Vulnerabilities / Threats
2/15/2011
05:36 PM
Connect Directly
Google+
LinkedIn
Twitter
RSS
E-Mail
50%
50%

RSA: Working Together Works

But making public-private partnerships function properly isn't always easy.

Working together is critical to managing cybersecurity risk successfully, but not everyone is on the same page when it comes to how to collaborate effectively, particularly when partnerships stretch across the divide between the public and private sector.

At the RSA Conference in San Francisco, Calif., on Tuesday, pretty much everyone sharing an opinion on the subject of security expressed support for sharing information and knowledge to counter cyber threats.

Scott Charney, Microsoft's corporate VP of trustworthy computing, called for collaborative defenses based on a public health model. William Lynn III, Deputy Secretary of Defense, urged building stronger collective defenses with our allies and better information sharing.

Howard Schmidt, Special Assistant to the President and White House Cybersecurity Coordinator, Philip Reitinger, Deputy Under Secretary for the Department of Homeland Security, and Patrick Gallagher, Deputy Under Secretary of Commerce for Standards and Technology and Director of NIST, all expressed support for collaboration and information sharing across the public and private sector to mitigate cyber security risk.

Though there's widespread agreement that cooperation represents the best defense against the dark arts, there's some heavy lifting required to get from theory to practice.

Lynn, in his keynote address, said that the even if the Department of Defense successfully executes its "Cyber 3.0" strategy, now in the final stages of review, it can't do it alone because most of the national critical infrastructure is in private hands. The Department of Defense has been pushing its senior IT managers to incorporate more practices from the commercial world and Lynn proposed that those in the private sector ought to be mindful of their role in the nation's network defense.

"In the cyber domain, soldiers are not the only ones on the front lines," he said. Civilians ought to take some responsibility for security, in other words.

Lynn suggested that some of the network defense resources provided by the military to the Department of Homeland Security could be made available to assist the private sector, but didn't offer any details about how this might work.

One of the pillars of the "Cyber 3.0" strategy described by Lynn involves marshaling both technology and people to maintain America's preeminence in cyberspace. But there's considerable concern that lack of human resources could hinder that goal.

Reitinger, in a town hall discussion, described cyber security as both a security issue and an economic issue. "It is the cybersecurity workforce of the future that is going to enable our country to succeed," he said, adding his voice to the chorus calling for stronger national efforts develop science, technology, engineering, and math talent.

"We have to make being a geek cool," he said.

Schmidt, during the same discussion, offered a few examples of successful attempts to connect the public and private sector, like the Cyber Storm III exercise last year. And Gallagher confirmed that effective collaboration is occurring at many levels in the government.

But Reitinger stressed that more needs to be done.

"It's just too hard to be secure," he said. "We've got to make it easier."

We have a long way to go, he said, because people don't always understand how to collaborate and share information effectively.

When they hear collaboration, he said, "Some people here think 'kumbaya' and walk out the door and nothing changes."

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-2208
Published: 2014-12-28
CRLF injection vulnerability in the LightProcess protocol implementation in hphp/util/light-process.cpp in Facebook HipHop Virtual Machine (HHVM) before 2.4.2 allows remote attackers to execute arbitrary commands by entering a \n (newline) character before the end of a string.

CVE-2014-2209
Published: 2014-12-28
Facebook HipHop Virtual Machine (HHVM) before 3.1.0 does not drop supplemental group memberships within hphp/util/capability.cpp and hphp/util/light-process.cpp, which allows remote attackers to bypass intended access restrictions by leveraging group permissions for a file or directory.

CVE-2014-5386
Published: 2014-12-28
The mcrypt_create_iv function in hphp/runtime/ext/mcrypt/ext_mcrypt.cpp in Facebook HipHop Virtual Machine (HHVM) before 3.3.0 does not seed the random number generator, which makes it easier for remote attackers to defeat cryptographic protection mechanisms by leveraging the use of a single initial...

CVE-2014-6228
Published: 2014-12-28
Integer overflow in the string_chunk_split function in hphp/runtime/base/zend-string.cpp in Facebook HipHop Virtual Machine (HHVM) before 3.3.0 allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via crafted arguments to the chunk_split ...

CVE-2014-6229
Published: 2014-12-28
The HashContext class in hphp/runtime/ext/ext_hash.cpp in Facebook HipHop Virtual Machine (HHVM) before 3.3.0 incorrectly expects that a certain key string uses '\0' for termination, which allows remote attackers to obtain sensitive information by leveraging read access beyond the end of the string,...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.