Posts Tagged ‘Department of Defense’

Friday, April 4, 2014 @ 04:04 PM gHale

Outside cyber attacks gain the most publicity, but internal incidents are just as worrisome, just ask the Defense Department (DoD).

What concerns DoD officials the most is careless or poorly trained insiders as a source of threats, one survey found, according to a survey by SolarWinds, an IT management software provider.

Smart Grid; Vulnerable Grid
NIST Seeks Smart Grid Comments
Cyber Security Framework Released
NIST to Update Role-Based Security Training

In the survey, which addressed cyber security threats and preparedness across the federal government, 41 percent of DoD respondents named insider data leakage/theft as a threat, not far below the 48 percent who identified external hacking.

And although those responses may have come with the disclosures of Edward Snowden and Chelsea Manning in mind, it seems inept co-workers, rather than intentional leakers, are the biggest concern.

Fifty-three percent of DoD respondents cited careless/untrained insiders as a source of security threats, more than foreign governments (48 percent), terrorists (31 percent) or the general hacking community (35 percent). Malicious insiders were at 26 percent of respondents.

SolarWinds conducted the online survey earlier this year of 200 IT and IT security professionals in the federal government, 40 percent of whom worked in the military. The results showed similarities in the concerns of civilian and military agencies, as well as some notable differences.

Overall, the respondents were pretty confident in their IT defenses, with 94 percent rating their cyber security readiness as good or excellent (though more good, at 50 percent, than excellent, at 44 percent).

External hacking was the most common threat in the overall survey, with 50 percent of the respondents naming it, followed by malware (46 percent), social engineering (37 percent) and spam (36 percent), with similar results coming from civilian and Defense agencies.

Differences cropped up in a few areas, though. Only 21 percent of civilian respondents cited insider data leakage/theft as a threat, compared with DoD’s 41 percent. And twice as many civilian respondents (25 percent to 12 percent) named mobile device theft as a threat, perhaps reflecting the fact that DoD has to date eschewed the bring your own device trend. DoD respondents showed more concerned than their civilian counterparts about physical security attacks, 25 percent to 13 percent.

Click here to review the survey.

Wednesday, October 2, 2013 @ 10:10 AM gHale

Seventeen Carnegie Mellon University (CMU) graduate students earned cyber security scholarships from the National Science Foundation, the Department of Homeland Security’s CyberCorps Scholarship for Service (SFS) Program and the Department of Defense’s Information Assurance Scholarship Program (IASP).

The SFS awards went to nine students in CMU’s Information Networking Institute (INI) and six students at CMU’s Heinz College. The IASP awards went to two INI students.

Grant to Boost Wireless Security
DoE Awards to Boost Security Tools
Petrobras Moves to Hike Security
NIST Grants to Improve Security, Privacy

Both programs share a common goal and that is to increase and strengthen the amount of federal information assurance professionals that protect the nation’s critical infrastructures and national defense.

“As future federal employees, the SFS and IASP scholars delve into challenging engineering and information assurance coursework and engage in interdisciplinary cyber security research. In addition to the emphasis on the technologies and strategies related to cyber defense and cyber offense, CMU’s cyber security curricula explore risk management, economics and policy issues related to reducing vulnerability and securing our national information infrastructure,” said Dena Haritos Tsamitis, INI director and director of education, training and outreach for CyLab. She is also the principal investigator of the grants.

Increased global cyber attacks make the training and retention of cyber security experts a priority of the U.S. government. The National Security Agency (NSA) and the United States Cyber Command designated Carnegie Mellon as a National Center of Academic Excellence (CAE) in cyber operations for 2013-2018. The National Security Agency designated the university as a CAE in Information Assurance Education and a CAE in research.

More than 160 students in the SFS program have graduated from CMU in the past decade. One student in the IASP graduated from the INI in 2012.

Both programs provide full-tuition scholarships and stipends to scholars in exchange for working for the federal government after graduation.

Wednesday, May 8, 2013 @ 09:05 PM gHale

This may not come as a big surprise, but China’s government and military appear to be an active participant in cyber attacks against the U.S., a new report said.

The conclusion, contained in the Department of Defense’s (DoD) annual report that evaluates China’s military capabilities, marked another pointed claim by the U.S. government amid rising tensions between the two nations over cyberspace.

