Is limiting damage the best hope for cybersecurity?

When it comes to cybersecurity, government defenses tend to be measured against broad threats such as cyberespionage and possible nation state attacks on the country’s critical infrastructure. As recent studies show, however, that focus may be a bit wayward.

Symantec’s 2014 Internet Security Threat Report shows yet again why it’s the smaller, oft-used threats that likely remain the biggest problem for agencies. Those have grown in number, but also continue to evolve in response to the development of better defenses.

Spear phishing, for example, was a major problem in the past but had been seen as diminishing as other threats grew and took up more of organizations’ attention. Not so, according to Symantec, which called reports of the death of spear phishing “greatly exaggerated.” In fact, while the total number of emails used per phishing campaign decreased, along with the number of targets, the total number of campaigns almost doubled in 2013.

This ‘low and slow’ approach (campaigns also ran three times longer than those in 2012) is a sign that user awareness and protection technologies have driven spear phishers to tighten their targeting and sharpen their social engineering, Symantec said.

The even worse news? Government is in the top three targets for these kinds of attacks, the report said, with odds of 1 in 3.1 that at any given time a government employee is being subjected to a phishing attack (though, admittedly, the method they used to come up with that ratio is a little fishy!).

The rest of the Symantec report is not more hopeful, and its conclusions make for scary reading:

  • More zero-day vulnerabilities were discovered in 2013 than in any other year; in fact, 2013 registered more of them than the previous two years combined.
  • Ransomware attacks, where perpetrators pretend to be local law enforcement demanding payment of fake fines, grew by 500 percent in 2013 and “turned vicious.”
  • There was explosive growth of scams and malware attacks via mobile media in 2013, though the prevalence of those is still relatively low.
  • Users continue to fall for scams on social media sites, and the fear is that this behavior will have even worse consequences as the activity migrates to mobile devices.
  • Attackers are now turning to the Internet of Things. With device manufacturers so far not paying much attention to security, the onus falls on the user, which surely has attackers salivating at the prospects. As Symantec said, there’ll be a huge increase in data because of the IoT, and “big data is big money.”

The latest illustration of the potential for attackers came with the revelation on April 7 of the so-called OpenSSL Heartbleed bug, a vulnerability that had existed in the OpenSSL 1.0.1f standard for a couple of years but that had only recently been patched.

Some high-profile sites had apparently been open to leaking information because of the bug, including the FBI’s main site. OpenSSL is a widely used SSL library, and is the basis for a lot of data encryption across the Web.

Looking ahead, Symantec makes a salient point: Even though better cooperation between law enforcement and industry is making it increasingly difficult for cyber criminals to operate, this won’t make them stop. Instead, Symantec said, e-crime is likely to move toward a new and more professional model.

That’s in line with other recent reports. As this blog recently pointed out, not only are cyber criminals becoming more professionalized, the market for the attack tools they use is also proliferating, ramping up the threats posed by a profit-based, market-driven business.

It may be tempting for those in government to throw up their hands and concede defeat. How is a ponderous and slow-turning ship like the government supposed to compete against the nimble and light-footed criminal set?

The easy answer is that it can’t. There’s no way a bureaucratic and budget-constrained organization like the government, or its agencies, can compete at that level. But it can instill a mindset that will drive government responses to cybersecurity, and even that has been missing, until recently.

The champion in this case is the National Institute of Standards and Technology, a non-regulatory body that has been pushing for a risk-based framework for cybersecurity that emphasizes limiting damage from attacks rather than trying to prevent them completely.

That approach has been adopted by the Department of Homeland Security, and private industry is also increasingly taking it up. Earlier this year, the National Association of State Chief Information Officers (NASCIO) said it was adopting NIST’s framework, which “provides states with a common platform on which to base strategic security decisions, allocate resources and build defenses against both common and sophisticated attacks.”

The final leg in the stool came with the decision by the Defense Department a few weeks ago, after several years of negotiation and discussion, to adopt NIST’s risk management framework as the basis of its cyber defense. With that, there is now a common language that all levels of government and the private sector can use to define and coordinate their cybersecurity efforts.

It won’t stop cyber criminals getting into government systems, and breaches will continue. But it provides a foundation for something that could, finally, provide a resilient defense.

Posted by Brian Robinson on Apr 11, 2014 at 7:55 AM

Making IT security a priority at VA

If a demonstration is needed that security is a process, not a product, and that it depends on management, not technology, the Veterans Affairs Department provides it.

