Tag Archives: cyber security

Cyber Tech Firms Need Integrator Partners to Broaden Their Services


Image:  Oracle.com

“WASHINGTON TECHNOLOGY”

“Given the frequency and severity of security intrusions in the public and private sector, cybersecurity companies are now looking for more complete offerings beyond their core capabilities.

By demonstrating an ability to technically integrate with third party vendor products, these companies can show that they are able to more fully meet the needs of Federal government customers.”


“Government agencies are looking for companies that can act as general contractors, but not all companies are system integrators. Therefore, the goal for many companies is to have the ability to provide a more expansive, holistic offering beyond just their own product portfolio.

That hasn’t traditionally been the case among cybersecurity providers. These companies have typically focused on selling their uniquely specialized products into agencies, which understandably can limit their success in responses to requests for proposals in more comprehensive programs.

For the government in particular, the approach allows agencies to more easily make decisions on which products to deploy in complex environments.

Let’s look at how some general technical cybersecurity integrations can add benefit to customers:

Multi-Factor Authentication (MFA) – An agency looking to deploy MFA tokens to all their employees will likely need a card management system (CMS) to enroll the certificates stored on the physical tokens. Some companies offer both tokens and a CMS, but particularly when looking for high assurance tokens that were designed with the Federal government in mind, they are unique areas of expertise. Having the ability to vet out, in advance, a working solution that can be jointly offered to a customer simplifies the overall process and allows a customer to more readily select the appropriate vendor.

Storage & Key Mgt Encryption – What’s important here is whether a storage encryption solution can work with a key manager through open standards such as the Key Management Interoperability Protocol (KMIP). This type of interoperability is another way of layering levels of security and creating an overall efficient solution for the customer. It alleviates the challenge of the customer having to validate that the products they purchase will properly integrate in their environments.

Complete offerings – In some cases a company may be missing one element to an overall holistic solution. Among encryption providers, encrypt everything is the Holy Grail. Some come very close to meeting that promise with encryption solutions for web/application servers, databases, file servers, disk encryption, virtual machines, etc. Often, however, what might be missing is the ability to encrypt email and documents. Companies should pool resources to be able to offer that level of encryption and storage with hardware for root key management, to provide an integrated solution for all available data venues.

So after being a bit late to the game on the need to create integrated offerings, cybersecurity firms have come to realize that there is more value to creating a simple means for agencies to ensure their IT security than there is to owning a narrow segment of the market.”

https://washingtontechnology.com/articles/2017/09/29/insights-schatz-cyber-integrator-role.aspx

 


“Who’s Who” in Cyberspace Operations (CSO)? DARPA Asks

DARPA Who's Who

(Photo credit: DARPA)

Defense Advanced Research Projects Agency Wants to Know

“FIFTH DOMAIN”

“DARPA wants to know who can do what when it comes to cyber research.

The agency wants to compile an up-to-date list of companies capable of participating in research projects in cyberspace operations (CSO).

“Ideally, respondents will include both potential performers currently holding security clearances and those who may be granted clearances based on technical capabilities and eligibility,” DARPA said.

“Often, these projects are classified and can only be solicited from a limited number of sources,” noted the FedBizOpps request for information. “DARPA must maintain up-to-date knowledge about potential performers to maximize the number of sources that can be solicited for classified, highly specialized, CSO R&D initiatives.”

Interested parties should submit a white paper that includes a list of their personnel with CSO experiences, any security clearances those employees have, and a narrative description of their relevant skills. Companies should also list any relevant facilities, including secure areas.”

https://www.fifthdomain.com/dod/2017/08/29/darpa-wants-whos-who-of-cyberspace/


DARPA Wants Bots To Protect Us From Cyber Adversaries

Bots for Cyber Protection

MOPIC/SHUTTERSTOCK.COM

“DEFENSE ONE”

“The military research unit is looking for technology and software that can identify networks that have been infiltrated—and neutralize them.

[They are] looking for ways to automate protection against cyber adversaries, preventing incidents like the WannaCry ransomware attack that took down parts of the United Kingdom’s National Health Service networks.

The Defense Advanced Research Projects Agency is gathering proposals for software that can automatically neutralize botnets, armies of compromised devices that can be used to carry out attacks, according to a new broad agency announcement.

