Cybersecurity battleground – Status of cyber threat info sharing

The current status of cybersecurity threats and information sharing between the public, private and government sectors is improving. With that said, there is still much work that needs to be done. Host Sean Kelley sat down with an esteemed panel to discuss. The guests include: Wally Coggins, director of the IC Security Coordination Center within the Office of the Director of National Intelligence…

Source

Former WH senior advisor talks data privacy

Privacy became a real issue for American in 2018. Marc Groman, who joined Cyber Chat with host Sean Kelley, said existing incentives for data security have so far been wrong. “When it comes to protecting the perimeter and protecting our networks, we’re still — in some cases — at data security one-oh-one,” Groman, a former senior advisor for privacy at the White House and now principal at…

Source

What is insider threat?


Any mention of an organization and insider threat in the same sentence generally conjures up an image of information being stolen by an employee — which is precisely the image Michael Theis and Matt Moynahan want to change.

Cyber Chat Host Sean Kelley sat down with Moynahan, CEO of ForcePoint and Theis, Chief Counterintelligence Expert at Carnegie Mellon University’s CERT Insider Threat Center.

Theis defined an insider threat as “the potential for an individual who has authorized access to your organization’s assets to use those excesses maliciously or unintentionally to act in a way that could negatively affect the organization.”

But Theis said it covers a lot more than just employees or former employees.

“Things like trust and business partners, those supply chain vendors. Anyone who has access to your physical people, your physical facilities, your info or your technology.”

“Insider threats to enterprises begin with access, privilege and the intentions of the person with that access,” Moynahan added. “The definition of insider becomes very blurry with things like digital transformation [or] movement to the cloud. Attackers are getting in, identities and credentials are being stolen, and the human being has become one of the primary vectors of attack.”

Companies are spending tremendous amounts of money in training with the goal being to become security companies — more or less — in order to combat insider threats.

“Hygiene training from the hygiene approach certainly raises the bar, but I don’t think that is the answer quite frankly,” Moynahan said. “The unintentional, ‘don’t click on the link, don’t open the attachment’ [is a necessity, but] we need to do something more for systems and technology in my opinion.”

Theis said it’s fair to ask for proper care and caution, but he doesn’t know how effective training is. He said training should be broken down by observables, both human behavior and technical. “What are your coworkers doing that could be putting [the company] at risk? There’s no one type of ‘insider.’ It really depends on the type of threat. It’s not as simple to say, ‘What are you likely to see? When are you likely to see it? What do you look for?’” Thes said.

“The challenge has been that despite the general best efforts, the industry hasn’t protected organizations,” Moynahan said. “And the problem with the current security marketplace is that things have gotten so bad that we’re forcing enterprises to become security companies. We’re forcing individuals to try and become security experts.”

Moynahan said around $1 trillion has been spent over the past seven years trying to keep people out, with a 95% failure rate.

“It’s not just a spend issue, I think it’s an approach issue that we need to think about in addition.”

The post What is insider threat? appeared first on Federal News Network.

The future of IPv6 and cybersecurity


Charles Sun, government executive and IPv6 expert appeared on Cyber Chat with host Sean Kelley to discuss infrastructure, IPv4 and the need for quicker adoption of IPv6.

“Infrastructure and cyber security are really hard [when] separate from each other,” Sun said. “The fact that the network and infrastructure logs do not report a data breach does not mean your network is secure. We are facing a challenge where networks are attacked on daily basis.

Sun said “these are attacks are happening all over the world,” on average more than six confirmed data breaches a day, more than 53,000 reported security incidents and breaches last year alone.

Sun said this is due to the fact that most network environments are in between two IP stacks.

“This is especially true in the private sector. From my perspective, this is a huge challenge that both public and private sectors really need a different approach to. Just because you haven’t found the logs or the alarms haven’t gone off, it doesn’t mean that you haven’t been breached,” Sun said.

Sun said security information and event management (SIEM) has not brought the abilities or the clarity it promised with log management.

“I don’t think that SIEMs have produced what everybody thought they were going to produce from a tool standpoint,” he said, because of the dependence on human intervention for success.

Sun said there needs to be new questions.

“What can we do differently? Can we bring a different perspective or opinion to address the issues? How do you reduce the overall attack vector or attack surfaces?” he asked.

