
June 27, 2015

Interesting analyses of the US OPM data breach

If you are interested in the recent US Office of Personnel Management (OPM) data breach, you'll want to check out the following articles and blog posts. For those not familiar with this breach, see here.

Richard Bejtlich has a great blog post on what Einstein and Continuous Diagnostic Monitoring (CDM) do and do not do. He describes a debate going on in the Federal government about CDM and a common misconception about it: statements are being tossed around that CDM searches for nefarious actors once they are already inside networks. Richard rightly points out that CDM does not do this; it is a vulnerability management program that searches for known cyber flaws. Read more about this here:
http://taosecurity.blogspot.com/2015/06/continuous-diagnostic-monitoring-does.html

Richard has a follow-up post in the CDM debate where he discusses the House of Representatives' OPM breach hearings. One witness's testimony incorrectly describes CDM as providing real-time anomalous behavior detection. Read more here:
http://taosecurity.blogspot.com/search/label/cdm

Ars Technica article "Why the 'biggest government hack ever' got past the feds":
http://arstechnica.com/security/2015/06/why-the-biggest-government-hack-ever-got-past-opm-dhs-and-nsa/

June 15, 2014

US Senate is concerned about Internet 'malvertising'

The US Senate issued a report on the problems with Internet/online ad networks that are distributing malware to unsuspecting consumers. The investigation was conducted by the Committee on Homeland Security's Permanent Subcommittee on Investigations, which stated that its objective was to raise consumer awareness and pressure ad networks to clean up the problems. The report is called "Online Advertising and Hidden Hazards to Consumer Security and Data Privacy" and is dated May 15, 2014. Senator Carl Levin and Senator John McCain led the committee.

At least some attention is being brought to this problem; it's a start. Now let's see what kind of results they can achieve. Sorry for my pessimism, but I'm not going to be holding my breath on this. Unless they are able to exact financial repercussions on the networks, in my opinion little will change.

A PDF of the report is here:
http://www.hsgac.senate.gov/download/report-online-advertising-and-hidden-hazards-to-consumer-security-and-data-privacy-may-15-2014

You can also find the transcripts from the associated hearing on May 15, 2014 here:
http://www.hsgac.senate.gov/hearings/online-advertising-and-hidden-hazards-to-consumer-security-and-data-privacy

Credit to the Spyware Sucks blog, which highlighted this report. Go check out his blog; he has interesting posts there.

April 2, 2011

NSA to investigate NASDAQ hack

Several sources are reporting that the National Security Agency (NSA) is looking into the breach that the company running NASDAQ experienced back in October 2010.

Bloomberg News interviewed Joel Brenner, former head of U.S. counterintelligence in the Bush and Obama administrations, who stated: “By bringing in the NSA, that means they think they’re either dealing with a state-sponsored attack, or it’s an extraordinarily capable criminal organization.”

It's being reported that other U.S. Federal Govt agencies (FBI, Secret Service) are assisting as well.

Kim Zetter (@KimZetter) over at Wired Magazine has a good article on this topic:
http://www.wired.com/threatlevel/2011/03/nsa-investigates-nasdaq-hack/

May 11, 2009

New information security bill to replace FISMA

There's yet another cyber security bill introduced in the US Senate; this one is called the 2009 U.S. Information and Communications Enhancement Act. While the others affect both government and private industry, this one aims to strengthen information security within government offices.

It's an update to FISMA, which has long been criticized for not requiring agencies to demonstrate compliance. This bill focuses more on measuring actual security rather than on report writing, which is FISMA's focus. It requires the Commerce Department to establish standards for securing government systems. It takes information security management away from the DOD and NSA and limits DHS' role to incident response and the defenses provided by US-CERT. I'm not sure I agree with that as there are some talented folks at DHS and US-CERT.

You can read the whole bill here: http://www.govexec.com/nextgov/042809/ICE_Bill.pdf

March 15, 2009

Message to US Adversaries: You Have Plenty of Time to Launch Cyber Attack

This is basically what the US government is telegraphing to those who want to attack our infrastructure. This conclusion of mine was for the most part confirmed today when I read the ThreatChaos post about the National Cybersecurity Center director (Rod Beckstrom) resigning after only a year in office and with little accomplished (not for lack of trying, I might add).

Read his resignation letter, which is posted here. It's very telling of the issues in the agency. His two main complaints and reasons for leaving are power fights with the NSA (i.e., no power or authority to do the job he was given) and lack of funding. It sounds like this new center was doomed from the start.

He said he had only 3 people on his staff and 5 weeks of funding. What? No wonder he couldn't get much completed. This office's mission was to address the lack of cyber security within the US Federal government, and it's expected to accomplish this with 3 people and no funding?

The other main issue has to do with fighting with the NSA over the program. The NCSC is in DHS, yet the NSA wants this role, and according to Beckstrom's letter some in DHS were putting roadblocks in his way. To make matters more difficult, the Director of National Intelligence is putting his support behind the NSA.

Now another year has gone by, cyber security is still not a priority for the US Federal government, and the mess still exists. Many Federal agencies are doing cyber security work that overlaps with each other, and a central coordinating agency still does not exist.

One idea I'm hearing is the creation of a new armed forces branch to be in charge of cyber security, and I think that's a great idea. A decision needs to be made soon, and we need to get moving on improving our nation's cyber security from both a defensive and an offensive standpoint. Our adversaries aren't waiting; they continue to attack and breach our defenses.

There is one piece of good news, however: on February 9th, 2009, President Obama issued a directive to conduct an immediate cyber security review of all plans, programs, and activities underway throughout the government dedicated to cyber security. They have 60 days to complete it. Press release here. I'm glad they are trying, but I'm not holding my breath that decisions will be made soon (i.e., within weeks) after this review is completed, and it's entirely possible we'll still be waiting by the next election cycle this November.

My plea to the policy makers in the US Federal government: stop advertising our confusion and uncertainty, make the decisions that need to be made, execute on those decisions, and start showing our adversaries we are serious about cyber security before it's too late. Oh, and by the way, there are plenty of good people in private industry who are willing to help you.