Federal Security Guidelines Reworked
Firing Up a Security Framework
Obama Inks Cyber Security Order
Hackers ‘Declare War’ on U.S.

The DoD said last year “numerous computer systems around the world, including those owned by the U.S. government, continued to be a target of intrusions, some of which appear to be attributable directly to the Chinese government and military. These intrusions were focused on exfiltrating information.”

The stolen information is useful to a range of Chinese entities, including its defense and technology industries, U.S. policy makers in China as well as military planners, the report said.

Cyber warfare capabilities could complicate efforts to respond during a military confrontation, including causing slow response times by constraining the communication and commercial activities of an adversary, the report said.

China denies it is coordinating hacking campaigns, but computer security researchers point directly to the nation when describing intrusions.

The DoD report also said Russia and China were playing a “disruptive role” in international forums aimed at establishing confidence-building measures and transparency in cyberspace.

Both nations are also pushing an Information Security Code of Conduct, which would give governments sovereign authority over content and information on the Internet. The proposal has quite a few critics.

The U.S. argues existing international humanitarian law should apply in cyberspace. China doesn’t agree, but “Beijing’s thinking continues to evolve,” the report said.

In March, U.S. President Barack Obama’s national security advisor Tom Donilon said U.S. businesses have serious concerns about “cyber intrusions emanating from China on an unprecedented scale.” He called on China to recognize the threat cyber attacks pose to the two countries’ relationship and trade.

In February, computer security vendor Mandiant released a comprehensive report that named a specific Chinese military unit called “61398” as conducting an extensive, seven-year hacking campaign that struck 141 organizations.

The hacking group, also called the “Comment Crew,” was extremely active in targeting U.S. companies and other organizations despite China’s claims it does not permit state-sponsored hacking.

Monday, April 29, 2013 @ 04:04 PM gHale

A policy through which federal departments offered prosecutorial immunity to companies that helped the U.S. military monitor Internet traffic on private networks of defense contractors expanded by Executive Order to include other critical infrastructure industries, according to the Electronic Privacy Information Center (EPIC).

EPIC said the pilot-version of the program run with the Departments of Justice (DoJ), Defense (DoD), and Homeland Security (DHS) came to light in June 2011 after The Washington Post published a report detailing the implementation of a new program by National Security Administration that let them monitor traffic flowing from some defense contractors through certain Internet service providers. At the time, The Washington Post quoted Deputy Defense Secretary William J. Lynn III saying the program was to help thwart attacks against defense firms and the government hoped to expand the program moving forward.

Web Access Means More Attacks
Phishers Hide Real Links with Javascript
APT Attacks Shut Down
Cyber Attack Against S. Korea

The documents obtained in the a Freedom of Information Act (FOIA) request, EPIC said, reveal the DoD advised private industry organizations on the ways in which they circumvent federal wiretap laws in order to aid the DoD and DHS in their surveillance of private Internet networks belonging to defense contractors.

EPIC, digital rights group the Electronic Frontier Foundation, and others fear the program’s expansion would apply to the broad swath of organizations that potentially fall under the vague category of critical infrastructure.

The government has not yet named the program, but EPIC said the NSA has partnered with AT&T, Verizon, and CenturyLink in order to keep tabs on the Internet traffic flowing into and out of some 15 defense contractors, including Lockheed Martin, CSC, SAIC, and Northrop Grumman.

For its part, the NSA said it is not directly monitoring these networks, but is rather filtering their traffic in order to detect the presence of suspicious packets based on a number of malicious code signatures the agency has developed.

EPIC issued a FOIA request in July 2011 requesting the following information: “All contracts and communications with Lockheed Martin, CSC, SAIC, Northrop Grumman, or any other defense contractors regarding the new NSA pilot program; All contracts and communications with AT&T, Verizon, and CenturyLink or any other ISPs regarding the new NSA pilot program; All analyses, legal memoranda, and related records regarding the new NSA pilot program; Any memoranda of understanding between NSA and DHS or any other government agencies or corporations regarding the new NSA pilot program; Any Privacy Impact Assessment performed as part of the development of the new NSA pilot program.”

The government failed to provide any of this information. So, EPIC filed a FOIA lawsuit on March 1, 2012 and eventually gained access to thousands of pages of previously unreleased documents, which they have posted on their website.

