BreachExchange mailing list archives
NIST, Cyberdefense is Shut Down in the Shutdown
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 8 Oct 2013 23:45:47 -0600
http://www.infosecurity-magazine.com/view/34921/nist-cyberdefense-is-shut-down-in-the-shutdown/

The National Zoo’s Panda Cam, the World War II memorial, vast swaths of FEMA and food stamps are all casualties of the US government’s ongoing shutdown in the wake of Congress failing to approve funding for government operations. Cybersecurity isn’t escaping the furloughs either, leaving some to postulate that the US is essentially asleep at the switch right now – and eminently vulnerable.

“Let’s hope that any security-related work being done to harden these websites from malicious attack was not interrupted by the government shutdown, and fingers crossed that no new critical patches come out that are needed to protect them from exploits and hackers,” said security researcher Graham Cluley, in his blog.

Steven VanRoekel, CIO for the federal government, said that he fears exactly that. With websites lying dormant and the number of cybersecurity staff across federal agencies having been greatly reduced, hackers and spies could see an opportunity to infiltrate US systems with a far lesser threat of detection.

“I worry about cybersecurity in the midst of a shutdown,” VanRoekel told the Wall Street Journal. “If I were a wrongdoer looking for an opportunity, I’d contemplate poking at infrastructure when there are fewer people looking at it.”

The shutdown also means that bad actors could take their time knocking around the compromised systems.

“Additionally, compromised systems may go for a longer period without detection, allowing an attacker to take more than one step toward their target without being noticed,” said Tripwire director of product management Tim Erlin, in a news report. “These deeper intrusions are more likely during this shutdown and harder to uncover when the shutdown ends.”

For its part, the National Institute of Standards and Technology (NIST) has gone mostly dark. A forlorn message on its home page reads: "NIST Closed, NIST and Affiliated Web Sites Not Available Due to a lapse in government funding, the National Institute of Standards and Technology (NIST) is closed and most NIST and affiliated web sites are unavailable until further notice. We sincerely regret the inconvenience."

The Computer Security Resource Center (CSRC) is one of the victims of collateral damage, although some services such as the National Vulnerability Database and NIST Internet Time Service websites are still running, Cluley noted. However, they’re not being updated as often.

VanRoekel said that cybersecurity forces are down to a “skeleton crew,” with the staff that specialize in responding to cyberattacks out on furlough. They would need to be called in to respond after any attack, losing a crucial real-time edge.

That reality “is a little bit worrisome for me,” he said. “I have fewer eyes out there.”

The one exception is the Department of Homeland Security, which has retained some of its cyberstaff.

Bottom line? “If I were a hostile nation state, I would start unleashing everything I have right now in an attempt to exploit as much as possible while federal agencies are distracted,” said Lamar Bailey, head of Tripwire’s Vulnerability and Exposures Research Team (VERT), speaking with Softpedia. “In the late 1990’s and early 2000’s, the greatest number of exploits happened over holidays, weekends, and late at night when the IT staff was operating on a skeleton crew. This is no different.”