Many state and local networks and IT systems are unprepared for cyberattacks, as the CIOs overseeing them struggle to make do with strained budgets and static or shrinking staffs.
The results of a recent survey by Consero of chief information officers of states, counties, cities and towns are hardly surprising, but hardly comforting, either.
“I wasn’t shocked by anything, but I was disturbed by the cybersecurity numbers,” said Paul Mandell, CEO of the company, which conducted the survey of public IT officials in February. “The numbers were troubling.”
The survey contains results from only 36 officials, and Mandell acknowledges that they are anecdotal rather than statistically significant. But the respondents represent a small cross section of state and local government, with CIOs from states including Oklahoma and Idaho; counties from Riverside Co., Calif., to Prince William, Va.; cities from San Diego to Rochester, N.Y.; and agencies from the Wyoming DOT to the Fire Department of New York.
“There was quite a bit of frustration and concern about the need to do what had to be done and the inability to get the resources they need,” Mandell said of the gathering.
That frustration is reflected in the CIOs’ strategic planning goals. Fifty-five percent of respondents said their greatest impediment to doing their jobs is a lack of financial resources, and the top priority for 41 percent was simply working within budgetary constraints.
As a result of these pressures, 44 percent said that their IT infrastructure is not adequately prepared for cyberattacks, and 28 percent said they had experienced a security breach in the last 12 months. It is tempting to say that the 56 percent who feel they are adequately protected and the 72 percent who have not been attacked are being overly optimistic. With no uniform requirements for state and local government to report breaches, it is impossible to say what the actual level of malicious activity in their systems is.
The officials at the Consero conference were looking for more than a sympathetic ear to share troubles, Mandell said. They were looking for strategies to improve their lot. “The focus was on communication,” he said, “bridging the gap between their needs and the level of knowledge in those making budgetary decisions.”
Bridging that gap is not easy. The politicians who hold the purse strings do not want to be lectured by techies about routing tables and deep packet inspection. It turns out that those CIOs who are best at advocating for their budgets are not necessarily those who are best versed in the bits and bytes of their systems, but those with experience in the business world who use their well-learned politesse in dealing with the establishment.
One bright spot in the survey is that the lines of communication are open. State and local CIOs report to a variety of officials, including chief financial officers, boards of commissioners and city managers, but 86 percent of them felt that they had sufficient access to executive leadership.
That’s a start.
Posted by William Jackson on May 15, 2013 at 9:39 AM
Leo Scanlon, chief information security officer of the National Archives and Records Administration, has an information security question for federal CIOs: “Are you satisfied that where you are is good enough? Do you understand the risk?”
Too often, he says, federal C-level officials do not know if their security is adequate because they do not understand the risks they face and what the risk tolerance of their agencies should be. And too often, they are content to remain that way.
The issue of understanding and managing IT risk takes on greater significance with the growing emphasis on automating security. Security professionals, system administrators and agency executives have been fighting a battle over IT security vs. regulatory compliance since the passage of the Federal Information Security Management Act of 2002. Critics of the act — or at least of how it has been implemented — say that an emphasis on grading agency performance based on compliance scores has undermined efforts to improve security. With the introduction of tools to monitor systems, respond to incidents and report on status, there is a chance to finally settle the battle in favor of security.
The question, said Scanlon, is “are we going to automate compliance or automate risk management?”
Speaking at a cybersecurity conference hosted by (ISC)2, Scanlon said that FISMA was never intended to be about compliance. The opening paragraphs of the act spell out that its intent is to “provide a comprehensive framework for ensuring the effectiveness of information security controls,” and “. . . provide effective governmentwide management and oversight of the related information security risks . . . .”
So why the emphasis on paperwork and reporting rather than managing risk over the last 11 years? Compliance is easier to measure. Reports from auditors and inspectors general have given congressional overseers an easy way to grade agencies, either with an A, B . . . F report card or a green-yellow-red dashboard.
The C-level executives who must report to Congress have embraced this. Their approach to IT security, Scanlon said, is, “get the IG off my back.”
Al Seifert, CEO of MSB Cybersecurity and formerly security officer for the Defense Department’s Global Command and Control System, called FISMA a “noble endeavor” that has not fulfilled its promise.
“We are not collecting the metrics we need to ensure that our security is working,” he said. “Everybody fears the auditor.”
Security automation still is rudimentary and focused on compliance reporting, Seifert said. But the technology exists to do better. The Homeland Security Department’s Cyberscope reporting system and the growing list of commercial tools that support the Security Content Automation Protocol make it possible to focus on real risk rather than merely playing the compliance game.
Risk management ultimately is a business decision that must be made at the CIO or CEO level of an agency, not by the IT people in the security shop, Scanlon said. Because security is not perfect, the level of acceptable risk must be determined based on an agency’s business and mission needs. Then it is up to the security people to manage that risk.
Posted by William Jackson on May 09, 2013 at 9:39 AM
Unified communications—bundling all communications channels on a single IP platform—offers the promise of simplified IT management and cost savings, because an enterprise has to maintain and manage a single network rather than separate networks for voice and data. But as voice becomes just another data service, phones are being increasingly exposed to threats from the Internet.
Denial of service attacks against phone systems, or TDOS, have become more frequent in the past two years, and a report from SecureLogix on Voice and Unified Communications predicts that the problem is likely to get worse before it gets better.
“In the future, these attacks will be much more severe,” the company warns. “By simply generating more calls or using more entry points to the UC network, many more calls can be generated, resulting in a very expensive attack or one which degrades the performance of a contact center, rendering access unavailable to legitimate callers.”
It should be noted that, as a provider of TDOS mitigation services, SecureLogix has a horse in this race and might not be 100 percent objective. But it is hard to deny the problem.
Earlier this year the Homeland Security Department alerted government emergency communications centers after a rash of phone DOS attacks flooding public safety answering points in an apparent attempt to extort money. As early as 2010 the FBI warned that TDOS apparently was being used as a diversion for more serious crimes, and last year researchers at Arbor Networks reported hackers advertising TDOS-as-a-service.
What is new, or at least changing, is the growing ease of launching such attacks. Free software is available to automatically generate robocalls, and VOIP-aware botnets can generate massive numbers of calls from many locations, making the distributed attacks harder to spot.
“On the origination side, the public voice network looks more like the Internet every day from a call generation point of view,” the report says, making it easy for an attacker to generate floods of calls. “This change is accelerating and is out of the control of the enterprise.”
On the receiving side, when an enterprise has integrated its voice systems into its data network, phones become one more entry point for attackers. And even if phones are not plugged into the network, phone DOS attacks can tie up customer services, cut off phone service, and leave the agency vulnerable to fraud and blackmail.
There is little an agency can do to keep attackers from launching attacks. But as a potential target, phone DOS is one more problem to keep in mind. If your voice system is integrated into your data network, remember that VOIP needs to be managed like all other services. And if it is not in your data network, bear in mind that your phone system still is a critical communications link that should be monitored like other links. Pay attention to volume and capacity and be aware of unusual patterns that degrade your quality of service or even shut it down completely. Ensure that your analysts, service providers and security providers are ready to identify and track these activities and have the ability in place to block malicious traffic.
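The monitoring advice above, volume, capacity and unusual call patterns, as an added illustration that is not part of the original post: a small analyser that buckets call detail records by minute, flags a spike in attempts, labels it as distributed when nearly every attempt comes from a different caller ID, and computes peak concurrency against an assumed trunk count so that trunk exhaustion (legitimate callers shut out) is reported. The CDR format, the baseline rate and the trunk capacity are assumptions for the example.

```python
from collections import defaultdict

# Constructed sample CDR lines: "start_seconds,caller_id,duration_seconds".
# Minute 0 is a normal contact-center load; in minute 2 a flood of calls from
# many distinct (robocall-style) numbers arrives and ties up every trunk.
SAMPLE_CDR = (
    [f"{i * 6},+1202555{i:04d},120" for i in range(10)]
    + [f"{120 + i},+1900555{i:04d},60" for i in range(60)]
)


def analyse_cdrs(lines, baseline_per_min=10, spike_factor=5, trunks=30):
    """Return per-minute spike alerts plus peak concurrency vs trunk capacity."""
    per_minute = defaultdict(list)
    events = []  # (time, +1 call starts / -1 call ends) for a concurrency sweep
    for line in lines:
        start, caller, dur = line.split(",")
        start, dur = int(start), int(dur)
        per_minute[start // 60].append(caller)
        events.append((start, 1))
        events.append((start + dur, -1))

    # Sort ends (-1) before starts (+1) at the same instant so a trunk freed
    # at time t is available to a call starting at t.
    events.sort(key=lambda e: (e[0], e[1]))
    live = peak = 0
    for _, delta in events:
        live += delta
        peak = max(peak, live)

    alerts = []
    for minute in sorted(per_minute):
        callers = per_minute[minute]
        attempts, distinct = len(callers), len(set(callers))
        if attempts >= baseline_per_min * spike_factor:
            # Many distinct caller IDs suggests a distributed flood, which is
            # harder to block by number than a single abusive source.
            pattern = "distributed" if distinct / attempts >= 0.9 else "single-source"
            alerts.append({"minute": minute, "attempts": attempts,
                           "distinct_callers": distinct, "pattern": pattern})

    return {"peak_concurrent": peak, "trunks_exhausted": peak >= trunks,
            "alerts": alerts}


if __name__ == "__main__":
    print(analyse_cdrs(SAMPLE_CDR))
```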
Posted by William Jackson on May 06, 2013 at 9:39 AM
We are living in a world of increasingly smart devices. Not really intelligent; just smart enough to be dangerous.
As more devices become IP-enabled, they contribute to the pool of things that can be recruited into botnets or other platforms used for distributed attacks. Distributing an attack makes it more difficult to trace its source and also makes it easier to overwhelm a target. In the past year, distributed denial of service has become the attack of choice for activists and blackmailers.
Prolexic, a DDOS security company, has published a white paper on Distributed Reflection Denial of Service (DrDOS) attacks that focuses on a handful of protocols, including the Simple Network Management Protocol. SNMP is an application layer (Layer 7) protocol commonly used to manage devices with IP addresses.
“Unlike other DDOS and DrDOS attacks, SNMP attacks allow malicious actors to hijack unsecured network devices — such as routers, printers, cameras, sensors and other devices — and use them as bots to attack third parties,” the report points out.
This is a concern not only because it increases the number of possible devices that can be compromised, but also because remote devices such as printers and sensors of every kind often are less likely to be properly managed and secured, leaving them open to exploit.
For public-sector agencies, this can include such devices as sensors used in weather observations, control valves at power plants, door locks in prisons, traffic signals and any number of other connected devices. A search engine such as Shodan can reveal those connected devices, many of which are completely without security.
SNMP uses the User Datagram Protocol, a stateless protocol that is subject to IP spoofing. A reflection DOS attack using SNMP is a type of amplification attack, because an SNMP request generates a response that typically is at least three times larger. Boiled down to its basics, an attacker can port-scan a range of IP addresses to identify exploitable SNMP hosts. The attacker then sends SNMP requests to these hosts using the spoofed IP address of the target server, and the hosts’ replies saturate the target’s bandwidth, making it unavailable.
“The raw response size of the traffic is amplified significantly,” the report says. “This makes the SNMP reflection attack vector a powerful force.”
The best way to protect yourself from being shanghaied into such an attack is to identify all of the devices accessible on your network, whether or not they appear to be sensitive, and properly manage them. Prolexic offers a list of mitigations in its paper.
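The reflection mechanics described above (spoofed UDP requests to port 161, replies several times larger than the requests), turned into a defender's check over flow records, as an added example that is not from the Prolexic paper or the original post: it groups SNMP replies by the address that receives them, counts how many distinct devices answered and compares reply bytes to the request bytes that address appears to have sent. Many reflectors plus a high byte ratio flags either a victim being flooded or our own devices being abused as reflectors. The NetFlow-style record format, the addresses and the thresholds are assumptions for the example.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample flow records: "src_ip,src_port,dst_ip,dst_port,bytes".
# 192.0.2.7 is the spoofed address of the target; 198.51.100.11-14 are
# SNMP-enabled devices (printers, sensors) on our network; 198.51.100.2 is the
# legitimate management station polling two of them.
SAMPLE_FLOWS = []
for dev in ("198.51.100.11", "198.51.100.12", "198.51.100.13", "198.51.100.14"):
    SAMPLE_FLOWS.append(f"192.0.2.7,40001,{dev},161,80")      # spoofed GetBulk
    SAMPLE_FLOWS.append(f"{dev},161,192.0.2.7,40001,1400")    # large reply
for dev in ("198.51.100.11", "198.51.100.12"):
    SAMPLE_FLOWS.append(f"198.51.100.2,50000,{dev},161,90")   # normal poll
    SAMPLE_FLOWS.append(f"{dev},161,198.51.100.2,50000,110")  # small reply


@dataclass
class ReflectionVerdict:
    receiver: str          # address being flooded with SNMP replies
    reflectors: int        # distinct devices answering it
    request_bytes: int     # bytes the receiver "sent" to those devices (spoofed)
    response_bytes: int    # bytes the devices sent back
    amplification: float   # response / request byte ratio


def find_snmp_reflection(lines, min_reflectors=3, min_ratio=3.0):
    """Flag receivers with many SNMP reflectors and an amplified byte ratio."""
    requests = defaultdict(int)   # (requester, device) -> bytes to UDP/161
    responses = defaultdict(int)  # (receiver, device)  -> bytes from UDP/161
    for line in lines:
        src, sport, dst, dport, nbytes = line.split(",")
        if int(dport) == 161:
            requests[(src, dst)] += int(nbytes)
        elif int(sport) == 161:
            responses[(dst, src)] += int(nbytes)

    per_receiver = defaultdict(lambda: {"devices": set(), "req": 0, "resp": 0})
    for (receiver, device), nbytes in responses.items():
        entry = per_receiver[receiver]
        entry["devices"].add(device)
        entry["resp"] += nbytes
        entry["req"] += requests.get((receiver, device), 0)

    verdicts = []
    for receiver, entry in per_receiver.items():
        # No observed request at all (replies only) is treated as infinite gain.
        ratio = entry["resp"] / entry["req"] if entry["req"] else float("inf")
        if len(entry["devices"]) >= min_reflectors and ratio >= min_ratio:
            verdicts.append(ReflectionVerdict(receiver, len(entry["devices"]),
                                              entry["req"], entry["resp"], round(ratio, 1)))
    return sorted(verdicts, key=lambda v: v.response_bytes, reverse=True)
```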
Remote management of and access to otherwise dumb devices can be a great convenience, but the trade-off is that it adds to the list of things that must be managed and secured.
Posted by William Jackson on May 03, 2013 at 9:39 AM