Wednesday, January 30, 2013 @ 05:01 PM gHale

Cyber threats are real and abundant and the government is keenly aware it needs to lock in security policies and procedures.

Just look at what is going on. The Senate keeps pushing for legislation to improve information-sharing on threats and attacks. President Barack Obama is looking to issue an executive order on cyber security and the Department of Defense (DoD) is looking for a massive increase in the number of trained cyber security professionals to defend the country’s private and public networks.

Back to Basics: Security 101
Drive-bys Tops EU Threat Reports
Agencies Join in Security Plan
Ensuring Software Security Policies

Security professionals working on these assignments right now is difficult to narrow down as quite a few work in agencies that don’t discuss their operations. Also, some work in dual-tasked positions and don’t focus on just one assignment. However, officials from the Department of Defense have been pushing for more funding to hire more trained security professionals.

Now, that push seems to be paying dividends. The Pentagon’s goal is to increase the number of security professionals from fewer than 1,000 to 5,000 in the next few years. Those personnel will comprise military and civilian security professionals, and the goal will be to defend the country’s critical infrastructure as well as government and military networks.

This all comes just a few days after Janet Napolitano, secretary of the Department of Homeland Security, warned a nation-level incident of the scale of 9/11 could occur sometime soon as a result of a cyber attack. Napolitano is not the first to warn about the possibility of such an attack, but is rather the latest in a long line of government officials, presidential advisers and security experts to raise that specter. Security researchers also have warned in recent years about serious vulnerabilities in the SCADA and ICS systems that run much of the network infrastructure in utilities, financial systems and other critical areas.

In October, DHS officials warned SCADA system operators about an increase in the level of malicious activity targeting those systems.

“Asset owners should not assume that their control systems are secure or that they are not operating with an Internet accessible configuration. Instead, asset owners should thoroughly audit their networks for Internet facing devices, weak authentication methods, and component vulnerabilities,” the alert said.

The new plan from the Pentagon contemplates the creation of several separate groups of cyber security personnel, each with a different set of responsibilities. One group will defend networks used by critical infrastructure entities like utilities. Another team will be responsible for defensive and offensive military operations in cyberspace, and the third group will work on fortifying the DoD’s networks.

All of the groups will report up to the U.S. Cyber Command, a relatively new arm of the military headed by Gen. Keith Alexander, the director of the National Security Agency.

Monday, September 17, 2012 @ 04:09 PM gHale

U.S. power grids and other civilian infrastructure are not prepared for electromagnetic pulses (EMP) that could result from weapons or violent space weather, according to a congressional subcommittee hearing last week.

There are serious flaws in the nation’s infrastructure that could allow for EMP events to shut down power and communications for extended periods of time, said panelists at the House Homeland Security Subcommittee on Cybersecurity, Infrastructure Protection and Security Technologies, headed by Chairman Dan Lungren R-CA.

Profile on Civilian ‘Cyber Warriors’
Hacktivists Could Bring Down Grid
Schoolboys Behind Greek Hack
Tear Gas Maker Hacked

“Our civilian grid, which the Defense Department relies upon for 99 percent of its electricity needs, is vulnerable to these kinds of dangers,” Rep. Trent Franks, R-AZ, testified during the hearing. Franks, one of the leaders of the Congressional EMP Caucus, sponsored legislation in 2011 to protect U.S. infrastructure in the event of an attack by an EMP weapon.

Michael Aimone, a director of business enterprise integration at Defense, said the Pentagon had pursued a “two-track approach” to mitigate the impact an EMP attack could have on Defense facilities. He said his plan relied on in-house capabilities to maintain power and electronics and a means to communicate and coordinate with outside partners.

“DoD recently adopted an explicit mission assurance strategy, which is focused on ensuring operational continuity in an all-hazard threat environment,” Aimone said.

EMP disruptions and attacks can come from different types of events, including high-altitude or low-altitude nuclear weapons detonations, locally based radio frequency weapons, and solar weather. One of the largest impacts from an EMP-based disruption was in Quebec in 1989, when nearly 6 million people lost power because of a geomagnetic storm.

Brandon Wales, of the Homeland Security Department’s National Protection and Programs Directorate, said DHS was working with federal agencies on contingency plans for an EMP event. He said Federal Emergency Management Agency was establishing lines of communication with key agencies in case an EMP event occurs, and that Homeland Security Secretary Janet Napolitano had commissioned a report in 2011 to study the impact of space-based EMP attacks.

