WHITE PAPER

Security Solutions

Cyber Security
Protecting Our Federal Government From Cyber Attacks
Introduction: Cyber Security Is a Top Federal Priority
Todays federal cyber attacks are coming from other nations, cyber-criminal organizations, and individuals seeking military, economic and financial gains. To address these growing threats, the White Houses Cyberspace Policy Review report released in 2009 focuses on the risks that cyber threats pose to economic and national security, and the growing number of both state and non-state users compromising, stealing, changing, or destroying informationall of which are causing critical disruptions to U.S. systems.
1

A First Lastname By 2009 study of 285 million compromised records concluded that 87 percent of all breaches were considered avoidable through simple or intermediate controls.
THE 2009 DATA BREACH INVESTIGATIONS REPORT

The sophistication and volume of attempted security breaches of federal information systems is escalating at a frantic pace. The network attacks that severely disrupted several federal agencies on July 4, 2009, remind us that these threats are real and they intend to cause harm to their targets. These far-reaching and persistent denial of service attacks intensified the growing concern about the digital security of federal online systems and vulnerability of sensitive government information. The attacks were aimed primarily at Internet sites operated by major government agencies, including the Departments of Homeland Security (DHS) and Defense (DoD), and the White House. Although federal authorities reported that no systems were disabled and nothing was stolen in that particular attack, it is becoming harder to detect what data, federal agencies, or crucial systems will be at risk.
2 3

Threats to cyber security show no signs of slowing down. In one of the largest known cyber attacks, discovered in January, 2010, more than 75,000 computer systems around the world were compromised. These attacks targeted proprietary data, emails, and login credentials at a variety of firms, including ten federal agencies.
4

Challenges to Preventing Cyber Attacks

With the sophisticated technology and the depth of military intelligence available today, one has to wonder why these attacks are not stopped as soon as they are launched. After all, as early as 2007, a report concluded that 120 countries had, or were developing, cyber espionage or cyber war capabilities. The answer is as complex as cyberspace itself: while the federal government is responsible for protecting and defending the country to ensure the safety of its citizens, the private sector builds, owns, and operates most of the networks, digital technology, and infrastructure that the government uses. Unfortunately, there is a large gap between what our nations intelligence services know about foreign threats, what our law enforcement agencies know about criminals, and how much of that information is directly shared with the private sector in order to improve online security.
5

1 Cyberspace Policy Review, May 2009. http://www.whitehoUSe.gov/assets/documents/Cyberspace_Policy_Review_final.pdf 2 Bain, Ben, Cyberattacks Add Fuel to Cybersecurity Debate, Federal Computer Week, July 10, 2009. http://fcw.com/articles/2009/07/10/cyberattacks-promptcybersecurity-debate.aspx 3 Sang-Hun, Choe, and John Markoff, Cyberattacks Jam Government and Commercial Web Sites in U.S. and South Korea, New York Times, July 8, 2009. http://www.nytimes. com/2009/07/09/technology/09cyber.html 4 Nakashima, Ellen, More Than 75,000 Computer Systems Hacked in One of the Largest Cyber Attacks, Security Firm Says, Washington Post, February 18, 2010. 5 Baker, Stewart, In the Crossfire: Critical Infrastructure in the Age of Cyber War, McAfee, January 28, 2010. http://resources.mcafee.com/content/NACIPReport 1

Cyber Security: Protecting Our Federal Government From Cyber Attacks

Cyber security is highly dependent on computer networks that are available 24x7x365 and have properly implemented all the necessary security components required to provide the elements of a trusted system, such as confidentiality, data integrity, transactional non-repudiation, and the ability to identify the source of information (authentication). The governments reliance upon infrastructures that may not be completely secure is certainly one factor that could be risking national security. And because the government neither owns nor operates the global networks and infrastructure it depends upon, ensuring cyber security becomes a complicated issue. In addition to ownership and governance issues, the federal government also must overcome several additional challenges in order to minimize these security risks, including insufficient protection of assets, building and streamlining public-private sector partnerships, and leveraging the knowledge and skills of infrastructure and network providers. Improving Protection of Critical Assets The federal government doesnt have the authority or ability to secure every mile of fiber optic cable, every networked device, and every application used to transmit or receive information. In addition, cyber security threats within government offices, data centers, and IT shops pose a serious challenge to securing sensitive data and preventing leakage. Even more worrisome is the fact that these adversaries are focused on theft of sensitive data from locations on and off the network where assets are not fully protected. The federal government is very concerned about exfiltration of informationthe theft of sensitive data that is removed via the networks themselves. Exfiltration concerns extend to government contractors, as well. In 2009, there were several reported cases of highly sensitive government information leakages to foreign countries. Most of these leaks were via peer-to-peer networks, social networks, and other non-obvious paths outbound through firewalls that are designed to protect against hostile information flows coming into a network, rather than flowing out of a network.
6