The “Harnessing Autonomy for Countering Cyber-adversary Systems” program is also looking for systems that can exploit vulnerabilities in compromised networks to protect those networks, making cyber adversaries—both state and non-state—less effective.

This isn’t the first time DARPA has investigated automated cybersecurity. In the 2016 Cyber Grand Challenge, participants were tasked with building systems that could thwart attacks without human intervention.

The businesses awarded contracts under the HACCS program will also come up with ways to measure how successful that technology is, incorporating how accurate the systems are in identifying botnet infections and the types of devices harnessed by the botnet.

It’s not enough to simply fortify Defense Department networks, the solicitation says, because botnets might operate without the owner of that network knowing. The Defense Department needs a way to initiate an immediate response even if the owner is not “actively participating in the neutralization process,” according to the announcement.

One way to build such an autonomous system might be to teach it to mimic the way human operators neutralize attacks in cyber exercises, according to a HACCS slide deck.

DARPA is not concerned about how stealthy the technology is in neutralizing botnets, the deck notes, but an effective system should only work on the networks that actually are compromised instead of taking the “kitchen sink” approach.

Some internet privacy advocates noted that law enforcement’s efforts to quietly neutralize botnets could violate the privacy of those who own the compromised devices, especially if the Federal Bureau of Investigation doesn’t inform them that they’re accessing their devices in their attempts to thwart attacks.

Proposals for DARPA’s four-year program, whose budget is undisclosed, are due Sep. 29.”

http://www.defenseone.com/technology/2017/08/darpa-wants-bots-protect-us-cyber-adversaries/140565/?oref=d-river

 

All the Ways the U.S. Government Cyber Security Falls Flat


Gov Cyber Security Falls Flat

“WIRED”

“[An] analysis of 552 local, state, and federal organizations [was] conducted by risk management firm Security Scorecard.

The report goes beyond the truism of government cyber security shortcomings to outline its weakest areas, potentially offering a road map to change.”


“Data breaches and hacks of US government networks, once novel and shocking, have become a problematic fact of life over the past few years. So it makes sense that a cyber security analysis placed the government at 16 out of 18 in a ranking of industries, ahead of only telecommunications and education. Health care, transportation, financial services, retail, and pretty much everything else ranked above it.

Security Scorecard found that the government particularly lags on replacing outdated software, patching current software, individual endpoint defense (particularly when it comes to exposed Internet of Things devices), and IP address reputation—meaning that many IP addresses designated for government use or associated with the government through a third party are blacklisted, or show suspicious activity indicating that they may be compromised. A wide range of issues plague government agencies—but they’re largely fixable.

“There’s a lot of low-hanging fruit when it comes to the government sector overall,” says Alex Heid, SecurityScorecard’s chief research officer. “They’ll implement a technology when it’s very new and then it’ll just sit there and age. This creates a mix of emerging technologies, which might be misconfigured, or not everything is known about them yet, with legacy technologies that have known vulnerabilities and exploitable conditions.”

After a few years of high-profile government hacks—the devastating breach of the Office of Personnel Management chief among them—the sector as a whole has made some modest strides on defense, moving up from last place in a 2016 SecurityScorecard report. Even OPM has gained some ground, though findings (and a government review) indicate that it still has a long way to go. Agencies that control and dole out money—like the Federal Reserve, Congressional Budget Office, and National Highway Traffic Safety Administration—tend to have much more robust digital security, as do intelligence and weapons agencies like the Secret Service and Defense Logistics Agency. Even the Internal Revenue Service, which has been plagued by leaks over the past few years, has shown marked improvement, spurred by necessity.

SecurityScorecard gathers data for analyses through techniques like mapping IP addresses across the web. Part of this analysis involves attributing the addresses to organizations, not just by looking at which IPs are allocated to which groups, but by determining which organizations use which IP addresses in practice. This means that the report didn’t just assess blocks allocated to the government, it also tracked addresses associated with contract third parties, like cloud and web application providers. The group also scans to see what web applications and system software organizations run, and compares this information to vulnerability databases to determine which organizations should upgrade and patch their platforms more rigorously. Additionally, SecurityScorecard collects leaked data troves of usernames and passwords, and monitors both public and private dark-web forums.

