Cybersecurity in the Public Sector
Gartner analyst Steve Hawald noted in recent research that “With daily cyberattacks and new hacker groups being created constantly, cyberspace is a huge challenge for the DoD as well other government organizations and private companies around the world. Cyberattacks are becoming more sophisticated, more random and more targeted.”
He also noted that “To meet the mission need for more-agile collaboration while still maintaining high levels of security, older cyberdefenses need to be upgraded or replaced to be more effective and efficient. The ability to continuously monitor and regularly evolve security controls is critical.”
Federal organizations, like those in every other sector, are embracing the web as never before to share information, collaborate and conduct business. We are even seeing the government leap into the adoption of technologies like Cloud with the FedRAMP program, where others in the private sector have been much slower to jump on board. This shows that the public sector is working to keep up with new technologies and even set the bar in some instances.
With this growth in technology adoption, particularly as it relates to web-based activity, comes an added opportunity for global cyber espionage, cybercrime, and targeted attacks that could inflict harm on government systems, and in turn, the country.
We see a true need for government organizations to take an additional step in their defense of web-based activity. Traditional security and fraud prevention is no longer enough, and as Gartner’s Steve Hawald mentioned – continuous monitoring and evolution of security controls is critical.
Silver Tail Systems is taking steps to help federal and government agencies better protect their Internet resources with real-time monitoring of web session behavior by opening an office in the Washington D.C. area and by partnering with Carahsoft, a trusted government IT solutions provider. These are exciting strides in our continued expansion, and our team is already working tirelessly in the new space. Make sure to take a look at our website for more details!
Good Guys Collaborating as well as the Bad Guys? Congress Taking Steps
Many of you may be tired of me harping about how well the criminals coordinate with one another and how poorly we, on the other side, work together. It looks like the government may be taking a step to help organizations work more closely together to protect each other.
The article talks about how the government doesn’t want to add too much burden to businesses and that is obviously critical. But, I’m thrilled by the idea that corporations and other organizations can have the opportunity to work together in a way that could benefit the entire ecosystem.
One of the biggest hurdles I see with this is that many times organizations see their data about attacks as a valuable asset. If it takes an organization fifty man hours and $200,000 in development of tools to identify a particular threat or set of data, why would they want to share that with others? Should they get paid for sharing this data? Is there some other way that these organizations could be compensated for this information?
“60 Minutes” Video: Sabotaging the System
Several people have mentioned the 60 Minutes episode that aired last Sunday night. I watched it and was fascinated by a lot of it.
First, it’s very rare that the government will talk about possible threats against its infrastructure. To hear people talking about how you could manipulate the programming of a power generator to get it to self-destruct was much more information than I’m used to seeing on tv – especially in prime time.
Second, the discussion about how other governments have very likely already infiltrated our government’s systems was amazing.
I agree that all of this has very likely already happened, but I was surprised to see it discussed so openly. I’m torn – is it a good thing to raise awareness about these types of issues? Maybe. I suppose it might help increase the funding around protection mechanisms, etc. Is it better to not talk about it? Maybe. That means the attackers don’t know what we know and it also makes it more difficult for new attackers to identify these vulnerabilities.
My opinion is that these vulnerabilities and potential exploits need to be kept somewhat secret. There are a select set of people who could help defuse the problem if they are “in the know”, but making it public is very risky. I look at what happened around the Kaminsky vulnerability and, more recently, the SSL MitM hole. For a while, these issues were kept very secret while a select set of organizations and individuals labored to resolve them. Obviously, they didn’t stay totally secret. But I think something along those lines is the better way to handle these threats than to expose them on tv.
In case you want to see what the government is talking about on tv, you can watch the 60 Minutes video here.
Making the 20 Controls for Effective Cyber Defense Approachable
SANS has published “Twenty Most Important Controls and Metrics for Effective Cyber Defense and Continuous FISMA Compliance”. I must admit, I was pleasantly surprised by what was published.
My biggest concern prior to reading the draft was that since this document was supposed to be all-encompassing and was very likely “written by committee”, the guidance would end up being too complicated to understand, let alone implement. I was wrong.
The power in the document is that the recommendations are boiled down to 20 simple sentences. Here they are:
Critical Controls Subject to Automated Measurement and Validation:
- Inventory of Authorized and Unauthorized Hardware
- Inventory of Authorized and Unauthorized Software
- Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
- Secure Configurations of Network Devices Such as Firewalls and Routers
- Boundary Defense
- Maintenance and Analysis of Complete Security Audit Logs
- Application Software Security
- Controlled Use of Administrative Privileges
- Controlled Access Based On Need to Know
- Continuous Vulnerability Testing and Remediation
- Dormant Account Monitoring and Control
- Anti-Malware Defenses
- Limitation and Control of Ports, Protocols and Services
- Wireless Device Control
- Data Leakage Protection
Additional Critical Controls (not directly supported by automated measurement and validation):
- Secure Network Engineering
- Red Team Exercises
- Incident Response Capability
- Data Recovery Capability
- Security Skills Assessment and Training to Fill Gaps
Of course, “Boundary Defense” is not as simple as those two words imply and there are a multitude of details behind each one of these “controls”. There is definitely a lot to be proven out about whether or not most organizations (government and industry) will be able to make sense of these directives. But I applaud the authors for at least attempting to make the initial pass at the document un-intimidating.
Security is a complex, acronym-laden practice that can be especially difficult for the uninitiated to approach, let alone tackle. By keeping the initial steps of this directive relatively simple, the authors have taken the right approach: make people understand the task can be accomplished when they first start.
And that’s another strength to the structure of the document. Since it is presented as a webpage, when you get to the bottom, there are links to separate pages for each control. As a CISO or CTO is working through the plan, they can look at one control at a time and determine how to move forward with it without being overwhelmed by the entire document.
This may be an advantage of the internet – we hide the complexity by making a 100 page book look like a 5 page website with a few links at the end. If this helps people feel like the task at hand is attainable, that’s a good thing.