Category Archives: Guest Blogs

Social Media Governance in Federal Agencies

In 2011 organizations are increasingly moving from prohibiting social media tools or merely experimenting with them to incorporating them into key work processes. And government is certainly no exception – in fact, many agencies have created presences on commercial services like Facebook and Twitter and have begun to put together “command centers” with comprehensive listings of all their social activities.

But as these tools are used to conduct government business, the information created through them has to be managed just as any other type of information created through more traditional means. This means that agencies have to incorporate social media into their existing governance structures where they exist and to the extent they are applicable.

At the same time, social technologies present some unique challenges including co-creation, fragmentation, aggregation, and geolocation. These make it much more difficult to simply extrapolate and apply existing information management practices to social content.

In my workshop on social media governance, taking place at FOSE on Wednesday, July 20th at 1:30pm, I will begin by outlining the elements of an effective governance framework including roles and responsibilities, policies and procedures, technology, and change management.

Next, I will describe some specific policy statements to include in a comprehensive social media policy. I will draw heavily from a number of existing Federal and other agencies’ social media policies.

Finally, I will describe specific steps agencies can take today to capture and manage social content as part of an effective records management program. As part of that discussion I will review existing guidance from NARA as well as resources from ACT-IAC, the CIO Council, ARMA, AIIM, and the IBM Center for the Business of Government. I will also discuss ways to address the unique challenges identified above.

Guest Blog: Government and Mobile Technology

Government agencies are beginning to experience the many benefits (and a few critical drawbacks) of mobile technology.  This has been an evolutionary process that is still in its infancy.

Initially, agencies released apps that were focused primarily on providing information to the public. In most instances this repackaged information that was already available on the agency website.

The second phase was creating a two-way interaction with individuals and the agency.  These apps have provided very useful services to the public.  Examples include reporting potholes or searching to see if a professional is licensed and in good standing.  Government is just putting its toe into the water with using mobile technology to communicate with citizens.  All kinds of new services are possible using mobile technology.  For example, an agency might ask for the public’s assistance in tracking the location of a beetle infestation that is killing trees. The app could use geo-location and the camera to help capture this information.

The third phase is government leveraging mobile technology for its own employees.  Nearly every government employee who is out in the field can potentially leverage mobile technology to reduce paperwork, speed the processing of information, improve safety and increase efficiency.  Today’s government employees, just like their private sector counterparts, have a desire to be able to access their work from home or on the road.  With the understanding that there are employment rules as well as security concerns, government must adapt to these changing work dynamics.

The increasing demand for the many benefits of smartphones is demonstrated by the fact that many government employees are carrying two cell phones.  The first is typically a government-issued BlackBerry (often with restricted functionality). The second is their own personal smartphone, equipped with lots of apps as well as additional functionality including GPS and a camera.

I believe we are experiencing the very beginning of the many opportunities that mobile technology is going to create for government.  Whether it’s tracking pollution or finding an abducted child, mobile devices offer tremendous potential for government to enlist the aid of citizens.

I look forward to discussing these topics and many more during my panel session, Using Mobile Technology to Engage the Public, at the upcoming FOSE conference.

Guest Blog: Operation Trident Breach

“…hear from the investigators directly involved in this sensational story of intrigue and deception.”

It’s interesting how many major crime investigations begin when an alert citizen sees something suspicious, picks up the phone, and notifies the proper authorities. Operation Trident Breach began just that way. The story began in May 2009, when FBI agents in Omaha, Nebraska learned of automated clearing house (ACH) batch payments to 46 separate bank accounts throughout the US. The case soon blossomed into an international investigation that spanned Europe and the wilds of the former Soviet Union. From England to the Netherlands and on to Ukraine and Moldova, the case has all the excitement of a spy novel, with false passports, the recruitment of youth in search of overseas work, and cyber sleuths from around the globe.

Cybercrime is a global phenomenon that requires international detective work and collaboration. For the first time, hear from the investigators directly involved in this sensational story of intrigue and deception. The crime ring behind this operation targeted $220 million in bank accounts in the United States. Over 100 people were ultimately arrested, and over $70 million was stolen. In fact, this cybercrime ring stole more money in Operation Trident Breach than all bank robberies combined in the United States last year. The thieves targeted small- to medium-sized companies, municipalities, churches, and individuals.

