
Security Trends Blog:

Author - John Pescatore

Twelve Word Tuesday: Largest Denial of Service Event in 17 Years Hits US Government

If only DDoS mitigation could divert shutdown from federal agencies towards Congress.

Not So Happy Fiscal New Year's Eve to Government Security Managers!

Today is the last day of Fiscal 2013 for US federal government folks. This may be one of those years where government folks can stay up late at fiscal New Year's Eve parties, watch the glittery ball drop from the OMB tower, and then sleep in on Tuesday morning, because the US Government may be shut down as politicians continue their games.

But not to worry: at last week's AFFIRM conference, government CIOs seemed to think information security would be treated as a critical function and stay funded. From Network World:

'Charles McClam, deputy CIO at the Department of Agriculture, said that mission-critical applications in his organization are housed in data centers around the country, and the employees responsible for keeping them secure are considered exempted personnel, meaning that they ...

Sleepless CISOs Plan on Implementing the Critical Security Controls

I'm always on the lookout for good graphics to use in presentations about security. I recently came across EIQ Networks' recent small survey on "What Keeps IT Pros Up at Night?", which reported roughly equal fears of experiencing a breach and of failing a security audit. Realistic, but still kinda depressing to me.

Failing a security audit doesn't damage a single customer and causes minimal business damage. Experiencing an actual breach can damage millions of customers and causes enormous, career-altering damage to the business.

In a larger SANS survey looking at the adoption of the Critical Security Controls, SANS found that the largest motivation to focus on the Critical Security Controls was to reduce risk (80%) while nearly 40% of adopters were

...

Twelve Word Tuesday: The Good Old Days, When the FBI and Secret Service Fought for Cybersecurity Turf

Cybersecurity, like arson and burglary, is more law enforcement than national defense.

Don't Let Medical System Manufacturers Hide Behind "We Can't Patch Because of FDA Certification"

At the SANS NetSec conference in Las Vegas last week, we had a HealthCare Security breakfast, and one of the issues brought up was that medical machinery and servers often remain vulnerable because the vendors don't issue updates incorporating patches to Windows or other commercial software running underneath the application. The system vendors often claim "We can't patch, because then we would have to go through FDA certification all over again."

This is, to put it politely, a lie. Back in 2005, the FDA issued guidance saying that patching did not necessarily require re-certification; it reiterated that guidance in 2009 after Conficker hit, and reiterated it yet again in June 2013.

I wrote Gartner Research Notes on this in 2006 and 2009, and here we are all those years later still hearing this! Security managers need to get CIOs and operations procurement to

...