The Government Accountability Office recently recited to a House panel a litany of weaknesses in the sprawling department’s struggling IT security program. The VA inspector general has identified development of an info security program as a “major management challenge,” and auditors have flagged inadequate security controls in financial systems as a material weakness for 12 years. GAO warnings date back to 1998, and it has reported consistent weaknesses in security control areas at VA since 2007.

“The persistence of similar weaknesses over 16 years later indicates the need for stronger, more focused management attention and action to ensure that VA fully implements a robust security program,” Gregory Wilshusen, GAO’s director of information security issues, told a House VA oversight subcommittee on March 25.

In an effort to refocus management attention, Rep. Jackie Walorski (R-Ind.) on April 2 introduced a bill, H.R. 4370, to “improve the transparency and the governance of the information security program of the department.” The contents of the bill are not yet available, but Walorski said in a statement that it would provide “a clear roadmap for immediately securing its system.”

The department’s security shortcomings have been so consistent for so long that they merit attention. The size of the department and the scope of its mission make it one of the greatest IT security challenges in government. VA operates the nation’s largest healthcare system, providing healthcare for about 6 million veterans, administers financial benefits for millions more and manages veterans’ graves all across the country.

In June last year, the House VA Oversight and Investigations Subcommittee recommended designating the VA network a “compromised environment,” and said that VA should establish controls to reclaim it, “from nation state sponsored organizations.”

Department CIO Stephen W. Warren, in a November 2013 letter to subcommittee Chairman Rep. Mike Coffman, responded that “VA has in place a strong, multi-layered defense to combat evolving cybersecurity threats, including monitoring by external partners and active scanning of Web applications and source code.”

But from January 2010 through October 2013, more than 29,000 possible data breaches were reported by VA. In his letter, Warren noted that “virtually all of VA’s data breaches are paper-based, equipment loss or unencrypted e-mailing of sensitive information.”

VA is addressing the equipment loss issue by encrypting laptops and desktops, which began last year in conjunction with the department’s upgrade to the Windows 7 OS. Warren reported that as of Oct. 29, 87 percent of the computers, more than 330,000 systems, were running Windows 7 and most of the rest were expected to be upgraded by the end of January 2014. He noted, however, that some pockets were likely to remain due to what he called “blocker” applications, “applications that are not compatible with Windows 7 and have not yet been replaced.”

Whether Congress will be able to significantly improve VA’s cybersecurity with new legislation remains an open question. Wilshusen, in last month’s testimony to the subcommittee, said that “many of the actions and activities specified in the bill are sound information security practices and consistent with federal guidelines. If implemented on a risk-based basis, they could prompt VA to refocus its efforts on steps needed to improve the security of its systems and information.”

But he cautioned that security should be risk-based and not based on technology requirements that could quickly become outdated.

Posted by William Jackson on Apr 04, 2014 at 9:26 AM

Can government's cyber defense withstand a market-driven offense?

Cybersecurity more and more resembles nothing less than old-fashioned warcraft, with both sides confident in the weaponry they have and in their ability to either penetrate or defend borders. As the threat of cyberconflicts ratchets up, the two modes of warfare seem at times to be getting chillingly similar.

The latest expression of confidence came from Defense Secretary Chuck Hagel, who on March 28 spoke to an audience at the National Security Agency headquarters to mark the retirement of Gen. Keith Alexander, the head of both the NSA and the U.S. Cyber Command.

The Pentagon is well on its way to building a modern cyberforce, he said, which will be 6,000 strong by 2016.

The force will improve the U.S. ability to “deter aggression in cyberspace, deny adversaries their objectives,” and defend the country from cyberattacks. At the same time, however, he pointed out the “proliferation of destructive malware” that is being used to constantly, and aggressively, probe and disrupt networks.

More confidence shone through in a recent report that surveyed IT and security professionals in both the military and civilian agencies. Nearly all of them, some 94 percent, rated their own agency’s cybersecurity readiness as either good or excellent, saying they feel they have the right tools, processes and policies in place.

(Well, OK, the survey also found that 9 percent of the respondents were unsure whether there even were cyberthreats that affected their agency.)

Perhaps of most interest, though, was what kinds of threats they considered the most serious. Insider threats, which until relatively recently were seen as the greatest, have fallen behind those from “external hacking,” even in the age of Wikileaks and Edward Snowden.

