Tag Archives: Report

New Sierra-Cedar HR Systems Survey uncovers lack of tech adoption data

LAS VEGAS — A new report emphasized that data-driven HR is a difficult goal to achieve. And it’s even more challenging because few companies track how much employees use — or don’t use — HR applications.

The numbers from the 21st annual Sierra-Cedar HR Systems Survey illustrated the gap: 52% of respondents said HR technology influences their business decisions, but fewer than a quarter of them hold any data on employee buy-in, as measured by how much their HR technology is actually used.

“You have to know how people use your tech,” said Stacey Harris, vice president of research and analytics at Sierra-Cedar, a tech consulting and managed services firm based in Alpharetta, Ga. “[Only] 10% of organizations are measuring HR technology adoption — how their technology is being used. That’s an issue.”

She presented the findings at the HR Technology Conference here this week. TechTarget, the publisher of SearchHRSoftware, is a media partner for the event.

Michael Krupa, senior director of digitization and business intelligence at networking giant Cisco, told Harris he is not surprised by the statistics. To measure adoption, a series of detailed steps is necessary, including documenting HR users, creating metrics based on those personas and then presenting the data in dashboards. Along the way, companies must also determine who monitors adoption data.

“You have to do all that,” Krupa said. “It’s hard.”

There is, however, a statistical correlation: organizations that successfully track HR tech adoption see a 10% increase in favorable business outcomes, Harris said.

Methods to track employee buy-in and HR tech adoption

Sierra-Cedar HR Systems Survey respondents indicated lots of ways to ascertain adoption and use, including the following:

  • measuring mobile and desktop logins;
  • determining average transactions completed during a period of time;
  • running Google Analytics reports;
  • tracking employee self-service volume;
  • talking to employees; and
  • receiving vendor reports on activity.


Chatham Financial, a financial advisory and technology company based in Kennett Square, Pa., tracks logins and sends out satisfaction surveys to users, said Lindsay Evans, director of talent. Chatham’s approach is to think of employees as customers.

However, Evans — who appeared with Harris and Krupa — said it is not always a bad thing to find out employees don’t use an application.

“At my company, we use a time tracker, and people hate it,” she said. “I wish we hadn’t rolled it out. It’s not really saving us a lot of time.”

Data-driven HR raises data privacy concerns

The big picture of human capital management has changed within the last 15 years. Software from back then focused on processes, whereas HR professionals now use a company’s strategy, culture and data governance to evaluate technology, Harris said.

Photo: Stacey Harris, Michael Krupa and Lindsay Evans discuss data-driven HR needs at the HR Technology Conference.

“Data is at the center of your HR technology conversation,” she added.

Broadly, data governance describes steps to ensure the availability, integrity and security of digital information. “Data governance is important, because we need to know where data is stored, how people are using it and where it’s moving,” Krupa said.

With the emphasis on data-driven HR comes the need for cybersecurity and data privacy, and the Sierra-Cedar HR Systems Survey uncovered a twist in who handles those duties. In organizations with all-cloud HR systems, HRIT and HRIS roles are the top choice for data privacy and content security: 48% of those organizations assign the work to HRIT.

By contrast, at 47% of companies with on-premises HR systems, the IT department handles data privacy and content security, and only 18% assign it to HRIT.

“In the cloud environment, [HRIT workers] are the people standing between you and data privacy,” Harris said, adding that this rise in prominence for cloud-based HR indicates HRIT professionals are becoming more strategic in their duties.

Closing thoughts on HR cloud, mobile and spending

Beyond results on HR technology adoption, the Sierra-Cedar HR Systems Survey looked at a wide swath of HR tech issues, including these tidbits:

  • Cloud adoption of HR management systems continues to rise: 68% of companies are heading that way rather than toward on-premises installations, up 14% from last year’s Sierra-Cedar report.
  • Mobile HR has been adopted by 51% of organizations. So, if your company doesn’t use this tech, it lags behind, Harris said. However, this statistic came with a warning, too, as only 25% of companies have a BYOD policy, which hints at data privacy risks, she said.
  • For 2018, 42% of organizations reported plans to increase HR system spending, which is a 10% increase over 2017. “There is no return on investment with HR technology … but there is a return on value,” Harris said. “But you only get more [value] if people are using it.”

For Sale – 6TB WD Red Drive HDD

For sale I have 1 6TB WD Red, in full working order; it is now out of warranty (just).

Please see Health report attached below.

Any questions please ask

Price and currency: £125
Delivery: Delivery cost is included within my country
Payment method: BT
Location: Burnham On Sea
Advertised elsewhere?: Not advertised elsewhere
Prefer goods collected?: I have no preference

______________________________________________________
This message is automatically inserted in all classifieds forum threads.
By replying to this thread you agree to abide by the trading rules detailed here.
Please be advised, all buyers and sellers should satisfy themselves that the other party is genuine by providing the following via private conversation to each other after negotiations are complete and prior to dispatching goods and making payment:

  • Landline telephone number. Make a call to check out the area code and number are correct, too
  • Name and address including postcode
  • Valid e-mail address

DO NOT proceed with a deal until you are completely satisfied with all details being correct. It’s in your best interest to check out these details yourself.


SIEM evaluation criteria: Choosing the right SIEM products

Security information and event management products and services collect, analyze and report on security log data from a large number of enterprise security controls, host operating systems, enterprise applications and other software used by an organization. Some SIEMs also attempt to stop attacks in progress that they detect, potentially preventing compromises or limiting the damage that successful compromises could cause.

There are many SIEM systems available today, including light SIEM products designed for organizations that cannot afford or do not feel they need a fully featured SIEM added to their current security operations.

Because light SIEM products offer few capabilities and are much easier to evaluate, they are out of the scope of this article. Instead, this feature points out the capabilities of regular SIEMs and can serve as a guide for creating SIEM evaluation criteria, which merit particularly close attention compared to other security technologies.

It can be quite a challenge to figure out which products to evaluate, let alone to choose the one that’s best for a particular organization or team. Part of the evaluation process involves creating a list of SIEM evaluation criteria potential buyers can use to highlight important capabilities.

1. How much native support does the SIEM provide for relevant log sources?

A SIEM’s value is diminished if it cannot receive and understand log data from all of the log-generating sources in the organization. Most obvious is the organization’s enterprise security controls, such as firewalls, virtual private networks, intrusion prevention systems, email and web security gateways, and antimalware products.

It is reasonable to expect a SIEM to natively understand log files created by any major product or cloud-based service in these categories. If the tool does not, it should have no role in your security operations.


In addition, a SIEM should provide native support for log files from the organization’s operating systems. An exception is mobile device operating systems, which often do not provide any security logging capabilities.

SIEMs should also natively support the organization’s major database platforms, as well as any enterprise applications that enable users to interact with sensitive data. Native SIEM support for other software is generally nice to have, but it is not mandatory.

If a SIEM does not natively support a log source, then the organization can either develop customized code to provide the necessary support or use the SIEM without the log source’s data.
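
To make the first of those options concrete, here is an added example (not code from the article or from any SIEM vendor) of the kind of custom normalization layer an organization writes for log sources its SIEM does not understand natively. The two source formats, the field names of the common schema and the sample lines are all constructed for the illustration. The point is that every source ends up in one schema, and lines that no parser recognises are counted rather than silently dropped, so the gap in coverage stays visible:

```python
import re
from datetime import datetime, timezone

# Constructed sample lines (not from the article) for two hypothetical log sources
# the SIEM has no native parser for: a firewall emitting key=value records and an
# in-house payroll application with a pipe-delimited layout.
SAMPLE_LINES = [
    "ts=2018-06-01T12:00:01Z dev=fw-edge-1 action=deny src=198.51.100.23 dst=10.0.0.5 dport=3389 proto=tcp",
    "ts=2018-06-01T12:00:02Z dev=fw-edge-1 action=allow src=10.0.0.8 dst=93.184.216.34 dport=443 proto=tcp",
    "2018-06-01 12:00:03 | payroll-app | LOGIN_FAILED | user=jdoe | src=10.0.0.77",
    "garbage line that matches nothing",
]

KV_RE = re.compile(r"(\w+)=(\S+)")
APP_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \| (?P<app>[\w-]+) \| (?P<event>[A-Z_]+) \| (?P<rest>.*)$"
)


def parse_firewall(line):
    """key=value firewall record -> common schema, or None if the line is not one."""
    fields = dict(KV_RE.findall(line))
    if not {"ts", "action", "src"}.issubset(fields):
        return None
    try:
        ts = datetime.strptime(fields["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        return None
    return {
        "timestamp": ts,
        "source": fields.get("dev"),
        "category": "network",
        "action": fields["action"],
        "src_ip": fields["src"],
        "dst_ip": fields.get("dst"),
        "dst_port": int(fields["dport"]) if fields.get("dport", "").isdigit() else None,
        "user": None,
    }


def parse_app(line):
    """Pipe-delimited application record -> common schema, or None."""
    m = APP_RE.match(line)
    if m is None:
        return None
    rest = dict(KV_RE.findall(m.group("rest")))
    return {
        "timestamp": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc),
        "source": m.group("app"),
        "category": "application",
        "action": m.group("event").lower(),
        "src_ip": rest.get("src"),
        "dst_ip": None,
        "dst_port": None,
        "user": rest.get("user"),
    }


PARSERS = (parse_firewall, parse_app)


def normalize(line):
    """Try each custom parser in turn; None means the SIEM would have to drop the line."""
    for parser in PARSERS:
        event = parser(line)
        if event is not None:
            return event
    return None


def normalize_all(lines):
    """Return (normalized events, lines no parser understood) so unparsed volume is tracked."""
    events, unparsed = [], []
    for line in lines:
        event = normalize(line)
        if event is None:
            unparsed.append(line)
        else:
            events.append(event)
    return events, unparsed


if __name__ == "__main__":
    parsed, dropped = normalize_all(SAMPLE_LINES)
    for e in parsed:
        print(e["timestamp"].isoformat(), e["source"], e["action"], e["src_ip"], e["user"])
    print(f"{len(dropped)} line(s) not understood by any parser")
```

Keeping the count of unparsed lines as its own metric matters more than it looks: a source that silently stops parsing after a vendor format change looks identical to a source that went quiet, and only the unparsed count tells them apart.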

2. Can the SIEM supplement existing logging capabilities?

An organization’s particular applications and software may lack robust logging capabilities. Some SIEM systems and services can supplement these by performing their own monitoring in addition to their regular job of log management.

In essence, this extends the SIEM from being strictly a centralized log collection, analysis and reporting tool to also generating raw log data on behalf of other hosts.

3. How effectively can the SIEM make use of threat intelligence?

Most SIEMs are capable of ingesting threat intelligence feeds. These feeds, which are often acquired from separate subscriptions, contain up-to-date information on threat activity observed all over the world, including which hosts are being used to stage or launch attacks and what the characteristics of these attacks are. The greatest value in using these feeds is enabling the SIEM to identify attacks more accurately and to make more informed decisions, often automatically, about which attacks need to be stopped and what the best method is to stop them.

Of course, the quality of threat intelligence varies between vendors. Factors to consider when evaluating threat intelligence should include how often the threat intelligence updates and how the threat intelligence vendor indicates its confidence in the malicious nature of each threat.
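
As an added illustration (not from the article or from any vendor's product) of how a SIEM turns those two factors, update frequency and confidence, into decisions, the following Python applies a constructed indicator feed to constructed, already-normalized events. Indicators older than a freshness window are ignored, low-confidence matches only enrich the event for analysts, and an allowed outbound connection to a high-confidence indicator is what qualifies for automated blocking. The field names, thresholds and sample data are assumptions:

```python
from datetime import datetime, timedelta, timezone

# Fixed clock so the example is reproducible (assumption, not from the article).
NOW = datetime(2018, 6, 1, 12, 0, tzinfo=timezone.utc)

# Constructed threat-intelligence feed. Real feeds differ in field names, but most
# carry some form of confidence score and a last-seen or updated timestamp.
FEED = [
    {"indicator": "198.51.100.23", "type": "ipv4", "confidence": 90, "last_seen": NOW - timedelta(days=1)},
    {"indicator": "203.0.113.9", "type": "ipv4", "confidence": 40, "last_seen": NOW - timedelta(days=2)},
    {"indicator": "192.0.2.50", "type": "ipv4", "confidence": 95, "last_seen": NOW - timedelta(days=120)},
]

# Constructed, already-normalized events as a SIEM would hold them after parsing.
EVENTS = [
    {"src_ip": "198.51.100.23", "dst_ip": "10.0.0.5", "action": "deny"},     # inbound, already denied
    {"src_ip": "10.0.0.11", "dst_ip": "198.51.100.23", "action": "allow"},   # outbound to bad host
    {"src_ip": "10.0.0.8", "dst_ip": "203.0.113.9", "action": "allow"},      # low-confidence indicator
    {"src_ip": "10.0.0.9", "dst_ip": "192.0.2.50", "action": "allow"},       # stale indicator
    {"src_ip": "10.0.0.10", "dst_ip": "93.184.216.34", "action": "allow"},   # no match
]


def build_index(feed, now, max_age=timedelta(days=30)):
    """Index only indicators refreshed within max_age.

    Stale IP indicators get reassigned to innocent hosts and are a classic
    source of false positives, so age is enforced before anything is matched.
    """
    index = {}
    for entry in feed:
        if now - entry["last_seen"] > max_age:
            continue
        index[entry["indicator"]] = entry
    return index


def classify(event, index, min_confidence=50):
    """Match both endpoints of an event against the index and decide what the SIEM should do.

    Returns None for no match, otherwise a dict whose disposition is one of:
      'enrich' - low-confidence match: attach to the event for analysts, no automated action
      'alert'  - high-confidence match that the control already denied, or an inbound hit
      'block'  - high-confidence match on an allowed outbound connection: candidate for response
    """
    hits = [(field, index[event[field]]) for field in ("src_ip", "dst_ip") if event.get(field) in index]
    if not hits:
        return None
    field, ind = max(hits, key=lambda h: h[1]["confidence"])
    if ind["confidence"] < min_confidence:
        disposition = "enrich"
    elif field == "dst_ip" and event["action"] == "allow":
        disposition = "block"
    else:
        disposition = "alert"
    return {
        "disposition": disposition,
        "indicator": ind["indicator"],
        "confidence": ind["confidence"],
        "matched_field": field,
    }


def triage(events, feed, now):
    """Run every event through the fresh-indicator index."""
    index = build_index(feed, now)
    return [classify(e, index) for e in events]


if __name__ == "__main__":
    for event, verdict in zip(EVENTS, triage(EVENTS, FEED, NOW)):
        print(event["src_ip"], "->", event["dst_ip"], event["action"], verdict)
```

The freshness window and the confidence threshold are the two knobs the evaluation question is really about: a feed that updates hourly can use a short `max_age`, while a feed that publishes no confidence score forces the same disposition on every hit and pushes the decision back onto an analyst.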

4. What forensic capabilities can SIEM products provide?

Forensic capabilities are an evolving SIEM evaluation criterion. Traditionally, SIEMs have only collected data provided by other log sources.

However, recently some SIEM systems have added various forensic capabilities that can collect their own data regarding suspicious activity. A common example is the ability to do full packet captures for a network connection associated with malicious activity. Assuming that these packets are unencrypted, a SIEM analyst can then review their contents more closely to better understand the nature of the packets.

Another aspect of forensics is host activity logging; the SIEM product can perform such logging at all times, or the logging could be triggered when the SIEM tool suspects suspicious activity involving a particular host.

5. What features do SIEM products provide to assist with performing data analysis?

SIEM products that are used for incident detection and handling should provide features that help users to review and analyze the log data for themselves, as well as the SIEM’s own alerts and other findings. One reason for this is that even a highly accurate SIEM will occasionally misinterpret events and generate false positives, so people need to have a way to validate the SIEM’s results.

Another reason for this is that the users involved in security analytics need helpful interfaces to facilitate their investigations. Examples of such interfaces include sophisticated search capabilities and data visualization capabilities.

6. How timely, secure and effective are the SIEM’s automated response capabilities?

Another SIEM evaluation criterion is the product’s automated response capabilities. This is often an organization-specific endeavor because it is highly dependent on the organization’s network architecture, network security controls and other aspects of security management.

For example, a particular SIEM product may not have the ability to direct an organization’s firewall or other network security controls to terminate a malicious connection.

Besides ensuring the SIEM product can communicate its needs to the organization’s other major security controls, it is also important to consider the following characteristics:

  • How long does it take the SIEM to detect an attack and direct the appropriate security controls to stop it?
  • How are the communications between the SIEM and the other security controls protected so as to prevent eavesdropping and alteration?
  • How effective is the SIEM product at stopping attacks before damage occurs?
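
The second question is the one most often skipped in evaluations. The following added example (not from the article; the command format, the firewall API and the shared key are assumptions) shows what a SIEM-to-control message needs so that an attacker on the network cannot alter or replay it: a MAC over a canonical serialization, a timestamp bounded by an allowed clock skew, and a nonce cache on the receiving side. A pre-shared HMAC key stands in for what would normally be mutually authenticated TLS; the checks are the same whichever transport carries them:

```python
import hashlib
import hmac
import json
import secrets

# Assumption: the SIEM and the firewall share a key provisioned out of band.
# In production the channel would usually be mutually authenticated TLS; the
# HMAC here shows what integrity, freshness and replay checks must cover anyway.
SHARED_KEY = b"example-shared-key-rotate-me"
MAX_SKEW_SECONDS = 30


def _canonical(body: dict) -> bytes:
    """Deterministic serialization so both sides MAC exactly the same bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_command(command: dict, key: bytes, now: int) -> dict:
    """SIEM side: stamp the command with its issue time and a fresh nonce, then MAC it."""
    body = dict(command, issued_at=int(now), nonce=secrets.token_hex(16))
    mac = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "mac": mac}


class ControlEndpoint:
    """Stand-in for a firewall management API that accepts SIEM-originated block commands."""

    def __init__(self, key: bytes, max_skew: int = MAX_SKEW_SECONDS):
        self.key = key
        self.max_skew = max_skew
        self.seen_nonces = set()  # replay cache; in production expire entries older than max_skew
        self.blocked = set()

    def receive(self, message: dict, now: int) -> str:
        body = message["body"]
        expected = hmac.new(self.key, _canonical(body), hashlib.sha256).hexdigest()
        # Integrity first, in constant time: until the MAC verifies, the timestamp
        # and nonce inside the body are attacker-controlled and prove nothing.
        if not hmac.compare_digest(expected, message["mac"]):
            return "rejected: bad mac"
        if abs(now - body["issued_at"]) > self.max_skew:
            return "rejected: stale"
        if body["nonce"] in self.seen_nonces:
            return "rejected: replay"
        self.seen_nonces.add(body["nonce"])
        if body.get("action") == "block_ip":
            self.blocked.add(body["target"])
            return "applied"
        return "rejected: unknown action"


if __name__ == "__main__":
    fw = ControlEndpoint(SHARED_KEY)
    t0 = 1_527_854_400  # constructed epoch timestamp for the demonstration
    msg = sign_command({"action": "block_ip", "target": "198.51.100.23"}, SHARED_KEY, now=t0)
    print("fresh:   ", fw.receive(msg, now=t0 + 2))
    print("replayed:", fw.receive(msg, now=t0 + 3))
    tampered = {"body": dict(msg["body"], target="10.0.0.5"), "mac": msg["mac"]}
    print("tampered:", fw.receive(tampered, now=t0 + 2))
    print("blocked: ", sorted(fw.blocked))
```

The order of checks on the receiving side is deliberate: a message whose MAC has not been verified has no trustworthy timestamp or nonce to examine. The gap between the time the SIEM issues the command and the time the control answers "applied" is the detection-to-response latency the first bullet asks about, and it is worth measuring during a proof of concept rather than taking from a datasheet.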

7. Which security compliance initiatives does the SIEM support with built-in reporting?

Most SIEMs offer highly customizable reporting capabilities. Many of these products also offer built-in support to generate reports that meet the requirements of various security compliance initiatives. Each organization should identify which initiatives are applicable and then ensure that the SIEM product supports as many of these initiatives as possible.

For any initiatives that the SIEM does not support, make sure that the SIEM product supports the proper customizable reporting options to meet your requirements.

Do your homework and evaluate

SIEMs are complex technologies that require extensive integration with enterprise security controls and numerous hosts throughout an organization. To evaluate which tool is best for your organization, it may be helpful to define basic SIEM evaluation criteria. There is not a single SIEM product that is the best system for all organizations; every environment has its own combination of IT characteristics and security needs.

Even the main reason for having a SIEM, such as meeting compliance reporting requirements or aiding in incident detection and handling, may vary widely between organizations. Therefore, each organization should do its own evaluation before acquiring a SIEM product or service. Examine the offerings from several SIEM vendors before even considering deployment.

This article presents several SIEM evaluation criteria that organizations should consider, but other criteria may also be necessary. Think of these as a starting point for the organization to customize and build upon to develop its own list of SIEM evaluation criteria. This will help ensure the organization chooses the best possible SIEM product.

Report on Alexa-enabled devices puts spotlight on voice commerce

Will voice commerce catch on? It hasn’t yet, according to a new report by The Information, but experts said that won’t slow the growth of voice computing.

According to the report, which cites two people briefed on Amazon’s internal figures, only about 2% of the people who own Alexa-enabled devices — mainly Amazon’s Echo line of speakers — have made a purchase with their voices so far in 2018. Of the people who did buy something using Alexa voice shopping, about 90% didn’t try it again, the report states.

An Amazon spokesperson disputed the figures presented in The Information, but previous reports also conveyed less-than-stellar numbers when it comes to consumers using smart speaker devices for voice commerce. The Information’s numbers also jibe with a report released last fall by technology consulting firm Activate that found the majority of smart speaker owners use their devices for relatively simple functions like playing music, getting the weather or setting alarms. In fact, shopping wasn’t even on the list of things users said they do with their devices.


“I’m not surprised,” said Zeus Kerravala, founder and principal analyst at ZK Research. “I think voice has a lot of potential; I just think there’s a lot of trust issues around it right now. It’s not dissimilar to what happened with online purchasing. A lot of people were cautious with that until they tried it a couple of times and they gained some confidence in it.”


Beyond that, using voice alone to shop is simply not practical, said Julie Ask, principal analyst at Forrester.

“It’s simply too hard [to purchase things via voice only] beyond replenishment of simple goods,” Ask said. “There are easier ways to buy. It’s hard to browse, you can’t see images and you can’t realistically listen to product descriptions — and who would want to.”

She added that although Amazon is number one in market share, retailers are wary of partnering with the company, which could also have played a role in the lackluster figures on shopping via Alexa-enabled devices.

Voice in the enterprise

Given all that, should the enterprise back off from pursuing voice computing? Not at all, said Werner Goertz, research director at Gartner. Just because “mom and pop” are not buying goods through Alexa-enabled devices today doesn’t say much about the value of the voice AI category as a whole — or about consumer shopping habits going forward. Voice commerce will undoubtedly evolve, he said, and, in any case, people’s current disinclination to use Alexa-enabled devices for shopping shouldn’t dissuade CIOs from investing in voice computing.


Goertz said there will be an organic growth in e-commerce capabilities and usage, with the hospitality industry, restaurants and chain stores already developing proofs of concepts and use cases that incorporate different transactions using voice AI technology.

An example Goertz gave was Amazon partnering with Marriott International to start bringing Amazon Echo smart speakers into hotels as part of the tech giant’s Alexa for Hospitality initiative. Hotel guests will be able to use the Alexa-enabled devices to order room service, call for more towels, order entertainment and more.

“Companies are definitely trying to reinvent brand experience and they’re doing that with smart speakers and with multimodal voice interactions as well,” Goertz said.

By multimodal voice interactions, Goertz means voice assistants with screens, like Amazon’s Echo Show. He said these kinds of devices lend themselves better to functions like voice commerce — and alleviate some of the issues with voice-only shopping raised by Forrester’s Ask.

Gartner analyst Ranjit Atwal agreed that multimodal voice devices using voice, video, chat and screens will eventually allow for more frequent and complex purchases — and a more integrated customer experience — but admits there’s still “a long way to go” for voice commerce.

As Kerravala said, “I think there will be a day when voice is the dominant interface … we just need to take baby steps in getting there.”

What’s the takeaway for CIOs, according to Ask?

“CIOs should use [voice technology] and pilot it, but in scenarios that make sense — easy information retrieval, control, et cetera,” she said. “Don’t stretch it beyond what it does easily.”

McAfee details rise in blockchain threats, cryptocurrency attacks

A new McAfee report on blockchain threats shows cryptomining malware grew more than 600% in the first quarter of this year.

McAfee’s “Blockchain Threat Report” details the massive increase in cyberattacks against cryptocurrency owners, exchanges and other companies leveraging blockchain as the value of those cryptocurrencies has surged over the last year. Steve Povolny, head of advanced threat research at McAfee, said the intent of the report is to create a baseline for the industry as it deals with increased blockchain threats that use many of the same attack techniques and methods of the last five to 10 years.

“We’ve seen an explosion in cryptocurrency value recently,” Povolny said. “Hundreds of them were created in a very short time, and now we’re seeing threat actors trying to capitalize on that value.”

While attackers have learned to adopt different attack methods that target both consumers and businesses, according to McAfee researchers, the four major attack vectors are familiar ones: phishing, malware, implementation vulnerabilities and technology. Phishing is the most familiar blockchain attack due to its prevalence and success rate, the researchers wrote. Malware, meanwhile, has exploded over the last year; the report shows the total number of cryptomining malware samples increased 629% quarter-over-quarter in Q1 of this year. The report also notes that malware developers began to shift from ransomware to cryptocurrency mining in the last six months, with “ransomware attacks declining 32% in Q1 2018 from Q4 2017 while coin mining increased by 1,189%.”

Technology attacks, as explained by the researchers, are threats like dictionary attacks against cryptocurrency private keys. Lastly, implementation vulnerabilities refer to flawed deployments of blockchain technology; the report cites examples such as the 2017 attack on blockchain startup Iota, where attackers exploited cryptographic vulnerabilities to create hash collisions and forge signatures, which enabled them to steal coins from users’ digital wallets. Povolny stressed these vulnerabilities are not flaws in blockchain itself, which has proved to be secure so far.
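
As an added, deliberately simplified illustration (not McAfee’s analysis, and not the Iota flaw) of why dictionary attacks work against some private keys: so-called brain wallets derived a key from a memorable passphrase with a single unsalted hash, which shrinks the search space from 2^256 keys to the passphrase space an attacker can enumerate. The address derivation below is a stand-in hash rather than real elliptic-curve math, and the wordlist and wallets are constructed; both are assumptions for the demonstration. The contrast with a key drawn from the operating system’s random generator is the point:

```python
import hashlib
import secrets

# Simplified model (an assumption for this example, not the article's or any wallet's code):
# a "brain wallet" derives its private key from a passphrase with one unsalted SHA-256, and
# address_of stands in for the public-key derivation and hashing a real chain performs.
# The attacker needs only the public address and the same derivation to test guesses.


def brain_wallet_key(passphrase: str) -> bytes:
    """Weak: the effective key space is the passphrase space, not 2**256."""
    return hashlib.sha256(passphrase.encode("utf-8")).digest()


def random_key() -> bytes:
    """Strong: 256 bits from the OS CSPRNG; no dictionary can enumerate this."""
    return secrets.token_bytes(32)


def address_of(private_key: bytes) -> str:
    # Stand-in for pubkey = k*G, address = H(pubkey). Any deterministic public
    # function of the key gives the attacker the same test oracle.
    return hashlib.sha256(b"addr|" + private_key).hexdigest()[:40]


def candidate_passphrases(wordlist):
    """Cheap mangling rules an attacker layers on top of a wordlist."""
    for word in wordlist:
        yield word
        yield word.lower()
        yield word.capitalize()
        yield word + "1"
        yield word + "!"


def dictionary_attack(target_addresses, wordlist):
    """Return {address: passphrase} for every target whose key was passphrase-derived.

    Wallets whose key came from random_key() are never recovered: the attacker
    would need to guess 256 random bits rather than a human-chosen phrase.
    """
    targets = set(target_addresses)
    recovered = {}
    for guess in candidate_passphrases(wordlist):
        addr = address_of(brain_wallet_key(guess))
        if addr in targets:
            recovered[addr] = guess
            if len(recovered) == len(targets):
                break
    return recovered


# Constructed wordlist and wallets for the demonstration.
WORDLIST = ["password", "letmein", "correct horse battery staple", "satoshi", "Bitcoin"]
BRAIN_ADDRESS = address_of(brain_wallet_key("satoshi1"))
RANDOM_ADDRESS = address_of(random_key())


def demo():
    """Attack one passphrase-derived wallet and one randomly keyed wallet with the same wordlist."""
    return dictionary_attack([BRAIN_ADDRESS, RANDOM_ADDRESS], WORDLIST)


if __name__ == "__main__":
    found = demo()
    print("recovered:", found)
    print("random-key wallet recovered:", RANDOM_ADDRESS in found)
```

Nothing in the attack touches the network or the victim: every public address is, by design, visible to everyone, so the only defence is a key the attacker cannot guess. Salting or a slow KDF would raise the cost per guess but would not fix a weak passphrase; a randomly generated key removes the guessable input altogether.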

The “Blockchain Threat Report” states, “In most cases, the consumers of blockchain technology are the easiest targets. Due to a widespread start-up mentality, in which security often takes a backseat to growth, cryptocurrency companies often fall in this category.”

Povolny said the issue of security within cryptocurrency and blockchain creates a two-sided problem. The first side revolves around the companies that initially rushed to capitalize on cryptocurrency but didn’t complete basic security checks and risk assessments; those shortcomings, which include a lack of proper access controls, make them easy targets for threat actors, he said. The second side is the financial motivation, as many cryptocurrencies’ values reached all-time highs in late 2017, when Bitcoin was valued at almost $20,000 per coin, thus catching the attention of hackers. This two-sided cryptocurrency problem created a continuous cycle that resulted in wallets and ledgers being built without a complete understanding of security risks or an implementation of security around the programs, McAfee researchers claim.

The report also notes that “recovering from cryptocurrency theft is more difficult and complicated than with most other currencies due to their decentralized nature.” In order to secure a network, a tailored risk assessment should be conducted.

As industries begin to implement their own blockchain technology, users should prepare for cybercriminals to keep developing new techniques to compromise them, McAfee researchers wrote. However, because there is no clear understanding of where these risks lie, trust may be placed in blockchain applications that do not warrant it. To keep cryptocurrency wallets safe, Povolny recommends storing them locally on a computer with no network access, and he notes that we may not see people flock to a currency like this again.

Despite the increase in threats, Povolny said the surge in cryptocurrency startups and blockchain deployments is expected to continue.

Research claims ‘widespread’ Google Groups misconfiguration troubles

A new report claims a significant number of G Suite users misconfigured Google Groups settings and exposed sensitive data, but the research leaves unanswered questions about the extent of the issue.

According to Kenna Security research, there is a “widespread” Google Groups misconfiguration problem wherein Groups are set to public and are exposing potentially sensitive email data that could lead to “spearphishing, account takeover, and a wide variety of case-specific fraud and abuse.” Last year, Redlock Cloud Security Intelligence also found Google Groups misconfiguration responsible for exposure of data from hundreds of accounts.

Kenna said it sampled 2.5 million top-level domains and found 9,637 public Google Groups. Of those public Groups, the researchers sampled 171 and determined 31% of those organizations “are currently leaking some form of sensitive email” with a confidence level of 90%.

“Extrapolating from the original sample, it’s reasonable to assume that in total, over 10,000 organizations are currently inadvertently exposing sensitive information,” Kenna wrote in its blog post. “The affected organizations [include] Fortune 500 organizations; Hospitals; Universities and Colleges; Newspapers and Television stations; Financial Organizations; and even U.S. government agencies.”

For context, there are currently more than 3 million paid G Suite accounts and an unknown number of free G Suite accounts, and Kenna acknowledged via email that they “do not believe [they] tested the vast majority of G Suite enabled domains.” Additionally, Google confirmed that Groups are set to private by default and an administrator would need to actively choose to make a Group public or allow other users to create public Groups.

It is unclear how many G Suite accounts are set to public, but a source close to the situation said the vast majority of Google Groups are set to private, and Google has sent out messages to users who may be affected with instructions on how to fix the Google Groups misconfiguration.

Specifics versus extrapolation

Kenna Security’s research likened the Google Groups misconfiguration issue to the recent spate of Amazon Web Services (AWS) exposures where S3 buckets were accidentally left public.

“Ultimately, each organization is responsible for the configuration of their systems. However, there are steps that can be taken to ensure organizations can easily understand the public/private state for something as critical as internal email,” a Kenna spokesperson wrote via email. “For example, when the AWS buckets leak occurred, AWS changed its UX, exposing a ‘Public’ badge on buckets and communicated proactively to owners of public buckets. In practice, public Google Group configurations require less effort to find than public S3 buckets, and often have more sensitive information exposed, due to the nature of email.”

However, a major difference between the research from Kenna and that done by UpGuard in uncovering multiple public AWS buckets is in the details. Kenna is extrapolating from a sample to claim that roughly 10,000 of the more than 3 million paid G Suite accounts (about 0.3%) have misconfigured Groups, and its examples of exposed emails show the potential for spearphishing attacks or fraud.

On the other hand, UpGuard specifically attributed the exposed data it found, including Republican National Committee voter rolls for 200 million individuals, info on 14 million Verizon customers, data scraped from LinkedIn and Facebook, and NSA files detailing military projects.  

Alex Calic, chief strategy and revenue officer of The Media Trust, said Google “made the right call by making private the default setting.”

“At the end of the day, companies are responsible for collaborating with their digital partners/vendors on improving and maintaining their security posture,” Calic wrote via email. “This requires developing and sharing their policies on what information can be shared on workplace communication tools like Google Groups and who can access that information, keeping in mind that — given how sophisticated hackers are becoming and the ever-present insider threat, whether an attack or negligence — there is always some risk that the information will see the light of day.”

Federal cybersecurity report says nearly 75% of agencies at risk

The latest federal cybersecurity report holds little good news regarding the security posture of government agencies, and experts are not surprised by the findings.

The Office of Management and Budget (OMB) and the Department of Homeland Security (DHS) developed the report in accordance with President Donald Trump’s cybersecurity executive order issued last year. The report acknowledged the difficulties agencies face in terms of budgeting, maintaining legacy systems and hiring in the face of the cybersecurity skills gap, and it identified 71 of 96 agencies as being either “at risk or high risk.”

“OMB and DHS also found that federal agencies are not equipped to determine how threat actors seek to gain access to their information. The risk assessments show that the lack of threat information results in ineffective allocations of agencies’ limited cyber resources,” OMB and DHS wrote in the report. “This situation creates enterprise-wide gaps in network visibility, IT tool and capability standardization, and common operating procedures, all of which negatively impact federal cybersecurity.”

The federal cybersecurity report tested the agencies involved under 76 metrics and identified four major areas of improvement: increasing threat awareness, standardizing IT capabilities, consolidating security operations centers (SOCs), and improving leadership and accountability.

Greg Touhill, president of Cyxtera Federal Group, based in Coral Gables, Fla., and former CISO for the United States, said the report was an “accurate characterization of the current state of cyber risk and a reflection of the improvements made over the last five years in treating cybersecurity as a risk management issue, rather than just a technology problem.”

“I am concerned that the deletions of and vacancies in key senior cyber leadership positions [are] sending the wrong message about how important cybersecurity is to the government workforce, commercial and international partners, and potential cyber adversaries,” Touhill wrote via email. “As national prosperity and national security are dependent on a strong cybersecurity program that delivers results that are effective, efficient and secure, I believe cybersecurity ought to be at the top of the agenda, and we need experienced cyber leaders sitting at the table to help guide the right decisions.”

Agencies at risk

The federal cybersecurity report said many agencies lack situational awareness and noted this has been a long-standing issue in the U.S. government.


“For the better part of the past decade, OMB, the Government Accountability Office, and agency [inspectors general] have found that agencies’ enterprise risk management programs do not effectively identify, assess, and prioritize actions to mitigate cybersecurity risks in the context of other enterprise risks,” OMB wrote. “In fact, situational awareness is so limited that federal agencies could not identify the method of attack, or attack vector, in 11,802 of the 30,899 cyber incidents (38%) that led to the compromise of information or system functionality in [fiscal year] 2016.”

Sherban Naum, senior vice president of corporate strategy and technology at Bromium, based in Cupertino, Calif., said improving information sharing might not “address the protection component.”

“Sharing information in real time of an active and fully identified attack is critical. However, more information alone won’t help if there is no contextual basis to understand what was attacked, what vulnerability was leveraged, the attacker’s intent and impact to the enterprise,” Naum said. “I wonder what systems are in place or are needed to process the real-time threat data to then automatically protect the rest of the federal space.”

Not all of the news was bad. OMB noted that 93% of users in the agencies studied use multifactor authentication in the form of personal identity verification cards. However, the report said this was only the beginning, as “agencies have not matured their access management capabilities” for modern mobile use.

“One of the most significant security concerns that results from the current decentralized and fragmented IT landscape is ineffective identity, credential, and access management processes,” OMB wrote. “Fundamentally, any organization must have a clear understanding of the people, assets, and data on its networks.”

The federal cybersecurity report acknowledged the number of high-profile data leaks and breaches across government systems in recent years and said the situation there is not improving.

“Federal agencies do not have the visibility into their networks to effectively detect data exfiltration attempts and respond to cybersecurity incidents. The risk assessment process revealed that 73 percent of agency programs are either at risk or high risk in this critical area,” OMB wrote. “Specific metrics related to data loss prevention and exfiltration demonstrate even greater problems, with only 40 percent of agencies reporting the ability to detect the encrypted exfiltration of information at government-wide target levels. Only 27 percent of agencies report that they have the ability to detect and investigate attempts to access large volumes of data, and even fewer agencies report testing these capabilities annually.”

Additionally, only 16% of agencies have properly implemented encryption on data at rest.

Suggested improvements

The federal cybersecurity report had suggestions for improving many of the poor security findings, including consolidating email systems, creating standard software configurations and a shared marketplace for software, and improving threat intelligence sharing across SOCs. However, many of the suggestions related directly to following National Institute of Standards and Technology (NIST) Cybersecurity Framework guidelines, the Cyber Threat Framework developed by the Office of the Director of National Intelligence, or DHS’ Continuous Diagnostics and Mitigation (CDM) program.

Katherine Gronberg, vice president of government affairs at ForeScout Technologies, based in San Jose, Calif., said the focus of CDM is on real-time visibility.

“For example, knowing you have 238 deployed surveillance cameras found to have a particular vulnerability is a good example of visibility. Knowing that one or more of those cameras is communicating with high-value IT assets outside of its segment is further visibility, and then seeing that a camera is communicating externally with a known, malicious command-and-control IP address is the type of visibility that helps decision-making,” Gronberg wrote via email. “CDM intends to give agencies this level of real-time domain awareness in addition to securing data. It’s worth noting that many agencies are now moving to Phase 3 of CDM, which is about taking action on the problems that are discovered.”

Katie Lewin, federal director for the Cloud Security Alliance, said “standardization is an effective tool to get the best value from resources,” especially given that many risks faced by government agencies are due to the continued use of legacy systems.

“Standardized, professionally managed cloud systems will significantly help reduce risks and eliminate several threat vectors,” Lewin wrote via email. “If agencies adopt DHS’s Continuous Diagnostics and Mitigation process, they will not have to develop and reinvent custom programs. However, as with all standards, there needs to be some flexibility. Agencies should be able to modify a standard approach within defined limits. Failure to involve agencies in developing a common approach and in defining the boundaries of flexibility will result in limited acceptance and adoption of the common approach.”

Gary McGraw, vice president of security technology at Synopsys Inc., based in Mountain View, Calif., said focusing on standards may not hold much improvement.

“The NIST Framework has lots of very basic advice and is very useful. It would be a step in the right direction. However, it is important to keep in mind that standards generally reflect the bare minimum,” McGraw said. “Organizations that view security solely as a compliance requirement generally fall short, compared to others that treat it as a core or enabling component of their operations.”

Michael Magrath, director of global regulations and standards at OneSpan, said, “Improving resource allocations is crucial to improving our federal cyberdefenses.”

“With $5.7 billion in projected spending across federal civilian agencies, some agencies may cry poor. The report notes that email consolidation can save millions of dollars each year, and unless agencies have improved efficiencies like email consolidation, have implemented electronic signatures and migrated to the cloud, there remains an opportunity to reallocate funds to better protect their systems,” Magrath said. “The report also notes that agencies are operating multiple versions of the same software. This adds unnecessary expense, and as more and more agencies migrate to the cloud, efficiencies and cost reductions should follow, enabling agencies to reallocate budget and IT resources to other areas.”