Air Force DCIO: Modernizing is ‘Biggest Thing’ to Improve Cybersecurity

Source: www.meritalk.com.

Many Federal agencies are looking to use AI as a key cybersecurity tool, but before agencies get too far ahead of themselves, U.S. Air Force Deputy Chief Information Officer (DCIO) Winston Beauchamp said on Tuesday that the number one thing agencies can do to improve their cybersecurity posture is to modernize their IT architecture.

“I continue to say that the single biggest thing we can do to improve our cybersecurity is modernize our architecture, get rid of our tech debt,” Beauchamp said at the Google Public Sector Summit, presented by Scoop News Group, on Oct. 17. “Because our decrepit, older systems that are out of service by the vendors that built them can’t provide the cybersecurity that we need to survive in today’s environment.”

The deputy CIO said that cybersecurity and AI have something in common, which is that they are both “strapped on after the fact” to legacy systems. This means that cybersecurity and AI capabilities are “really limited” by their infrastructure and the data they have access to, he explained.

However, Beauchamp said that “another thing that they both have in common is that both cybersecurity and artificial intelligence are baked in.” According to Beauchamp, these capabilities are baked into the tools, infrastructure, and basic internet appliances that we use to modernize our networks.

For this reason, he said that “modernizing is number one,” when it comes to improving agencies’ cybersecurity.

“When you modernize, you bring in capabilities that for cybersecurity and artificial intelligence that are baked in, they’re inherent to what you’re delivering,” Beauchamp said. “So, we’re very optimistic about what that future brings.”

“And then the nice thing about it is from an infrastructure perspective, we don’t have to think about designing it. It comes out of the box,” he added. “We’ll tailor it, and we’ll customize it for the mission.”

Nevertheless, Beauchamp said that AI also needs to be on the list of cybersecurity to-dos in order to keep up with our adversaries, who are using AI to tailor their attacks to “basically work around our signature management approach.”

“They can do so at speed faster than we can update our signatures, so we have to run faster,” he said. “And that means using AI to try a different approach other than signature management … I think there’s going to be a ‘guns versus armor’ back and forth for some time on AI’s use in cybersecurity, and we just have to be better and faster than our adversaries.”

CISA Releases New Identity and Access Management Guidance

Source: www.securityweek.com.

The US Cybersecurity and Infrastructure Security Agency (CISA) has released new guidance on how federal agencies can integrate identity and access management (IDAM) capabilities into their identity, credential, and access management (ICAM) architectures.

The new document (PDF) was released as part of CISA’s Continuous Diagnostics and Mitigation (CDM) program, which provides information security continuous monitoring (ISCM) capabilities to help federal agencies improve the security of their networks.

“There is no singular, authoritative, recognized way to architect an ICAM capability across an enterprise, which results in many U.S. government agencies approaching this from different directions with different priorities. Compounding this issue, agency Identity Management maturities vary, especially those related to tool expertise and ICAM-related policies, which may complicate the ongoing CDM integration efforts and lead to incomplete or ineffective ICAM deployments,” CISA notes.

To address this issue, CISA’s new guidance clarifies the CDM program’s IDAM scope, CDM IDAM capabilities, and federal agencies’ ICAM practice areas, and provides a CDM ICAM reference architecture that can be used to deploy a robust and effective ICAM capability with CDM functionality, the agency explains.

CDM IDAM capabilities, CISA notes, include sub-capabilities for privileged access management (PAM), identity lifecycle management (ILM), and mobile identity management (MIM). Non-person entities (NPE) and other non-PKI authenticators are also included, under manage credentials and authentication (CRED).

PAM covers the management of privileged human and non-person entities and includes tools for enforcing strong authentication; ILM covers the lifecycle management of user identities and their associated privileges; MIM covers securing the use of mobile devices.

The CDM ICAM reference architecture also includes federation services (additional service endpoints, the identity provider, and the service provider) and is meant to help agencies enable Zero Trust Architecture (ZTA).

The new guidance also details a notional CDM ICAM physical architecture, provides an overview of challenges that CDM ICAM faces, describes how ICAM use cases are implemented in ICAM services and components, and provides a series of recommendations for federal agencies to advance the development of the Identity Pillar of a ZTA.

Federal agencies are encouraged to review CISA’s new guidance and use it for implementing ICAM capabilities.

Can Federal Agencies Meet the 2024 Zero Trust Deadline?

Source: www.federalnewsnetwork.com.

In the realm of federal cybersecurity, change is both inevitable and necessary. The urgency of President Biden’s 2021 Executive Order to implement a zero trust architecture by September 2024 has set the stage for a pivotal transformation. Yet, as the deadline draws near, it’s apparent that while the directive’s intent is clear, the path to its realization is fraught with complexity and challenges.

The zero trust paradigm is a response to escalating threats faced by our nation’s digital infrastructure. However, translating this strategic vision into tangible operational realities is proving to be a formidable challenge. While agency directors and IT leaders alike are championing the cause, the reality is that those responsible for building and maintaining these systems are wrestling with difficult, multifaceted issues and progress is moving slower than anticipated.

That raises an important question: Is the September 2024 deadline still feasible?

In theory, the time frame appears adequate. Yet, it’s crucial to acknowledge the intricate dynamics that arise when integrating a zero trust framework into pre-existing federal IT systems. Federal agencies often operate on a massive scale and their networks have evolved over time, resulting in layers of legacy architecture and technical debt. As these agencies seek to transition to a zero trust architecture, they are confronted with the monumental task of reconfiguring their digital foundations while simultaneously ensuring seamless operations.

Data governance is another central challenge that demands attention. Federal agencies handle an extraordinary volume of sensitive information and establishing a comprehensive data governance framework is paramount. The zero trust model necessitates granular visibility into data flows, user behaviors and system interactions. Achieving this level of visibility requires not only the implementation of sophisticated tools but also a cultural shift in how data is managed and accessed.

The journey to zero trust is further impeded by operational hurdles that are characteristic of large-scale enterprises. The federal landscape encompasses a diverse array of systems, applications and endpoints, all of which need to be evaluated and aligned with the zero trust framework. Legacy systems may lack native support for the security measures mandated by zero trust, requiring complex workarounds or even complete overhauls.

Despite these challenges, it is still possible to meet the 2024 deadline. Here are some best practices that agencies can use to help their teams accelerate the path to zero trust:

  • Secure leadership’s commitment. While senior agency leadership is usually aware of zero trust’s importance, they may not always understand the breadth and depth of IT capabilities required to implement it. That’s why agency leaders must take ownership of assessing and prioritizing the investments required to address IT and security gaps.
  • Get identity management right. While zero trust depends on executing prescribed security practices on multiple dimensions, agency leaders must ensure IT departments have the necessary resources to focus on user identity and access management. Identity is applied to networking, devices, data access, workloads and automation. As a result, getting identity right is foundational to the rest of the zero trust pillars.
  • Modernize data governance. A strong data governance strategy is at the heart of zero trust. Now is the time to invest in data classification, encryption and access controls, while ensuring that data handling policies are well-communicated and consistently enforced.
  • Embrace incremental progress. Achieving zero trust won’t happen overnight. Federal agencies should adopt an incremental approach, focusing on securing critical assets and expanding the scope. This allows for measured implementation, minimizes disruptions, and ensures that security improvements are continuous.
  • Prioritize training and education throughout the entire agency. Zero trust isn’t just a journey for security teams. It’s a journey for an entire federal agency and its implementation affects everyone. That’s why leaders must recognize the importance of allocating resources for training and education throughout the entire agency.

The journey to zero trust is undoubtedly complex, but with the right strategies in place it’s one that federal agencies can navigate successfully. While the September 2024 deadline remains a challenge, it can serve as a catalyst for lasting cybersecurity resilience. By acknowledging the unique intricacies of federal agencies and their respective systems, understanding the challenges they face, and implementing thoughtful solutions, agencies can meet the 2024 zero trust deadline and pave the way toward a more secure digital future.

U.S. Government Issues Stark Warning, Calling Firmware Security a ‘Single Point of Failure’

Source: www.securityweek.com.

The U.S. government, at the very highest levels, is calling attention to major weaknesses in the firmware supply chain, warning that the layer below the operating system is fertile ground for devastating hacker attacks.

A new joint draft report issued by leadership of the U.S. Department of Homeland Security (DHS) and Department of Commerce said firmware presented “a large and ever-expanding attack surface” for malicious hackers to subvert the core of modern computing.

“Securing the firmware layer is often overlooked, but it is a single point of failure in devices and is one of the stealthiest methods in which an attacker can compromise devices at scale.”

“Attackers can subvert OS and hypervisor visibility and bypass most security systems, hide, and persist in networks and devices for extended periods of time while conducting attack operations, and inflict irrevocable damage,” the two agencies said following a one-year assessment of the supply chains for critical IT infrastructure deployed in the United States.

“Firmware can also be a lucrative target with a relatively low cost of attack. Over the past few years, hackers have increasingly targeted firmware to launch devastating attacks.”

The 96-page report (PDF), published to support the Biden Executive Order on securing America’s supply chains, warned that firmware’s privileged position in the computing stack gives stealthy attackers a major advantage.

Despite its essential role in electronic devices, the agencies insisted that firmware security “has not traditionally been a high priority for manufacturers or users and is not always well protected.”

During the assessment, the agencies found that firmware on items such as network cards, Wi-Fi adapters, and USB hubs is often not properly signed with public or private keys.

“These devices have no way to verify that the operating firmware is authentic and can be trusted.”
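To make the missing check concrete, here is an added example (not code from the report, SecurityWeek, or any vendor) of what a device-side firmware authenticity check provides: the image carries an ed25519 signature over its header and payload digest, the device verifies it against a pinned vendor public key before flashing, and unsigned, tampered, or wrong-key images are rejected. The image layout, the `FWIM` magic, and the key handling are assumptions made for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Assumed image layout for this example (not any real vendor format):
// [4-byte magic "FWIM"][4-byte big-endian version][64-byte ed25519 signature][payload]
// The signature covers the magic, the version and the SHA-256 of the payload,
// so neither the payload nor the version can be altered without detection.
const hdrLen = 4 + 4 + ed25519.SignatureSize

var magic = []byte("FWIM")

func u32(v uint32) []byte { b := make([]byte, 4); binary.BigEndian.PutUint32(b, v); return b }

// signedMessage is the exact byte string both sides sign/verify.
func signedMessage(version uint32, payload []byte) []byte {
	digest := sha256.Sum256(payload)
	return append(append(append([]byte{}, magic...), u32(version)...), digest[:]...)
}

// BuildImage is the vendor-side step: only the holder of the private key can produce it.
func BuildImage(priv ed25519.PrivateKey, version uint32, payload []byte) []byte {
	sig := ed25519.Sign(priv, signedMessage(version, payload))
	img := append(append(append([]byte{}, magic...), u32(version)...), sig...)
	return append(img, payload...)
}

// VerifyImage is the device-side step: a pinned vendor public key decides whether
// the payload may be flashed. It returns the verified version on success.
func VerifyImage(pub ed25519.PublicKey, img []byte) (uint32, error) {
	if len(img) < hdrLen || string(img[:4]) != string(magic) {
		return 0, errors.New("not a firmware image or header truncated")
	}
	version := binary.BigEndian.Uint32(img[4:8])
	if !ed25519.Verify(pub, signedMessage(version, img[hdrLen:]), img[8:hdrLen]) {
		return 0, errors.New("signature invalid: image unsigned, tampered, or signed by another key")
	}
	return version, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed demo key pair
	img := BuildImage(priv, 7, []byte("constructed sample firmware payload"))
	fmt.Println(VerifyImage(pub, img)) // accepted: version 7, nil
	img[len(img)-1] ^= 0x01            // flip one payload byte
	fmt.Println(VerifyImage(pub, img)) // rejected: signature invalid
}
```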

Even worse, the agencies called special attention to the fact that OEMs and computer makers outsource firmware development to third-party suppliers. “[This] introduces risks related to the lack of transparency into suppliers’ programming and cybersecurity standards.”

The government’s warning comes as threat hunters spot signs that nation-state APT actors are using UEFI firmware implants to maintain stealthy infections and survive reboots and OS reinstallations. The notorious FinSpy surveillance spyware toolkit was also fitted with a bootkit to conduct stealthy infections.

In the report, the agencies also warned of “complex supply chains” that compound the problems securing firmware deployments.

“In PC production, for example, the OEMs are typically responsible for firmware and the rest of the PC platform elements. However, many OEMs outsource firmware development to third-party suppliers where OEMs may not have visibility into their cybersecurity hygiene. Even if OEMs establish security standards, they may not be able to enforce supplier security protocols across a wide range of components and sub-suppliers,” the government agencies warned.

The report also noted that individual OEM vendors may modify the firmware based on device needs once the firmware has been delivered to the OEM. “This can lead to confusion about what party is ultimately responsible for firmware integrity and who is to supply customer updates.”

“In addition, as devices and firmware change, OEMs often contract with different firmware developers, which can lead to delays or a lack of any update when older devices require updating and the original developer is not available. All of these factors can leave firmware open to malicious attacks,” the report said.

The agencies also called attention to the pain-point of applying firmware updates. “A firmware’s update process and capability vary by device. Some devices receive regular firmware updates. Some may only receive one update over their lifetimes, while others may never receive an update.”

Even worse, the process to install firmware updates is not simple, leading to skipped patches for critical-level vulnerabilities.

“Firmware updates present a major logistical challenge for many enterprises,” the agencies said. “In many instances, device firmware is never updated or may only be updated in an emergency. In addition, vendors may only supply firmware updates if driven by an incident or identified vulnerability.”