CUI · Cyber Incident · cybersecurity · Distaster Recovery

Defining CUI – Controlled Unclassified Information for the Manufacturing Segment

The definition of CUI, or Controlled Unclassified Information, by the Department of Defense is challenging for most small and medium manufactures to grapple. The NIST Frameworks for Cybersecurity SP800-171 have defined CUI under the context of “Protecting Controlled Unclassified Information (CUI) in Nonfederal Information Systems and Organizations.” The security requirements of 800-171 apply to all components of nonfederal systems and organizations that process, store or transmit CUI, or that provide security protection for such components. I will walk through the various standards and definitions to highlight the specifics that affect our manufacturers who need to meet compliance with the NIST cybersecurity guidelines. As this background currently applies to commercial manufacturing under DOD contracts, the guidance and definitions are in either draft or consideration for other verticals, including financial services, healthcare, food safety, automotive and other related verticals.

What is CUI? According to the National Archives, “Only information that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and government-wide policies may be CUI. this excludes all information that is classified under Executive Order 13526 of December 29, 2009, or the atomic Energy act, as amended.” In commercial manufacturing, this would be anything other than COTS (Commercial Off-The-Shelf) and includes modified COTS products. The summary and extension is to any organization that provides a product or solution that is designed for government or modified for government, the information associated with such would be considered CUI. CUI is: (i) provided to the contractor by or on behalf of DoD in connection with the performance of the contract; or (ii) collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract; falls in any of the following categories: (i) controlled technical information, (ii) critical information, (iii) export control (iv), any other information, marked or otherwise identified in the contract, that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and government-wide policies (e.g., privacy, proprietary business information).

How do you protect CUI? Provide adequate security to safeguard covered defense information that resides on or is transiting through a contractor’s internal information system or network. Adequate security is defined as implementation of NIST SP800-171 that include the 14-controls for cybersecurity and is required by 12/31/2017. Compliance with 800-171 is considered 100 percent complete with any waivers or deviations approved by the DOD CIO. An organization can demonstrate through Plans of Action (POAM) and System Security Plans (SSPs) that they are in-progress as part of a contractor’s risk management decision of CUI protection by their supply chain.

Cyber incidents are another component of the compliance or CUI program. A cyber incident is an action(s) taken through the use of computer networks that results in a compromise or an actual or potentially adverse effect on an information system and/or the information residing therein. “Compromise” means disclosure of information to unauthorized persons, or a violation of the security policy of a system, in which unauthorized intentional or unintentional disclosure, modification, destruction, or loss of an object, or the copying of information to unauthorized media may have occurred.

What steps must be taken if a cyber incident occurs? Affected parties must:

  • Review contractor network(s) for evidence of compromise of covered defense information using contractor’s available tools including, but not limited to, identifying compromised computers, servers, specific data and user accounts.
  • Identify covered defense information that may have been affected in the cyber incident.
  • According to DFARS Clause 252.204-7013(c)(1), they must rapidly report (within 72 hours of the discovery of an incident) directly to DoD and the subcontractors need to provide the incident report number, automatically assigned by DoD, to the prime Contractor (or next higher-tier subcontractor) as soon as is practical.

The need for critical infrastructure and supply chain cyber improvement has now become a requirement. We are seeing more and more cyberattacks on this market segment that result in the rapid and “unknown” theft of intellectual property, data and designs. Copied and counterfeit products, parts and infrastructure cause damage to the US economy.

The extension of the standards to other vertical markets is not a question of “if,” but a question of “when.”  Prepare to adopt the NIST framework in every vertical market as a measurable, identifiable and comprehensive approach to understanding cyber posture of any organization.

*Nationalarchives.gov

**DFARS Clause 252.204-7012(c)(1)

Visit https://www.cytellix.com/media/cyberblog/ for more posts.

 

Cyber Incident · Disaster Recovery · Incident Response · Malware · Ransomeware

Corporate Cyber Incident Response Plan – Do You Even Have One?

ng_digital_forensics_incident_response

Corporate Cyber Incident Response Plan – Do You Even Have One?

I was messaging with a very good friend and colleague this week and we started chatting about incident response plans. We noted that most people have a plan in place at home; he raised examples around personal security elements such as home alarms, dogs, door locks and cameras. The comment that resonated with me most was, you know what to do when you come home and your home has been burglarized. Call the police, insurance company, etc. He went on to pose the question, what about when your company is electronically burglarized? For most organizations, that question is met with silence.

