Advanced search    Help

Clear all search criteria

Only 2/3! You are seeing results from the Public Collection, not the complete Full Collection. Sign in to search everything (see eligibility).

• Survey of the Information Analysis and Infrastructure Protection Directorate

  Show summary     Open resource [pdf]     (open full abstract)

  "The Information Analysis and Infrastructure Protection (IAIP) directorate was created to support a key strategic mission of the Department of Homeland Security (DHS). IAIP analyzes and integrates terrorist threat information, mapping those threats against both physical and cyber vulnerabilities to critical infrastructure and key assets, and implementing actions that protect the lives of Americans, ensures the delivery of essential government services, and protects infrastructure assets owned by US industry. IAIP is unique in that no other federal organization has the statutory mandate to carry out these responsibilities under one organizational framework. The Office of Inspector General (OIG) conducted this survey to learn more about the department's plans for IAIP and to prepare us for more detailed future work as part of our general oversight responsibility for DHS and its component parts."

  United States. Department of Homeland Security. Office of Inspector General

  2004-02
• President's National Security Telecommunications Advisory Committee (NSTAC): Satellite Task Force Report Fact Sheet

  Show summary     Open resource [pdf]     (open full abstract)

  "In January 2003, the Director, National Security Space Architect, requested that the President's National Security Telecommunications Advisory Committee (NSTAC) consider embarking on a study of infrastructure protection measures for commercial satellite communication (SATCOM) systems. The NSTAC established the Satellite Task Force (STF) to review and assess policies, practices, and procedures for the application of infrastructure protection measures to commercial SATCOM networks used for national security and emergency preparedness (NS/EP) communications. Specifically, the STF was established to review applicable documentation addressing vulnerabilities in the commercial satellite infrastructure, identify potential policy changes that would bring the infrastructure into conformance with a standard for mitigating those vulnerabilities, consider Global Positioning System (GPS) timing capabilities during the deliberations, coordinate this response with representatives from the National Communications System (NCS) and others, and draft a task force report with findings and recommendations. The STF engaged broad and active participation from representatives of NSTAC member companies, non-NSTAC commercial satellite owners and operators, commercial satellite trade associations, Government agencies, and technical experts. The task force examined all types of commercial SATCOM systems, including Fixed Satellite Service, Broadcast Satellite Service, Mobile Satellite Service, and Satellite Digital Audio Radio Service. To gain a broad understanding of vulnerabilities, the STF compared the difficulty of potential threats against the degree of susceptibility of key elements in these services, including the radio frequency links, ground segment, cyber segment, and space segment."

  United States. President's National Security Telecommunications Advisory Committee

  2004-02
• President's National Security Telecommunications Advisory Committee: Satellite Taskforce Report, Fact Sheet [February 2004]

  Show summary     Open resource [pdf]     (open full abstract)

  This fact sheet from the President's National Security Telecommunications Advisory Committee discusses the issues surrounding infrastructure protection for commercial satellite communications (SATCOM systems. "In January 2003, the Director, National Security Space Architect, requested that the President's National Security Telecommunications Advisory Committee (NSTAC) consider embarking on a study of infrastructure protection measures for commercial satellite communication (SATCOM) systems. The NSTAC established the Satellite Task Force (STF) to review and assess policies, practices, and procedures for the application of infrastructure protection measures to commercial SATCOM networks used for national security and emergency preparedness (NS/EP) communications. Specifically, the STF was established to (1) review applicable documentation addressing vulnerabilities in the commercial satellite infrastructure, (2) identify potential policy changes that would bring the infrastructure into conformance with a standard for mitigating those vulnerabilities, (3) consider Global Positioning System (GPS) timing capabilities during the deliberations, (4) coordinate this response with representatives from the National Communications System (NCS) and others, and (5) draft a task force report with findings and recommendations. The STF engaged broad and active participation from representatives of NSTAC member companies, non-NSTAC commercial satellite owners and operators, commercial satellite trade associations, Government agencies, and technical experts. The task force examined all types of commercial SATCOM systems, including Fixed Satellite Service, Broadcast Satellite Service, Mobile Satellite Service, and Satellite Digital Audio Radio Service. To gain a broad understanding of vulnerabilities, the STF compared the difficulty of potential threats against the degree of susceptibility of key elements in these services, including the radio frequency links, ground segment, cyber segment, and space segment."

  United States. President's National Security Telecommunications Advisory Committee

  2004-02
• Cybernotes: January 26, 2004

  Show summary     Open resource [pdf]     (open full abstract)

  This document includes a table providing a summary of software vulnerabilities identified between January 8 and January 22, 2004. The table provides the vendor, operating system, software name, potential vulnerability/impact, identified patches/workarounds/alerts, common name of the vulnerability, potential risk, and an indication of whether attacks have utilized this vulnerability or an exploit script is known to exist. Software versions are identified if known. This information is presented only as a summary; complete details are available from the source of the patch/workaround/alert, indicated in the footnote or linked site. Please note that even if the method of attack has not been utilized or an exploit script is not currently widely available on the Internet, a potential vulnerability has been identified. Updates to items appearing in previous issues of Cybernotes are listed in bold. New information contained in the update will appear in italicized colored text. Where applicable, the table lists a "CVE number" (in red) which corresponds to the Common Vulnerabilities and Exposures (CVE) list, a compilation of standardized names for vulnerabilities and other information security exposures. Cybernotes is published every two weeks by the Department of Homeland Security/Information Analysis and Infrastructure Protection (IAIP) Directorate. Its mission is to support security and information system professionals with timely information on cyber vulnerabilities, malicious scripts, information security trends, virus information, and other critical infrastructure-related best practices.

