GCN : November 2012
Measuring reporting not results

[datapoint] The most common concern for federal IT security professionals is regulatory compliance, according to nCircle's recently released 2012 Federal Information Security Initiatives Trend Study. The results indicate misplaced priorities, said Karen Cummins, nCircle's director of federal markets. "If you pick compliance, that suggests we're a little out of balance," she said.

Agencies are expected to have risk-based security policies and controls in place to help counter the growing threat of online attacks. But despite changes in the way the Federal Information Security Management Act is being implemented, success still is being measured by reporting rather than by results.

"Continuous monitoring" is being replaced by the term "continuous diagnostics and mitigation," which Cummins said better reflects the goals of the program. Automated data streams can be powerful tools for risk remediation, but what is being measured is the ability to report the data to DHS rather than its use within an agency. As a result, "the new FISMA looks a lot like the old FISMA," Cummins said. FISMA metrics that continue to focus on agency compliance rather than on results still can inhibit progress in securing federal IT systems. --- William Jackson

[Chart: "What is your biggest security concern for 2012?" Source: Government Business Council. Categories shown: Paper documents, E-mail, Digital text/documents, Transitory content, Digital audio/video, Drawings/charts, Social media, Film, Microfiche/microfilm, Other.]

Crypto breakthrough? Divide password process to defend against attacks

[Briefing] Password servers, which can hold thousands of credentials for accessing accounts, can be gold mines for hackers and major headaches for any organizations that host sensitive applications --- which is just about any government agency. No matter how strong the password, once it is stolen it can be used by an enemy. And recent attacks by targeted persistent threats demonstrate that it is nearly impossible to ensure that a server is not breached once an attacker has set his sights on it.

RSA, the Security Division of EMC, has announced a tool for protecting stored passwords using a new distributed cryptographic scheme that does away with trusted third parties for authenticating credentials by scrambling and storing them on separate servers. RSA's Distributed Credential Protection (DCP) uses two servers so that breaching one produces no usable information. By comparing cryptographic values to authenticate a user, neither server ever holds the password. Information on the servers can be re-scrambled on the fly, making it difficult for an attacker to get useful information even if both servers are breached.

The idea of distributed cryptography has been around in various forms for at least 30 years, but RSA claims its DCP is the first commercial implementation of the scheme.

How it works

Here is a brief explanation of how it works, as described in a recent blog post on split value cryptographic authentication by Eric Baize, senior director of the EMC Product Security Office:

1. Before the password is stored, a random number generator creates a 256-bit string that is used to scramble the password. The random number is stored in one server (the "red" server) and the transformed password in a separate server (the "blue" server). Neither server contains the "clear text" password, and the information in each server is useless without that in the other.

2. A new random number can be generated at any time and both servers can be updated. This means that even if both servers are compromised, the data is useless if there has been an update between the compromises.

3. To verify a password, the password being submitted is scrambled with a new random number; the scrambled password is sent to the "blue" server and the new random number is sent to the "red" server. Each server then executes a new transformation using the stored data to validate the password. If the two answers match, the password is verified without either server seeing it.

The process is effectively transparent to the user, said Damon Hopley, RSA's senior product manager. "The computing overhead is similar to [Secure Sockets Layer] and other negotiations" commonly used for secure transactions, he said. "It's a very common sense solution."

So why is this solution only now coming to market? "The world has changed a lot in the last two years," Hopley said. Two years ago customers didn't believe that compromised servers would be a fact of life. Today they accept them. So RSA brushed off the crypto scheme about 18 months ago to turn it into a product. • --- William Jackson
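The three steps above, modelled as an added illustration in Python (this is not RSA's DCP code; it is a minimal XOR-based split-value store written for this page). It assumes a PBKDF2 derivation as the "transformed password", a public per-user salt, and a single process standing in for the client plus the "red" and "blue" servers.

```python
import hashlib
import hmac
import os

# Constructed toy split-value store. Each "server" keeps one 256-bit share
# per user; the transformed password is the XOR of the two shares, so one
# share alone is indistinguishable from random (assumption-free property of
# one-time-pad style splitting).
KDF_ITERS = 50_000  # assumption: PBKDF2 stands in for the "transformed password"


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def transform(password: str, salt: bytes) -> bytes:
    # Fixed-length, salted derivation: no server ever stores clear text.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ITERS)


class SplitValueStore:
    def __init__(self) -> None:
        self.red: dict = {}   # "red" server: the random 256-bit string
        self.blue: dict = {}  # "blue" server: transformed password XOR random
        self.salt: dict = {}  # public per-user salt (assumption, not in the article)

    def enroll(self, user: str, password: str) -> None:
        # Step 1: split the transformed password across the two servers.
        r = os.urandom(32)
        self.salt[user] = os.urandom(16)
        self.red[user] = r
        self.blue[user] = xor(transform(password, self.salt[user]), r)

    def refresh(self, user: str) -> None:
        # Step 2: re-scramble both shares with a fresh random value. The XOR of
        # the pair is unchanged, but an old share no longer combines with a new one.
        delta = os.urandom(32)
        self.red[user] = xor(self.red[user], delta)
        self.blue[user] = xor(self.blue[user], delta)

    def verify(self, user: str, password: str) -> bool:
        # Step 3: the submitted password is scrambled with a new random value;
        # blue receives only the scrambled value, red receives only the random value.
        nonce = os.urandom(32)
        to_blue = xor(transform(password, self.salt[user]), nonce)
        blue_answer = xor(to_blue, self.blue[user])  # H(submitted) ^ nonce ^ H(stored) ^ r
        red_answer = xor(nonce, self.red[user])      # nonce ^ r
        # The answers agree exactly when the transformed passwords match; neither
        # server saw the password or the other's share. Constant-time compare.
        return hmac.compare_digest(blue_answer, red_answer)
```

In this toy version the party that compares the two answers learns their XOR, which on a mismatch is H(submitted) XOR H(stored); the shares held by each server stay hidden from the other, which is the property the article describes.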