Cybersecurity executives: 'Wannacrypt' ransomware attack a wake-up call for industry, government leaders
By Steve Bittenbender
Editor, Government Security News
The ransomware attack that plagued the globe on Friday must serve as a “wake-up call” to both industry and government leaders that the time for urgent action is now. That’s how one of Microsoft’s top executives reacted to the “WannaCrypt” attack that targeted computer systems in various industries worldwide, including healthcare and government systems.
“WannaCrypt,” also dubbed “WannaCry,” was a ransomware attack that paralyzed hospitals in Great Britain and even FedEx in the United States, although the attack seemed to focus mainly on Russian servers, based on information provided by Kaspersky Lab. A ransomware attack is where a hacker encrypts files and threatens to destroy the data if the ransom – in the case of “WannaCrypt,” it was at least $300 in Bitcoin – is not paid within a certain time.
In a Sunday blog post on Microsoft’s Web site, company President and Chief Legal Officer Brad Smith said the hackers used material stolen from the National Security Agency to perpetrate the attack. The NSA breach had been previously reported, and, in March, Microsoft released a patch to its users to protect them from an attack. While some users updated their systems, others did not, and they were the ones scrambling on Friday.
The ransomware attack “demonstrates the degree to which cybersecurity has become a shared responsibility between tech companies and customers,” Smith said. “The fact that so many computers remained vulnerable two months after the release of a patch illustrates this aspect. As cybercriminals become more sophisticated, there is simply no way for customers to protect themselves against threats unless they update their systems. Otherwise they’re literally fighting the problems of the present with tools from the past.”
Dan Matthews, a sales engineer with Lastline, said network managers had another option to prevent the attack if they were not able to get the patch installed in time.
He, like other experts, said the ransomware attack served as an important reminder of being proactive in managing cybersecurity risks.
“In practice things are often more complicated and there are legitimate reasons for needing more time to implement a patch,” Matthews said. “Organizations who are unable to deploy Microsoft's (or other software vendors’) critical patches in a timely manner can instead implement advanced email and network protections that are capable of detecting ransomware and preventing the delivery of these payloads to unpatched computers.”
Ofer Israeli, CEO and founder of Illusive Networks, said he expects hackers will continue to use the stolen NSA material for other attacks.
“In this case, we are seeing an opportunistic ransomware operation, but we can expect the exploit is already being used for surgical targeted attacks, the outcome of which will only be revealed in a few months, due to the time it takes to execute a sophisticated targeted attack,” he said.
Brian Lord, OBE, managing director for British-based PGI Cyber, said the attacks were “always inevitable.”
Lord also echoed Smith’s comments on this being a wake-up call.
“While organizations are distracted by high profile dramatized threats, such as Russian election hacking, they are neglecting basic cyber hygiene measures which can prevent the mass effectiveness of mass ransomware attacks like this,” said Lord, the former deputy director for intelligence and cyber operations at Britain’s Government Communications Headquarters.
Smith added that it’s time government leaders revisit their cybersecurity policies, as attacks like “WannaCrypt” are becoming an emerging problem this year. He equated the NSA losing its code to the military having a few Tomahawk missiles taken.
“This is one reason we called in February for a new ‘Digital Geneva Convention’ to govern these issues, including a new requirement for governments to report vulnerabilities to vendors, rather than stockpile, sell, or exploit them,” Smith said. “And it’s why we’ve pledged our support for defending every customer everywhere in the face of cyberattacks, regardless of their nationality.”
LANCASTER, PA Ross Technology, a global leader in architectural security products, has been awarded the Government Provided Equipment (GPE) contract by the U.S. Department of State to supply Forced-Entry/Ballistic Resistant (FE/BR) windows and doors. The award contract is for one year, with four optional years to follow.
Ross has been the incumbent GPE contract holder for FE/BR windows since 2005, and throughout that time has provided products to over 50 embassies and consulates.
In addition to supplying FE/BR windows, Ross has now been trusted to provide FE/BR doors as part of the new government contract.
Mark Heberlein, Ross Technology’s Architectural Security Product Manager, recognizes the magnitude of the GPE Award. “We’ve worked very hard to provide the highest quality products and service to the Department of State over the past 12 years. It speaks volumes that, in addition to awarding us the window contract again, they’ve entrusted us to fulfill the requirement for the doors as well.”
Ross manufactures FE/BR windows and doors tested to the U.S. Department of State threat mitigation standards. For a full list of available products and more information about the products Ross will supply as part of this contract, please view our webpage.
By Steve Bittenbender
Editor, Government Security News
President Donald Trump on Thursday signed a long-anticipated executive order calling for the federal government to ramp up its cybersecurity measures.
And once the announcement was made, it didn’t take long for cybersecurity experts to chime in with their analysis of the order, which among many things calls on federal agencies to maintain and modernize their information technology infrastructure so threats can be detected more easily and networks are more resilient.
“The executive branch has for too long accepted antiquated and difficult-to-defend IT,” Trump’s order read.
James Carder, the chief information security officer for LogRhythm, said the executive order encompasses many of the recommendations his firm makes to its clients. In particular, Carder, who has nearly 20 years of experience in IT security consulting, said he was pleased that Trump’s directive includes language for funding the improvements and holding officials responsible.
“It’s about time the government and critical infrastructure organizations take cybersecurity seriously,” he said. “Protecting these assets is imperative to protecting the American people and our way of life.”
The Department of Homeland Security has already started some of the groundwork Trump laid out in the order. Three months ago, the agency awarded a contract to Bastille to survey critical infrastructure for both public and private sectors for vulnerabilities from radio-based attacks.
“As so many administrative and process control systems use radio rather than hardwired connections, it is essential that every facility be aware of what's happening in its airspace as well as on its wired networks,” Bastille CEO Chris Risley said.
Cybersecurity has become a growing concern for American officials as the number of attacks has grown exponentially in recent years. Hackers have targeted such companies as Home Depot and Target as well as federal agencies, including the Office of Personnel Management. The attacks on OPM exposed personal information for more than 21.5 million current and former federal workers and contractors.
Michael Patterson, the CEO of security analytics firm Plixer, noted the OPM breach when he said he thought the order should have included a mandate for agencies to have forensic incident response systems in place that can quickly remedy the situation.
“With the amount of attacks that Government Agencies incur every day, it is not a matter of if, but when hackers will be successful,” Patterson said. “The key is to be alerted and respond as quickly as possible.”
The executive order did not just focus on attacks that compromised personally identifiable information. Trump also called for DHS Secretary John Kelly and Energy Secretary Rick Perry to consult with state and local officials to assess the threats cyberattacks pose to the country’s power supply.
That assessment is due within 90 days, according to the order.
Edgard Capdevielle said he was encouraged to see the country’s electricity infrastructure mentioned specifically in the order. He added that technology is available to help the utility companies become more resilient.
“Innovations such as machine learning and artificial intelligence enable real-time monitoring and anomaly detection that offer critical infrastructure operators better tools to manage cyber risk and minimize disruptions,” said Capdevielle, the CEO of Nozomi Networks. The Swiss-based company provides real-time cybersecurity solutions for major industrial complexes.
Cybersecurity experts have called on government officials to be more willing to share information about the attacks their agencies have endured. In the order, Trump calls for agencies not only to share information with other agencies but also with the country’s allies.
Travis Farral, the director of security strategy for Anomali, called the order a “solid step” forward in bolstering the country’s security. Anomali is a California-based company that helps clients discover and respond to threats.
“When an organization, including the federal government, operates largely in silos, they miss out on a valuable force multiplier by leveraging resources from other agencies through sharing intelligence and other crucial information,” he said. “Threat intelligence sharing should serve as the backbone of a strong cybersecurity program, and with more robust cyber threat information sharing protocols in place, U.S. government agencies can better leverage resources to defend against cyberattacks.”
MCLEAN, VA May 10, 2017 The U.S. Department of Treasury has selected BAE Systems to support the agency’s Office of Terrorism and Financial Intelligence (TFI) in safeguarding the country’s financial system against threats posed by rogue nations, terrorist facilitators, drug cartels, and other national security threats.
BAE Systems is among a group of federally-approved contractors that will have the opportunity to compete for future task order contracts to assist TFI in researching, analyzing, and documenting complex financial, trade, and other business activities in support of federal investigations and prosecutions. The maximum lifecycle value of all task orders to be awarded under the contract is estimated at $135 million. This work plays a critical role in investigating violations and enforcing the sanctions programs administered by the Department of Treasury.
“Our financial crimes experts work alongside the government to investigate and track down illicit finance suspects at home and overseas,” said Mark Keeler, acting president of BAE Systems’ Intelligence & Security sector. “We have a deep understanding of the revenue streams and financial tactics used by terrorist networks and criminal organizations, which pose threats to our national security and could compromise international financial stability.”
In addition to offering expert threat finance intelligence analysis and mission support, BAE Systems works closely with commercial financial institutions across the globe to build and refine defense-grade anti-money laundering technologies. The company’s NetReveal suite of solutions is trusted and used by major global banks, insurers, government departments, and law enforcement agencies around the world to prevent and detect fraud and financial crimes in real time, thwarting criminal threats and minimizing customer risk.
BAE Systems provides intelligence and security services to manage big data, inform big decisions, and support big missions. BAE Systems delivers a broad range of solutions and services including intelligence analysis, cyber operations, IT, systems development, systems integration, and operations and maintenance to enable militaries and governments to recognize, manage, and defeat threats. The company takes pride in supporting critical national security missions that protect the nation and those who serve.
NEW YORK May 8, 2017 New research reveals that cyberattacks on the government sector doubled in 2016, hiking to 14 percent from seven percent of all cybersecurity attacks in 2015. Attacks on the finance sector also rose dramatically from just three percent in 2015 to 14 percent of all attacks in 2016.
The manufacturing sector came in at third place at 13 percent, while the retail sector, which topped the list of all cybersecurity attacks on all sectors in 2015 moved down into fourth place (11 percent).
This is according to Dimension Data’s Executive’s Guide to the NTT Security 2017 Global Threat Intelligence Report, which was compiled from data collected by NTT Security and other NTT operating companies including Dimension Data, from the networks of 10,000 clients across five continents, 3.5 trillion security logs, 6.2 billion attempted attacks, and global honeypots and sandboxes located in over 100 different countries.
The report pinpoints several global geo-political events which could have contributed to the government sector being a cybersecurity attack target. These include:
- the U.S. presidential election campaign
- a new U.S. administration with a more aggressive stance toward China and North Korea
- China adopting a more aggressive policy stance in securing its vital ‘core interests’
- U.S. and European Union-led economic sanctions against Russia
- Russian state-sponsored actors continuing cyber operations against Western targets
- growing negative sentiment in the Middle East against the West’s aggression towards Syria
Matthew Gyde, Dimension Data’s Group Executive – Security said, “Governments all over the world are constantly under the threat of sophisticated attacks launched by rival nation-states, terrorist groups, hacktivists and cybercriminals. That’s because government agencies hold vast amounts of sensitive information – from personnel records, budgetary data and sensitive communications to intelligence findings. What’s interesting is that this year we saw numerous incidents involving insider threats.”
Commenting on the financial services industry, Gyde said the ongoing attacks in that sector are no surprise. “These organizations have large amounts of digital assets and sensitive customer data. Gaining access to them enables cybercriminals to monetize personally identifiable information and credit card data in the underground economy.”
Other highlights in the report are:
- Sixty-three percent of all cyberattacks originated from IP addresses in the U.S., followed by the U.K. (four percent), and China (three percent). The U.S. is the predominant location of cloud-hosted infrastructure globally. Threat actors often utilize public cloud to orchestrate attacks due to the low cost and stability of this infrastructure.
- The Internet of Things (IoT) and operational technology (OT) devices must be considered as both a potential source and target of attack. Of the IoT attacks detected in 2016, some 66 percent were attempting to discover specific devices such as a particular model of video camera, three percent were seeking a web server or other type of server, while two percent were attempting to attack a database.
- The top cybersecurity threats facing digital businesses are phishing, social engineering and ransomware; business email compromise; IoT and distributed-denial-of-service (DDoS) attacks; and attacks targeting end-users.
About Dimension Data
Founded in 1983, Dimension Data plc is an ICT services and solutions provider that uses its technology expertise, global service delivery capability and entrepreneurial spirit to accelerate the business ambitions of its clients. Dimension Data is a member of the NTT Group. Visit us at http://www.dimensiondata.com/en-US, like us on www.facebook.com/DimensionDataAmericas or follow us @DimensionDataAM.
WASHINGTON May 9, 2017 According to the Center for Cyber Safety and Education™ Global Information Security Workforce Study (GISWS), sponsored by (ISC)²®, Booz Allen Hamilton and Alta Associates, federal agencies need to invest strategically and heavily in their benefits strategy if they're going to successfully compete for cybersecurity talent. U.S. federal data from the study was released today during a panel discussion of experts at the (ISC)² CyberSecureGov training event in D.C., which included Dan Waddell, (ISC)² managing director, North America, Rodney J. Petersen, director of National Initiative for Cybersecurity Education, NIST, and Ron Sanders, senior executive advisor and fellow at Booz Allen Hamilton.
One of the largest studies of the information security profession ever conducted, the survey of over 19,600 information security professionals included responses from 2,620 U.S. Department of Defense, federal civilian and federal contractor employees. When asked to rate the importance of factors needed to effectively secure an organization's infrastructure, the majority (87 percent) of federal respondents placed the hiring and retaining of qualified information security professionals at the top of the list. To effectively retain existing information security professionals and attract new hires, federal respondents indicated that offering training programs, paying for professional cybersecurity certifications, boosting compensation and providing more flexible and remote work schedules and opportunities were the most important initiatives.
"It's crystal clear that the government must enhance its benefits offering to attract future hires and retain existing personnel given its fierce competition with the private sector for skilled workers and the unprecedented demand; unfortunately, the layers of complexity involved in fulfilling that goal are significant," said Waddell. "Thanks to the record-number of federal GISWS respondents this year, we now have substantial data that will support actionable take-aways and help move agencies closer to achieving that goal."
Key takeaways for federal agencies looking to attract and retain information security professionals include:
- In competing with the private sector for skilled professionals, hiring women and those from underrepresented groups should be a key component of the government's talent acquisition strategy given that 70 percent say their organization offers a program that encourages diverse hiring in information security, compared to just 55 percent in the private sector.
- Government agencies will need to increase annual salaries of information security personnel by approx. $7,000 in order to equal the annual salaries of their private sector counterparts.
- The NIST Cybersecurity Workforce Framework should be established as the foundation for workforce policy moving forward, as its effectiveness is being demonstrated by its early adoption by a considerable number of federal government agencies.
- Cloud remains the area in highest demand for training and education. As more government agencies move their data to the cloud, they must consider training initiatives to help ensure that staff across multiple roles and departments is aware of the security risks and benefits.
- There is an ongoing need for front-line experience within the federal cybersecurity workforce, with the greatest demand being at the non-managerial staff level.
- Professionalization of the workforce through certification remains strong, as 73 percent of federal agencies require their IT staff members to hold information security certifications.
"The mission of government cybersecurity professionals is critically important," said Sanders. "In today's environment where cyber talent is scarce, organizations must recruit and train untapped talent pools, focusing on women, minorities, veterans and older workers. And while it can be difficult for government agencies to compete on salary alone when vying for these cyber warriors, they can appeal to a recruit's sense of mission and purpose, tout the cutting-edge work being done and highlight opportunities for advancement."
For a complete set of U.S. federal findings from the 2017 GISWS, go to: www.IAmCyberSafe.org/GISWS
(ISC)² is an international nonprofit membership association focused on inspiring a safe and secure cyber world. Best known for the acclaimed Certified Information Systems Security Professional (CISSP®) certification, (ISC)² offers a portfolio of credentials that are part of a holistic, programmatic approach to security. Our membership, over 123,000 strong, is made up of certified cyber, information, software and infrastructure security professionals who are making a difference and helping to advance the industry. Our vision is supported by our commitment to educate and reach the general public through our charitable foundation – The Center for Cyber Safety and Education™. For more information on (ISC)², visit www.isc2.org, follow us on Twitter or connect with us on Facebook.
© 2017 (ISC)² Inc. (ISC)², CISSP, SSCP, CCSP, CAP, CSSLP, HCISPP, CCFP, ISSAP, ISSEP, ISSMP and CBK are registered marks of (ISC)², Inc.
About the Center for Cyber Safety and Education
The Center for Cyber Safety and Education (Center), formerly (ISC)² Foundation, is a nonprofit charitable trust committed to making the cyber world a safer place for everyone. The Center works to ensure that people across the globe have a positive and safe experience online through their educational programs, scholarships and research. Visit www.IAmCyberSafe.org.
About Booz Allen Hamilton
Booz Allen Hamilton (NYSE: BAH) has been at the forefront of strategy and technology for more than 100 years. Today, the firm provides management and technology consulting and engineering services to leading Fortune 500 corporations, governments, and not-for-profits across the globe. Booz Allen partners with public and private sector clients to solve their most difficult challenges through a combination of consulting, analytics, mission operations, technology, systems delivery, cybersecurity, engineering, and innovation expertise.
With international headquarters in McLean, Virginia, the firm employs more than 23,000 people globally, and had revenue of $5.41 billion for the 12 months ended March 31, 2016. To learn more, visit BoozAllen.com.
By Steve Bittenbender
Editor, Government Security News
President Donald Trump spent part of Wednesday morning using social media to defend his decision a day earlier to fire James Comey as the director of the Federal Bureau of Investigation.
“James Comey will be replaced by someone who will do a far better job, bringing back the spirit and prestige of the FBI,” the President posted as part of a series of messages on his Twitter account. “Comey lost the confidence of almost everyone in Washington, Republican and Democrat alike. When things calm down, they will be thanking me!”
It may take some time for things to calm down as news of the embattled director’s ouster caught most of Washington by surprise. Comey had drawn criticism from lawmakers for his handling of investigations related to last year’s presidential election.
Many Democrats believed Comey’s decision to reopen the case against Hillary Clinton late in the campaign opened the door just wide enough for Trump to win the election. Just last week, Comey testified before a Senate committee that it made him “mildly nauseous” that his decision may have impacted the race.
However, Democratic leaders questioned why the President chose to dismiss Comey, who still had more than half of his 10-year term left to serve.
"Director Comey's dismissal is extremely troubling,” Rep. Joe Crowley, the chairman of the House Democratic Caucus, said in a statement Tuesday evening. “President Trump fired the man investigating him and his cohorts. I strongly support calls for the appointment of a special prosecutor.”
The news even surprised many Republican lawmakers.
“I've spent the last several hours trying to find an acceptable rationale for the timing of Comey's firing,” Sen. Jeff Flake of Arizona posted on his Twitter account. “I just can't do it.”
Trump’s decision came hours after it was revealed that the FBI had sent a letter to the Senate Judiciary Committee correcting some of the testimony Comey gave in regards to the Clinton investigation. He relieved Comey after receiving a recommendation from Attorney General Jeff Sessions.
Sessions, in his memo to Trump, cited that the FBI director needs to “be someone who follows faithfully the rules and principles of the Department of Justice and who sets the right example for our law enforcement officials.” Rod Rosenstein, Sessions’ deputy attorney general, said in a letter to his boss that Comey’s mishandling of the Clinton investigation provided ample justification for his ouster.
“As a result, the FBI is unlikely to regain public and congressional trust until it has a Director who understands the gravity of the mistakes and pledges never to repeat them,” Rosenstein wrote. “Having refused to admit his errors, the Director cannot be expected to implement the necessary corrective actions.”
In addition to investigating the Clinton campaign, the FBI also has been checking Trump’s campaign and its alleged ties to Russian officials suspected of interfering with the presidential election. CNN reported Tuesday night that a federal grand jury issued subpoenas for associates of former National Security Advisor Michael Flynn.
Flynn resigned less than a month after Trump took office for failing to disclose meetings with Russian officials.
In his letter to Comey, Trump said that the now-former FBI director stated repeatedly that the President himself was not under investigation. However, the firing may lead to lawmakers setting up their own review.
“My staff and I are reviewing legislation to establish an independent commission on Russia,” tweeted Rep. Justin Amash, a Republican member of the House Committee on Oversight and Government Reform and its subcommittee on national security.
However, at least one senator believes Trump's decision won't affect the bureau's own investigation into the matter.
“Any suggestion that today’s announcement is somehow an effort to stop the FBI's investigation of Russia’s attempt to influence the election last fall is misplaced," said Maine Republican Sen. Susan Collins, who added that Comey's handling of the Clinton case made his ouster inevitable. "The President did not fire the entire FBI; he fired the director. I have every confidence that the FBI will continue to pursue its investigation. In addition, I am certain that the Senate Intelligence Committee, on which I serve, will continue its own bipartisan investigation and will follow the evidence wherever it leads."
WASHINGTON May 3, 2017 The American Federation of Government Employees strongly supports the reintroduction of a bill granting Title 5 rights to TSA Officers from Representatives Bennie Thompson of Mississippi and Nita Lowey of New York. Introduced last year as The Rights for Transportation Security Officers Act, this year’s bill finally grants transportation security officers (TSOs) the same workplace rights as all federal employees, including their colleagues in the Department of Homeland Security.
“Implementing basic worker protections for those charged with protecting our skies is a necessary step to increase security and improve workforce morale. TSA’s current personnel system has not served the agency well and lacks the means to attract and retain a strong workforce,” said Rep. Thompson. “This legislation we introduced today will ensure TSA’s personnel and labor management systems are brought in line with the rest of the federal government under Title 5. I hope my colleagues will agree that these frontline security workers should receive the rights and benefits they earned.”
“More than 42,000 Transportation Security Officers who serve on the front lines of aviation security at airports across the United States are denied worker rights and protections, including full collective bargaining, the right to a fair grievance and arbitration system, and statutory civil rights protections. Transportation Security Officers should be treated like their fellow employees across the Federal government. Our bill would grant TSOs these rights, enhancing America’s security by retaining experienced and dedicated officers with improved workforce morale. To truly provide comprehensive transportation security, we must take care of those who take care of us,” said Rep. Lowey.
The new legislation would put TSOs on the General Schedule pay scale and provide them with much needed statutory worker protections like the Family and Medical Leave Act and the Fair Labor Standards Act. Being recognized as equal counterparts to their fellow federal employees would greatly improve workplace conditions and boost morale – which fell to an all-time low last year – at the agency.
“Thank you to Representatives Thompson and Lowey for once again recognizing how important it is to offer fair treatment to the men and women who risk their lives guarding our airports every day,” said AFGE TSA Council President Hydrick Thomas. “Last year our TSA Officers stopped a record number of firearms, dealt with a massive influx in passenger volume while being understaffed, and once again kept our flying public safe – all while being treated like second class citizens in their workplace. Being offered fair pay, workplace protections, the right to appeal adverse decisions to a third party, and full collective bargaining rights are long overdue and will help boost morale for the working people who safeguard our skies,” he added.
“Last year our TSA Officers were faced with a nearly insurmountable task, but they rose to the occasion and got the American travelling public to where they needed to be,” said AFGE National President J. David Cox Sr., adding, “We are thrilled that Representatives Thompson and Lowey have once again introduced legislation that will finally offer our officers the same rights and protections as the rest of the federal workforce. TSA Officers have safeguarded our airports for 16 years, and have done an admirable job. Equal treatment by the federal government is desperately needed and very appreciated by the men and women who make sure you can fly without fear.”
AFGE urges Congress to pass the Rights for Transportation Security Officers Act to recognize the daily sacrifices TSA Officers make to protect the flying public.
The American Federation of Government Employees (AFGE) is the largest federal employee union, representing 700,000 workers in the federal government and the government of the District of Columbia.
WASHINGTON May 2, 2017 The Department of Homeland Security (DHS) Science and Technology Directorate (S&T) has awarded $9.7 million to 12 small businesses for 13 Phase II contracts through the Small Business Innovation Research (SBIR) program.
Each Phase II award contract received approximately $750,000 to develop a prototype based on the feasibility of the technologies demonstrated in the Phase I effort, which were completed in November 2016.
“Small businesses play a key role in developing effective and innovative solutions to pressing homeland security challenges,” said DHS Under Secretary for Science and Technology (Acting) Dr. Robert Griffin. “The SBIR program enables us to capture some of the best scientific thinking to find solutions to apply in the current threat landscape.”
The Phase II contracts were awarded to:
• BlockCypher (Redwood City, CA), Blockchain Platform for Multiple Blockchains, Applications, and Analytics
• BlueRISC Inc. (Amherst, MA), Cyber Attack Prediction for Situational Understanding and Preemptive Cyber Defense
• Card Smart Technologies (Basking Ridge, NJ), Composite Identity for High Assurance Remote Identity Proofing
• Digital Bazaar (Blacksburg, VA), Verifiable Claims and Fit-for-Purpose Decentralized Ledgers
• Evernym Inc. (Herriman, UT), Decentralized Key Management using Blockchain
• Evigia Systems, Inc. (Ann Arbor, MI), Wide-Area Flood Alert Sensor Network
• Inferlink Corp. (El Segundo, CA), OpenWatch: An Architecture for Scalable Resiliency Assessment
• McQ Inc. (Fredericksburg, VA), MEGASCOP: Multi Interface Secure Audio/Video Rebroadcasting (SAVR) System
• Oceanit Laboratories (Honolulu, HI), FIND (First responder INdoor Determination)
• Physical Optics Corp. (Torrance, CA), Real-time Flood Forecasting and Reporting
• Physical Optics Corp. (Torrance, CA), Real-time Information Contextual Correlation and Analysis Software System
• Progeny Systems Corp. (Manassas, VA), Internet of Things (IoT) Low-Cost Flood Inundation Sensor
• Red Balloon Security (New York, NY), Hybrid Prediction for Embedded Malware
Initiated in 2004, the DHS S&T SBIR Program is a competitive contract awards program designed to increase the participation of innovative and creative U.S. small businesses in federal research and development initiatives and to increase private sector commercialization of SBIR-funded solutions.
To learn more about the DHS SBIR Program, visit the DHS SBIR Program Portal: https://sbir2.st.dhs.gov
PHOENIX, May 3, 2017. BeyondTrust, the leading cyber-security company dedicated to preventing privilege misuse and stopping unauthorized access, today unveiled the results of its Federal Cyber-Security Threat Survey Report 2017. Based on a comprehensive survey of senior Federal IT professionals, the study exposes an aging Federal computing infrastructure which has led to an environment with an alarmingly high risk of breaches.
105 senior IT professionals working for federal agencies were asked about their computing infrastructure, security, breaches and IT modernization. A summary of the findings is included below.
Federal IT managers concerned about antiquated infrastructure.
An overwhelming majority of Federal IT managers (81 percent) say aging IT infrastructures have a somewhat to extremely large impact on their cyber-security risk. Further, three of five (61 percent) say aging infrastructure is a roadblock to achieving federal cyber-security mandate compliance.
We found ample examples of aging infrastructure in our survey. For example, a surprising 47 percent of Federal agencies still use Windows XP, driving a third of respondents (35 percent) to report that this kind of aging infrastructure had a somewhat to large impact on their ability to carry out vulnerability patching.
The impacts of aging federal infrastructure don’t stop there …
- Three of four say aging infrastructure is a somewhat to extremely large risk to their ability to achieve their mission.
- The biggest impacts include inefficiency, increased cyber risk and problems with compliance.
- Specific to cyber-security, the top impacts of an aging infrastructure are difficulty with patching, password management and privileged account management (PAM).
- Respondents cite aging infrastructure as the top roadblock in the way of achieving federal cyber-security mandates.
Aging Infrastructure Leads to Breaches
Aging infrastructure is not just a problem in theory; aging infrastructure makes federal systems more vulnerable to attack, which has led to an environment that is ripe for breaches.
- 42 percent have experienced a data breach within the past 6 months.
- A staggering one in eight has experienced a data breach within the past 30 days.
- Put another way, the typical federal IT system experiences one breach every 347 days.
- Respondents report that the typical data breach costs more than $91,000.
- The total cost of data breaches is $637 million every year.
- The most frequently reported costs include loss of productivity, loss of reputation and pure monetary damages.
Privileged Account Management: Gap Between Theory and Practice
We asked respondents what tools were most important to them in terms of securing their information environment. Here they ranked privileged access management and vulnerability patching as most important. This is significant as these technologies restrict user privileges and close off security weaknesses in systems.
Yet, despite understanding the importance of such measures, most (56 percent) use alternate solutions to manage privileged passwords and nearly two-thirds (63 percent) report less than fully mature vulnerability remediation programs. In fact, 6 percent have NO remediation plan, and another 14 percent do only the bare minimum required by compliance mandates.
What IT Can Do to Mitigate the Security Risk of Aging Federal Infrastructure
The BeyondTrust 2017 US federal government study points to four best practices that any agency can implement.
- Manage privileged credentials with greater discipline, eliminate administrator rights and enforce least privilege
Thirty percent of respondents believe that insider threats pose a significant threat and 35 percent believe their users have more privileges than are required. To mitigate insider threats and the exploitation of privileges, adopt a least privilege model by removing admin rights from users and storing all privileged credentials in a secure safe. Known escalation attacks have been around for years and are still being used; these attacks require local administrator rights. It’s not just about insiders: enforcing least privilege limits lateral movement within an organization if a breach does occur.
- Isolate legacy systems to reduce attack surfaces
Modernization of federal IT infrastructure is a priority for most survey respondents, but realistically this will not happen quickly. These aging systems have known risks. Reduce the attack surface by isolating legacy systems. Segment these systems to force all traffic through a proxy to reduce attack vectors. Deploy an automated password and session management solution that provides secure access control, auditing, alerting and recording for any privileged account. This will provide segmented access to critical systems, manage passwords, and monitor when tasks and operations are committed to a managed system.
- Improve the maturity of vulnerability management through automated patching
Even in today’s sophisticated threat landscape, the majority of attacks target known vulnerabilities that can be easily patched. Effective patch management goes a long way in reducing a network’s overall attack surface. To be truly effective, patch management requires intelligent prioritization and broad coverage for common business applications. To improve the efficiency and effectiveness of an agency patch process, deploy a solution that provides integrated, automated patching. Implementing a solution that delivers analytics and trending across the threat lifecycle, with multi-dimensional reports on assets, vulnerabilities, attacks and remediation, allows patch management to be prioritized based on risk profile.
- Unite threat intelligence from multiple sources to better prioritize risks across the environment
Since the combination of asset risk and user privilege risk is a common attack pattern, deploy solutions that correlate asset-based risk with user-based activity to gain a more complete picture of risks and to prioritize the most impactful ones. For example, advanced persistent threats (APTs) can be analyzed against privileged password, user, and account activity, along with asset characteristics such as vulnerability count, vulnerability level, attacks detected, risk score, applications, services, software and ports. Consuming multiple data feeds from in-place solutions into a single console can help mitigate additional costs and reduce complexity.
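The correlation the last two practices describe (ranking patch work by asset risk profile, and pairing that with who holds privileged rights on the asset) can be shown in a few dozen lines. The following is an added example, not BeyondTrust's product logic or anything from the survey report: the scoring weights, the 0-100 scales, the field names and every asset and session record are constructed assumptions, standing in for a vulnerability-scanner export and a privileged-session log. The flag it raises is the precondition the text singles out, local administrator rights present on a host that still carries a high-severity unpatched finding.

```python
"""Rank remediation work by correlating asset risk with privileged-user activity.

Added illustration only (not BeyondTrust's product logic). Weights, scales,
field names and all sample records below are constructed assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    vuln_count: int          # open findings reported by the vulnerability scanner
    max_severity: float      # highest CVSS base score among them (0-10)
    attacks_detected: int    # IDS/EDR detections in the reporting window
    exposed_ports: tuple     # listening ports reachable from other segments


@dataclass(frozen=True)
class PrivilegedActivity:
    user: str
    asset: str
    has_local_admin: bool    # user holds local administrator rights on the asset
    sessions_last_30d: int   # privileged sessions recorded by session management


def asset_risk(a: Asset) -> float:
    """0-100 score from asset characteristics: severity dominates; breadth,
    observed attacks and network exposure add to it (constructed weights)."""
    score = (a.max_severity * 6
             + min(a.vuln_count, 20)
             + 10 * a.attacks_detected
             + 2 * len(a.exposed_ports))
    return round(min(100.0, score), 1)


def privilege_risk(events) -> float:
    """0-100 score from who touches the asset, with what rights, how often."""
    score = 0
    for e in events:
        score += (15 if e.has_local_admin else 5) + min(e.sessions_last_30d, 30)
    return float(min(100, score))


def prioritize(assets, activity):
    """Return one row per asset, highest combined priority first. The flag
    marks local admin rights on a host with a CVSS >= 7.0 open finding,
    the combination that known privilege-escalation attacks depend on."""
    by_asset = defaultdict(list)
    for e in activity:
        by_asset[e.asset].append(e)
    rows = []
    for a in assets:
        events = by_asset.get(a.name, [])
        ar, pr = asset_risk(a), privilege_risk(events)
        flags = []
        if a.max_severity >= 7.0 and any(e.has_local_admin for e in events):
            flags.append("local-admin-on-high-severity-host")
        rows.append({
            "asset": a.name,
            "asset_risk": ar,
            "privilege_risk": pr,
            "priority": round(0.5 * ar + 0.5 * pr, 1),   # equal-weight blend (assumption)
            "flags": flags,
            "admins": sorted(e.user for e in events if e.has_local_admin),
        })
    return sorted(rows, key=lambda r: r["priority"], reverse=True)


# Constructed sample data: three hosts and the privileged sessions seen on them.
SAMPLE_ASSETS = [
    Asset("legacy-xp-01", vuln_count=14, max_severity=9.8, attacks_detected=2, exposed_ports=(445, 3389)),
    Asset("web-proxy-02", vuln_count=3, max_severity=7.5, attacks_detected=0, exposed_ports=(443,)),
    Asset("file-srv-03", vuln_count=6, max_severity=5.3, attacks_detected=1, exposed_ports=(445,)),
]
SAMPLE_ACTIVITY = [
    PrivilegedActivity("alice", "legacy-xp-01", has_local_admin=True, sessions_last_30d=12),
    PrivilegedActivity("bob", "legacy-xp-01", has_local_admin=False, sessions_last_30d=40),
    PrivilegedActivity("carol", "file-srv-03", has_local_admin=True, sessions_last_30d=3),
]

if __name__ == "__main__":
    for row in prioritize(SAMPLE_ASSETS, SAMPLE_ACTIVITY):
        print(f"{row['asset']:<14} priority={row['priority']:>5} "
              f"asset={row['asset_risk']:>5} privilege={row['privilege_risk']:>5} "
              f"flags={row['flags']} admins={row['admins']}")
```

With the sample data the legacy host ranks first on both dimensions and is the only one flagged; the file server, despite a lower scanner score, outranks the better-patched proxy because a local administrator works on it. In practice the two inputs would come from the scanner and the session-management feeds the text mentions, and the weights would be tuned to the agency's own risk appetite rather than fixed as here.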
“The federal government is moving to modernize its aging infrastructure,” said Kevin Hickey, President and CEO at BeyondTrust. “But that takes time, and in the meantime, federal systems face a real risk. These are simple steps IT can take today to help mitigate that risk.”
Federal Cyber-Security Threat Survey Report
For more information on the 2017 US Federal Government Security Survey, please visit: https://beyondtrust.com/aging-fed-it-risky.
BeyondTrust is a global information security software company that helps organizations prevent cyber attacks and unauthorized data access due to privilege abuse. Our solutions give you the visibility to confidently reduce risks and the control to take proactive, informed action against data breach threats. And because threats can come from anywhere, we built a platform that unifies the most effective technologies for addressing both internal and external risk: Privileged Access Management and Vulnerability Management. Our solutions grow with your needs, making sure you maintain control no matter where your company goes. BeyondTrust’s security solutions are trusted by over 4,000 customers worldwide, including half of the Fortune 100. To learn more about BeyondTrust, please visit www.beyondtrust.com.