  National Infrastructure Protection Center (U.S.)

  2004-01-26
• Cybernotes: January 12, 2004

  Show summary     Open resource [pdf]     (open full abstract)

  This document includes a table providing a summary of software vulnerabilities identified between December 12, 2003 and January 9, 2004. The table provides the vendor, operating system, software name, potential vulnerability/impact, identified patches/workarounds/alerts, common name of the vulnerability, potential risk, and an indication of whether attacks have utilized this vulnerability or an exploit script is known to exist. Software versions are identified if known. This information is presented only as a summary; complete details are available from the source of the patch/workaround/alert, indicated in the footnote or linked site. Please note that even if the method of attack has not been utilized or an exploit script is not currently widely available on the Internet, a potential vulnerability has been identified. Updates to items appearing in previous issues of Cybernotes are listed in bold. New information contained in the update will appear in italicized colored text. Where applicable, the table lists a "CVE number" (in red) which corresponds to the Common Vulnerabilities and Exposures (CVE) list, a compilation of standardized names for vulnerabilities and other information security exposures. Cybernotes is published every two weeks by the Department of Homeland Security/Information Analysis and Infrastructure Protection (IAIP) Directorate. Its mission is to support security and information system professionals with timely information on cyber vulnerabilities, malicious scripts, information security trends, virus information, and other critical infrastructure-related best practices.

  National Infrastructure Protection Center (U.S.)

  2004-01-12
• National Security and Emergency Preparedness Telecom News 2004, Issue 1

  Show summary     Open resource [pdf]     (open full abstract)

  This edition of the National Communications System's (NCS) National Security and Emergency Preparedness Telecom News contains the following articles: "Homeland Security's Liscouski Named Manager of NCS"; "NCS Slated to Get $141 Million of $31 Billion Homeland Security Bill"; "NSTAC [National Security Telecommunications Advisory Committee], OSTP [Office of Science and Technology], Georgia Tech Announce Findings from March Research and Development Exchange"; "FCC [Federal Communications Commission], NCS Spearhead a National Outreach Campaign to Secure Priority Phone Service Restoration to 9-1-1 Centers"; "NCS Conducts First Successful Test of Backup Dial Tone Capabilities"; "Mr. Thomas J. Falvey Named Chief of the NCS' Customer Service Division"; "New Members Named to NCS Committee of Principals"; "COR [Council of Representatives Will Continue to Foster Cooperation and Information Sharing as Part of the DHS [Department of Homeland Security]"; "Critical Facilities Working Group Strives to Ensure Diversity of Facilities that Support NS/EP [national security and emergency preparedness] Functions"; "CIP [Critical Infrastructure Protection] Division Launches Outreach Program With New Trade Show Booth"; "Secretary Ridge Unveils Homeland Security Department Seal"; "DHS Announces $165 Million in Grants to States"; "Loy Becomes Deputy DHS, England Returns to Navy Position"; "Secretary Ridge Announces Homeland Security Advisory Council Members"; "DHS Creates a New Division To Combat Cyber Threats"; "United States and United Kingdom Announce Joint Anti-Terrorism Working Group"; "NS/EP Telecom News 18 The House of Representatives Establishes Select Committee to Coordinate Homeland Security Activities"; "Congress Continues Efforts to Secure the Nation Through Legislative Activities"; "'Cryptoberry' Provides Wireless E-mail Solution for Government"; and "Dr. McQueary Sworn In as Homeland Security Undersecretary".

  National Communications System (U.S.). Office of the Manager

  2004
• Serial No. 108-100: Cyber Security: The Status of Information Security and the Effects of the Federal Information Security Management Act [FISMA] at Federal Agencies: Hearing before the Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census of the Committee on Government Reform, House of Representatives, One Hundred Eighth Congress, First Session, June 24, 2003

  Show summary     Open resource [pdf]     (open full abstract)

  From the opening statement of Adam Putnam: "Today we continue our in-depth review of cyber security issues affecting our Nation. Specifically this hearing will focus sharply on the efforts within the Federal Government to secure our own computer networks. Our critical infrastructure of the cyber kind must have the same level of protection as our physical security if we are to be secure as a Nation from random hacker intrusions, malicious viruses or, worse, serious cyber terrorism. There are several things unique to cyber attacks that make the task of preventing them particularly difficult...The Departments of Treasury, State and Agriculture all have serious problems with their information security. Both the CIOs and the IGs of these agencies have concerns. In addition, GAO has indicated a concern with computer security for all three agencies in its performance and accountability series." Statements, letters, and materials submitted for the record include those of the following: Scott Charbo, Robert Cobb, Robert F. Dacey, Mark A. Forman, Johnnie E. Frazier, Drew Ladner, Bruce Morrison, Wm. Lacy Clay, Candice S. Miller, and Adam H. Putnam.