The federal government doesnt have the authority or ability to secure every mile of fiber optic cable, every networked device, and every application used to transmit or receive information.
Another equally important challenge to protecting critical assets is preventing common errors. The Verizon Business 2009 Data Breach Investigations Report noted that error is a contributing factor in nearly all data breaches. These errors included poor decisions, system and application misconfigurations, omissions, noncompliance, process breakdowns, and other issues. In many cases, investigators found that the breach could have been avoided if reasonable security controls had been in place at the time of the incident breaches.
7

Developing Government-Private Sector Partnerships Neither civilian nor military agencies within the U.S. government sector, nor the private sector can solve cyber security issues alone. Responsibility for cyber security has to be a shared responsibility, because security operates across many levels and systems, most of which are beyond the control of any single entity. A recent government report states that the U.S. cannot secure cyberspace if it works in isolation. The public and private sectors interests are intertwined with a shared responsibility for ensuring a secure, reliable infrastructure. What makes cyber security a shared responsibility is the complex ecosystem of technologies, policies, standards, laws, regulations and compliance verifications that define it. These and numerous other factors have to be taken into consideration when devising cyber security plans and making decisions. Identifying and resolving these issues require corporate and government partnerships as well as employee and user involvement.
8

6 Krebs, Brian, and Nakashima, Ellen, Congress Told That File Sharing Leaks Sensitive Information, Washington Post, July 30, 2009. http://www.washingtonpost.com/ wp-dyn/content/article/2009/07/29/AR2009072902273.html 7 Baker, Wade. H., Alex Hutton, C. David Hylender, Christopher Novak, Christopher Porter, The 2009 Data Breach Investigations Report, Verizon Business RISK Team, 2009. http://www.verizonbusiness.com/resources/security/reports/2009_databreach_rp.pdf 8 Cyberspace Policy Review, May 2009. http://www.whitehouse.gov/assets/documents/Cyberspace_Policy_Review_final.pdf 2

Cyber Security: Protecting Our Federal Government From Cyber Attacks

In many instances the government has already been working with private and public companies that own and run the worlds networking and communications infrastructures to holistically address these challenges. Groups like NSTAC have a long history of mutual cooperation. In other cases, recent events have created additional opportunities for collaboration. For example, the National Security Agency has agreed to work with Google to analyze a major corporate espionage attack believed to have originated in China.
9

The vast proliferation of networked devices and computers as well as the increase in the number of mobile workers compounds the governments cyber security challenges. In the Cyber Security Mega Trends survey of 217 senior-level IT executives located in various federal organizations, there were significant threats to confidential data, proprietary government systems and the nations critical infrastructure. Seventy-nine percent of the respondents saw the rise in the use of collaboration tools as significantly increasing the storage of unstructured data sources that may contain confidential or sensitive information that is not adequately protected or secured. An equally startling 71 percent of respondents believed that cyber terrorism was on the rise, and this trend posed a very serious threat to the protection of proprietary systems as well as our nations critical infrastructure.
10 11 12

The vast proliferation of networked devices and computers as well as the increase in the number of mobile workers compounds the governments cyber security challenges.
Leveraging the Knowledge and Skills of Infrastructure and Network Providers Most responses to cyber attacks today are not focused on preventing the attack at the source or before it hits the network. While governments can set policy and laws for how to deal with cyber attacks, they lack the holistic view often needed to prevent attacks. Securing global networks requires expertise that spans multiple technologies, from virtual machines, wireless communications and social networks to authentication, encryption and emerging security solutions. The largest technology enablers acquire this expertise by delivering worldwide network support to federal, state, and local agencies in addition to operating networks in hundreds of countries. These providers have first-hand experience securing large, global enterprises with disparate networks, which is particularly important given the global reach of the federal government. More importantly, these enablers are uniquely positioned to significantly improve the level of cyber security and provide their insight to legislatures and regulatory bodies. Yet government officials and regulators all too often turn to the typical federal/military contractors when crafting and implementing a national cyber security strategy. For this reason, defense contractors Boeing and Lockheed both set up new cyberdefense business units, while Raytheon acquired three network security providers. Yet these contractors do not have security expertise and experience that comes from operating a global communication network and infrastructure.
13

Government agencies need the real-world experience of technology enablers and network providers to educate and advise government organizations about those areas that are most vulnerable to attacks. Through mutual cooperation and exchange of ideas and information, global providers can help to identify where attacks originate and then develop the best recommendations and strategies for preventing future attacks.

