Sunday, June 28, 2015

CIS 608-301 - Week 3 Blog Post: Thoughts on Network Identity Management

The federal government is moving towards full adoption of a Personal Identity Verification Card and the Department of Defense adopted the Common Access Card as the basis of identification on its networks in response to Presidential Directive 12 after the 9/11 attacks in 2001. The goal of this effort was to bolster security of federal and DoD networks against attack. The National Institute of Standards and Technology (NIST) published Special Publication (SP) 800-76-2 to detail Biometric Specifications for Personal Identity Verification (National Institute of Standards and Technology, 2013). The document discusses how to obtain biometric data, including multiple types of biometric data, as well as encoding PIV cards with that data.

These cards are intended to be used to access network resources whether the user is physically on site or connecting through remote access. Unfortunately, users connecting remotely often have the ability to use any computer, not necessarily a government-issued and secured one. All one needs is the proper middleware and a card reader, both of which are usually available, to use a PIV or CAC from any system. The intended counter to this is that network access control (NAC) solutions are required for network access, both on site and remote, but NAC solutions are often either not procured or too difficult to manage and keep working properly, and so they simply sit around not performing the NAC function.

Utilizing unsecured computers for remote access is a major concern when using CAC or PIV cards (PoweredbySSI, 2014). There are a number of attack vectors, including visual counterfeiting, skimming, sniffing, social engineering, and electronic cloning. Another attack vector is malicious code (Lawton, 2012). A virus named “Sykipot” attacks the card reader middleware and installs a key-logger to steal the PIN, then uses the card to obtain data while it is still in the reader. Given the ongoing media revelations of hacking of government systems, such as the recent massive Office of Personnel Management (OPM) data breach (Nakashima, 2015), it is likely that most sites have holes in their security that could allow one or more of these attacks to succeed on a network even when remote access is not in use.

One interesting note about these cards is that, when implemented, they are typically configured with a 6- to 8-digit PIN for access, thus providing two-factor authentication (something you have and something you know). However, the second factor does not necessarily need to be a PIN and could be something else, such as a fingerprint. Apple has incorporated fingerprint technology on its iPhone devices for access, and it could conceivably be ready for wide deployment in the future. Given the number of attack vectors and the ease with which the access code can be obtained, individuals using these cards should be very wary of such a development for fear of losing their biometric data, which, unlike a PIN, cannot be changed once stolen.

Works Cited

Lawton, S. (2012, January 18). DoD ID cards under attack. Retrieved June 26, 2015, from scmagazine.com: http://www.scmagazine.com/dod-id-cards-under-attack/article/223625/
Nakashima, E. (2015, June 18). Washington Post. Retrieved June 20, 2015, from washingtonpost.com: http://www.washingtonpost.com/blogs/federal-eye/wp/2015/06/18/officials-chinese-had-access-to-u-s-security-clearance-data-for-one-year/
National Institute of Standards and Technology. (2013, July). Biometric Specifications for Personal Identity Verification (NIST SP 800-76-2). Retrieved June 26, 2015, from http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-76-2.pdf
PoweredbySSI. (2014, April 3). Smart cards are not the solution to identity theft. Retrieved June 26, 2015, from poweredbyssi.com: http://poweredbyssi.com/smart-cards-are-not-the-solution-to-identity-theft-the-resolution-is-verifiable-identity-authentication-says-saas-software-inc-ssi/

Sunday, June 21, 2015

CIS 608-301 - Week 2 Blog Post: Federal IT Contingency & Continuity Planning

Implementation of federal government contingency planning is primarily governed by NIST SP 800-34 (Swanson, Bowen, Phillips, Gallup, & Lynes, 2010). Other documents, including SP 800-53 for information security controls, and federal policy also play a role. Organizations are required to identify any mission essential functions (MEFs) tied to the continuance of critical federal government functions and ensure they remain available if something interrupts operations at the organization. This could be anything from a significant malware attack, fire, earthquake, or significant weather event to a man-made accident or disaster. Once operations are interrupted, the site must execute its contingency plan to bring operations back online within 12 hours (the maximum tolerable downtime, or MTD, for MEFs) at the primary site, or, if the event cannot be resolved at the primary site, execute continuity of operations (COOP) at an alternate site for a period ranging from 12 hours to 30 days in order to restore all mission essential functions (Swanson, Bowen, Phillips, Gallup, & Lynes, 2010).