While burglary in the workplace takes on many forms, we will focus on burglary in the form of cyberattacks. The attacker is “stealing” information from your company for monetary purposes. Yes, the cyberattack is intended to take something from you: data, money or both. Cyberattackers work systematically and operationally efficiently to pick either high-value targets or high-probability targets to extort what they are targeting—data, intellectual property, personal identifiable information or cash extortion from a ransomware event. It’s a business and the value to the attacker is what they take for future gains or currency to potentially give you back what they have access to or control of. The results of this are highly distracting, expensive and potentially severely impactful to the business.

Circling back to the concept of corporate cyber incident response, what is your answer? Is the first step to call the authorities and FBI? Is it to pay the ransom? Is it time to deploy your Disaster Recovery (DR) policy? Do you even have a DR plan? Have you identified your critical data?

What exactly is the FBI’s role in cyber? The FBI’s role is to hunt down the “bad guys” and prosecute them, plain and simple. Their role is not to recover your assets, cash or data. Should you call the FBI if you are burglarized (cyberattacked)? Absolutely! We want to shut down as many cyber criminals as possible. Should you pay the ransom? Well, that depends—do you have a data recovery plan implemented that remains unscathed by the encryption tactics used by the attacker? If yes, why would you pay? Sometimes organizations need to make a time vs. money decision, as the time to recover may exceed the threshold a company can accept for their business. Law enforcement suggest not paying the ransom, but your business objectives need to drive your decision.

Many organizations talk about the topic of incident response, but very few have a realistic plan. Some suggestions that can help include: building a plan that includes recovery steps, using realistic scenarios and identifying leaders within your company who will drive those decisions.  Have a true plan of action that is executable. Do a few tests of the plan “dry run” a few scenarios.  Be prepared, be ready, be diligent—the odds prove that this will happen to your company at some point. The small and medium business market is the largest potential target, while also the least prepared. Start today!

 

 

 

 

 

Artificial Intelligence · cybersecurity

Artificial Intelligence (AI) Cybersecurity: It’s All About Behavior!

The latest leading-edge data intelligence topics referred to as Artificial Intelligence (AI), Machine Learning (ML) and, Artificial Neural Networks (ANN) are currently experiencing significant venture and corporate capital investments. Some of the advantages of ingesting large quantities of data and creating a corpus of knowledge to draw insights are very interesting for complex subjects such as cybersecurity, healthcare and financial services. The use cases of AI in healthcare such as DNA/genome research are truly captivating to read. The parallels to cybersecurity research and respective knowledge base for predicting and analyzing data will be step-functions of change needed to understand the data collection and interpretation of threats. The application of any form of AI includes a “people factor,” as directly linked to both ends of a “cyber activity.” A “cyber event” is started by a person and the resolution is implemented and managed by the same.

The behavior part of cybersecurity also involves people, but machine behavior plays a significant role in cyber events. For example, if we can measure a baseline of machine behavior that is “known good,” then we can react—potentially in real-time—to machine changes in behavior. There are many parameters to consider and behaviors that may be considered non-issues to filter; however, having a system of behavioral analytics under the category of AI/ML/ANN brings data-driven decision making.

A few scenarios to outline this include known devices on the network or IoT devices changing their state. In the first case of known devices, this has been a topic we have been discussing in the security space for a very long time. Products and technologies have been built for attestation, key management and device authentication—to capture a few categories. As we move up a level from the cryptography space to understanding the metadata a device produces, we can measure changes, arrival, departure and state. By observing anything with an IP address in relationship to the context of its metadata, we can filter “good” and “bad” activities, behaviors and changes. If a known device comes on the network at 8 am on Monday normally, but an unknown device comes on the network at 3:00 am, we can create an action to change that behavior and thus become proactive in our cyber preparedness. Alternately, if a known device that was once considered “good” starts talking to a “bad” actor site or shows a change in its metadata that is considered out of policy/standard, then actions can be taken to quarantine or remediate accordingly.

In the second example of IoT devices changing their state, we have seen this with IP cameras, and medical devices. The potential case of industrial systems being taken over by the “zombie robot apocalypse” is not as far removed from reality as one might think. Hackers can exploit flaws and create subtle changes to industrial control systems, which could be dramatic in scale or event. I am not suggesting that the machines will take over the world, but I am suggesting close monitoring of IoT devices for behavioral changes that could indicate the presence or possibility of a wider scale issue.

As an industry, we can start to move from a reactive to a proactive state in the category of cyber preparedness. A real-time approach to monitoring device behaviors could reduce cyber event time to discovery from the current industry average of 256 days. The cost of discovery time is escalating every year. Our small and-medium businesses cannot afford the costs of remediation and losses that accompany a cyber event. The statistics of survival for SMBs in a cyber event estimate that roughly 60 percent or 6 out 10 will not be in business in six months.