“DHS has pursued a deeper understanding of the EMP threat, as well as its potential impacts, effective mitigation strategies, and a greater level of public awareness and readiness in cooperation with other federal agencies and private equipment and system owners and operators through various communications channels,” Wales said.

Common standards for power grid equipment are a major issue, said Joseph McClelland, director of the Office of Electric Reliability at the Federal Energy Regulatory Commission. He said current standards to protect infrastructure and equipment do not address the many levels within the power grid and should undergo an update.

“Protecting the electric generation, transmission and distribution systems from severe damage due to an EMP-related event would involve vulnerability assessments at every level of electric infrastructure,” McClelland said.

Tuesday, May 15, 2012 @ 07:05 PM gHale

Cyber security is the top issue keeping federal agency CIOs up at night, followed by controlling costs and managing human capital, according a new survey.

Forty CIOs and other federal IT leaders, from agencies including the Department of Defense, Homeland Security, and Veterans Affairs ended up interviewed by TechAmerica, a tech industry group. Twenty percent identified cyber security as their top concern, followed by 15% who pointed to controlling costs, and 12% human capital.

Security Awareness: CISO’s Role Changing
Internet Crime: An Upward Spiral
Data Breaches Focus on Money: Study
Agile Hackers will Break Security

While most of security resources direct toward outside threats, internal threats are a growing concern, respondents said. At the same time, TechAmerica said outside threats are on the rise and becoming more sophisticated.

One CIO said IT security is inconsistent in federal government and quality is “all over the place.” A consequence of such concerns is agencies are unwilling to embrace federal IT goals for centralization and mobility, according to the report. There would be less concern if there was a consistent, high-quality security framework applied across government.

Survey respondents recommended agencies identify which department “owns” security; that they plan ahead and build infrastructure with security in mind; and the government develop sound metrics for security monitoring.

Cost control was the second most-mentioned concern of federal CIOs, a reflection of flat IT budgets over the past three years. Some said budget discipline drove changes such as dropping unused software licenses and adopting thin-client hardware. However, across-the-board budget cuts were the “most feasible and least effective way” to control costs.

Monday, May 14, 2012 @ 06:05 PM gHale

The push is on for government and the private sector work together when it comes to security so effective immediately, the Defense Industrial Base (DIB) Cyber Pilot program is open to all eligible DIB companies.

The program, an information exchange arrangement that allows intelligence agencies to share threat information with companies, and companies to share information on attacks with some liability protections, started in June 2011 and initially included 20 volunteering companies.

ICSJWG: Govt., Companies Partner
Security a Weak Link for States
Security First; Not in Smart Grid
Smart Meters Getting Smarter

Defense officials have said they wanted to increase the number of companies to more than 200, but this announcement means the program will be open to any company in the industrial base that can meet certain minimum requirements and that chooses to join. Specifically, the company must handle DoD information or have access to a DoD network and demonstrate a basic level of information security.

“Increased dependence on Internet solutions have exposed sensitive but unclassified information stored on corporate systems to malicious probes, theft, and attacks,” said Ashton Carter, deputy secretary of defense. “This expanded partnership between DoD and the defense industrial base will help reduce the risk of intrusions on our systems.”

Experts familiar with the program have voiced concern about its effectiveness, saying the data provided by the government has been far from useful and that companies have been withholding critical information from the government.

But company sources said the program has improved in recent months, with a basic level of trust established which has allowed the flow of better intelligence.

“I am pleased by the deep collaboration between DoD, DHS and DIB partners,” Carter said. “Shared information between DoD, DHS and the defense industrial base can help us defend against the ever-growing threat of cyber attacks.”

Tuesday, May 1, 2012 @ 03:05 PM gHale

By Nate Kube
Though it’s critical to accurately identify vulnerabilities in process control networks and devices, a chief executive or management team will likely question the additional investment in robustness testing.

At first glance, what they often don’t recognize is that additional investment will end up improving the bottom line.

Robustness testing provides insight into how environments perform under stress, it goes the extra mile beyond requirement specifications to ensure control systems exceed specifications in emergencies.