The report found that government agencies tend to struggle with basic security hygiene issues, like password reuse on administrative accounts, and management of devices exposed to the public internet, from laptops and smartphones to IoT units. “There were more IoT connections available from government networks than I would have expected,” Heid says. “Even things like emergency management systems platforms from the mid 2000s were available to the public.” When systems are unwittingly exposed online, hackers can find credentials to gain access, or use software vulnerabilities to break in. Sometimes this process takes attackers very little effort, because if an organization doesn’t realize that something is exposed online, it may not have made the effort to secure it.

For government groups, the report found that digital security weaknesses and pain points track fairly consistently regardless of the size of an organization. (Shout out to the Wisconsin Court System and the City of Indianapolis for strong cybersecurity showings.) That means that despite the large number of issues across the board, the same types of strategies can potentially be applied widely in an effective way. The question now, Heid says, is how effectively legislation can guide government IT and cybersecurity policy. There’s a mixed track record on that at best, but in the meantime breaches and market forces are slowly driving progress.

“It boils down to the conception of information security as an afterthought,” Heid says. “‘We’ve got operations to handle and we’ll deal with the problems as they arise’ is essentially how it’s been implemented into government. But for some agencies they end up having losses in the millions of dollars. People start wearing kneepads after they fall off the skate board a few times.”

https://www.wired.com/story/us-government-cybersecurity/

 

Estonia Lesson Learned: “Every Country Should Have a Cyber War”


“DEFENSE ONE”

“Estonia’s biggest turning point was 10 years ago, when the country came under sustained cyberattack.

The shock of a cyberwar united the community to take action. Estonians don’t see cybersecurity as a phenomenon, it’s about being empowered by technology, not controlled by it.”


“Estonia’s steps have certainly been radical, and other countries can learn lessons from them about how to defend themselves.

In 1991, Estonia was part of the dying communist empire. Its economy was run by central planners in Moscow, less than half of all households had a phone line, and goods were so scarce that people had to line up for food.

Skip ahead 26 years, and Estonians don’t even have to queue to vote. They do that online.

In just over two decades, Estonia has become one of the world’s most digitally innovative and efficient countries. In fact, Estonians conduct all their civic responsibilities online. Offices and paper forms have become obsolete as state-issued digital identities allow all citizens to carry out any financial or government transaction from their laptops or cellphones. And that gives them an edge when it comes to cybersecurity.

Estonia’s journey down the digital road has been astonishingly fast. When it gained independence from the Soviet Union in 1991, it had almost no money and few natural resources. But it did have one advantage: It was the designated center for software and computer production for the USSR. After achieving independence, the country had a pool of tech expertise for them to build on.

During these early years of independence, Estonia needed to create the means for a new economy. And it wasn’t going to be easy. The country’s tiny population of just 1.3 million is spread over a relatively vast countryside. Outside the capital Tallinn, there’s an average of just four people per square kilometer. The new government didn’t have the resources to extend government offices or banking facilities to small towns and villages, so it decided to encourage self-service, and spread internet access across the country in order to do so.

To achieve this, the government set up an investment group to build computer networking and infrastructure. By 1997, almost every school was connected to the internet, and by 2004, 300 wifi access points had been established, bringing the internet even to small villages—and mostly for free.

In 2007, Estonia was in the middle of a political fight with Moscow over plans to remove a Soviet war memorial from a park in Tallinn. Suddenly, it was hit with three weeks of D-DoS (designated denial of service) attacks. When this happens, multiple sources send multiple online requests, flooding a service or system and making it unable to function. It’s the digital equivalent of crowding an entrance to a building so that no one can come in or out.

As a result, the internet shut down as websites were bombarded with traffic. Russia denied any involvement, but Estonia didn’t believe it.

“War is the continuation of policy by other means,” Estonian president Kersti Kaljulaid told a NATO cyber-conference in Tallinn in June 2017. “Ten years on, it is clear that the decision made by Estonia not to withdraw but stay and fight for the security of our cyberspace was indeed the right one.”

The attacks made Estonia more determined than ever to develop its digital economy and make it safe from future attacks. “I think every country should have a cyber war,” says Taavi Kotka, the government’s former chief information officer. “Citizens get knowledge about what an attack means, about how phishing works, how D-DoS works, and they start to understand and live with that. People aren’t afraid if they know they can survive something. It’s the same thing as electricity going off: Okay, it’s an inconvenience, but you know how to deal with it.”

