Risk
3/21/2011
04:00 PM
Connect Directly
LinkedIn
Google+
Twitter
RSS
E-Mail
50%
50%

How Wall Street Works With The Feds

Banks and other financial firms learn to share sensitive cybersecurity information with federal agencies.

Beyond Info Sharing

What does the relationship look like from the government's perspective? Given that 85% of the nation's critical infrastructure is owned and operated by the private sector, "we can't execute our mission without public-private partnership," says Jenny Menna, director of critical infrastructure cyber protection and awareness with Homeland Security's National Cyber Security Division.

Toward that end, the National Cyber Security Division aims to take an even more active role in working with companies that operate critical infrastructure, such as utilities. Its largest program for critical infrastructure is the one for securing control systems, which monitor and run devices and processes used by utilities, manufacturers, and industrial operations. The DHS works with vendors and operators that build control systems software, and it has a facility at Idaho National Laboratory, where it tests software, dissects malware, and develops and shares mitigation strategies. The agency also runs training programs for energy sector operators and has trained more than 10,000 staff in basic and advanced security.

"We have people on the road doing site assessments, working with owners and operators to look at their security posture," Menna says. The department conducted more than 50 site assessments last year. In addition, Menna's team responds to security incidents, remotely or on site, by providing support and helping with remediation.

The DHS sees its role as going beyond threat assessment and response. Menna talks of helping companies "make the business case" for cybersecurity.

The DHS has formed a cybersecurity working group that includes representatives from the private sector. In addition, the agency meets regularly with security and business execs through roundtables conducted with the U.S. Chamber of Commerce and the National Cyber Security Alliance, with a goal of raising awareness about threats.

"We help CISOs make the case that cybersecurity is a critical part of the integrated risk management process," Menna says. "It needs to be understood by business people in the C-suites and the board. That's what DHS brings to the table."

Go to the main story:
Why Cybersecurity Partnerships Matter

Previous
3 of 3
Next
Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading, September 16, 2014
Malicious software is morphing to be more targeted, stealthy, and destructive. Are you prepared to stop it?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-3090
Published: 2014-09-23
IBM Rational ClearCase 7.1 before 7.1.2.15, 8.0.0 before 8.0.0.12, and 8.0.1 before 8.0.1.5 allows remote attackers to cause a denial of service (memory consumption) via a crafted XML document containing a large number of nested entity references, a similar issue to CVE-2003-1564.

CVE-2014-3101
Published: 2014-09-23
The login form in the Web component in IBM Rational ClearQuest 7.1 before 7.1.2.15, 8.0.0 before 8.0.0.12, and 8.0.1 before 8.0.1.5 does not insert a delay after a failed authentication attempt, which makes it easier for remote attackers to obtain access via a brute-force attack.

CVE-2014-3103
Published: 2014-09-23
The Web component in IBM Rational ClearQuest 7.1 before 7.1.2.15, 8.0.0 before 8.0.0.12, and 8.0.1 before 8.0.1.5 does not set the secure flag for the session cookie in an https session, which makes it easier for remote attackers to capture this cookie by intercepting its transmission within an http...

CVE-2014-3104
Published: 2014-09-23
IBM Rational ClearQuest 7.1 before 7.1.2.15, 8.0.0 before 8.0.0.12, and 8.0.1 before 8.0.1.5 allows remote attackers to cause a denial of service (memory consumption) via a crafted XML document containing a large number of nested entity references, a similar issue to CVE-2003-1564.

CVE-2014-3105
Published: 2014-09-23
The OSLC integration feature in the Web component in IBM Rational ClearQuest 7.1 before 7.1.2.15, 8.0.0 before 8.0.0.12, and 8.0.1 before 8.0.1.5 provides different error messages for failed login attempts depending on whether the username exists, which allows remote attackers to enumerate account n...

Best of the Web
Dark Reading Radio