Analysis: DHS Domain Name System Breach Directive
On January 22, the Department of Homeland Security (DHS) issued a directive to government agencies in response to breaches of the Domain Name System (DNS). The attackers used stolen credentials to alter DNS entries and steal certificates used for encryption and decryption. In combination, these actions let the attackers redirect sensitive traffic to their own sites, and to decrypt the traffic once it was received.
DHS’s directive provides good advice for responding: audit DNS records & prioritize those related to critical services; change DNS account passwords; add multi-factor authentication to DNS accounts; and monitor and review certificate logs. The time frame for these actions is ten days, but MFA implementation can be postponed indefinitely with an explanation of why it cannot be implemented. DHS also warns, rightly, against the use of SMS-based MFA (i.e., the kind where a security code is texted to the user).
Several questions arise. Do agencies have the tools and expertise to conduct these response activities? Do they have the infrastructure and software to implement MFA quickly? Why don’t these agencies have MFA on DNS accounts in the first place? Did affected agencies have strong controls in place on systems storing sensitive data while leaving DNS servers relatively unprotected? Can agencies correlate findings to validate the identification of perpetrators?
After these initial tasks, affected agencies will need to determine what data was compromised and when, assess the impact of the breach, conduct forensic investigations to identify the attacker(s), and share that threat intelligence without creating a secondary risk. If Personally Identifiable Information (PII) was taken, victim notification will be necessary, and if covert operations of any kind were compromised, then safeguarding those human assets will be a top priority. Depending on the data stolen, other adjustments to operations will likely be necessary.
Under the NIST Risk Management Framework (RMF), Federal IT systems are assigned an impact level of “High”, “Moderate”, or “Low”. The impact level determines the stringency of security measures implemented on those systems. Do all agencies assign the same impact level (and attendant security controls) to DNS systems? Is a review of impact levels appropriate, to ensure the appropriate safeguards are in place?
This incident reveals:
• The need for adequate identity protection, particular privileged accounts that should be protected by MFA
• The need threat hunting and post-incident investigative tools and expertise
• The need for an inconsistent assignment of impact levels to mission-critical systems such as DNS servers, or systems hosting DNS”
DHS’ incident response capability has improved significantly in recent years, and for that, they deserve great praise. The next phase is to concentrate on a harder task: incident prevention.
Related Blog Posts
Cybersecurity May 12, 2020
The old saying goes, there are only two kinds of organizations: those that have been breached and those that will be soon. Clearly, the “moat-and-castle” approach to security has not worked. Simply being “inside” a network – behind a firewall, DMZ and other traditional defenses – does not confer trustworthiness, whether it’s a device, a user, network traffic, or an application.
Don Maclean
Cybersecurity, IT Infrastructure April 22, 2020
Election security is a big topic, but it resembles a many-legged centipede. Federal contractors face the reality that elections are the purview of state, county and municipal officials. The technical and managerial abilities of these entities vary from what you might expect in a tiny hamlet to what you might encounter in a million-person suburban county.
David Blankenhorn
Cybersecurity April 14, 2020
DHS recently published version 3.0 of the Trusted Internet Connection (TIC) architecture. A response to changing IT conditions, Executive Orders, and OMB mandates, the new architecture seeks to support IT modernization through cloud adoption while keeping security as a top priority. The comprehensive set of documents includes an overview, a catalog of security capabilities, a reference architecture, guidance for pilot programs, advice for service providers, and a very helpful set of use cases relevant to agency needs.
Don Maclean
Cybersecurity April 14, 2020
The Threat
Risk is a function of likelihood times impact. When it comes to zero-day exploits, particularly those that use return-oriented programming (ROP) or one of its many cousins the likelihood is high, and the impact is higher. How do these attacks work, and what is the industry doing to stop them? More importantly, what can you do to stop them? Is it possible to stop a zero-day without patching or updating systems? Let’s explore these questions.
How ROP Works
Don Maclean
Cybersecurity March 20, 2020
The Cyberspace Solarium Commission recently released a groundbreaking report detailing 75 recommendations for improving the cybersecurity of the nation, including both the private and public sectors. The Commission, bipartisan in both name and spirit, conducted over 300 meetings with industry, academia, U.S. government, think tanks and foreign governments. I had the privilege of participating in this effort. The result is a comprehensive report that urges immediate and concrete action on its recommendations, organized into six pillars”:
Don Maclean
Cybersecurity March 20, 2020
Last week, my associate, Shane Rogers, shared an article on GovCybersecurityHub discussing the Cybersecurity Maturity Model Certification (CMMC) and its potential impact on small- and medium-sized government contractors.
