
DHS mandates new security standards for federal networks


The Department of Homeland Security is requiring agencies to adopt email and web security measures that address man-in-the-middle attacks.

A binding operational directive from DHS gives federal agencies 90 days to deploy two mechanisms, Domain-based Message Authentication, Reporting and Conformance (DMARC) and STARTTLS. DMARC is an email authentication policy, published in DNS, that tells receiving mail servers how to treat messages that fail authentication for an agency's domains and sends the domain owner reports on where forged messages originated. STARTTLS lets mail servers negotiate encryption for email in transit. Because the offer is made in cleartext and encryption is optional, it protects against passive eavesdropping on mail in transit but not against an active man-in-the-middle who strips the offer.

The directive also requires agencies to move all publicly accessible federal websites to HTTPS-only connections with HTTP Strict Transport Security (HSTS) within 120 days. Doing so would close a large share of the security flaws found across federal government websites.
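The three requirements above are exactly what a compliance scan looks for. The script below is an added example, not code from FCW, DHS or the directive itself: offline versions of the checks, run over constructed inputs (a DMARC TXT record, an SMTP EHLO reply and an HTTPS response header set) so it needs no network access. The two DMARC milestones it grades against (p=none plus a report address first, p=quarantine or p=reject later) are taken from the directive's own text, which this article does not quote; the one-year HSTS lifetime used as the "strong" threshold is an assumption of the example, borrowed from the HSTS preload requirement, not a figure from the article.

```python
"""Offline checks matching the directive's email and web requirements.

Added example; inputs are constructed. Parsing follows the public specs:
RFC 7489 (DMARC), RFC 3207 (SMTP STARTTLS), RFC 6797 (HSTS).
"""
import re

# HSTS lifetime graded as "strong". One year is what the HSTS preload list
# requires; it is an assumption of this example, not a value from the article.
ONE_YEAR = 365 * 24 * 3600


def parse_dmarc(txt: str) -> dict:
    """Split a DMARC TXT record into its tag=value pairs, keys lower-cased."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("record does not carry v=DMARC1")
    return tags


def dmarc_status(txt: str) -> str:
    """Grade a record against the directive's two DMARC milestones.

    'enforcing'    p=quarantine or p=reject (the later target).
    'reporting'    p=none plus a report address (rua or ruf), the first minimum.
    'noncompliant' anything else, including an unparseable record.
    """
    try:
        tags = parse_dmarc(txt)
    except ValueError:
        return "noncompliant"
    policy = tags.get("p", "").lower()
    has_reports = any(tags.get(t, "").lower().startswith("mailto:") for t in ("rua", "ruf"))
    if policy in ("quarantine", "reject"):
        return "enforcing"
    if policy == "none" and has_reports:
        return "reporting"
    return "noncompliant"


def offers_starttls(ehlo_reply: str) -> bool:
    """True if a multi-line SMTP EHLO reply advertises STARTTLS.

    Only the advertisement is checked. An active attacker can still strip it
    from the cleartext reply, which is why STARTTLS on its own only defeats
    passive interception.
    """
    for line in ehlo_reply.splitlines():
        m = re.match(r"^250[ -]([A-Za-z0-9-]+)", line.strip())
        if m and m.group(1).upper() == "STARTTLS":
            return True
    return False


def hsts_status(headers: dict) -> str:
    """Grade a Strict-Transport-Security header.

    'strong'  max-age >= ONE_YEAR
    'weak'    header present with a shorter lifetime (max-age=0 clears the policy)
    'missing' no header, or no parseable max-age
    """
    value = next((v for k, v in headers.items() if k.lower() == "strict-transport-security"), None)
    if value is None:
        return "missing"
    max_age = None
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        if name.strip().lower() == "max-age":
            val = val.strip().strip('"')
            if not val.isdigit():
                return "missing"
            max_age = int(val)
    if max_age is None:
        return "missing"
    return "strong" if max_age >= ONE_YEAR else "weak"


# Constructed observations for one fictional agency domain.
SAMPLE = {
    "dmarc_txt": "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.gov",
    "ehlo_reply": "250-mail.example.gov\r\n250-SIZE 52428800\r\n250-STARTTLS\r\n250 HELP\r\n",
    "https_headers": {"Strict-Transport-Security": "max-age=300; includeSubDomains"},
}


def assess(obs: dict) -> dict:
    """Run all three checks over one domain's observations."""
    return {
        "dmarc": dmarc_status(obs["dmarc_txt"]),
        "starttls": "offered" if offers_starttls(obs["ehlo_reply"]) else "absent",
        "hsts": hsts_status(obs["https_headers"]),
    }


if __name__ == "__main__":
    for check, result in assess(SAMPLE).items():
        print(f"{check:9s} {result}")
```

For the sample domain the result is a DMARC record at the reporting stage, STARTTLS offered, and an HSTS policy that is present but too short-lived to be worth much; a real scan would gather the same three observations from DNS, port 25 and port 443 respectively.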

"According to DHS's Cyber Hygiene scanning data, seven of the ten most common vulnerabilities seen across federal agency networks at the issuance of this directive would be addressed through complying with the required actions in this directive related to web security," wrote Acting DHS Secretary Elaine Duke in a memo to Office of Management and Budget Director Mick Mulvaney.

The directive landed the same day as a serious flaw in WPA2, the protocol used to secure Wi-Fi networks, was publicized. DHS's United States Computer Emergency Readiness Team (US-CERT) shared news of a security bug that may leave nearly every Wi-Fi-enabled device open to man-in-the-middle attacks.

The vulnerability potentially allows attackers to read information that was sent encrypted over wireless networks, such as credit card numbers, passwords, cookies, chat messages, emails, photos and other data, according to a website set up by the researchers who discovered the flaw, Mathy Vanhoef and Frank Piessens of the Belgian university KU Leuven.

The attack "works against all modern protected Wi-Fi networks," wrote the researchers, who dubbed the flaw KRACK, for Key Reinstallation Attacks.

To exploit the vulnerability, an attacker must be in close physical proximity, within radio range of both the access point and the victim, so as to intercept and replay messages of the WPA2 handshake and trick the victim's device (not the user) into reinstalling a key that is already in use. Reinstalling the key resets the packet counter that the cipher uses as its nonce, so the same keystream is reused for new traffic.

"With a little cleverness, this can lead to full decryption of traffic streams," Matthew Green, cryptographer and professor at Johns Hopkins University, wrote on his cryptography blog.
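Why reinstalling a key that is already in use leads to decryption, as an added example that is not code from the page, from FCW or from the KRACK researchers. WPA2's CCMP encrypts frames with AES in counter mode, keyed by the session key and a per-frame packet number that acts as the nonce; that number must never repeat under one key. The toy below stands in an HMAC-SHA256 counter-mode keystream for AES-CTR so it runs on the standard library alone; the XOR structure the attack relies on is the same. It is not a Wi-Fi implementation and not a KRACK exploit, and the two frame contents are constructed.

```python
"""Why a reinstalled key is fatal to a counter-mode cipher.

Added example. HMAC-SHA256 in counter mode stands in for CCMP's AES-CTR;
everything else (XOR, nonce reset on key install) is what the attack needs.
"""
import hashlib
import hmac

# Constructed traffic: the first frame's content is assumed known to the
# attacker (protocol headers often are); the second is what they are after.
P_KNOWN = b"HELLO FROM CLIENT 0001"
P_SECRET = b"PASSWORD=hunter2 token"


def keystream(key: bytes, nonce: int, length: int) -> bytes:
    """Counter-mode keystream: block i = HMAC-SHA256(key, nonce || i).

    The nonce is packed into 6 bytes, mirroring CCMP's 48-bit packet number.
    """
    out = bytearray()
    block = 0
    while len(out) < length:
        msg = nonce.to_bytes(6, "big") + block.to_bytes(4, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, nonce: int, plaintext: bytes) -> bytes:
    return xor(plaintext, keystream(key, nonce, len(plaintext)))


class Client:
    """Unpatched behaviour: every key install, even of the same key, resets the packet number."""

    def __init__(self, key: bytes) -> None:
        self.key = b""
        self.pn = 0
        self.install(key)

    def install(self, key: bytes) -> None:
        self.key = key
        self.pn = 0  # the reset that key reinstallation exploits

    def send(self, plaintext: bytes) -> bytes:
        frame = encrypt(self.key, self.pn, plaintext)
        self.pn += 1
        return frame


class PatchedClient(Client):
    """The fix shipped in patched clients: ignore an install of the key already in use."""

    def install(self, key: bytes) -> None:
        if key == self.key:
            return  # keep the current packet number, so no nonce is reused
        super().install(key)


def recover_with_known_plaintext(c_known: bytes, p_known: bytes, c_target: bytes) -> bytes:
    """Two frames under one key and nonce satisfy c1 ^ c2 = p1 ^ p2, so known p1 yields p2."""
    return xor(xor(c_known, c_target), p_known)


def demo(client_cls=Client) -> dict:
    """Send a frame, make the client reinstall its key, send another, and see what leaks."""
    key = hashlib.sha256(b"constructed demo session key").digest()
    client = client_cls(key)
    c_first = client.send(P_KNOWN)   # packet number 0
    c_fresh = client.send(P_SECRET)  # packet number 1: fresh keystream
    client.install(key)              # replayed handshake message: same key installed again
    c_after = client.send(P_SECRET)  # unpatched client: packet number 0 again
    return {
        "fresh_nonce_leaks": xor(c_first, c_fresh) == xor(P_KNOWN, P_SECRET),
        "reused_nonce_leaks": xor(c_first, c_after) == xor(P_KNOWN, P_SECRET),
        "recovered": recover_with_known_plaintext(c_first, P_KNOWN, c_after),
    }


if __name__ == "__main__":
    for name, cls in (("unpatched", Client), ("patched", PatchedClient)):
        r = demo(cls)
        print(f"{name}: reused-nonce leak={r['reused_nonce_leaks']}, recovered={r['recovered']!r}")
```

With the unpatched client the XOR of the two frames equals the XOR of their plaintexts and the known first frame hands over the second; with the patched client the reinstall is ignored, the packet number keeps counting, and the same two frames reveal nothing.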

Because the vulnerability exists at the protocol level, it affects most if not all personal and enterprise wireless networks. Certain clients, such as Android 6.0 and later and Linux systems running recent versions of wpa_supplicant, are particularly vulnerable because the flaw can make them install an all-zero encryption key.

In a statement, the Wi-Fi Alliance, a nonprofit industry organization that promotes standards and best practices for the technology, said there is no evidence yet that the vulnerability has been exploited, and that the problem can largely be fixed through straightforward software updates from platform providers.

About the Author

Derek B. Johnson is a former senior staff writer at FCW.