In Estonia, people are not afraid of cyber warfare, nor are they afraid of sharing personal data across public and private institutions. Go to a hospital, and the nurse or doctor can call up your entire health records from any doctor you ever visited without the need to call their offices and asking them to send files.

Full marks for convenience, simplicity, and efficiency. But what about the dangers of nameless bureaucrats accessing your personal data? Isn’t there a risk of future governments abusing the system and using your intimate details against you? Isn’t this inviting an Orwellian nightmare?

Estonia says no. Unlike an authoritarian state like the old Soviet Union, government transparency is built into the system. While all your private data is online, only you can give permission for any data to be accessed. And you can check who has accessed what. If a doctor you don’t know has viewed your records, it will be traceable, and you can have them sacked. As one software developer Quartz spoke to said, “You become your own Big Brother.”

Data is protected through a framework known as X-road, which helps exchange decentralized data between big government databases. X-road has built-in security measures that encrypt traffic and time-stamps so that the data cannot be manipulated. Taimar Peterkop, from Estonia’s Information System Authority, says that the security measures built into E-identity databases are all but impenetrable by outsiders. “Estonia takes data integrity very seriously because our society is so digitized,” he says. “If someone manipulates citizens’ data, that’s a challenge for us. We use blockchain-based technology to ensure the data is as it should be.”

When it comes to security, Peterkop says humans are usually the weak link. “Cybersecurity starts with us. If you have weak cyber hygiene, that’s a problem. We need to raise awareness and educate people about using strong authentication methods,” he says. For example, Estonia has public-education campaigns about how to use your smart devices wisely.

It seems like glaringly obvious advice, but a look at the recent US election shows that basic cyber hygiene has been an after-thought, even for the powerful. When Democratic nominee Hillary Clinton’s campaign chief John Podesta’s Gmail account was hacked, Wikileaks founder Julian Assange claimed Podesta’s password was simply the word “password.” The campaign denied this claim and said they fell victim to a phishing scam. Whatever the case, it was an avoidable security breach that should never have occurred.

Peterkop also says that consumers need to ask more questions about the Internet of Things, especially when it comes to everyday household products and devices. “There is so much pressure to come up with new products in a hurry, so security measures are an after-thought,” he says. “As consumers, it’s essential that we start paying attention to it. We don’t do enough risk mitigation. Basically every TV is a computer now.” These issues are present already: A recent document dump from Wikileaks points to hacking tools that directly relate to Samsung televisions.

Estonia’s steps have certainly been radical, and other countries can learn lessons from them about how to defend themselves. As well as creating a paperless public service, Estonia is now backing up government data on secure servers offsite in Luxembourg. It has also prioritized tougher international action for cyber-crime and encouraged private companies to review security measures and have stronger agreements with server providers.”

http://www.defenseone.com/technology/2017/08/every-country-should-have-cyber-war-what-estonia-learned-russian-hacking/140217/?oref=d-mostread

 

A New Tool for Looking at Federal Cybersecurity Spending

cyber Spending

Image:  “Taxpayers for Common Sense”

“THE PROJECT ON GOVERNMENT OVERSIGHT”

“A new database and visualization tool that breaks down unclassified federal spending on cybersecurity over the past decade—giving the public a peek at how each major federal agency is devoting resources toward protecting computer systems.”


“More and more of what the federal government does relies on complex computer systems and networks. This high tech infrastructure makes the government work better by making services more efficient and accessible.

But that digital revolution also comes with big risks—just think back to the massive data breach at the Office of Personnel Management disclosed in 2015, when hackers compromised sensitive information about tens of millions of Americans. Last year, there were at least “30,899 cyber incidents that led to the compromise of information or system functionality” at federal agencies, according to a White House report released in March. The number of attacks on federal computer systems has risen sharply over the last decade.

So how much is the government spending to protect itself (and us) in this brave new world?

Unfortunately, the answer is “we don’t really know.” But a new tool from nonpartisan watchdog group Taxpayers for Common Sense provides perhaps the most comprehensive analysis of federal cybersecurity spending.

Last week, Taxpayers released a new database and visualization tool that breaks down unclassified federal spending on cybersecurity over the past decade—giving the public a peek at how each major federal agency is devoting resources toward protecting computer systems.