So, how well is the federal government doing with managing IT continuity planning and COOP, and is it being accomplished in a cost-effective way? Judging from my experience, there are pockets of excellence, but for the most part ITCP and COOP are not effectively implemented or are simply too expensive for most sites to accomplish on increasingly small budgets (Sequestration, anybody?). Given that the maximum tolerable downtime for MEFs is 12 hours, the government must primarily rely on hot sites, which are sites with fully operational equipment and the capacity to assume operations after loss of the primary system facility, and which thus nearly double the cost of running an organization's IT department. There are also significant technological hurdles (e.g. data replication and reconstitution) to maintaining two sites that often present too great a challenge for staff to overcome with limited resources, both in tools and labor. For a government that typically runs annual deficits on the order of $400 billion to $1 trillion, one would think it would begin to understand the need to be cost-effective in its operations. Also, given recent data breaches at organizations such as OPM (Nakashima, 2015) as an indication of security challenges, one wonders whether the federal government should be in the business of performing most IT functions at all. Perhaps the government would be better served by looking into other solutions for its varied IT problems.

Thankfully, the federal government has actually been encouraging the outsourcing of many services to the cloud over the past few years. The government set up an organization called the Federal Risk and Authorization Management Program (FedRAMP) to certify cloud vendors and their services (FedRAMP, 2015). FedRAMP approval is mandatory for federal agencies to leverage cloud services for all low and moderate risk impact level systems, though negotiations are possible for high risk impact systems. FedRAMP has certified multiple vendors and service offerings at this time, and those include not only the IT service itself but security services as well, thus reducing the burden on IT staff on multiple fronts. Additionally, most cloud-based services are redundant, so if one site goes down the service can be brought up at an alternate site nearly instantaneously and transparently, without significant additional cost. Finally, services in a cloud environment often scale to what is needed, so IT departments are able to quickly respond to increased demand or decrease capacity (and cost) when it is not needed (Amazon Web Services, 2015). The bottom line is a much more efficient and potentially cost-effective way of conducting IT operations and meeting organizational requirements such as those for MEFs.

Gartner (Leong, Toombs, & Gill, 2015) recently conducted a Magic Quadrant review of cloud infrastructure as a service (IaaS). Though limited in its approach and scope, it does provide some insight into the cloud market. The clear market leader of the survey was Amazon Web Services, which is FedRAMP certified. Microsoft was the only other organization rated in the leaders quadrant. VMware, Google, IBM (SoftLayer), and CenturyLink were all rated as visionaries in the field, and a host of others were rated as niche players. The bottom line of this survey is that, while many services have quickly come and gone, cloud services are growing and there are many players in the field investing heavily in their service offerings. Given that the federal government, with its vast resources, is in the process of approving cloud vendors and actively encouraging agencies to enter into cloud solutions with industry, the cloud growth trend is likely to continue for some time, thus increasing competition while hopefully driving improvement in services and lowering costs. The federal government faces vast challenges in managing and securing IT as well as in meeting continuity goals, but it appears to be on the correct path in leveraging the vast knowledge and capabilities of industry to address those challenges.