In addition, Sun said eliminating IPv4 from the network would enhance security.

“By turning off that legacy IPv4, [we] will achieve a great reduction of all the attacks and the threats that are experienced today. The fact that currently we’re running dual stack mode of operations of both IPv4 and the IPv6 is a great vulnerability to the environment,” Sun said.

Sun acknowledged that getting rid of IPv4 will take time.

“Before we can truly enjoy automation and even artificial intelligence, we need to get down to one stack, one protocol and make sure IPv4 is entirely shut down,” he said.

Sun said quite a few carriers are already in the process of turning off IPv4, at least internally. According to a recent report, T-Mobile and Verizon are in the process.

Takeaways:

  • Infrastructure and cyber security are hard to separate from each other.
  • Even if your network or your infrastructure logs don’t report a data breach, that doesn’t mean your network is secured.
  • On average, more than six confirmed data breaches occur every single day. Last year there were over 53,000 reported security incidents and breaches.
  • Eliminating IPv4 on the network will greatly enhance security.

The post The future of IPv6 and cybersecurity appeared first on Federal News Network.

2019 technology priorities from Congress and private industry


Darryl Peek, former director of digital innovation and solutions at the Department of Homeland Security and current senior manager for strategy at Salesforce and Rep. Will Hurd (R-Texas) and sat down with Cyber Chat Host, Sean Kelley, to discuss the future of federal technology.

“A lot of people think bipartisanship is dead in Washington D.C., but it’s not,” Hurd said.

“We were able to pass [Federal CIO Authorization Act of 2019] unanimously, in essence strengthening the federal chief information officers. It is important to make sure one person is in charge of ensuring all the agencies and departments are following the right procedures to have good digital hygiene,” Hurd said.

Congressman Hurd said he hoped for more bipartisan support in 2019 for major issues like cybersecurity and transportation.

“[The American people] sent people to Washington D.C. to do things, not just to burn it down.”

Agencies like Veterans Affairs are dealing with critical technology issues. Hurd said VA needs system standardization and configuration in a big way. There are over 100 different versions of VA’s legacy systems and “nobody knows all of the different kinds of versions … what makes data transformation projects so difficult is you’re potentially dealing with tens of thousands of different versions of the software and nobody knows the changes from one application to another, ” Hurd said.

Looking ahead, Hurd counted the FITARA scorecard as one of his priorities — “making sure the 24 large agencies and departments are following efforts to have good digital hygiene.”

Another priority is a national plan on artificial intelligence (AI). “There are 18 countries that have one, five are developing it and we are not one of them. We have to make sure our research is complimentary between the public and the private sector. We need to make sure we’re thinking about how do we train the next AI researchers; how do we ensure that our workforce is prepared for a world of AI?” Hurd said.

Hurd also discussed his initiative called the Cyber National Guard.

“If you’re a kid and you want to go to college and you want to do something around cybersecurity, we’re going to find you some scholarship money. You’ve got a scholarship to work in the federal government, not NSA or DOD, but at the Census Bureau, at HHS and at places that require folks with cybersecurity skills,” Hurd said.

Hurd said once students finish the program, they would commit the same number of years to service in industry.

“The private sector is going to agree to loan you back into the federal government for 20 mandates a year,” Hurd said.

Peek said cloud adoption is gaining momentum as a priority.

“I’m starting to see it across the board. I’m starting to see more interest in how to leverage these cloud service providers and customers asking ‘How do I lower the barrier of entry?’ Peek said.

The post 2019 technology priorities from Congress and private industry appeared first on Federal News Network.

Unique partnership between FDA and DHA protects medical devices


We have entered a new level of connectivity, convenience and efficiency with the Internet of Things (IoT). The healthcare community is experiencing this growth and with the availability of data, improved patient care is imminent. With these advancements, however, comes greater risk. The majority of connected medical devices were designed, built and purchased around ten years ago. Likewise, the cybersecurity threat vectors from a decade ago were much different than today. This is a multi-billion-dollar problem for the healthcare industry.

“An overwhelming majority of providers — 96 percent — point to the manufacturer as the cause of many of these device-related security issues,” according to Health IT Magazine. Out-of-date operating systems or the inability to patch devices are primary factors for the security issues.

