Aliya Sternstein

Survey: Abuse Of Network Access Privileges Is Rampant

Agencies are more concerned about insiders leaking citizens’ and partner organizations’ information than their own general business information, according to a new survey by the Ponemon Institute.

Meanwhile, the commercial sector cares more about inappropriate disclosures of business data than customer data. Ponemon surveyed 693 industry and government information technology personnel who had high-level access to internal networks.

Overall, 59 percent, the majority of whom worked in industry, said their business information is most at risk without the right protections. Only 49 percent said client information is most in jeopardy.

Among participants employed at state, local and federal agencies, 54 percent said customer information is the most vulnerable type of information they need to protect. Roughly 42 percent of those government personnel indicated their own business information is most susceptible to leaks.

Heartbleed Superbug Found In Utility Monitoring Systems

Software that monitors utility plants and other operations at several military installations has been found to be affected by the recently discovered superbug Heartbleed, when configured a certain way, according to the Homeland Security Department and the software’s manufacturer.

"The latest release of Schneider Electric Wonderware Intelligence Version 1.5 SP1 is not susceptible to the OpenSSL vulnerability. However, users have been known to reinstall Tableau Server, the vulnerable third-party component that is affected. Therefore, Schneider Electric Wonderware has issued a patch and a security bulletin addressing this vulnerability in all versions," states a bulletin from the DHS Cyber Emergency Response Team.

Exploits made by hackers "that target this vulnerability are known to be publicly available" on the Web, DHS said. Heartbleed is a defect in common Web encryption software that researchers discovered in early April.

NIST: Don’t Make Security an Afterthought

The National Institute of Standards and Technology (NIST), the government's standards-making body, announced guidelines for agency technologists and industry engineers on how to bake security into critical systems.

The steps, currently in draft form, are meant to consummate an approach the Office of Management and Budget has been advocating since 2010, under the first-ever federal Chief Information Officer Vivek Kundra. The 11-step process covers defining system requirements in cooperation with employee users, as well as design, testing, and maintenance and operations -- all the way to technology disposal.

"This is the process to do what Vivek talked about," said Ron Ross, a NIST fellow and co-author of the publication. "We've been talking about it forever," he said. "This provides a disciplined and structured process to show how that security actually does get baked into the process."

Government Employees Cause Nearly 60% Of Public Sector Cyber Incidents

About 58 percent of cyber incidents reported in the public sector were caused by government employees, according to an annual data breach report compiled by Verizon.

The findings -- stripped of identifying information -- do not mention ex-contractor Edward Snowden's mammoth leak of national secrets. Even if Snowden's leaks had been included in the tally of results attributed to insider threats, they wouldn't have made much of a dent.

The largest share (34 percent) of the insider incidents in the global public sector during the past three years were miscellaneous errors such as emailing documents to the wrong person. Unapproved or malicious use of data by public servants accounted for 24 percent of reported incidents. Surprisingly, cyberspying and intrusions via security holes in websites, known to be big problems in government, represented less than 1 percent of the situations reported.

The off-kilter numbers in government reflect mandatory reporting requirements for mundane incidents, Jay Jacobs, a Verizon senior analyst and co-author of the report, said. Small data leaks that happen every day overshadow frequent, but not daily, hacks.

How the IRS Is Leaving Your Financial Data Unprotected

The tax agency needs to better audit its own accounts, according to the Government Accountability Office.

GAO officials discovered that the Internal Revenue Service was not sufficiently monitoring databases for abnormal activity that could indicate a breach. They also found poor encryption on key agency systems. In addition, this is the seventh consecutive year the IRS has failed to patch security vulnerabilities that could compromise financial data, a review of GAO reports dating back to 2007 reveals.

"Serious weaknesses remain that could affect the confidentiality, integrity, and availability of financial and sensitive taxpayer data," Nancy Kingsbury, GAO managing director for applied research and methods, and Gregory Wilshusen, GAO director for information security issues, wrote in a new report.

The IRS did not apply critical patches in a timely fashion to multiple systems, including programs for procurement and email, the auditors said. In addition, the agency was running unsupported software on workstations and databases that developers are not even issuing security fixes for anymore. GAO officials also noticed that systems handling transfers of financial data were not configured to encrypt login information.

