Posted on Fri, Dec 18, 2009 @ 09:59 AM
Ever wondered what the Department of Homeland Security (DHS) is doing to protect government networks, and what you can do too? Government networks are among the most heavily targeted sites on the Internet and come under attack hundreds of times per year. To protect government assets, DHS uses a network flow monitoring system called Einstein 1 and an intrusion detection system called Einstein 2.
DHS is in charge of monitoring the .gov domain for potential threats and works with several non-federal partners in various network security programs. While primarily focused on federal networks, DHS is now branching out to deploy Einstein on civilian and state networks through partnership programs run under the auspices of the U.S. Computer Emergency Readiness Team (US-CERT).
Philip Reitinger, Deputy Under Secretary, National Protection and Programs Directorate, DHS, has said a third version of Einstein with more advanced technology is envisioned that would be an intrusion prevention system across civilian networks and systems. The additional surveillance and intrusion response capability would give the government better awareness to protect the public, according to Mr. Reitinger.
In addition to Einstein 3, DHS has a variety of other initiatives under way to enhance the cyber security of federal and civilian networks including:
- Consolidating agencies' external Internet connections to reduce the number of entry points for potential outside threats
- Developing a supply chain risk management framework to address security threats and vulnerabilities that could be introduced into hardware and software acquired by federal agencies
- Establishing the Industrial Control Systems Cyber Emergency Response Team facility, to synchronize incident response activities related to attacks on control systems operating the Nation's critical infrastructure
- Initiating an information-sharing pilot working with the Financial Services Information Sharing and Analysis Center to enhance threat information sharing with the financial services sector
What the DHS programs teach is that a solid network security plan includes: (1) a network security system that monitors, detects and prevents intrusions; (2) a strategy for reducing access points (network nodes, connections, rogue devices, and the number of different software packages used by end users); and (3) collaboration with trusted security partners to share incident response and threat information.
Posted on Thu, Dec 10, 2009 @ 02:47 PM
A 367-page report prepared by the U.S.-China Economic and Security Review Commission and released in November 2009 details cyber attacks targeting the United States.
During 2008 there were 54,640 cyber attacks against the U.S. Department of Defense (DoD), according to the report, which cites data provided by U.S. Strategic Command officials. The rate rose sharply in 2009: the first half of the year alone saw 43,785 cyber incidents targeting the DoD, the report states.
The military has spent more than $100 million in the first six months of 2009 alone repairing damage to its networks caused by such cyber attacks, stated Army Brig. Gen. John Davis, deputy commander for network operations.
These circumstances have been fueling congressional bills that could give the president the authority to "unplug the Internet" in cases of national emergency. The bill, from Senators John Rockefeller, D-W.Va., and Olympia Snowe, R-Maine, is part of a larger debate over what federal powers are necessary for cyber security.
In the best-case scenario, that power could enable the president to prevent cyber attacks on the power grid, air traffic control systems, or the root of the Internet. On the other hand, the government would be given the power to shut down vital telecommunications, financial, and corporate networks with claims of national security interest.
These scenarios look increasingly realistic: the Wall Street Journal reported in April 2009 that Russian and Chinese spies had penetrated the U.S. electrical grid and left behind malware. If that is accurate, then disconnecting from the Internet may be the fastest way to protect the nation's public and private operations in a dire situation.
The thought of such actions reminds me of the movie "The Day the Earth Stood Still." In that movie, aliens shut down everything on the earth that was powered by electrical current. It was done to give mankind pause to consider his actions and the pending consequences of behavior that was destroying the earth. We can only hope the zeal for destructive behavior by certain people never creates such a climactic ending.
Posted on Mon, Dec 07, 2009 @ 01:21 PM
There was a call recently, sponsored by Symantec, in which security experts and analysts discussed the security trends in 2009 and what they expected to see in 2010. Here's what they said:
2009 Trends
- Drive-by. In 2008 there were 18 million drive-by download attempts. In the first half of 2009 there were already 17.5 million, so this activity is increasing. (See the previous post for a discussion of drive-by downloads.)
- Plug-ins. Drive-by downloads that target browser plug-ins as well as websites are increasing.
- Trusted websites. Legitimate websites are now being compromised. Per Symantec, the vast majority of blocked downloads came from legitimate websites. Cyber criminals are finding ways to post malicious Java applets or ActiveX components, especially on social networking websites, that target users of those sites.
- Rogue security software. From July 2008 to July 2009, Symantec counted 43 million installation attempts by rogue security software. The latest ploy is to repackage free anti-virus software found on the web and either resell it for a fee or bundle it with malware that hijacks the user's computer once the application is installed.
- Content scams. The latter half of 2009 saw increasing content-based attacks. The scam artist creates fake sites built around popular search terms or current news events. This poisons search engine results, surfacing sites laden with malicious links, ads or drive-by downloads.
- Security breaches. Data breaches continue to grow, raising the risk of identity theft. 400 breaches were reported in 2009, compromising 200 million records. 80% of breaches are caused by insiders within an organization, and 59% of employees take confidential information with them when they leave a company.
2010 Outlook
- URL shortening services. Bloggers, Twitter users and many social networking site users rely on "URL shortening services" to turn a long link into a short one that redirects to the original. For example, if I want to embed a 30-character link in a Tweet with a 140-character limit, I can use a service that gives me a 10-character link pointing at the real one. The service hosts the mapping and redirects anyone who visits the short URL to the longer destination. The problem is that the destination is invisible until you click: cyber criminals are finding ways to point short links hosted by these providers at malicious sites.
- CAPTCHA technology. When you register for new accounts on many websites, you are asked to type in a code displayed in a funny, distorted-looking text box. This lets the website owner ensure that an actual human is registering and not a computer application. Some cyber criminals now use low-cost labor, in places like India, to solve these challenges and create accounts manually. Once registered on a website that offers, for example, an Instant Messenger (IM) account, the attacker uses the IM account to send malicious links to other IM users.
- Non-English spam. Most spam to date has been sent in English. However, there has been a significant increase in native-language spam in countries such as the Netherlands, Germany and France.
- Focused malware. Symantec sees increases in specialized malware that targets specific systems such as Automatic Teller Machines (ATMs) and phone-based voting systems (e.g. those used by reality TV shows for public voting).
- Cell phones. Smartphones are becoming targets for rogue security software download attempts. With so many applications now being made available for wireless devices like the BlackBerry, attackers are looking to exploit the same scams used on computer users.
- Bandwidth. Increased bandwidth in developing countries, as broadband networks are installed, has fueled a resurgence of spam-sending botnets.
- Social networking sites. Scammers are trolling popular social media sites like Facebook for opportunities to implant malicious content and micro applications. By infecting users who receive and trust messages from others in their circle, attackers can exploit entire networks.
What to do? Symantec has embarked on a concept they call "reputation-based security." All websites are assumed guilty until proven innocent. So look for increased certifications and diligence in the safe-guarding of content, web links and applets on websites.
In addition, as individuals, two best-practice security tips you should follow are: (1) don't store your passwords in the browser (don't click the "remember me" option); and (2) use strong passwords on your home wireless router (change the one that comes with the unit) as well as at every website you register with.
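To make "use a strong password" concrete for the router case, here is an added example, not code from the original post, that generates a random WPA2 pre-shared key with Python's `secrets` module and estimates how many bits of entropy a chosen passphrase has. The 64-bit threshold and the short list of factory defaults are assumptions made for this illustration.

```python
"""Generate and assess router passphrases."""
import math
import secrets
import string

# Characters drawn from when generating. Look-alikes (0/O, 1/l/I) are
# dropped so the result can be read off a screen and typed into a
# router's setup page without mistakes.
ALPHABET = "".join(c for c in string.ascii_letters + string.digits
                   if c not in "0O1lI")
# Assumed policy for this example: 64 bits is a reasonable floor for a
# WPA2 pre-shared key (the standard allows 8 to 63 ASCII characters).
MIN_BITS = 64
# Constructed list of factory defaults that must never be left in place.
COMMON_DEFAULTS = {"admin", "password", "1234", "12345678", "default"}


def entropy_bits(length, alphabet_size):
    """Entropy of a uniformly random string: length * log2(alphabet_size)."""
    return length * math.log2(alphabet_size)


def generate_passphrase(length=20):
    """Return a uniformly random passphrase from a CSPRNG (never `random`)."""
    if not 8 <= length <= 63:
        raise ValueError("WPA2 passphrases must be 8-63 characters")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def assess(passphrase):
    """Estimate the strength of a user-chosen passphrase.

    The alphabet size is inferred from the character classes present, so
    a lowercase-only passphrase is credited with 26 symbols per position.
    This is a generous upper bound: it does not catch dictionary words or
    keyboard patterns beyond the few entries in COMMON_DEFAULTS.
    """
    classes = [
        (string.ascii_lowercase, 26),
        (string.ascii_uppercase, 26),
        (string.digits, 10),
        (string.punctuation, len(string.punctuation)),
    ]
    pool = sum(size for chars, size in classes
               if any(c in chars for c in passphrase))
    bits = entropy_bits(len(passphrase), pool) if pool else 0.0
    is_default = passphrase.lower() in COMMON_DEFAULTS
    return {
        "bits": round(bits, 1),
        "is_default": is_default,
        "strong": bits >= MIN_BITS and not is_default,
    }


if __name__ == "__main__":
    candidate = generate_passphrase()
    print(candidate, assess(candidate))
    print("password", assess("password"))
```

The estimate is only meaningful for passphrases the user actually chose at random; a long phrase of dictionary words scores well here but is far weaker against a wordlist attack, which is why the generator, not the assessor, is the part to rely on.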