In this edition of Cyber Chat with Sean Kelley, Sean sits down with Dr. Suzanne Schwartz, associate director for Science & Strategic Partnerships at the Center for Devices and Radiological Health, and Christopher Butera, deputy director for Cyber Threat Detection and Analysis at the National Cybersecurity and Communications Integration Center.

In October 2018, the FDA released a medical device security playbook that includes a roadmap to secure medical devices.

The FDA works closely with the vendors “to make sure that they’re able to patch these systems,” Schwartz said. “But the other thing I want to mention is we try to preach the in-depth defense scenario where we have good segmentation between medical devices and IT devices.”

“Medical devices are exploited in such a way where they’re not usually connected directly to the internet,” she added. “Rather, they’re often connected to an enterprise IT environment and results in the emergence of infection or compromised IT environment. Nonetheless, putting in place proper segmentation and intrusion detection — among other effective controls between the IT network and the medical device segments — happens to be a vital consideration we are trying to get owners and operators to do. ”

Schwartz also said medical device manufacturers are receptive to the federal government’s guidance.

“FDA has released policy around what our expectations are about the maintenance of devices through its lifecycle, which also includes management of cybersecurity through the lifecycle,” she said.

Schwartz said it becomes important to balance the concepts of maintaining, servicing and continuously managing the vulnerability and security of those devices.

“However, at the same time, we must be fostering the development of new devices which are going to have significant security built into them. With this, the legacy issue which we are facing today will be such that will eventually go away,” Schwartz said.

NCCIC’s Butera said the FDA’s playbook “formalizes the working relationship that we’ve had for some years, specifically around vulnerability coordination with medical device vendors and this also includes the research community. We coordinate a wide range of cybersecurity advice, and when we have the kind that needs specific things — for example, the impact to patient safety and things in a similar category — those are the times when we coordinate with FDA and other related experts because DHS aren’t medical professionals.”

Butera said when a specific cyber vulnerability presents itself in such a way that patients’ safety will be affected, DHS works with FDA to access relevant answers and to disseminate required information to the general public.

November 2018, President Trump signed into law the Cybersecurity and Infrastructure Security Agency Act, replacing the National Protection and Programs Directorate.

“We’re excited to have an agency name [CISA] the public can understand and relate with,” Butera said. “It creates a central place regarding coordination for all cyber issues and [puts us in a position to be] a leader in emergency communications and infrastructure security [as well as] the one-stop shop to be the risk manager for the nation.”

Takeaways:

  • DHS is responsible for securing all 16 critical infrastructure sectors including public health, and this also involves trying to understand what these vulnerabilities are, and what the impacts are of telehealth.
  • Cybersecurity is a critical component of that premarket review process of medical devices. FDA issued guidance in 2014 on cybersecurity for medical devices which tells manufacturers FDA’s expectations regarding their premarket submissions.
  • FDA recently released updated premarket guidance that requires medical device manufacturers to incorporate security into medical devices before they go onto the market.
  • FDA highlighted specific themes in its premarket guidance: ‘The trustworthiness of these devices,’ ‘transparency around the devices,’ and ‘communication of the parts in those devices and its resilience.’
  • Cybersecurity and Infrastructure Agency Act of 2018 created a central place to coordinate cyber issues and to manage emergency communications and infrastructure security.
  • Medical device approval process can vary from several months to years depending on the type of data needed.

The post Unique partnership between FDA and DHA protects medical devices appeared first on Federal News Network.

Cloud security and lessons from private sector


In this edition of CyberChat, host Sean Kelley, former chief information security officer of the Environmental Protection Agency, digs into cloud offerings, security and compliance and how Silicone Valley startups can help the government with cybersecurity and innovation.

Kelley was joined by Steve Grewal, former deputy chief information officer at the General Services Administration, and former CIO of the Education Department. Grewal is now the Chief Technology Officer of Cohesity and is a member of the Exabeam Advisory Board.

Grewal said there is a learning curve around the compliance frameworks when a company first enters the government ecosystem.

“Solution providers with emerging technologies that can really help the federal government struggle with how to onboard and get started from a compliance element,” Grewal said. “I would say that’s probably the biggest challenge as a solution service provider, whether you’re a product company or you want to do business in the federal space.”

