Presidential Commission on Enhancing National Cybersecurity: Prioritize mobile security now

The Presidential Commission on Enhancing National Cybersecurity released its report on securing and growing the digital economy, in which one message is clear: de-prioritizing mobile security is no longer an option.

New priorities for a new mobile workplace

“The days of employees working only at an office using an organization-issued desktop computer fully managed by the organization are largely over. Market forces and employee demands have made “bring your own device” the de facto option in many workplaces. … Organizations no longer have the control over people, locations, networks, and devices on which they once relied to secure their data. Mobile technologies are heavily used by almost every organization’s employees, yet security for mobile devices is often not considered as high a priority as security for other computing platforms. In short, the classic concept of the security perimeter is largely obsolete.” – Excerpt from the Commission on Enhancing National Cybersecurity report

Employees in the public sector are using mobile devices every day to get their jobs done, whether government agencies know about it or not. Today, having a secured mobile workforce — which includes protection against risky applications, network attacks, and malicious intrusions — is a necessary element of an agency’s overall security architecture.

Mobile devices should be secured like any other endpoint

Simply put, securing thousands of individuals running multiple endpoint types across different operating systems is an extremely complex undertaking. The commission acknowledges this, saying in the report:

“Complexity today is affected by the continuously changing and interdependent environment, the increased number of mobile clients, and the compressed time available from when a product is first conceptualized to when it goes to market.”

Mobile devices are just another endpoint in this complex environment, but they are a real endpoint that exists in federal employees’ daily working lives. In fact, 64 percent of IT security leaders say it is very likely that sensitive data is present on their employees’ mobile devices, according to a survey from analyst firm ESG and Lookout.

Mobile’s key role in two-factor authentication

The cybersecurity commission’s report provides the following recommendation:

“Action Item 1.3.1: The next Administration should require that all Internet-based federal government services provided directly to citizens require the use of appropriately strong authentication.”

This should raise flags for agencies, especially those without proper mobile protections in place. Mobile phones and tablets are increasingly being used as the “thing you have” in critical two-factor authentication setups. This puts the mobile device squarely in attackers’ crosshairs: compromising the device is one route to defeating the second factor and gaining access to the targeted system. The report states:

“Other important work that must be undertaken to overcome identity authentication challenges includes the development of open-source standards and specifications like those developed by the Fast IDentity Online (FIDO) Alliance. FIDO specifications are focused largely on the mobile smartphone platform to deliver multifactor authentication to the masses, all based on industry-standard public key cryptography.”

What visibility into mobile risks looks like

IT and security organizations within Federal agencies will do a much better job of keeping sensitive data safe when they have visibility into these endpoints. This is no different from any of today’s security measures: typical SIEM technology gives security professionals the information they need to take action when a security event arises. Mobile visibility, however, is dangerously missing from today’s solutions.

Mobile security technology should have the following capabilities:

  • Detection & remediation of mobile malware
  • Detection & remediation of compromised operating systems (i.e., jailbroken or rooted devices)
  • Detection & remediation of sideloaded apps (i.e., apps downloaded from third-party marketplaces)
  • Detection & remediation of network attacks
  • Detection & remediation of risky applications (i.e., non-malicious applications that may still put sensitive government information at risk)

Agencies need to quickly see activity regarding any of the above risks and threats in order to properly address security events on a mobile endpoint.

Check out this eBook to get an in-depth look at what capabilities you need in a mobile security solution, including comments from former CISOs and data sources from industry peers.

Action is needed today

“Malicious actors continue to benefit from organizations’ and individuals’ reluctance to prioritize basic cybersecurity activities and their indifference to cybersecurity practices. These failures to mitigate risk can and do allow malicious actors of any skill level to exploit some systems at will.”

The Cybersecurity Commission’s warning is clear: Mobile security needs to be a priority today.

Government organizations cannot wait for a public, noisy data breach to begin securing mobile devices, lest they become the headline they want to avoid.

Interested in learning more about how you can secure your agency? Contact us today.

DDoS, IoT Top Cybersecurity Priorities for 45th President

Addressing distributed denial-of-service (DDoS) attacks designed to knock Web services offline and security concerns introduced by the so-called “Internet of Things” (IoT) should be top cybersecurity priorities for the 45th President of the United States, according to a newly released blue-ribbon report commissioned by President Obama.

“The private sector and the Administration should collaborate on a roadmap for improving the security of digital networks, in particular by achieving robustness against denial-of-service, spoofing, and other attacks on users and the nation’s network infrastructure,” reads the first and foremost cybersecurity recommendation for President-elect Donald Trump. “The urgency of the situation demands that the next Administration move forward promptly on our recommendations, working closely with Congress and the private sector.”

The 12-person, non-partisan commission produced a 90-page report (PDF) and recommended as their very first action item that the incoming President “should direct senior federal executives to launch a private–public initiative, including provisions to undertake, monitor, track, and report on measurable progress in enabling agile, coordinated responses and mitigation of attacks on the users and the nation’s network infrastructure.”

The panel said this effort should build on previous initiatives, such as a 2011 program by the U.S. Department of Commerce called the Industry Botnet Group.

“Specifically, this effort would identify the actions that can be taken by organizations responsible for the Internet and communications ecosystem to define, identify, report, reduce, and respond to attacks on users and the nation’s network infrastructure,” the report urged. “This initiative should include regular reporting on the actions that these organizations are already taking and any changes in technology, law, regulation, policy, financial reimbursement, or other incentives that may be necessary to support further action—while ensuring that no participating entity obstructs lawful content, applications, services, or nonharmful devices, subject to reasonable network management.”

The report spans some six major imperatives, including 16 recommendations and 63 associated action items. The second major imperative focuses on IoT security concerns, and urges the federal government and private industry to embark upon a number of initiatives to “rapidly and purposefully to improve the security of the Internet of Things.”

“The Department of Justice should lead an interagency study with the Departments of Commerce and Homeland Security and work with the Federal Trade Commission, the Consumer Product Safety Commission, and interested private sector parties to assess the current state of the law with regard to liability for harm caused by faulty IoT devices and provide recommendations within 180 days,” the panel recommended. “To the extent that the law does not provide appropriate incentives for companies to design security into their products, and does not offer protections for those that do, the President should draw on these recommendations to present Congress with a legislative proposal to address identified gaps, as well as explore actions that could be accomplished through executive order.”

Meanwhile, Morning Consult reports that U.S. Federal Communications Commission Chairman Tom Wheeler has laid out an unexpected roadmap through which the agency could regulate the security of IoT devices. The proposed certification process was laid out in a response to a letter sent by Sen. Mark Warner (D-Va.) shortly after the IoT-based attacks in October that targeted Internet infrastructure company Dyn and knocked offline a number of the Web’s top destinations for the better part of a day.

Morning Consult’s Brendan Bordelon notes that while Wheeler is set to step down as chairman on Jan. 20, “the new framework could be used to support legislation enhancing the FCC’s ability to regulate IoT devices.”

ANALYSIS

It’s nice that this presidential commission placed a special emphasis on IoT and denial-of-service attacks, as these two threats alone are clear and present dangers to the stability of e-commerce and free expression online. However, this report overall reads very much like other blue-ribbon commission reports of years past: The recommendations eschew new requirements in favor of the usual calls for best practices, voluntary guidelines, increasing industry-government information sharing, public/private partnerships, and public awareness campaigns.

One recommendation I would like to have seen in this report is a call for federal legislation that requires U.S.-based hosting providers to block spoofed traffic from leaving their networks.

As I noted in a November 2015 story, The Lingering Mess from Default Insecurity, one major contributor to the massive spike in denial-of-service attacks over the past few years is that far too many ISPs and hosting providers allow traffic to leave their networks that did not originate there. Using well-known attack techniques known as traffic amplification and reflection, an attacker can “reflect” his traffic from one or more third-party machines toward the intended target.

In this type of assault, the attacker sends a message to a third party, while spoofing the Internet address of the victim. When the third party replies to the message, the reply is sent to the victim — and the reply is much larger than the original message, thereby amplifying the size of the attack. According to the latest DDoS report from Akamai, more than half of all denial-of-service attacks in the third quarter of 2016 involved reflection and spoofing.

One basic step that many ISPs and hosting providers could take, but apparently are not taking, to blunt these spoofing attacks involves a network security standard that was developed and released more than a dozen years ago. Known as BCP38 (RFC 2827), it calls for ingress filtering at the network edge: a provider forwards a packet arriving from a customer only if the packet’s source address belongs to the address space assigned to that customer. A request that carries the victim’s address as its source is therefore dropped at the attacker’s own ISP before it ever reaches the reflector, so the reflector never generates the amplified reply. Because the filter protects other people’s networks rather than the adopter’s own, each provider has to choose to deploy it for the benefit of everyone else.
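The reflection and filtering mechanics described above, as an added example that is not part of the original post: a toy model of a reflection/amplification attack together with a BCP38-style ingress check applied at the attacker’s ISP. The addresses, the customer prefix and the 60-byte request / 3000-byte reply sizes are constructed for illustration and are not taken from the Akamai data the article cites.

```python
"""
Added example (not from the original article): simulate a reflection /
amplification DDoS and show how BCP38 ingress filtering at the attacker's
ISP stops it.  All addresses, prefixes and packet sizes are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class Packet:
    src: str    # source address as written in the IP header (may be forged)
    dst: str
    size: int   # bytes on the wire


# Constructed topology: the attacker is a customer of an ISP that assigned
# it a single /24; the reflector (think open DNS/NTP server) sits elsewhere,
# and the victim is on a third network.  RFC 5737 documentation ranges.
CUSTOMER_PREFIXES = (ipaddress.ip_network("198.51.100.0/24"),)
ATTACKER = "198.51.100.7"
REFLECTOR = "192.0.2.53"
VICTIM = "203.0.113.9"

# Constructed amplification: a 60-byte query draws a 3000-byte answer.
REQUEST_BYTES = 60
REPLY_BYTES = 3000


def bcp38_ingress_filter(pkt: Packet, allowed: Iterable[ipaddress.IPv4Network]) -> bool:
    """Return True if the ISP should forward pkt off a customer-facing port.

    BCP38 / RFC 2827: on the interface toward a customer, accept only packets
    whose source address lies inside the prefixes assigned to that customer.
    Anything else is spoofed (or misconfigured) and is dropped at the edge.
    In a real deployment this is a router ACL or strict-mode uRPF.
    """
    src = ipaddress.ip_address(pkt.src)
    return any(src in net for net in allowed)


def reflect(request: Packet) -> Packet:
    """The reflector answers whatever source address the request claimed."""
    return Packet(src=REFLECTOR, dst=request.src, size=REPLY_BYTES)


def simulate(spoof: bool, filtering: bool, n_requests: int) -> dict:
    """Send n_requests to the reflector; report what reaches the victim.

    spoof      -- attacker forges the victim's address as the packet source
    filtering  -- attacker's ISP enforces BCP38 on its customer port
    """
    claimed_src = VICTIM if spoof else ATTACKER
    bytes_to_victim = 0
    dropped_at_edge = 0
    for _ in range(n_requests):
        req = Packet(src=claimed_src, dst=REFLECTOR, size=REQUEST_BYTES)
        if filtering and not bcp38_ingress_filter(req, CUSTOMER_PREFIXES):
            dropped_at_edge += 1      # never leaves the attacker's ISP
            continue
        reply = reflect(req)          # reflector answers the claimed source
        if reply.dst == VICTIM:
            bytes_to_victim += reply.size
    sent = n_requests * REQUEST_BYTES
    return {
        "bytes_sent_by_attacker": sent,
        "bytes_hitting_victim": bytes_to_victim,
        "dropped_at_edge": dropped_at_edge,
        "amplification": bytes_to_victim / sent if sent else 0.0,
    }


if __name__ == "__main__":
    for spoof, filt in ((True, False), (True, True), (False, True)):
        print(f"spoof={spoof} bcp38={filt}:", simulate(spoof, filt, 10))
```

With no filtering, ten 60-byte spoofed requests turn into 30,000 bytes aimed at the victim (a 50x amplification in this constructed setup); with the BCP38 check on the attacker’s customer port every spoofed request is dropped before it reaches the reflector, and an unspoofed attacker only floods itself.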

However, there are non-trivial economic reasons that many ISPs fail to adopt this best practice. This blog post from the Internet Society does a good job of explaining why many ISPs decide not to implement BCP38. Ultimately, it comes down to cost and to a fear that adoption of this best practice will increase costs and prompt some customers to seek out providers that do not enforce this requirement. In some cases, U.S.-based hosting providers that allow spoofing/reflection have been sought out and recommended among miscreants involved in selling DDoS-for-hire services.

In its Q3 2016 State of the Internet report, Akamai notes that while Chinese ISPs occupy the top two sources of spoofed traffic, several large U.S.-based providers make a showing here as well:

Image: Akamai.

Image: Akamai.

It is true that requiring U.S. hosting providers to block spoofing would not solve the spoofing problem globally. But I believe it’s high time that the United States led by example in this arena, if only because we probably have the most to lose by continued inaction. According to Akamai, more than 21 percent of all denial-of-service attacks originate from the United States. And that number has increased from 17 percent a year ago, Akamai found. What’s more, the U.S. is the most frequent target of these attacks, according to DDoS stats released this year by Arbor Networks.

Fake Forbes story becomes bearer of “smart drug” news

First, there are fake online Canadian pharmacies, and then fake diet supplements. Now, we have fake brain enhancers.

[Screenshot: the fake Forbes article promoting InteliGEN, with its key passages marked]

Stephen Hawking Predicts, “This Pill Will Change Humanity”

Stephen Hawking credits his ability to function and maintained [sic] focused [sic] on such a high level to a certain set of “smart drugs” that enhance cognitive brain function and neural connectivity, while strengthening the prefrontal cortex and boosting memory and recall.

In an interview with Anderson Cooper, Stephen Hawking said that his brain is sharper than ever, more clear and focused and he credits a large part to using InteliGEN. Hawking went on to add “The brain is like a muscle, you got to work it out and use supplements just like body builders use, but for your brain, and that’s exactly what I’ve been doing to enhance my mental capabilities”.

Everyone has taken this, from athletes like Tom Brady to musicians like Kanye West have nothing but praise for the brain booster, which doubles IQ, skyrockets energy levels and connects areas of the brain not previously connected. InteliGEN works so well for these guys, we had to ask…Is it safe?

Above is a bird’s-eye-view shot of the fake Forbes article that we encountered recently, with a partial excerpt of its content. We came across this article after receiving a spam message in our honeypots containing a Baidu URL that redirects to armasphoto[DOT]ru, which in turn redirects to a random domain hosting the fake Forbes article.

Scams of this nature don’t only arrive via email. They may also be shared via social networking platforms, chat sessions, public comments on forums, and blog posts, and (if legitimate websites aren’t careful) sometimes they’re inadvertently shared via ads on sites, especially if user browsing is done via mobile devices.

Once users click any of the multiple text links on the fake news page, they are redirected to a page about InteliGEN, the “smart drug” in question. Below is a snapshot of one of its several purported official websites:

[Screenshot: one of the purported official InteliGEN websites]

The earliest account of the fake news stories featuring InteliGEN was in August of this year; however, according to an independent blog, a string of fake brain enhancers had been on the net months earlier. Below is a list of these “brands” the blog has accumulated:

  • Addium
  • Alpha ZXT
  • Brainfire
  • BrainPlus IQ
  • BrainStorm (Elite)
  • Cogniq
  • Geniux
  • Intellux
  • Neurocell
  • Synagen

For those who want to read more about InteliGEN and its brain enhancement claims, Snopes has written this article back in September of this year.

If you encounter the above fake Forbes story via email, social media, or anywhere else on the Web, simply close that browser tab and avoid clicking the links on it. For those who regularly surf the Web on their mobile devices, disabling JavaScript in the browser helps minimize unwelcome redirects from sites that may be unaware their visitors are being sent to fake or scam pages; note that this blocks only script-driven redirects, not server-side HTTP redirects or meta refresh, so it reduces rather than eliminates the risk.

Jovi Umawing