Today, the PaaS offering is an early-stage pilot designed to meet a request from the Air Force, but a broader pilot is forthcoming. “The Air Force came to us and said, we not only want you to manage the infrastructure, but also the middleware,” Alfred Rivera, DISA’s director of computing services, said in a speech Wednesday at DISA’s Customer and Industry Forum in Washington, D.C.

As part of the PaaS offering, DISA would not just provide the servers themselves, but also the operating system stack and all support services below the application layer, including patching and managing the IT infrastructure.

More broadly, this new PaaS pilot is only one of several cloud computing and shared service projects DISA has in the works. There’s also a planned Microsoft SharePoint 2010 deployment, virtualized web-based versions of Microsoft Office apps hosted in DISA’s cloud, and a number of other services on the way. For example, Rivera said that DISA is also considering ways that it could potentially manage applications that don’t even necessarily reside in DISA data centers — IT service management as a service, he called it.

DISA’s VOffice pilot, disclosed earlier this summer, is now up to 1,000 users who have access to web-based versions of Microsoft Word, PowerPoint, Excel, and OneNote hosted in DISA’s cloud. It’s an effort that’s drawn the interest of the office of the Secretary of Defense, and will go into production in January, Rivera said.

The agency also plans to offer SharePoint as a service to other military agencies, with deployment of SharePoint 2010 slated to begin in January 2011.

RACE is also due for some upgrades and improvements, Rivera said. Deployment on the Department of Defense’s classified SIPRNet — which has seen a lot of demand, according to Rivera — is slated to begin by the end of September. Also coming are refinements to the RACE portal, integration with DISA’s configuration management system, and some automated security accreditation processes.

Eventually, DISA could even begin offering its services outside the Department of Defense. According to Rivera, DISA has had related discussions with the inter-agency Cloud Computing Advisory Council and agencies like the Department of State to discuss the possibilities, but for now, RACE’s access-control mechanism, which requires a military smartcard, remains a barrier.

DISA’s cloud push isn’t over, by a long shot. “We’re in the beginning stages, but this certainly allows you to move toward leveraging technology and processing speed without having to build the network and the infrastructure yourself,” DISA director Lt. Gen. Carroll Pollett said in an interview.

Source

“With decades of IT infrastructure built to support changing technologies, there is little ability to baseline the entire infrastructure within the United States,” said Randy Vickers, director of the United States Computer Emergency Readiness Team (US-CERT), in an interview Wednesday. “This variety of platforms and applications provides many possible vectors by which to attack infrastructure.”

Vickers is scheduled to join other IT leaders from government agencies for a panel to discuss the threat of cyber war and how to deter it at the Black Hat security conference in Las Vegas on Thursday.

US-CERT is a division of the Department of Homeland Security (DHS) responsible for responding to and defending against cyber attacks for the federal government’s IT infrastructure. It also is in charge of sharing information and collaborating with state and local governments as well as the private sector to protect critical infrastructure in the U.S.

Vickers said that critical infrastructure is not likely to become less prone to attacks anytime soon. He cited ongoing changes in the IT landscape — such as cloud computing and an increasingly mobile workforce — as conditions that only open up infrastructure to more threats.

“The environment is only going to increase in complexity, and as more threat capabilities are developed the risk to our information infrastructure that we are so heavily dependent upon also increases,” he said.

To achieve its goal to keep an eye on federal networks, the DHS is currently deploying an intrusion-detection and security system called EINSTEIN 2, Vickers said. The system is currently operational at 12 of 19 federal agencies, providing US-CERT with, on average, visibility into more than 278,000 indicators of potentially malicious activity per month, he said.

EINSTEIN 2 should be fully deployed at the federal government by the end of the year, after which the DHS will take security to the next level with EINSTEIN 3, Vickers said.

EINSTEIN 3, developed by the National Security Agency, is the third phase of the Comprehensive National Cybersecurity Initiative (CNCI), and will provide intrusion prevention on top of EINSTEIN 2′s intrusion-detection capability, he said. The first phase of the system — EINSTEIN 1 — is currently in deployment as system that gathers information about network traffic.