Considerations for Maintaining Cyber Security

While government agencies and global network and infrastructure providers continue to develop their public-private partnership, there are several key considerations that can help federal agencies to prevent cyber attacks. Many of cyber security breaches still occur because basic controls or precautions are not in place or those that are present are not consistently implemented across the organization. Often breaches

9 Nakashima, Ellen , Google to enlist NSA to help it ward off cyber attacks, Washington Post, February 4, 2010, http://www.washingtonpost.com/wp-dyn/content/ article/2010/02/03/AR2010020304057.html?sid=ST2010020402509 10 Ponemon, Larry, Cyber Security Mega Trends Study of IT leaders in the U.S. Federal Government, November 18, 2009, http://www.ponemon.org/local/upload/fckjail/ generalcontent/18/file/CA%20Security%20Mega%20Trends%20White%20Paper%20FINAL%202%20(2).pdf 11 Ibid. 12 Ibid. 13 Skillings, Jonathon, Defense Contractors Eye Cybersecurity Bonanza, Cnet News, January 1, 2009. http://news.cnet.com/security/?tag=rb_content;overviewHead 3

Cyber Security: Protecting Our Federal Government From Cyber Attacks

succeed due to the fact that the attacker exploits some mistake or is able to hack into a network and install malware on a system to collect data. In a number of cyber breach cases, a third partys lax security practices allowed the attack. A 2009 study of 285 million compromised records concluded that 87 percent of all breaches were considered avoidable through simple or intermediate controls.
14

Although some of todays sophisticated cyber attacks may not be avoidable, there are measures that federal agencies can take to help prevent most cyber breaches. The following considerations provide a starting point for protecting critical assets and improving cyber security. Identify Critical Assets and Network-Enabled Devices The best defense against cyber crime begins by ensuring that absolutely no sensitive, classified, or critical information is accessible by multiple users unless it is required for business or legal reasons. Breaches happen at those locations where the desired information was not considered to be critical and could easily be accessed by unauthorized devices or personnel. Therefore, it is important to classify all assets and identify what is critical. Purchase and use tools that can provide in-depth data asset discovery and asset classification and make sure all the information is classified correctly. Once all critical information is classified, place it behind a firewall away from non-critical systems and information. Its essential to control critical information assets all the way down to the device level and to be aware of what is transpiring between the various systems on which the information assets reside.
15

A 2009 study of 285 million compromised records concluded that 87 percent of all breaches were considered avoidable through simple or intermediate controls.
THE 2009 DATA BREACH INVESTIGATIONS REPORT

In addition, identify all of the devices that are network-enabled (printers, postage machines, faxes, etc.) and identify which ones are connected to a network or the internet and are capable of being exploited or breached. Put the right technology in place to detect a breach when it occurs. This requires a regular process for monitoring all event and application logs. It also requires auditing user accounts and credentials and looking for signs of abuse or anomalies. Create Procedures to Identify and Respond to Suspicious Activities Another key practice that should be considered is the performance of secure application development and the conducting of frequent code review and application testing. Be sure to scan the code frequently for insertion of malware. Its essential to have a good understanding of what is in the application layers that can be exploited as well as the various vulnerabilities of each of the applications running in the organization. Establish procedures that will be used for responding to cyber attacks and frequently engage in mock incident scenarios to test and perfect processes entailing threat identification and classification, response strategies, the way to properly handle evidence, and other necessary processes. Dont Assume Government Workers Are Exempt From Scrutiny The 2009 Data Breach Report found that end-users and IT administrators continue to be the culprits behind many breaches. This finding for IT administrators is not surprising due to the fact that higher privileges afford greater opportunity and temptation for abuse. A simple way to prevent this is to change default credentials and avoid using shared credentials. Another finding of the report was that unauthorized access via default, shared, or stolen credentials constituted more than a third of the entire hacking category and over half of all compromised records. It is particularly disconcerting that so many large breaches stemmed from the use of default and/or shared credentials, given the relative ease with which these attacks could be prevented. The federal governments Identity, Credential and Access Management (ICAM) Roadmap provides good credentialing practices for improving cybersecurity.
16 17 18