  United States. Government Printing Office

  2004
• Cybernotes: December 31, 2003

  Show summary     Open resource [pdf]     (open full abstract)

  This document includes a table providing a year-end summary of software vulnerabilities identified between December 6, 2002 and December 12, 2003. The table provides the vendor, operating system, software name, common name of the vulnerability, potential risk at the time of publication, and the Cybernotes issue in which the vulnerability appeared. Software versions are identified if known. This information is presented only as a summary; complete details are available from the source indicated in the endnote. Please note that even if the method of attack has not been utilized or an exploit script is not currently widely available on the Internet, a potential vulnerability has been identified. Updates to items appearing in previous issues of Cybernotes are listed in bold. New information contained in the update will appear in italicized colored text. Where applicable, the table lists a "CVE number" (in red) which corresponds to the Common Vulnerabilities and Exposures (CVE) list, a compilation of standardized names for vulnerabilities and other information security exposures. Cybernotes is published every two weeks by the Department of Homeland Security/Information Analysis and Infrastructure Protection (IAIP) Directorate. Its mission is to support security and information system professionals with timely information on cyber vulnerabilities, malicious scripts, information security trends, virus information, and other critical infrastructure-related best practices.

  National Infrastructure Protection Center (U.S.)

  2003-12-31
• Cybernotes: December 30, 2002

  Show summary     Open resource [pdf]     (open full abstract)

  The following document includes a table providing a year-end summary of software vulnerabilities identified between December 7, 2001 and December 13, 2002. The table provides the vendor, software name, operating system, common name of the vulnerability, potential risk at the time of publication, and the Cybernotes issue in which the vulnerability appeared. Software versions are identified if known. This information is presented only as a summary; complete details are available from the source indicated in the endnote. Please note that even if the method of attack has not been utilized or an exploit script is not currently widely available on the Internet, a potential vulnerability has been identified. Updates to items appearing in previous issues of Cybernotes are listed in bold. New information contained in the update will appear in italicized colored text. Where applicable, the table lists a "CVE number" (in red) which corresponds to the Common Vulnerabilities and Exposures (CVE) list, a compilation of standardized names for vulnerabilities and other information security exposures. Cybernotes is published every two weeks by the National Infrastructure Protection Center (NIPC). Its mission is to support security and information system professionals with timely information on cyber vulnerabilities, malicious scripts, information security trends, virus information, and other critical infrastructure-related best practices.

  National Infrastructure Protection Center (U.S.)

  2003-12-30
• Cybernotes: December 15, 2003

  Show summary     Open resource [pdf]     (open full abstract)

  This document includes a table providing a summary of software vulnerabilities identified between November 11 and November 26, 2003. The table provides the vendor, operating system, software name, potential vulnerability/impact, identified patches/workarounds/alerts, common name of the vulnerability, potential risk, and an indication of whether attacks have utilized this vulnerability or an exploit script is known to exist. Software versions are identified if known. This information is presented only as a summary; complete details are available from the source of the patch/workaround/alert, indicated in the footnote or linked site. Please note that even if the method of attack has not been utilized or an exploit script is not currently widely available on the Internet, a potential vulnerability has been identified. Updates to items appearing in previous issues of Cybernotes are listed in bold. New information contained in the update will appear in italicized colored text. Where applicable, the table lists a "CVE number" (in red) which corresponds to the Common Vulnerabilities and Exposures (CVE) list, a compilation of standardized names for vulnerabilities and other information security exposures. Cybernotes is published every two weeks by the Department of Homeland Security/Information Analysis and Infrastructure Protection (IAIP) Directorate. Its mission is to support security and information system professionals with timely information on cyber vulnerabilities, malicious scripts, information security trends, virus information, and other critical infrastructure-related best practices.

  National Infrastructure Protection Center (U.S.)

  2003-12-15
• Posthearing Questions from the September 17, 2003, Hearing on 'Implications of Power Blackouts for the Nation's Cybersecurity and Critical Infrastructure Protection: The Electric Grid, Critical Interdependencies, Vulnerabilities, and Readiness'

  Show summary     Open resource [pdf]     (open full abstract)

  "In our August 2003 report on information sharing, we identified initiatives that had been undertaken to improve the sharing of information to prevent terrorist attacks and surveyed federal, state, and city government officials to obtain their perceptions on how the current information-sharing process was working. Our survey showed that none of the three levels of government perceived the current information-sharing process to be effective when it involved the sharing of information with federal agencies. Specifically, respondents reported that information on threats, methods, and techniques of terrorists was not routinely shared, and the information that was shared was not perceived as timely, accurate, or relevant. Further, 30 of 40 states and 212 of 228 cities responded that they were not given the opportunity to participate in national policy making on information sharing. Federal agencies in our survey also identified several barriers to sharing threat information with state and city governments, including the inability of state and city officials to secure and protect classified information, their lack of federal security clearances, and a lack of integrated databases. Further, this report identified some notable information-sharing initiatives. For example, the Federal Bureau of Investigation (FBI) reported that it had significantly increased the number of its Joint Terrorism Task Forces and, according to our survey, 34 of 40 states and 160 of 228 cities stated that they participated in information-sharing centers."