US-CERT first revealed details about EINSTEIN 3 in March. At the time, the DHS said the system will do real-time, deep packet inspection and make decisions based on threats by examining network traffic at the edge of federal agency networks.

This activity will redirect agency Internet traffic to DHS cybersecurity systems, which will determine which traffic might be associated with cyber threats and how to respond, they said. The DHS worked with a commercial Internet service provider to do a test deployment of EINSTEIN 3 earlier this year. Vickers said these types of private-public partnerships will continue as the federal government continues to work to secure its network infrastructure against cyber attacks.

“At the end of the day, the architecture for the dot-gov’s cyber perimeter defense will be hybrid of government and private technologies,” he said.

Source

During a question-and-answer session at the end of her Wednesday keynote address, one attendee asked if we should expect the DHS to give cybersecurity the same kind of treatment it’s given air travel with the Transportation Security Administration. “Why should we believe that DHS, going forward, is going to protect cyber in something other than the same way?” he asked, scoring the loudest applause of the session with the question. “Now as the TSA slows down the air travel, DHS will slow down the commerce.”

The undersecretary disagreed with this characterization of the TSA, but conceded that there is a “tension” in the DHS’ mission. “We want to keep out people who might be dangerous, but we want to expedite legitimate trade and travel.”

“We happen to believe that we can achieve our security, we can protect our rights, we can protect commerce and lawful interchange,” she said. “We can have all of these things, but we need to engage in a debate about how we will prioritize and how we will strike the balance.”

Security experts such as Bruce Schneier have long slammed the TSA’s procedures, saying that they are ineffective and poorly thought out. Schneier calls U.S. airport screenings “security theater.”

Some have also criticized the DHS as slow in its response to cyber-incidents. As industrial systems were being targeted with the Stuxnet worm two weeks ago, it took DHS’ Industrial Control Systems Computer Emergency Response Team five days to push out a public alert. Critics say that was too long.

Hitting on a theme of her keynote, Lute called for real dialogue between government and industry and said she hoped that her department could be a “portal for that debate.”

“You know, societies used to have conversations with themselves through their governments. In that respect, we’re not talking to each other any more,” she said. “In many respects we’re throwing assertions back and forth at each other and seeing who has the more clever report, who has thought of the newer idea.”

Hitting on another theme that the government’s response to cyberthreats has been more rhetorical than practical, another attendee asked if Lute thought the U.S. would be able to secure computer systems without first experiencing a cyberdisaster, equivalent to the Sept. 11 terrorist attacks. “In Homeland Security, at the water cooler, do your peers say, ‘It’s just a matter of time before something horrible happens and that’s when we’re going to need to do what we actually need to do, instead of just talking about what needs to be done?”

“I’m a person who believes that this country can protect itself,” Lute said. “I don’t know what’s inevitable, and I think that anybody who lived through the events of 1989 [when the Berlin Wall fell] or who lived through the events of 2001 has lost the right to say that anything is impossible.”

Source

That’s certainly a noble goal. But the very existence of NSTIC begs two very important questions: Does protecting me and my fellow citizens while we transact business online fall within the department’s areas of responsibility? And does DHS truly believe it can do what the private sector, driven by a clear and compelling profit motive, has yet to successfully accomplish?

The answer to both questions is a resounding no. DHS should focus on doing what its name implies — protecting the homeland — and resist the urge to demote itself into the role of national cyber mall cop.

I say this not to demean the department, which shoulders a weighty load in addressing the manifold threats to our shores in this age of terrorism, but because any effort by DHS to create a voluntary trusted identity program is doomed to fail.

The recent experience and backlash associated with Real ID — rebuffed by the general public and legislatively rejected by 11 states before being scrapped — and high-tech passports — subject to ongoing criticism for their security vulnerabilities — demonstrate that the public is uneasy at best and at worst dead set against any attempts by the federal government to centralize identification in any form. Another national identification storm cloud is gathering on the horizon in the form of the Biometric Enrollment, Locally-stored Information, and Electronic Verification of Employment provision of pending immigration reform. With every attempt at using technology to track citizens, George Orwell’s shadow grows longer.