Taxpayers used public budget documents to build the database, but it wasn’t easy. “There is no government-wide standard definition or method of accounting for what qualifies as cyber funding and, therefore, no way to fully track it,” the organization explains on its methodology page. Agencies also use a variety of different approaches to tackle the issue, making it even harder to pin down their spending. Then, there is the government’s murky “black budget” of classified spending. So Taxpayers “settled on providing the best picture [it] could develop from extensive research of government programs” that are unclassified, spending two years searching through thousands of budget documents for terms like “information security” and “information assurance.”

Taxpayers found the amount spent on cybersecurity has quadrupled over 11 years. The group was able to tally $7 billion in unclassified cybersecurity spending in 2007, as compared to $28 billion in 2016. But some of that growth could be attributed to improvements in how the government tracks cybersecurity funding.

The resulting snapshot isn’t perfect, but it’s an impressive start—and a necessary one. After all, you can’t figure out what bang the government gets for its cybersecurity buck if you don’t know where those bucks go.”

http://www.pogo.org/blog/2017/08/a-new-tool-for-looking-at-federal-cybersecurity-spending.html


The Business of National Cybersecurity


Business of Cyber Security

 

“FIFTH DOMAIN CYBER”

“With all the attention this subject is now receiving, one would think the business of national cyber security (commercial, government and defense) would be very robust.

Small and medium-sized businesses are not singing a happy, carefree tune. Delays in contracts, budget cuts and delayed payments seem to be the most common complaints.

It is hard to open a browser, look at a newspaper, or watch or listen to a news show without the topic of cybersecurity coming up. In mid-June, Microsoft received a lot of attention from headlines about the company’s warning of an elevated risk of cyberattacks. Another attention-grabbing headline came from Chris Childers, the CEO of the National Defense Group located in Germantown, Maryland, who shined light on the fact that many satellites in use today are dated and use old technology that was made before cyberthreats were a real issue and prior to when cyber defenses were readily available.

With all of the headlines about cyberattacks, viruses, ransomware attacks (WannaCry) and so on, you would think cybersecurity business is booming. Odds are it is not as robust as many people think. Let’s not forget when the Department of Homeland Security said 20-plus states faced major hacking attempts during the 2016 presidential election.

Today, basic cybersecurity understanding and skills need to reach into every profession and every level of the workforce. Updating the skills of the workforce must be continuous, and this takes time and money.

Another interesting point was brought up during a recent cyber strategy thinking session: Could our adversaries be leveraging inexpensive cyberattacks and threats as economic warfare, knowing full well that we will move to identify, analyze and address the emerging threats — something that would cost us money? After all, what choice do we have?”

http://fifthdomain.com/2017/07/07/the-business-of-national-cybersecurity-commentary/


Cyber Training and Education Must Be Continuous

Cyber Training

(Photo Credit: Staff Sgt. Alexandre Montes/Air Force)

“C4ISRNET”

“Today, very few organizations have as a requirement for employees and contractors the upkeep of cyber security knowledge.

That must change immediately if we are to keep pace with the ever-changing cyber threat environment.

Times are certainly changing. Politics, regulation, threats, conflict and so much more are changing; but it can be difficult to adapt to all the new and emerging technologies and their applications. There is little doubt that the world’s reliance on computers and their use continue to increase rapidly. Arguably, digital transformation is the leading driver of change. All these are producing a significant amount of new data and data communication paths that are all potential targets for cyberattacks by our adversaries and criminals. The sum of all this equals changes to our knowledge base, education requirements and the cyberthreat environment. Let’s take a look at some of the stats.

Cyberattack surface area

In 2016, there were multiple numbers that clearly showed just how large the cyberattack surface area has become. It was estimated that in 2016, internet of things, or IoT, devices rose to 17.6 billion. In 2016, there were an estimated 12.5 million connected cars produced and put into operation. Also in 2016, an estimated 45 percent of Americans had either a smart home or invested in smart-home technology, according to a survey by Coldwell Banker. Now we should also include robots. In the fourth quarter of 2016, robot orders in North America surged by 61 percent. The increase in robot sales has led analysts to project that robots will take/occupy 6 percent of all U.S. jobs by 2021.

Here is something that provides a partially over-arching perspective: data storage. IDC projects data storage growth by 35 to 40 percent per year for external storage and 33 to 38 percent for internal storage. Finally, consider Gartner’s projection that “manufacturers, consumer goods companies, medical device providers and their supply chain vendors are expanding the use of 3-D printing.” Think of the data files flowing to those printers! Think about the value of those files. Theft of those files enables counterfeit products, for sure. Think about all the changes in technology and to the cyberattack surface area the above data represents.