  United States. General Accounting Office

  2003-12-08
• Cybernotes: December 1, 2003

  Show summary     Open resource [pdf]     (open full abstract)

  The following table provides a summary of software vulnerabilities identified between November 11 and November 26, 2003. The table provides the vendor, operating system, software name, potential vulnerability/impact, identified patches/workarounds/alerts, common name of the vulnerability, potential risk, and an indication of whether attacks have utilized this vulnerability or an exploit script is known to exist. Software versions are identified if known. This information is presented only as a summary; complete details are available from the source of the patch/workaround/alert, indicated in the footnote or linked site. Please note that even if the method of attack has not been utilized or an exploit script is not currently widely available on the Internet, a potential vulnerability has been identified. Updates to items appearing in previous issues of Cybernotes are listed in bold. New information contained in the update will appear in italicized colored text. Where applicable, the table lists a "CVE number" (in red) which corresponds to the Common Vulnerabilities and Exposures (CVE) list, a compilation of standardized names for vulnerabilities and other information security exposures. Cybernotes is published every two weeks by the Department of Homeland Security/Information Analysis and Infrastructure Protection (IAIP) Directorate. Its mission is to support security and information system professionals with timely information on cyber vulnerabilities, malicious scripts, information security trends, virus information, and other critical infrastructure-related best practices.

  National Infrastructure Protection Center (U.S.)

  2003-12-01
• Serial No. 108-196: Telecommunications and SCADA: Secure Links or Open Portals to the Security of Our Nation's Critical Infrastructure? Hearing before the Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census of the Committee on Government Reform, House of Representatives, One Hundred Eighth Congress, Second Session, March 30, 2004

  Show summary     Open resource [pdf]     (open full abstract)

  From the opening statement of Adam H. Putnam: "Clearly, the issue of protecting the cyber element of our Nation's critical infrastructure is of paramount concern to this subcommittee and we will continue to examine these matters comprehensively. This is our second hearing dealing with the issue of SCADA or industrial control systems. Our first hearing was a closed hearing. Through our hearings and other high level briefings, it has become abundantly clear that our Nation is not protected sufficiently from cyber attack against our critical infrastructure. Given the fact that roughly 80 percent of these systems are owned or controlled by the private sector, it is important that we work collaboratively and aggressively to address this matter. The testimony today will, obviously, not reveal specific vulnerabilities; but I hope it will raise the alarm so that necessary steps will be taken to secure our critical infrastructure from the potential of cyber attack. Additionally, this hearing will focus attention on the telecommunications that connect SCADA devices to their control and monitoring networks and review the associated vulnerabilities." Statements, letters, and materials submitted for the record include those of the following: Robert F. Dacey, James F. McDonnell, Joseph Weiss, Dan Verton, Gerald S. Freese, Jeffrey H. Katz, Wm. Lacy Clay, Candice S. Miller, and Adam H. Putnam.

  United States. Government Printing Office

  2004
• Cybernotes: November 17, 2003

  Show summary     Open resource [pdf]     (open full abstract)

  This document includes a table providing a summary of software vulnerabilities identified between October 30 and November 13, 2003. The table provides the vendor, operating system, software name, potential vulnerability/impact, identified patches/workarounds/alerts, common name of the vulnerability, potential risk, and an indication of whether attacks have utilized this vulnerability or an exploit script is known to exist. Software versions are identified if known. This information is presented only as a summary; complete details are available from the source of the patch/workaround/alert, indicated in the footnote or linked site. Please note that even if the method of attack has not been utilized or an exploit script is not currently widely available on the Internet, a potential vulnerability has been identified. Updates to items appearing in previous issues of Cybernotes are listed in bold. New information contained in the update will appear in italicized colored text. Where applicable, the table lists a "CVE number" (in red) which corresponds to the Common Vulnerabilities and Exposures (CVE) list, a compilation of standardized names for vulnerabilities and other information security exposures. Cybernotes is published every two weeks by the Department of Homeland Security/Information Analysis and Infrastructure Protection (IAIP) Directorate. Its mission is to support security and information system professionals with timely information on cyber vulnerabilities, malicious scripts, information security trends, virus information, and other critical infrastructure-related best practices.

  National Infrastructure Protection Center (U.S.)

