Tuesday, February 24, 2015

The Emerging Science of Digital Forensics


Managing Director, Greer Institute for Leadership and Innovation


Without question, the rise in cyberleaks, nation-state cyber terrorism and the beach of consumer data across multiple industry domains has led to a heightened awareness of the enterprise and personal responsibilities associated with cybersecurity. The consumerization of IT and the adoption of cloud, mobile and social media by enterprise organizations is opening a new threat landscape and new threat vectors. Everyone is affected and everyone is talking about it, from senior executives to teenagers.

In its SecureWorks “The Next Generation of Cybercrime” executive brief, Dell cites a study conducted by the Ponemon Institute, which found that “the average cost of a data breach was $7.2 million in 2010.” The rate of cybercrime and the impact of cyberbreaches have exponentially accelerated since then. This has resulted in the emerging science of digital forensics.

Digital forensics can be described as the science of preserving and analyzing digital evidence useful in the development of legal cases against cyber criminals. This new and growing field includes high-tech crime investigation and computational defense across traditional IT like hardware, servers, operating systems and networks, as well as the new digital environments of social, mobile and cloud. The emerging science of digital forensics and cybercrime investigation has become very important for national security, law enforcement, and information assurance. This convergent science combines law, computer science, finance, telecommunications, data analytics, and policing disciplines.
There are a number of companies that are responding with new digital forensic processes, methods tool and solutions. In its digital forensics solution, Dell cites the use of a six-step digital forensic life cycle designed to leverage cloud computing and data center operations in the processing of digital evidence. Chief information security officers are using these new frameworks to:
  •        Improve incident response
  •        Develop new digital forensic techniques
  •        Drive new investigatory standards
The cybersecurity landscape is constantly evolving, and it’s up to business and technical leaders to evolve their cyberdefenses in response. Here are key recommendations leaders should consider:
  •        Update and complete an enterprise-wide security risk assessment. Identify security gaps and emerging threats
  •        Link strategic technology investments in security with robust and flexible processes for incident response
  •        Develop real-time monitoring and automated response techniques that provide real-time threat analysis
  •        Move from cyberdefense to cyberthreat intelligence. Develop a cyber toolkit which is more proactive than reactive
Given the continued growth of cyber activity, the emerging science of digital forensics is sure to grow along with the sophisticated frameworks required to gather, analyze and investigate evidence that leads to an increased level of cybersecurity.

(This post was written as part of the Dell Insight Partners program, which provides news and analysis about the evolving world of tech. To learn more about tech news and analysis visit TechPageOne. Dell sponsored this article, but the opinions are my own and don’t necessarily represent Dell’s positions or strategies.)


Bookmark and Share



Cloud Musings
( Thank you. If you enjoyed this article, get free updates by email or RSS - © Copyright Kevin L. Jackson 2015)



Monday, February 16, 2015

African-Americans and STEM careers: Getting a foot in the door



Technology leadership is driven by the innovation and creativity of science, technology, engineering and mathematics (STEM) professionals. STEM careers offer some of the highest-paying jobs and the potential for a high quality of life. However, the realization of such promises has not benefited all segments of the U.S. population, including African-Americans. As we celebrate Black History Month, I share a few facts on this issue, suggest sources for solutions and profile African-American technology trailblazers.

Silicon Valley’s most innovative technology companies have reached phenomenal success levels. There are over 320 million people in the U.S.: 77.7 percent White, 17.1 percent Hispanic, 13.2 percent African-American, 5.3 percent Asian and 51 percent women, according to the U.S. Census. However, Silicon Valley technology companies have employee populations that are 64 percent White, 21 percent Asian, 6 percent Hispanic, 3 percent African-American and 6 percent other. This shows a 10-point gap in the African-American population.

Companies with employees from diverse backgrounds tend to be more creative and profitable. A large body of evidence exists to substantiate this assertion. Diverse collaborative teams leverage a broader perspective of experiences and ideas. They create more innovative products and services that appeal to a wider, global audience. Intel’s chief executive Brian Krzanich recently stated that “without a workforce that more closely mirrors the population, we are missing opportunities, including not understanding and designing for our own customers.”