In fact, of the six top threats, insiders come in fifth, behind external hacking, malware, social engineering and SPAM, and just ahead of distributed denial of service.

Where do the bad guys come out in all of this? It’s no secret they’ve become much more sophisticated in their ability to get on the inside of networks, but a report from the RAND Corp., Markets for Cybercrime Tools and Stolen Data, shows also just how professionalized and extensive their ability has become.

The black and gray markets for hacking tools and services, and for the ill-gotten gains they produce, are expanding and growing in complexity, the RAND report said. What was once a varied landscape of discrete, ad hoc networks of individuals motivated by little more than ego and notoriety, it said, “has emerged as a playground of financially driven, highly organized, and sophisticated groups.”

Adding to the complexity for government defenders are the rapidly emerging and highly secretive markets for zero-day vulnerabilities, RAND said, which are available in both licit and illicit markets.

The potential impact of these market-driven tools was seen in the 2013 attack on Target stores, which was confirmed earlier this year. The malware used for that was a tailored version of the “BlackPOS” malware, which according to writer Brian Krebs was available on the black market for the low, low price of $1,800 to $2,300.

Of course, Target seems to have screwed up in so many ways in its own security. A report from the Senate Committee on Commerce, Science and Transportation lays it out in excruciating detail.

Nevertheless, it all makes a point. The business of creating malware and other tools to attack US networks and infrastructure now really is a business, with all of the profit-based energy and innovation that brings with it. Add the even more focused abilities of nation states, and the threat industry is vibrant.

Hagel and others are confident that government has the ability to withstand it. Are they right?

Posted by Brian Robinson on Mar 31, 2014 at 12:12 PM

When software development produces a lemon, make lemonade

In January 2002, Microsoft’s Bill Gates—then chairman—sent out his trustworthy computing memo, spurred by a growing wave of dissatisfaction about the security failures of the company’s operating systems and applications. As a result of past failures, Microsoft has helped to change the way we think about software development.

The late 1990s and early 2000s were difficult times in Microsoft security. A major vulnerability in the Universal Plug and Play feature of Windows XP was found just months after the release of the OS in 2001. In January 2002 the Electronic Privacy Information Center in Washington sent a letter to state attorneys general complaining of the lack of privacy controls in Microsoft’s Passport, Wallet and .Net services.

“I remember at one point our local telephone network struggled to keep up with the volume of calls we were getting,” Matt Thomlinson, vice president of security for Microsoft, said of the impact of the XP bug in an online history of Microsoft’s security initiative. “We actually had to bus in engineers, many of whom were working on the next version of Windows, from their offices around campus to the call center. We needed every person available to talk to customers and walk them through how to get their systems cleaned.”

On Feb. 1, 2002, Richard Purcell, head of Microsoft’s corporate privacy office, announced in Washington a month-long moratorium on new coding.

Gates, Purcell told the audience at a privacy and data security conference, “is really annoyed by the incredible pain we put everyone through in computing.” As a result, “we are not coding new code as of today for the next month,” he said. The company instead would spend the time going over old code as a first step in cleaning out bugs. “It’s time to get the garage cleaned out.”

Twelve years later, the Trustworthy Computing initiative is not finished, and probably never will be. David Aucsmith, senior director of Microsoft’s Institute for Advanced Technology for Governments, said recently in Washington, “I do not believe you can create a secure computer system.”

The problem is, “we build systems far more complex than our ability to understand them,” Aucsmith said. Because we don’t know what we don’t know, built-in security inevitably will be incomplete, and software and hardware will always have to adapt to newly discovered threats and exploits. “Nothing static remains secure.”

But the Secure Development Lifecycle (SDL) that grew out of the Microsoft initiative has helped to change the way developers think about software security. The SDL process now shows up as a requirement in government procurements, and the National Security Agency says it has made an impact on OS security.

“A fundamental goal of the SDL process is to reduce the attack surface,” NSA said in an evaluation of Windows 7 security for the Defense Department and the intelligence community. “Since adoption of the SDL process, the number of Common Vulnerabilities and Exposures on Microsoft products in the National Vulnerability Database has declined.”

“A preliminary System and Network Analysis Center analysis has determined that the new Windows 7 security features, coupled with the use of the SDL process throughout the development cycle, has assisted in the delivery of a more secure product,” the assessment concluded.

We still are a long way from being as secure as we want to be or can be. But there has been progress.

Posted by William Jackson on Mar 21, 2014 at 6:32 AM