  2003-11-17
• Cybernotes: November 3, 2003

  Show summary     Open resource [pdf]     (open full abstract)

  This document includes a table providing a summary of software vulnerabilities identified between October 7 and October 30, 2003. The table provides the vendor, operating system, software name, potential vulnerability/impact, identified patches/workarounds/alerts, common name of the vulnerability, potential risk, and an indication of whether attacks have utilized this vulnerability or an exploit script is known to exist. Software versions are identified if known. This information is presented only as a summary; complete details are available from the source of the patch/workaround/alert, indicated in the footnote or linked site. Please note that even if the method of attack has not been utilized or an exploit script is not currently widely available on the Internet, a potential vulnerability has been identified. Updates to items appearing in previous issues of Cybernotes are listed in bold. New information contained in the update will appear in italicized colored text. Where applicable, the table lists a "CVE number" (in red) which corresponds to the Common Vulnerabilities and Exposures (CVE) list, a compilation of standardized names for vulnerabilities and other information security exposures. Cybernotes is published every two weeks by the Department of Homeland Security/Information Analysis and Infrastructure Protection (IAIP) Directorate. Its mission is to support security and information system professionals with timely information on cyber vulnerabilities, malicious scripts, information security trends, virus information, and other critical infrastructure-related best practices.

  National Infrastructure Protection Center (U.S.)

  2003-11-03
• Department Critical Infrastructure Protection Implementing Plans to Protect Cyber-Based Infrastructure

  Show summary     Open resource [pdf]     (open full abstract)

  "This audit of critical infrastructure protection is a continuation of the executive branch-wide effort by the President's Council on Integrity and Efficiency (PCIE). We, along with other OIGs, who are conducting similar audits, focused on the adequacy of implementation activities for protecting critical computer-based infrastructures. Specifically, we reviewed Department activities in the areas of: risk mitigation; emergency management; interagency coordination; resource and organization requirements; the recruitment, education of Information Technology (IT) personnel; and computer security awareness. In addition, we reviewed follow-up activities undertaken with regard to the recommendations of our November 2000 report and found that the Department has made progress in the implementation of its CIP Plans, but much significant work remains to be done."

  United States. Department of Justice. Office of the Inspector General

  2003-11
• Cybernotes: October 20, 2003

  Show summary     Open resource [pdf]     (open full abstract)

  This document includes a table providing a summary of software vulnerabilities identified between October 2 and October 15, 2003. The table provides the vendor, operating system, software name, potential vulnerability/impact, identified patches/workarounds/alerts, common name of the vulnerability, potential risk, and an indication of whether attacks have utilized this vulnerability or an exploit script is known to exist. Software versions are identified if known. This information is presented only as a summary; complete details are available from the source of the patch/workaround/alert, indicated in the footnote or linked site. Please note that even if the method of attack has not been utilized or an exploit script is not currently widely available on the Internet, a potential vulnerability has been identified. Updates to items appearing in previous issues of Cybernotes are listed in bold. New information contained in the update will appear in italicized colored text. Where applicable, the table lists a "CVE number" (in red) which corresponds to the Common Vulnerabilities and Exposures (CVE) list, a compilation of standardized names for vulnerabilities and other information security exposures. Cybernotes is published every two weeks by the Department of Homeland Security/Information Analysis and Infrastructure Protection (IAIP) Directorate. Its mission is to support security and information system professionals with timely information on cyber vulnerabilities, malicious scripts, information security trends, virus information, and other critical infrastructure-related best practices.

  National Infrastructure Protection Center (U.S.)

  2003-10-20
• Cybernotes: October 6, 2003

  Show summary     Open resource [pdf]     (open full abstract)

  This document includes a table providing a summary of software vulnerabilities identified between September 18 and October 3, 2003. The table provides the vendor, operating system, software name, potential vulnerability/impact, identified patches/workarounds/alerts, common name of the vulnerability, potential risk, and an indication of whether attacks have utilized this vulnerability or an exploit script is known to exist. Software versions are identified if known. This information is presented only as a summary; complete details are available from the source of the patch/workaround/alert, indicated in the footnote or linked site. Please note that even if the method of attack has not been utilized or an exploit script is not currently widely available on the Internet, a potential vulnerability has been identified. Updates to items appearing in previous issues of Cybernotes are listed in bold. New information contained in the update will appear in italicized colored text. Where applicable, the table lists a "CVE number" (in red) which corresponds to the Common Vulnerabilities and Exposures (CVE) list, a compilation of standardized names for vulnerabilities and other information security exposures. Cybernotes is published every two weeks by the Department of Homeland Security/Information Analysis and Infrastructure Protection (IAIP) Directorate. Its mission is to support security and information system professionals with timely information on cyber vulnerabilities, malicious scripts, information security trends, virus information, and other critical infrastructure-related best practices.

  National Infrastructure Protection Center (U.S.)

  2003-10-06
• Critical Infrastructure Protection: Challenges in Securing Control Systems, Statement of Robert F. Dacey, Director, Information Security Issues, Testimony Before the Subcommittee on Technology, Information Policy, Intergovernmental Relations, and the Census, House Committee on Government Reform

  Show summary     Open resource [pdf]     (open full abstract)

  "Computerized control systems perform vital functions across many of our nation's critical infrastructures. For example, in natural gas distribution, they can monitor and control the pressure and flow of gas through pipelines; in the electric power industry, they can monitor and control the current and voltage of electricity through relays and circuit breakers; and in water treatment facilities, they can monitor and adjust water levels, pressure, and chemicals used for purification. In October 1997, the President's Commission on Critical Infrastructure Protection emphasized the increasing vulnerability of control systems to cyber attacks. The House Committee on Government Reform, Subcommittee on Technology, Information Policy, Intergovernmental Relations, and the Census asked GAO to testify on potential cyber vulnerabilities. GAO's [Government Accountability Office's] testimony focused on (1) significant cybersecurity risks associated with control systems; (2) potential and reported cyber attacks against these systems; (3) key challenges to securing control systems; and (4) steps that can be taken to strengthen the security of control systems, including current federal and private-sector initiatives."