These cyber criminals stole the online banking passwords of target companies using the sophisticated ZeuS banking Trojan. The malware was planted on a targeted computer when someone opened an email that contained the virus. Once installed, it captured the password to the bank account, and the criminals transferred funds to other bank accounts around the country. These accounts had been set up by money mules who came to the US on temporary J-1 visas to work menial summer jobs and who laundered the money. The mules opened the accounts using false passports provided to them by the crime ring. After a transfer occurred, they would withdraw the money, fly back to their home countries, and keep 10 percent of the proceeds.

Our keynote panel at FOSE on Wednesday, July 20th at 3:30pm, Operation Trident Breach – Lessons Learned from FBI Global Cyber Crime Arrests, will have FBI Agents from Omaha and Eastern Europe who were involved in the case. The panel will also feature Gary Warner, director of Computer Forensics at the University of Alabama in Birmingham and we anticipate a surprise guest.

About Paul Joyal
Paul M. Joyal is an American security analyst and media commentator who frequently comments on political and security matters concerning Russia and former Soviet countries. Joyal holds a master’s degree in international relations from The Catholic University of America. He was a staff member for the United States Senate Select Committee on Intelligence and later became a vice president at National Strategies Inc., where he currently serves as managing director. Joyal has been cited as an expert source by many news outlets, including Time Magazine and PBS’s The NewsHour with Jim Lehrer.

Guest Blog: Mobile Risks

“Your mobile device is a treasure chest of valuable information for criminals…”

Mobile computing is quickly changing the way we live and interact with the world around us.  While being connected to the world at all times makes us more efficient and productive in society, there are many security and privacy issues to take into consideration.

The threat model for mobile devices differs significantly from that of their larger desktop and laptop counterparts.  They travel everywhere with us, they are turned on at all times, and we use them to access a multitude of services.  We have a much better chance of losing an iPhone than a 27-inch iMac desktop computer.  Our smartphones contain all of our contacts, constant access to several email accounts, our social networks, our banks, corporate networks, and much more.  Your mobile devices know where you have been, who you were there with, and what you did with them.  Your mobile device is a treasure chest of valuable information for criminals and others with less than honorable intentions.  Often, a vulnerability in a single application can lead to the compromise of many services, whether through password reuse by the user or through leaked Single Sign-On (SSO) credentials.  A single piece of malicious software can extract everything about your life and potentially allow an attacker to pivot into your enterprise’s network.  This is bad.

As more companies move into the mobile space, we continue to see trends indicating that we have taken several steps backwards from a security perspective.  From both privacy and security perspectives, this is frightening.  In application security, we have cultivated a list of best practices over the years, many of which have been adopted as formal standards.  These include storing sensitive information encrypted, leveraging SSL for data in transit, and following the principles of least-privilege access.  We have not seen many of these best practices and “easy wins” replicated within the mobile application space.  As the “easy” issues are being neglected, we are simply not preparing ourselves to tackle the security challenges of more exotic mobile technologies and use cases that are being developed.

In many cases, security is being neglected as a result of racing new products to market to gain a competitive edge.  The difference between being first to market and finishing in second place can mean the world to a company.  At the same time, building your house out of straw instead of bricks will eventually come back to haunt you.  While balancing security requirements with usability is a constant juggling act that one must endure, organizations built for long-term success understand and embrace these challenges.

The harsh reality is that before we can get better, things will probably get much worse.  We have only scratched the surface of what is possible in mobile computing.  There will surely be many new risks and security obstacles to overcome in the next few years.  With technologies such as Near Field Communications (NFC) set to become integrated with virtually everything around us, these risks to businesses and organizations will become much more visible and widely exploited.

I encourage any individuals, government organizations, or companies developing mobile applications to pay close attention to how secure their applications are and how well they are protecting the data for their users. Security extends far beyond the mobile device itself; your infrastructure is vital to a secure mobile architecture as well, even if you do not host your own physical servers.  A serious security breach could place a huge financial and resource burden on your organization.  More importantly though, you owe it to your customers and users to do your absolute best to protect their privacy and personal information.

About Jack Mannino
Jack Mannino is the CEO of nVisium Security, a leading provider of mobile application and web application security services. At nVisium he is responsible for ensuring that all services are delivered at the highest levels of quality and with keen attention to detail. nVisium’s offerings include security source code reviews, penetration testing, remediation services, threat modeling, and developer training. He focuses on mobile application security research (especially Android), and is the co-leader of the OWASP Mobile Security Project. In addition to the Mobile Security Project, Jack is also heavily involved with the OWASP Northern Virginia Chapter where he serves as a member of the chapter’s board.