Friday, April 6, 2012

FOIA, I hardly know ya! (Yearly Report Card on Federal Government’s efforts to track and manage Freedom of Information Act requests)

http://www.ostglobalsolutions.com/index.htm

The Freedom of Information Act (FOIA) requests are a critical element of business development and capture. This is how you learn about a pursuit’s history and your competition. The problem is – FOIA requests are tricky:

OST proposal management process: proposal kick-off (integration phase), pink team and proposal drafting (planning phase), red team and proposal writing (writing phase), proposal polishing and gold team (polishing phase), proposal editing, printing, and shipping (publication phase), and proposal debriefs and lessons learned (post-proposal phase)

They take forever to obtain – so someone needs to carefully track them and follow up relentlessly to get any results – sometimes taking months and rendering your requests useless for your capture effort.
They have a potential to tick off your competition as they will know who is requesting – and if you tend to team with this competitor on occasion, you may want to be strategic as to what you request.
Third-party FOIA requests through services such as GovWin IQ and Centurion are great. They are faster as these services have established contacts in FOIA offices and they have personnel to follow up. The party whose documents are subject to FOIA doesn’t know who is requesting the FOIA documents. The downside is, now that these services have gone through the effort of fetching the information for you, they may also reuse this information to provide it to your competitors. Brilliant move on your part to FOIA something. Now your competitors subscribing to these services will have a reason to thank you. This may or may not matter to you.

Now it promises to be even harder to get FOIA documents – the length of time is stretching to close to a year. On March 15^th, 2012 the U.S. House of Representatives Committee on Oversight and Government Reform, released their yearly Report Card on Federal Government’s efforts to track and manage FOIA requests. This report is critical of the federal government’s tracking of how it processes and responds to FOIA requests. Agencies got anaverage grade of C-. FOIA logs were requested to be graded based on a few criteria: names of FOIA requesters on log, tracking numbers for requests, descriptions of material sought, and whether records were in fact released. There are now as many as 13-months delays in some requests.

There are two things to consider:

These grades are an indication of a willingness and ability by certain agencies FOIA offices to show accountability and transparency. You should be concerned about how difficult it is to obtain the information needed to help us decide to pursue an opportunity, enrich our capture efforts, and produce a proposal.
See if the agencies that received an F grade are part of your customer list. There were two reasons to receive this grade: either the agency did not respond to FOIA requests – which in itself is a bad sign – or failed to produce them in digital format (which is a FOIA rule). In this case, save yourself an effort and don’t count on FOIA information – try to find it in other ethical ways.

If you would like to see the report card, you can download it herehttp://bit.ly/HQfLx4

What does this report mean to you? Well, a couple of things. First, start waaaay early with your capture. If you feel that you need to FOIA documents, plan for months of waiting to get them. Second, use the resources available to you to their maximum, such as the paid services that can help you. However, be strategic about it, you may get the information faster and anonymously, but know that others may get it as well. There is no difference in the thought process when asking questions about an RFP in a public forum: is getting what you need worth making your competition better off?

Capture and Proposal Seminars

Don’t miss early bird registration pricing – it ends 3 weeks before each class. Register at www.ostglobalsolutions.com/training/schedule

Date, 2012	Class Name
April 17-18	Foundations of Capture Management
April 19-20	Foundations of Proposal Management
April 23-24	Proposal Speed-Writing and Persuasion
May 14-15	Preparing Winning Multiple Award and Task Order Proposals
May 16	Cost Proposal Strategy for Proposal Managers
June 19-20	Advanced Capture Management
June 21-22	Advanced Proposal Management
July 19	Proposal Win Themes Development Workshop
July 20	Executive Summaries For Winning Proposals Workshop

If you don’t find a class that suits your schedule, consider us for on-site corporate training at your company, or for a webinar for your dispersed workforce if you have multiple locations.

Useful Proposal Resources

Blueprint for Winning Government Contracts – Find opportunities, write winning proposals, and win multimillion dollar contracts to grow your small business in the federal market.
Task Order Manual Template – Reusable professional toolset (electronic Word template) – instant download.
Executive Summary Secrets – Self-study course (workbook and audio CD) to persuade evaluators to award the contract to you.
How to Succeed as a Proposal Consultant – Get more work, higher pay, and better clients – instant download!
A Proposal Manager’s Essential Checklists – Reusable toolset for consistently successful proposal management and coordination.
Proposal Resources Estimating Guide – Guide for determining required manpower and hours to calculate how much a proposal should cost

P.S.: As always – if you need business development, capture and proposal consulting or training support, contact us at 301-384-3350 or at service@ostglobalsolutions.com

P.P.S.: Feel free to forward this newsletter to others who may find it useful. If you have received this from a colleague and would like to sign up yourself, here is where you can do it: http://www.ostglobalsolutions.com/eZine-signup.htm.

