BayPay Forum

Feedback for the 2016 Healthcare Security Summit - NYC

Details
Category: Security News
31 December 1969

Original link

Plan for Modernizing Federal IT, Enhancing Security Unveiled

Details
Category: Security News
31 December 1969

Cybersecurity, Risk Management, Technology

Obama Administration Proposes Guidelines, But Action Could Be in Hands of Next President

Eric Chabrow (GovInfoSecurity) • October 31, 2016

U.S. CIO Tony Scott unveils government IT modernization plan.

Proposed guidelines issued last week by the White House for modernizing federal agencies' information technology - a critical step to enhance government cybersecurity - come as the Barack Obama administration winds down. That means the next administration likely could be responsible for implementing the plan - or altering it.

The proposed guidelines provide for a four-step approach to identify legacy systems vulnerable to exploitation, plan for new systems and pay for them. Much of what's contained in the proposed guidelines is not new; it's an amalgamation of previous Obama administration directives, though with a stronger emphasis on strengthening security.

U.S. CIO Tony Scott explains how IT modernization isn't a one-time deal. He refers to ITMF, Information Technology Modernization Fund, and OMB Circular A-130, which governs federal information resources management.

"Moving the federal government to modern infrastructure, such as cloud-based solutions, is a fundamental necessity to building a digital government that is responsive to citizen needs and secure by design," U.S. CIO Tony Scott says in a blog announcing the proposed guidance. "Doing so will enhance agencies' ability to protect sensitive data, reduce costs and deliver world-class services to the public. No one change is the silver bullet, however. Rather, this is a sustained effort that will ensure the federal government can best serve the American people in the 21st century."

The Office of Management and Budget, where Scott's office is located, gives the public until Nov. 26 to submit their views on strengthening the guidance.

Extension of Obama Initiative

The proposed guidance is an outgrowth of the Obama administration's $3.1 billion initiative unveiled in April to seed a fund to modernize federal information systems (see White House Proposes $3 Billion Fund to Modernize Federal IT). Simultaneously, a bill winding its way through Congress - the Modernizing Government Technology Act of 2016 - would create a working IT capital fund that would enable agencies to bank savings from modernization efforts to help pay for upgraded systems. The bill also would establish a governmentwide IT modernization fund in which agencies - led by their chief information officers - could present a business case for money for their modernization initiatives. The bill does not provide money for the fund; that would require a congressional appropriation.

The House, with overwhelmingly bipartisan support, approved the Modernizing Government Technology Act in September. "Using these old systems makes data housed by federal agencies more vulnerable to digital attacks, and it's a gigantic waste of taxpayers' money," says one of the bill's sponsors, Rep. Will Hurd, R-Texas.

The bill has been assigned to the Senate Homeland Security and Government Affairs Committee, whose chairman - Sen. Ron Johnson, R-Wis. - is preoccupied with a tough re-election battle. It's unclear whether the legislation will clear the committee and come up for a vote in the post-election, lame-duck session.

What's Next?

If the Senate doesn't pass the Modernizing Government Technology Act this year, the next president and Congress would have to act. Both major presidential candidates have suggested they support modernizing federal IT as a way to secure government systems and data (see How Will the Next President Approach Cybersecurity?).

Democrat Hillary Clinton's campaign website says she supports expanded investment in cybersecurity technologies. Clinton also supports the Obama administration's Cybersecurity National Action Plan, which includes the modernization of federal IT and upgrades to government cybersecurity.

Republican Donald Trump says he'd establish a cyber review team and calls for the securing of IT "as modern technology permits." Trump says the team would consist of military, civilian and private-sector cybersecurity experts who would comprehensively review all of the government's cybersecurity systems and technology. The team would make recommendations for the best combination of defensive technologies tailored to specific agencies.

Neither candidate, however, has explained how they'd come up with the billions of dollars needed to secure information systems and data.

One Party Rule?

How much money the government appropriates for IT modernization and development could be influenced by the outcome of this year's presidential and congressional elections, especially if one party wins the White House and a majority in each house of Congress.

"When the U.S. Senate and the House of Representatives are controlled by the president's ruling party, federal agencies are predicted to invest approximately 8.32 percent more in new IT development and modernization than when the opposition party holds the majority in both chambers," says Min-Seok Pang, assistant professor of information systems at Temple University, who researched the political influence on IT investments in the U.S. government between 2003 and 2016. "The budget allocation decisions between IT development and maintenance in governments are affected by political environments."