DHS Prepares Overhaul of Internal Security Operations

The Homeland Security Department announced future plans to overhaul an organization that defends DHS’ own internal networks.

A counter-hack mechanism called the intrusion defense chain, or "kill chain" -- developed by researchers at Lockheed Martin -- is expected to drive the revamp, according to DHS officials. A kill chain predicts an intruder's attack plan and breaks it down into steps that must be taken to achieve the ultimate hack -- for instance, obtaining a map of the most critical US water plants from a DHS network. Operators then devise a countermeasure for each action that, if applied along any point in the chain, will thwart the criminal's plan.

The office of DHS Chief Information Security Officer Jeff Eisensmith is requesting security operation ideas, "including most notably the employment of an Intrusion Defense Chain methodology to 'align enterprise defensive capabilities to the specific processes an adversary undertakes to target that enterprise,'" stated a market research survey. The notice quotes a 2011 Lockheed paper. The potential plans also ask vendors how they would measure the effectiveness of the center, if given the management job. And officials want contractors to list staffing and facilities requirements DHS should consider.

DHS Quietly Delivers Hacker Footprints To Industry

A little-known website sitting behind a firewall has been exchanging sensitive hack intelligence between companies and agencies at a rate of one new threat hallmark per hour, a top Homeland Security Department official said.

The Cybersecurity Information Sharing and Collaboration Program, launched in 2011, virtually convenes about 70 critical industry and analytics organizations -- think energy companies -- as well as federal departments. The result is bulletins provided in formats that computers can "read" so they can apply the appropriate protections. And containment recommendations are pumped out in plain text that people can read.

"It enables us to identify those threats or organizations" that are a danger, said Roberta Stempfley, DHS acting assistant secretary of cybersecurity and communications. "We have shared through this program more than 26 unique indicators a day. You wouldn't think that that sounds like a large number. But it's unique indicators in a day. That's more than one an hour."

75 Percent Of Hospitals And Clinics Are Worried About Healthcare.Gov Hacks

A major concern about Obamacare is that the online swap of patient information between providers and the federal government's data hub will jeopardize consumers' privacy and security, according to a new study by the Ponemon Institute.

As far as cyber threats that affect patients, "the Affordable Care Act (ACA) is seen as a contributing factor because of the documented insecure websites, databases and health information exchanges that are highly vulnerable to insider and outsider threats," state the findings of the report. Health and Human Services officials have maintained, ever since registration for Obamacare plans launched on Jan. 1, that HealthCare.gov is safe and that there have not been any breaches detected.

About 70 percent of hospitals and clinics said they believe the Affordable Care Act, in general, increases the risk of compromising patient data. The factors driving their fears: insecure online exchanges (75 percent); unprotected databases (65 percent); and the website registration process (63 percent).

Pentagon Tries Again On Cyber Intelligence-Sharing Contract

The Defense Department will recompete a $26 million contract to support a classified cyber intelligence network, after federal attorneys determined the Pentagon failed to properly evaluate contractor proposals, Defense officials said.

The project in question involves a network that holds "signatures" of known cyber threats identified by the National Security Agency. The system, part of a Defense Information Systems Agency program, feeds these classified and sometimes unclassified indicators of potential hacks to cleared defense companies so they can apply appropriate computer protections. A DISA spokeswoman said the agency will amend its original solicitation and recompete the contract.

[March 7]

TSA Halts Testing On Technology To Screen Passengers' Online Data

The Transportation Security Administration has called off -- for now -- live tests of technology that would expand background checks on airplane passengers to include analyses of their online presences.

The idea was to have contractors analyze consumer data -- potentially including dating profiles and shopping histories -- on fliers who apply for the voluntary "Pre✓" program. Pre✓, open to all US citizens, lets passengers breeze through dedicated checkpoints without removing shoes, belts, laptops or TSA-compliant liquids after paying an $85 fee and proving their identities. The agency got as far as watching "prototype implementations" but decided against trying a system out on actual passengers, according to a March 4 notice published in a government acquisition database.

Under the Pre✓ data mining strategy, private screeners would aggregate biographic and biometric "non-governmental data elements to generate an assessment of the risk to the aviation transportation system that may be posed by a specific individual," the 2013 announcement stated. The vendor would have to provide a "reliable method that effectively identifies known travelers, based on a sound analysis and the application of an algorithm that produces dependable results."

[March 7]