Written by Olessia Smotrova-Taylor, President and CEO of OST Global Solutions, Inc. Olessia is a currently practicing capture and proposal manager who has won more than $17 Billion in new business. As one of the proposal industry leaders, she served on the Board of Directors of the Association of Proposal Management Professionals' (APMP) National Capital Area (NCA) chapter as the editor and chair of the APMP NCA Executive Summary eZine for 4 years since 2008, and as a president for 2012. She regularly presents at the APMP's international and other conferences, roundtables, and proposal boot camps, and runs popular training webinars on business development. She has 16 years of experience in proposal and capture management, marketing, and communications. She is a prolific author, speaker, trainer, and blogger, and is well-known in the global proposal community. Her self-study course, Executive Summary Secrets, sells worldwide. Prior to starting her own consulting company, she won business for Raytheon and Lockheed Martin, and wrote for the Financial Times of London. Olessia can be reached at otaylor@ostglobalsolutions.com or at 301-384-3350.

4th Law Enforcement IT Day 2012. April 18, 2012

https://www.signup4.net/Public/ap.aspx?EID=LEIT11E&TID=0DGolKLphAGqEeyOfCzEgg%3d%3d

AFCEA Bethesda Presents:

4th Law Enforcement IT Day 2012

Law enforcement and national security depends on adaptation—adaptation to the economy, adaptation to technology and adaptation to criminal methodologies. As budgetary cutbacks become commonplace in the Federal government, creativity in new technology initiatives must take precedence as agencies are increasingly expected to do more with less. Law enforcement agencies and officers will need to use new tools, including, data analytics, secure mobility, biometrics and even social media to more effectively track, detain and prosecute criminals.

AFCEA Bethesda invites you to Law Enforcement IT Day 2012 for a look at how these new technologies and processes are redefining the way law enforcement agencies adapt to budgetary constraints and the evolution of criminal devices and tactics. The event will bring together more than 400 senior government leaders and IT professionals across industry and Federal agencies such as DOJ, DHS, State, Treasury and DOD to foster better communications, share lessons learned and best practices, and identify mission-critical IT issues. It will focus on federal initiatives and programs that harness current and emerging technologies to better protect and improve the safety and security of U.S. citizens.

Register today and benefit from:

Networking opportunities with more than 400 senior executives and IT professionals
Keynote presentations and panel discussions from key stakeholders at critical agencies such as DOJ, FBI, DHS, ICE, CBP, State, and Treasury, among others, responsible for achieving Federal law enforcement objectives through the use of IT
Federal roundtables allow Q&A opportunities to discuss challenges, trends and initiatives between government and industry that will lead to innovation and economic growth
- Topics include: mobile force engagement, mobile security, data analytics, cloud computing, shared services, biometrics, information sharing, cyber defense, cyber incident response and social media as an investigative tool
Program updates from IT program and project managers and Department leaders
Small Business Innovation Luncheon featuring more than 125 small business representatives and systems integrators to look at real and planned set-aside programs throughout the health IT community
Meet one-on-one with Federal program offices such as FBI InfraGard, CJIS, LEO, NIEM PMO and NITAAC to discuss future law enforcement focused information technology opportunities and how the private sector can improve technology requirements
Receive continuing education credits from the Graduate School USA, an independent, educational, not-for-profit that prepares and advance your career in government, private sector and non-for-profit organizations

Wednesday, April 18, 2012

Bethesda North Marriott and Conference Center –

5701 Marinelli Road, North Bethesda, MD 20852

Webinar: Societal security – Emergency management – Requirements for incident response. April 11, 2012.

BEMA is a partner organization of EIPP.

ISO Technical Committee 223 on Societal Security Update

April 11, 2012 -- 12:00 Noon Eastern

In follow up to our last program on emergency management standards, EMForum.org is pleased to host a one hour presentation and interactive discussion Wednesday, April 11, 2012, beginning at 12:00 Noon Eastern time (please convert to your local time). Our topic will be an update on the activities of ISO Technical Committee 223 since our last program during 2008. This past December, ISO announced the publication of a new standard, ISO 22320:2011, Societal security – Emergency management – Requirements for incident response.