This complex issue requires creative solutions. Some of the roadblocks include the relatively small pipeline of African-American STEM students, the lack of support and visibility of role models, and the hostile environments encountered by some students and professionals. A few solutions are listed here, including building relationships with schools with large African-American STEM student populations and requiring that candidates from diverse backgrounds be interviewed for STEM positions. From my own experience, a few years ago I spent two hours, over dinner, offering encouragement and advice to a discouraged, young African-American employee who was ready to quit. Within six months, she was the team leader for her department.

Listed below are additional, suggested actions for ruminating on potential solutions:
  • Attend the Black Engineer of the Year STEM Awards Conference. Some of the U.S.’ top technology leaders attend this annual event.
  • Attend the National Society of Black Engineers National Conference. NSBE is a student-run organization. Nearly 10,000 students attend this annual conference.
  • Ask some of the top global technology leaders who are African-American for input. Their trailblazing experiences and ideas can provide valuable insight. (You can start by contacting those profiled below or asking me).

Blazing the trail

Here are five technology trailblazers who walk among us. They have made valuable contributions to our global society and provide inspiration for many. We honor them as innovative African-Americans who have changed the world.

Faye A. Briggs, Ph.D., is a retired Intel Fellow, the company’s top technical position. He was the technical visionary behind Intel’s billion-dollar server business. Dr. Briggs co-founded Axil Computers, which designed and sold multiprocessor computers and storage systems. He is now the CEO and founder of Niminq Inc., a technology consulting firm, and an adjunct professor at Rice University in Houston, Texas.

Mark Dean, Ph.D., is a professor at the University of Tennessee in Knoxville and a retired IBM Fellow, the company’s top technical position. He was also chief engineer for the development of several IBM PC offerings and holds three of the nine patents for the original IBM PC. This includes the Industry Standard Architecture (ISA) “bus,” earning him election to the National Inventors Hall of Fame. Dr. Dean is also a member of the U.S. National Academy of Engineering.

Carol Y. Espy-Wilson, Ph.D., is a professor at the University of Maryland, and director of the Speech Communication Laboratory. Dr. Espy-Wilson founded OmniSpeech LLC, a technology startup company with offerings to address the issue of background noise in cellphone conversations. She is a Fellow of the Acoustical Society of America.

Marc Hannah, Ph.D.co-founded Silicon Graphics Inc. (SGI), a company that became well-known for its computer graphics technology. He was the company’s principal scientist, creating computer programs that were used to create effects for movies like “Jurassic Park,” “Aladdin,” “Beauty and the Beast,” “The Hunt for Red October,” and “Field of Dreams.” His programs have also been used to create television commercials and the opening introduction for Monday Night Football.

Shirley Ann Jackson, Ph.D., is the president of Rensselaer Polytechnic Institute (RPI). Dr. Jackson is a theoretical physicist and the first African-American woman to earn a Ph.D. from MIT in any field. She is the former chairman of the U.S. Nuclear Regulatory Commission and a member of several corporate boards and national and international advisory boards. She is also a former researcher at AT&T Bell Laboratories, a member of the U.S. National Academy of Engineering and a Fellow of the American Physical Society.

What can you do in your organization to promote diversity? Can you share additional success stories? Who do you consider a technology trailblazer?

(This post was written as part of the Dell Insight Partners program, which provides news and analysis about the evolving world of tech. To learn more about tech news and analysis visit TechPageOne. Dell sponsored this article, but the opinions are my own and don’t necessarily represent Dell’s positions or strategies.)

Bookmark and Share



Cloud Musings
( Thank you. If you enjoyed this article, get free updates by email or RSS - © Copyright Kevin L. Jackson 2012)



Thursday, February 12, 2015

U.S. Department of Defense sets its cloud security guidelines



Those watching federal cloud security in the defense space were pleased to learn the Defense DOD Cloud Computing Security Requirements Guide (v1) (SRG) last month. This 152-page document outlines the security requirements that Department of Defense (DOD) mission owners must adhere to when procuring cloud-based services. While the document is very thorough and is required reading if you currently, or intend to provide, cloud-based services to the DOD, I wanted to cover some of the things that stood out to me.
Information Systems Agency (DISA) released the

CSPs are not compliant, but their offerings can be. The requirements guide makes it clear that there is a distinction between a Cloud Service Offering (CSO) and the Cloud Service Provider (CSP). A CSP can have multiple CSOs, all with different security postures.