Siemens CERT Gains Achilles Status
Security First; Not in Smart Grid
Smart Meters Getting Smarter
Secure Smart Grid Moves Forward

National Aeronautics and Space Administration (NASA) and the U.S. Department of Defense (DoD) reports indicate over half of the bugs found in deployed devices directly relate to a lack of robustness testing. Now with resources in short supply, developers cannot be reverting to fixing flaws that should have never shipped.

While assuming there are extra resources to troubleshoot after the fact, the challenges of critical infrastructure testing are more significant. For instance, rebooting a PC can cause a minor disruption, rebooting a nuclear power plant has broader implications.

Defining Robustness Testing
The Institute of Electrical and Electronics Engineers (IEEE) defines robustness as “the degree to which a system or component can function correctly in the presence of invalid inputs or stressful environmental conditions.” Having a properly functioning system, despite the unpredictable, is essential in the industrial control systems world in order to “keep the lights on.”

Overlooking Robustness Testing
Quite a few DoD programs engage in what has been called “happy-path testing,” in other words only showing the system maintains functional requirements, according to a DoD assessment report. While this type of testing is essential, additional tests to ensure the system properly handles errors and failures appropriately are often neglected. Performing “happy-path testing” underscores that control system failure in the field is often due to a lack of robustness.

Although vendors’ solutions meet user requirements for particular installations, users may not be able to quantify the level of robustness required for specific installations. At present, most industrial control equipment manufacturers and software developers are limited in their ability to rigorously test new products for possible security flaws because of the lack of available tools.

As a result, new vulnerabilities are discovered each year, but only after the products are sold and installed by the end user. This is particularly true of control and SCADA systems used in critical infrastructures such as the oil and gas, water, and electrical generation/distribution industries. Standard information technology (IT) vulnerability testing does not typically address the unique resources and timing constraints of critical control systems or the specialized protocols used.

As business and technology continue to drive toward more open and connected networks, mission critical systems – including those used in the control of power generation, oil and gas production, water treatment and transportation – are becoming increasingly vulnerable to cyber attacks that penetrate or bypass perimeter defenses (e.g. firewalls).

Yet, how does one measure and assess something that doesn’t necessarily happen? Additional testing is a tough sell for management if the current testing regimes appear successful. How and why can one build a case for an expanded testing capability or continued diligence?

Dollars and Sense
NASA leads the industry in computer usage and complex systems. They advise robustness testing through usage of off-nominal cases. NASA believes a methodology able to test for off-nominal cases (i.e., hardware and software failures) during design, and the earlier test stages, could avoid over one-half of all failures and over two-thirds of the failures in the most severe classifications.

For a quick rubric:
1. Make an estimate of the additional costs you’ve incurred over the last year due to robustness failures of your systems in the field.
2. Multiply that figure by .50 to get the low end of the range and by .66 to get the high end of the range.

Although this can quickly determine the value of pursuing a course of action, this may not be enough to persuade management to make additional robustness testing investments.

Fortunately, several valuation models can aid in putting a dollar amount on security costs. Carnegie Mellon University for the U.S. Department of Homeland Security published a paper that makes a comparison between 13 different models for assessing the cost and value of software assurance. They found several features common to each model and categorized the models into four types: Cost-based, investment-based, quantitative estimation and environmental/contextual. A follow-up paper provided by the same company demonstrated organizing its approach focused specifically on the Balanced Scorecard model. The Balanced Scorecard is widely used; one major explanation to its success (and to the success of all quantitative methods) is data. Before embarking on any effort to quantify the cost of robustness testing, an organization must have metrics in place and data collected and validated.

Budgets are shrinking and threats are increasing. Times are difficult with economic hardships, but security cannot be compromised. Companies have the capability to increase the robustness of their systems to reduce the time to market and produce a quality product while decreasing overall costs.

Protecting critical infrastructure and “keeping the lights on,” is the singular aim of any robustness test. Robustness testing is not just important, it is essential. This expands from the plant floor to every point where an organization’s system is touched by the Internet.

As more devices become Ethernet-enabled in the control systems world, we can no longer depend on “security through obscurity.” Everyone needs to be confident that implemented security solutions function effectively under known, as well as, unexpected conditions.

Nate Kube founded Wurldtech Security Technologies in 2006 and as the company’s Chief Technical Officer is responsible for strategic alliances, technology and thought leadership.

Archived Entries