Don Maclean
Cybersecurity March 20, 2020
I recently had the opportunity to visit an amazing new facility—the Cyber Range at Tech Data—and got to meet the truly exceptional people who make it happen. The facility has many purposes, stemming from the powerful sense of mission that drives the staff.
Don Maclean
Cybersecurity March 19, 2020
At RSA this year, Chris Krebs gave an important talk: “Cybersecurity Has a Posse” where he stressed the importance of collaboration between government and industry to fight the cybersecurity war. He started by pointing out that his agency, Cybersecurity and Infrastructure Security Agency (CISA) is an “all-source” group. He meant that CISA collects threat information from sources all over the world, including government agencies, private industry, and more. Krebs’ group consolidates that information and disseminates it – daily – to security professionals across all industries.
Don Maclean
Cybersecurity March 18, 2020
With the designation of the COVID-19 disease as a global pandemic hotly followed by a declaration of a national emergency by President Trump, the American way of life shifted dramatically – with the home office becoming a new reality for millions.
Unfortunately, the rise in the global remote workforce puts more pressure on IT teams, network architectures, and even equipment. But there are also very real cybersecurity challenges to consider.
DLT Solutions
Cybersecurity December 2, 2019
By Brandon Shopp, VP, Product Strategy, SolarWinds
Is unnecessary complexity making Office 365 monitoring a headache for your agency? A new presidential mandate requires federal agencies to “transform and modernize” their IT systems, with the goal of creating a more streamlined, cost-efficient, and secure IT environment.
DLT Solutions
Cybersecurity October 23, 2019
This is a repost of a blog originally posted to GovLoop here.
This blog post is an excerpt from our new report, How Artificial Intelligence Combats Fraud and Cyberattack, download the full report here.
DLT Solutions
Cybersecurity October 23, 2019
The security of public sector networks is under attack. Each day security and IT professionals work hard to defend the integrity of mission-critical data and systems against increasingly frequent and complex cyberattacks.
Staying informed is critical to staying ahead.
That’s great, but there are literally dozens of cyber news outlets, journals, and bloggers to follow. Security leaders and practitioners don’t have time to filter what’s urgent and relevant to their organizations. That’s why we’ve created GovCybersecurityHub.
Don Maclean
Cybersecurity October 17, 2019
*Article written by Jim Hansen, VP of Products, Security and Application Management
DLT Solutions
Cybersecurity October 10, 2019
This month, DLT sat down with James Ebeler, the Chief Technology Officer, Department of Defense, for Iron Bow Technologies. In this interview, James discusses the cybersecurity challenges facing our military and how Iron Bow is helping solve them with innovative solutions.
DLT: Good morning, James. Thanks for joining us today for this interview.
James: Good morning, happy to be here.
DLT: Fantastic, let’s dive right in. First, can you tell us about your role at Iron Bow Technologies?
DLT Solutions
Cybersecurity October 10, 2019
The first half of 2019 continued to be a busy one for cybersecurity teams and their organizations. But the nature of the adversary is changing.
New insight from DLT partner, CrowdStrike, finds that attackers are “continuing to ramp up in both their brazen behavior and sophisticated means.”
Don Maclean
Cybersecurity October 10, 2019
*Article originally posted on GovCybersecurityHub here.
DLT Solutions
Cybersecurity September 24, 2019
The DoD Cybersecurity Strategy https://www.fifthdomain.com/dod/2018/09/19/department-of-defense-unveils-new-cyber-strategy/ stresses nine key points. With the end of FFYE looming, are you aligning your spending with these objectives?
Don Maclean
Cybersecurity, IT Perspective August 2, 2019
Every Federal IT pro knows that security threats are a top agency priority. Yet, according to the SolarWinds 2019 Cybersecurity Survey, those threats are increasing—particularly the threat of accidental data exposure from people inside the agency.
DLT Solutions
Cybersecurity July 31, 2019
Capital One has announced that about 140,000 Social Security numbers and 80,000 linked bank accounts were compromised “in one of the biggest-ever data breaches,” affecting some 100 million individuals in the U.S. and 6 million in Canada.
DLT Solutions
Cybersecurity, Healthcare July 29, 2019
More and more organizations are making the move to cloud-based security solutions. Today, 33 percent of organizations are planning to adopt one or more security-as-a-service (SECaaS) solutions. The efficiency with which endpoint security solutions can provide protection, particularly when delivered as-a-service, is a key strategic consideration for many organizations – perhaps none more so than America’s network of medical schools and teaching hospitals.
DLT Solutions
Cloud Computing, Cybersecurity July 22, 2019
It’s often said that there are two types of organizations: those that have been hacked, and those that will be – turning the conversations around security breaches from ‘what if?’ to ‘when?’.