Threats

Consider the following metrics as an indication of the current pace of change to the cyber environment. In just one quarter of 2016, Panda Labs stated there were 18 million new strains of malware identified/captured. That equates to about two and one-third new pieces of malware being identified every single second. That is what was found! It is anyone’s guess what was actually released. In 2016, ransomware continued to grow in number. In fact, some place the growth rate at approximately 300 percent. That means in 2016 there were on average approximately 4,000 ransomware attacks occurring every day. That equates to two and three-fourths ransomware attacks per minute. We shouldn’t forget about the growing use of cryptocurrencies for payment in ransomware attacks! At the time of writing this, there were more than 850 different cryptocurrencies with a total market capitalization equal to or over $97 billion. Think about all the nefarious activities that cryptocurrencies could be used to fund. It’s proven to be so relevant that a recent cryptocurrency webinar had approximately 3,000 professional attendees.

Distributed denial of service, or DDoS, attacks in 2016 were up in frequency, intensity and the amount of flooding data. In fact, we saw the largest DDoS attack of its kind in history. One company reported DDoS traffic of 1.2 terabytes per second. But hold on. Think about the potential for a highly distributed IoT bot net. That is a distinct possibility evolving right before our eyes.

Impact on cyber training and education

The pace at which the cyberthreat environment is changing creates a huge challenge for our military and intelligence communities. Keeping up with these changes is a large and growing task. Considering the pace with which technology is advancing and implemented, it is easy to see just how essential continuous education has become. With all of the changes that have taken place and continue to take place, updating the curriculum must be an ongoing activity; the same goes for the knowledge and skill-set requirement of professionals in the cybersecurity field. Today, very few organizations have as a requirement for employees and contractors the upkeep of cybersecurity knowledge. That must change immediately if we are to keep pace with the ever-changing cyberthreat environment.”

http://www.c4isrnet.com/articles/cyber-training-and-education-must-be-continuous

 

Half of Industrial Control Systems Suffered Cyber Attack Last Year

Cyber Attacks

The National Institute of Standards and Technology’s industrial control security testbed. (Photo Credit: NIST)

“FIFTH DOMAIN CYBER”

“Data gathered comes from 359 industrial cyber security practitioners in 21 countries that completed online surveys between February 2017 and April 2017.

One-in-five respondents experienced two incidents within the 12-month window.

Threats to industrial control systems are becoming increasingly widespread, according to a new survey from cyber security firm Kaspersky Lab and Business Advantage that found over half of the companies sampled reporting at least one cyberattack in the last 12 months.

The top observed threat remains conventional malware, which played a part in 53 percent of actual incidents, followed by targeted attacks, such as spear phishing to more sophisticated advanced persistent threats. The top perceived threats are third-party supply chain/partners and sabotage/intentional damage from other external sources.

This has led three-in-four companies to expect a cyber attack to happen to them, though 83 percent feel prepared to combat an incident.

Organizations might not be as ready as they believe themselves to be, however, considering the fact that the anti-malware solutions already implemented by 67 percent of respondents still allowed for so many incidents.

Increasing the frequency of issuing patches/updates could contribute to protection from incidents like the WannaCry pandemic, but the increased attack surface and access granted to external parties by growing enterprises complicates matters.

Therefore, risk management is being recognized as a growing priority, but finding properly trained staff and reliable external partners to implement cyber security tops the challenges of companies that acknowledge financial loss. Financial loss is shown to decrease in organizations that have security awareness programs for staff, contractors and partners.

Looking at the survey’s findings, the top risk factors appear to be the access of external parties, a lack of compliance with industry/government regulations and the use of wireless connections. This has led companies to express support for some level of mandatory reporting and governance to help bring about more transparency to help develop frameworks to address the risks.

Some factors that appear to help mitigate threats include documented cybersecurity programs being set in place; regular security assessments/audits being conducted; vulnerability scans and patch deployments happening biweekly at minimum; unidirectional gateways being installed between control systems and the rest of the network; anti-malware solutions being installed for industrial endpoints; industrial anomaly detection tools, intrusion detection and intrusion prevention tools being used; and staff and contractors being given regular security awareness training.”