Our guests will include Dean Larson, Ph.D., CEM®, Chair of the U.S. Technical Advisory Group and Head of Delegation to Technical Committee 223. Dr. Larson also serves as a Commissioner on the Indiana Emergency Response Commission and chairs the Certified Emergency Manager (CEM®) USA Commission. He is project lead for the development of the first ISO Standard on exercises and testing. Additional certifications include Safety Professional (CSP) and Business Continuity Lead Auditor (CBCLA).

Also joining us will be Orlando P. Hernandez, Senior Specialist with the National Fire Protection Association. Mr. Hernandez has over 20 years of experience conducting and administering Fire and Life Safety Inspection Programs for the State of Texas Fire Marshal's Office and Bexar County. He also has over 16 years of Fire Investigation experience and 6 years of experience as an Emergency Management Coordinator and Incident Management Team responder.

Our final presenter will be Brian Zawada, Co-founder and Director of Consulting for Avalution Consulting, a global firm specializing in business continuity solution design, development, implementation and long-term program maintenance. Mr. Zawada previously served on the ASIS International Technical Committee that authored the new American National Standard on business continuity and currently serves on the US Technical Advisory Group charged with authoring the new family of ISO Societal Security standards, including ISO 22301.
Please make plans to join us, and see the Background Page for links to related resources and the new Instructions. If this will be your first time to participate, you may set up WebEx in advance. On the day of the program you may use the Webinar Login link not more than 30 minutes before the scheduled time.

As always, please feel free to extend this invitation to your colleagues.

EIIP and Jacksonville State University are now partnering to offer CEUs for attending EMForum.org Webinars. See http://www.emforum.org/CEUs.htm for details.

Is your organization interested in becoming an EIIP Partner? Click here to review our Mission, Vision, and Guiding Principles and access the Memorandum of Partnership.

Cybersecurity: Interesting reading. Kingpin

http://kingpin.cc/

KINGPIN: How One Hacker Took Over the Billion-Dollar Cybercrime Underground, by Kevin Poulsen

Former hacker Kevin Poulsen has, over the past decade, built a reputation as one of the top investigative reporters on the cybercrime beat. In Kingpin, he pours his unmatched access and expertise into book form for the first time, delivering a gripping cat-and-mouse narrative—and an unprecedented view into the twenty-first century’s signature form of organized crime.

The word spread through the hacking underground like some unstoppable new virus: Someone—some brilliant, audacious crook—had just staged a hostile takeover of an online criminal network that siphoned billions of dollars from the US economy.

The FBI rushed to launch an ambitious undercover operation aimed at tracking down this new kingpin; other agencies around the world deployed dozens of moles and double agents. Together, the cybercops lured numerous unsuspecting hackers into their clutches…yet at every turn, their main quarry displayed a seemingly uncanny ability to sniff out their snitches and see through their plots.

The culprit they sought was the most unlikely of criminals, a brilliant programmer with a hippie ethic and a supervillain’s double identity. As prominent ‘white hat’ hacker Max ‘Vision’ Butler, he was a celebrity throughout the programming world, even served as a consultant for the FBI. But as the black-hat ‘Iceman,’ he found in the world of data theft an irresistible opportunity to test his outsized abilities. He infiltrated thousands of computers around the country, sucking down millions of credit card numbers at will. He effortlessly hacked his fellow hackers, stealing their ill-gotten gains from under their noses. Together with a smooth-talking con artist, he ran a massive real-world crime ring.

And for years, he did it all with seeming impunity, even as countless rivals fell afoul of police.

Yet as he watched the fraudsters around him squabble, their ranks riddled with infiltrators, their methods inefficient…he began to see in their dysfunction the ultimate challenge. He would stage his coup and fix what was broken, run things as they should be run—even if it meant painting a bullseye on his forehead.

Through the story of this criminal’s remarkable rise, and of law enforcement’s quest to track him down,Kingpin lays bare the workings of a silent crime wave still affecting millions of Americans. In these pages, we watch as a new generation of for-profit hackers cobbles together a criminal network that today stretches from Seattle to St. Petersburg to Shanghai. We are ushered into vast online-fraud supermarkets stocked with credit card numbers, counterfeit checks, hacked bank accounts, dead drops, and fake passports. We learn the workings of the numerous hacks—browser exploits, phishing attacks, Trojan horses, and much more—these fraudsters use to ply their trade, and trace the complex routes by which they turn stolen data into millions of dollars. And, thanks to Poulsen’s remarkable access to both cops and criminals, we step inside the quiet, desperate arms-race law enforcement continues to fight with these scammers today.

