An optimistic scorecard estimates that federal agencies will meet 95 percent of the administration’s high-priority cybersecurity goals by the end of fiscal 2014, but agencies still have a strong climb remaining in the face of increasing budget uncertainties.
Although the current budget sequester might not have a big impact on recent initiatives to secure critical infrastructure, where the government is playing an advisory role, cybersecurity operations within agencies are likely to take their share of the hit from the across-the-board cuts. How big those cuts will be remains to be seen, but when agencies are struggling just to keep up with a growing surge of cyber threats, it will not be easy to actually make improvements.
The Cross-Agency Priorities are an attempt to bring some order to federal cybersecurity efforts, incorporating milestones into Federal Information Security Management Act reporting metrics and identifying officials to be held accountable. The goals are strong authentication (the use of PIV Cards for physical and logical access control), the Trusted Internet Connections (TIC) program, and continuous monitoring of IT systems. Agency officials will work with interagency groups that include the President’s Management Council, the Performance Improvement Council and the Federal CIO Council.
Based on FISMA reporting for fiscal 2012, the administration estimates 95 percent success by the end of fiscal 2014. But as of the first quarter of fiscal 2013, only TIC consolidation was in the green, with an 84 percent completion rate. The strong authentication and continuous monitoring efforts both were in the red at 57 percent and 78 percent, respectively. The overall scores for the priorities actually dropped from 76.82 percent in the last quarter of fiscal 2012 to 75.87 percent in the first quarter of 2013, a drop ascribed in the report to “adjustments and improvements to measurement methodology.”
The effort to prioritize cybersecurity initiatives with milestones and deadlines is worthwhile. But considering how long the TIC, PIV and continuous monitoring initiatives have been in place, the race to the finish is looking more like a slog than a sprint.
Indiscriminate budget cuts are not going to help progress in an environment in which security officials have to run as fast as they can just to keep up. If Congress cannot match budget to operational priorities, don’t expect to see a lot of progress in the next two years.
Posted by William Jackson on Mar 07, 2013 at 9:39 AM
One topic that was notable by its absence at this week’s RSA Conference in San Francisco was the widespread economic and military espionage being conducted by China. It’s not that the subject wasn’t mentioned, but it was just background and not news. Everyone in the security community accepted long ago that the Chinese are going online to steal intellectual property and other sensitive data.
The current mantra in security is that it is “when” and not “if” your IT systems will be breached, and two paths to cybersecurity are emerging. Although many cybersecurity practitioners say, “forget the attacker and focus on the risk,” there also is a growing consensus that sophisticated cyber espionage must be met with political and economic responses.
In his opening keynote at the conference, RSA’s executive chairman Art Coviello called for the speedy adoption of next-generation intelligence-based cybersecurity that would leverage big data by extracting meaning from growing masses of unstructured data.
“Collectively, we’re not winning,” he said of the growing threat from rival nations. “But we haven’t lost yet, either.”
Although attributing attacks is important, it is not necessary in defending systems, he said. What is necessary is automation to monitor conditions and activity on systems, and standards to enable analysis and correlation of data to recognize and identify threats. The assumption that breaches will occur means that priorities must shift from stopping penetration at a perimeter to dealing with bad actors who already are on the inside. Vendors on the showroom floor at the conference already are integrating big data analysis in their security offerings to help do this.
On the other hand, there is awareness that technology alone will not solve the problem and that government must take a hand in responding to attacks from nation states, although not necessarily militarily. Attributing a given attack to a specific individual or organization is not necessary, proponents say. When a problem has been going on for years, “everybody knows” who is behind it and that is enough for the diplomats and policy makers to take action.
In the case of China, there is a global acceptance that the nation is engaged in cyber espionage. But some set of international norms for behavior in cyberspace is needed to enable this type of pressure. China does not have to admit that it has been hacking our computers in order for diplomatic pressure and economic sanctions to have an impact on its behavior. Warnings that its behavior is outside the pale could be effective, once that pale is established.
This type of pressure would not work at cyber speed and does not eliminate the need for IT security, warned Jim Lewis, cybersecurity program director at the Center for Strategic and International Studies. “You really have to keep drilling on them,” he said. “This is a process that will take several years of constant pressure.”
Unfortunately that process has not yet really begun. “Most of our policy is aimed at stopping penetration,” a battle that recent history has shown we cannot win, said Scott Borg, director and chief economist of the U.S. Cyber Consequences Unit. Focusing on defenses from the inside and dealing with the economic drivers for cyber espionage will require policy makers to have a technical understanding that they now lack.
Making a beginning in cyber diplomacy will require replacing some wonks with geeks, Borg said. Some of the Silicon Valley types will have to trade their t-shirts and sneakers for wingtips and ties on Capitol Hill. “Cybersecurity professionals should seize cyber policy,” he said.
Posted by William Jackson on Mar 01, 2013 at 9:39 AM
“It was only a matter of time,” the security company Mandiant said about recent phishing attacks using its report on Chinese hacking as bait.
Mandiant released its report, “APT1: Exposing One of China’s Cyber Espionage Units” on Feb. 18, focusing on the activities of a group that the company says is responsible for a cyber espionage campaign against a broad range of Western companies and governments over the last seven years. The report immediately attracted worldwide attention, not all of it benign. Within two days, two apparently unrelated phishing attacks were identified using the report as bait.
“We are currently tracking the threat actors behind the activity and have no indication that APT1 itself is associated with either variant,” Mandiant wrote in its response. “Mandiant has not been compromised.”
The first attack, reported by Symantec, appears to be aimed at Japanese targets with an e-mail attachment titled “Mandiant.pdf.” When opened, the attachment displays the first page of the report, but it also delivers malicious code exploiting a vulnerability in Adobe Reader. A patch for the vulnerability was released Feb. 20. The malware communicates with a command and control server hosted in Korea.
The second attack was identified by researcher Brandon Dixon and targets Chinese journalists with an attachment titled “Mandiant_APT2_Report.pdf.” When opened, it exploits another Adobe Reader vulnerability. The malicious code connects to a domain associated with earlier attacks against human rights activists.
The attacks are another example of how phishing is being tailored to specific targets. Scammers have often exploited viral Internet topics in wide-scale phishing scams, trying to lure people into clicking on malicious links that purportedly related to Steve Jobs’ death, an on-court outburst by tennis star Serena Williams or photos of Osama bin Laden. Now, targeted spear-phishing attacks are being used against journalists reporting on a report about hacking.
The advice is old, but bears repeating: Be careful opening attachments. Hashes for the malicious PDF files are available on the report blogs. The hash for the genuine report is available from Mandiant’s download site. If you’d like to read the report, download it yourself. Don’t wait for someone to e-mail it to you.
Posted by William Jackson on Feb 25, 2013 at 9:39 AM
I recently had to have my computer disinfected, which was frustrating. My firewall is up, I keep my antivirus up to date, I’m cautious about opening e-mail and don’t click indiscriminately on links. But something got through.
A new report from Lastline, a security company that focuses on advanced malware, offers some insight into a new technique used by black hat writers to escape detection by having their code do busywork in a security sandbox until it is allowed out.
It should be noted that Lastline has a dog in this fight and is offering a solution to counter this new threat. But the information is still interesting.
A sandbox is a virtual environment with its own guest operating system where intercepted incoming code can be observed. If it acts maliciously or suspiciously, it can be tossed out. Observing behavior of code in a sandbox should detect and block malware regardless of whether the code or the vulnerability it exploits is already known.
The challenge for attackers, then, is to outwit the sandbox. They do that with environmental checking; malware might check for the presence of a virtual machine or it might query well-known registry keys or files that indicate a sandbox. Other malware authors instruct their malware to sleep for a while, waiting for the sandbox to time out.
Security vendors have countered by looking for behavior such as queries for registry keys and by forcing sleeping code to wake up.
The latest trick by malware writers is what Lastline calls stalling code. It delays the execution of the malicious code inside a sandbox and instead performs a computation that appears legitimate, rather like an intruder avoiding notice by carrying a clipboard through an office. Once the sandbox has timed out, the evasive malware is free to execute.
This is not the ultimate malware; evasive techniques can be countered by better sandboxes. Also, these techniques are no good if the vulnerabilities being exploited have been patched or if the signature of the code is known. Although signature-based detection has been shown to be an inadequate defense by itself, it still works well when it works. (We’ll look later at why it doesn’t always work.)
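To make the three evasion patterns and the vendor countermeasures concrete, here is an added example (not Lastline’s product or any code from the original column) of how a sandbox monitor could post-process a run’s event trace: it flags environment probes, sleeps long enough to outlast the analysis budget, and “busywork” CPU bursts that produce no observable behavior, then lists what the sandbox should change before re-running the sample. The trace format, thresholds, artifact list and sample traces are all constructed assumptions.

```python
import re
from dataclasses import dataclass, field

# Assumed (constructed) monitor settings: analysis budget (ms), minimum CPU-burst length that
# counts as busywork (ms), and the syscall rate below which a burst is considered "doing nothing".
SANDBOX_TIMEOUT_MS, STALL_WINDOW_MS, STALL_MAX_SYSCALLS_PER_SEC = 120_000, 30_000, 5
SANDBOX_ARTIFACTS = {r"HKLM\SOFTWARE\VMware, Inc.\VMware Tools",      # illustrative VM fingerprints,
                     r"C:\Windows\System32\drivers\vmmouse.sys"}      # not an exhaustive list
TRACE_RE = re.compile(r"^t=(\d+)ms (\w+) (.*)$")  # constructed trace line format

@dataclass
class Verdict:
    env_probes: list = field(default_factory=list)   # environmental checking
    sleep_ms: int = 0                                # waiting out the sandbox timeout
    stall_windows: int = 0                           # stalling code: long CPU bursts, no I/O
    behaviour: list = field(default_factory=list)    # anything actually observable

    def countermeasures(self):
        steps = []
        if self.env_probes: steps.append("hide-artifacts")                   # answer probes like bare metal
        if self.sleep_ms >= SANDBOX_TIMEOUT_MS: steps.append("skip-sleeps")  # force sleeping code awake
        if self.stall_windows: steps.append("extend-budget")                 # don't time out on busywork
        return steps

def analyse(trace_lines):
    """Summarise one sandbox run and flag the three evasion patterns described above."""
    v = Verdict()
    for line in trace_lines:
        m = TRACE_RE.match(line.strip())
        if not m: continue                                  # ignore malformed lines
        _, event, detail = m.groups()
        if event in ("reg_query", "file_stat") and detail in SANDBOX_ARTIFACTS:
            v.env_probes.append(detail)
        elif event == "sleep":
            v.sleep_ms += int(detail)
        elif event == "cpu_burst":                          # detail is "dur=<ms> syscalls=<n>"
            dur, calls = (int(x) for x in re.findall(r"\d+", detail))
            if dur >= STALL_WINDOW_MS and calls * 1000 < STALL_MAX_SYSCALLS_PER_SEC * dur:
                v.stall_windows += 1
        elif event in ("net_connect", "file_write", "proc_create"):
            v.behaviour.append(f"{event} {detail}")
    return v

# Constructed sample traces: a stalling dropper and a noisy but honest installer.
STALLING_TRACE = ["t=0ms reg_query HKLM\\SOFTWARE\\VMware, Inc.\\VMware Tools",
                  "t=10ms cpu_burst dur=60000 syscalls=2",
                  "t=60010ms sleep 130000"]
BENIGN_TRACE = ["t=0ms file_write C:\\Program Files\\Example\\app.exe",
                "t=5ms cpu_burst dur=2000 syscalls=400",
                "t=2005ms net_connect updates.example.com"]
```

A non-empty `countermeasures()` list is the signal to re-run the sample with a less recognisable, more patient sandbox rather than to clear it on the strength of a quiet first run.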
But it is a reminder that what the mind of one man can achieve, another can overcome. No attack and no defense is perfect, and the battle goes on.
Posted by William Jackson on Feb 22, 2013 at 9:39 AM