Once a company makes the decision to do business with the government, Grewal said there are a variety of compliance elements and certification areas that have to be addressed. Grewal called them “investments where the ROI is a multiyear.”

A cyber hardening is a key focus.

“In the government, you have a variety of secured configurations, baseline standards or CIS benchmarks. These can be elaborate exercises to go through for a product, [so] the company has to benchmark it and harden it, and that really costs money,” Grewal said. “There is a good level of effort to this process and it’s not only a onetime process, it’s a continuous process.”

Grewal said a lot of security elements of cloud were underdeveloped when the Cloud First policy was first introduced in 2010.

“Now fast forward, here we are nearly 10 years later and we’re seeing more adoption,” Grewal said.

The adoption of cloud offerings has more to do with the fact that “we’re now in a perimeter-less world,” Grewal said. “Cybersecurity is more focused on data and software-defined perimeter where as in the past, the focus was on protecting the physical boundaries. Now, it is protecting the logical boundaries.”

Another focus in the government is identity management and credentials.

“If you look at a lot of cyber-attacks, always the common theme is credentials. When you’re looking at your enterprise security architecture, you’re thinking about proliferation, you’re thinking about fragmentation, you’re thinking about all these sources of data transactions growing. [But], you really need solutions that can scale from a threat landscape perspective, cover all your onsite assets and your off-site assets,” Grewal said. “So, it’s scalable solutions and technologies.”

Takeaways:

  • The federal acquisition service is much stronger as one voice/one buyer when it comes to negotiations and contract procurements to leverage the buying power.
  • The government has to move towards doing IT in a unified way. This will greatly increase the continuum of maturity. Some organizations are still struggling with legacy IT while others are on the bleeding edge. Given an agency’s strategic roadmap — where they want to go, what they want to do — organizing and coordinating the timing of those efforts is another challenge.
  • We are starting to see some of the consequences of not having centralized control of the cloud spend. Agencies didn’t necessarily have the visibility, monitoring and policy controls. With the implementation of Cloud Access Security Brokers (CASB) and other technologies, agencies have centralized policy control across that entire ecosystem of cloud services.
  • From a best practices, cyber health and hygiene perspective, agencies will start to focus on behavioral aspects to successfully secure an agency.
  • Silicone tech companies should partner with an established federal contracting company to avoid costly mistakes. There is a learning curve around the compliance frameworks, understanding the language and contract vehicles when a company first enters the government ecosystem.

The post Cloud security and lessons from private sector appeared first on Federal News Network.

Lessons learned from 2016 election season

Best listening experience is on Chrome, Firefox or Safari. Subscribe to CyberChat with Sean Kelley on iTunes or PodcastOne.

In part two of the Cyber Chat election security show, host Sean Kelley discussed what agencies have learned from the last election and what they are doing to ensure the election is not only secure, but that American voters can still have confidence in the process. He was joined by:

  • John Gilligan, Chief Executive at Center for Internet Security;
  • Matthew Masterson, Senior Cybersecurity Advisor at DHS for Election Security;
  • Chris Wlaschin, Former HHS CISO and Vice President of System Security for Election Systems and Software.

Gilligan said its not enough anymore for agencies to just ensure that the votes cast are adequately measured. He said potential interference in 2016 opened the election community’s eyes to another factor they had not experienced before: Deliberate attacks against voting infrastructure.

“What ended up happening out of these attacks had no impact, and in fact was quickly recovered, but the public perception of this attack resulted in loss of confidence in the overall elections process, Gilligan said. “It then became obvious to the elections community that it’s not just sufficient to capture the votes.. We have to ensure that the entirety of the elections infrastructure from voter registration to poll books, to election management, to election reporting results all work properly, because any hiccup in any element could potentially erode the confidence of the American public.”

From left, John Gilligan, Sean Kelley, Matthew Masterson and Chris Wlaschin

In fact, many have expressed a belief that the election system would be better off a paper-driven system. Kelley asked: Is it based on a problem with the cybersecurity and election technology or just media hype?

Masterson said its more than that. It’s a challenge the election community has dealt with since the passage of the Help America Vote Act (HAVA) — passed in 2003 — which introduced technology to the process.

