Laying the IT Security Foundation


Key Steps to Preventing Cyber Attacks

Government systems are getting hit on a daily basis by new and ingenious external attacks. Federal, state and municipal agencies, plus government contractors, must find a way to adjust to this evolving threat landscape to prevent these threats from wreaking havoc. It is imperative that government organizations get back to the basics of security and lay a strong security foundation to weather these attacks by proactively addressing their root causes.

February 2010 WP-EN-02-04-10

Disengaging from the Arms Race

The numbers are in, and it’s clear to most that they don’t bode well for those within government IT security. The latest statistics show that on the Internet, a new Web site is compromised to host malware every five seconds. Cybercriminals and cyberterrorists are amassing large fortunes through the sale and trade of information from each of these exploits, only to reinvest more and more resources into developing even more sophisticated attacks as time goes by. Their attacks are highly polymorphic, and they are obfuscated. They don’t just attack vulnerabilities in applications, but also fundamental flaws in the way agencies protect their machines. These attacks are coming at a dizzying speed, especially as foreign states employ a loose-knit network of hackers, however informally, to extend their long arm of intelligence into as many American government systems as possible.

It’s no wonder, then, that the National Association of State Chief Information Officers (NASCIO) voted IT security a top 10 strategic priority for 2010 and security enhancement tools one of the top five hottest product categories for 2010. Meanwhile, half of agency CISOs at the federal level worried that, even though their organizations may be making progress in security practices, they are still “not getting ahead of attackers,” according to a survey conducted by ISC2 in April 2009. Tops on their list of most pressing problems today are external attacks (48 percent) and software vulnerabilities (26 percent). Another survey of federal IT professionals, conducted by CDW Government in November 2009, showed that more than half of agencies are experiencing cyber security incidents on a daily or weekly basis.

This relentless barrage of attacks infiltrates systems in a cloaked manner to fool detection mechanisms. Plus, attackers are constantly changing them to evade signature-based protections, such as antivirus. Not only are they sophisticated, but these pieces of malware are flooding the playing field. The idea is to keep security professionals guessing, to keep them engaging with old attack approaches while the new ones sneak in the back door. And for the most part, security teams are unable to keep up with the barrage of new threats with a set of old tools and a limited budget.

The problem is that government security professionals are stuck in a rut. We’re involved in an arms race with the bad guys that can only benefit them. Rather than addressing the fundamentals that allow an attack to occur in the first place, we’re addressing each individual attack as it crops up through a detect-and-block schema. Every time we get that rock to the top of the hill, it just rolls back down. It’s time to take a new approach. It’s time to get some bulldozers and flatten the hill.

Addressing Security’s Biggest Problem

The attacks are largely successful because vulnerabilities and misconfigurations exist within applications and throughout the government IT framework. If those vulnerabilities didn’t exist, the vast majority of attacks wouldn’t succeed no matter how plentiful they were. In fact, more than 90 percent of attacks exploit a vulnerability for which a patch already exists.

Think about it. If you had a door with a broken lock that was being taken advantage of by burglars, you wouldn’t start by spending your money on expensive closed-circuit cameras, on booby traps within the home or on chaining your big-screen TV to the wall. No, you’d address the root cause of the break-ins and fix the lock first.

Many within government are starting to buy into such an approach. According to the ISC2 survey, of all the cyber security programs they’re tasked to participate in, the Federal Desktop Core Configuration (FDCC) is the one that federal CISOs feel is making the most progress — likely because the FDCC offers such a good security ROI.

The idea behind FDCC is simple: With the help of Microsoft and the National Institute for Science and Technology (NIST), the Office of Management and Budget (OMB) developed a standard configuration setup for managed endpoints using Windows XP and Windows Vista so that the tenets of security — such as the rule of least privilege — are followed on machines across the federal government. Since 2009, federal agencies have been required to adhere to FDCC on their workstations and laptops as part of greater Federal Information Security Management Act (FISMA) compliance. According to Karen Evans, the then-administrator for OMB’s Office of E-Government and Information Technology, who wrote the first memo outlining FDCC in 2007, the idea for establishing this baseline was “to improve system performance, decrease operating costs and ensure public confidence in the confidentiality, integrity and availability of government information.”

One of the pilot adopters of this FDCC approach was the U.S. Air Force, which not only improved security by reducing its patch cycles from seven weeks to three days, but also achieved cost savings as the number of help-desk calls “have dropped drastically because there are fewer one-off configurations and mysterious problems to address,” reported FedTech Magazine.

The example provided by FDCC has a lot of benefit as a case study in endpoint configuration, not just at the federal level but also at state and municipal levels, because, at the end of the day, secure configuration is the very bedrock of any security program. It always has been and will continue to be so in the future — one only need look at the current threat environment to understand why.

Adjusting to the Evolving Threat Landscape

As much heat as Microsoft receives from the security research community, the company has actually made a lot of progress over the last several years in building defenses within Windows. In that time we’ve seen the advent of the built-in firewall, user access control and improvements in the data execution system. The protections were not perfect, but enough roadblocks were thrown up to make hackers look for easier prey. When they shifted their crosshairs to the application layer, what they found was a target-rich environment that was not only more vulnerable to attacks, but also more profitable to attack.

And just as improvements in the operating system (OS) were gaining steam, there was a convergence in user behavior that made Web-based applications extremely appealing to attackers. Known as the Web 2.0 movement in common parlance, this confluence of action saw organizations double, triple and even quadruple their number of custom applications.

This Web 2.0 revolution has seen the rise of Web-based collaborative tools, mash-ups, social media, enriched instant messaging and user-contributed content online. Not only have many of these applications been built hastily with minimal regard for security to take advantage of quickly changing market conditions, but they’ve been tunneled through the network firewall to provide Web-based access directly into back-end systems that may or may not have ever been intended for outside connectivity. Many of these back-end systems contain valuable citizen, operational and financial data, as well as national security secrets. The combination of these factors has been like the lining up of cherries in a Vegas slot machine for state and non-state hackers. And there’s no end in sight.

Many of these Web-based programs utilize SQL Server as the back-end technology that holds all of the content seen by users as they browse a site. The drastic spike in 2009 of SQL injection attacks — the insertion of specially crafted queries to break the technology to reveal sensitive information and allow attackers to install malware or redirect users to malware-laden Web sites — comes by way of insecure coding practices by developers rushing to meet this need for Web application expansion.

And these Web-based attacks aren’t all we have to worry about, either. State and non-state actors have also turned their attention to Microsoft Office and browser-related weaknesses that hadn’t been previously exploited because the OS used to be so easy to attack. They’re also more closely scrutinizing opportunities in countless other applications from vendors such as Cisco, Apple and Adobe. They’re even attacking firmware on hardware such as printers. The attack surface has clearly expanded dramatically.

Not only are Web-based applications riddled with vulnerabilities, but many users exacerbate the problem by surfing the Web and running documents on old, insecure versions of browsers and productivity applications. Attackers not only find

easily avoided a spread in infection had they improved their password policies to protect fileshares.
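The paper attributes the 2009 spike in SQL injection to insecure coding practices rather than to any cleverness on the attacker's side. As an added example (not from the whitepaper or its author), the following Python places the insecure query-building pattern beside its parameterized replacement so the root-cause fix is visible; sqlite3 stands in for SQL Server and the citizens table is constructed sample data.

```python
import sqlite3

# Constructed sample rows standing in for a Web application's back-end
# table; sqlite3 is used here as a stand-in for SQL Server (assumption).
SEED_ROWS = [
    ("alice", "ssn-111"),
    ("bob", "ssn-222"),
    ("carol", "ssn-333"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE citizens (name TEXT, ssn TEXT)")
    conn.executemany("INSERT INTO citizens VALUES (?, ?)", SEED_ROWS)
    return conn


def lookup_vulnerable(conn, name):
    # Insecure coding practice: user input is spliced into the query text,
    # so the database engine cannot tell data apart from SQL syntax.
    sql = "SELECT name, ssn FROM citizens WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    # Hardened form: the query shape is fixed at development time and the
    # input travels as a bound parameter, so it can only match a literal name.
    sql = "SELECT name, ssn FROM citizens WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def compare(name):
    """Run both lookups against a fresh database and return their results."""
    conn = make_db()
    try:
        return lookup_vulnerable(conn, name), lookup_parameterized(conn, name)
    finally:
        conn.close()


if __name__ == "__main__":
    # A benign name: both forms return the single matching row.
    print(compare("bob"))
    # A value containing a quote character: the parameterized form returns
    # nothing, while the concatenated form has its WHERE clause rewritten and
    # discloses every row. Fixing the code, not filtering the input, is the fix.
    print(compare("x' OR 'a'='a"))
```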