This has always been the case. However, by making this distinction, DISA has reduced some areas of common confusion. This distinction should also make it clear that utilizing a compliant infrastructure as a service (IaaS) or platform as a service (PaaS) at a CSP does not make the resulting offering compliant. The CSO itself has to be fully evaluated for the Federal Risk and Authorization Management Program (FedRAMP) compliance.

Compliance responsibility is on the prime CSP. Expanding on the last point I made: Everything you put in a CSP environment is not automatically compliant. The SRG states that, “While the CSP’s overall service offering may be inheriting controls and compliance from a third party, the prime CSP is ultimately responsible for complete compliance” (p. 3). This language gives me the sense that if mission owners want to work with a federal integrator (prime contractor) to move an application to a FedRAMP-compliant or soon-to-be-FedRAMP-compliant platform or infrastructure — and that integrator will be performing Operations and Maintenance (O&M) — they will also be responsible for the compliance of the solution and the underpinning platform or infrastructure services from a commercial cloud service provider.

In essence, the solution enabler becomes the prime CSP. This is perhaps an important nuance that may have important ramifications for the integrator and those who provide what DISA dubs commercial cloud service providers. Keep in mind that the SRG also recognizes the existence of DOD-owned and operated CSPs.

FedRAMP + controls. Because DOD systems are categorized differently from other federal government systems, the SRG lists additional security controls and enhancements that are necessary to implement for DOD systems. These controls are over and above the FedRAMP moderate baseline, and as such are called, “plus” controls. The SRG has dealt with privacy and security requirements as “overlays” to all of the FedRAMP and FedRAMP plus baseline controls.

Expanded CSP roles and responsibilities. (Appendix C-1). The SRG denotes that it is the CSP’s responsibility to provide Computer Network Defense (CND) services (all tiers) for its infrastructure and service offerings. CSPs must be willing to provide their own CND services and to be able and willing to contract for more advanced security services as required by a mission owner. Here again, a prime CSP must be willing and able to provide complete compliance, including Computer Network Defense Service Provider (CNDSP) services.

A few takeaways

While this is not an adequate summary of the SRG, this long-awaited guide has provided some clarification around DOD’s expectations from Integrators, CSPs, and DOD mission owners. The DOD has clearly laid out for Integrators and CSPs the expectations for inclusion into the DISA Cloud Service Catalog. It will be interesting to see how and if the definition of a prime CSP evolves and how the industry and government alike adapt to that distinction.

My initial reaction to the SRG is that it limits the playing field of prime CSPs that are able to comply with these requirements today. For small integrators trying to migrate applications to the cloud on behalf of the federal government, it makes the proposition riskier. For example, if small integrators move something to an Amazon Web Services or Microsoft IaaS solution, they are now responsible for the security of the application and that underlying environment. The way this is currently written, I believe that integrators will have to decide whether or not they will take the risk to take responsibility for the application and the underlying environment.

(This post was written as part of the Dell Insight Partners program, which provides news and analysis about the evolving world of tech. To learn more about tech news and analysis visit Tech Page One. Dell sponsored this article, but the opinions are my own and don’t necessarily represent Dell’s positions or strategies.)

Bookmark and Share



Cloud Musings
( Thank you. If you enjoyed this article, get free updates by email or RSS - © Copyright Kevin L. Jackson 2012)



Monday, February 9, 2015

Circles are good for the economy


Contrary to what your mother may have told you, going in circles is sometimes a good thing. When it comes to our economy, it is actually a great thing.