14 15 16 17 18

Baker, Wade. H., Alex Hutton, C. David Hylender, Christopher Novak, Christopher Porter, The 2009 Data Breach Investigations Report, Verizon Business RISK Team, 2009. Ibid. Ibid. Ibid. Federal Chief Information Officer Council, Identity, Credential, and Access Management Segment Architecture, August 26, 2009. http://www.idmanagement.gov/ documents/ICAM_Roadmap_Snapshot.pdf

Cyber Security: Protecting Our Federal Government From Cyber Attacks

Keep Security Updated A key step for maintaining tighter security is to implement smarter patch management strategies and have patches implemented as soon as theyre available. Its essential to have security professionals institute procedures and technology that can verify that those patches have been properly installed. Since targeted attacks accounted for 90 percent of all compromised records, one of the fundamental self-assessments every federal government organization should undertake is to determine whether they are a target of choice or target of opportunity. If the agency is a target of choice, then it should expect and prepare for determined and sophisticated attacks. If the agency is a target of opportunity, then it should minimize the opportunities it presents so as to become less of a beacon for attack. The right strategic partner can help government agencies assess their potential vulnerabilities.
19 20

About Verizon Business

Verizon Business, a unit of Verizon Communications (NYSE: VZ), is a global leader in communications and IT solutions. We combine professional expertise with one of the worlds most connected IP networks to deliver award-winning communications, IT, information security and network solutions. We securely connect todays extended enterprises of widespread and mobile customers, partners, suppliers and employeesenabling them to increase productivity and efficiency and help preserve the environment. Many of the worlds largest businesses and governmentsincluding 96 percent of the Fortune 1000 and thousands of government agencies and educational institutionsrely on our professional and managed services and network technologies to accelerate their business. Find out more at www.verizonbusiness.com.

Work With an Experienced Partner Cyber crime, managing risk, mitigating vulnerabilities, and balancing limited resources are real issues, causing real concern. Outsourcing all or part of critical network security operations can be a smart option and a good way to maintain compliance with federal mandates. With the importance and urgency of securing federal systems, government decision-makers should look at the experience and capabilities of a global provider of IT, security, communications, and network solutions for government agencies and businesses. Although many federal defense contractors offer Security Operations Center (SOC) solutions, look for a provider who offers visibility across one of the worlds most connected global networks, which provides an awareness of Internet traffic (and the threats to it) that few others have. Its an advantage that helps government agencies stay ahead of emerging cybercrime activities. With this level of global expertise, government organizations gain the benefit of collective intelligence, along with the peace of mind of knowing that the provider is working the front lines, identifying, accessing, and responding to security threats as they emerge.

Government decision-makers should look at the experience and capabilities of a communications provider that is one of the largest global providers of IT, security, communications, and network solutions for government agencies and businesses.
Conclusion: Cyber Security Through Cooperation
Cyberspace has evolved into a highly interdependent and technologically dynamic environment. The vulnerability of networks around the world presents challenges to securing the federal government from cyber attacks. The only hope for securing classified and highly sensitive information, and the safety of the public and the country, is through public and private sector partnerships. The complexity of maintaining secure networks, systems, and offices, makes it virtually impossible for one entity or sector to achieve success without the assistance of the others. By working together, the federal government and the private sector can leverage the vital skills, expertise, and assets that each provides to reduce cyber risk. While cyber attacks will continue to increase, government organizations can achieve tighter security by working with experienced communications and network providers to prevent cyber crime before it happens and defend against cyber attacks when they occur. As a trusted partner to the federal government, Verizon can help government agencies make cyber security a reality. For information, visit www.verizonbusiness.com/federal and contact your Verizon Account Manager.

19 Ibid. 20 Ibid.

verizonbusiness.com
2010 Verizon. All Rights Reserved. WP14347 4/10 The Verizon and Verizon Business names and logos and all other names, logos, and slogans identifying Verizons products and services are trademarks and service marks or registered trademarks and service marks of Verizon Trademark Services LLC or its affiliates in the United States and/or other countries. All other trademarks and service marks are the property of their respective owners. 5