The current state of cybersecurity necessitates the establishment of continuous monitoring practices—to monitor both known devices on networks and IoT devices changing their state. The innovations of artificial intelligence (AI), machine learning (ML) and artificial neural networks (ANN) are paving the way for a proactive cyber approach.

 

cybersecurity · IoT · Malware · Ransomeware

“Flipper” role in protection of our resources – it’s an IoT fish story!

Many may remember the TV series, “Flipper.” For those who do not remember, the theme and plot is as follows: Flipper, a bottle-nose dolphin, helps to protect his lagoon park and preserve its wild inhabitants. He is instrumental in apprehending criminals and thugs in the park.

How does this story draw parallels to cybersecurity?

This past week, an unnamed North American casino experienced a cybersecurity breach via a fish tank. The casino’s self-cleaning fish tank, programmed via sensors to monitor water temperatures and fish feeding schedules, was targeted by hackers. Through the fish tank system, the cyber thugs broke into the casino’s computer network and downloaded sensitive data to a Finland location.

Connecting the dots of this story back to “Flipper,” the idea of observing and monitoring one’s environment is vitally important. Like Flipper—whose role was to apprehend criminals through observation and data collection—we must remain vigilant, and can no longer blindly trust even the most innocent of devices, such as programmed fish tanks.

Fish tanks are now IoT devices on our networks and, as seen in the case of this casino, can create an open door for clever cyber thugs. Today’s cyber thugs and criminals leave breadcrumbs of information that we can collect to understand the risks associated with certain IT decisions. The same advice and best practices apply to fish tanks as they do to any other sensor on our networks. Understand, Monitor, Prevent and Segment to protect your most critical assets: DATA!

http://money.cnn.com/2017/07/19/technology/fish-tank-hack-darktrace/index.html

 

 

 

cybersecurity

Where are cybersecurity threats coming from?

There has been a lot of recent news and discussion about several malware variants that have been defined as ransomware attacks. There are and have been other damaging malware attacks, but ransomware popularity is currently very well publicized.

Ransomware attacks are not simple but are commonplace in the market today. These attacks typically find their way into an organization through social engineering. To be more specific, the malware is embedded in an attachment as an executable. There are several outcomes from ransomware that we have seen thus far: an individual machine is encrypted and the decryption key is held for ransom by the attacker and a currency request of a “Bitcoin” is requested to decrypt the machine in question. The nastier variants can traverse from machine to machine through the network, creating a systemwide infection. This attack causes severe networkwide shutdowns, causing an organization to recover through more significant ransom payments, or if the company was prepared, backup remediation steps are taken.

The availability of targets for ransomware attacks is almost unlimited, with small and medium businesses (SMBs) being the most vulnerable. Most SMBs are not well-equipped to handle these attacks. There are a few typical dilemmas the SMBs face: What is a bitcoin and how do I get one/them? We did not prepare our network and back-up processes to remediate the problem. Lastly, law enforcement does not recommend payment to the ransom and there is no guarantee that the attacker will actual provide a legitimate decryption key.

The other type of attack—less publicized but equally damaging—is the “insider threat,” wherein the attacker is currently or was previously authorized to work inside your organization. These individuals can cause incalculable damage to your company. As an example, these can be system level attacks or result in losses of intellectual property. The insider threat is as complex to detect and remediate as an external attack. The differentiator here is the insider knows the weaknesses and knows where to find the most valuable information. As with external threats, experts recommend both employee training and monitoring capabilities to detect real-time behavioral changes.

Some additional processes to help SMBs monitor their employees, networks and behaviors to identify insider and external threats include:

  • Developing and enforcing policies for access to information systems
  • Monitoring and auditing inappropriate access – remediating upon discovery
  • Enforcing authentication and limited login attempt processes
  • Monitoring printers, downloading (large), queries and email
  • Deploying real-time networks monitoring for flow, files, connections, ports and suspicious IPs
  • Managing identities of current and past employees

 

