Brian P. Burns
Deputy Chief Information Officer for Emerging Technology
Department of the Navy Chief Information Officer (DON CIO)
E-mail: Brian.P.Burns@Navy.Mil

August 26, 2009
•   Charter signed in Dec 2008

     –   Align Cyber, IdM Efforts Across Federal Government
     –   Use the power of the Federal CIO Council to collaborate across Government and advise OMB

•   Co-Chairs
     –   Robert Carey, Chief Information Officer, Department of the Navy
     –   Vance Hitch, Chief Information Officer, Department of Justice

•   Comprised of 4 Subcommittees:

     –   Security Program Management Sub Committee (SPMSC)
           • Coordinates with ISSLOB, CIOC IT Workforce Committee
           • Advises on FISMA reporting tools and Security Policy

     –   Security Acquisitions Sub Committee (SASC)
           • Recommends Security Contract Language
           • Reviews CNCI Supply Chain Activities

     –   Identity, Credentialing, and Access Management Sub Committee (ICAMSC)
           • Coordinates Federal Identity Credentialing, Federal PKI, and HSPD-12

     –   Network and Infrastructure Security Sub Committee (NISSC)
           • Coordinates with CIOC Architecture and Infrastructure Committee
           • Advises on Web 2.0, TIC, FDCC, DNS Security, Key Escrow, Directory Services, Multi-factor Authentication, and Network Security.
[Diagram: stakeholder scope: International Organizations; Public/Private National Organizations; Private Citizens; Federal Government; Department of Defense (DoD); Department of the Navy (Naval MILDep), alongside the Department of the Air Force and the Department of the Army]

•   What is Web 2.0?
•   Web 2.0 Terminology
•   Web 2.0 Security Issues
•   Internet Threat Landscape
•   Application to the Federal Government
     –   Spear Phishing
     –   Social Engineering
     –   Web Application Security
•   Some Considerations
(Source: Earl Crane, DHS)

Note: The Government does not endorse the use or imply preference for any vendor commercial products or services mentioned in this presentation.
•   “Web 2.0 is the business revolution in the computer industry caused by the move to the internet as platform, and an attempt to understand the rules for success on that new platform.” – Tim O’Reilly

•   The Main Issue:
     –   How do we enable the federal government to securely use the internet as a platform?

•   Government 2.0
     –   Embracing Web 2.0 technologies throughout the federal government
•   Web 2.0
     –   Using the internet as a platform
•   Social Media
     –   Websites enabling communication and collaboration through online social networks
•   Security must be considered for many more Web 2.0 technologies not covered in this
     –   Mashups, Geotagging, Other New Media
     –   Cloud Computing, PAAS/SAAS/IAAS
     –   Public perception management
     –   Service Oriented Architectures (SOA) (Data.gov)

•   Why is Web 2.0 security any different than Web 1.0?

•   In Web 2.0 the browser is the application
     –   Not just a reader

•   Web 2.0 relies on User-Created
     –   Global contributors
     –   Not just webmasters
     –   Contributors not accountable

•   Web 2.0 provides feature-rich applications and content
     –   Not just viewing a website, but USING a web application

•   Social Media has revitalized the old-school method of receiving viruses from your
•   Example: Koobface
       • Virus distributed through Social Media Sites
       • Links with Virus disguised as video sent to victim’s circle of friends
       • Friends click video link to download virus
       • Social Networks are an emerging attack vector; Koobface is being updated
         (Source: McAfee Threats Report: First Quarter 2009)

•   “As malicious code continues to grow at a record pace we’re also seeing that attackers have shifted away from mass distribution of a few threats to micro-distribution of millions of distinct threats,” said Stephen Trilling, vice president, Symantec Security Technology and Response.
    Source: Symantec Internet Security Threat Report - Volume XIV

•   The Federal Government is unique in the way we are targeted by our adversaries for cyber attacks.
     –   “We have now learned first-hand about this growing category of threats that directly target the Federal government, our systems, and our information. We have also witnessed how these threats have become more persistent, more pervasive, and even more aggressive than we imagined. These actors appear to be highly-motivated and well-resourced, and it will take all of our collective efforts to keep them out of our networks.”
           • Margie Graves, Acting Chief Information Officer, U.S. Department of Homeland Security, before the House Oversight and Government Reform Subcommittee on Management, Organization, and Procurement (May 19,

•   Three significant Cybersecurity issues affecting federal employees and contractors using government equipment to access social media websites are new variants of traditional security issues:
       –   Spear Phishing
       –   Social Engineering
       –   Web Application Security
•   Spear Phishing
     –   An attack targeting a specific user or group of users that attempts to trick a user into performing an action that launches an attack, such as opening a document or clicking a link

•   Traditional Spear Phishing attacks use email to target specific users
     –   Phishers take the easiest path, follow the money
     –   Social media websites allow attackers to use new techniques
     –   Federal threats most likely not targeting credit cards

•   Social Engineering relies on exploiting the human element of trust.
•   Federal employees may self-identify on social networking websites
       –   This creates a department footprint, which is valuable information to our adversaries.
       –   Federal employee footprint growing larger
•   High-profile federal employees create an even larger footprint


•   A large social media footprint creates a target-rich environment for adversaries, helping them to target specific individuals as they launch various Social Engineering attacks.

      • Example: Information Elicitation
         • Attacker learns personal information about a target and builds a trust relationship by expressing interest in similar topics. Victim trusts the attacker and establishes a relationship.
         • Attacker gains more information about the user, or uses their relationship to expand their influence to friends, family, coworkers.

      • Example: Modified Letter Scam
         • Attacker hijacks a current account and sends targeted social engineering emails to friends asking for information or money.

•   Web Applications are dynamic web pages that use scripting to provide additional functionality to the user.
       • Additional functionality = opportunities for abuse
       • Example: Cross Site Scripting (XSS) attack to launch a javascript-based keystroke logger, capturing user keystrokes, including account usernames and
       • Example: Cross-Site Request Forgery (CSRF) to ride user session credentials to other websites.

•   While a hijacked personal account may be annoying and personally costly or embarrassing, a hijacked account of a federal user or a federal account may have more serious effects.

     –   Unofficial posts, tweets or messages may be seen by the public as official messages, or may be used to spread malware, encouraging users to click links or download unwanted

     –   Attackers may gain unauthorized access to federal information systems.

•   Training
     –   OPSEC (Operational Security) Awareness
     –   Educate users about social networking privacy controls
     –   Educate users about threats to consider when sharing personal information online
     –   Recommendations on how to identify as a Federal employee
     –   Recommendations on personal/professional accounts

•   Social Media Provider controls
     –   Code validation and signing
     –   Federal-employee specific profiles and privacy settings
     –   Partnership with social media providers (multiple options)

•   Network Controls
     –   Web Content Filtering based on agency social media Acceptable Use Policy (AUP)
     –   High Assurance Gateway
     –   Use of Trust zones and virtualization technologies
     –   Trusted Internet Connection (TIC)
     –   XML schema validation/Proxy/Deep Packet Inspection
     –   New technologies that verify new sources and users (DNSSEC)

•   Host Controls
     –   Endpoint Protection
     –   Common Operating Environment/Federal Desktop Core Configuration
     –   HSPD-12 Logical Access Control
[Diagram: User Identity Management; System Controls; Information Attributes]


Security of Social Media starts with

    Protection of Data (Confidentiality, Integrity, and Availability)

    And User Behavior (Personal and Professional)

    Not Necessarily the Tool Sets

