Cyberwar fundamentally changes how government must handle security. Faced with increasingly sophisticated attacks from gangs of cyber criminals and foreign governments probing systems for sensitive data, threats frequently go undetected for days, weeks, and even months. And it’s not just financial data being stolen. Terrorists and rogue governments may steal confidential data, including intelligence information, that exposes a country and its citizens to potential harm. Unfortunately, the traditional fortress approach no longer suffices. Learn what’s needed to tackle the new threats, and why Tripwire's solutions provide the real-time awareness necessary to fight cyberwar.
Whitepaper here: http://www.tripwire.com/register/cyberwar-threats-new-security-strategies-for-governments/
Cyberwar Threats: New Security Strategies for Governments
WHITE PAPER

Introduction
Cyberwar fundamentally changes how government must handle security. Faced with increasingly sophisticated attacks from gangs of cyber criminals and foreign governments probing systems for sensitive data, threats frequently go undetected for days, weeks, and even months. And it's not just financial data being stolen. Terrorists and rogue governments may steal confidential data, including intelligence information, that exposes a country and its citizens to potential harm. Unfortunately, the traditional fortress approach no longer suffices. Firewalls, intrusion detection systems and other security devices can stop the average hacker, but new threats use stealth techniques that these defenses cannot detect on their own.

Faced with the certainty that attackers will get into their systems, government organizations must take a more proactive approach to risk management. This approach includes focusing security efforts on protecting mission-critical data. To focus those efforts, government organizations need situational awareness. They must know the location of critical data, identify the characteristics of the systems that carry the data, understand the vulnerabilities of those systems, and detect changes in activity that signal potential threats. Government organizations around the world must also know what security controls they have in place throughout the IT infrastructure, and whether these controls protect the infrastructure against the potential threats.

However, the sheer size and complexity of government infrastructure makes gaining that awareness difficult. For example, the US government boasts thousands of uniquely configured systems strewn across hundreds of offices and government departments. The thousands of security devices throughout the average government IT infrastructure generate such huge quantities of valuable data that the IT departments in these government organizations get overwhelmed when faced with collecting and analyzing it. In addition, governments must secure this infrastructure with shrinking budgets, a trend illustrated by the UK government's recently announced £81 billion in budget cuts slated to take effect over the next four years.1

Government organizations urgently need solutions that provide automated, continuous, and end-to-end monitoring of that infrastructure to isolate vulnerabilities and risk and help overwhelmed security professionals immediately identify and automatically mitigate any damage from existing and potential threats. Only with these solutions can government agencies defend themselves against the threats and consequences of cyberwar in an age of declining budgets.

Evolving Threats Require New Cybersecurity Strategies

The attack that compromised Google's systems in December 2009 demonstrates just how the new generation of adversaries can effectively take down an Internet giant. Google said that the attack originated in China and was aimed at the email accounts of Chinese human rights activists, and that some 20 other organizations fell victim to the attack, including several US defense contractors. The attackers got past all of the defenses installed by Google, and managed to stay hidden for days while they hunted for the activists' data.

In testimony to the US Senate Select Intelligence Committee in February 2010, Dennis Blair, the US Director of National Intelligence, said that these kinds of advanced persistent threats (APTs) result in the theft of sensitive information from government networks every day. The technology balance currently favors the attacker, he said, and may do so for some time.

The UK government's recently released Strategic Defense and Security Review (SDSR) likewise recognizes the new age of cyber threats, citing cyber attacks, whether from other states, terrorists or organized crime, as one of its top risks. The recent discovery of an organized crime ring that used the Zeus Trojan to steal money from financial accounts lends credence to that assessment; in late September 2010, 10 people in the UK were charged with using the Zeus Trojan to steal millions of pounds.2 Similarly, in the US, the FBI and the US Attorney's office in southern New York charged 37 people in a criminal operation that used the Zeus Trojan to steal $3 million from bank accounts. The crime ring allegedly involved operations managers and money mules who, for a commission, laundered the stolen money through bank accounts they opened.3

Deloitte, in its 2010 CSO Cybersecurity Watch Survey, found that most organizations it surveyed lacked awareness of these kinds of attacks, or felt overconfident that their current security measures and technology could protect them. More than two-thirds still considered hackers the biggest threat.

Unfortunately, these non-agile security tools and processes don't work against APTs. The Deloitte report noted that intrusion detection, signature-based malware and anti-virus solutions provide little defense, and rapidly become obsolete against attackers who use strategies such as encryption to mask their efforts.

Cyber attackers typically exhibit much more patience than the traditional hacker. When rebuffed, they keep probing until they find a way in. Once past the defenses, they call on their assets time and again to extract data. You would not classify these attackers as opportunists; they have a mission and remain focused on it until they succeed.

Identifying and Managing Risk

Given the tactics and tools of cyberwar, IT can no longer simply man the barricades and plug whatever holes develop in their defenses. Instead, government must use continuous, or protective, monitoring to proactively identify the data most at risk and secure the systems that contain that data. The desired end? Agencies continue to operate and missions remain uncompromised. When it comes to national security, defense and essential parts of the country's IT infrastructure, that's the ultimate goal.

In the US, the National Institute of Standards and Technology (NIST) is responsible for drawing up the guidelines for certifying and accrediting the security of government IT systems. NIST puts risk management at the center of its most recent revision of those guidelines. The guidelines emphasize building solid security into critical government systems as early in their life cycle as possible. Doing so makes it easier to identify what vulnerabilities and weaknesses remain, which in turn makes it easier to manage them within the standard risk determination and acceptance process. That's certainly something that the US Department of Defense (DoD) counts on to keep its Global Information Grid, the worldwide collection of computers and networks that drives its operations, up and running, and its most important data safe. Of all US government organizations, cyber attackers consider the DoD the prize target.

In the UK, the Good Practice Guide No. 13: Protective Monitoring, or GPG 13, issued by the UK Government's CESG, is part of the Security Policy Framework (SPF) designed to protect the government's IT infrastructure. Similar to NIST, GPG 13 and the SPF take a risk-based approach to protecting the infrastructure. GPG 13 outlines an approach that UK government organizations should take to manage the risk to their critical systems, including the information they must record, the events they must report, and the alerts they must generate based on anticipated modes of attack on these systems.

The opposition can exploit any weakness, so to manage risk you must know the security status of all of the systems throughout the enterprise. That's the essential visibility that all agencies will be looking for.

In an interview with GovInfoSecurity.com, Ron Ross, the head of the team that drew up the NIST guidelines, said continuous monitoring "is critical" for making sure that agencies know the security state of their systems on an ongoing, day-by-day, hour-by-hour basis. "That is the up tempo that our adversaries are working in today as they launch these very sophisticated cyber attacks against our critical systems," he said.

The UK government echoes this belief, citing as a major benefit of protective monitoring the increased situational awareness that results from continuously collecting information about threats to, and trends in, critical government systems and data. This information enables organizations to identify what attacks are occurring, where they're occurring, who is behind the attacks, how vulnerabilities have been or are being exploited, current and potential future vulnerabilities, attacks in progress, and how to fix the issues that led to an attack.

Still a Long Way to Go

Most governments around the world still lack the visibility and situational awareness needed to manage risk. Few know if systems are correctly configured according to a known, good baseline of policies and controls. Few have the ability to receive alerts when system changes result in insecure configurations so they can fix them before the damage occurs.
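The baseline-and-drift check that the paragraph above calls for, as an added example written for this page (illustrative Python, not Tripwire's code): every file under a root is hashed into a known-good baseline, a later scan reports files that were added, removed or modified, and changed files are then tested against a small policy so that a change which introduces an insecure setting is reported as a violation rather than merely as "changed". The POLICY table, the two sshd rules in it, and the file contents in demo() are assumptions constructed for the demonstration; a real deployment would carry a full benchmark such as a STIG in their place.

```python
"""Added example: configuration baseline and drift detection.

Illustrative code written for this page, not Tripwire's. Hashes every
file under a root into a baseline, re-scans to find added/removed/modified
files, and checks changed files against a small policy.
"""
import hashlib
import os
import re
import tempfile

# Hypothetical policy (an assumption, not from the white paper): for a
# config file name, a list of (rule name, regex that must NOT match).
POLICY = {
    "sshd_config": [
        ("PermitRootLogin must be no",
         re.compile(r"^\s*PermitRootLogin\s+yes\b", re.M | re.I)),
        ("PasswordAuthentication must be no",
         re.compile(r"^\s*PasswordAuthentication\s+yes\b", re.M | re.I)),
    ],
}


def _sha256(path):
    """SHA-256 of a file, read in chunks so large files do not load whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map relative path (always '/'-separated) -> sha256 for every file."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = _sha256(full)
    return baseline


def check_policy(rel_path, content):
    """Names of POLICY rules that the file content violates."""
    violations = []
    for rule_name, bad_pattern in POLICY.get(os.path.basename(rel_path), []):
        if bad_pattern.search(content):
            violations.append(rule_name)
    return violations


def detect_drift(baseline, root):
    """Compare the current tree against the baseline.

    Returns a dict with sorted 'added', 'removed' and 'modified' path lists,
    plus 'violations': path -> rule names for added/modified files that
    now break POLICY. Unchanged files are not re-checked.
    """
    current = build_baseline(root)
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in current
                      if p in baseline and current[p] != baseline[p])
    violations = {}
    for rel in added + modified:
        with open(os.path.join(root, rel), "r", errors="replace") as f:
            found = check_policy(rel, f.read())
        if found:
            violations[rel] = found
    return {"added": added, "removed": removed,
            "modified": modified, "violations": violations}


def demo():
    """Constructed scenario: baseline a hardened sshd_config, then weaken
    it, add a stray file and delete another; return the drift report."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "etc", "ssh"))
        cfg = os.path.join(root, "etc", "ssh", "sshd_config")
        with open(cfg, "w") as f:
            f.write("Port 22\nPermitRootLogin no\nPasswordAuthentication no\n")
        with open(os.path.join(root, "etc", "hostname"), "w") as f:
            f.write("gw01\n")
        baseline = build_baseline(root)

        # Drift: root login enabled, unexpected file, hostname removed.
        with open(cfg, "w") as f:
            f.write("Port 22\nPermitRootLogin yes\nPasswordAuthentication no\n")
        with open(os.path.join(root, "etc", "motd"), "w") as f:
            f.write("welcome\n")
        os.remove(os.path.join(root, "etc", "hostname"))
        return detect_drift(baseline, root)


if __name__ == "__main__":
    print(demo())
```

The report separates "what changed" from "what is now insecure": an added motd is noise an operator can triage later, while the modified sshd_config carries a named policy violation that should page someone. In practice the baseline would be stored off-host and signed, since an attacker who can edit the config can also edit a baseline kept beside it.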
As part of their annual FISMA report to the US Office of Management and Budget (OMB), US government agencies must show they have an agency-wide security configuration policy, and provide evidence on how well they have implemented various security configurations on their systems.

In a July 2009 report, the US Government Accountability Office (GAO) said all 24 of the major US federal agencies it investigated claimed they had a security configuration policy in place. But almost all of them had weaknesses in their information security controls, and over 21 had configuration management weaknesses. Several agencies did not implement common secure configuration policies across their systems, the GAO said, and many did not ensure that system software changes had been properly authorized, documented and tested. John Gilligan, a former chief information officer for both the Air Force and the Department of Energy, told a recent cybersecurity forum that if government organizations deployed and enforced security measures such as configuration controls, they could block some 85 percent of attacks.

Devices in the network that record security-related events offer another source of useful security information. Collecting those logs and having some way of analyzing them can help flag potential threats. Unfortunately, most agencies can't do that right now, due in part to the perceived difficulty of implementing a log management solution. However, many are starting to realize what those logs offer. In a recent study, the DoD said that log management ranked among the highest-value controls that could be used to block attacks.

The security of UK government systems is less publicized, but the recent inclusion of cybersecurity as a top priority in the SDSR indicates that cybersecurity is top of mind in the UK for the foreseeable future. And with the 2012 Olympic Games in the works, it's a certainty that the UK government will scrutinize government agencies more than ever to ensure that they have continuously secure system configurations and the ability to easily review network and activity logs for potential threats and forensics.

Tripwire VIA Solutions: Visibility, Intelligence, Automation

The Tripwire® VIA™ suite delivers the real-time, continuous monitoring organizations need to counter modern cyberwar threats, so agencies see the data that matters no matter how much noise the IT infrastructure generates. Armed with this visibility, security professionals detect weaknesses and vulnerabilities, and make fixes before attackers can exploit them. Tripwire VIA solutions include Tripwire® Enterprise for industry-leading configuration control, and Tripwire® Log Center for next-generation log and security information and event management (SIEM).

Tripwire Enterprise helps organizations focus on the changes that matter with continuous file integrity monitoring, compliance policy management, real-time intelligence that identifies changes that introduce risk or non-compliance as they occur, and on-demand automated remediation. With over 300 out-of-the-box policies, Tripwire Enterprise covers just about any security, regulatory and operational policy needed for assessing and managing configurations. Specific to US government organizations, Tripwire Enterprise includes policies for NIST SP 800-53 Rev 3, DISA STIGs and FISMA requirements. For UK government organizations, Tripwire Enterprise includes a Security Policy Framework (SPF) policy that can be applied for GCSX CoCo and GPG 13: Protective Monitoring requirements. These policies include weighted tests that help IT managers focus on the configurations that pose the greatest security risk or most affect system performance.

Tripwire Enterprise also allows organizations to capture secure or operationally optimized configurations developed in-house so these configurations can be re-applied as needed. And Tripwire Enterprise automates remediation of detected issues on demand for both physical and virtual environments.

Tripwire Log Center captures and stores tens of thousands of events per second to meet the log management requirements of many standards and regulations. It also enables Google-like searches of log activity data for deep forensic analysis. Because Tripwire Log Center supports the most popular log transmission protocols, it collects logs from just about any source out of the box. In addition, Tripwire Log Center detects and alerts on events that may indicate suspicious activity. The solution's graphical tools help correlate events, and pinpoint those parts of the infrastructure that could be open to attack.

As part of the Tripwire VIA suite, Tripwire Enterprise and Tripwire Log Center integrate with each other to provide a single solution for IT security and compliance. Using Tripwire solutions, IT can investigate individual changes and events as well as complex sequences of activity, such as suspicious events related to a change that may indicate a new risk or noncompliance. Combined, these solutions also support incident investigation, reveal patterns of activity that indicate threats, and help identify downstream impacts of a given change. The combination also enables organizations to gain audit logging capabilities across the entire IT infrastructure without installing additional code.

With the Tripwire VIA suite, organizations gain end-to-end visibility across the enterprise, intelligence to help them make better and faster decisions about threats and risk, and automation to address and fix the millions and billions of changes and events that occur in today's IT infrastructure.

Conclusion

Cyberwar, with its sophisticated, persistent threats, is forcing government agencies to move away from an all-or-nothing approach to security. These organizations must now focus on protecting essential data and ensuring continuous availability of critical systems, all without interrupting the ability of these agencies to conduct the day-to-day business activities required to fulfill their missions. As a result, security becomes a strategic necessity rather than an activity that simply complements the other activities of government agencies. Agencies must now apply risk management practices that ensure systems stay up and running.

To do that, security professionals must shift from their traditional reactive stance to a more proactive one. Because they can't manually plug the holes fast enough, they need a way to get ahead of the threats. Key to this is being able to get a clear view of the existing vulnerabilities through the noise created by the overwhelming number of systems and configurations that make up today's IT enterprise. Equally key is automation that not only detects vulnerabilities as they occur, but also enables them to be remediated immediately, before the damage occurs. Automation is also critical to protecting these systems and data in the face of decreased budgets and headcounts.

Tripwire VIA solutions provide the needed end-to-end visibility of all activity and events across the enterprise so users can identify potential threats in real time. These solutions also deliver actionable intelligence so managers immediately know where misconfigurations, and therefore vulnerabilities and non-compliance, exist. And Tripwire VIA solutions automate much of the work, including remediation, so government organizations can provide effective security even with today's reduced budgets and round-the-clock threat environment.

1 "Spending Review 2010: George Osborne wields the axe" (www.bbc.co.uk/news/uk-politics-11579979)
2 "UK police charge 10 people with Zeus fraud" (http://news.cnet.com/8301-1009_3-20018167-83.html?tag=mncol;txt)
3 "Dozens charged in use of Zeus Trojan to steal $3 million" (http://news.cnet.com/8301-27080_3-20018177-245.html)