cybersecurity

Mobile device management software is helping federal, state and local governments to keep track of employee handheld devices. But as agency programs grow in size, new challenges such as technology life cycle and migration are beginning to surface. To address these issues, organizations are taking a number of approaches designed to meet their specific needs.

NASA straddles the line between device and data management policies. Unlike defense and intelligence agencies, NASA is an “open organization” founded to share its data with the public, said Adrian Gardner, chief information officer at NASA’s Goddard Space Flight Center at the Symantec Government Symposium.

The push to adopt continuous monitoring as a more advanced means for ensuring network security can only work if other network technologies are made secure, said a leading computer scientist from the National Institute of Standards and Technology.

Agencies need to understand the underlying security issues, beyond what continuous monitoring can offer, because adversaries can take advantage of weaknesses to bring down network capabilities, said Ron Ross, senior computer scientist and fellow at NIST. Ross (pictured above, seated far left) made the remarks at the recent Symantec Government Symposium on government security practices.

While Army forces in Afghanistan have more bandwidth and gadgetry than ever, bases back home still make do with archaic copper-wire telephone switches. As the war winds down and units increasingly operate out of the US, the challenge for the Army’s CIO is to move the whole service to a single set of compatible, cloud-based systems.

“How do we get the network right?” Lt. Gen. Susan Lawrence, the Army’s Chief Information Officer, aka the G-6, asked at an Association of the US Army breakfast. “We’re going to propose that [cloud-based] strategy to [Chief of Staff] Gen. [Ray] Odierno on Saturday the 17th.”

The nation’s top military cyber commander offered his version of how government and military agencies are likely to work together when America suffers cyber attacks, and warned that industry needs to take a greater role.

“We have laid out lanes of the road,” Gen. Keith Alexander, commander of Cyber Command and director of the National Security Agency, said, sketching them out in broad terms for an audience of security professionals yesterday at a symposium in Washington sponsored by Symantec.

This is the last in a series of profiles featuring 2012 U.S. Government Information Security Leadership Award (GISLA) winners. The winners received the awards in October from (ISC)², a nonprofit serving certified information security professionals and administrators.

As the systems that support space missions continue to grow in scale and complexity, so does the need to keep improving the processes used to assess system vulnerabilities. At the same time, those processes have to remain flexible, reliable and still meet a host of complex continuous monitoring guidelines.

With so much attention focused on the recent deadline for U.S. government agencies to deploy IPv6 on their public-facing websites, it’s important to raise the flag on a much less discussed, but critically important aspect of IPv6. Namely, that the rapid expansion of unplanned and unmonitored IPv6-enabled systems in ‘IPv4-only’ networks is greatly increasing the attack surface presented by those networks.

Limited awareness of IPv6 security issues and incomplete support for IPv6 vulnerability detection in commercial firewall and intrusion detection products are exposing both commercial and government enterprises to cyber attack.

The IPv4 protocol is the primary communications protocol of the Internet. As early as 1992, the IPv4 limit of 4 billion addresses for network-connected devices was recognized as insufficient to support the rapidly increasing growth of the Internet. The Internet Engineering Task Force embarked on a project to define a replacement protocol for IPv4, eventually labeled as IPv6, to resolve the IPv4 address exhaustion problem and support additional capabilities.

“The lack of awareness and insufficient IPv6 security defenses are exposing ‘IPv4-only’ networks to attack and exploitation.”

The quantity of addresses supported by the IPv6 protocol is so vast that an IPv6 address could be assigned to every atom on the surface of the earth and still have enough addresses left to cover another 100 earth-sized planets.

This vastly increased address space enables continued growth of the Internet and support for new services and applications. IPv6 also introduces a redesigned protocol that is streamlined and extensible, improving router efficiency and making it adaptable to future protocol requirements. Additional features include network auto-configuration, improved support for end-to-end security, quality of service capabilities and mobile support.

The IPv6 protocol specification was published in 1996 and the last decade and a half has seen much experimentation, testing and refinement. Greatly spurred on by government initiatives to advance support for IPv6 in commercial products, most network equipment, computer operating systems and mobile devices now ship with operational IPv6 communications stacks in addition to the traditional IPv4 communication stack. Just as in the early days of IPv4 adoption, it will take time for these IPv6 software implementations to mature.

While we gain more experience with these IPv6 implementations, vulnerabilities, implementation errors and misconfigurations will continue to expose these systems to penetration and denial-of-service attacks.

The MITRE Common Vulnerabilities and Exposures (CVE) database details over 100 known IPv6 vulnerabilities, and that list continues to grow. Increasingly sophisticated attack tools are available to exploit these known vulnerabilities, and through fuzzing techniques, identify new ones.

When plugged into a network, these dual-stack systems will automatically configure themselves into a local IPv6 network and start querying their neighbors for the configuration information necessary to communicate beyond the local network and to the IPv6 Internet. This built-in IPv6 auto-configuration capability, known as Stateless Address Auto-Configuration, or SLAAC, lacks any form of authentication or integrity checking, making it susceptible to spoofing through the impersonation of a valid configuration information source. Essentially, an attacker who can reach these nodes can configure this unmonitored IPv6 network on-demand to support exfiltration of data and deeper penetration into the enterprise environment.

IPv6 tunnels, which encapsulate IPv6 packets inside of IPv4 packets, present another important security issue. IPv6 tunnels enable IPv6-capable systems to reach other IPv6 systems and the IPv6 Internet over an IPv4 network. IPv6 tunnels were intended to aid in the transition of IPv4 to IPv6, but they also can be used to bypass firewalls and intrusion detection systems, supporting covert communications and aiding in exfiltration of data.

Many operating systems ship with support for automatically configured tunnels that can result in unintended and unmonitored connections from inside the enterprise to the IPv6 Internet. For example, all Windows operating system versions since Windows Vista ship with support for ISATAP, 6to4 and Teredo automatic tunnels. Under the right conditions, the Windows operating system will automatically attempt to configure each of these types of tunnels and create a persistent, routable IPv6 tunnel through the enterprise and to the IPv6 Internet.
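
The following added example (not from the original article) shows header-level checks a monitoring sensor can apply on an ‘IPv4-only’ segment to surface the router advertisements that drive SLAAC and the ISATAP, 6to4 and Teredo tunnels described above. The sample frames are constructed and the label names and helper functions are hypothetical; protocol number 41, UDP port 3544 and ICMPv6 type 134 are the standard values for IPv6-in-IPv4 encapsulation, Teredo and Router Advertisement.

```python
import struct
from collections import Counter

ETH_IPV4, ETH_IPV6 = 0x0800, 0x86DD
PROTO_UDP, PROTO_IPV6_IN_IPV4, PROTO_ICMPV6 = 17, 41, 58
TEREDO_PORT = 3544          # well-known Teredo server UDP port
ICMPV6_ROUTER_ADVERT = 134  # the message SLAAC hosts accept without authentication

def classify(frame: bytes) -> str:
    """Label one Ethernet frame captured on a network that is meant to be IPv4-only."""
    if len(frame) < 14:
        return "truncated"
    ethertype = struct.unpack("!H", frame[12:14])[0]
    pkt = frame[14:]
    if ethertype == ETH_IPV6:
        # Fixed 40-byte IPv6 header, Next Header at offset 6 (extension headers not walked).
        if len(pkt) > 40 and pkt[6] == PROTO_ICMPV6 and pkt[40] == ICMPV6_ROUTER_ADVERT:
            return "router-advertisement"
        return "native-ipv6"
    if ethertype != ETH_IPV4 or len(pkt) < 20:
        return "other"
    ihl, proto = (pkt[0] & 0x0F) * 4, pkt[9]
    if proto == PROTO_IPV6_IN_IPV4:           # 6to4 and ISATAP encapsulation
        return "proto41-tunnel"
    if proto == PROTO_UDP and ihl >= 20 and len(pkt) >= ihl + 4:
        if TEREDO_PORT in struct.unpack("!HH", pkt[ihl:ihl + 4]):
            return "teredo-tunnel"
    return "ipv4"

def summarize(frames) -> Counter:
    """Count frames per label so unexpected IPv6 activity stands out."""
    return Counter(classify(f) for f in frames)

# --- Constructed sample frames (documentation addresses, zeroed checksums) ---
def _eth(ethertype, payload):
    return bytes(6) + b"\x02\x00\x00\x00\x00\x01" + struct.pack("!H", ethertype) + payload
def _ipv4(proto, payload):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       bytes([192, 0, 2, 10]), bytes([198, 51, 100, 7])) + payload
def _ipv6(next_header, payload):
    return struct.pack("!IHBB", 0x60000000, len(payload), next_header, 255) + bytes(32) + payload

SAMPLE_FRAMES = [
    _eth(ETH_IPV6, _ipv6(PROTO_ICMPV6, bytes([ICMPV6_ROUTER_ADVERT, 0]) + bytes(14))),
    _eth(ETH_IPV4, _ipv4(PROTO_IPV6_IN_IPV4, _ipv6(59, b""))),
    _eth(ETH_IPV4, _ipv4(PROTO_UDP, struct.pack("!HHHH", 51000, TEREDO_PORT, 8, 0))),
    _eth(ETH_IPV4, _ipv4(6, bytes(20))),
]
print(dict(summarize(SAMPLE_FRAMES)))
```

On a segment that is supposed to carry no IPv6, any label other than `ipv4` is worth an alert; a sensor would additionally compare the source of each router advertisement against the list of sanctioned routers.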

The unintended presence of native IPv6 traffic and IPv6 tunnels in ‘IPv4-only’ networks introduces a whole new class of network vulnerabilities. Unfortunately, most network security products, including firewalls and intrusion detection systems, still lack the comprehensive security capabilities necessary to fully inspect and filter native IPv6 and tunneled IPv6 traffic. The complexity of the IPv6 extensible protocol design and the difficulty in identifying and inspecting the contents of IPv6 tunnels are some of the reasons why these implementations have lagged behind.

It is imperative that CIOs and CSOs recognize that IPv6 is here, whether they like it or not. The threats resulting from the unplanned and unmonitored deployment of IPv6-enabled systems into enterprise networks can no longer be ignored and appropriate security controls must be put in place to address them.

Given that security incidents come down to just plain human error, the lack of trained professionals greatly increases the risk of more errors. IT and network security staffs need to be trained on the operational and security issues of IPv6, and network security product vendors must be made to step up to the challenge of implementing effective countermeasures to IPv6-based attacks.

David Helms is vice president, Cyber Security Center of Excellence at Salient Federal Solutions, which is developing comprehensive security controls and countermeasures, including those necessary to address the expanding IPv6 attack surface in enterprise networks.


This is one in a series of profiles featuring 2012 U.S. Government Information Security Leadership Award (GISLA) winners. The winners received the awards in October from (ISC)², a nonprofit serving certified information security professionals and administrators.

As chief information officer of the US Department of Agriculture’s Food Safety and Inspection Service (FSIS), Janet Stevens understands why cybersecurity isn’t just about firewalls and malware protection.

During this time of budget constraints, the federal government is seeking low-priced, technically acceptable (LPTA) solutions to keep projects and innovation alive. In other words, agencies need to find ways to keep technological innovation moving forward, albeit with tighter purse strings.

As Lisa Mascolo, CEO of Optimos Inc., pointed out in her recent Washington Technology Op-Ed article on the topic of LPTA contracts, “When I hear ‘acceptable,’ I think adequate, good enough, not great but okay.”

This is the first in a series of profiles featuring 2012 U.S. Government Information Security Leadership Award (GISLA) winners. The winners received the awards in October from (ISC)², a nonprofit serving certified information security professionals and administrators.

During a time of significant demand for — and an equally significant shortage of — skilled cyber security professionals, Commander of the Army Reserve Information Operations Command (ARIOC), Col. John Diaz assembled and led a 10-person cadre that set a training strategy into motion that systematically transforms ARIOC’s workforce into elite combat-ready cyber warriors.


Federal information technology professionals are confronted with a management landscape that is perhaps as complex as any have seen in a generation.

That’s due in part to the convergence of three transformational technologies – cloud computing, mobile devices and big data analytics. The benefits of each technology are generally expected to outweigh many of the associated challenges of implementing them.