Security Benefits

In the current federal budget proposed by Obama, 78 percent, or $63 billion, of the planned federal IT spending of $82 billion is earmarked to maintain legacy systems. Moving some of those legacy-support funds to pay for modernized IT could eventually save money and make systems more secure. "As more and more data is stored online, the need to protect against the adverse consequences of malicious cyber activity becomes more pressing each year," Scott says.

A number of IT security experts agree that modernizing IT would bolster security. "If you use modern, advanced technologies instead of trying to drag forward your old concepts into the new world, you can save money and lower your risks at the same time," says Tom Patterson, chief trust officer at systems integrator Unisys.

The administration's modernization initiative calls for increased use of cloud computing technologies. Says independent IT security consultant Robert Bigman, who served for 15 years as CISO at the CIA: "For a few more dollars" federal agencies and other enterprises using cloud services would receive "better configuration security, better auditing, better identification and authentication and better encryption" than what legacy systems furnish.

Original link

Echo from the Past: Security Lessons for IT Modernization

Details
Category: Security News
31 December 1969

Leading this latest edition of the ISMG Security Report: An account of the similarities between resolving the turn of the century's Y2K date problem with toughening security through IT modernization today.

In the report, you'll also hear:

The ISMG Security Report appears on this and other ISMG websites on Tuesdays and Fridays. Be sure to check out our Oct. 25 and Oct. 28 reports, which respectively analyze the ways to thwart massive distributed denial of service attacks and evaluate new U.S. government guidance to prevent the hacking of automotive computers and electronics. The next ISMG Security Report will be posted on Friday, Nov. 4.

Theme music for the ISMG Security Report is by Ithaca Audio under the Creative Commons license.

Original link

Breach Response: Taking a 'Disaster Recovery' Approach

Details
Category: Security News
31 December 1969

Healthcare organizations should take a disaster recovery approach to creating their breach response plans, says Joey Johnson, CISO of Premise Health.

"The biggest thing missing so many times is organizations not testing [these breach response plans] out," says Johnson, who will be a featured speaker at Information Security Media Group's Healthcare Security Summit in New York on Nov. 1 and 2.

"Traditionally, if you test a disaster recovery plan, you learn things every time you try to recover your systems," he says. "Breach response and preparedness is really no different."

Organizations should test various scenarios, such as, for example, how a vendor breach would affect them, he says. And they should evaluate the role of cybersecurity insurance coverage.

Designating Responsibilities

In devising a breach response plan, organizations must spell out who is responsible for different components of the plan, he stresses. "There are internal components, which a technical team handles, but there's a whole other level ... such as who's responsible for responding to media outlets, what's legal [department's] responsibility and who makes the call on whether this is a breach and what and who to notify," he says.

In this audio interview, Johnson also discusses:

  • Mistakes organizations should avoid in their breach response and recovery plans;
  • Special breach challenges that Premise Health faces as a provider of healthcare services to other companies' employees at their worksites;
  • Predictions about the cyber challenges the healthcare sector will face in 2017.

At the Healthcare Security Summit, Johnson will participate in a panel discussion on creating an action plan for responding to data breaches.

Johnson has more than 15 years of cybersecurity experience. As the CISO of Premise Health, a Brentwood, Tenn.-based provider of worksite healthcare services, Johnson leads all organizational efforts related to cybersecurity; IT and security compliance and policy development; security audit; and vendor risk management. Previously, Johnson held technical and program leadership roles in the public and private sectors. He formerly served as chief security officer for the U.S. Department of Commerce - Office of Computer Services, and held various security and network architecture roles leading the design and implementation of complex enterprise networks for airports, hospitals, universities and federal agencies.

Original link

Google Details Zero-Day Windows Flaw Before Patch Prepped

Details
Category: Security News
31 December 1969

Endpoint Security, Technology, Vendor Management

Microsoft Slams Lack of 'Coordinated Vulnerability Disclosure'

Mathew J. Schwartz (euroinfosec) • November 1, 2016

Warning: Attackers have been targeting a zero-day flaw in Windows to escape Windows security sandboxes and exploit PCs.

So say engineers at Google, who have publicly announced the flaw and how it can be triggered, just 10 days after first sharing related vulnerability details with Microsoft.

