BreachExchange mailing list archives

NIST, Cyberdefense is Shut Down in the Shutdown


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 8 Oct 2013 23:45:47 -0600

http://www.infosecurity-magazine.com/view/34921/nist-cyberdefense-is-shut-down-in-the-shutdown/

The National Zoo’s Panda Cam, the World War II memorial, vast swaths of
FEMA and food stamps are all casualties of the US government’s ongoing
shutdown in the wake of Congress failing to approve funding for government
operations. Cybersecurity isn’t escaping the furloughs either, leaving some
to postulate that the US is essentially asleep at the switch right now –
and eminently vulnerable.

“Let’s hope that any security-related work being done to harden these
websites from malicious attack was not interrupted by the government
shutdown, and fingers crossed that no new critical patches come out that
are needed to protect them from exploits and hackers,” said security
researcher Graham Cluley, in his blog.

Steven VanRoekel, CIO for the federal government, said that he fears
exactly that. With websites lying dormant and the number of cybersecurity
staff across federal agencies having been greatly reduced, hackers and
spies could see an opportunity to infiltrate US systems with a far lesser
threat of detection.

“I worry about cybersecurity in the midst of a shutdown,” VanRoekel told
the Wall Street Journal. “If I were a wrongdoer looking for an opportunity,
I’d contemplate poking at infrastructure when there are fewer people
looking at it.”

The shutdown also means that bad actors could take their time knocking
around the compromised systems. “Additionally, compromised systems may go
for a longer period without detection, allowing an attacker to take more
than one step toward their target without being noticed,” said Tripwire
director of product management Tim Erlin, in a news report. “These deeper
intrusions are more likely during this shutdown and harder to uncover when
the shutdown ends.”

For its part, the National Institute of Standards and Technology (NIST) has
gone mostly dark. A forlorn message on its home page reads:

"NIST Closed, NIST and Affiliated Web Sites Not Available
Due to a lapse in government funding, the National Institute of Standards
and Technology (NIST) is closed and most NIST and affiliated web sites are
unavailable until further notice. We sincerely regret the inconvenience."

The Computer Security Resource Center (CSRC) is one of the victims of
collateral damage, although some services such as the National
Vulnerability Database and NIST Internet Time Service websites are still
running, Cluley noted. However, they’re not being updated as often.

VanRoekel said that cybersecurity forces are down to a “skeleton crew,”
with the staff that specialize in responding to cyberattacks out on
furlough. They would need to be called in to respond after any attack,
losing a crucial real-time edge. That reality “is a little bit worrisome
for me,” he said. “I have fewer eyes out there.”

The one exception is the Department of Homeland Security, which has
retained some of its cyberstaff.

Bottom line? “If I were a hostile nation state, I would start unleashing
everything I have right now in an attempt to exploit as much as possible
while federal agencies are distracted,” said Lamar Bailey, head of
Tripwire’s Vulnerability and Exposures Research Team (VERT), speaking with
Softpedia. “In the late 1990’s and early 2000’s, the greatest number of
exploits happened over holidays, weekends, and late at night when the IT
staff was operating on a skeleton crew. This is no different.”
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