Conspiracy theories aside, lessons learned from the evolution of Social Security numbers into a de facto national financial credential — in spite of being prohibited by the law that created them for any use other than the management of Social Security benefits — should be enough to remind us of what can happen with a national identification program even when it is conceived with the best of intentions.

Of course, DHS would not be the first organization to fail at creating a broadly successful universal digital identifier. Devices such as smart cards and tokens have been in use for years and are effective for managing identity-based access to secure enterprise systems. But such technology works best in a single organization because cost and management issues temper their advantages in broader applications.

At the consumer level, where individuals might be using multiple identities for a broad range of applications, any secure identity system would need to take into account the highly complex vagaries of human behavior. Doing so successfully in the private sector would be a feat with a multibillion-dollar payday — and there’s plenty of money and brainpower being spent on that effort already.

Consider, too, the challenges DHS faces in successfully launching a trusted identity program when the agency lacks the trust of the general public. In the Ponemon Institute’s annual Privacy Trust Study of the United States Government, DHS ranked 70th among the 75 federal agencies studied. The Citizenship and Immigration Services agency and Customs and Border Protection agency, both of which are part of DHS, ranked 74th and 75th, respectively.

If DHS believes that a more secure online experience will enhance homeland defense, that goal would be better served by the creation of an educational program that makes people more aware of how to safely conduct online activities. When you get beyond the Beltway, you find that too many people are making unsafe decisions online not because the technologies and techniques are lacking but because they simply don’t know any better. If left to persist, public ignorance will be the downfall of any trusted identity strategy.

Source

According to data compiled by Symantec, nearly 60 percent of all systems infected by the worm are located in Iran. Indonesia and India have also been hard-hit by the malicious software, known as Stuxnet.

Looking at the dates on digital signatures generated by the worm, the malicious software may have been in circulation since as long ago as January, said Elias Levy, senior technical director with Symantec Security Response.

Stuxnet was discovered last month by VirusBlokAda, a Belarus-based antivirus company that said it found the software on a system belonging to an Iranian customer. The worm seeks out Siemens SCADA (supervisory control and data acquisition) management systems, used in large manufacturing and utility plants, and tries to upload industrial secrets to the Internet.

Symantec isn’t sure why Iran and the other countries are reporting so many infections. “The most we can say is whoever developed these particular threats was targeting companies in those geographic areas,” Levy said.

The U.S. has a long-running trade embargo against Iran. “Although Iran is probably one of the countries that has the worst infections of this, they are also probably a place where they don’t have much AV right now,” Levy said.

Siemens wouldn’t say how many customers it has in Iran, but the company now says that two German companies have been infected by the virus. A free virus scanner posted by Siemens earlier this week has been downloaded 1,500 times, a company spokesman said.

Earlier this year, Siemens said it planned to wind down its Iranian business — a 290-employee unit that netted €438 million (US$562.9 million) in 2008, according to the Wall Street Journal. Critics say the company’s trade there has helped feed Iran’s nuclear development effort.

Symantec compiled its data by working with the industry and redirecting traffic aimed at the worm’s command and control servers to its own computers. Over a three-day period this week, computers located at 14,000 IP addresses tried to connect with the command and control servers, indicating that a very small number of PCs worldwide have been hit by the worm. The actual number of infected machines is probably in the 15,000 to 20,000 range, because many companies place several systems behind one IP address, according to Symantec’s Levy.

Because Symantec can see the IP address used by machines that try to connect with the command and control servers, it can tell which companies have been infected. “Not surprisingly, infected machines include a variety of organizations that would use SCADA software and systems, which is clearly the target of the attackers,” the company said in its blog post Thursday.

Stuxnet spreads via USB devices. When an infected USB stick is viewed on a Windows machine, the code looks for a Siemens system and copies itself to any other USB devices it can find.

A temporary workaround for the Windows bug that allows Stuxnet to spread can be found here.

