State of Security: Fed FISMA Fizzle, PCI Fine Lawsuit, Targeted Attack Report, ENISA Flash Note
Feds Take Two Steps Backward on FISMA Compliance…
According to a new report from the White House, the federal made no progress last year in their efforts to come into compliance with FISMA regulations. In fact, they did not even manage to meet compliance levels from the prior year. Simultaneously, “the total number of reported incidents impacting the Federal Government increased by approximately 5% from FY 2011 while the number of reported incidents from all sectors combined increased by approximately 42% for the same period.” Yikes.
The annual Report to Congress on the Implementation of The Federal Information Security Management Act fro Fiscal Year 2012 reveals that while the cost of securing information systems increased by one billion dollars, the federal government was less compliant with security standards than they were in 2011. Not exactly the metric you look for after such a hefty increase in spending. Why the regression? Simply, put, security is hard, and te federal ?IT infrastructure is big – really big – which means securing it is really hard.
FISMA “requires agencies to provide information security protections commensurate with risks and their potential harms to federal information,” and the efforts to do so are guided by three principle initiatives which focus on “what data and information is entering and exiting agency networks (Trusted Internet Connections, or TIC); what components are on agency information networks and when their security status changes (continuous monitoring); and who is on agency systems (strong authentication using HSPD – 12 Personal Identity Verification credentials).”
To those ends, DHS last year worked with other agencies to “update the TIC baseline security capabilities in the TIC architecture, based on evolving and increasingly sophisticated threats,” according to the report. As for monitoring, the feds deployed the NCPS EINSTEIN 3 intrusion detection system which will “provide US – CERT and agency CERT teams with an increased set of defensive capabilities to detect, collect, act upon and report on cybersecurity events in near real-time.”
In addition, “OMB, DHS and NIST are working together to define a standards – based approach for continuous monitoring capabilities, developing viable and cost – effective approaches to measure capabilities derived from continuous monitoring data,” as well as working on improving threat data sharing.
On the authentication front, the report notes that “the majority of federal employees and contractors [have] received PIV smartcard credentials in FY 2012,” and that the “NIST is in the process of finalizing revision 2 of the HSPD – 12 standard, FIPS 201, to address the integration of PIV credentials with mobile devices and advances in technology.”
Regardless of these accomplishments, the report also notes that:
- - Only 88% of federal employees received security awareness training, down from about 99% in 2011
- Automated Configuration Management capabilities dropped from 78% to 70%
- - Only 57% of user login credentials require tokens, down from 66% in 2011
- Remote Access Authentication, Remote Access Encryption, and US-CERT SAR Remediation levels all remained relatively unchanged
- - Overall, the federal government’s FISMA compliance scores dropped from 75 percent in 2011 to 74 percent in 2012
Hacked Retailer Sues Visa Over $13 Million Fine…
In what will be the first ever case of a retailer suing one of the powerful credit card brands that make up the self-regulating PCI Security Standards Council for a post-breach fine, sportswear merchandiser Genesco is seeking to recoup $13 million dollars in damages for what a spokesman for the National Retail Federation characterizes as a “near scam” – the levying of steep penalties for the loss of consumer credit card data, even if there is no hard evidence that any data has actually been stolen in an event.
In late 2010, Genesco disclosed to the public that they had found data-sniffing malware on their systems, and acknowledged that the presence of the malicious agents may have exposed consumer credit card information. Forensic investigators were unable to confirm whether or not any data was actually lost to hackers, but nonetheless VISA handed down a stiff “fine” for the event of $13 million, which was said to also have covered operating expenses for the card brand that were a result of the event.
The retailer maintains that regular reboots of the network’s servers would have overwritten any log data the hackers may have been after, and that all information in transit in the company’s systems is encrypted. The malware found was designed only to intercept unencrypted data, so based on these conditions, Genesco is certain that no data could have been lost.
“[R]eboots of the intruded-upon servers in the Genesco cardholder data environment caused any log files that may have contained data relative to those accounts to be overwritten by the intruder(s)’ malware prior to the intruder(s)’ having an opportunity to exfiltrate those files from Genesco’s network… as a result of such overwriting Genesco did not even suffer a possible theft of cardholder data with respect to many of the accounts cited by Visa,” Wired’s Kim Zetter reported the complaint as stating.
This is not the first time merchants have complained about the cram-down compliance and self-serving nature of PCI standards, and numerous analysts have predicted that the days of the big five credit card brands having unregulated dominion over the payment card industry may be numbered. The issue last came to a head when compromised payment processor Heartland had its PCI compliance status revoked after suffering a long term systems breach – an incident that was occurring at the same time the company passed a security audit by a PCI Council certified examiner.
In defending the revocation, PCI SSC chief Bob Russo said something to the effect of ‘no PCI compliant company has ever been breached,’ regardless of the fact that the council granted a compliant status mid-breach. Subsequently, the card brands, merchants, banks, and payment processors all took turns throwing one another under the bus during Congressional hearings, and the whole house of cards almost came tumbling down.