Ultimately, Kingpin is a journey into an underworld of startling scope and power, one in which ordinary American teenagers work hand-in-hand with murderous Russian mobsters, in which a simple wi-fi connection can unleash a torrent of gold worth millions.

Article: Critical Infrastructure. Researchers Release New Exploits to Hijack Critical Infrastructure

http://www.wired.com/threatlevel/2012/04/exploit-for-quantum-plc/

By Kim Zetter

April 5, 2012

Categories: Cybersecurity, Stuxnet

The Modicon Quantum programmable logic controller, which is used in critical infrastructure systems, contains common security vulnerabilities that would allow attackers to upload rogue commands to it. Photo: Reid Wightman/Digital Bond

Researchers have released two new exploits that attack common design vulnerabilities in a computer component used to control critical infrastructure, such as refineries and factories.

The exploits would allow someone to hack the system in a manner similar to how the Stuxnet worm attacked nuclear centrifuges in Iran, a hack that stunned the security world with its sophistication and ability to use digital code to create damage in the physical world.

The exploits attack the Modicon Quantum programmable logic controller made by Schneider-Electric, which is a key component used to control functions in critical infrastructures around the world, including manufacturing facilities, water and wastewater management plants, oil and gas refineries and pipelines, and chemical production plants. The Schneider PLC is an expensive system that costs about $10,000.

One of the exploits allows an attacker to simply send a “stop” command to the PLC.

The other exploit replaces the ladder logic in a Modicon Quantum PLC so that an attacker can take control of the PLC.

The module first downloads the current ladder logic on the PLC so that the attacker can understand what the PLC is doing. It then uploads a substitute ladder logic to the PLC, which automatically overwrites the ladder logic on the PLC. The module in this case only overwrites the legitimate ladder logic with blank ladder logic, to provide a proof of concept demonstration of how an attacker could easily replace the legitimate ladder logic with malicious commands without actually sabotaging the device.

The exploits take advantage of the fact that the Modicon Quantum PLC doesn’t require a computer that is communicating with it to authenticate itself or any commands it sends to the PLC – essentially trusting any computer that can talk to the PLC. Without such protection, an unauthorized party with network access can send the device malicious commands to seize control of it, or simply send a “stop” command to halt the system from operating.

The attack code was created by Reid Wightman, an ICS security researcher with Digital Bond, a computer security consultancy that specializes in the security of industrial control systems. The company said it released the exploits to demonstrate to owners and operators of critical infrastructures that “they need to demand secure PLC’s from vendors and develop a near-term plan to upgrade or replace their PLCs.”

The exploits were released as modules in Metasploit, a penetration testing tool owned by Rapid 7 that is used by computer security professionals to quickly and easily test their networks for specific security holes that could make them vulnerable to attack.

The exploits were designed to demonstrate the “ease of compromise and potential catastrophic impact” of vulnerabilities and make it possible for owners and operators of critical infrastructure to “see and know beyond any doubt the fragility and insecurity of these devices,” said Digital Bond CEO Dale Peterson in a statement.

But Metasploit is also used by hackers to quickly find and gain access to vulnerable systems. Peterson has defended his company’s release of exploits in the past as a means of pressuring companies like Schneider into fixing serious design flaws and vulnerabilities they’ve long known about and neglected to address.

Peterson and other security researchers have been warning for years that industrial control systems contain security issues that make them vulnerable to hacking. But it wasn’t until the Stuxnet worm hit Iran’s nuclear facilities in 2010 that industrial control systems got widespread attention. The makers of PLCs, however, have still taken few steps to secure their systems.

“[M]ore than 500 days after Stuxnet the Siemens S7 has not been fixed, and Schneider and many other ICS vendors have ignored the issues as well,” Peterson said.

Stuxnet, which attacked a PLC model made by Siemens in order to sabotage centrifuges used in Iran’s uranium enrichment program, exploited the fact that the Siemens PLC, like the Schneider PLC, does not require any authentication to upload rogue ladder logic to it, making it easy for the attackers to inject their malicious code into the system.

Peterson launched a research project last year dubbed Project Basecamp, to uncover security vulnerabilities in widely used PLCs made by multiple manufacturers.

In January, the team disclosed several vulnerabilities they found in the Modicon Quantum system, including the lack of authentication and the presence of about 12 backdoor accounts that were hard coded into the system and that have read/write capability. The system also has a web server password that is stored in plaintext and is retrievable via an FTP backdoor.

At the time of their January announcement, the group released exploit modules that attacked vulnerabilities in some of the other products, and have gradually been releasing exploits for other products since then.