Developing a Framework to Improve Critical Infrastructure Cybersecurity

Here are thoughts from our CTO, Bill Worley PhD, on properly securing critical infrastructure in our highly connected world. They are particularly applicable given what we have seen in the last year: increased DDoS attacks focused on the DNS, and compromised systems used for the theft of intellectual property.

DNSSEC Adoption is Slow for Government Agencies

Even though more than two years have passed since federal government agencies were required to support DNS Security Extensions (DNSSEC) on their web sites, only 57 percent of agencies have met these requirements. In other words, about 40 percent of federal agencies have not secured their domains to protect users from domain name hijacking and cache poisoning attacks.

As this Network World article explains, Read more

Recent Government Cybersecurity Actions

Last week President Obama signed an Executive Order in an attempt to strengthen the cybersecurity of critical infrastructure in the United States. This is an area much in need of improvement, but this Executive Order barely scratches the surface. The main points addressed by the order are to facilitate information sharing and to develop a Cybersecurity Framework.

To assist information sharing, the Order expands the voluntary Enhanced Cybersecurity Services Program beyond defense industrial information sharing to include other government sectors. This program enables near-real-time sharing of cyber threat information, intended to help participating critical infrastructure companies better position themselves to deal with cyber threats.

The National Institute of Standards and Technology (NIST) is being directed by the Order to work collaboratively with critical infrastructure stakeholders to develop a Cybersecurity Framework. This framework is to be based on existing international standards, practices, and procedures that have proven to be effective.

The Order also includes privacy and civil liberties protections. Agencies must follow the Fair Information Practice Principles along with other pertinent policies. They also must conduct regular assessments of the impact of their activities on privacy and civil liberties. These assessments will be made public.

The Department of Homeland Security is directed by the Order to work with Sector-Specific Agencies and Councils to develop a program to assist companies with implementing the Cybersecurity Framework, including incentives for adoption.

Per the Order, regulatory agencies will use the Cybersecurity Framework to assess their cybersecurity regulations, determine whether existing requirements are sufficient, and determine whether any existing regulations can be eliminated.

This is just an Executive Order, so it has no force outside of Government and lacks strong requirements for quick action. Some areas not covered, but considered to be very important and woefully exposed, include minimum requirements for how crucial infrastructure such as power and water systems should be protected, and requirements on protecting the transfer of financial information. One of the main targets of cyber attacks has been the supervisory control and data acquisition (SCADA) systems used by companies overseeing the nation’s critical infrastructure. These systems are notoriously outdated and insecure, as the infrastructure was put together before the potential for a serious cyberattack existed. Any actions in these areas require Congressional action.

In response, House Intelligence Committee leaders Mike Rogers (R-Mich.) and Dutch Ruppersberger (D-Md.) re-introduced the Cyber Intelligence Sharing and Protection Act (CISPA). The intention of the bill is to remove legal barriers that prevent government and industry from effectively sharing information about cyber threats. This is the same bill that passed the House last year but failed in the Senate.

The main criticism of the bill has been that the broad language in CISPA would allow companies to send customers’ electronic communications to the intelligence community, such as the National Security Agency (NSA). The general feeling is that the bill should include a measure requiring companies to strip personal information from cyber threat data before sending it to the government, and that a civilian agency, like the Homeland Security Department, should oversee the information sharing. The Senate cybersecurity bill last year addressed both of these issues by requiring that companies “make reasonable efforts” to remove sensitive personal information from data on cyber threats before they share it with the government, and by putting civilian agencies in the role of overseeing the information sharing exchanges.

It is critical that actions be taken to better secure the U.S. cyber communications environment. The actions of the Executive Order and CISPA bill are a start, but much more is needed including guidelines on truly securing the transfer of information using tools such as DNSSEC or DANE. Secure64 can assist in providing a secure basis for protecting DNS traffic.

DNSSEC Deployment Lags

DNSSEC has been slow to be accepted by commercial sites, leading to a lag in DNSSEC deployment, even though it is the best available defense against site hijacking. This type of hijacking is possible because of a major flaw in DNS, found by security researcher Dan Kaminsky 5 years ago, that makes cache poisoning possible.

A New DNS Vulnerability

A new DNS vulnerability was found in BIND yesterday, CVE-2012-5688. It is listed as a critical vulnerability.

This adds to the list of major vulnerabilities discovered in BIND. Since February of 2011, a new high-severity vulnerability has been found on average every 60 days. This is a worrisome trend for DNS administrators concerned with the increasing sophistication and level of attacks. None of these vulnerabilities have affected Secure64 DNS servers.

Need More Secure Operating Systems

Kaspersky Lab has announced that they are developing a secure operating system for protecting SCADA (supervisory control and data acquisition) and ICS (industrial control systems). These systems are core to most utility companies and industrial infrastructure, controlling such things as valves or switches.

Protecting Your DNS

There have been several recent Denial of Service attacks reported on banks, hosting providers and federal agencies around the world. As always with these types of attacks, one of the victims is the DNS server. Attacking DNS is effective: once the DNS server is taken down by the hacker, customers can’t reach any of the victim’s servers, including mail servers, web servers, etc.

Besides its effectiveness, there are other reasons why the DNS server is the perennial victim of the Internet. One of the more technical reasons is that DNS service is UDP-based, not TCP-based like most other services. Many simple types of attacks can be performed against UDP-based systems. Additionally, UDP source addresses are much easier to forge than TCP’s, so the hacker does not have to reveal his IP address in the attack. All of this makes the DNS a juicy target.

The traditional way of protecting DNS and other servers is via stateful firewalls. However, this protection mechanism does not work well against UDP-based attacks. In fact, most firewalls actually contribute to the problem rather than helping, since they are not designed to cope with large floods of small packets. You can verify that this is the case by reading the fine print in the specifications of your firewall. It is probably rated at an impressive number of gigabits per second, but if you look at the number of packets per second, it is not that high. And even if you have a firewall capable of millions of packets per second, it will not do you much good, as it does little inspection of the DNS traffic. Traditional firewalls are not smart enough and do not look far enough into the packet to really be able to determine whether the packet is legitimate or not.

What is really needed for adequate protection is a specialized DNS firewall that sits outside of the firewall. This device can either be configured with the DNS data so that it can respond directly, or simply forward the scrubbed traffic to “softer” DNS servers behind it.
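As an added example (not Secure64’s code), the kind of look-inside-the-packet check the paragraphs above say a traditional firewall does not do: parse the DNS header and question section of a UDP payload and reject anything that is not a well-formed standard query. The sample payloads are constructed here, not captured traffic.

```python
import struct

# Constructed sample UDP payloads: a well-formed A query for example.com, and one
# whose label length claims 63 bytes that are not present in the packet.
GOOD_QUERY = (
    b"\x12\x34"                          # ID
    b"\x01\x00"                          # flags: QR=0, opcode=0, RD=1
    b"\x00\x01\x00\x00\x00\x00\x00\x00"  # QDCOUNT=1, ANCOUNT/NSCOUNT/ARCOUNT=0
    b"\x07example\x03com\x00"            # QNAME
    b"\x00\x01\x00\x01"                  # QTYPE=A, QCLASS=IN
)
BAD_QUERY = GOOD_QUERY[:12] + b"\x3fexample"

def parse_qname(payload, offset):
    """Walk the question name labels; return (name, offset past the root label)."""
    labels = []
    while True:
        if offset >= len(payload):
            raise ValueError("truncated name")
        length = payload[offset]
        offset += 1
        if length == 0:
            break
        # Labels are at most 63 bytes; this also rejects compression pointers (>= 0xC0).
        if length > 63 or offset + length > len(payload):
            raise ValueError("bad label length")
        labels.append(payload[offset:offset + length].decode("ascii", "replace"))
        offset += length
    return ".".join(labels), offset

def inspect_query(payload):
    """Return (accepted, detail): detail is the QNAME when accepted, else the reason."""
    if len(payload) < 12:
        return False, "short header"
    _ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", payload[:12])
    if flags & 0x8000:
        return False, "QR set: a response, not a query"
    if ((flags >> 11) & 0xF) != 0:
        return False, "non-standard opcode"
    if qd != 1 or an != 0 or ns != 0 or ar > 1:  # ar == 1 allows an EDNS OPT record
        return False, "unexpected section counts"
    try:
        name, off = parse_qname(payload, 12)
    except ValueError as err:
        return False, str(err)
    if off + 4 > len(payload):
        return False, "missing QTYPE/QCLASS"
    return True, name
```

A scrubbing device would drop rejected packets before they reach the DNS server behind it; this check is deliberately cheap so it can run at line rate on small packets.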

Secure64’s products can be used in such a setup. Our products defend against Denial of Service attacks and other types of attacks directed towards the DNS servers while still responding to legitimate traffic. For more information on our products please visit us at our web site.

DDoS Attacks Get Serious

In the last couple of weeks there has been a big jump in DDoS attacks focused on the websites of major US financial institutions. Those reportedly attacked include Wells Fargo, JP Morgan Chase, Bank of America, PNC, and U.S. Bank. A distributed denial-of-service attack or better known as a DDoS Read more

GoDaddy’s DNS Outage Exposes the Need for DNS Redundancy

The GoDaddy DNS outage had widespread effect. Hacktivists claimed to have caused it, but Interim CEO Scott Wagner said the service outage was due to a series of internal network events that corrupted route data tables.

No matter what the cause, whether it was internal errors or external attacks, the outage Read more

Botnets, Route Hijacking, and Other Security Threats

Cyber crime has become big business. In the past, hackers tended to work alone or in small groups, and their impact was usually quite minimal. Sometimes it was done just for bragging rights rather than monetary gain, and often had no adverse effects on most of the general public.