Tagged: services


Indiana awaits Homeland Security election risk assessment review as primaries heat up

INDIANAPOLIS — With the midterm congressional primaries about to go into full swing, the Department of Homeland Security has completed security reviews of election systems in only about half the states that have requested them so far.

The government’s slow pace in conducting the reviews has raised concerns that the nation’s voting systems could be vulnerable to hacking, especially after U.S. intelligence agencies warned that Russia plans to continue meddling in the country’s elections.

Among those still waiting for Homeland Security to conduct a risk assessment is Indiana, one of four states with primaries on Tuesday. Its ballot includes several hotly contested races, including a Republican primary for U.S. Senate.

Indiana Secretary of State Connie Lawson said she is confident state officials have done what they can to safeguard Tuesday’s voting, but acknowledged: “I’ll probably be chewing my fingernails during the entire day on Election Day.”

Like other states, Indiana used a private vendor to conduct a risk assessment and is one of 33 states and 32 local election offices that are receiving remote cyber scanning services from Homeland Security to identify vulnerabilities in their networks.

The concerns aren’t just theoretical.

The nation’s intelligence chiefs warned earlier this year that Russia remains interested in disrupting U.S. elections after a multipronged effort to interfere two years ago. That included attempts to hack into the election systems of 21 states.

Election officials in nine of those states said they were still waiting for a DHS risk assessment, according to a nationwide AP survey.

There is no indication Russian hackers succeeded in manipulating any votes, but U.S. security agencies say they did manage to breach the voter rolls in Illinois. That state and Texas are the only two to hold statewide primaries so far this year, and neither reported any intrusions into their election systems.

But a local election in Tennessee last week highlights the concern: Knox County has hired a cybersecurity firm to investigate why a website that reports election results crashed after the polls closed.

The county’s technology director said some of the unusually heavy traffic came from overseas servers. DHS spokesman Scott McConnell said there is no indication so far that the outage was caused by a “malicious actor.”

Homeland Security designated elections systems critical infrastructure just months after the 2016 presidential election, adding them to a list that includes chemical plants, dams and nuclear reactors.

The department said it has completed risk assessments of election systems in just nine of the 17 states that have formally requested them so far. It has pledged to finish them by November for every state that asks, but the reviews are not likely to be done in time for some state primaries, many of which are in May and June.

The number of states is likely to grow. At least 28 said they want Homeland Security to conduct the risk assessments, according to a 50-state survey of state election officials by The Associated Press.

The security reviews are designed to identify any weaknesses that could be exploited by hackers; such examinations are routinely conducted in the private sector. They are just one tool, although an important one, in ensuring a computer network has a robust defense.

Homeland Security officials attribute the backlog to increased demand for such reviews since the 2016 election and say they are devoting more money and shifting resources to reduce wait times. The reviews typically take two weeks each.

“Elections remain a top priority,” said Matt Masterson, the department’s senior adviser for cybersecurity.

Some states prefer to do the security checks on their own, with some, such as New Hampshire, expressing concern about federal overreach in a country where elections are run by state and local governments.

Cybersecurity experts say that as long as the process is robust, it should not matter who conducts the risk assessments.

“You could do this right in a number of different ways,” said Mike Garcia, lead author of a handbook for state and local election officials released recently by the nonprofit Center for Internet Security. “What matters is that you are doing it right.”

The delays have caught the attention of Congress, including the Senate Intelligence Committee, which recommended in March that Homeland Security expand capacity to reduce wait times.

“DHS and the FBI have made great strides, but they must do more,” committee chairman Sen. Richard Burr, a North Carolina Republican, said at the time.

Of the other states holding primaries on Tuesday, the traditional battlegrounds of North Carolina and Ohio said they had received on-site reviews by Homeland Security. Election officials in the fourth state, West Virginia, told the AP they have yet to request a federal risk assessment but plan to do so before the November election. They asked the National Guard to help monitor the state’s election networks on Tuesday.

Other states that told the AP they had received the DHS reviews are Colorado, Maryland, Nebraska, New Mexico and Oregon.

Two of the states targeted in 2016 — Alabama and Oklahoma — have yet to request a DHS security review.

Alabama Secretary of State John H. Merrill said the state could still decide to make the request before the election.

“We are trying to be as prepared as we can possibly be with our existing partners,” Merrill said. “We want to keep every option open that we have.”




Myanmar military assures UN of 'harsh' action on sexual assault

MAUNGDAW, Myanmar (Reuters) – Myanmar’s military has assured the United Nations of “harsh” action against perpetrators of sexual violence, state media reported on Tuesday, as U.N. envoys traveled to Rakhine State where the military conducted a widely criticized crackdown.

Rohingya refugees are reflected in rain water along an embankment next to paddy fields after fleeing from Myanmar into Palang Khali, near Cox’s Bazar, Bangladesh November 2, 2017. REUTERS/Hannah McKay

U.N. and rights groups say nearly 700,000 Rohingya Muslims fled to Bangladesh after a military crackdown launched in Rakhine State in August that the United Nations denounced as “a textbook example of ethnic cleansing”.

Many of the arriving refugees recounted incidents of killings, arson and rape but Myanmar largely rejected those reports as well as the accusation of ethnic cleansing.

The government said its forces were engaged in a legitimate security campaign in response to a string of Rohingya insurgent attacks on the security forces.

“Sexual violence (is) considered as despicable acts,” the state-run Global New Light of Myanmar newspaper cited military Commander-in-Chief Min Aung Hlaing as telling the envoys.

The military was “taking harsh and stronger actions against such offenders”, he said.

The U.N. Security Council envoys traveled by Myanmar military helicopters to northern Rakhine on Tuesday, the final day of their four-day visit to the region, flying over burned and bulldozed villages visible from the air.

The envoys arrived in Myanmar on Monday after visiting refugee camps on the Bangladesh side of the border and government leaders in Dhaka.

In Myanmar, they met separately with government leader Aung San Suu Kyi and Min Aung Hlaing.

British U.N. Ambassador Karen Pierce told Reuters that during Monday’s meeting Min Aung Hlaing was “very forthcoming” on the issue of sexual assaults in Rakhine, adding that the military chief said such offences were “not tolerated”.

Nobel Peace Prize laureate Suu Kyi, in her nearly hour-long meeting with the envoys, pledged to investigate any credible accusations of abuse, said diplomats who attended.

Suu Kyi noted Myanmar’s difficulties in transitioning to rule of law after decades of military dictatorship, said the diplomats, speaking on condition of anonymity.

“She said what had happened or what was alleged to have happened to some of the Rohingya villagers was not acceptable and that if evidence were available it should be reported to the Burmese authorities and they would investigate,” said Pierce.

“What we’ve got to do on the council is think how best to turn that into something operational so that the evidence gets collected and given either to the Burmese authorities or to some sort of international mechanism,” she said.

Suu Kyi’s civilian government has no control over the military. Government spokesman Zaw Htay did not respond to requests for comment.

Buddhist-majority Myanmar has for years denied the Rohingya citizenship, freedom of movement and access to basic services such as healthcare. Many in Myanmar regard the Rohingya as illegal immigrants from mostly Muslim Bangladesh.

When asked if the council could help ensure evidence of crimes such as rape is collected, Russia’s deputy U.N. ambassador Dmitry Polyanskiy said: “I don’t think this is a council matter, frankly speaking. There are a lot of agencies apart from the Security Council.”

‘COOPERATION NEEDED’

In northern Rakhine, the council envoys were shown a reception center Myanmar has built for repatriating Rohingya, aiming to accept a total of 150 people a day, and a transit camp that can house 30,000 returnees.

The envoys passed two bulldozed villages near the camp. They were also shown a rebuilt village.

The Security Council asked Myanmar in November to ensure no “further excessive use of military force” and to allow “freedom of movement, equal access to basic services, and equal access to full citizenship for all”.

On Monday, the council envoys met Bangladesh Prime Minister Sheikh Hasina, who asked them to press Myanmar to take back “their citizens”.

Hasina said the refugees should return “under U.N. supervision where security and safety should be ensured”.

Myanmar and Bangladesh agreed in January to complete the voluntary repatriation of the refugees within two years but differences between the two sides remain and implementation of the plan has been slow.

Suu Kyi’s office also said in a statement that cooperation was needed from Bangladesh on the repatriation of refugees.

Reporting by Michelle Nichols and Yimou Lee in YANGON; Editing by Robert Birsel and Darren Schuettler


Senators lobby to bring new armored brigade team to Texas …

U.S. Senators Ted Cruz and John Cornyn sent a letter Monday to Secretary of the Army Mark Esper requesting the Army relocate a newly-designated armored brigade combat team to either Fort Hood or Fort Bliss.

The Army’s 2nd Brigade, 4th Infantry Division, currently located at Fort Carson, Colorado, is in the process of conversion from an infantry brigade combat team to an armored brigade combat team. The two Texas Army installations already have the training ranges necessary to prepare an armored brigade combat team for deployment.

“We write regarding the conversion of the Army’s 2nd Brigade, 4th Infantry Division from an infantry brigade combat team to an armored brigade combat team,” the senators wrote. “As this conversion occurs, we also write to express our strong support for the relocation of the 2nd Brigade from Fort Carson, Colorado to one of Texas’s premier armor installations. The conversion of an infantry brigade combat team to an armored brigade combat team is a daunting task. Nevertheless, as you look across the Army, Fort Hood and Fort Bliss stand out as hosts for a unit of this size and composition.”

Both installations are equipped with the infrastructure necessary to support the rapid deployment and redeployment of armored brigades, the letter stated. Fort Hood and Fort Bliss both have rail access, airfields capable of handling any size aircraft needed for rapid air transportation of personnel and equipment and the capacity to host an additional brigade.

The letter also touted the “superb quality of life including affordable housing, military friendly communities, recreational activities, and easy access to services” for family members. “Over the years, our installations and the surrounding communities have worked together to identify and provide the best available resources for soldiers and their families assigned to the region.”


Secretary of Homeland Security visits San Diego

SAN DIEGO (NEWS 8) — A day before the President tours the border[1], a top member of his cabinet was in San Diego on Monday.

Secretary of Homeland Security Kirstjen Nielsen spent the morning at the U.S. Coast Guard base.

It was Nielsen’s first visit to San Diego as Homeland Security Secretary. Not only did she speak to members of the Coast Guard, but she also went out on the water with them to see how they track down and stop illegal activity.

News 8 followed behind Nielsen as she got a first-hand look at the Coast Guard’s maritime security response team – one of just two specialized units in the United States.

Known as the MSRT, the team responds to cases involving drug smuggling and illegal immigration, which may be the main reason behind the secretary’s last-minute visit.

It coincides with President Trump’s planned tour of the border wall prototypes on Tuesday.

Prior to being on the water, Nielsen was on board a helicopter taking a look at the prototypes herself.

Following her aerial tour, Nielsen addressed hundreds of coast guard members saying her first priority as Homeland Security Secretary is border security.

“True border security involves a wall system, which of course includes the physical infrastructure, but also mission-ready agents, patrol roads, sensor technology and support resources,” Nielsen said.

Nielsen told the crowd she is also focused on countering terrorism, preparing for natural disasters and combating cyber threats.

“A cyber-attack could in fact, today, have catastrophic effects on public health, safety, national security and our democracy,” Nielsen said.

She reiterated the importance of working together – that includes reaching across the aisle when it comes to immigration reform.

“That’s why we’re committed to working with Congress on both sides of the aisle,” said Nielsen. “This should not be a political issue to find legislative solutions to existing laws that are incompatible with public safety.”

The secretary spent the rest of her day meeting with citizenship and immigration services staff. On Tuesday, she will accompany President Trump as he tours the border wall prototypes.


Homeland Security's IT security continues to fall short

The Office of Inspector General (OIG) has released its “Evaluation of DHS’ Information Security Program for Fiscal Year 2017”[1] (pdf). In short, the Department of Homeland Security (DHS) is running outdated software, has unpatched critical vulnerabilities — including the flaw that WannaCry ransomware exploits — and some workstation security patches haven’t been deployed for years.

When President Trump issued an executive order in May 2017 about strengthening the cybersecurity of federal networks and critical infrastructure, each federal agency was required to use the NIST Cybersecurity Framework to manage cybersecurity risk.

The OIG assigned each of the agency’s cybersecurity functions a maturity level: 1) ad hoc; 2) defined; 3) consistently implemented; 4) managed and measurable; and 5) optimized. If an agency achieves Level 4 in a majority of the five cybersecurity functions, its information security program is considered “effective overall.”

NIST Cybersecurity Functions are: Identify, Protect, Detect, Respond, and Recover. After conducting an audit, the OIG said, “DHS could protect its information and systems more fully and effectively,” as DHS only hit the targeted Level 4 for Identify and Respond.

Yet even with scoring a Level 4 for Identify, “64 systems lacked valid authority to operate, and components did not remediate security weaknesses timely.”

Protect, Detect, Recover = Fail

The Protect function means appropriate safeguards to ensure delivery of critical infrastructure services have been developed and implemented. The OIG found DHS fell short in the Protect department, saying it “did not implement all configuration settings required to protect component systems, continued using unsupported operating systems, and did not apply security patches timely to mitigate critical and high-risk security vulnerabilities on selected systems.”

Specific examples of Protect failures included a DHS Headquarters system, a Coast Guard system, and a Secret Service system still running unsupported Windows Server 2003. (Microsoft stopped supporting those servers and releasing security updates for them in July 2015.)

Additionally, the OIG detected critical and high-risk vulnerabilities due to missing patches on Windows 2008 and 2012 systems; some of the missing security updates had been released as far back as July 2013. Other DHS components had not deployed critical patches released in July 2016.

The OIG also found several Windows 7 and 8.1 workstations had not been patched to protect against WannaCry ransomware. Other missing patches were for internet browsers, Flash Player, Adobe Shockwave, and Adobe Acrobat. Vulnerability assessment testing examples included 12 unique, high vulnerabilities and four critical flaws on DHS Headquarters Windows 7 workstations, and five critical bugs on DHS Headquarters Windows 8.1 workstations.

NIST’s Detect function means “developing and implementing the appropriate activities to identify the occurrence of a cybersecurity event.” However, the OIG found that DHS fell short of Level 4 because it had not maintained software licenses for unclassified systems and had relied on “data calls to monitor national security systems as part of its continuous monitoring process to detect potential incidents.”

DHS also failed to reach Level 4 regarding NIST’s Recover function, which “entails developing and implementing plans for resiliency and restoration of any capabilities or services impaired due to a cybersecurity event.”
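The Protect findings above (operating systems past vendor support, critical patches outstanding for years) and the report’s scoring rule (Level 4 in a majority of the five functions means “effective overall”) can both be checked mechanically against an asset inventory. The following is an added illustration, not code from the OIG report or from DHS: the host records, the evaluation date, the 30-day patch threshold and the end-of-support dates other than the Windows Server 2003 date cited in the article are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# The five NIST Cybersecurity Framework functions scored in the OIG evaluation.
FUNCTIONS = ("Identify", "Protect", "Detect", "Respond", "Recover")
TARGET_LEVEL = 4  # "managed and measurable"

# Vendor end-of-support dates. Windows Server 2003 is the date the article cites
# (July 2015); the other two entries are assumptions made for this example.
END_OF_SUPPORT = {
    "Windows Server 2003": date(2015, 7, 14),
    "Windows Server 2008": date(2020, 1, 14),
    "Windows 7": date(2020, 1, 14),
}


@dataclass(frozen=True)
class Host:
    name: str
    os: str
    # Release date of the oldest critical/high patch still missing; None if fully patched.
    oldest_missing_patch: Optional[date]


@dataclass(frozen=True)
class Finding:
    host: str
    kind: str  # "unsupported_os" or "stale_patch"
    detail: str


def check_unsupported_os(host: Host, today: date) -> Optional[Finding]:
    """Flag a host whose operating system is past vendor end of support."""
    eos = END_OF_SUPPORT.get(host.os)
    if eos is None or today < eos:
        return None
    days = (today - eos).days
    return Finding(host.name, "unsupported_os", f"{host.os} unsupported for {days} days")


def check_stale_patch(host: Host, today: date, max_age_days: int) -> Optional[Finding]:
    """Flag a host with a critical/high patch outstanding longer than max_age_days."""
    if host.oldest_missing_patch is None:
        return None
    age = (today - host.oldest_missing_patch).days
    if age <= max_age_days:
        return None
    return Finding(host.name, "stale_patch", f"critical patch outstanding {age} days")


def protect_findings(hosts: List[Host], today: date, max_age_days: int = 30) -> List[Finding]:
    """Run both Protect checks over an inventory and collect the findings."""
    findings = []
    for h in hosts:
        for f in (check_unsupported_os(h, today), check_stale_patch(h, today, max_age_days)):
            if f is not None:
                findings.append(f)
    return findings


def program_effective(levels: Dict[str, int]) -> bool:
    """Apply the report's rule: Level 4 in a majority of the five functions.

    A function missing from the dict is treated as Level 1 (ad hoc)."""
    at_target = sum(1 for fn in FUNCTIONS if levels.get(fn, 1) >= TARGET_LEVEL)
    return at_target > len(FUNCTIONS) // 2


# Constructed inventory modelled on the kinds of findings the article describes.
SAMPLE_HOSTS = [
    Host("hq-srv-01", "Windows Server 2003", None),
    Host("uscg-srv-02", "Windows Server 2008", date(2013, 7, 9)),
    Host("hq-ws-17", "Windows 7", date(2017, 3, 14)),
    Host("hq-ws-22", "Windows 7", None),
]
EVAL_DATE = date(2017, 9, 30)  # end of fiscal year 2017, assumed evaluation date

# Maturity levels as the article reports them: only Identify and Respond reached
# Level 4. The exact level of the other three is not given; 3 is assumed here.
DHS_FY2017_LEVELS = {"Identify": 4, "Protect": 3, "Detect": 3, "Respond": 4, "Recover": 3}

if __name__ == "__main__":
    for f in protect_findings(SAMPLE_HOSTS, EVAL_DATE):
        print(f"{f.host}: {f.kind}: {f.detail}")
    print("effective overall:", program_effective(DHS_FY2017_LEVELS))
```

Running it lists one unsupported-OS finding and two stale-patch findings for the constructed inventory and reports the program as not effective overall, which flips to effective once a third function (for instance Protect) reaches Level 4.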

OIG’s conclusion after evaluating Homeland Security’s IT systems

The OIG concluded:

Specifically, since the Department’s inception in 2003, components have not effectively managed and secured their information systems. Components have continued to operate systems without ATOs, used unsupported operating systems that expose DHS data to unnecessary risks, ineffectively managed the POA&M process to mitigate identified security weaknesses, and failed to apply security patches timely. Such repeated deficiencies are contrary to the President’s Cybersecurity Executive Order and clear indicators that departmental oversight of the enterprise-wide information security program needs to be strengthened. Until DHS overcomes challenges to addressing its systemic information security weaknesses, it will remain unable to ensure that its information systems adequately protect the sensitive data they store and process.

The OIG gave five recommendations that the DHS chief information security officer agreed to complete no later than Sept. 20, 2018.

Talented security experts needed, but security skills of DHS employees unknown

It is interesting to note that DHS, the agency in charge of protecting U.S. cybersecurity, claims to need qualified security experts but doesn’t know the skills of those already employed by DHS.

The OIG noted that DHS “has not assessed the knowledge, skills, and abilities of its cyber workforce. Lacking such an assessment, DHS cannot assure that its employees possess the knowledge and skills necessary to perform their various job functions, or that qualified personnel are hired to fill cybersecurity-related positions.”

Yet DHS told the OIG that “a lack of qualified security engineers from the overall labor market” was “the foremost reason for components failing to meet its SA metric.” That shortfall may remain the status quo until “cybersecurity becomes a common skill-set across the Nation.”
