NIST Revises Rules For Protecting Unclassified Information in Contractor Computers

NIST Special Pub 800-171 sets the rules for protecting information that defense contractors create and/or store called “Controlled Unclassified Information” or CUI.  CUI includes the information that would be very enticing to foreign governments such as Russia, China and others.

SP 800-171 was originally released last year and NIST publications usually have a 3 to 4 year revision cycle, so seeing a revision after just one year is very unusual.

The controls specified in this document are based on NIST Special Pub 800-53, which is now on its 5th revision.  People in the government and defense communities know that document very well.

The objective of both SP 800-171 and SP 800-53 is to protect the confidentiality of sensitive information and also the integrity and availability of that information.  The Confidentiality, Integrity and Availability triad, referred to as C-I-A, is the foundation of all DoD information security programs.

As we see more and more industrial espionage – whether private or state sponsored – the government has gotten very concerned about contractors protecting both information that they create under government contracts and information that they receive from the government in order to execute those contracts.  While SP 800-171 deals with unclassified information, the government is also working very hard, separately, to protect classified information after a number of massive classified information breaches such as Bradley Manning, Edward Snowden and Harold Martin III.  While Manning was a soldier and hence a government employee, both Snowden and Martin were civilian contractors working for the NSA but on the payroll of Booz Allen Hamilton.

As more and more data is being stored electronically, attackers from around the world are attempting to steal that information.  When the information was locked in a file cabinet, it was very difficult for someone in, say, Kiev, to steal it.  They had to fly halfway around the world and run a much higher risk of getting caught.  The odds of a Russian being caught and prosecuted, while not zero, are pretty close to zero.

So what does SP 800-171 Rev 1 say?

The DFARS are the rules that DoD contractors must follow if they are applying for or awarded a contract.  The DFARS specify an amazing number of things that contractors can or cannot do.  Specifically, DFARS 252.204-7012 (Safeguarding covered defense information and cyber incident reporting) is now a MANDATORY contract clause and MUST “flow down” to every sub-contract let under a prime defense contract.  That means that tens of thousands of businesses are obligated to follow what NIST SP 800-171 says.

The only exception to this rule is for standard, commercial, off-the-shelf software – like if the government buys a copy of Microsoft Office.

In addition, Federal civilian agencies are beginning to specify compliance with NIST SP 800-171 in their contracts also, meaning even more companies will have to follow these rules.

Companies that are awarded contracts subject to the DFARS must provide adequate security but do not have to be in full compliance with SP 800-171 until December 31, 2017.  But there is a catch.  If a contractor is awarded a contract and is not in full compliance with the safeguards of NIST SP 800-171 right now, it must report to the Department of Defense, within 30 days of the contract being awarded, any gaps between the protections that are in place today and what will be required when SP 800-171 goes into full effect at the end of 2017.

Some of the key changes that are a part of SP 800-171 Rev 1 are –

  • All references to information systems have been replaced by the term “systems” reflecting the fact that almost everything these days has an information component – from a missile to a smart refrigerator.  This newly expanded term also includes industrial control or SCADA systems used in factories and other commercial situations.
  • The rules now require the companies to develop, document and periodically update system security plans that describe system boundaries, operating environments, how security requirements are implemented and the relationships with or connections to other systems.
  • While this version of SP 800-171 does not REQUIRE the company to create a plan of action with milestones for remediating any gaps, it strongly encourages doing that.  A plan of action is likely going to be an important part of defending your current system security plan when the contract auditors pay you a visit.
  • Encryption is now REQUIRED on mobile computing platforms (i.e. phones, tablets and laptops).
  • Companies are now REQUIRED to scan for vulnerabilities both in SYSTEMS and APPLICATIONS.  Given the number of applications that most companies use, this is a big job.

Those are some of the changes.  What other major requirements were and are still in SP 800-171?  Here are some of those:

  • Access control – limiting access to information based on a need to know – has 22 separate sub-requirements.
  • Security awareness training is required.
  • Companies must create, protect and retain audit records that allow forensics experts to figure out what happened in case of a security incident.
  • Companies must set up a configuration management system that tracks systems throughout their entire lifecycle, including tracking any changes during the years that the systems are in place.
  • Enforce the identification of system users including using multi-factor authentication.
  • Create and maintain an effective incident response capability that allows for detection, analysis, containment and recovery from events.
  • Protect all media – whether electronic or physical – containing controlled unclassified information.
  • Screen employees who have access to controlled unclassified information and protect systems after personnel “actions”.
  • Implement physical protections for systems.
  • Conduct periodic risk assessments that include risks to organizational mission, function, image and reputation.
  • Conduct periodic security control assessments to ensure that the controls that are in place are effective.  This could be implemented by conducting periodic internal and external penetration testing by a qualified and independent third party.
  • Protect all communications of sensitive information.

As you can see, for those organizations handling sensitive information, the rules for protecting it are pretty robust and companies will need to up their game in order to get into compliance.

It is unlikely that most companies are in compliance with these rules today.  The good news is that they have until December 31, 2017 to get there – which means that 2017 will be a busy year for information security.


No More Ransom!


For anyone who has seen a ransomware lock screen like the one above, the first thought is panic. The next thought is …..

Now there is some organized help in the form of a web site supported by some real security powerhouses – Intel Security (AKA McAfee), Kaspersky and Europol’s cyber crime center – and powered by Amazon Web Services and Barracuda.

Now they have been joined by Trend Micro, Check Point, Bitdefender and others.

The site recently added a way to decrypt 32 additional ransomware strains.  During the first two months of operation, NoMoreRansom.Org helped 2,500 people avoid paying a ransom.  To date, they have helped almost 6,000 people decrypt their files.

The portal was originally available in English.  Now it is available in Dutch, French, Italian, Portuguese and Russian.

In addition, there are police involved from 22 countries and private organizations from around the world lending their help to the problem.

The web site asks the user for information and to upload a small sample file.  It also asks for the text from the ransom message.

With that information, if the site can give you instructions to decrypt your files, it will do so.

In addition, the web site has instructions and tools for a number of ransomware strains if you already know what “disease” you have.

Given the support for this web site from across the globe, I anticipate that it will add more capabilities over time.

While recovering from a ransomware attack is great if you can do it, what you really want to do is avoid being in that situation.  That means training your employees, having really robust backups and implementing the best security you can afford.  And if all that fails, having access to the best ransomware recovery tools available is a good thing.  No guarantees, but a good thing.

Information for this post came from ZDNet.

Google Adds Easy iOS Management Option for G-Suite Users

For Google G-Suite (AKA Google Apps and Google Apps for Work) users, Google has released a new option for managing iPhones and iPads.

What is great about it is that it does NOT require installing an agent on the phone or tablet.

Google calls it the Basic Mobile Management option for iOS and it allows G-Suite administrators to manage iOS devices without having to install an agent or a profile.

It allows administrators to enforce screen locks or passwords on the devices including the minimum or maximum number of characters in a password and the expiration period.

It can also force a factory reset after too many failed login attempts.

Administrators can wipe the entire device if it is lost or stolen or just G-Suite data if the user is leaving the company.

The software allows an administrator to see all of the devices connected to their domain which is certainly a nice feature.

Administrators will be able to set up corporate accounts on the devices similarly to setting up personal accounts.

Google does offer a more robust product, Advanced Mobile Management, for users that want even more features, but for a lot of companies Basic will be sufficient.

Curiously, this only works on non-Google (Apple) devices.  Users have to install an agent on Android devices to do the same thing.

Google Mobile Management is available at no extra charge for G-Suite users.

Information for this post came from eWeek and Google Support and G-Suite admin help.


Broker Dealer Fined $650k Because Third Party Provider Was Breached

While this post should be of direct interest to Broker Dealers, it really applies to anyone who outsources information services.

You can delegate the task but not the responsibility.

In this case, the broker dealer used a cloud provider to store customer information.  This is no different, for example, than a mortgage company using a cloud loan origination system or a doctor using a cloud based patient care (electronic health record) system.

Apparently, between 2011 and 2015 the customer records of this broker dealer were not adequately secured and information on over 5,000 clients was compromised by a foreign hacker.

5,000 clients represents a medium-size, multi-office broker dealer.  In this case, it was a broker of Lincoln Financial Network.

The key point is that while you can outsource the function, you cannot outsource the responsibility.

In fact, you may be able to hold the outsource vendor liable for damages, but in most cases you will either be fighting an uphill battle with the vendor’s insurance company or, if the company doesn’t have insurance, trying to get money out of the company itself.  Without regard to whether, after many years of legal battles, you prevail, it is your reputation and your clients’ data that is at risk.

Let’s say the outsource vendor company is Google or Amazon or Microsoft.  Do you think they are just going to write you a check for $650,000?  I don’t think that is likely.  If the outsource vendor company is a smaller company, they may not have the resources to reimburse you.  In this case the fine was only $650,000.  P.F. Chang’s was fined $1.9 million by Visa for costs associated with reissuing compromised cards.  Target has spent hundreds of millions as a result of their breach a couple of years ago.

For many companies that store their customer data in the cloud – either using a cloud service that they run such as Amazon Web Services or a cloud service that someone else runs such as – there is real risk.  Did you do everything you were responsible to do?  Did the vendor do everything they were responsible for doing?  Did you actively manage that risk during the entire period of the contract?

Many industries, such as financial services, are required by regulation to maintain an effective third party risk management program.  Even if you are not required to maintain such a program, if you store non-public personal information (or company proprietary data) in the cloud, you really need to run such a program because if anything happens in the cloud, the regulators, the Federal Trade Commission or plaintiff’s counsel will come knocking at your door.  Or all of the above.

This is not the first time Lincoln was fined.  In 2011 they paid $400k for similar problems.

So as businesses move more of their information to the cloud, they need to make sure that the third party service providers are effectively protecting their information.

Information for this post came from Stock Broker Fraud Blog.


Russians Hacked Joint Chiefs

The Pentagon – David Gleason under Creative Commons License from Flickr

While the Republicans and Democrats are arguing whether the Russians hacked the DNC and affected the outcome of the presidential election, former Chairman of the Joint Chiefs Martin Dempsey, in an interview with CBS, spoke about a Russian hack which has mostly been rumors up until now.

I think we can reasonably accept that the Chairman of the Joint Chiefs can probably speak with authority on this subject.

Dempsey said that in August 2015, the Russians hacked into the unclassified portion of the Joint Chiefs’ own network and stole both passwords and electronic keys used to sign messages.

Dempsey heard about the breach in the early morning hours by a phone call from the head of the NSA, Admiral Mike Rogers.

Once they got in, it only took the Russians an hour to take over the network.  The network is used by over 3,000 Pentagon employees.

The Pentagon was forced to shut down the network completely.

How did they get in?  The Russians sent 30,000 emails to a West Coast university, FOUR of which got forwarded to the Pentagon and ONE of which was opened.

ONE email did in the Pentagon’s Joint Chiefs’ network.  One email.

Think about your company.  Could a hacker get an employee to open a malicious email?

Why did the Russians do this?  It is believed that the Russians were mad at U.S. sanctions of Russia for their invasion of Crimea.  They wanted to cause the Pentagon as much pain, expense and embarrassment as possible.

The network was down for two weeks while they replaced hardware, rebuilt systems and added extra controls to try and keep the Russians out.

As far as we know, they have not gotten back in to that network.

This story emphasizes that employee education and training is critical.  If the four employees at the university in California had not forwarded the malicious email, or the one employee at the Pentagon had not opened it, this story would not exist.  If the IT department supporting the DNC had not given Podesta the wrong instructions, the outcome of the Presidential election might have been different.

It is a very fragile balance and the hackers have the advantage.  The good guys have to do right all the time – 1 out of 30,000 emails was enough to take the Joint Chiefs’ network down.

Information for this post came from CBS News.

1.7 Billion and Counting

UPDATE:  Some people are suggesting that you cancel your Yahoo account immediately.  This is likely a really bad idea.  If you cancel the account, someone else may be able to open an account with the same name.  If they do, they will be able to send emails that appear to be from you and they will also be able to receive emails sent to you.

Instead, what you want to do is delete all the content (emails, contacts, calendar items, etc.) from your Yahoo account, change the password and add two factor authentication.

Periodically, log into the account to see who is still sending email to that address and redirect them to your new account and delete the mail.  Over time, you will be able to do this less frequently.

But, DO NOT delete the account.  It’s free, after all – you won’t save any money by deleting it and it will just make you more vulnerable.

No, it is not the number of hamburgers McDonald’s served yesterday.  It is the number of identities stored by Yahoo that they have admitted have already been compromised.

Today Yahoo said that, in a different hack from the 500 million identities admitted recently (which they said was itself different from the 200 million identities hacked earlier), they are adding another MORE THAN 1 billion identities hacked by “an unidentified third party” in August 2013.

Information taken in this hack includes names, emails, phone numbers, birth dates, passwords, security questions and security answers.  Some of the data was likely encrypted.  The company does not BELIEVE credit card information was taken.

If I was Marissa Mayer, I would hide in a closet right now.

This hack was discovered as part of the investigation of the small 500 million identity hack in 2014.

I do believe that Yahoo will get the prize out of this one for the largest number of userids ever hacked in one attack.  EVER!

If one were a reasonable person one might ask why it took three plus years to disclose this.  Reasonable question.

Rumor had it that, after the 500 million user hack, Verizon wanted to reduce the price of its bid by $1 billion and create a slush fund of another $1 billion to deal with the costs of the breach.  There are already dozens of lawsuits filed.

While these lawsuits are super annoying, they are going to be hard to win because people are going to have to show how they were actually harmed.

From the Verizon side, does it make sense just to cut your losses and move on?

Or do you try and buy it for, say, $1 billion instead of almost $5 billion?  It is clear that it is unlikely that Yahoo will have many other suitors any time soon.

It is also unclear how long Marissa Mayer can hang on.

Yahoo recommends changing your password, but it is not clear how to deal with compromised security question answers.  If you answered that your mother’s maiden name is Smith, that is hard to change.  This is why I recommend lying on those questions.  If your mother’s maiden name was Smith, say it was Jones.  Or Cucumber.  The answer doesn’t really matter as long as you can remember it.
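One way to put that advice into practice is to treat security-question answers exactly like passwords: make each one a random, unrelated string of words and keep it in your password manager next to the question. The script below is an added example written for this post, not something from Yahoo or the original article; the 32-word list is constructed for the demo (a real deployment would use a large published word list such as a diceware list), and the `choose` parameter is an assumption made so the behaviour can be checked with a deterministic picker.

```python
import math
import secrets

# Constructed, deliberately small word list for the demo. Use a large
# published list in practice; a bigger list and more words per answer both
# raise the guessing resistance reported by answer_entropy_bits().
WORDLIST = [
    "apple", "badger", "cactus", "dolphin", "ember", "falcon", "garnet",
    "harbor", "igloo", "jasper", "kettle", "lantern", "marble", "nickel",
    "orchid", "pepper", "quartz", "rabbit", "saddle", "thimble", "umbrella",
    "violet", "walnut", "yonder", "zebra", "anchor", "bucket", "candle",
    "donkey", "engine", "fiddle", "goblet",
]


def make_fake_answer(word_count=3, choose=secrets.choice):
    """Build an unrelated but memorable answer from random dictionary words.

    `choose` picks one element from a sequence; the default is
    cryptographically strong. It is a parameter (an assumption for this
    example) so a deterministic picker can be substituted in tests.
    """
    return " ".join(choose(WORDLIST) for _ in range(word_count))


def answer_entropy_bits(word_count=3, wordlist_size=len(WORDLIST)):
    """Guessing resistance of one answer: log2(list size) bits per word."""
    return word_count * math.log2(wordlist_size)


def make_answer_sheet(questions, word_count=3, choose=secrets.choice):
    """Map every security question to its own fake answer, never reusing one,
    so a leaked answer on one site does not unlock the same question elsewhere."""
    sheet = {}
    used = set()
    for question in questions:
        answer = make_fake_answer(word_count, choose)
        while answer in used:  # collisions are vanishingly rare with a real list
            answer = make_fake_answer(word_count, choose)
        used.add(answer)
        sheet[question] = answer
    return sheet


def uses_real_fact(answer, real_answer):
    """True if the fake answer still contains any word of the genuine answer,
    which would defeat the point of lying on the question."""
    fake = {w.lower() for w in answer.split()}
    real = {w.lower() for w in real_answer.split()}
    return bool(fake & real)


if __name__ == "__main__":
    questions = ["Mother's maiden name?", "First pet's name?", "City of birth?"]
    for question, answer in make_answer_sheet(questions).items():
        print(f"{question:24} -> {answer}")
    print(f"~{answer_entropy_bits():.1f} bits per answer with this "
          f"{len(WORDLIST)}-word demo list")
```

Store the printed sheet in the password manager, not in the Yahoo account itself, and never answer the same question the same way on two sites; that way a breach of one provider's security answers, like the one described above, gives an attacker nothing usable anywhere else.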

Information for this post came from BBC News.