The timing of Google's announcement is sure to reignite long-running debates over what constitutes a "reasonable" time period for bug spotters to wait before publicly announcing the details of a flaw, and the amount of time a software vendor should take to verify and fix flaws (see Google's Psychological Patch Warfare).

In this case, Microsoft was decidedly nonplussed over the timing of the alleged new flaw. "We believe in coordinated vulnerability disclosure, and [the] disclosure by Google could put customers at potential risk," a Microsoft spokeswoman tells me.

So far, the company has declined to discuss the alleged flaw any further or to detail a timeline for when it might get fixed. But the spokeswoman added: "Windows is the only platform with a customer commitment to investigate reported security issues and proactively update impacted devices as soon as possible."

Attackers Are Exploiting Flaw

In Google's defense, the company says its decision to detail the "critical vulnerability in Windows for which no advisory or fix has yet been released" was due entirely to the flaw already being actively exploited in the wild by attackers. Otherwise, Google says it waits 60 days - down from its previous 90 days - before making flaws public.

"This vulnerability is particularly serious because we know it is being actively exploited," Google security engineers Neel Mehta and Billy Leonard say in an Oct. 31 blog post.

The Google engineers have also detailed how the flaw can be exploited. "The Windows vulnerability is a local privilege escalation in the Windows kernel that can be used as a security sandbox escape," they say, noting that the flaw can be triggered via a win32k.sys system call. While Chrome has been updated to block related exploits, that still leaves the rest of the Windows "user space" at risk.

Google's self-determined notification policy is that it gives vendors just seven days to issue an advisory or fix for a flaw that's being actively exploited. Otherwise, Google says it reserves the right to make details of the flaw public.

Adobe's Fast Flash Fix

For comparison's sake, Google says it notified both Adobe and Microsoft of separate flaws - in Adobe Flash and Microsoft Windows, respectively - on Oct. 21. Adobe issued a patch for Flash just five days later, in the form of updates for Flash Player for Windows, Macintosh, Linux and Chrome OS (see 2016 Resolution: Ditch Flash).

The patched flaw, designated CVE-2016-7855, constituted "a critical vulnerability that could potentially allow an attacker to take control of the affected system," Adobe said.

"Adobe is aware of a report that an exploit for CVE-2016-7855 exists in the wild, and is being used in limited, targeted attacks against users running Windows versions 7, 8.1 and 10," it added.

Patching Flash, however, is one thing. Is it reasonable to give Microsoft just seven days to investigate a flaw in its Windows operating system, which has a much larger code base and base of users?

As Cris Thomas - the security researcher better known as Space Rogue - has noted, this is a repeat of a spat that Google and Microsoft got into for the same reasons in early 2015, when both claimed that their approach best protected users (see Google Reveals More Microsoft Zero Days). "It brings up a debate that has been raging in security circles for over a hundred years starting way back in the 1890s with the release of locksmithing information," Thomas wrote in a blog post at the time.

Embracing the Rollup

The rekindled debate over the speed with which actively exploited flaws get fixed comes as Microsoft has been attempting to move away from issuing individual patches altogether.

Nathan Mercer, a senior product marketing manager for Microsoft, noted in an August blog post that Microsoft had begun testing a "convenience rollup" - defined as "multiple patches rolled together into a single update" - in May for Windows 7 SP1, and decided to extend the concept to other supported operating systems.

That move came to fruition in October, when Microsoft switched to a single download for all security updates, replacing the previous approach of allowing users to just download - and test - patches for specific products. The move affects Windows 7 SP1 and Windows 8.1, as well as Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2.

Microsoft says it no longer ships individual patches, but now only offers a single security update every month that "collects all of the security patches for that month into a single update," Mercer says. "The security-only update will allow enterprises to download as small of an update as possible while still maintaining more secure devices," but will not be available via Windows Update.

That's because Microsoft now plans to release a monthly rollup - for each supported operating system - that includes both updates and security patches, which will be available via Windows Update, amongst other update channels. Mercer says the goal is to make these monthly updates "fully cumulative and you need only to install the latest single rollup to be up to date."

Such rollups have big upsides, not least for ensuring that products get fully patched. But when it comes to fixing critical flaws being actively exploited in the wild, users will still require more focused fixes that get released as quickly as possible.

Original link
