
SPECIAL-The Human Element of Cybersecurity

A September 2015 Government Accountability Office (GAO) report, Federal Information Security: Agencies Need To Correct Weaknesses and Fully Implement Security Programs, revealed that the number of information security incidents affecting information systems (IS) supporting the Federal Government continues to increase.

The number of incidents rose from 5,503 in fiscal year (FY) 2006 to 67,168 in FY 2014, an increase of 1,121 percent. During FY 2013 – 2014, federal agencies continued to experience weaknesses in protecting their data and IS. At the same time, weaknesses in their information security policies and practices impeded efforts to protect against known threats and exploits.

Furthermore, assessments by inspectors general highlighted security control deficiencies at agencies that placed data and IS supporting governmental operations and assets at elevated risk of unauthorized use, disclosure, modification, and disruption. These facts have been amplified and reinforced by incidents such as the breach of the Office of Personnel Management (OPM), which compromised the sensitive information of millions.

The OPM hack serves as an important reminder that federal agencies must redouble their efforts to identify all measurable IS security vulnerabilities, remediate exploitable vulnerabilities via extensive system-level patching, and enter into a state of continuous monitoring in accordance with the National Institute of Standards and Technology (NIST) SP 800-137.

These best practices are consistent with and guided by federal law, including the Federal Information Security Management Act (FISMA) and the E-Gov Act of 2002. As a result, NIST’s Risk Management Framework (RMF) is becoming accepted across the entire Federal Government as the standard for assessing, mitigating, and managing risk.

In addition, the Department of Homeland Security’s (DHS) flagship cyber program—Continuous Diagnostics and Mitigation (CDM)—is moving into its third year. CDM enhances government network defense by automating and implementing specific security controls and monitoring functions. The CDM program is designed to:


  • Provide services to implement network sensors and dashboards;
  • Deliver near-real time indications and warning results;
  • Prioritize the most significant events and incidents within minutes;
  • Enable defenders to identify and mitigate vulnerabilities at network speed; and
  • Lower operational risk and exploitation of government Information and Communications Technologies (ICT).

CDM in part fulfills FISMA mandates, and is the first concerted effort launched by the Federal Government to both standardize the implementation of security controls designed to counter Advanced Persistent Threats (APT), and manage risk via a single Assessment and Authorization (A&A) process.

These are all critical and necessary steps along the path to continuous monitoring. As federal agencies focus on complying with the RMF, optimizing NIST SP 800-53 security controls and acquiring the technology required to remediate APT, they must not underestimate the critical role humans (both end users and cybersecurity practitioners) play in keeping agency IS and data safe.

Indication of Compromise (IOC): Automation and the Human Factor

In 2009, President Obama named the first Cybersecurity Coordinator and directed a comprehensive Cyberspace Policy Review to assess US policies and structures for cybersecurity. Since then, the White House continues to take aggressive actions to strengthen the Federal Government’s ICT and protect government networks and data.

In June of 2015, the United States Chief Information Officer (CIO) launched a 30-day Cybersecurity Sprint. This initiative aided agencies, in part, with mitigating cyber threats through continuous monitoring of adversarial Tactics, Techniques, and Procedures (TTP) that lead to indicators of compromise (IOCs). In addition, the Sprint directed Federal agencies to patch critical vulnerabilities without delay; tighten policies and practices for privileged users (i.e., implement least privilege); and dramatically accelerate implementation of multi-factor authentication (MFA), especially for privileged users.

Yet even with an automated Computer Network Defense (CND) sensor grid and processes implemented to identify IOCs, skilled cyber threat analysts who understand how to interpret the output of Security Information and Event Management (SIEM) systems are irreplaceable. IOCs can flag unsuccessful login attempts, unusual network traffic patterns, and departures from “known-good” IS security configurations. But without proper human analysis, supported by technology, incident data cannot be fully interpreted to identify the exploit. Human analysts use experience and logic to make correlations that automated systems cannot.
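As an added illustration (not code from the original article), the following Python sketch encodes two of the IOC types named above as SIEM-style rules over constructed sample data: a burst of failed logins followed by a success, and a departure from a known-good configuration baseline. The log format, user names, addresses and configuration keys are assumptions.

```python
import re
from collections import Counter

# Constructed SIEM-style auth events (sample data, not from a real system):
# a burst of failures followed by a success from one source, and one benign retry.
AUTH_LOG = """\
2015-09-01T08:00:01 login user=jsmith src=10.1.2.3 result=FAIL
2015-09-01T08:00:02 login user=jsmith src=10.1.2.3 result=FAIL
2015-09-01T08:00:03 login user=jsmith src=10.1.2.3 result=FAIL
2015-09-01T08:00:04 login user=jsmith src=10.1.2.3 result=FAIL
2015-09-01T08:00:05 login user=jsmith src=10.1.2.3 result=FAIL
2015-09-01T08:00:06 login user=jsmith src=10.1.2.3 result=SUCCESS
2015-09-01T08:05:00 login user=adoe src=10.1.2.9 result=FAIL
2015-09-01T08:06:00 login user=adoe src=10.1.2.9 result=SUCCESS
"""

# Hypothetical "known-good" configuration baseline and an observed snapshot of one host.
KNOWN_GOOD = {"ssh_root_login": "no", "mfa_required": "yes", "telnet": "disabled"}
OBSERVED = {"ssh_root_login": "yes", "mfa_required": "yes", "telnet": "disabled"}

LINE_RE = re.compile(r"^(?P<ts>\S+) login user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<res>\w+)$")

def parse_auth_log(text):
    """Turn log lines into event dicts; lines that do not match the format are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]

def failed_login_bursts(events, threshold=5):
    """IOC: at least `threshold` failures from one source/user followed by a success.
    The sequence (failures, then success) is the correlation an analyst would draw;
    a raw failure count alone says nothing about whether the account was then accessed."""
    fails, findings = Counter(), []
    for e in events:
        key = (e["src"], e["user"])
        if e["res"] == "FAIL":
            fails[key] += 1
        elif e["res"] == "SUCCESS":
            if fails[key] >= threshold:
                findings.append(f"{fails[key]} failures then success for {e['user']} from {e['src']}")
            fails[key] = 0  # reset after a success so later bursts are counted afresh
    return findings

def config_drift(known_good, observed):
    """IOC: every setting whose observed value departs from the known-good baseline."""
    return [f"{k}: expected {v!r}, observed {observed.get(k)!r}"
            for k, v in known_good.items() if observed.get(k) != v]

def detect_iocs(log_text=AUTH_LOG, known_good=KNOWN_GOOD, observed=OBSERVED):
    """Run both checks; the returned findings are what an analyst would triage."""
    return failed_login_bursts(parse_auth_log(log_text)) + config_drift(known_good, observed)
```

Run against the constructed data, `detect_iocs()` returns one brute-force finding for jsmith and one drift finding for `ssh_root_login`; the single failed retry by adoe is correctly left alone.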

Incident Response & Management Teams

Even with a full and proper implementation of layered network security countermeasures (e.g., defense-in-depth) and controls configured to detect IOCs, cybersecurity breaches are inevitable. According to NIST, “risk can never be eliminated and so it must be managed. Managing risk doesn’t mean fixing everything, nor does it mean not fixing anything.”

Federal agency Computer Incident Response Teams (CIRT) must be prepared to identify and respond to Computer Network Attacks (CNA). They should have knowledge of the “Cyber Kill Chain” so they can formulate the correct Response Action (RA) based on the state/phase of the intrusion. The Kill Chain is not a panacea. In fact, most Security Operations Centers (SOC) and CIRTs should proportionately focus their attention on Steps 6 and 7 of the chain: command and control, and escalation and exfiltration.

All Federal Agencies should have an Incident Response (IR) plan to manage unauthorized cyber intrusions. The plan should be tailored to the capabilities and experience of the CIRT. A well-exercised IR plan can aid a targeted organization with maintaining network operations while containing and neutralizing an incident. Again, the human factor plays a critical role in the IR process. CIRTs focus on containing and eradicating the intrusion while also collecting and preserving vital cyber forensics data that will become essential to deconstructing and analyzing the compromise (e.g., malware sandboxing and reverse engineering).

The Human Element, Cyber Security Metrics, and Awareness

When assessing an organization’s cybersecurity systems engineering methodology, operations, and maintenance maturity level, it’s important to focus on mission-essential functions such as governance, awareness and training, anomaly and event detection, process improvements, and communications. The Federal Government has done a good job generating basic metrics for agencies when it comes to assessing security, from goals set in the Cyber Sprint to metrics associated with Cross-Agency Priority Goals. These metrics are important for determining where cyber remedial efforts should be focused.

Pinpointing the most useful metrics requires the expertise of seasoned cybersecurity practitioners, such as Security Monitoring and Event Analysts, Counter-Intelligence/Insider Threat Analysts, and Big Data Security Analysts. With an analyst’s expertise, an organization can develop metrics that reveal true, measurable states and point to areas requiring improvement. Rather than relying on a standard vulnerability scan or a simple measurement of time to remediation, experienced cyber analysts have the knowledge to determine which metrics provide the greatest impact.

NIST SP 800-55, Security Metrics Guide for Information Technology Systems, provides guidance on how an organization identifies the adequacy of implemented security controls, policies, and procedures. It provides an approach that aids leadership with deciding where to invest additional cybersecurity resources, and how to identify and evaluate unproductive controls. The results of an effective metrics program can produce useful data for directing the allocation of information security resources and should simplify the preparation of performance-related reports.

In the end, the final line of defense against any CNA is the human behind the keyboard. Security Education and Awareness Training is necessary and mandated, but insufficient on its own, although it is improving through automation, role playing, and gamification. Today’s most sophisticated attacks use subterfuge to such a great extent that even the most trained eye will eventually fall prey to an attempted compromise of an IS, with email phishing being the most pervasive and deceptive of these types of attacks.

However, there is help out there in the form of online communities such as Stop.Think.Connect, a global cybersecurity awareness campaign constructed to help all digital citizens stay safe and secure online. SANS Institute’s “Securing the Human” is another vital computer-based training, education and awareness initiative designed for non-technical end users. Their “OUCH!” periodical is a leading free cyber security newsletter published monthly, in multiple languages, that I recommend users and cyber security practitioners alike review.

As both the public and private sectors continue to improve their cybersecurity posture, they should not overlook the impact of human factors, and how integral they are to the overall success of any CND strategy. Human cybersecurity practitioners and end users play a significant role in protecting against, detecting, and responding to CNA, and ultimately in sustaining the overall security posture needed to minimize online risk.

As the conversation about improving cybersecurity continues in 2016, the government needs to recognize the importance of human cybersecurity expertise, prioritize its development and sustainment, and reach across to private sector high-tech cyber communities to bridge the skills and capabilities gap, as Secretary of Defense Ash Carter began doing last spring, so that the nation can take a vigilant stand against this persistent threat.

Marc M. Kolenko, Chief, Cybersecurity Architecture & Strategy, Office of the CTO | Information Innovators Inc.

Homeland Security Today
The Government Technology & Services Coalition's Homeland Security Today (HSToday) is the premier news and information resource for the homeland security community, dedicated to elevating the discussions and insights that can support a safe and secure nation. A non-profit magazine and media platform, HSToday provides readers with the whole story, placing facts and comments in context to inform debate and drive realistic solutions to some of the nation’s most vexing security challenges.