Isabella Jacobovitz
Cybersecurity July 10, 2019
Although state and local technology leaders are increasingly prioritizing cybersecurity in their operations, government has a long way to go in securing critical information and systems from cyberattacks.
In light of this struggle, Route Fifty, in partnership with CrowdStrike, recently hosted a webcast that showcases the work of state and local governments who have undergone a transformation in cybersecurity protocols – and the challenges they continue to face.
Melissa Perez
Cybersecurity March 29, 2019
Many government agencies, particularly large agencies, face enormous obstacles in simply compiling and inventory of the software and hardware under in their system. The difficulty is understandable: I know of one agency responsible for 220,000 makes and models of medical devices (note that this number refers to “makes and models” only. The actual number of devices is much, much higher). In addition, the devices are online intermittently, and many of them are on air-gapped (i.e., physically separate networks), complicating the use of automated tools for identification and inventory.
Don Maclean
Cybersecurity March 28, 2019
Every government organization has been the victim of a cybersecurity incident. These can range from mundane incidents such as a user leaving their desk without locking their screen, up to a major breach such as the OPM hack in which hackers stole comprehensive and confidential information on millions of government employees and contractors.
Don Maclean
Cybersecurity March 27, 2019
Identity and Access Management (IAM) is the art and science of ensuring that someone is who they say claim to be. This ensures that they have the correct level of access to systems and data – enough to do their job, but no more. IAM systems cover a wide range of features, but typically include:
Don Maclean
Cybersecurity March 26, 2019
Cybersecurity assessment initiatives and frameworks abound in the US government, the most important being the Federal Information Systems Management Act (FISMA), passed in 2002. The law’s broad scope included a mandate to the US National Institute of Standards and Technology (NIST), charging it to create methods and standards to assess and optimize the cybersecurity posture of US government agencies.
Don Maclean
Cybersecurity March 25, 2019
“Hope for the best, plan for the worst”. This ancient principle still applies, especially for systems with high availability requirements. Principles are easy to quote, but how does an organization implement them effectively?
Don Maclean
Cybersecurity March 22, 2019
Cybersecurity endures as a top priority for federal agencies, the Trump administration, and Congress. So whatever other budget battles that might lie ahead, cyber will remain an important opportunity. In fact, two recent reports ought to scare the heck out of not just agency managers but pretty much every American.
Brian Strosser
Cybersecurity March 22, 2019
The “Internet of Things”, or IOT: we’ve all heard the term, but what does it really mean? More importantly, how do we secure all of these … “things”?
Don Maclean
Cybersecurity March 21, 2019
Cell phones, tablets, wearables, and other mobile devices dominate our lives. I personally bring my trusty iPad to everywhere, and, like everyone else, have my phone with me at all times. The biggest attack surface for any enterprise, then, may well be these devices. How can we assess the threats? What are the components in need of protection? What are some key methods of protecting them?
Don Maclean
Cybersecurity March 20, 2019
Earlier this month, I wrote about the Zero Trust model for security. As I proceed through these daily blogs, I find many of them complement the ZT model; data security is one. Outside the IOT world, the goal of cybersecurity is to protect data. The Zero Trust model recognizes this and focuses on keeping security close to the asset, and portable.
Don Maclean
Cybersecurity March 19, 2019
Configuration management is a many-headed beast, but the biggest beast with the sharpest teeth is the patch monster. Every day, a new vulnerability, a new patch – and an old decision: patch and maybe break something (I’m looking at you, Spectre and Meltdown), or stay online and be vulnerable. This model – “panic patching” -- is in wide practice, but not sustainable. For now, an efficient and reliable system is essential; for the long term, we need an entirely new model.
Don Maclean
Cybersecurity March 18, 2019
By now, you’ve heard it a hundred times: the perimeter is breaking down, no more “crunchy outside” to protect a “chewy inside”, no more castle-and-moat model of network infrastructure security. If there is no inside and outside, then where do defenses belong? What security architectures make sense for such amorphous network?
Don Maclean
Cybersecurity March 15, 2019
Once upon a time, endpoint security was just a hall monitor: it watched for known bad files identified with a simple signature and sent you an alert when the file was blocked. To be safe, it would scan every machine daily, an intrusive activity that slowed down machines, and sped up the heart rates of affected users and hapless analysts at help desks.
Don Maclean
Cybersecurity March 14, 2019
Insider Threat: it’s one of the biggest and most persistent issues in cybersecurity. High-profile cases – Manning, Snowden, and others – have kept the issue in the public eye; government security personnel are rightfully concerned. In addition to the willfully malicious, though, many insiders lack ill intent, but pose a threat just the same.