The entire survey can be accessed by filling in a form on the Kaspersky blog.

WannaCry Worm Highlights Federal & Industry Failures


Image:  Department of Defense

“BREAKING DEFENSE”

“The WannaCry worm proves that our collective response to cyber threat continues to churn ineffectively in the same futile rut while threats multiply and grow increasingly serious by the day.

A new approach is needed to enable innovation in the way security is encouraged and delivered with both carrot and stick.

The worm’s success is yet another clear signal that today’s security model isn’t working. Institutional failure to address security risks has had, and will continue to have, the same pervasive impacts in government, industry, and at home with no respite in sight, no one in charge, and no one accountable for fixing the mess.

The ubiquity of such attacks challenges our internal/international legal framework. (The military and Intelligence Community should not be operating within the United States.) And it crosses our traditional fault lines (ensconced in US law) between corporate, military, legal, and law enforcement organizations. Senior leaders in each of these government fiefdoms tell me that the pan-government table top exercises held to understand and clear the fog around the “who’s in charge” questions assume away all the relevant risk. This is done in order to arrive at prearranged conclusions that won’t rock the boat between all the various stakeholders. The cyber problem is so much greater than a traditional geographical battlespace because it requires a complete strategic rethink of warfare as these kinetic, civil, intelligence, and international equities collide.

Microsoft has declared WannaCry “is a wakeup call.” Add the concomitant coverage in the press and people being put at risk in hospitals, and it makes you think that this incident marks a new chapter in cyber risk. Add in the second Wikileaks dump of the Vault 7 attack files and we have a perfect media storm of NSA toolkits, CIA attack techniques, likely North Korean mischief, chronic government underspending here and abroad, and the resulting health care service outages and outrage to feed the news cycle. The political, fiscal, and productivity impacts of the WannaCry worm highlight that the cyber risks currently accepted by corporate and government risk officials are not tenable.

This malware is particularly lively in large organizations whose legacy systems and limited security budgets provide clear skies for exploit and it could have been worse if not for an enterprising 22 year-old who helped save the world by finding and sharing its Kill Switch. Unfortunately, nastier and more effective worms and viruses and other tools are likely on their way and will wreak greater havoc. So let’s step back and ask what makes this crisis different?

The answer, sadly, is — NOTHING.

A quick review:

  • Ransomware (whereby software encrypts your computer and demands you pay a ransom for a decryption key) has been on the rise for several years. Everyone from Grandma to your insurance company has been hit and they have often (quietly) paid up to get back the family album or their health records.
  • Sure, WannaCry is linked to the purloined NSA toolkit. It is a variant of the WeCry exploit from February of this year and a patch has been available from Microsoft since mid-March.
  • Organizations with older equipment or legacy software often have a, “don’t fix what ain’t broke” culture of accepting risk because implementing a patch can be expensive and disruptive (trying to figure out why your 15 year-old patient scheduling system stopped working, for instance) and the potential real world impact outweighs the perceived risk.
  • The (allegedly) North Korea-linked team (the people behind the Sony hack, South Korean Banking attack, etc…) seeks to foment misery again.
  • The cure of installing up-to-date systems is perceived to be more expensive than compliance until the bill comes due — just ask the UK government as it reels under the revelations that the government-funded NHS deemed that using post-end-of-life (and hence unfixable) Windows XP machines.

The next question is: what are we doing about it? The answer for most large organizations is largely tactical – patch, update, scan, repeat. The strategic gaps induced by relying on individual organizations providing security for key services cannot be addressed by existing methods.

The institutional security risks highlighted again by WannaCry were mirrored in previous “wake up calls” such as the OPM hacks, Wikileaks — heck, just take your pick of Anthem/Blue Cross, the French election, etc… And these risks will only increase as vulnerable infrastructure increasingly underpins our daily lives. Our military is racing to understand and dominate the military aspects of the cyberspace domain. However, the seemingly endless policy churn around Cyber Command, Strategic Command, NSA, DHS etc. means that the lines of authority, funding and staffing cloud the likelihood of anyone actually taking charge and solving the problem.

We must get behind a strategic embrace of computer security or the Internet will keep breaking. It will take international public/private partnerships that we haven’t seen since the Marshall Plan.”

http://breakingdefense.com/2017/05/wannacry-worm-highlights-federal-industry-failures/