In a recent study conducted by an independent consulting firm, government agencies, when compared to 17 other industries, ranked at the very bottom in proper cybersecurity hygiene. In a recent survey of 24 federal agencies, the Government Accountability Office (GAO) found that between 2006 and 2015 the number of cyber attacks climbed 1300 percent, from 5500 to over 77000 a year. Eleven government agencies reported cybersecurity incidents against high-impact systems in 2014; these incidents are as follows:
– Category 1 – Unauthorized access – 202 incidents
– Category 2 – Denial of Service – 13 incidents
– Category 3 – Malicious Code – 497 incidents
– Category 4 – Improper Usage – 444 incidents
– Category 5 – Scanners, probes, attempted access – 109 incidents
– Category 6 – Investigation – 486 incidents
With the highest incident count falling in the malicious code category, there is no doubt that malware is a top priority among all malicious attacks against critical systems. Botnets, rootkits, ransomware and phishing campaigns reign supreme in this sector. A recent article (WIRED, 2016) says, “In March 2014, for example, OPM had detected a breach in which blueprints for its network’s architecture were siphoned away,” meaning that most of the damage happened after discovery. With the emergence of advanced persistent threats (APTs), government systems need to constantly comb their networks with a plethora of security controls, such as signature-based detection systems as well as anomaly-based detection systems.
Another interesting metric was category four, improper usage. This shows misconfiguration and a lack of the cybersecurity training needed to properly set up a critical system and establish a department-wide security strategy. This can be rectified by improvements in employee training programs within the departments themselves. A recent article (Government Technology, 2017) says, “Human error is the major reasons for cyber breaches, and we are pointing increasing complex systems toward people who can neither see nor understand what the systems are doing; it is a dangerous scenario to continually disconnect the human from massively automated systems that run without audit.” This is what attackers of government systems are living on: human error.
Most government agencies are using the same technologies that are used in the commercial sector, consistent with the private sector, which is currently moving toward a risk-based approach in its overall security strategy. Some of the newer technology being used in the private sector is artificial intelligence. But we have already seen the AI behind Google’s DeepMind technology get hacked. AI is capable of hacking AI, which has also been proven. Also, whether people want to admit it or not, 4th generation programming languages can all be clearly hacked.
However, governments need to make a bold decision and start moving toward 5th generation programming languages, which use codeless signature patterns. This will greatly improve security in all applications and technologies moving forward. 5GL codeless languages could then work alongside 4GL languages and show a clear path for migration of older legacy code bases. Government Technology (2017) says, “What’s great about 5GL technology is that it can be used without changing any of the current operational and industrial system technologies.” 5GL languages can also be used in supercomputing.
Software Cybersecurity Technologies
Looking at the areas of risk according to OWASP’s newly released Top 10 list for 2017, we can see that injection of malicious code is still the top vulnerability that attackers use to infiltrate systems. We can also see the correlation with the previously referenced study: many vulnerabilities are not easy to get rid of. The software technologies needed to guard against the new 2017 OWASP Top 3 are as follows:
1. The use of parameterized application programming interfaces (APIs); this will help cut down on injection vulnerabilities, which is number one on the OWASP list.
2. Proper configuration of strong authentication technology and session management, which will allow federal agencies to defend against broken authentication and poor session management, the next biggest threat to all federal applications. Utilizing a JWT token provider or OAuth methodology can go a long way toward decoupling extensive software solutions and lowering risk (Internet Engineering Task Force (IETF), 2015).
3. Use of a Content Security Policy and proper escaping of all untrusted data based on the HTML context the data will be placed into. This will help thwart number three on the OWASP list, which is XSS, or cross-site scripting.
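Items 1 and 3 above in working code, as an added example that is not part of the original text: an injection-prone lookup beside its parameterized form, plus context-aware HTML escaping and a Content Security Policy header for the rendered page. The user table, the `clearance` column and the handler names are constructed for the example.

```python
import html
import sqlite3

# Constructed in-memory table standing in for an agency's user store.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, clearance TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "Secret"), ("bob", "Confidential")])
    return conn

def lookup_vulnerable(conn, name):
    # Untrusted input is concatenated into the SQL text: the injection defect
    # the OWASP list ranks first. Kept only to contrast with the fix below.
    sql = "SELECT name, clearance FROM users WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()

def lookup_parameterized(conn, name):
    # Placeholder binding: the driver passes the value separately from the
    # query, so quote characters in the input never change the SQL structure.
    sql = "SELECT name, clearance FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()

def render_cell(untrusted):
    # Escape for the HTML body/attribute context before placing into markup;
    # quote=True also neutralises the quote characters used in attributes.
    return html.escape(untrusted, quote=True)

# Restrictive policy: scripts only from the page's own origin, no plugins.
CSP_HEADER = ("Content-Security-Policy",
              "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'")

def render_page(conn, name):
    # Parameterized query in, escaped output and CSP header out.
    rows = lookup_parameterized(conn, name)
    body = "".join("<tr><td>%s</td><td>%s</td></tr>" % (render_cell(n), render_cell(c))
                   for n, c in rows)
    return {"headers": [CSP_HEADER], "body": "<table>%s</table>" % body}

if __name__ == "__main__":
    db = build_db()
    probe = "x' OR '1'='1"             # constructed test string, not a real user name
    print(lookup_vulnerable(db, probe))     # every row comes back
    print(lookup_parameterized(db, probe))  # no row matches the literal string
```

The difference between the two lookups on the same input is the whole point of item 1: the parameterized version treats the input as a value, not as SQL.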
Hardware Cybersecurity Technologies
There are many different types of tools used in the federal domain. However, the main areas of concern, according to Komstandt (2017), are:
1. Commercial Wireless LAN solution – The demand for wireless technology comes from the need to have a secure network within organizations (Komstandt, 2017).
2. Network Vulnerability Assessment – It is critical for organizations to identify and assess the business assets that are vulnerable to damage, loss, or theft. Conducting routine assessments and threat modeling is a powerful tool for identifying risk throughout the agency or department.
3. Network Penetration Testing – Through penetration testing with sophisticated tools and techniques, an enterprise can reveal all possible opportunities for hackers to compromise systems and networks.
Within the public sector, there is already a data classification scheme in place, which ranges from unclassified to top secret. According to Pearson IT Certification (2002), the government tiers are as follows:
1. Top Secret – Disclosure of top-secret data would cause severe damage to national security.
2. Secret – Disclosure of secret data would cause serious damage to national security. This data is considered less sensitive than data classified as top secret.
3. Confidential – Confidential data is usually data that is exempt from disclosure under laws such as the Freedom of Information Act but is not classified as national security data.
4. Sensitive But Unclassified (SBU) – SBU data is data that is not considered vital to national security, but its disclosure would do some harm. Many agencies classify data they collect from citizens as SBU. In Canada, the SBU classification is referred to as protected.
5. Unclassified – Unclassified is data that has no classification or is not sensitive.
One of the top things to consider is proper attribution. Identity and authentication are among the predominant security controls that allow network engineers to watch and monitor access to critical data while also keeping a clear audit trail in the event of an attack. The ability to use role-based authentication through Microsoft’s Active Directory together with a single sign-on technology such as Centrify poses a very valuable defense of critical data in the federal sector.
Active Directory allows the federal government not only to split the business into different layers of business units or operational units, but also to integrate other DLP technology such as Trustwave’s Data Loss Prevention. Not only does this integrate with Active Directory, but (TechRadar, 2017) says, “you get a configurable dashboard, so you can easily see where your data is located and put mechanisms in place to protect it.” This comes coupled with some preconfigured risk assessments and policies out of the box. The overall ability to track DLP comes down to visibility for the network and security engineers; this setup will allow for complete visibility from Top Secret to Classified information.
Good log management software that allows the federal government to weed out the noise is also needed. CSC would need to implement a solution such as Splunk, or EveBox and Elasticsearch on Linux, that can allow for packet-level visibility and rule creation.
Internet Engineering Task Force (IETF). (2015, May 1). RFC 7519 – JSON Web Token (JWT). Retrieved from https://tools.ietf.org/html/rfc7519
Komstandt. (2017, June 30). Three key components of network security. Retrieved from http://blog.komstadt.com/three-key-components-of-network-security
Pearson IT Certification. (2002, December 20). Classifying data | CISSP security management and practices. Retrieved from http://www.pearsonitcertification.com/articles/article.aspx?p=30287&seqNum=9
Government Technology. (2017, March 30). Cybersecurity industry must adopt cyber defense tech that utilizes analytics, artificial intelligence. Retrieved from http://www.govtech.com/opinion/Cybersecurity-Industry-Must-Adopt-Cyberdefense-Tech-that-Utilizes-Analytics-Artificial-Intelligence.html
WIRED. (2016, October 23). Inside the OPM hack, the cyberattack that shocked the US government. Retrieved from https://www.wired.com/2016/10/inside-cyberattack-shocked-us-government/