Throughout history, society has built itself up by transforming raw materials into finished, usable products. This manufacturing process has always been linear in that:

  1. Materials (sand, iron, gold, etc.) are evaluated for purpose and taken from nature.
  2. Modified and refined as necessary, these materials are combined and recombined into the services and products we use every day, until…
  3. Their usefulness to society wanes and the everyday products and services are disposed of in a heap of useless trash.
This linear “take, make, dispose” model uses large quantities of easily accessible resources and energy. It is also inefficient and wasteful. Enter the “circular economy.”

“The circular economy refers to an industrial economy that is restorative by intention; aims to rely on renewable energy; minimizes, tracks, and hopefully eliminates the use of toxic chemicals; and eradicates waste through careful design. The term goes beyond the mechanics of production and consumption of goods and services, in the areas that it seeks to redefine (examples include rebuilding capital including social and natural, and the shift from consumer to user).” – Ellen MacArthur Foundation

The circular economy concept has gained momentum since the late 1970s and has six general schools of thought:

  • Regenerative design –  interdisciplinary field of inquiry concerned with a sustainable future
  • Performance economy – the vision of an economy in loops (or circular economy) and its impact on job creation, economic competitiveness, resource savings, and waste prevention
  • Cradle to cradle – focuses on design for effectiveness in terms of products with positive impact and reducing the negative impacts of commerce through efficiency.
  • Industrial ecology – the study of material and energy flows through industrial systems
  • Biomimicry – a discipline that studies nature’s best ideas and then imitates these designs and processes to solve human problems
  • “Blue Economy” –  uses the resources available in cascading systems and the waste of one product becomes the input to create a new cash flow
All this goes to say that circular economies are efficient, and efficiency is good for us all. That is why we should all applaud the individuals and companies that were honored at the 2015 Circular Economy Awards. The Circulars, as they are more commonly called, are given at an annual event that recognizes individuals and enterprises from commerce, civil society and academia that have made a notable contribution to driving circular economy principles.

AWARDWINNER
The Fortune Award for Circular Economy LeadershipSir Ian Cheshire
The Fortune Award for Circular Economy LeadershipJanez Poto?nik
The YGL Award for Circular Economy EntrepreneurshipMethod
The Accenture Award for Circular Economy PioneerDell Inc.
The BT Award for Circular Economy Digital DisruptorTradeshift
The Ecolab Award for Circular Economy Cities / RegionsDanish Business Authority
By winning the Circular Economy Pioneer award, Dell has established a high bar for those in the IT industry. Because the circular economy is an essential component of the company’s vision, the company continually finds ways to minimize the impact of its manufacturing process on the environment.

In following this path, Dell implemented a major redesign across engineering, industrial design, procurement, logistics and marketing, which resulted in the use of post-consumer recycled plastics in its products. Dell also developed the first computer to use certified closed-loop recycled plastics. By setting this important precedent, Dell is using its position as one of the leading global technology vendors to move standards, infrastructure and international policies toward a circular economy.



(This post was written as part of the Dell Insight Partners program, which provides news and analysis about the evolving world of tech. To learn more about tech news and analysis visit TechPageOne. Dell sponsored this article, but the opinions are my own and don’t necessarily represent Dell’s positions or strategies.)




Bookmark and Share



Cloud Musings
( Thank you. If you enjoyed this article, get free updates by email or RSS - © Copyright Kevin L. Jackson 2012)



Wednesday, February 4, 2015

2015 National Chief Information Security Officer Survey



Cybersecurity breaches are seemingly making headline news every day. Recent cases have highlighted identity theft, the loss of personal financial data, and the disclosure of sensitive national security information.  The executive in the hot seat for preventing these failures is the Chief Information Security Officer (CISO).

In order to better understand the challenges and concerns of this critical professional community, the 2015 National CISO Survey is now being conducted.  Commissioned by the National Cybersecurity Institute at Excelsior College, this data will be used to develop and publish actionable information for use by the day to day cybersecurity professionals.