  United States. General Accounting Office

  2003-10-01
• Critical Infrastructures: Background, Policy, and Implementation [Updated September 25, 2003]

  Show summary     Open resource [pdf]     (open full abstract)

  "The nations health, wealth, and security rely on the production and distribution of certain goods and services. The array of physical assets, processes and organizations across which these goods and services move are called critical infrastructures (e.g. electricity, the power plants that generate it, and the electric grid upon which it is distributed). Computers and communications, themselves critical infrastructures, are increasingly tying these infrastructures together. There has been growing concern that this reliance on computers and computer networks raises the vulnerability of the nations critical infrastructures to 'cyber' attacks. InMay1998, President Clinton released Presidential Decision Directive No. 63. The Directive set up groups within the federal government to develop and implement plans that would protect government-operated infrastructures and called for a dialogue between government and the private sector to develop a National Infrastructure Assurance Plan that would protect all of the nations critical infrastructures by the year 2003. While the Directive called for both physical and cyber protection from both man-made and natural events, implementation focused on cyber protection against man-made cyber events (i.e. computer hackers). However, given the physical damage caused by the September 11 attacks and the subsequent impact on the communications, finance, and transportation services, physical protections of critical infrastructures is receiving greater attention."

  Library of Congress. Congressional Research Service

  Moteff, John D.

  2003-09-25
• Cybernotes: September 22, 2003

  Show summary     Open resource [pdf]     (open full abstract)

  This document includes a table providing a summary of software vulnerabilities identified between September 4 and September 20, 2003. The table provides the vendor, operating system, software name, potential vulnerability/impact, identified patches/workarounds/alerts, common name of the vulnerability, potential risk, and an indication of whether attacks have utilized this vulnerability or an exploit script is known to exist. Software versions are identified if known. This information is presented only as a summary; complete details are available from the source of the patch/workaround/alert, indicated in the footnote or linked site. Please note that even if the method of attack has not been utilized or an exploit script is not currently widely available on the Internet, a potential vulnerability has been identified. Updates to items appearing in previous issues of Cybernotes are listed in bold. New information contained in the update will appear in italicized colored text. Where applicable, the table lists a "CVE number" (in red) which corresponds to the Common Vulnerabilities and Exposures (CVE) list, a compilation of standardized names for vulnerabilities and other information security exposures. Cybernotes is published every two weeks by the Department of Homeland Security/Information Analysis and Infrastructure Protection (IAIP) Directorate. Its mission is to support security and information system professionals with timely information on cyber vulnerabilities, malicious scripts, information security trends, virus information, and other critical infrastructure-related best practices.

  National Infrastructure Protection Center (U.S.)

  2003-09-22
• Homeland Security: Information Sharing Responsibilities, Challenges, and Key Management Issues, Statement of Robert F. Dacey, Testimony Before the Subcommittee on Cybersecurity, Science, and Research and Development and the Subcommittee on Infrastructure and Border Security, Select Committee on Homeland Security, House of Representatives,

  Show summary     Open resource [pdf]     (open full abstract)

  This document only contains prepared testimony from Robert F. Dacey, GAO ("Information Sharing Responsibilities, Challenges, and Key Management Issues [GAO-03-1165T]), Denise Swink, Acting Director of the Office of Energy Assurance, Department of Energy, Robert Liscouski, Assistant Secretary for Infrastructure Protection Acting Director, National Cyber Security Division Department of Homeland Security, and Colonel Michael McDaniel, Assistant Adjutant General for Homeland Security, State of Michigan.

  United States. General Accounting Office

  2003-09-17
• Cybernotes: September 8, 2003

  Show summary     Open resource [pdf]     (open full abstract)

  This document includes a table providing a summary of software vulnerabilities identified between August 19 and September 5, 2003. The table provides the vendor, operating system, software name, potential vulnerability/impact, identified patches/workarounds/alerts, common name of the vulnerability, potential risk, and an indication of whether attacks have utilized this vulnerability or an exploit script is known to exist. Software versions are identified if known. This information is presented only as a summary; complete details are available from the source of the patch/workaround/alert, indicated in the footnote or linked site. Please note that even if the method of attack has not been utilized or an exploit script is not currently widely available on the Internet, a potential vulnerability has been identified. Updates to items appearing in previous issues of Cybernotes are listed in bold. New information contained in the update will appear in italicized colored text. Where applicable, the table lists a "CVE number" (in red) which corresponds to the Common Vulnerabilities and Exposures (CVE) list, a compilation of standardized names for vulnerabilities and other information security exposures. Cybernotes is published every two weeks by the Department of Homeland Security/Information Analysis and Infrastructure Protection (IAIP) Directorate. Its mission is to support security and information system professionals with timely information on cyber vulnerabilities, malicious scripts, information security trends, virus information, and other critical infrastructure-related best practices.

