• ALERT: Cross-site Scripting Vulnerability in Twitter.com

    An XSS (cross-site scripting) vulnerability on twitter.com has been publicly disclosed. XSS vulnerabilities allow attackers to inject malicious scripts into web pages and thereby gain control of your computer via the web browser.

    As this vulnerability is now public knowledge and has not yet been fixed by Twitter, the chance of an attack similar to last year's "Mikeyy worm", or something more malicious, is greatly increased. As such, the Enterprise Security Office recommends that users of Twitter not access the website unless it is absolutely necessary, and further recommends that any use of Twitter be through a client rather than a web browser. Examples of third-party clients for accessing Twitter include web-based solutions such as HootSuite and CoTweet, and desktop clients such as TweetDeck, Spaz, or Seesmic.

    We will be monitoring this and will announce further developments as they occur.

  • Cyber Security Alerts & Advisories

    Announcements of current cyber security threats and how to deal with them.

  • Cyber Security in the News

    A collection of recent news items relating to cyber security.

  • Security Administration

    Security administration services encompass the issuance of the following: access IDs to agency personnel for ITD-maintained applications and resources, SSL server certificates, and RSA SecurID tokens. In addition, ITD is responsible for securing Commonwealth firewalls to ensure that only authorized TCP/IP ports and protocols are allowed in and out of the different agencies and agency-located DMZs.

  • Security Education & Awareness

    ITD's Security Education & Awareness page is a central repository for important cyber security updates, news and announcements, tips and how-to's.

  • Security Risk Assessment

    Information Security Risk Assessment is an ongoing process of discovering, correcting and preventing security problems. The risk assessment is an integral part of a risk management process designed to provide appropriate levels of security for information systems. The risk assessment will help an agency determine the acceptable level of risk and the resulting security requirements for each system. The agency must then devise, implement and monitor a set of security measures to address the level of identified risk.

  • Security Incident Reporting & Service Requests

    Information on how to identify when an incident has occurred, the procedure for reporting such incidents and the proper forms to complete the reporting process, and how to implement recovery from an incident. Requests for services have a streamlined intake process to facilitate these requests.

  • Wide Area Network Support

    ITD maintains the Commonwealth's Wide Area Network. Services provided in this area encompass: maintaining the DNS; ensuring that all TCP/IP address space used on the Commonwealth's Internal Network is properly routed on the network and, if necessary, on the Internet; managing agencies' network connectivity; analyzing and reporting on network element performance to determine bandwidth utilization; and establishing TCP/IP controlled access to mainframe applications.

  • Security Policies & Standards

    Links to various Enterprise policies and standards that relate to cyber security.

  • EO504 Support

    User guides to assist with using the EO504 Compliance Application.