Please take the time and care to participate in this important process.  By doing so you will influence future cybersecurity strategies help establish incident response best practices.  Individuals or specific organizations will not be mentioned.  The results will, however, provide industry vertical relevant insight into national cybersecurity practices, trends and concerns.  You may request a copy of the final report by providing name and email address at the end of the survey.


http://sqz.co/Xf93Tab



( This content is being syndicated through multiple channels. The opinions expressed are solely those of the author and do not represent the views of GovCloud Network, GovCloud Network Partners or any other corporation or organization.)


Bookmark and Share



Cloud Musings
( Thank you. If you enjoyed this article, get free updates by email or RSS - © Copyright Kevin L. Jackson 2012)



Sunday, February 1, 2015

Mobile device security: A new frontier for hackers


Recent security breaches have heightened our awareness of cybersecurity issues. The hack and other security breaches have resulted in unprecedented damages. However, the majority of mobile device users have yet to be sensitized to their personal and corporate security risks.
Staples
For example, a security study found that 69 percent of users store sensitive personal information on their mobile devices.  Examples include banking information, confidential work-related items and provocative videos and photos. In addition, 51 percent of mobile device consumers share usernames and passwords with family, friends and colleagues. This in spite of the fact that 80 percent of such devices are unprotected by security software. 
While mobile device security attacks are relatively small, they are the new frontier for hackers.  Listed below are highlights from several mobile device surveys:
  • The four top threats to mobile devices include: 1) lost and stolen phones; 2) insecure communications; 3) leveraging less-secure, third-party app stores; and 4) vulnerable development frameworks.
  • One in 10 U.S. smartphone owners are victims of phone theft.
  • Mobile malware attacks are increasing, with 2014 exhibiting a 75 percent increase in Android malware attacks on devices.
  • The use of mobile devices to access enterprise resources introduces significant security risks.
Cyberattackers are typically attempting to obtain access to sensitive or personal data, and then use it to access financial accounts. Some methodologies used include social engineering, distributing and executing malware, and accessing data through public Wi-Fi networks.
A recent survey found that phishing and scams for winning free stuff were the most popular SMS attacks. Unsolicited SMS messages attempted to trick users into providing detailed, sensitive information about their financial accounts at major banks. The mobile malware StealthGenie secretly monitors calls, texts and videos on mobile phones. Bitdefender has been able to break the secure communications between a Samsung watch and an Android device with ease, using brute force sniffing tools. (See “5 New Threats to Your Mobile Device Security” for more information.)
These are a sampling of the numerous cybercriminal methodologies for accessing user finances and data. Listed below are some user actions for reducing or minimizing a successful attack:
  • Always enable password or PIN protection on your device.
  • Run scans using a respected security and malware program on a regular basis (see the best antivirus software for Android devices).
  • Subscribe to managed mobile device services such as anti-malware and mobile device locator services; also lock the device and wipe all data in the event of device theft.
  • Encrypt mobile device data.
  • Install/run the latest versions of your device OS and all mobile apps.
  • Upgrade to the most recent firmware for your mobile device.
  • Do not access secure or highly sensitive information while using public Wi-Fi networks.
  • Avoid clicking on ads on your mobile devices.
  • Do not configure phones to allow the installation of apps from unknown sources, e.g., only download  from well-known and trusted app stores (although they are not foolproof).
  • Observe all corporate bring-your-own-device (BYOD) and related policies.
In addition, ISO lists some common sense advice regarding mobile devices, as included below:
  • Do not openly display a device — keep it in a pocket or handbag.
  • If possible, avoid using it in crowded areas.
  • Properly mark your phone with your ZIP code.
  • If the phone is lost or stolen, report it immediately to the police and to your service provider.
  • Be aware of your surroundings and the people near to you.
  • Do not leave it unattended – keep it with you at all times.
  • Make a note of your phone’s IMEI number.
  • Do not leave a device in view in an unattended vehicle.

( This post was written as part of the Dell Insight Partners program, which provides news and analysis about the evolving world of tech. To learn more about tech news and analysis visit Tech Page One. Dell sponsored this article, but the opinions are our own and don’t necessarily represent Dell’s positions or strategies.)

Bookmark and Share



Cloud Musings
( Thank you. If you enjoyed this article, get free updates by email or RSS - © Copyright Kevin L. Jackson 2012)