidance has been developed based on modern technologies.

Withdrawal means that the FIPS would no longer be part of a subscription service provided by the National Technical Information Service and federal agencies will no longer be required to comply with them. NIST said it will continue to provide relevant information on standards and guidelines by means of electronic dissemination methods.

Comments on the proposed withdrawal of the FIPS should be sent to fipswithdrawal@nist.gov by March 2, 2015.

Posted on Jan 20, 2015 at 10:06 AM

Harrisburg University of Science and Technology

Harrisburg U builds cybersecurity center for state, local gov

The Harrisburg University of Science and Technology’s Government Technology Institute has established a new center focused exclusively on safeguarding government data and systems from unauthorized access.

The Security Center of Excellence (SCoE) is believed to be the first such center focused solely on securing data entrusted to state, county and local governments, the university said.

Cisco, Deloitte Consulting, IBM, Symantec and Unisys have all agreed to sponsor the SCoE and bring their global experts to HU to help GTI showcase the benefits of collaboration among cybersecurity experts from government, academia and the private sector.

“Our goal is to make this a national best practice for training and supporting those within government responsible for safeguarding sensitive data,” said Barb Shelton and Charlie Gerhards, co-directors of the GTI.

Eric Darr, President of HU, said “these are some of the best security companies in the world and they will clearly help this Center to achieve its goal and in turn help Pennsylvania’s governments safeguard citizen data.”

“It also is a tremendous opportunity for our faculty and students to work closely with government IT leaders and distinguished experts from the technology companies that have agreed to help Pennsylvania continually improve cybersecurity,” he added.

The educational program for security specialists in government is planned to begin in spring 2015 and will be followed with seminars, technology testing and collaboration among multiple levels of government.

Posted on Jan 15, 2015 at 9:53 AM

IT spending in SLED market outside IT shops

Low-tech sectors to see more IT spending

Cash-strapped state, local and education (SLED) agencies started feeling the budget pinch around April 2014 and began reeling in their IT spending compared to the previous year.

But while IT departments were decreasing their investments, other areas like education, law enforcement and road construction have been “using technology to better meet their objectives while reducing overall (non-IT) costs,” according to a recent report by Onvia, a government business development consultant.

More communities are investing in body cameras to document the behaviors of public safety officers as a means to increase accountability. Reports indicate body camera technology has doubled from 2013 to 2014. In fact, President Obama recently requested $263 million for body cameras at the state and local level. In the past, municipalities have paid between $50,000 and $1 million for body camera contracts, and there are potentially 9,000 departments that are interested in similar procurements in 2015, Onvia said.

Similarly, communities are also projected to increase investment and procurement of school bus cameras to ensure greater student safety. Most commonly, buses are outfitted with three cameras – inside and outside – and some communities have invested in equipping their entire bus fleet with them.

The education sector has rapidly increased the use of tablets and laptops to keep up with global technology proliferation trends. Tablet contracting increased 21 percent between 2013 and 2014, and this growth is expected to continue. In 2013, 85 percent of Chromebooks sold were placed in school systems, which numbered 2.5 million devices. Other vendors, like Curricula, have focused on bringing technology such as 3D printing into the classroom.

As more people primarily use their mobile devices to access the Internet, governments are making their services and websites more mobile friendly. As such, state and local governments are investing in open data and engagement tools as well as crowdsourcing technology to help drive innovation.

Procurement of intelligent transportation systems has increased by 13 percent, Onvia reported, a trend that is also expected to continue. Intelligent transportation systems are used by state and local governments to alleviate traffic congestion through a combination of sensors, computers and fiber optic networks that update traffic signals in real time based on the current traffic.

The full report is available from the Onvia website.

Posted on Jan 13, 2015 at 10:25 AM

PIN and chip card

Air Force to issue smart travel cards

Like most businesses, the federal government has been concerned about combating fraud and identity theft among its employees. President Obama issued an executive order in October mandating federal agencies make upgrades to their payment and travel systems to increase the security of financial transactions. 

Keeping in line with the president’s vision, the Air Force announced it will begin to issue chip and personal identification number-enabled government travel cards this month to those applying for new cards, those who need replacements or those whose cards will expire this year.

The new cards from Citibank are embedded with a microchip that provides for transaction encryption and an elevated level of authentication. Chip and PIN technology strengthens data security, better protecting cardholders’ personally identifiable information, as well as the government’s sensitive transaction and payment data.

Furthermore, Citi’s chip and PIN cards do not use RFID and so are not susceptible to “skimming issues,” in which hackers remotely read information from RFID cards. Citi’s cards will include both chip technology and magnetic stripe technology, commonly found in ATM cards.

Older cards that feature only a magnetic stripe and a PIN are less secure because they cannot perform dynamic authentication, the process by which the chip generates a different transaction code for every transaction, giving the data stronger protection.

“Starting in January 2015, only Chip and PIN travel charge cards will be issued to DOD personnel,” according to a fact sheet by the Defense Travel Management Office.
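The following is an added illustration of the static-versus-dynamic distinction made above; it is not code from the GCN article, Citibank or the Defense Travel Management Office. It models the magnetic stripe as fixed bytes that look identical at every transaction, and models the chip's per-transaction code as an HMAC over a transaction counter and amount that the issuer recomputes and checks for forward-moving counters. The HMAC construction, key, PAN and amounts are constructed stand-ins for this demonstration, not EMV's actual cryptogram algorithm or any real card data.

```python
import hashlib
import hmac

# Constructed demo key shared by the card and its issuer (not a real key).
CARD_KEY = b"constructed-demo-card-key"


def static_track_data(pan: str, expiry: str) -> bytes:
    """Magnetic stripe model: the same bytes are presented at every swipe,
    so a copy of one transaction is indistinguishable from the original."""
    return f"{pan}={expiry}".encode()


class ChipCard:
    """Chip model: keeps a transaction counter and derives a fresh code
    for each authorization from that counter and the amount."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.atc = 0  # application transaction counter, increments per use

    def authorize(self, amount_cents: int) -> tuple[int, str]:
        self.atc += 1
        msg = f"{self.atc}:{amount_cents}".encode()
        code = hmac.new(self.key, msg, hashlib.sha256).hexdigest()[:16]
        return self.atc, code


class Issuer:
    """Issuer model: recomputes the expected code with the shared key and
    rejects any counter value that does not move forward (a replay)."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.last_atc = 0

    def verify_dynamic(self, atc: int, amount_cents: int, code: str) -> bool:
        msg = f"{atc}:{amount_cents}".encode()
        expected = hmac.new(self.key, msg, hashlib.sha256).hexdigest()[:16]
        if not hmac.compare_digest(expected, code):
            return False  # code does not match amount/counter: tampered or forged
        if atc <= self.last_atc:
            return False  # counter already used: a captured code being reused
        self.last_atc = atc
        return True


def run_demo() -> dict[str, bool]:
    """Exercise both models on constructed values and report the outcomes."""
    card, issuer = ChipCard(CARD_KEY), Issuer(CARD_KEY)

    # Static stripe data: two swipes produce identical bytes, so nothing lets
    # the issuer tell a genuine second swipe from a copied first one.
    swipe1 = static_track_data("4111111111111111", "1217")  # constructed PAN
    swipe2 = static_track_data("4111111111111111", "1217")

    # Dynamic code: first use is accepted, resubmitting it is rejected,
    # and a different amount under the same code is rejected.
    atc, code = card.authorize(4_500)
    first = issuer.verify_dynamic(atc, 4_500, code)
    replay = issuer.verify_dynamic(atc, 4_500, code)
    altered = issuer.verify_dynamic(atc, 99_999, code)

    return {
        "static_swipes_identical": swipe1 == swipe2,
        "dynamic_first_use_accepted": first,
        "dynamic_replay_rejected": not replay,
        "dynamic_altered_amount_rejected": not altered,
    }


if __name__ == "__main__":
    for check, ok in run_demo().items():
        print(f"{check}: {ok}")
```

The counter check is what turns "a different code every time" into a defensive property the issuer can enforce: a code that was valid once is worthless a second time, which static stripe data can never offer.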

Posted on Jan 12, 2015 at 11:31 AM