Sunday, August 31, 2014

This Just In

For all you fans of cloud computing and Apple products: iCloud just got royally hacked, and the hacker is posting many, many nude photos of various celebrities whose intimate photos had been stored there. I've always been skeptical of cloud computing because of the security that users must cede to their service providers. I've also thought the alleged security of Apple devices has been grossly overstated for years. It's poor form to use an event like this to say "I told you so", but this situation is obviously awful, and should have been prevented both by the celebrities themselves, and by Apple's security folks.

Tuesday, August 19, 2014

Carriers, Amphibs, and American Naval Strength

Following up on this post (and this linked article from that post, which I'll plug one more time), James Holmes has an excellent piece at War on the Rocks. Holmes' article deconstructs War is Boring proprietor David Axe's recent article on American naval strength. Axe, who's a legitimate and accomplished journalist in his own right, nonetheless parrots two common mistakes regarding the United States Navy: the one-for-one comparison of amphibious assault ships with aircraft carriers, and the claim that America's navy is "stronger than the next [X] navies combined". It's worth the read.

Late Breaking Addendum: Following up on previous posts about USNS John Glenn, it's passed final contract testing, to include LCAC interface tests. (UPI, IHS Jane's)

NIST Network Security Risk Management Framework

Most of my career has been spent supporting military customers, but my current work has me supporting a non-DoD customer. Although I've been exposed to NIST Special Publications before (and even blogged about them), I find myself getting intimately acquainted with some of these publications. In particular, I've been going through SP 800-53 with a fine-toothed comb, with additional attention to SP 800-37 and SP 800-53A. (I'll probably wind up going through SP 800-30 as well.)

To some degree, the NIST Risk Management Framework outlined in these documents mirrors the DoD's DIACAP framework, the idea being that system administrators can ensure the confidentiality, integrity, and availability of their data by implementing a set of standard security controls based upon the criticality of the network and the sensitivity of the data it's processing. The system can then be reassessed as necessary. It's a pretty standard concept, but I'm enjoying learning the ins and outs of it, to include going through the security controls with a fine-toothed comb.

Some organizations would do well to implement a system similar to the DoD's DIACAP system; for most organizations, however, the NIST Risk Management Framework is a more realistic option, particularly if a responsible cost/benefit analysis precludes said organization from investing in the infrastructure and manpower required to meticulously document and monitor every last item in excruciating detail.