Don Maclean
Cybersecurity March 13, 2019
Do developers at your company keep application security top of mind when coding? Do they have training in secure code development? Do they have the tools to develop code securely? If they find a security issue, can they quickly fix the issue in all instances throughout a large-scale application? If they use open-source code, do they verify its security?
Don Maclean
Cybersecurity March 12, 2019
“Build it in, don’t bolt it on” is a mantra we all learn when we study cybersecurity, yet we see it in practice far too rarely. Our adversaries also know this principle and have begun to implement it by infecting the supply chain – hardware and software – as close to the source as possible. DLT technology partners Crowdstrike and Symantec both note the trend in recent threat reports. In their July,2018 report1, Crowdstrike notes that:
Don Maclean
Cybersecurity March 8, 2019
Phishing, vishing, whaling, spear-phishing: the list of clever new terms seems constantly to change. A successful attack by any other name, though, is just as sweet to the adversary. Terminology aside, the fundamental problem is this. Phishing is the most common and effective way to steal data because it goes after the weakest chain in our cybersecurity armor: the human being. Even high-profile people, including one CEO of a major cybersecurity firm and major figures in law enforcement, have fallen victim to phishing attacks.
Don Maclean
Cybersecurity February 28, 2019
“Trust but verify”: a Russian proverb Ronald Reagan often used to characterize U.S.-Russia relations, especially regarding nuclear weapons. The Internet has made it clear that the “trust” part of the proverb may not work so well. Today, we may have to say “Never trust; only verify”.
Don Maclean
Cybersecurity February 28, 2019
Every security professional knows that the adversary has the advantage. Security professionals have to find every vulnerability (good luck with that) and remediate it, and the enemy only needs to find one vulnerability and exploit it. This asymmetry underlies their economic advantage: finding one vulnerability gives access to a huge number of systems. In addition, for those willing to forego their conscience and risk jail, it is possible to make large sums of money in a short time, even with a minimum of technical expertise.
Don Maclean
Cybersecurity February 28, 2019
You have heard it enough to make you aim a fire extinguisher at your firewall: “compliance does not mean security”. Compliance work can consume up to 70% of security budgets in Federal government agencies, and it is common to spend more money identifying, documenting, and gaining approval for a remediation than the remediation itself costs.
Don Maclean
Cybersecurity February 28, 2019
Return on investment: is it worth the money? That is the central question in both government and industry when deciding on any procurement. Demonstrating ROI on cybersecurity products is notoriously difficult, and is one of the underlying reasons for the poor state of our nation’s cybersecurity posture.
Don Maclean
Cybersecurity February 14, 2019
The rising numbers of data breaches should come as no surprise to federal IT security pros who work every day to ensure agency information is secure. However, these breaches may not be something a federal IT team can prevent on its own.
DLT Solutions
Big Data & Analytics, Cybersecurity January 31, 2019
Expert Panel: The Challenges and Opportunities for Modernizing Data Protection
As online data has become ubiquitous, managing that data has become as important an endeavor as amassing and storing it. A host of issues surround data management, not the least of which is security. But many others loom as data increases exponentially both in size and in importance.
DLT Solutions
Cybersecurity January 16, 2019
Article written by Jim Hansen, VP of Products, Security, SolarWinds
Earlier this year, the Department of Defense (DoD) released a policy memo stating that DoD personnel—as well as contractors and visitors to DoD facilities—may no longer carry mobile devices in areas specifically designated for “processing, handling, or discussion of classified information.”
DLT Solutions
Cybersecurity December 28, 2018
The “National Cyber Strategy”, released recently by the White House, offers a broad blueprint for America’s approach to cybersecurity. Let’s look its four “pillars”, and their key elements.
Don Maclean
Cybersecurity December 3, 2018
In a recent blog post, DLT Chief Technology Officer David Blankenhorn shared his insight on DLT’s evolution to a government solutions aggregator:
Melissa Perez
Cybersecurity November 26, 2018
“Cyber Hygiene”: you know the term, but what does it really mean? Some say it is an ill-defined set of practices for individuals to follow (or ignore). Others say it is a measure of an organization’s overall commitment to security. Still, others think of “cyber hygiene” as simple, readily available technologies and practices for cybersecurity.
Don Maclean
Cybersecurity November 14, 2018
Benefits and social security fraud are a huge cost to taxpayers. In 2016, the White House estimated these losses at $144 billion. Fraud can take many forms from making false statements on a social security claim, misuse of benefits by a family member or friend, altering claims, duplicate billing for the same service, embezzlement, and so on.
Melissa Perez