Running to catch up with threats
New technology can cause security headaches
Cybersecurity continues to dominate the IT concerns of federal agencies, and with a slew of new issues threatening to ratchet up the pressure even more, it’s doubtful those concerns will lessen in the foreseeable future. In that kind of environment, you take your pleasures where you can find them.
In March, the Department of Homeland Security’s U.S. Computer Emergency Readiness Team (US-CERT) reported just a 5 percent increase in the number of cyberattacks against federal websites and networks in 2011 compared to 2010, a major slowdown from the nearly 40 percent increase recorded for 2009 to 2010.
At the same time, the Office of Management and Budget, which released the annual report to Congress that contained the US-CERT figures, said agencies had substantially improved their ability to measure how well they were doing in staving off attacks. Some 78 percent of agencies were using continuous monitoring tools in 2011, compared with just 56 percent in 2010.
However, it should be noted that attacks on government sites and networks are still increasing. In 2006, only 5,503 incidents were reported. The total of 43,889 attacks in 2011 marks a six-year explosion of nearly 800 percent.
Outside government, the picture is hardly more comforting, though there are at least signs of a leveling-off. The combined number of attacks reported by federal, state and local governments and by commercial enterprises hardly increased in 2011, according to US-CERT.
What seems to be bothering people the most, however, is not the number of attacks but new technologies that agencies are taking up and that pose problems for security.
Agencies are under a mandate to move services to the cloud, for example, as a way of both saving money and making the delivery of those services more efficient. But there are still unresolved concerns over the security of cloud vendors.
Likewise, the uptake of mobile devices such as smart phones and tablet PCs is rapidly expanding in agencies, but keeping those devices secure is not proving as easy as it is for desktop and laptop computers. The situation is made even more difficult with the burgeoning trend of employees using their personal devices for work.
Some agencies have tried to assert policies forbidding such practices, but with budget pressures making it hard for agencies to provide their employees with new devices and the fact that employees tend to use them at work regardless, it seems to be a tide that can’t be turned.
“We recently ran a survey on security management and operations about what new technologies enterprises saw as affecting them most in the area of security and found that cloud was by far No. 1, with mobile devices second,” said Jon Oltsik, a senior principal analyst at Enterprise Strategy Group. “More than half of the respondents said mobile devices made security much more difficult than in the past.”
The other side of the security coin is what kind of attacks agencies need to defend against. It’s accepted that traditional attacks with known signatures can be well defended against with current firewall and intrusion-detection technologies, while deep packet inspection can take care of many viruses hidden in e-mail and other data.
What concerns most security professionals now is the kind of long-lived, sophisticated attacks that find their way into enterprise systems — through such things as targeted phishing attacks or other social engineering methods — and sit in those systems for weeks or months searching for valuable data. There is still no good way to defend against those advanced persistent threats.
And that concern has been punched up to an even higher level with the recent revelation of the Flame virus, reportedly a cousin to the Stuxnet virus that a couple of years ago was seen as the reason for large parts of the Iranian nuclear-enrichment infrastructure going down.
According to the New York Times and the Washington Post, Flame was jointly developed by the United States and Israel to collect intelligence prior to attempts at cyber sabotage intended to slow Iran’s nuclear weapons development.
Security professionals are worried that this could augur a new phase in cyber threats, one that could make it even harder to detect attacks. One Flame-based incursion, for example, employed phony Microsoft Windows digital certificates of the kind organizations rely on for updates and patches, unwittingly giving attackers access to system code.
This and similar types of attacks have moved many security professionals away from the idea that they can completely defend networks and systems and toward the belief that at least some attacks will succeed. The focus now is on risk management, defending the data itself and beefing up access methods.
The Obama administration more or less admitted this is the new approach earlier this year when recently departed White House Cybersecurity Coordinator Howard Schmidt published a short list of security controls that he said are the most cost-effective and efficient for agencies in tackling advanced adversaries in a resource-constrained environment. They are:
• Trusted Internet Connections: The initiative seeks to consolidate external telecommunications and ensure a set of baseline security capabilities for situational awareness and enhanced monitoring.
• Continuous monitoring of federal IT systems: This transforms a static control assessment and authorization process into a dynamic risk mitigation program that provides a near-real-time security status and remediation capability.
• Strong authentication: It’s obvious now that passwords alone provide little security, so the emphasis will be on embedding such things as personal identity verification and Common Access Cards deeper into the government security infrastructure to provide multifactor authentication, digital signature and encryption capabilities for user access to systems.
Some government organizations are already betting the future on this kind of approach. The Defense Department’s Joint Information Environment (JIE), which will replace the current Global Information Grid, will be built around such things as identity management and public-key infrastructure to securely deliver information to military users wherever and whenever they need it.
Information will be labeled in such a way that access to it will be afforded only to the user credentials that match the required roles and privileges of the person requesting access.
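The label-and-credential matching described above, together with the multifactor requirement from the strong-authentication priority, can be shown as a small policy check. The following is an added illustration, not DOD or JIE code; the sensitivity tiers, role names and the assumption that a PIV/CAC login counts as multifactor are all constructed for the example.

```python
"""Label-based access decision: a resource carries a label (sensitivity tier,
required roles, whether multifactor login is needed) and a credential carries
clearance, roles and authentication strength. Access is granted only when
every requirement on the label is satisfied by the credential.
Constructed example; tier and role names are invented, not an official scheme."""
from dataclasses import dataclass

# Ordered sensitivity tiers (hypothetical names).
LEVELS = {"unclassified": 0, "sensitive": 1, "restricted": 2}


@dataclass(frozen=True)
class Label:
    level: str                      # sensitivity tier, a key of LEVELS
    roles: frozenset                # every listed role is required
    multifactor_required: bool = False


@dataclass(frozen=True)
class Credential:
    subject: str
    clearance: str                  # highest tier the subject may read
    roles: frozenset                # roles bound to the credential
    multifactor: bool               # e.g. PIV/CAC smart card + PIN (assumption)


def decide(cred, label):
    """Return (allowed, reason).

    Every condition must hold; the first failing condition is named so a
    denial can be written to an audit trail and investigated."""
    if label.level not in LEVELS or cred.clearance not in LEVELS:
        return False, "unknown sensitivity level"
    if LEVELS[cred.clearance] < LEVELS[label.level]:
        return False, "clearance below label level"
    missing = label.roles - cred.roles
    if missing:
        return False, "missing roles: " + ", ".join(sorted(missing))
    if label.multifactor_required and not cred.multifactor:
        return False, "multifactor authentication required"
    return True, "ok"


def audit_line(cred, label, resource):
    """One log record per decision, so monitoring can see denials as they occur."""
    allowed, reason = decide(cred, label)
    verdict = "ALLOW" if allowed else "DENY"
    return f"{verdict} subject={cred.subject} resource={resource} reason={reason}"


# Constructed sample data: one labeled resource and three requesters.
SUPPLY_PLAN = Label("sensitive", frozenset({"logistics"}), multifactor_required=True)
REQUESTERS = [
    Credential("alice", "restricted", frozenset({"logistics", "planner"}), True),
    Credential("bob", "sensitive", frozenset({"logistics"}), False),   # password only
    Credential("carol", "sensitive", frozenset({"finance"}), True),    # wrong role
]


def evaluate_all():
    """Return the audit lines for every requester against SUPPLY_PLAN."""
    return [audit_line(c, SUPPLY_PLAN, "supply-plan") for c in REQUESTERS]


if __name__ == "__main__":
    for line in evaluate_all():
        print(line)
```

The check is deny-by-default: a credential that is missing a role, logged in without the multifactor credential the label demands, or cleared below the label's tier is refused with the specific reason, which is what a continuous-monitoring feed would want to see.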
“It’s about protecting the JIE at the outer edges all the way down to the user and also figuring out what the user weaknesses are so we can remedy those,” said Robert Carey, DOD’s deputy CIO. “Security is all about risk management, and clearly there are things we can do in this new architecture that will raise the bar and make it more difficult for enemies to get access to our data.”
In announcing the three priority areas for federal cybersecurity, Schmidt acknowledged that many departments and agencies have been working on these areas for several years and that there had been a lot of progress. By focusing on those three priorities, he said, the plan is to push their adoption past the tipping point for the whole government.
“The goal is that by the end of 2014, federal departments and agencies will achieve 95 percent utilization of critical administration capabilities on federal information systems,” specifically including all three of the priority control areas, he said.