If Genesco is successful in suing VISA (and probably later MasterCard, who also levied fines), this could be the dawn of a merchant-led revolt that spells the beginning of the end for the payment card industry’s self-regulatory fiefdom.
Mandiant Issues Annual Report on Targeted Attacks…
Security provider Mandiant, who made headlines in the weeks prior to the RSA conference with a report detailing Chinese government sponsored cyber espionage activities, as released their annual examining sophisticated and highly targeted attacks. M-Trends 2013: Attack the Security Gap (registration required) is the fourth installment of the series and details the most prevalent attack scenarios employed to pilfer sensitive data from a wide variety of targeted organizations, as well as the best methodologies to date being used to thwart their illicit efforts.
“We’ve seen first-hand that a sophisticated attacker can breach any network given enough time and determination. It’s not enough for companies to ask ‘Are we secure?’ They need to be asking ‘How do we know we’re not compromised today? How would we know? What would we do about it if we were?’” Mandiant vice president report co-author Grady Summers said in a press release.
the most heavily targeted industries continues to be aerospace/defense, followed by energy, pharma and financial. The report’s highlights include:
- - Nearly two-thirds of organizations learn they are breached from an external source.
Targeted attacks continue to evade preventive defenses, but organizations are getting better at discovering them on their own. Still, a full 63 percent of victims were made aware they had been breached by an external organization such as law enforcement.
- - The typical advanced attack goes unnoticed for nearly eight months.
Attackers spend an estimated 243 days on a victim’s network before they are discovered – 173 days fewer than in 2011. Though organizations have reduced the average time between compromise and detection by 40%, many are still compromised for several years before detecting a breach.
- - Attackers are increasingly using outsourced service providers as a means to gain access to their victims.
As companies continue to outsource business processes such as finance, accounting, HR, and procurement, advanced attack groups are increasingly taking advantage of those relationships to gain access to the organizations.
- - Attackers are using comprehensive network reconnaissance to help them navigate victims’ networks faster and more effectively.
Attackers are frequently stealing data related to network infrastructure, processing methodologies, and system administration guides to gather the reconnaissance data they need to more quickly exploit network and system misconfigurations.
- - Advanced Persistent Threat (APT) attackers continue to target industries that are strategic to their growth and will return until their mission is complete.
Mandiant observed a relationship between the strategic priorities of the People’s Republic of China (PRC), the operations of PRC state-owned enterprises (SOEs), and data stolen through cyber intrusions from a wide variety of clients and industries. Of the top three industries repeatedly targeted, aerospace topped the list, followed by energy, oil and gas, and pharmaceuticals.
- - Once a Target, Always a Target
Organizations are being targeted by more than one attack group, sometimes in succession. In 2012, 38% of targets were attacked again once the original incident was remediated. Of the total cases Mandiant investigated in 2012, attackers lodged more than one thousand attempts to regain entry to former victims.
ENISA Warns of Old Dogs, New Tricks…
The European Network and Information Security Agency’s (ENISA) issued a brief report which urges “Europe’s businesses and government organisations to take urgent action to combat emerging attack trends” that are “characterised by old attack methods” that have been “given a new edge” and are being employed in a “smarter, more targeted way. The advisory was issued in response to the latest wave of cyber attacks as documented in reports examining Red October, MiniDuke, and the Mandiant analysis of Chinese exploits.
“Well known cyber-attack methods, such as spear-phishing, are still very effective. However, much can be done to counter these attacks – by making users aware of traps, and by ensuring that better security measures are in place. In cyberspace, it is difficult to be sure where attacks originate, so the focus should be on preventing and mitigating attacks, regardless of where the attackers are based,” ENISA’s Executive Director, Professor Udo Helmbrecht said.
Key elements of the advisory include:
- Cyberspace has no borders: It should be stressed that attribution of cyber-attacks is in general difficult. In cyberspace it is very easy to wipe traces or to create fake traces. This severely complicates identification of the attackers, and makes prosecution highly problematic
- Common attack methods: Including phishing, spoofing, social engineering, and zero-days
- - Failing security measures: Phishing filters and anti-virus products can protect organizations from certain large-scale attacks, but there are many ways for attackers to stay under the radar
- - In cyber-space, prevention is key: If targets are unprotected, their weaknesses are going to be exploited by adversaries, regardless of their origin and motives
- - Email is insecure: In the long term, industry, government and businesses should investigate alternative communication channels which better protect users from spoofing or phishing
- - Software vulnerabilities: Organizations and businesses should proactively reduce the attack surface by reducing the complexity of software installed on user devices and reducing the permissions of users to access other devices, services and applications by applying the principle of least privilege
Image courtesy of ShutterStock
Categories: Off Topic