FCW : April 30, 2013
Why managing devices isn't enough

Agencies need to protect their applications and data against attackers who use malware to steal log-in credentials

Commentary | ANDREAS BAUMHOF

ANDREAS BAUMHOF is chief technology officer at ThreatMetrix.

As part of the Digital Government Strategy, agencies are embracing mobile computing and developing policies to address the emerging bring-your-own-device trend. Developing BYOD policies is beneficial because they will help agencies reduce costs and increase productivity.

But federal agencies have particular challenges when it comes to implementing BYOD: They handle data that must be protected for reasons of national security or taxpayer privacy, and they are the targets of a determined subset of attackers. The defense industrial base and the intelligence community are obvious objectives, but any federal agency has escalated risk.

Cybersecurity incidents at federal agencies have increased 680 percent in the past six years, according to the Government Accountability Office --- and those are just the incidents we know about. That number is expected to increase as more personal mobile devices connect to agency networks and applications.

Given that malware and stolen identities are primary avenues of attack, here are some steps that agencies can take to ensure that their BYOD policies are as effective as possible.

1. Understand the malware risk. It is increasingly difficult to avoid malware. Users can unwittingly pick up drive-by downloads through common activities such as clicking on shortened URLs in Twitter, doing an image search or even clicking on an infected ad in a trusted site. Furthermore, personal systems typically lack the malware defenses of managed systems. The risk of acquiring malware increases for devices, such as iPads, that are shared among family members. And because smart phones are on the rise, attackers are writing more malware for mobile apps.

2. Be aware of the identity problem. Often, the purpose of a malware program is to gain log-in credentials. That means agencies have to worry about malware on any device that employees or contractors use because their credentials are at risk of being compromised. Common Access Card authentication is not enough to protect systems from stolen identities and malware. For instance, man-in-the-browser Trojan horses on a legitimate user's device can hijack an authenticated session using CAC cards. In addition, attackers are targeting the certificate authorities, such as EMC's RSA, to effectively gain the keys to the kingdom.

3. Focus on applications. The BYOD discussion typically focuses on managing devices. But the larger threat for agencies is to their applications and data because inconspicuous malware on personal devices --- mobile and otherwise --- can let attackers gain access to federal systems.

There are steps that every agency can and should take immediately to address the growing risk to sensitive applications and data. As always in the security field, a layered defense is the best strategy.

• Help protect your employees against malware. If possible, give your employees malware protection for home computers and personal laptop PCs that they use to access government applications.

• Analyze incoming connections for malware. Use real-time technologies to examine incoming connections to sensitive systems for signs of malware manipulating the session. This will alert you to potential attacks or other malware that could compromise a session.

• Add device identification. By adding device identification technologies to sensitive applications (including email), you can find devices that do not match a legitimate user --- for example, those that hide their true location or are known to be infected with malware.

For even better coverage, make sure those defenses can share information with one another and with a global network of known threats and malicious systems.