“It’s a really challenging question, because what you’re talking about is the need to modernize because a process that isn’t modern … that doesn’t offer that level of accessibility to voters is one that voters will also lack confidence in, right? It needs to be available and usable for voters,” Masterson said. “So balancing the risks that some technology brings with the need for resilience and redundancy is a challenge that we face.”

With the upcoming election, It’s even more important that election offices expect that something may go wrong and are prepared with contingency plans — including keeping auditable records of votes cast, such as paper ballots or receipts.

State and Federal cooperation has increased significantly since 2016.  DHS is working with all 50 states of the states are regularly sharing information with DHS from the field. Masterson said this is the best source of information about what kind of threat is present, what kind of activities may be targeting their systems and why they’re coming to DHS to receive that support and services.

Takeaways:

  1. The Center for Internet Security has put sensors out in the field on the election networks to look for potential attacks and intrusions and CIS is very proactive in working with local jurisdictions trying to improve their security. In 2016 there were a handful of those sensors deployed on state networks looking at traffic targeting election infrastructure. Now 103 of those sensors are deployed across the country in 42 states.
  2. In addition to sensors, there are secure chat rooms where most of the election community’s offices are connected with CIS, DHS and other federal resources. Through this, election officials will be able to in real time look at events, deal with questions if there’s something that happens in the media, make sure everybody is aware of whether it’s a false report or respond to threats.
  3. The HAVA also created the Election Assistance Commission. The one federal agency dedicated to working exclusively with state and local election officials in the community.
  4. The EAC has serves three key roles:
    • Clearinghouse of information with best practices for state and local officials — from cybersecurity to voter registration to post-election results.
    • Focuses on accessibility, making sure that all voters (even those with disabilities or who are serving in the military overseas) have full access to the process and are able to cast their votes privately and independently
    • Tests voting systems with a voluntary certification process

The post Lessons learned from 2016 election season appeared first on Federal News Network.

How secure is the election process?

Best listening experience is on Chrome, Firefox or Safari. Subscribe to CyberChat with Sean Kelley on iTunes or PodcastOne.

The 2016 elections left a swirl of unanswered questions around election security. In a two-part series, host Sean Kelley discusses the state of cybersecurity as it pertains to the election of our future leaders. He’s joined by:

  • John Gilligan, chief executive at Center for Internet Security
  • Matthew Masterson, senior cybersecurity advisor of Election Security at the Homeland Security Department
  • Chris Wlaschin, former CISO at the Health and Human Services Department and current vice president of System Security for Election Systems and Software.

There are approximately 9,000 election jurisdictions in the U.S., with an almost equal number of different technologies and configurations that could be employed during elections. According to the Brennan Center for Justice, 13 states have machines that produce no auditable paper trail, which is crucial in rooting out irregularities or hacks. And five states use paperless machines statewide that also don’t have an audit trail.

From left, John Gilligan, Sean Kelley, Matthew Masterson and Chris Wlaschin
From left, John Gilligan, Sean Kelley, Matthew Masterson and Chris Wlaschin

Close to 80 percent of the votes cast in 2016 had an auditable record associated with them. But, Masterson said, Homeland Security Secretary Kirstjen Nielsen wants 100 percent of the votes in 2020 to have an auditable record.

Masterson said it can be achieved through the practice of defense in depth. “There is no silver bullet to protect systems, but [you can] create layers of security such as physical, network and application security. DHS utilizes this approach when working with state and local officials to build a resilient election process, so that when incidents occur, they are not only able to detect them, but also recover from them while maintaining the integrity of the process,” Masterson said.

“DEF CON [an international hacker convention] stood up voting villages and procured legacy voting equipment and brought in security researchers with unfettered access to understand the vulnerabilities that reside in these technologies. In many cases, this equipment had been produced in the early 2000s. While some of it is still in operation in some of our election jurisdictions today, those election jurisdictions shine when it comes to protecting this legacy equipment and ensuring that elections that are conducted on this legacy equipment can be trusted,” Wlaschin said.

The biggest misconception regarding elections and election security is the idea that election machines are reachable through the internet, which would make them hackable. “The election industry works really hard to design, test, and deliver voting machines, tabulations and election management systems that are up to EAC standards,” Wlaschin said.