Works Cited

Amazon Web Services. (2015). What is cloud computing? Retrieved June 18, 2015, from aws.amazon.com: http://aws.amazon.com/what-is-cloud-computing/
FedRAMP. (2015). About FedRAMP. Retrieved June 20, 2015, from fedramp.gov: https://www.fedramp.gov/about-us/about/
Leong, L., Toombs, D., & Gill, B. (2015, May 18). Gartner. Retrieved June 20, 2015, from gartner.com: http://www.gartner.com/technology/reprints.do?id=1-2G2O5FC&ct=150519&st=sb
Nakashima, E. (2015, June 18). Washington Post. Retrieved June 20, 2015, from washingtonpost.com: http://www.washingtonpost.com/blogs/federal-eye/wp/2015/06/18/officials-chinese-had-access-to-u-s-security-clearance-data-for-one-year/
Swanson, M., Bowen, P., Phillips, A. W., Gallup, D., & Lynes, D. (2010, May). Contingency Planning Guide for Federal Information Systems (NIST SP 800-34 Rev. 1). Retrieved June 20, 2015, from csrc.nist.gov: http://csrc.nist.gov/publications/nistpubs/800-34-rev1/sp800-34-rev1_errata-Nov11-2010.pdf

Sunday, June 14, 2015

CIS 608-301 - Week 1 Blog Post: Chinese Hack of the Office of Personnel Management Exposes CyberSecurity Challenges

The Office of Personnel Management was recently hacked by what are believed to be Chinese hackers. The scope of the breach was breathtaking in the amount and value of the data obtained. In addition to gaining access to OPM systems, the attackers compromised a database holding sensitive security clearance information, going back decades, on millions of federal employees and contractors. It is understood that this information could be used in numerous ways, including stealing identities and even targeting the cleared workforce for espionage (Nakashima, 2015).

According to National Security Presidential Directive 54, cyber security is defined as “Prevention of damage to, protection of, and restoration of computers, electronic communications systems, electronic communications services, wire communication, and electronic communication, including information contained therein, to ensure its availability, integrity, authentication, confidentiality, and nonrepudiation” (Trulio, 2008). Obviously, the federal government is coming up short of these lofty goals, and there are numerous cyber security issues still being addressed across the government.

The ongoing method of standardizing cyber security across the federal government and the Department of Defense (DoD) has been via National Institute of Standards and Technology (NIST) Special Publication guidelines. The guidelines are mostly contained within the 800 series and are available at the NIST website (NIST, 2015). While other guidelines are in use across the federal government, the NIST guidelines are increasingly serving as the primary source and will be the focus of most of the effort in addressing cyber security moving forward.

The above hack exposed significant weaknesses in several areas of cyber security at OPM. Despite the database having been hacked the previous year (Nakashima, 2015), and despite OPM knowing it was a high value target, the systems were still not secured against the most recent hack. Attack vectors that could allow access were not closed. It took quite a while for this breach to be reported, so detection mechanisms were certainly not optimal. One would wonder why on earth these were not addressed. However, having worked in the industry for some time, I think it is highly probable that steps were taken to address the issue, but the sheer size of large departments such as OPM makes it very difficult to close every attack vector a hacker may utilize. High value systems are slow to be updated for fear of causing disruptions. Additionally, there are over 170 guidelines listed in the NIST special publications, not counting other governing policies (there are many) or vendor guidelines, so implementation can be daunting. The bottom line is that the federal government will take a lot longer than most of us think (or hope) to improve cyber security. We can therefore expect to see many more breaches across the federal government over the next few years. So, if you work in the federal government, it may be a good idea to purchase identity protection in advance, since your data will most likely be stolen and there is no guarantee that the government will let the public know in a timely manner.

Works Cited

Nakashima, E. (2015, June 12). Chinese hack of government network compromises security clearance files. The Washington Post. Retrieved June 13, 2015, from WashingtonPost.com: http://www.washingtonpost.com/world/national-security/chinese-hack-of-government-network-compromises-security-clearance-files/2015/06/12/9f91f146-1135-11e5-9726-49d6fa26a8c6_story.html
NIST. (2015, June 13). NIST Special Publications (SP 800 series). Retrieved June 13, 2015, from csrc.nist.gov: http://csrc.nist.gov/publications/PubsSPs.html
Trulio, D. (2008, January 9). National Security Presidential Directive 54. Washington, DC: The White House.