Pulse



By GCN Staff


Sandia exploring ephemeral biometrics for insider threat monitoring

Sandia National Laboratories is researching the use of ephemeral biometrics for identity management and insider threat monitoring and is looking for partners, according to an announcement in Federal Business Opportunities.

With ephemeral biometrics, individual identities are tied to active, living biometric data. Using this research, the Energy lab intends to significantly improve the authenticity and integrity of cyber identities.

Ephemeral biometrics will “significantly enhance the defensive capabilities of cyber and physical protection industries by enabling them with proactive insider threat management tools capable of actively mapping cyber/virtual activities into physically monitor-able and controllable identities,” the lab said in its FBO announcement.

Sandia already conducts research in security analyses, application of RIMES (Risk Informed Management of Enterprise Security), response force modeling, cyber security, physical security and supply chain security. Sandia also has advanced biosensor monitoring capabilities combined with a world class fabrication facility to design next generation biometric monitoring diagnostics.

Sandia is seeking Cooperative Research & Development Agreements (CRADA) or Work for Others (WFO) partnership agreements to enable improvements in cybersecurity authentication and for designing and implementing proactive insider threat management tools. 

Posted on Jun 05, 2014 at 9:27 AM


NSA gives Lockheed cyber incident response accreditation

Lockheed Martin earned accreditation from the National Security Agency under a new NSA program designed to recognize companies suited to help other organizations respond to cyberattacks.

The NSA’s Cyber Incident Response Assistance Accreditation (CIRA) program meets a growing need to leverage the cyber security expertise of industry leaders, according to Lockheed.

To be qualified as a CIRA service provider, Lockheed Martin said it was evaluated based on its ability to deliver consistent services and maintain a qualified staff to deliver cyber incident response services.

The evaluation process also included a review of the company's ability to deliver 21 critical focus areas of incident response assistance services to owners and operators of National Security Systems.

The CIRA program is a part of the NSA Information Assurance Directorate’s National Security Cyber Assistance Program. The program focuses on intrusion detection, incident response, vulnerability assessment and penetration testing.

Posted on Jun 03, 2014 at 12:42 PM


Opening up competition in federal IT

The Public Spend Forum, a group focusing on public-sector procurement, analyzed government IT spending and found that a “check the box culture” and a broken requirements and procurement process inhibit competition and limit innovation.

Its recent report, Billions in the Balance: Removing Barriers to Competition & Driving Innovation in the Public-Sector IT Market, makes several recommendations for IT managers:

  • Establish clear lines of authority and accountability.
  • Develop a simple needs and outcomes statement instead of voluminous RFPs.
  • Engage the market early.
  • Develop a cost/outcome (ROI)-focused IT strategy.
    • Focus on minimizing cost/outcome as the ROI of a government program.
    • Implement flexible IT architectures as recommended in the ACT-IAC 7S for Success Framework.
    • Emphasize prototyping and approaches for minimum viable product rollouts.
    • Avoid monolithic acquisition approaches and instead leverage existing procurement vehicles and allow use of alternative vehicles.
  • Encourage smart risk taking.
  • Reduce burdensome requirements and speed up the procurement process.

The Public Spend Forum provides best practices, industry news and open discussion for the public-sector procurement community.

Posted on Jun 02, 2014 at 1:29 PM


NIST to help IT developers build in security

The National Institute of Standards and Technology has launched an effort to develop guidelines for building security into IT systems from the beginning instead of at the end of the IT development process.

NIST, which is asking for public comment on initial guidelines for the project, said it wanted to bring in “widely recognized systems and software engineering principles to bear on the problem of information system security from the beginning … rather than trying to tack it on at the end.”

"We need to have the same confidence in the trustworthiness of our IT products and systems that we have in the bridges we drive across or the airplanes we fly in," said Ron Ross, a NIST Fellow.

The guidelines represent an effort to bring the principles of building reliable physical structures to software engineering design, according to NIST.

“Systems security engineering processes, supported by the fields of mathematics, computer science and systems/software engineering, can provide the discipline and structure needed to produce IT components and systems that enjoy the same level of trust and confidence,” according to NIST.

NIST has released the first set of those guidelines for public comment in a new draft document, Systems Security Engineering: An Integrated Approach to Building Trustworthy Resilient Systems.

The current draft -- and the first stage of the planned process -- describes the fundamentals of systems security engineering and covers 11 core technical processes in systems and software development.

Later public drafts will add material supporting principles of security, trustworthiness and system resilience; use case scenarios; and important nontechnical processes such as risk management and quality control procedures.

NIST asked for comments on the draft by July 11, 2014, which should be sent to sec-cert@nist.gov. NIST expects to publish the final, complete version of the engineering guidelines by December 2014.

Posted on May 27, 2014 at 8:31 AM


Multi-device BYOD management from a single console

Absolute Software Corp. announced Absolute Manage 6.5, which allows IT managers to automate BYOD policies for employee-owned computers, along with tablets and smartphones, from a single console, the company said in an announcement.

Absolute Manage 6.5, which offers full BYOD support for Mac and Windows computers, provides enrollment workflows as well as remote and automated security for corporate and employee-owned devices, including smartphones, tablets and laptops.   

The automated workflow allows users to enroll their devices through a portal using their corporate credentials. Following authentication, Absolute Manage automatically applies device configurations, security settings and software apps directly to the device.     

With the latest release, Absolute Manage will also support Samsung KNOX, a containerization solution native to Samsung’s hardware and Android OS. It also includes Cisco’s Identity Service Engine, a network security feature that provides compliance reporting and enforcement for devices connecting to enterprise networks.

“Many of our customers are receiving requests from employees to bring their personally-owned devices to work. But corporate IT doesn’t want to use multiple consoles and products to secure this range of form factors,” said Errol Olsen, interim CEO at Absolute Software. “The release of Absolute Manage 6.5 will support the Absolute unified IT vision, allowing IT to manage all employee-owned devices from a single console.”


Posted on May 23, 2014 at 9:30 AM