Source

The Health Insurance Portability And Accountability Act, or HIPAA, requires that EHRs and the data in them be guarded throughout their life cycles. Risk assessments must be performed and access privileges determined. You’ll need policies to secure all possible points of data leakage, including desktops, servers, databases, mobile devices, and the Internet.

In short, you must protect data at rest and in motion, and prepare for the inevitable breaches.

Creation And Use

When a patient walks into a provider’s office for the first time, the terminal at reception must be hardened, hosted on a trusted network, and continually scanned for viruses and malware. Receptionists should be able to add basic patient information but have limited access to executable files.

Access privileges should be assigned that strictly regulate employees’ ability to view, enter, edit, and delete data based on what they need for their jobs. For example, billing personnel don’t need to see the results of the medical tests that they’re charging patients for.

Attending physicians should use unique credentials to access the EHR application to record diagnoses. E-medical records must be signed with electronic signatures, which include PIN codes and are saved in encrypted files. Signatures verify that information has been reviewed every time a physician signs off on an EHR. They also let the medical staff sign off on records from any location, expediting processing, reducing workflow costs, and maintaining HIPAA compliance.

Source

What’s worse: U.S. security officials say the country’s cyberdefenses are not up to the challenge. In part, it’s due to a severe shortage of computer security specialists and engineers with the skills and knowledge necessary to do battle against would-be adversaries. The protection of U.S. computer systems essentially requires an army of cyberwarriors, but the recruitment of that force is suffering.

“We don’t have sufficiently bright people moving into this field to support those national security objectives as we move forward in time,” says James Gosler, a veteran cybersecurity specialist who has worked at the CIA, the National Security Agency and the Energy Department.

If U.S. cyberdefenses are to be improved, more people like Gosler will be needed on the front lines. Gosler, 58, works at the Energy Department’s Sandia National Laboratory in Albuquerque, N.M., where he focuses on ways to counter efforts to penetrate U.S. data networks. It’s an ever-increasing challenge.

“You can have vulnerabilities in the fundamentals of the technology, you can have vulnerabilities introduced based on how that technology is implemented, and you can have vulnerabilities introduced through the artificial applications that are built on that fundamental technology,” Gosler says. “It takes a very skilled person to operate at that level, and we don’t have enough of them.”

Gosler estimates there are now only 1,000 people in the entire United States with the sophisticated skills needed for the most demanding cyberdefense tasks. To meet the computer security needs of U.S. government agencies and large corporations, he says, a force of 20,000 to 30,000 similarly skilled specialists is needed.

Some are currently being trained at the nonprofit SANS (SysAdmin, Audit, Network, Security) Institute outside Washington, D.C., but the demand for qualified cybersecurity specialists far exceeds the supply.

“You go looking for those people, but everybody else is looking for the same thousand people,” says SANS Research Director Alan Paller. “So they’re just being pushed around from NSA to CIA to DHS to Boeing. It’s a mess.”

The Center for Strategic and International Studies highlights the problem in a forthcoming report, “A Human Capital Crisis in Cybersecurity.”

According to the report, a key element of a “robust” cybersecurity strategy is “having the right people at every level to identify, build and staff the defenses and responses.”

The CSIS report highlights a “desperate shortage” of people with the skills to “design secure systems, write safe computer code, and create the ever more sophisticated tools needed to prevent, detect, mitigate and reconstitute from damage due to system failures and malicious acts.”

The cyber manpower crisis in the United States stands in sharp contrast to the situation in China, where the training of computer experts is a top national priority. In the most recent round of the International Collegiate Programming Contest, co-sponsored by IBM and the Association for Computing Machinery, Chinese universities took four of the top 10 places. No U.S. university made the list.

The Chinese government, in fact, appears to be systematically building a cyberwarrior force.

“Every military district of the Peoples’ Liberation Army runs a competition every spring,” says Alan Paller of SANS, “and they search for kids who might have gotten caught hacking.”

One of the Chinese youths who won that competition had earlier been caught hacking into a Japanese computer, according to Paller, only to be rewarded with extra training.

“Later that year, we found him hacking into the Pentagon,” Paller says. “So they find them, they train them, and they get them into operation very, very fast.”

