Sunday, August 9, 2015

CIS 608/301 – Week 9 Blog Post: Pentagon Email Hacked

The Pentagon was the target of a recent and successful breach involving the Joint Chiefs of Staff email system. The attack occurred sometime around July 25th and the email system, which serves over 4,000 personnel, has been down since that time (Vanden Brook & Winter, 2015). The attack vector used to penetrate the network was spear-phishing, and it was noted that a previously unseen vulnerability was exploited. Based on this, officials believe that a state actor was involved in the breach. The Pentagon and other federal agencies have been under sustained attack from suspected state-sponsored actors, with the most recent breach involving the Office of Personnel Management (OPM) resulting in the compromise of information on an estimated 22 million people.
For this most recent attack, officials are pointing to Russia based on the nature of the attack, which does not appear to be in line with suspected Chinese attack behavior. The attack employed an automated system to rapidly gather a massive amount of data within a minute and distribute it to thousands of accounts across the Internet, with encrypted social media accounts used for coordination. This would not be Russia's first venture into federal email systems, as Russia is also suspected of a breach at the State Department back in October 2014. While no classified information is believed to have been compromised, given that the system was unclassified, a great deal of sensitive information was likely compromised, including the president's personal schedule.
Spear phishing has been on the rise in the past few years across all organizations, and cyber-espionage incidents have involved spear phishing in nearly two thirds of cases (Verizon, 2015). Also, as noted above, the government is well aware of the intent of multiple state actors to breach federal organizations and compromise information. The federal government took only a couple of weeks to attribute this latest attack to Russia, though of course there is rarely a smoking gun in cases such as this. The government is also taking very specific steps to remedy this breach, including scrubbing the entire system, revamping part of the system, creating mock hacking scenarios, performing red team evaluations, conducting training for all personnel and distributing information to the rest of the federal government (Youssef, 2015).
Given the response actions taken and the short time-frame involved, the government appears to have a very good idea of how it will be attacked and of how to prepare for and respond to such attacks. What this does not explain is why, with such a firm understanding of the adversary and the types of attacks involved, these attacks continue to be so successful and continue to result in massive breaches of federal organizations. Each organization in the federal government is charged with the proper stewardship of precious and scarce resources, and these continuing failures indicate this is not happening. Hopefully the government will take a very hard look at the continuing causes of these failures and begin to hold organizations accountable for them. The likely response from the organizations will be that they do not have the resources necessary to protect their systems. However, cyber security is part of the mission of every organization, and any organization that cannot execute its mission should be held accountable and either shut down or have its mission transferred to another organization within the federal government that can execute it. Only with accountability will these organizations begin to take cyber security seriously and work to implement what they apparently already know.

Works Cited

Vanden Brook, T., & Winter, M. (2015, August 7). Hackers penetrated Pentagon email. Retrieved August 7, 2015, from usatoday.com: http://www.usatoday.com/story/news/nation/2015/08/06/russia-reportedly-hacks-pentagon-email-system/31228625/
Verizon. (2015). 2015 Data Breach Investigations Report. Retrieved August 7, 2015, from cyberactive.bellevue.edu: https://cyberactive.bellevue.edu/bbcswebdav/pid-7308760-dt-content-rid-9574545_2/courses/CIS608-T301_2157_1/CIS608-T301_2157_1_ImportedContent_20150529052136/Verizon-DBIR-2015.pdf
Youssef, N. A. (2015, August 5). Pentagon Hack ‘Most Sophisticated’ Ever. Retrieved August 7, 2015, from thedailybeast.com: http://www.thedailybeast.com/cheats/2015/08/05/joint-chiefs-of-staff-hacked.html


Sunday, August 2, 2015

CIS 608/301 – Week 8 Blog Post: The New NIST 1800 Series

The National Institute of Standards and Technology (NIST) recently announced a new series of Special Publications, in addition to the existing 800 and 500 series, which will be known as the 1800 series. NIST is charged with developing security standards for the federal government, a role further bolstered by passage of FISMA (NIST, 2015). This new line of special publications is in line with that mission and should further enhance NIST's ability to provide sound guidance to the federal government. The stated purpose of the new series is to complement the SP 800 documents, target specific cyber security challenges and facilitate adoption of standards-based approaches to cyber security. The current draft is actually a series of documents, SP 1800-1a through 1800-1e (NIST, 2015), and encompasses a summary, an architecture, a how-to guide for security engineers, a standards and controls mapping, and a risk assessment document.

The draft 1800-1 series is based on securing health records on mobile devices but goes beyond what the related SP 800-66, "An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule", provides. While a beneficial guide, 800-66 is a standards-based document that intentionally leaves a lot of details out. In contrast, 1800-1 includes a significant amount of detail for cyber security professionals and management alike. As stated, the 1800 series seeks to aid in implementation of the 800 series, and this first set of documents appears to do just that. The 1800-1 documents provide specific examples of implementing a method for securing health records on mobile devices, something that has been missing for some time from efforts to implement NIST guides. An example from another agency that does provide specific configuration detail is the Department of Defense Security Technical Implementation Guides (STIGs), which provide detailed configurations for securing many types of information systems as well as for implementing the associated and necessary policies and related documentation.

This new series is a welcome addition to the NIST publication line. Judging by this first draft, NIST is right on point in providing details that will aid anyone implementing NIST guidelines. While 1800-1 is only in draft form and is the only document, or series as previously noted, released thus far, there are numerous other areas of interest to the community, and hopefully we will not have to wait too long before these are addressed in the new 1800 series.

Works Cited

NIST. (2015, July 28). DRAFT Securing Electronic Health Records on Mobile Devices. Retrieved August 1, 2015, from csrc.nist.gov: http://csrc.nist.gov/publications/PubsDrafts.html#SP-1800-1
NIST. (2015). Federal Information Security Management Act (FISMA) Implementation Project. Retrieved August 1, 2015, from nist.gov: http://www.nist.gov/itl/csd/soi/fisma.cfm



Sunday, July 26, 2015

CIS 608/301 – Week 7 Blog Post: Controlling Risk in the Federal Government?

A number of strategies exist for controlling risk, including defense, transferal, mitigation, acceptance and termination (Whitman & Mattord, 2014). The first, defense, seeks to put in place safeguards to eliminate or reduce risk. Transferal seeks to shift risk outside of the organization, such as with outsourcing or insurance. Mitigation is the application of controls to reduce the impact to organization resources during an attack. Acceptance occurs when an organization chooses to leave a certain amount of risk in the system(s). This typically occurs for two reasons: risk cannot be eliminated fully under any reasonable circumstance, and funds are scarce. Termination seeks to remove systems from the organization, such as the federal government did with Windows XP systems, or at least tried to do, after Microsoft support ended.

Another term that is often mentioned when addressing risk is defense-in-depth. This strategy is in line with the strategies listed above and seeks to ensure security mechanisms exist throughout the system architecture so that an attack is less likely to be successful. There are several areas in an organization that can be addressed. The National Institute of Standards and Technology lists 18 separate families of InfoSec controls in SP 800-53 Revision 4 that together address all areas of the information system architecture (National Institute of Standards and Technology, 2013). An organization that implements these controls across its architecture will be able to achieve defense-in-depth within its systems.

An example of the benefits of these strategies can be seen in a typical attack taking place across an Internet connection. The first thing that must be available is an attack vector to a target system. The second is that the target system must generally have a vulnerability that can be exploited. Last, the attack needs a path for exfiltration of data or for any malware installed on the victim system to communicate back. The strategy of defense could deny all three of these factors. A mitigation strategy would ensure backups are available for the data as well as a means of rebuilding the victimized system. Transferal could also aid via insurance payments or offloading responsibility to a third party provider. Several families of the NIST controls would play into these protections, including access control, audit and accountability, awareness and training, configuration management, incident response, system and services acquisition, system and communications protection, and system and information integrity.

How well these strategies and controls get implemented is another story. One has to consider funding as well as the vast size of the federal government, including the diversity of its many branches and organizations. Included in this should be an understanding of the differences between a headquarters office at the Department of Homeland Security and a very small remote office with limited staff. There is likely to be a wide range of capability between two such offices, and organizations must be aware of this in planning InfoSec strategies. Mandating controls that a small site does not understand or lacks the capability to manage will not aid in securing systems, no matter how well the "awareness and training" family of controls is implemented. Funding is also a serious concern. With the OPM data breach (see previous post), there was adequate warning of security issues and also a significant lapse of time before the breach was discovered and reported. This is likely to be at least partially attributable to a lack of funding for IT and security staff and resources. If intrusion detection systems are deployed, that certainly would satisfy one of the controls, but it serves no purpose if there is not enough staff to actually monitor the systems. Likewise, when staff resources are stretched and then pressed between keeping a system up and running or patching vulnerabilities, typically the mission will win out and the vulnerabilities will remain. This does not absolve any organization of responsibility for breaches, but decision makers should be aware that a lack of investment in both IT and security has consequences and may in fact accelerate those consequences.

Works Cited

National Institute of Standards and Technology. (2013, April). Security and Privacy Controls for Federal Information Systems and Organizations. Retrieved July 24, 2015, from nvlpubs.nist.gov: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf

Whitman, M. E., & Mattord, H. J. (2014). Management of Information Security. Stamford: Cengage Learning.

Sunday, July 19, 2015

CIS 608/301 – Week 6 Blog Post: Risk Management Framework Step 1 – Categorize Information System

Per National Institute of Standards and Technology Special Publication 800-37 Revision 1, the first step in the Risk Management Framework (RMF) is to categorize the information system (NIST, 2010). The guide to categorizing non-national security systems is FIPS 199 (NIST, 2004) and the guide for national security systems is CNSSI 1253 (CNSS, 2012). Both documents reference the need to identify the information types a system processes as a prerequisite to determining the impact levels for confidentiality, integrity and availability (CIA). This is part of categorizing an information system and is a direct input into selecting the appropriate security controls in step 2.

The NIST guide used to determine information types is SP 800-60 (Stine, Kissel, Barker, Fahlsing, & Gulick, 2008). This document, along with its appendices, aids organizations in identifying the information types that have been defined and their applicability to the organization. The documents also identify the provisional impact levels for confidentiality, integrity and availability for each type. While most have probably not read these and the associated documents, they serve as the foundation of the RMF since they are part of step 1 and affect everything that follows.
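The categorization step described above, as an added worked example written for this post (illustrative code, not a NIST tool): it records each information type in the FIPS 199 "SC = {(objective, impact), ...}" notation and then applies the high-water mark rule from FIPS 200 to derive the system's categorization and overall impact level. The information types, their provisional impact levels and the function names are assumptions for illustration; real provisional impacts come from SP 800-60 Volume II and are adjusted by the organization.

```python
"""Security categorization of an information system (RMF step 1).

Illustrative code written for this blog post, not a NIST tool. It applies
the FIPS 199 notation and the FIPS 200 high-water mark rule to a constructed
set of information types with assumed provisional impact levels.
"""
from typing import Dict, Mapping, Tuple

# FIPS 199 impact levels. "N/A" is permitted only for the confidentiality
# objective of information that is intentionally public.
IMPACT_RANK = {"N/A": 0, "LOW": 1, "MODERATE": 2, "HIGH": 3}
OBJECTIVES = ("confidentiality", "integrity", "availability")

# Constructed sample: information type -> (C, I, A) provisional impact levels.
# These values are assumptions for the example, not taken from SP 800-60.
SAMPLE_INFO_TYPES: Dict[str, Tuple[str, str, str]] = {
    "Personnel records": ("MODERATE", "MODERATE", "LOW"),
    "Public web content": ("N/A", "MODERATE", "LOW"),
    "Incident response data": ("MODERATE", "HIGH", "MODERATE"),
}


def validate_impacts(name: str, impacts: Tuple[str, str, str]) -> None:
    """Reject malformed or disallowed impact assignments before they are used."""
    if len(impacts) != len(OBJECTIVES):
        raise ValueError(f"{name}: expected {len(OBJECTIVES)} impact levels, got {len(impacts)}")
    for objective, level in zip(OBJECTIVES, impacts):
        if level not in IMPACT_RANK:
            raise ValueError(f"{name}: unknown impact level {level!r} for {objective}")
        if level == "N/A" and objective != "confidentiality":
            raise ValueError(f"{name}: N/A is only allowed for confidentiality, not {objective}")


def high_water_mark(info_types: Mapping[str, Tuple[str, str, str]]) -> Dict[str, str]:
    """Per-objective maximum across every information type the system handles."""
    if not info_types:
        raise ValueError("a system must process at least one information type")
    sc = {objective: "N/A" for objective in OBJECTIVES}
    for name, impacts in info_types.items():
        validate_impacts(name, impacts)
        for objective, level in zip(OBJECTIVES, impacts):
            if IMPACT_RANK[level] > IMPACT_RANK[sc[objective]]:
                sc[objective] = level
    return sc


def overall_impact(sc: Mapping[str, str]) -> str:
    """FIPS 200 rule: the system's impact level is the highest of the three objectives."""
    level = max(sc.values(), key=lambda lvl: IMPACT_RANK[lvl])
    if level == "N/A":
        raise ValueError("integrity and availability can never be N/A")
    return level


def format_sc(label: str, sc: Mapping[str, str]) -> str:
    """Render the FIPS 199 'SC label = {(objective, impact), ...}' notation."""
    parts = ", ".join(f"({objective}, {sc[objective]})" for objective in OBJECTIVES)
    return f"SC {label} = {{{parts}}}"


if __name__ == "__main__":
    for name, impacts in SAMPLE_INFO_TYPES.items():
        print(format_sc(name, dict(zip(OBJECTIVES, impacts))))
    system_sc = high_water_mark(SAMPLE_INFO_TYPES)
    print(format_sc("system", system_sc))
    print("Overall impact level:", overall_impact(system_sc))
```

With the constructed types above the system comes out MODERATE for confidentiality, HIGH for integrity and MODERATE for availability, so the system as a whole is HIGH and the step 2 baseline would be the HIGH baseline. Note that a single information type with one HIGH objective pulls the whole system up, which is exactly why the analysis of information types in step 1 matters so much.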

Of note in this process of categorizing systems based on information types is that the classification of systems themselves appears to take a secondary role, though the documents do mention it. This is an interesting take and somewhat resembles the approach of industry. Industry has moved towards service-based delivery and quantifies its services and associated contracts in service level agreements, or SLAs. Government does not appear anywhere close to being able to qualify or quantify its services or to sign an SLA guaranteeing a standard level of service. However, forcing government agencies to go through the process of focusing on information types is a way of focusing on what the organization is providing to its customers. This is a step in the right direction for organizations to understand their systems and functions from a service and service level perspective, and also to understand the IT systems supporting those services in that same context. When an organization begins to understand the services it provides, it gains a much better understanding of the systems that support those services. When that occurs, it is in a much better place to really understand the risk to its systems and services and to better apply risk management.

Works Cited

CNSS. (2012, March 15). Security Categorization and Control Selection for National Security Systems (CNSSI No. 1253). Retrieved July 16, 2015, from http://www.sandia.gov/fso/PDF/flowdown/Final_CNSSI_1253.pdf
NIST. (2004, February). Standards for Security Categorization of Federal Information and Information Systems (FIPS PUB 199). Retrieved July 16, 2015, from csrc.nist.gov: http://csrc.nist.gov/publications/fips/fips199/FIPS-PUB-199-final.pdf
NIST. (2010, February). Guide for Applying the Risk Management Framework to Federal Information Systems (SP 800-37 Rev. 1). Retrieved July 16, 2015, from nvlpubs.nist.gov: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-37r1.pdf
Stine, K., Kissel, R., Barker, W. C., Fahlsing, J., & Gulick, J. (2008, August). Guide for Mapping Types of Information and Information Systems to Security Categories (Volume I) (SP 800-60 Rev. 1). Retrieved July 16, 2015, from csrc.nist.gov: http://csrc.nist.gov/publications/nistpubs/800-60-rev1/SP800-60_Vol1-Rev1.pdf

Sunday, July 12, 2015

CIS 608/301 – Week 5 Blog Post: New Federal Government Overreach?

Sometimes it is difficult to determine whether the federal government is genuinely interested in assisting the private sector in solving problems or is simply interested in assuming additional authority over the private sector. In the case of cybersecurity, it appears that the government is united in its support of strengthening security against criminal hackers and especially state-sponsored hackers. The issue does not belong to either party but is the domain of both major parties. According to one article, a poll of defense leaders across the military, national security policy, the defense industry and congressional staffs found that the top security threat to the United States was cybersecurity, among both Democrats and Republicans (Herb, 2014). Americans understand that cybersecurity is now a critical aspect of national security. The problem is that much of our national critical infrastructure is tied to the Internet and exists outside of direct government oversight, though the government does maintain some oversight of certain industries via regulations.

On February 12, 2014, the federal government, through the National Institute of Standards and Technology, released the Framework for Improving Critical Infrastructure Cybersecurity. The development of this framework was driven by Presidential Executive Order 13636, "Improving Critical Infrastructure Cybersecurity", which directed enhanced security and resilience of the Nation's critical infrastructure and the maintenance of an improved cybersecurity environment (National Institute of Standards and Technology, 2014). The development was based on collaboration between the federal government and private industry in the hope that it would encompass private sector concerns and be more easily adoptable by organizations in industry. The framework core can mostly be displayed in a spreadsheet: a column of five core functions, each subdivided into categories (similar to NIST 800-53 security controls) and subcategories (similar to NIST 800-53 control enhancements). The spreadsheet also contains a limited mapping to other security standards and is intended to be a best-practices model that can be easily adopted by industry. There are a few other components of the framework, including the Framework Implementation Tiers, which primarily allow an organization to be rated (or to rate itself) against four tiers from Partial (Tier 1) to the most advanced, Adaptive (Tier 4). The final component is the Framework Profile, where organizations develop a profile based on their industry, business and information security needs in light of what the Framework provides.

Adoption of the new framework has been ongoing since its creation, though it has yet to be widely adopted. One article noted that some critical infrastructure companies in banking have begun proactively adopting the framework (Raysman & Morris, 2014). Of note is that the banking industry is already highly regulated when it comes to cybersecurity under the Gramm-Leach-Bliley Act (GLBA) among others, meaning that such an organization is voluntarily incurring additional costs for implementing and tracking compliance with this voluntary framework on top of other regulations that are currently mandatory. Another article noted that security mainstay Symantec Corporation has already proactively adopted the framework into its security practices (Jackson, 2014). The article goes on to note that some see it as a semi-coercive attempt to begin regulating cybersecurity in industry and that it is not widely adopted at this point. One could hardly be critical of industry concerns about governmental reach into industry, even though the framework was developed with industry participation, given the widely panned overreach of the NSA based on a flawed interpretation of the Patriot Act, among other revelations of NSA and governmental activities. Still, some companies have proactively begun adopting the framework; whether for liability purposes as noted in (Jackson, 2014) or out of genuine concern over cybersecurity is not known. It is expected that adoption will be uneven in industry, as the bottom line, along with estimates of any resultant liability for non-compliance with a voluntary framework, will drive most industry decisions on adoption or non-adoption of the framework.

The Framework for Improving Critical Infrastructure Cybersecurity is currently at version 1.0 and it is understood that updates will be coming (Jackson, 2014). How long will it be until some critical infrastructure is hacked and the resultant uproar points to the inevitable new laws to bring order to the chaos? In our highly connected country with its 24-hour news cycle, outrage is spread quickly across the country at various events, most recently the murders in Atlanta and the actions that followed from the resultant pressure. This is not to say that this model of interaction is either good or bad, but to acknowledge that it is simply the way our society works at present. What it portends is a reaction across the US among citizens, government officials and elected officials that would be predisposed towards a national response, which would then necessitate a governmental takeover of responsibility for, or strict oversight of, cybersecurity for all critical infrastructures. With the existing Framework for Improving Critical Infrastructure Cybersecurity already in place and partially adopted by industry, the only logical step would be a new law mandating its implementation across all associated industry.

Works Cited

Herb, J. (2014, January 6). Poll: Cybersecurity Top National Security Threat. Retrieved July 10, 2015, from thehill.com: http://thehill.com/policy/defense/194475-poll-cybersecurity-top-national-security-threat
Jackson, W. (2014, April 21). Protecting Critical Infrastructure: A New Approach. Retrieved July 10, 2015, from informationweek.com: http://www.informationweek.com/government/cybersecurity/protecting-critical-infrastructure-a-new-approach/d/d-id/1204577
National Institute of Standards and Technology. (2014, February 12). Framework for Improving Critical Infrastructure Cybersecurity. Retrieved July 10, 2015, from nist.gov: http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf
Raysman, R., & Morris, F. (2014, December 18). CIOs Ignore the NIST Cybersecurity Framework at Their Own Peril. Retrieved July 10, 2015, from blogs.wsj.com: http://blogs.wsj.com/cio/2014/12/18/cios-ignore-the-nist-cybersecurity-framework-at-their-own-peril/

Sunday, July 5, 2015

CIS 608/301 – Week 4 Blog Post: Configuration Management

Configuration management is identified as one of the security control families within the NIST 800-53 document (National Institute of Standards and Technology, 2013). This is not to be confused with security configuration management, or SCM as it is known. SCM is concerned with the security configuration settings on a system, such as those in the Security Technical Implementation Guides (STIGs) available for Department of Defense systems. Configuration management is based on defining a baseline of the hardware and software installed on a system and the policies and procedures that control and enforce that baseline.

Beyond information security, configuration management is one of the foundations of developing an effective information technology program within an enterprise. While it is defined as a security control, it is also defined in other processes such as the Information Technology Infrastructure Library, or ITIL (HP, 2007). Understanding the hardware and software within an organization feeds directly into understanding the environment and populating a configuration management database (CMDB). While configuration management is primarily concerned with understanding what is deployed on the network at any given time, other processes such as change management are charged with tracking those changes and ensuring that the CMDB is updated accordingly.

Unfortunately, configuration management is not very easy, typically growing in complexity, difficulty and labor requirements as the enterprise grows in size. While it seems straightforward, keeping track of what is deployed can be very difficult. Factors such as mission requirements, emergency changes, complex environments with multiple operating systems and other systems, lack of training and others can each undermine configuration management. Also, being forced to go through tedious processes can seem cumbersome and a waste of time to personnel who simply want to keep their systems running, meaning that it is also a cultural problem. Limited funding in a less than stellar economy means that staff are likely burdened with responsibilities, most of which their jobs depend on and which will thus always receive priority over something as seemingly extraneous as CM.

While there are many issues with implementing CM, they do not negate the necessity of getting it right. IT services depend on accurate CM, especially if an organization has service level agreements (SLAs) to meet. Failure to ensure all systems are updated (easier if CM is accurate) can result in broken systems when corrective fixes cannot be applied where and when needed with accuracy. Such issues in managing the IT infrastructure are what lead to security issues where like systems are constantly at different software versions and configurations, leading to vulnerabilities on the network that can be exploited months or even years after patches are released. Making a commitment to CM can go a long way towards shoring up many of these issues, but that commitment will likely only occur when management sees a direct correlation between CM and the bottom line, and is thus likely to be uneven across organizations.
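One way to make the "like systems at different versions" problem visible, as an added example written for this post rather than anything from ITIL or NIST: compare each host's observed software inventory against the approved baseline for its role and report what is missing, behind the baseline (a patch gap), ahead of it (an unrecorded change) or not in the baseline at all. The baseline, roles, host names and package versions are constructed for illustration; in a real run the inventory would come from an agent, a scanner or a CMDB export.

```python
"""Baseline drift check: observed host inventory vs. the approved CM baseline.

Illustrative code written for this blog post, not an ITIL or NIST tool.
The baseline, host roles and installed-package data are constructed for
the example; in practice the inventory comes from an agent, a scanner or
a CMDB export.
"""
import re
from typing import Dict, List, Mapping, Tuple

# Approved baseline per system role: package -> expected version.
# Package names and versions are assumptions for the example.
BASELINE: Dict[str, Dict[str, str]] = {
    "web": {"httpd": "2.4.16", "openssl": "1.0.2d", "php": "5.6.12"},
    "db": {"postgresql": "9.4.4", "openssl": "1.0.2d"},
}

# Constructed inventory: host -> (role, {package: installed version}).
INVENTORY: Dict[str, Tuple[str, Dict[str, str]]] = {
    "web01": ("web", {"httpd": "2.4.16", "openssl": "1.0.2d", "php": "5.6.12"}),
    "web02": ("web", {"httpd": "2.4.12", "openssl": "1.0.1p", "php": "5.6.12",
                      "telnet-server": "0.17"}),
    "db01": ("db", {"postgresql": "9.4.4"}),
}


def version_key(version: str) -> Tuple[Tuple[int, object], ...]:
    """Turn '1.0.2d' into a tuple that orders numerically by component and
    alphabetically by letter suffix, without ever comparing int to str."""
    tokens = re.findall(r"\d+|[A-Za-z]+", version)
    return tuple((0, int(t)) if t.isdigit() else (1, t) for t in tokens)


def check_host(host: str, role: str, installed: Mapping[str, str],
               baseline: Mapping[str, Mapping[str, str]]) -> List[str]:
    """Return one finding per deviation from the role's baseline, in a stable order."""
    expected = baseline.get(role)
    if expected is None:
        return [f"{host}: UNKNOWN ROLE {role!r}, nothing to check against"]
    findings: List[str] = []
    for pkg, want in sorted(expected.items()):
        have = installed.get(pkg)
        if have is None:
            findings.append(f"{host}: MISSING {pkg} (baseline {want})")
        elif version_key(have) < version_key(want):
            findings.append(f"{host}: BEHIND {pkg} {have} < {want} (patch gap)")
        elif version_key(have) > version_key(want):
            findings.append(f"{host}: AHEAD {pkg} {have} > {want} (unrecorded change)")
    # Anything installed that the baseline does not list is unapproved software.
    for pkg in sorted(set(installed) - set(expected)):
        findings.append(f"{host}: UNAPPROVED {pkg} {installed[pkg]} not in baseline")
    return findings


def audit(baseline: Mapping[str, Mapping[str, str]],
          inventory: Mapping[str, Tuple[str, Mapping[str, str]]]) -> Dict[str, List[str]]:
    """Check every host; a host with an empty finding list is in baseline."""
    return {host: check_host(host, role, installed, baseline)
            for host, (role, installed) in inventory.items()}


def hosts_out_of_baseline(results: Mapping[str, List[str]]) -> List[str]:
    """Hosts with at least one finding, sorted for reporting."""
    return sorted(host for host, findings in results.items() if findings)


if __name__ == "__main__":
    results = audit(BASELINE, INVENTORY)
    for host, findings in results.items():
        status = "OK" if not findings else f"{len(findings)} finding(s)"
        print(f"{host}: {status}")
        for line in findings:
            print("  " + line)
    print("Out of baseline:", ", ".join(hosts_out_of_baseline(results)) or "none")
```

In the constructed data, web02 is behind on httpd and openssl and carries an unapproved telnet server, and db01 is missing the openssl package its baseline expects, so two of three hosts are out of baseline. The "AHEAD" case is worth keeping as a finding rather than ignoring: a host running something newer than the baseline means either the baseline is stale or a change was made outside change management, and both need the CMDB corrected.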

Works Cited

HP. (2007). ITIL v3 Configuration Management System. Retrieved July 2, 2015, from hp.com: http://www.hp.com/hpinfo/newsroom/press_kits/2009/lasvegasevents2009/ITILv3CMS.pdf

National Institute of Standards and Technology. (2013, April). Security and Privacy Controls for Federal Information Systems and Organizations (SP 800-53 Rev. 4). Retrieved June 26, 2015, from nvlpubs.nist.gov: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf

Sunday, June 28, 2015

CIS 608-301 - Week 3 Blog Post: Thoughts on Network Identity Management

The federal government is moving towards full adoption of the Personal Identity Verification (PIV) card, and the Department of Defense adopted the Common Access Card (CAC) as the basis of identification on its networks, in response to Homeland Security Presidential Directive 12 (HSPD-12), issued in 2004 in the wake of the 9/11 attacks. The goal of this effort was to bolster the security of federal and DoD networks against attack. The National Institute of Standards and Technology (NIST) published Special Publication (SP) 800-76-2 to detail Biometric Specifications for Personal Identity Verification (National Institute of Standards and Technology, 2013). The document discusses how to obtain biometric data, including multiple types of biometric data, as well as how to encode PIV cards with that data.

These cards are intended to be used to access network resources whether the user is physically at the site or is using remote access. Unfortunately, users with remote access often have the ability to use any computer, not necessarily a government-issued and secured one. All one needs is the proper middleware and a card reader, both of which are usually available, to use a PIV or CAC from any system. The counter to this is that network access control (NAC) solutions are required for network access, both on site and remote, but they are often either not procured or too difficult to manage and keep working properly, and thus simply sit around not performing the NAC function.

Utilizing unsecured computers for remote access is a major concern when using CAC or PIV cards (PoweredbySSI, 2014). There are a number of attack vectors, including visual counterfeiting, skimming, sniffing, social engineering and electronic cloning. Another attack vector is malicious code (Lawton, 2012). A piece of malware named "Sykipot" attacks the middleware for the card reader and installs a key-logger to steal the PIN, then steals data from the card while it is still in the reader. Given the ongoing media revelations of hacking of government systems, such as the recent massive Office of Personnel Management (OPM) data breach (Nakashima, 2015), it is likely that most sites have holes in their security that could allow one or more of these attacks to succeed on a network even without remote access.


One interesting note about these cards is that, when implemented, they are typically configured with a 6 to 8 digit PIN for access, thus providing two-factor authentication (something you have and something you know). However, the second factor does not necessarily need to be a PIN and could be something else, like a fingerprint. Apple has incorporated fingerprint technology on its iPhone devices for access, and it could conceivably be ready for wide deployment in the future. Given the number of attack vectors and the ease with which the access code can be obtained, individuals using these cards should be very wary of such a development for fear of losing biometric data, which, unlike a PIN, cannot be changed once stolen.

Works Cited

Lawton, S. (2012, January 18). DoD ID cards under attack. Retrieved June 26, 2015, from scmagazine.com: http://www.scmagazine.com/dod-id-cards-under-attack/article/223625/
Nakashima, E. (2015, June 18). Officials: Chinese had access to U.S. security clearance data for one year. Retrieved June 20, 2015, from washingtonpost.com: http://www.washingtonpost.com/blogs/federal-eye/wp/2015/06/18/officials-chinese-had-access-to-u-s-security-clearance-data-for-one-year/
National Institute of Standards and Technology. (2013, July). Biometric Specifications for Personal Identity Verification (SP 800-76-2). Retrieved June 26, 2015, from nvlpubs.nist.gov: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-76-2.pdf
PoweredbySSI. (2014, April 3). Smart cards are not the solution to identity theft; the resolution is verifiable identity authentication, says SaaS Software Inc. (SSI). Retrieved June 26, 2015, from poweredbyssi.com: http://poweredbyssi.com/smart-cards-are-not-the-solution-to-identity-theft-the-resolution-is-verifiable-identity-authentication-says-saas-software-inc-ssi/

Sunday, June 21, 2015

CIS 608-301 - Week 2 Blog Post: Federal IT Contingency & Continuity Planning

Implementation of federal government contingency planning is primarily governed by NIST SP 800-34 Revision 1 (Swanson, Bowen, Phillips, Gallup, & Lynes, 2010). Other documents, including SP 800-53 for information security controls, and federal policy also play a role. Organizations are required to identify any mission essential functions (MEFs) tied to the continuance of critical federal government functions and ensure they remain available if something happens at the organization to interrupt operations. This could be anything from a significant malware attack, fire, earthquake or significant weather event to a manmade accident or disaster. Once operations are interrupted, the site must execute its contingency plan to bring operations back online within 12 hours (the maximum tolerable downtime, or MTD, for MEFs) at the primary site, or execute continuity of operations (COOP) at an alternate site for anywhere from 12 hours to 30 days if the event cannot be resolved at the primary site, in order to restore all mission essential functions (Swanson, Bowen, Phillips, Gallup, & Lynes, 2010).

So, how well is the federal government doing with managing IT contingency planning and COOP, and is it being accomplished in a cost-effective way? Judging from my experience, there are pockets of excellence, but for the most part ITCP and COOP are not effectively implemented or are simply too expensive for most sites to accomplish on increasingly small budgets (Sequestration anybody?). Given that the maximum tolerable downtime for MEFs is 12 hours, the government must primarily be focused on the use of hot sites, which are sites with fully operational equipment and the capacity to assume operations after loss of the primary facility, and which thus nearly double the cost of running an organization's IT department. There are also significant technological hurdles (e.g. data replication and reconstitution) to maintaining two sites that often present too great a challenge for staff to overcome with limited resources, both in tools and labor. For a government that typically runs annual deficits on the order of $400 billion to $1 trillion, one would think that it would begin to understand the need to be cost-effective in its operations. Also, given recent data breaches at organizations such as OPM (Nakashima, 2015) as an indication of the security challenges, one wonders whether the federal government should be in the business of performing most IT functions at all. Perhaps the government would be better served by looking into other solutions for its varied IT problems.

Thankfully, the federal government has actually been encouraging outsourcing of many services to the cloud over the past few years. The government set up an organization called the Federal Risk and Authorization Management Program (FedRAMP) to certify cloud vendors and their services (FedRAMP, 2015). FedRAMP approval is mandatory for federal agencies to leverage cloud services for all low and moderate risk impact level systems, though negotiations are possible for high risk impact systems. FedRAMP has certified multiple vendors and service offerings at this time, and those include not only the IT service itself but security services as well, thus reducing the burden on IT staff on multiple fronts. Additionally, most cloud-based services are redundant, so if one site goes down, the service can be nearly instantaneously brought up at an alternate site in a manner transparent to users and without significant additional cost. Finally, services in a cloud environment often scale to what is needed, so IT departments are able to quickly respond to increased demand or decrease capacity (and cost) when it is not needed (Amazon Web Services, 2015). The bottom line is a much more efficient and potentially cost-effective way of conducting IT operations and meeting organizational requirements such as those for MEFs.

Gartner (Leong, Toombs, & Gill, 2015) recently conducted a Magic Quadrant review of cloud infrastructure as a service (IaaS). Though limited in its approach and scope, it does provide some insight into the cloud market. The clear market leader of the survey was Amazon Web Services, which is FedRAMP certified. Microsoft was the only other organization rated in the leader quadrant. VMware, Google, IBM (SoftLayer) and CenturyLink were all rated as visionaries in the field, and a host of others were rated as niche players. The bottom line of this survey is that while many services have quickly come and gone, cloud services are growing and there are many players in the field that are investing heavily in their service offerings. Given that the federal government, with its vast resources, is in the process of approving cloud vendors and actively encouraging agencies to enter into cloud solutions with industry, the cloud growth trend is likely to continue for some time, thus increasing competition while hopefully driving improvement in services and lowering costs. The federal government faces vast challenges in managing and securing IT as well as in meeting continuity goals, but it appears to be on the correct path in leveraging the vast knowledge and capabilities of industry to address those challenges.

Works Cited

Amazon Web Services. (2015). What is cloud computing? Retrieved June 18, 2015, from aws.amazon.com: http://aws.amazon.com/what-is-cloud-computing/
FedRAMP. (2015). About FedRAMP. Retrieved June 20, 2015, from fedramp.gov: https://www.fedramp.gov/about-us/about/
Leong, L., Toombs, D., & Gill, B. (2015, May 18). Magic Quadrant for Cloud Infrastructure as a Service. Gartner. Retrieved June 20, 2015, from gartner.com: http://www.gartner.com/technology/reprints.do?id=1-2G2O5FC&ct=150519&st=sb
Nakashima, E. (2015, June 18). Officials: Chinese had access to U.S. security clearance data for one year. The Washington Post. Retrieved June 20, 2015, from washingtonpost.com: http://www.washingtonpost.com/blogs/federal-eye/wp/2015/06/18/officials-chinese-had-access-to-u-s-security-clearance-data-for-one-year/
Swanson, M., Bowen, P., Phillips, A. W., Gallup, D., & Lynes, D. (2010, May). NIST Special Publication 800-34 Rev. 1: Contingency Planning Guide for Federal Information Systems. NIST. Retrieved June 20, 2015, from csrc.nist.gov: http://csrc.nist.gov/publications/nistpubs/800-34-rev1/sp800-34-rev1_errata-Nov11-2010.pdf

Sunday, June 14, 2015

CIS 608-301 - Week 1 Blog Post: Chinese Hack of the Office of Personnel Management Exposes CyberSecurity Challenges

The Office of Personnel Management (OPM) was recently hacked by what are believed to be Chinese hackers. The scope of the breach was breathtaking in the amount and value of data obtained. In addition to gaining access to OPM systems, the attackers compromised a database holding sensitive security clearance information on millions of federal employees and contractors, going back decades. It is understood that this information could be used in numerous ways, including stealing identities and even targeting the cleared workforce for espionage (Nakashima, 2015).

According to National Security Presidential Directive 54, cyber security is defined as “Prevention of damage to, protection of, and restoration of computers, electronic communications systems, electronic communications services, wire communication, and electronic communication, including information contained therein, to ensure its availability, integrity, authentication, confidentiality, and nonrepudiation” (Trulio, 2008). Obviously, the federal government is coming up short of these lofty goals and there are numerous cyber security issues that are still being addressed by the federal government.

The ongoing method of standardizing cyber security across the federal government and Department of Defense (DoD) has been the National Institute of Standards and Technology (NIST) Special Publication guidelines. The guidelines are mostly contained within the 800 series and are available at the NIST website (NIST, 2015). While other guidelines are in use across the federal government, the NIST guidelines are increasingly serving as the primary source and will be the focus of most of the effort in addressing cyber security moving forward.

The above hack exposed significant weaknesses in several areas of cyber security at OPM. Despite the database having been hacked the previous year (Nakashima, 2015), and despite OPM knowing it was a high value target, the systems were still not secured against the most recent hack. Attack vectors that could allow access were not closed. It took quite a while for this breach to be reported, so detection mechanisms were certainly not optimal. One would wonder why on earth these were not addressed. However, having worked in the industry for some time, I find it highly probable that steps were taken to address the issue, but the sheer size of large departments such as OPM makes it very difficult to close all attack vectors a hacker may utilize. High value systems are slow to be updated for fear of causing disruptions. Additionally, there are over 170 guidelines listed in the NIST special publications, not counting other governing policies (there are many) or vendor guidelines, so implementation can be daunting. The bottom line is that the federal government will take a lot longer than most of us think (or hope) to improve cyber security. We can therefore expect to see many more breaches across the federal government over the next few years. So, if you work in the federal government, it may be a good idea to purchase identity protection in advance, since your data will most likely be stolen and there is no guarantee that the government will let the public know in a timely manner.

Works Cited

Nakashima, E. (2015, June 12). Chinese hack of government network compromises security clearance files. The Washington Post. Retrieved June 13, 2015, from washingtonpost.com: http://www.washingtonpost.com/world/national-security/chinese-hack-of-government-network-compromises-security-clearance-files/2015/06/12/9f91f146-1135-11e5-9726-49d6fa26a8c6_story.html
NIST. (2015, June 13). NIST Special Publications (SP). National Institute of Standards and Technology. Retrieved June 13, 2015, from csrc.nist.gov: http://csrc.nist.gov/publications/PubsSPs.html
Trulio, D. (2008, January 9). National Security Presidential Directive 54. Washington, DC: The White House.