BreachExchange mailing list archives

Ramping Up Agency Security, Yet Again


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 18 Jun 2015 20:06:28 -0600

http://www.databreachtoday.com/ramping-up-agency-security-yet-again-a-8315

A new Obama administration cybersecurity initiative isn't placing new
burdens on federal agencies; it's aimed at getting them to comply with
recommended safeguards they've failed to implement.

Federal CIO Tony Scott is heading up the initiative, unveiled late last
week, to require agencies to patch critical vulnerabilities without delay;
tighten policies to access systems and applications, especially for
privileged users who are delegated with extra levels of control; and
accelerate use of multi-factor authentication.

The initiative also would require federal agencies to immediately inform
the Department of Homeland Security of malicious activities in their IT
systems.

Doubling Down

Karen Evans, who held Scott's job in the George W. Bush White House, says
government initiatives to get agencies to comply with cybersecurity
processes aren't new, but the clock is ticking for the Obama administration
to improve security during its remaining months in office.

"This is doubling down," Evans says. "It's the last 18 months of the
[Obama] administration, and look at everything that has happened. You have
[Scott] who is an operational CIO. He's looking at it and saying, 'You
should have these things done.'"

Evans' predecessor, Mark Forman, says the outcome of the initiative could
give agencies fodder in making the argument for more money for critical
cybersecurity projects. "We're almost three-quarters the way through the
fiscal year, so resources are fairly far along in being consumed," Forman
says. "But now with having this memo and having all this guidance, the CIOs
and the information security officers can go to the budget process and show
that this is a priority. It's the unwritten purpose of this memo, if you
know what I mean."

Those CIOs and CISOs need help because getting agencies to implement
cybersecurity safeguards hasn't been easy for government IT security
practitioners. "This is hard; it's not trivial to do this," says former DHS
Deputy Undersecretary for Cybersecurity Mark Weatherford, a principal at
the security consultancy The Chertoff Group. "And, it's going to take a lot
of work. But as long as people can build a remediation plan, and stick to
that, and be measured against that, that's best effort, and you can't fault
people for best effort. But it's really going to require somebody to hold
them accountable and make sure they are doing that."

And who should that person be? Weatherford answers: "Tony Scott. He's the
one who put the memo out. He's the one who's leading this effort."

Initiative Preceded IRS, OPM Hacks

The Obama administration has issued over the years a number of programs and
directives to improve federal government cybersecurity. Work on this
initiative began before the Internal Revenue Service and Office of
Personnel Management had been victimized by major breaches in the past
month. Scott telegraphed his intentions to pursue such an initiative at his
first appearance before Congress in April (see New Federal CIO Withholds
InfoSec Judgement). "There is no agency, even the ones that we looked at so
far, who we believe is doing a really good job, who would say, 'We're done'
or 'we've done enough and, you know, it's the end of job,'" Scott told the
House Oversight and Government Reform Committee. "Everyone believes there's
more that we can and should do."

Still, the administration is using those breaches to get buy-in to its
initiative. "Recent events underscore the need to accelerate the
administration's cyber strategy and confront aggressive, persistent
malicious actors that continue to target our nation's cyber
infrastructure," a White House statement says.

The White House created a "cybersecurity sprint team," led by Scott, to
lead a 30-day review of the federal government's cybersecurity policies,
procedures and practices. Team members include other cybersecurity experts
from OMB, where Scott is based, the National Security Council, Defense
Department and DHS. Once the review is completed, according to the White
House, Scott will create and implement a set of action plans and strategies
to further address critical cybersecurity priorities and recommend a
federal civilian cybersecurity strategy.

Self Reflection

One goal of the initiative is to compel agencies to identify their
respective cybersecurity shortfalls and to get them to develop plans to fix
them.

Key principles of the strategy the White House expects to come out of the
review are:

Protecting data at rest and in transit;

Improving situational awareness;

Increasing cybersecurity proficiency to ensure a robust capacity to recruit
and retain cybersecurity personnel;

Improving overall risk awareness by all users;

Standardizing and automating processes to decrease time needed to manage
configurations and patch vulnerabilities;

Controlling, containing and recovering from incidents to identify and
resolve events and incidents quickly;

Strengthening systems lifecycle security to increase inherent security of
platforms by buying more secure systems and retiring legacy systems in a
timely manner; and

Reducing attack surfaces by decreasing complexity and the number of things
defenders need to protect.

Keeping Up Is Challenging

The failures to implement effective cybersecurity processes among agencies
are well-documented in countless Government Accountability Office and
agencies' inspectors general audits. "Systems and networks are so
complicated and large - and given the priority or their resources - it's
sometimes a challenge for agencies to keep up with it," says Gregory
Wilshusen, GAO director of information security issues.

Some cybersecurity experts contend that government breaches could have been
thwarted, or at least made more difficult to achieve, if two-factor
authentication were in place at the time of the attack. OMB requires
agencies to use a government-issued personal identity verification,
or PIV, card along with a password to access government systems. But not
all agencies have complied.

According to the latest OMB annual report to Congress on the state of
government cybersecurity, 77 percent of users at the 24 largest agencies
(excluding DoD, which has its own rules) employ two-factor authentication
incorporating PIV cards. However, 11 of those so-called CFO agencies report
no users employ PIV-card two-factor authentication.

Misleading Numbers

But numbers can mislead. The OMB report says 93 percent of OPM employees
and contractors log on remotely using the PIV card and a password. However,
as an OPM inspector general report from last year shows, some challenges
exist to implementing two-factor authentication universally. For instance,
some devices, such as iPads, were noncompliant. The IG also discovered
remote access sessions didn't terminate or lock out after a specified
period of time. As of Sept. 30, the end of fiscal year 2014, more than 95
percent of OPM workstations required PIV authentication to access the
OPM network. However, none of the agency's 47 major applications required
PIV authentication.

Timely patching of applications with critical vulnerabilities is another
challenge for many agencies. Wilshusen says it's not uncommon for software
to remain unpatched for months, and in some instances, as long as three
years, after vendors issue patches.

Tightening access to critical systems by privileged users also presents a
challenge. Wilshusen says he often sees systems and network administrators
assigning themselves simple passwords and sharing those identities with
other administrators. "It always perplexes me that these administrators
often use the least secure methods of authentication," Wilshusen says.
"Their primary concern [isn't security but] is to make sure they can [do
what's needed] to keep the network up and running."

Advice for Those in the Trenches

Weatherford sees the intent of the new initiative as addressing the
operational, not policy, aspects of cybersecurity. The initiative could
help agencies define specific ways to help IT security practitioners in the
trenches to implement basic cybersecurity hygiene, he says.

"Because of the distributed nature of the federal government, and each
agency controlling its own destiny without a lot of fairly significant
oversight, there are big gaps in federal government cybersecurity,"
Weatherford says. "This [initiative will be] very specific and very
actionable. When people are given very specific paths like this, they'll
know what they need to do."
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/