Some members of Congress, eager to follow China’s example, are now promoting a U.S. Cyber Challenge, a national talent search at the high school level. The aim is to find up to 10,000 potential cyberwarriors, ready to play both offense and defense.

“The idea is for schools around the country to field teams, and the teams would compete against one another,” says Sen. Thomas Carper, a Delaware Democrat who is one of the backers of the effort. He sees the challenge as an opportunity “not only for them to hone their skills on being able to hack into other systems, particularly those of folks we may not be fond of, but also to use what they learn to strengthen our defenses.”

In order to protect a computer system, one needs to know how someone might attack it. Last year’s preliminary Cyber Challenge game was won by a 17-year-old from Connecticut — Michael Coppola — who was smart enough to hack into the game computer and add points to his own score.

“There’s actually a flaw within that Web application,” Coppola says. “Using that, I was able to execute commands on the computer running the scoring software, and I was able to add points and basically do whatever I wanted.”

It was certainly an unconventional approach, but the competition judges were so impressed by Coppola’s ability to hack into the computer game that they actually rewarded him for changing his score.

“It’s cheating,” Michael says, “but it’s like the entire game is cheating.”

Indeed. People who know how to cheat will soon be on the front lines of cyber defense, because the best way to defend a computer system from attack is to figure out how an adversary would be able to hack into it.

Now 18, Coppola is himself looking to a career in cybersecurity.

Source

The suspects are accused of posing as ordinary citizens, some living together as couples for years.

They were charged with conspiracy to act as unlawful agents of a foreign government, a crime which carries up to five years in prison.

A Russian foreign ministry spokesman said the allegations were contradictory.

“We are studying the information. There are a lot of contradictions,” spokesman Igor Lyakin-Frolov told the AFP news agency, declining further comment.

Russian Foreign Minister Sergei Lavrov later said Moscow expected Washington to provide an explanation over the the spying row, Russia’s Interfax news agency reports.

Nine of the alleged spies also face a charge of conspiracy to launder money, which carries a 20-year prison sentence.

An 11th suspect remains at large, according to the US justice department.

Read More

On foreign media reports saying no evidence linked the North to the attacks, Jeong Seok-hwa, investigation director at the Cyber Terror Response Center in charge of the investigation, said, “No country including the U.S. could identify the origin of the DDoS attacks that occurred a year ago. Thankfully, the discovery by Korean investigation agencies has been the most credible so far.”

On how he was sure that it was Pyongyang, Jeong said, “It might be too early to conclude this, but the facts so far have shown that the IP address used for the attacks was the same one rented by North Korea’s Posts and Telecommunications Ministry from a Chinese Internet provider.”

“The attack was waged by dozens of people, not one individual,” he added.

According to the National Police Agency, the cyber center in October last year found that the attacks originated from the IP of the North’s ministry.

A lieutenant on the investigation team was promoted to inspector in recognition of this discovery. He refused to disclose more, however, saying “Giving out more details will compromise our national strategy,” but added, “It was possible thanks to the technical capability we’ve accumulated for more than 10 years since the cyber center’s launch.”

Amid rising fears over a second cyber attack from the North, Jeong said, “Attack rumors were prevalent in April and May, but nothing really happened. But there certainly is the possibility of another attack. One of the servers that made the attack order seems to have copied all files saved on zombie PCs, or those in charge of the attack.”

This indicates that zombie PCs analyzed the files South Koreans frequently use to make more of them when starting an attack.

On preventing a cyber attack, Jeong said, “We cannot prevent zombie PCs from multiplying even with the latest vaccine program. The government must distribute free firewall programs (used for protection in Internet banking services).

With the investigation over last year’s cyber attacks ongoing, Jeong pledged to find the culprit. “We’ve done everything we can within the country. Since the attack originated from China, which is beyond our investigative jurisdiction, we will collaborate with China to find who did it,” he said.