  National Infrastructure Protection Center (U.S.)

  2003-09-08
• President's National Security Telecommunications Advisory Committee (NSTAC): Legislative and Regulatory Task Force Report: Barriers to Information Sharing

  Show summary     Open resource [pdf]     (open full abstract)

  "The private sector owns and operates more than 80 percent of the Nation's critical infrastructures. To protect these key physical and cyber systems, the Government relies on the private sector for information about network vulnerabilities and threats. However, there may be barriers that hinder the private sector from sharing critical infrastructure information (CII) with the Government. The telecommunications and information technology sector, for example, has expressed concern that shared CII might be disclosed under The Freedom of Information Act (FOIA); that industry might be exposed to civil tort or contract liability for sharing such information in good faith; and that industry could face antitrust violations for sharing infrastructure information with other industry partners. The Homeland Security Act of 2002's Critical Infrastructure Information Act, Sections 211-215, 221, and 222, provides additional FOIA and liability protections to the private sector for sharing critical infrastructure information. Despite these new statutory protections, however, questions remain about whether the CII Act's provisions are strong enough to encourage information sharing between industry and the Federal Government. The President's National Security Telecommunications Advisory Committee's (NSTAC) Legislative and Regulatory Task Force (LRTF) was tasked with analyzing the information sharing environment since enactment of the CII Act to determine whether barriers to information sharing still exist between industry and the Federal Government. During its deliberations, the LRTF examined the CII Act. The LRTF then made a series of recommendations for improving the exchange of CII between industry and the Government and protecting CII that is voluntarily provided to the Government by critical infrastructure owners and operators."

  United States. President's National Security Telecommunications Advisory Committee

  2003-09
• Cybernotes: August 25, 2003

  Show summary     Open resource [pdf]     (open full abstract)

  This document includes a table summarizing software vulnerabilities identified between August 4 and August 21, 2003. The table provides the vendor, operating system, software name, potential vulnerability/impact, identified patches/workarounds/alerts, common name of the vulnerability, potential risk, and an indication of whether attacks have utilized this vulnerability or an exploit script is known to exist. Software versions are identified if known. This information is presented only as a summary; complete details are available from the source of the patch/workaround/alert, indicated in the footnote or linked site. Please note that even if the method of attack has not been utilized or an exploit script is not currently widely available on the Internet, a potential vulnerability has been identified. Updates to items appearing in previous issues of Cybernotes are listed in bold. New information contained in the update will appear in italicized colored text. Where applicable, the table lists a "CVE number" (in red) which corresponds to the Common Vulnerabilities and Exposures (CVE) list, a compilation of standardized names for vulnerabilities and other information security exposures. Cybernotes is published every two weeks by the Department of Homeland Security/Information Analysis and Infrastructure Protection (IAIP) Directorate. Its mission is to support security and information system professionals with timely information on cyber vulnerabilities, malicious scripts, information security trends, virus information, and other critical infrastructure-related best practices.

  National Infrastructure Protection Center (U.S.)

  2003-08-25
• Cybernotes: August 11, 2003

  Show summary     Open resource [pdf]     (open full abstract)

  This document includes a table providing a summary of software vulnerabilities identified between July 17 and August 11, 2003. The table provides the vendor, operating system, software name, potential vulnerability/impact, identified patches/workarounds/alerts, common name of the vulnerability, potential risk, and an indication of whether attacks have utilized this vulnerability or an exploit script is known to exist. Software versions are identified if known. This information is presented only as a summary; complete details are available from the source of the patch/workaround/alert, indicated in the footnote or linked site. Please note that even if the method of attack has not been utilized or an exploit script is not currently widely available on the Internet, a potential vulnerability has been identified. Updates to items appearing in previous issues of Cybernotes are listed in bold. New information contained in the update will appear in italicized colored text. Where applicable, the table lists a "CVE number" (in red) which corresponds to the Common Vulnerabilities and Exposures (CVE) list, a compilation of standardized names for vulnerabilities and other information security exposures. Cybernotes is published every two weeks by the Department of Homeland Security/Information Analysis and Infrastructure Protection (IAIP) Directorate. Its mission is to support security and information system professionals with timely information on cyber vulnerabilities, malicious scripts, information security trends, virus information, and other critical infrastructure-related best practices.

  National Infrastructure Protection Center (U.S.)

