DHS Tightens Security for Federal Networks

Tuesday, May 17, 2016 @ 09:05 AM gHale


The Department of Homeland Security (DHS) added a new intrusion prevention security service to the National Cybersecurity Protection System (NCPS) — also known as Einstein 3A.

With this move, DHS is looking to address a substantial shortfall in the government’s major weapon for defending against cyber attacks.


In a Privacy Impact Assessment, DHS said the new intrusion prevention service, a Web Content Filtering system, provides protection at the application layer for web traffic by blocking access to suspicious websites, preventing malware from running on systems and networks, and detecting and blocking phishing attempts as well as malicious web content.

This service will add to the existing E3A intrusion prevention security services already in place, the DHS said.

Einstein should provide DHS with capabilities to detect malicious traffic traversing federal agencies’ computer networks, prevent intrusions, and support data analytics and information sharing.

There has been plenty of debate about the program since its inception. Most recently, a Government Accountability Office (GAO) report found the NCPS system needs some work in its four chief areas of coverage.

The GAO report said:
• Intrusion detection: NCPS provides DHS with a limited ability to detect potentially malicious activity entering and exiting computer networks at federal agencies. Specifically, NCPS compares network traffic to known patterns of malicious data, or “signatures,” but does not detect deviations from predefined baselines of normal network behavior.
• Intrusion prevention: The capability of NCPS to prevent intrusions (e.g., blocking an email determined malicious) is limited to the types of network traffic that it monitors. For example, the intrusion prevention function monitors and blocks email.
• Analytics: NCPS supports a variety of data analytical tools, including a centralized platform for aggregating data and a capability for analyzing the characteristics of malicious code.
• Information sharing: DHS has yet to develop most of the planned features for NCPS’s information-sharing capability, and requirements only recently gained approval.
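The first GAO finding turns on the difference between matching traffic against known signatures and flagging deviations from a learned baseline. The following is an added illustration of that difference, not code from the article, from GAO or from NCPS: it runs both methods over constructed flow records (host, bytes sent, payload snippet) and shows which records each method flags. The signature string, host names and byte counts are all constructed for the example.

```python
"""Signature matching versus baseline deviation, on constructed flow records.

Each record is (src_host, bytes_out, payload_snippet). The first list stands in
for traffic observed during a learning period; the second for new traffic.
"""
from statistics import mean, pstdev

# Constructed "normal" traffic used to learn the baseline.
BASELINE_FLOWS = [
    ("ws-01", 12_000, "GET /index.html"),
    ("ws-01", 9_500, "GET /news"),
    ("ws-01", 11_200, "POST /login"),
    ("ws-02", 8_800, "GET /"),
    ("ws-02", 10_100, "GET /about"),
    ("ws-03", 10_400, "GET /"),
]

# Constructed new traffic to evaluate.
NEW_FLOWS = [
    ("ws-01", 10_900, "GET /index.html"),                  # ordinary
    ("ws-02", 950_000, "GET /u?tag=CONSTRUCTED-SIG-0001"), # carries a known pattern
    ("ws-03", 7_900_000, "POST /upload"),                  # no known pattern, far outside baseline
]

# Constructed signatures: literal patterns standing in for published indicators.
SIGNATURES = {"CONSTRUCTED-SIG-0001": "placeholder signature for the example"}


def signature_hits(flows, signatures=SIGNATURES):
    """Signature detection: flag a flow whose payload contains a known pattern."""
    return [(src, sig) for src, _, payload in flows for sig in signatures if sig in payload]


def fit_baseline(flows):
    """Learn the normal bytes_out profile as (mean, population std dev)."""
    sizes = [nbytes for _, nbytes, _ in flows]
    return mean(sizes), pstdev(sizes)


def baseline_deviations(baseline, flows, z_threshold=3.0):
    """Anomaly detection: flag flows whose bytes_out lie more than z_threshold
    standard deviations above the learned mean."""
    mu, sigma = baseline
    if sigma == 0:
        sigma = 1.0  # degenerate baseline (all identical sizes); avoid division by zero
    return [(src, nbytes, round((nbytes - mu) / sigma, 1))
            for src, nbytes, _ in flows if (nbytes - mu) / sigma > z_threshold]


def compare(baseline_flows, new_flows):
    """Return which hosts each method flags, and which only the baseline catches."""
    by_signature = {src for src, _ in signature_hits(new_flows)}
    by_baseline = {src for src, _, _ in baseline_deviations(fit_baseline(baseline_flows), new_flows)}
    return {
        "signature": by_signature,
        "baseline": by_baseline,
        "baseline_only": by_baseline - by_signature,
    }


if __name__ == "__main__":
    print(compare(BASELINE_FLOWS, NEW_FLOWS))
```

The ws-03 upload carries no known pattern, so signature matching alone never sees it; only the baseline comparison flags it. That gap is what the GAO finding describes. A real deployment would learn per-host or per-service baselines over far more data and use a more robust statistic than a plain z-score, but the division of labour between the two methods is the same.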

According to the DHS, the initial implementation of Einstein 3A involved two intrusion prevention security services: Domain Name Server (DNS) sinkholing and Email Filtering. DNS sinkholing protects against the use of DNS as a means to establish communication with compromised hosts or to distribute malware. Email filtering protects against the use of malicious file attachments and embedded links in email content by preventing emails that match known cyber threat indicators from reaching their intended destination and collecting information on malicious activity.
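To make the two services concrete, here is an added example, not code from the article, from DHS or from Einstein 3A, of the logic each one performs: a resolver that answers queries for indicator-listed domains (and their subdomains) with a sinkhole address and records the event, and a mail filter that holds a message whose embedded links or attachment hashes match the same indicator set. The domains, hashes and addresses are constructed placeholders (RFC 5737 documentation ranges and the reserved `.invalid` TLD), not real indicators.

```python
"""DNS sinkholing and indicator-based email filtering on constructed data."""
import hashlib
import re
from urllib.parse import urlparse

# Constructed threat indicators (placeholders, not real IoCs).
BLOCKED_DOMAINS = {"c2.example.invalid", "dropper.example.invalid"}
BLOCKED_ATTACHMENT_SHA256 = {
    hashlib.sha256(b"constructed malicious attachment").hexdigest(),
}

SINKHOLE_IP = "192.0.2.1"  # documentation address standing in for the sinkhole host
# Constructed stand-in for upstream resolution of names that are not blocked.
UPSTREAM = {"www.example.com": "198.51.100.10"}


def normalize(name):
    """Lower-case a DNS name and drop the trailing root dot."""
    return name.lower().rstrip(".")


def domain_matches(qname, blocked):
    """True if qname equals a blocked domain or is a subdomain of one."""
    labels = normalize(qname).split(".")
    return any(".".join(labels[i:]) in blocked for i in range(len(labels)))


def resolve(qname, blocked=BLOCKED_DOMAINS, upstream=UPSTREAM, log=None):
    """Sinkhole resolver: answer blocked names with the sinkhole address and log
    the event; forward everything else to the (here, constructed) upstream."""
    if domain_matches(qname, blocked):
        if log is not None:
            log.append({"qname": qname, "action": "sinkhole", "answer": SINKHOLE_IP})
        return SINKHOLE_IP
    answer = upstream.get(normalize(qname))
    if log is not None:
        log.append({"qname": qname, "action": "forward", "answer": answer})
    return answer


URL_RE = re.compile(r'https?://[^\s<>"]+')


def filter_email(message, blocked_domains=BLOCKED_DOMAINS,
                 blocked_hashes=BLOCKED_ATTACHMENT_SHA256):
    """Return (deliver, reasons) for a message of the form
    {"body": str, "attachments": [bytes, ...]}. A message is held when an
    embedded link points at a blocked domain or an attachment hash matches."""
    reasons = []
    for url in URL_RE.findall(message.get("body", "")):
        host = urlparse(url).hostname or ""
        if domain_matches(host, blocked_domains):
            reasons.append(f"link to blocked domain {normalize(host)}")
    for blob in message.get("attachments", []):
        digest = hashlib.sha256(blob).hexdigest()
        if digest in blocked_hashes:
            reasons.append(f"attachment sha256 {digest[:12]}... matches indicator")
    return (not reasons, reasons)


if __name__ == "__main__":
    events = []
    print(resolve("beacon.c2.example.invalid.", log=events), events[-1])
    print(filter_email({"body": "see http://dropper.example.invalid/a",
                        "attachments": [b"constructed malicious attachment"]}))
```

The sinkhole answer keeps the host from reaching the listed domain while the log entry gives defenders the evidence (which host asked for what) that DHS describes as "collecting information on malicious activity". Matching on the registered domain and its subdomains, rather than on the exact name, is what stops per-victim or per-campaign subdomains from slipping past the list.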