Hundreds of elections occur throughout the year with safe, secure and trustworthy results. But that doesn’t mean U.S. election infrastructure is where it needs to be. “The $380 million distributed by the Election Assistance Commission should be considered a down payment on continued and regular recurring investment in our election infrastructure,” Wlaschin said.

Top Takeaways:

  1. DEF CON provides valuable access for election security researchers to understand the vulnerabilities of a wide range of technologies; mainly voting villages.
  2. Federal, state and local officials need to work together to understand risks to the systems and work together to build that defense in depth to build a resilient election process.
  3. The Center for Internet Security has resources available such as the 3 Steps to Secure your Election Infrastructure Today , as well as the Election Security Handbook.
  4. In 2016, 80 percent of votes cast had an auditable record associated with them, whether that’s a paper ballot, or a receipt.
  5. In March 2018, the president signed a bill that gave $380 million to states to invest in election security infrastructure.
  6. Voting machines that the public interact with are not reachable from the internet.
  7. Hundreds of elections are held throughout any given year.

The post How secure is the election process? appeared first on Federal News Network.

Cybersecurity in the VA’s Connected Health

Best listening experience is on Chrome, Firefox or Safari. Subscribe to CyberChat with Sean Kelley on iTunes or PodcastOne.

The advancements in technology are allowing medical systems across the world to have a greater reach and to care for patients in areas that have been difficult to access in the future.  Most view this as a great enabler for every health care system and it is especially helpful for the Veteran Affairs Department. This month, Cyber Chat’s Host Sean Kelley sat down with Dr. Neil Evans, the chief officer for the Office of Connected Care in the Veterans Health Administration at the Veterans Affairs Department.  

Connected Health or Telehealth can mean many things to many people, but vans said: “at the simplest level it just means health at a distance. It’s allowing, in our case in the VA, veterans to connect with their health care teams using technology when they’re not face to face.” 

The Connected Health program at the VA assists them with access by getting patients access to health care or medical specialties that may not be accessible in the local community.  Similar to other settings, Telehealth improves accessibility by allowing the VA providers and patients to connect by video as well as improving the quality of healthcare by connecting patients with the health care provider who’s best suited to serve them. According to Evans, the veterans are very enthusiastic about using Telehealth “because it’s what helps them connect with the person who can help them with their health challenges.” 

So, what are the challenges with this approach? “With advances they’re also becomes greater risk right where things are no longer completely in the VA environment,” Evans said. The security of information and communication is absolutely critical and something the VA is constantly addressing.  

“It is imperative that VA does IT thoughtfully and that we make sure that that we are building a system that is secure and that protects the data and the information of the veterans,” Evans said.

One of the ways they are ensuring the security and protection of patient data is through the maturing of the ATO process. In addressing the Authority to Operation (ATO) process, he said “there is a clear path to answer the control and to provide for those controls.” The VA has a team in place that manages not only the ATO process, but reinforces the move towards continuous monitoring. According to  Evans, “the idea of AOT is really just a means to enforce good quality IT development.” 

When discussing mobile application in the VA, Evans highlights the VA Online Scheduling application and VA Video Connect. The VA Online Scheduling signifies the reason why they are in the business of mobile applications. “We’re doing mobile health to put tools in the hands of veterans to help them better manage their own health and provide the convenience of being able to book their appointment with VA providers from their mobile phone.”

“The VA Video Connect, announced at the White House in August, is a platform that allows patients and their VA providers to connect by video and have real-time video visits online”, Evans said. It provides encrypted video point-to-point video connection between a patient and their provider. Since its launch, the app has increased provider and patient virtual interaction drastically, but more specifically, “48,700 video sessions have been stood up by providers.” 

Takeaways:

  • VHA is in the business of delivering health care, priority number one is delivering health care and making sure that the VA is providing veterans access to health care
  • Telehealth is just delivering health at a distance
  • Telehealth gives patients access to health care or medical specialties that may not be available in the local community 
  • With the advancement of Telehealth, the VA is addressing the challenges of security
  • The ATO process has matured greatly at the VA 
  • VA Online Scheduling application and VA Video Connect are two mobile applications making significant impact in the VA 

The post Cybersecurity in the VA’s Connected Health appeared first on Federal News Network.