  2003-08-11
• Critical Infrastructures: Background, Policy, and Implementation [Updated August 7, 2003]

  Show summary     Open resource [pdf]     (open full abstract)

  "The nation's health, wealth, and security rely on the production and distribution of certain goods and services. The array of physical assets, processes and organizations across which these goods and services move are called critical infrastructures (e.g. electricity, the power plants that generate it, and the electric grid upon which it is distributed). Computers and communications, themselves critical infrastructures, are increasingly tying these infrastructures together. There has been growing concern that this reliance on computers and computer networks raises the vulnerability of the nation's critical infrastructures to 'cyber' attacks. On November 22, 2002, Congress passed legislation creating a Department of Homeland Security. The Department consolidates into a single department a number of offices and agencies responsible for implementing various aspects of homeland security. One of the directorates created by the legislation is responsible for Information Analysis and Infrastructure Protection. Issues include whether to segregate cyber protection from physical protection organizationally, mechanisms for sharing information shared between the government and the private sector, costs, the need to set priorities, and whether or not the federal government will need to employ more direct incentives to achieve an adequate level of protection by the private sector and states, and privacy versus protection. This report will be updated as warranted."

  Library of Congress. Congressional Research Service

  Moteff, John D.

  2003-08-07
• Cybernotes: July 28, 2003

  Show summary     Open resource [pdf]     (open full abstract)

  The following table provides a summary of software vulnerabilities identified between July 8 and July 26, 2003. The table provides the vendor, operating system, software name, potential vulnerability/impact, identified patches/workarounds/alerts, common name of the vulnerability, potential risk, and an indication of whether attacks have utilized this vulnerability or an exploit script is known to exist. Software versions are identified if known. This information is presented only as a summary; complete details are available from the source of the patch/workaround/alert, indicated in the footnote or linked site. Please note that even if the method of attack has not been utilized or an exploit script is not currently widely available on the Internet, a potential vulnerability has been identified. Updates to items appearing in previous issues of Cybernotes are listed in bold. New information contained in the update will appear in italicized colored text. Where applicable, the table lists a "CVE number" (in red) which corresponds to the Common Vulnerabilities and Exposures (CVE) list, a compilation of standardized names for vulnerabilities and other information security exposures. Cybernotes is published every two weeks by the Department of Homeland Security/Information Analysis and Infrastructure Protection (IAIP) Directorate. Its mission is to support security and information system professionals with timely information on cyber vulnerabilities, malicious scripts, information security trends, virus information, and other critical infrastructure-related best practices.

  National Infrastructure Protection Center (U.S.)

  2003-07-28
• National Infrastructure Advisory Council (NIAC): Meeting Agenda, July 22, 2003

  Show summary     Open resource [pdf]     (open full abstract)

  The following are the Meeting notes for the National Infrastructure Advisory Council (NIAC) on Tuesday, July 22, 2003. "General Gordon began by thanking Chairman Davidson, the members of the NIAC, and representatives of the National Security Telecommunications Advisory Committee (NSTAC) present. General Gordon then warned that cyber weapons are tested everyday in one form or another, and though this testing is done without cover, it is difficult to detect. He stressed the difficulty and importance of defending against direct attacks from various sources, including terrorists, criminals, and amateur hackers, noting that cyber attacks, while dangerous in their own right, can also be launched as a prelude to a physical attack, thereby magnifying their potential for harm. He called the cyber threat both serious and real, and remarked that the NIAC is a visible sign of the importance placed on the partnership between the public and private sectors. General Libutti opened by thanking General Gordon, Chairman Davidson, and the NIAC members for their attention and support of the Nation. After discussing his career highlights, General Libutti focused attention on his current position as Under Secretary, where he asserted that his job is to muster and motivate the resources of the IAIP Directorate to accomplish the mission of IAIP: delivering an integrated, end-to-end capability to identify and assess current and future threats to the homeland; map those threats against the nation's vulnerabilities; coherently and efficiently communicate threat and warning information; and prioritize protective measures to prevent attacks, reduce vulnerabilities, minimize damage, and assist in the restoration of critical services and functions in the wake of a crisis event."

  National Infrastructure Advisory Council (U.S.)

  Wong, Nancy J.; Libutti, Frank, 1945-; Gordon, John A.

  2003-07-22
• Cybernotes: June 30, 2003

  Show summary     Open resource [pdf]     (open full abstract)

  This document includes a table summarizing software vulnerabilities identified between June 11 and June 29, 2003. The table provides the vendor, operating system, software name, potential vulnerability/impact, identified patches/workarounds/alerts, common name of the vulnerability, potential risk, and an indication of whether attacks have utilized this vulnerability or an exploit script is known to exist. Software versions are identified if known. This information is presented only as a summary; complete details are available from the source of the patch/workaround/alert, indicated in the footnote or linked site. Please note that even if the method of attack has not been utilized or an exploit script is not currently widely available on the Internet, a potential vulnerability has been identified. Updates to items appearing in previous issues of Cybernotes are listed in bold. New information contained in the update will appear in italicized colored text. Where applicable, the table lists a "CVE number" (in red) which corresponds to the Common Vulnerabilities and Exposures (CVE) list, a compilation of standardized names for vulnerabilities and other information security exposures. Cybernotes is published every two weeks by the Department of Homeland Security/Information Analysis and Infrastructure Protection (IAIP) Directorate. Its mission is to support security and information system professionals with timely information on cyber vulnerabilities, malicious scripts, information security trends, virus information, and other critical infrastructure-related best practices.

  National Infrastructure Protection Center (U.S.)

  2003-06-30