Source

First, the U.S. Department of the Health and Human Services (HHS) issued guidance wherein “unsecure protected health information (PHI)” is essentially any PHI that is not encrypted or destroyed. Under this definition, it doesn’t matter how many chains, walls, doors, biometric gizmos and guards with lethal weapons you have at your service. As long as PHI is not encrypted, it is considered unsecured.
A second and more compelling reason why encryption is now a requirement is the introduction of HITECH’s breach notification initiative, which requires HIPAA-covered entities to send notification letters if there is a breach of unsecured PHI. However, as HHS pointed out, the use of encryption grants safe harbor in the event of a breach because encrypted PHI is not unsecured PHI.

Oddly enough, in the same breath, HHS also notes that “covered entities and business associates are not required to follow the guidance.” However, cleaning up the mess behind a breach notification can cost millions of dollars, so one would have to be supremely confident — or reckless — in not taking advantage of the encryption safe harbor. With such mixed signals, though, it is not hard to see why encryption is called ade facto requirement.

What type of encryption?

Since encryption means different things to different people, an important question is “what type of encryption should I use?”

In the past, companies offered hard drives that used strong encryption. However, analysis showed that strong encryption was used but only to protect the password and not the data that was stored on the devices. The actual data stored on the hard drive was encrypted with an encryption algorithm developed by the company, which proved to be anything but strong.

This illustrates the potential pitfalls of choosing any type of encryption package — a lack of strong, secure encryption. Obviously, some encryption programs do a better job of protecting data than others, but how can a company choose the right one?

HHS does not provide any guidance in this area, and that is a smart move. HHS does many things, but it is not in the position to determine the technical requirements that would separate strong from weak encryption. Instead, HHS defers to the National Institute of Standards and Technology (NIST) to direct organizations to a number of special publications on the subject.

The publications are endless, tedious documents which are long on theory and short on technical requirements. However, a little detective work leads to concrete specifications that one can work with.

While these requirements are for federal agencies, they could also serve as a great guide for private practices. Since HHS deferred to NIST when it comes to encryption, companies need to meet the expectations of what NIST considers “proper” encryption for sensitive data.

Further proof that HHS deferred to NIST is found in the guidance, where encryption for “data at rest” and “data in motion” are specifically mentioned. The latter refers to data going through networks, including wireless networks. The former refers to data that is stored: laptops, external hard drives, CDs or DVDs, backup tapes, etc.

Data in motion

Of the two, encrypting data in motion is more straightforward: Valid encryption processes must “comply with the requirements of Federal Information Processing Standards (FIPS) 140–2.” While there are many technical requirements involved, many vendors offer products that are FIPS 140-2 validated, so finding such a solution is easy.

Organizations must look for a solution that is FIPS140-2 validated, not FIPS140-2 certified. The former means that NIST evaluated, and validated, the encryption. The latter is used interchangeably with the former, but is technically meaningless and is mostly marketing speak. While encryption is in the spirit of NIST’s requirements, it hasn’t been validated.

Data at rest

Finding appropriate data at rest encryption requires a little digging. According to the suggested NIST publication — Special Publication 800–111, Guide to Storage Encryption Technologies for End User Devices — “Federal agencies must use FIPS-approved algorithms contained in validated cryptographic modules. Whenever possible, AES (Advanced Encryption Standard) should be used for the encryption algorithm because of its strength and speed.”

Also, a footnote makes reference to NIST SP 800-57, “Recommendation for Key Management,” and notes that it “provides detailed information on key management planning, algorithm selection and appropriate key sizes, cryptographic policy and cryptographic module selection.”

This information is relegated to a footnote. This is unfortunate since this publication is what most HIPAA-covered entities are looking for. As organizations review section 5.6.2 of the publication, they can identify encryption algorithms that are valid for use, the minimum key sizes and the length of their validity. In addition, examples are given on how all of the above comes together, and summarized in a table. Any encryption weaker than this, and you might not be covered.

HIPAA-covered entities can expect safe harbor if, and only if, they adhere to these strict standards and guidelines. The fact that a company’s data is encrypted is meaningless without taking into account the NIST requirements. Organizations that properly adhere to HIPAA standards understand the impact of breach notifications. By proactively leveraging the proper encryption technologies, companies of all sizes can avoid these breach notifications while ensuring the security of their sensitive data.

Source