 

cybersecurity

The background on Industry Cybersecurity Standards – NIST, CSET, DFARS

How to best understand the  Cybersecurity guidance and volumes of information is an ominous challenge? The foundational cybersecurity work produced by NIST (National Institute for Standards and Technology) is  a comprehensive cybersecurity review. Rather than diving too deep in to NIST and the regulatory nature of the definition of classified vs unclassified information and its protection, I will touch on the value of measuring a commercial organizations cybersecurity posture.
The recommended NIST standards, should you be interested to read, are noted as NIST SP 800-171 http://csrc.nist.gov/publications/drafts/800-171/sp800_171_draft.pdf, published October 18, 2015 identifies a couple very useful tools and premises for measurements. One tool, that is very useful is the CSET (Cyber Security Evaluation Tool) https://cset.inl.gov/SitePages/Home.aspx, which is a self-test, that any organization can use for “free.” While this tool is comprehensive in nature, it does require the user of the tool, to have an in-depth IT and Cyber background to accurately answer the 109 technical questions.
The second very useful part of the NIST publication is the breakdown of measurements into the specific 14-controls: Access Control, Awareness and Training, Auditing and Accountability, Configuration Management, Identification and Authentication, Incident Response, Maintenance, Media Protection, Personnel Security, Physical Protection, Risk Assessment, Security Assessment, System and Communication Protection, System and Information Integrity. By accurately measuring these controls in both a self-test environment (CSET) and using network scanning/situational awareness tools, an organization can get a true grade of their cybersecurity posture to uncover looming vulnerabilities.
The tool (CSET) produces a private result that are defined as a percentage out of 100%, with 100% being equal to compliance. The commercial customer can be measured against a publicly available industry standard, that has been architected to look at a company’s posture without bias. The meaning is to use an industry standard, and by definition, an industry standard is not proprietary. The consulting, technology and solutions market typically use a proprietary methodology to assist in assessments. However, leveraging the standards will give your organization a measurable outcome and baseline for improvements.
Now that we have reviewed the foundations, putting this into practice and having a vision of the effect on your company is an important discussion. Today, any organization, that supplies the federal government with product, solutions or services under a DOD contract, MUST BE COMPLIANT BY 12/31/2017. This date is non-negotiable. Organizations can self-assess or outsource the entire process to cyber experts. There are a few other requirements for compliance beyond providing the 100% System Security Plan, which include a Plan of Action and Milestones (your cyber improvement plan), a gap analysis (what are my company challenges), continuous monitoring and cyber incident reporting processes. The commercial market cyber need is increasing daily, with both compliance, business continuity needs and basic preparedness.  The standards approach is a very good methodology and starting place.
Other industries that will see changes for compliance in variations of this standard include: Healthcare, Financial Services, Food Safety, manufacturing and the Small and Medium Businesses (SMB’s). Here are some great references to see where the future of Cybersecurity preparedness is heading.

  • DFARS 252.204-7012 referenced as contract language for federal NIST 800-171 – designed for non-federal information systems (commercial)
  • NIST 800-53 cybersecurity framework for Federal information systems
  • Cybersecurity Framework for critical infrastructure – references NIST 800-53
  • Health Care Industry Cybersecurity Task Force recommends NIST Cybersecurity framework
cybersecurity · Malware · Ransomeware

Malware & Ransomware: SMB Best Practices

petya1-768x426[1]

In the wake of the past several weeks of broad and damaging cyber-attacks, it’s important that we talk about proactive measures the small and medium organizations should consider to protect your environment. Many of my colleagues have articulated the damage and origins of the recent attacks: WannaCry & Petya. I find these insights extremely valuable to understand the root and attributions of the malware itself. These publicized reports provide all sized organizations context to the magnitude of the current and future damages these organized type attacks can deliver.
The small and medium business sector has the largest threat landscape for cyber-attacks. The potential damages to the hundreds of thousands of businesses in the USA is an alarming statistic. The questions that consistently are asked by the small and medium business is; what should I do to protect my company? And, how can I afford the equipment, software and human resources required to truly become cyber prepared? Good news! There are options and practical real-world solutions available.
Many smaller organizations don’t have the internal resources to research both the industry standards and proprietary models to understand what is the best cybersecurity approach. A best practice is to use a methodical standards-based approach to build cyber awareness, develop a plan to improve and implement a proactive monitoring solution as an appropriate start to cyber preparedness. Noted below are strategic and tactical plans the small and medium businesses should implement immediately.

Strategic recommendations:

  • Cybersecurity assessment – understand your current posture to identify vulnerabilities
  • Gap analysis – a comprehensive view of what needs improvement
  • Plan of Action – a detailed, real-world and affordable improvement plan
  • Continuous monitoring – become a proactive cyber aware company to know when changes occur

Tactical recommendations for WannaCry & Petya variants:

  • Ensure systems are patched and all antivirus programs are up to date
  • Implement and determine if backup systems are effectively configured
  • Restore only backups that have been securely managed
  • Isolate any unpatched systems
  • Monitor all networks and device connectivity