Archive for Homeland Security

New CISA Cybersecurity Performance Goals For critical Infrastructure Announced By DHS

Posted in Commentary on October 27, 2022 by itnerd

This morning, the Department of Homeland Security released the new Cross-Sector Cybersecurity Performance Goals (CPGs) to provide baseline cybersecurity goals that are consistent across all critical infrastructure sectors. The CPGs identify and prioritize the most important cybersecurity practices for critical infrastructure operators and provide an approachable common set of IT and OT cybersecurity protections to improve cybersecurity across our nation’s critical infrastructure. 

The security directives were developed by CISA, in coordination with NIST, following the mandates set out in the Biden administration’s July 2021 national security memorandum to improve cybersecurity for critical infrastructure control systems.

Robert M. Lee, CEO and Co-Founder of Dragos, had this commentary on these security directives:

“CISA has shown their commitment to working alongside the industrial cybersecurity community with the release of the common baseline Cross-Sector Cybersecurity Performance Goals (CPGs). CISA took extensive input and feedback from industry stakeholders and this updated guidance reflects that they were listening closely, providing actionable but not overly prescriptive guidance – exactly the type of support the community has been requesting. It allows asset owners and operators to work towards shared goals while giving them the flexibility and expertise to implement them in ways best suited to their organizations and risks. Most of the CPGs map closely to the critical controls needed for strong OT cybersecurity—namely, having an incident response plan, a defensible architecture, visibility and monitoring, secure remote access, and key vulnerability management. This guidance can help lift industrial cybersecurity standards across the board to better protect our nation’s critical infrastructure. CISA’s continued focus on OT cybersecurity as foundational to national security, and distinct from IT cybersecurity, is an important contribution to the community’s advancement.”

This is the sort of thing that will help to make us all safer and I hope that this is adopted widely so that things like ransomware and other sorts of attacks become less prevalent.

UPDATE: I have a second comment from Yotam Perkal, director of vulnerability research at software security firm Rezilion:

General impression from the document:

I think the direction CISA chose to take with the CPG is very good. I hope that having the document written in an approachable language, easy to digest, and focused on the fundamentals, will help with adoption. The main underbelly in terms of cybersecurity risk is not the mature, modern enterprises with huge security budgets and an abundance of security controls. Rather, it is the long tail of organizations, without mature cyber programs or procedures in place. For these organizations, a resource such as the NIST Cybersecurity Framework might be overwhelming. If these organizations adopt and implement the bare-minimum recommendations in the CPG, it could go a long way in terms of improving the overall security posture across the US. I also like the fact that CISA is promoting discussion around the guidelines and soliciting feedback using the discussion page on GitHub.

Specifically regarding the Vulnerability Management section:

I think the recommendations are valid and are reasonably straightforward to implement. That said, in order to implement some of them (such as “mitigating known vulnerabilities” and “no exploitable services on the internet”) there is a preliminary stage that isn’t mentioned in the guidelines, which is having visibility into your organization’s exploitable attack surface. Assuming that the long tail of less mature organizations have that visibility is a stretch. We have seen evidence of that when we did our Vintage Vulnerabilities research, which found over 4.5 million internet-facing devices that are vulnerable to vulnerabilities discovered between 2010 and 2020 that are known to be actively exploited in the wild (on the CISA known exploited vulnerabilities catalog). Specifically in the critical infrastructure domain, security professionals also have to be aware of the capabilities and limitations of their vulnerability scanning tools. As we have shown in our latest research, both open-source and commercial scanners and SCA tools are prone to a significant amount of false-positive and false-negative results. For example, when scanning OT assets, a vulnerability scanner without the ability to identify vulnerable components within compiled code will have significant blind spots when it comes to the known vulnerabilities it will be able to identify.
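The two gaps raised above, not knowing which findings sit on internet-facing assets that appear in the CISA KEV catalog, and scanners silently missing KEV-listed products they cannot see into, can both be checked from an asset inventory. The following is an added example, not code from the post, Rezilion or CISA: the catalog records are constructed and use the public KEV JSON field names (cveID, vendorProject, product, dueDate), and the CVE ids, hostnames and products are placeholders.

```python
# Added example (not code from the post, Rezilion or CISA). The catalog
# records are constructed; the CVE ids and hostnames are placeholders.
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date

KEV_CATALOG = {  # constructed stand-in for the catalog's "vulnerabilities" array
    "vulnerabilities": [
        {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVendor",
         "product": "Example VPN Gateway", "dueDate": "2022-05-03"},
        {"cveID": "CVE-0000-0002", "vendorProject": "ExampleVendor",
         "product": "Example PLC Firmware", "dueDate": "2022-06-10"},
        {"cveID": "CVE-0000-0003", "vendorProject": "OtherVendor",
         "product": "Example HMI", "dueDate": "2022-11-30"},
    ]
}

@dataclass
class Asset:
    host: str
    vendor: str
    product: str
    internet_facing: bool
    findings: set[str] = field(default_factory=set)  # CVE ids the scanner reported

# Constructed inventory; hostnames and products are illustrative only.
ASSETS = [
    Asset("vpn-edge-01", "ExampleVendor", "Example VPN Gateway", True,
          {"CVE-0000-0001", "CVE-0000-9999"}),
    Asset("plc-line-3", "ExampleVendor", "Example PLC Firmware", False, set()),
    Asset("hmi-ctrl-7", "OtherVendor", "Example HMI", True, {"CVE-0000-0003"}),
    Asset("fileserver", "ExampleVendor", "Example NAS", False, {"CVE-0000-9998"}),
]

def prioritise(assets: list[Asset], catalog: dict, today: date) -> list[tuple]:
    """Rank findings: tier 1 = KEV and internet-facing, 2 = KEV internal,
    3 = non-KEV internet-facing, 4 = everything else (lower = more urgent)."""
    kev = {v["cveID"]: v for v in catalog["vulnerabilities"]}
    rows = []
    for a in assets:
        for cve in sorted(a.findings):
            in_kev = cve in kev
            tier = 1 if in_kev and a.internet_facing else 2 if in_kev \
                else 3 if a.internet_facing else 4
            reason = "KEV" if in_kev else "not in KEV"
            if in_kev and date.fromisoformat(kev[cve]["dueDate"]) < today:
                reason += ", past KEV due date"
            rows.append((tier, a.host, cve, reason))
    return sorted(rows)

def blind_spots(assets: list[Asset], catalog: dict) -> list[tuple[str, list[str]]]:
    """Hosts whose vendor/product is in the catalog but with none of its CVEs
    reported by the scanner: verify by hand (the compiled-code blind spot)."""
    by_product: dict[tuple[str, str], set[str]] = {}
    for v in catalog["vulnerabilities"]:
        key = (v["vendorProject"].lower(), v["product"].lower())
        by_product.setdefault(key, set()).add(v["cveID"])
    gaps = []
    for a in assets:
        missing = by_product.get((a.vendor.lower(), a.product.lower()), set()) - a.findings
        if missing:
            gaps.append((a.host, sorted(missing)))
    return gaps

def run(today_iso: str = "2022-10-27") -> dict:
    today = date.fromisoformat(today_iso)
    return {"priorities": prioritise(ASSETS, KEV_CATALOG, today),
            "blind_spots": blind_spots(ASSETS, KEV_CATALOG)}
```

The PLC host shows up only in the blind-spot list: the scanner reported nothing for it, yet its product has a KEV entry, which is exactly the case that needs a manual check rather than a clean bill of health.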

UPDATE #2: Tyler Reguly, senior manager, security R&D at HelpSystems, says:

“The most important takeaway there is that these goals were selected to address risks to the nation as well as individual entities. This is a big shift from other well-known baseline documents, such as the CIS Benchmarks or the NIST Security Guidance. At the same time, this is not a complete guide, it is a starting point to ensure organizations are all starting on the same footing.”

The Cyber Safety Review Board Releases Their First Report 

Posted in Commentary on July 15, 2022 by itnerd

Last year, President Biden created the Cyber Safety Review Board, with the intention that (akin to the National Transportation Safety Board) the new organization would review cyber incidents, examine root causes and, where necessary, make recommendations. In relation to that, the U.S. Department of Homeland Security (DHS) has released the Cyber Safety Review Board’s (CSRB) first report. It should be considered required reading.

Chris Clymer, Director & CISO, Inversion6, had this to say:

Log4J shined a light on long-standing problems in our software supply chain. IT systems have become incredibly complex, with layers and layers of components put together by layers and layers of integrators and developers. All of which is often compiled and built in ways where it is extremely difficult to know what components are included in a system your business relies upon.

This CSRB report is filled with great recommendations, and helps to reinforce that the Log4J issue has not gone away, and that there are likely numerous similar problems out there still unidentified. CISA has done really great work raising awareness on security the last few years, becoming a singular voice on cybersecurity for the government. So it’s striking that this report says that for all that, CISA should be doing MORE to assess and raise awareness. There’s clearly more improvements to keep making. They also recommend that the CISA guidance be taken from optional to mandatory by state and federal regulators. I’m skeptical that many laws will pass here in our current political environment…and sadly, I agree that short of regulations REQUIRING organizations to do things like maintain a Software Bill of Materials, organizations are unlikely to prioritize investing the significant time and money into these efforts. Many would like to…but the costs to really address these problems will be high. Without regulatory cover, it is difficult to explain to stockholders why you’re making these investments…especially if you’re the first one making that shift.

This is fundamentally a good thing. For too long, cyber incident response has been uncoordinated, with a lack of systematic review at the Federal level. I look forward to seeing future reports as this one is very instructive.

DHS Worries That COVID-19 Masks Are Breaking Facial Recognition Says Leaked Document

Posted in Commentary on July 17, 2020 by itnerd

According to an “intelligence note” found among the BlueLeaks trove of law enforcement documents, the Department of Homeland Security is concerned that masks worn because of COVID-19 are breaking police facial recognition:

The rapid global spread and persistent threat of the coronavirus has presented an obvious roadblock to facial recognition’s similar global expansion. Suddenly everyone is covering their faces. Even in ideal conditions, facial recognition technologies often struggle with accuracy and have a particularly dismal track record when it comes to identifying faces that aren’t white or male. Some municipalities, startled by the civil liberties implications of inaccurate and opaque software in the hands of unaccountable and overly aggressive police, have begun banning facial recognition software outright. But the global pandemic may have inadvertently provided a privacy fix of its own — or for police, a brand new crisis. A Homeland Security intelligence note dated May 22 expresses this law enforcement anxiety, as public health wisdom clashes with the prerogatives of local and federal police who increasingly rely on artificial intelligence tools. 

The bulletin, drafted by the DHS Intelligence Enterprise Counterterrorism Mission Center in conjunction with a variety of other agencies, including Customs and Border Protection and Immigration and Customs Enforcement, “examines the potential impacts that widespread use of protective masks could have on security operations that incorporate face recognition systems — such as video cameras, image processing hardware and software, and image recognition algorithms — to monitor public spaces during the ongoing Covid-19 public health emergency and in the months after the pandemic subsides.” The Minnesota Fusion Center, a post-9/11 intelligence agency that is part of a controversial national network, distributed the notice on May 26, as protests were forming over the killing of George Floyd. In the weeks that followed, the center actively monitored the protests and pushed the narrative that law enforcement was under attack. Email logs included in the BlueLeaks archive show that the note was also sent to city and state government officials and private security officers in Colorado and, inexplicably, to a hospital and a community college.

Given the fact that the US is number one when it comes to COVID-19 infections, you would think that the health of the nation would matter more than using facial recognition. But I guess not.

Facial recognition is racially biased, and it doesn’t work to actually catch the bad guys. But it seems to me that law enforcement is laser-focused on trying to make it a tool that works despite evidence to the contrary. That alone doesn’t seem to be a viable strategy to me. But add on top of this the fact that masks have become an issue, and I have to shake my head.

DHS Buys A 757 To Figure Out How Pwnable Aircraft Can Be

Posted in Commentary on November 15, 2017 by itnerd

This story doesn’t exactly sit well with me seeing as later this week I will be hopping on a 787 Dreamliner to fly to India for a week. But I’ll put that aside for a moment. Apparently the folks at DHS wanted to find out what kind of threat a hacker could pose to an aircraft. Could they pwn it and cause havoc to the flying public? To find out, they purchased a 757 and went to town on it. Here’s what happened next:

A team of government, industry and academic officials successfully demonstrated that a commercial aircraft could be remotely hacked in a non-laboratory setting last year, a DHS official said Wednesday at the 2017 CyberSat Summit in Tysons Corner, Virginia. “We got the airplane on Sept. 19, 2016. Two days later, I was successful in accomplishing a remote, non-cooperative, penetration. [Which] means I didn’t have anybody touching the airplane, I didn’t have an insider threat. I stood off using typical stuff that could get through security and we were able to establish a presence on the systems of the aircraft.” Hickey said the details of the hack and the work his team are doing are classified, but said they accessed the aircraft’s systems through radio frequency communications, adding that, based on the RF configuration of most aircraft, “you can come to grips pretty quickly where we went” on the aircraft. Patching avionics subsystems on every aircraft when a vulnerability is discovered is cost prohibitive, Hickey said. The cost to change one line of code on a piece of avionics equipment is $1 million, and it takes a year to implement. For Southwest Airlines, whose fleet is based on Boeing’s 737, it would “bankrupt” them. Hickey said newer models of 737s and other aircraft, like Boeing’s 787 and the Airbus Group A350, have been designed with security in mind, but that legacy aircraft, which make up more than 90% of the commercial planes in the sky, don’t have these protections.

So while I likely don’t have anything to worry about, a lot of people quite clearly do. Now that this is public, it will be interesting to see how airlines that run this older equipment, along with companies like Airbus and Boeing, deal with this. Because you can be sure that the bad guys will be looking at this too now that they know that this is possible.

Breaking: DHS Employees Locked Out Of Their Networks

Posted in Commentary on February 21, 2017 by itnerd

It’s not clear what’s going on, but news is filtering out that employees of the Department Of Homeland Security are locked out of some of the agency’s networks because their Personal Identity Verification cards are apparently not working:

Employees began experiencing problems logging into networks at 5 a.m. ET on Tuesday due to a problem related to the personal identity verification (PIV) cards used by federal workers and contractors to access certain information systems, one source said. At least four DHS buildings were affected, the source said, including locations used by U.S. Citizenship and Immigration Services.

Another source said the cards did not appear to be responsible. DHS did not immediately respond to requests for comment.

This could be a widespread technical issue, or something more sinister. It isn’t clear which at this point. But this is a story worth watching. As I get more info, I’ll post it here.

UPDATE: The Reuters story that I quoted has been updated with this:

In a statement, a DHS official confirmed a network outage that temporarily affected four U.S. Citizenship and Immigration Services (USCIS) facilities in the Washington area due to an “expired DHS certificate.”

Reuters first reported the incident earlier Tuesday, which a source familiar with the matter said also affected a USCIS facility in Philadelphia.

And this:

The source characterized the issue as one stemming from relatively benign information technology missteps and a failure to ensure network redundancy. There was no evidence of foul play, the source said, adding that it appeared the domain controller credentials had expired on Monday when offices were closed for the federal Presidents Day holiday.

“We are working to track all device certificate issuance and expirations to ensure future lapses of service do not occur,” the DHS official said in the statement.
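The failure mode in this story, a certificate expiring on a holiday when nobody was in the office to notice, is exactly what an expiry sweep should call out ahead of time. The following is an added example, not DHS’s or Reuters’ code: the certificate inventory and hostnames are constructed, and only weekends and Presidents Day are modelled as non-business days (a real calendar has more).

```python
# Added example (not DHS or Reuters code): sweep a constructed certificate
# inventory for expiries, and flag ones that land on a weekend or holiday.
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass
class Cert:
    subject: str
    role: str          # e.g. "domain controller", "PIV issuing CA"
    not_after: date    # certificate notAfter, as a calendar date

def presidents_day(year: int) -> date:
    """Third Monday of February (US federal holiday)."""
    first = date(year, 2, 1)
    offset = (7 - first.weekday()) % 7   # days from Feb 1 to the first Monday
    return first + timedelta(days=offset + 14)

def is_business_day(d: date) -> bool:
    # Simplified calendar: weekends plus Presidents Day only.
    return d.weekday() < 5 and d != presidents_day(d.year)

def last_business_day_before(d: date) -> date:
    d -= timedelta(days=1)
    while not is_business_day(d):
        d -= timedelta(days=1)
    return d

def sweep(certs: list, today: date, lead_days: int = 30) -> list:
    """Return (subject, status, renew_by) for certs already expired or expiring
    within lead_days, ordered by renew_by (the last business day before expiry).
    status: 'expired', 'expiring', or 'expires-on-non-business-day'."""
    alerts = []
    for c in certs:
        days_left = (c.not_after - today).days
        if days_left < 0:
            status = "expired"
        elif days_left <= lead_days:
            status = ("expiring" if is_business_day(c.not_after)
                      else "expires-on-non-business-day")
        else:
            continue   # outside the lead window; nothing to report yet
        alerts.append((c.subject, status, last_business_day_before(c.not_after).isoformat()))
    return sorted(alerts, key=lambda a: a[2])

# Constructed inventory: dates chosen so one expiry falls on Presidents Day 2017.
INVENTORY = [
    Cert("dc01.example.internal", "domain controller", date(2017, 2, 20)),
    Cert("piv-ca.example.internal", "PIV issuing CA", date(2017, 6, 30)),
    Cert("vpn.example.internal", "VPN gateway", date(2017, 2, 8)),
    Cert("web.example.internal", "intranet web", date(2017, 3, 1)),
]

def run(today_iso: str = "2017-02-10") -> list:
    return sweep(INVENTORY, date.fromisoformat(today_iso))

if __name__ == "__main__":
    for subject, status, renew_by in run():
        print(f"{renew_by}  {status:28s} {subject}")
```

Run ten days before the holiday, the sweep reports the domain controller certificate as expiring on a non-business day with a renew-by date of the preceding Friday, while the VPN certificate is already past due.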

US Customs Could Want Your Twitter Handle When You Enter The US

Posted in Commentary on August 24, 2016 by itnerd

The next time that you go to the US, you may have to hand over your Twitter handle as well as your passport if US Customs & Border Protection gets their way. The agency has proposed asking people to provide details of their social media accounts, such as Twitter, Facebook, Instagram or whatever else, before entering the United States. This of course is causing people to freak out. A coalition of 28 groups, including the American Civil Liberties Union, Center for Democracy & Technology, Consumer Federation of America, and Electronic Frontier Foundation, has sent a joint letter on the last day of the Department of Homeland Security’s public comment period to say that the proposal is a #fail on the grounds that this is beyond invasive and should be scrapped. Now DHS argues that this is required because they would be able to spot those who would do harm to the US based on what is in their social media accounts.

I have to ask the question. Is a terrorist really going to tip their hand on Twitter that they’re going to do something in the US? Is something like that really easy to find via an algorithm or with a bunch of humans scanning various social media sites? Plus keep in mind that Twitter for example has been actively suspending the accounts of people they consider to be terrorists. So I have to wonder how effective this will be. Maybe DHS has some master plan that would make this effective? I don’t know. What I do know is that on the surface, this doesn’t seem to be a great idea, or a great use of taxpayer money. But in the interest of being able to enter the US, you might want to keep your social media accounts as clean as possible.

DHS S&T Announces New Interactive Year In Review

Posted in Commentary on May 14, 2016 by itnerd

Deputy Under Secretary for Science and Technology Dr. Robert Griffin announced the launch of a new take on the Science and Technology Directorate’s (S&T) annual Year in Review at the Internet of Things (IoT) World Forum in Santa Clara, California. The interactive, web-based report provides a guided tour of S&T’s successes and developments in 2015.

S&T’s Year in Review includes highlights from 37 of S&T’s projects that represent the directorate’s progression toward meeting long-term visionary goals. The review includes an introduction on programs and initiatives and further discusses how S&T meets its mission and fits into the larger mission of the department.

A video by Under Secretary for Science and Technology Reginald Brothers opens the review with an overview of what sets S&T apart from other research and development organizations, how the department is facing shifts in research and development funding, and where the directorate is going in the future with its visionary goals.

S&T’s Year in Review breaks down the directorate’s research and development efforts and the measurable differences it has brought to the homeland security landscape with animations and graphic features as aids. From the FINDER technology that saved four lives in Nepal to the improved structural firefighter gloves that keep firefighters safe from punctures and burns—S&T tells its story of addressing problems from the global to the community level.

With this review, S&T shows the directorate’s commitment to effective communication, which was highlighted in the S&T Strategic Plan published in 2015. This review is one of the many vehicles through which S&T has worked to inform, educate, and even captivate its audience in new and inventive ways.

Going To The US? Keep Your Devices Charged Up For Inspection Purposes!

Posted in Commentary on July 7, 2014 by itnerd

If you’re travelling to the US anytime soon, you’ll need to ensure that your laptop, as well as your tablet and phones, are fully charged up so that the TSA can inspect them at airport checkpoints. If they can’t turn a device on, the device will get confiscated. This was documented in an announcement from the TSA that was posted last night:

As the traveling public knows, all electronic devices are screened by security officers. During the security examination, officers may also ask that owners power up some devices, including cell phones. Powerless devices will not be permitted onboard the aircraft. The traveler may also undergo additional screening.

This is in response to credible threats that a bomb could be disguised as a cell phone or laptop and brought onto a plane. So make sure that you have your devices fully charged BEFORE you hit the airport.

US Court Limits Laptop Searches

Posted in Commentary on March 10, 2013 by itnerd

I’ve written about the fact that US Customs And Border Protection has a habit of searching laptops of travellers. That might be changing thanks to a court decision that came down on Friday:

The Ninth Circuit Court of Appeals ruled that Homeland Security’s border agents must have “reasonable suspicion” before they can legally conduct a forensics examination of laptops, mobile phones, camera memory cards, and so on.

Today’s opinion (PDF) is a limited — but hardly complete — rejection of the Obama administration’s claim that any American entering the country may have his or her electronic files minutely examined for evidence of criminal activity. Homeland Security has said the electronic border searches could detect terrorists, drug smugglers, and people violating “copyright or trademark laws.”

It’s only a limited rejection because certain warrantless searches at the border remain permissible: The judges said that “a quick look” or “unintrusive search” of a laptop, such as asking its owner to turn it on and peruse open windows, is perfectly OK. In addition, the court indicated that previous criminal history qualifies as “reasonable suspicion” that justifies a complete forensics analysis.

This will not stop warrantless searches. But perhaps it may reduce them because you have to wonder about the need to just search anyone they come across in an airport or at a border crossing. Personally, I’m not a fan of this and I am not convinced that any country that does this is making that country any safer.

I Have Sent Java To The Trash On My Mac

Posted in Commentary on January 21, 2013 by itnerd

After all of the security issues with Java, including the most recent one which had an out-of-cycle fix due to the fact that it was very dangerous, I became really wary of having it on my system. That was until I read this:

“This and previous Java vulnerabilities have been widely targeted by attackers, and new Java vulnerabilities are likely to be discovered,” DHS said in an updated alert published on the CERT Web site. “To defend against this and future Java vulnerabilities, consider disabling Java in Web browsers until adequate updates are available.”

Even though I am in Canada, I still pay attention to what DHS has to say. That spooked me into removing it from my system entirely. Now if you’re on a Mac like I am, here are instructions for you which are very simple to run. For PC users, here are instructions for you to work from which are equally easy.

If you ask me, unless you need to run Java, I would say that you should get rid of it. You’ll be safer without it.