Network Access Security—What Business Could Learn from Uncle Sam


When the Director of National Intelligence gives evidence to the House Intelligence Committee, we pay attention. Cyberattack concerns are so common now that, although he provided a thought-provoking House session on the topic, it's unfortunate that his words won't move many needles. It did make for wonderful news coverage and an opportunity for cool graphics featuring hackers. Beyond that, the world was on to the next new thing.

While not belittling the seriousness of being hacked, the locations for attack origination are not limited to China, Russia or North Korea. Equally, the tools hackers use are not specially coded, government-only ion cannons of destruction. The number one tool for detecting vulnerabilities in the enterprise is something called Metasploit. Turns out it's also the number one tool for exposing and executing vulnerabilities against the enterprise. You can get a masterclass from a 14-year-old on YouTube.

But behind the headlines, there are some stark realities. In recent years, the most costly attacks have originated internally, as the U.S. State of Cybercrime Survey makes clear year after year. The root causes, which can be easily defended against, are comprised of physical access (unprotected switches, insecure wireless, or IP phone cables 'repurposed') and passwords on Post-it notes. These remain the greatest threat to the government and the enterprise alike.

While it was the credit card providers that enacted PCI compliance (the greatest "international law" never to be in statute), it's encouraging to see the U.S. legislature promoting IT security, updating cyber laws, and enforcing standards for federal, state and military environments. In fact, the practice guide afforded by NIST 800-82 R2 outlines the authorization privileges, and the Federal Cybersecurity Enhancement Act 2015 will codify them. Together they address identity verification and misappropriated access. This is driving a transformational change in government security.

Here's a summary of the recommendations.

  • The military has been at the forefront of issuing and using Common Access Cards (CAC), a card with an embedded SIM and X.509 digital certificate to protect transactions.
  • Depending on the ability to cause harm or loss, each transaction falls into one of four categories: two for interaction with the general public, and two for interaction with employees, contractors and internal systems.
  • Most employees already carry a security badge, so there is no good reason why the civilian version, a Personal Identity Verification (PIV) card, should not be mandated by enterprise security departments in organizations managing the most valuable IT assets and data.
  • Unlike previous government-led initiatives, there is even recognition that different interfaces (GUI / SSH / CLI) require different solutions.
  • The combination of CAC (or PIV) and 802.1X limits the opportunity for breaches originating from within the government and its agencies.

That same technology, process, and control system can be easily deployed in the modern enterprise. We are seeing rollouts in healthcare and finance environments, as well as in industries with a heavy focus on protecting intellectual property.

Turns out that Aruba ClearPass has been solving these issues within various federal agencies for some time (did I mention the White House?). ClearPass can be used to enforce administrator access to a Wi-Fi or wired network that contains Aruba wireless controllers or multivendor equipment. We achieve this through the use of attributes such as an organization's Active Directory group memberships. Specific rules that permit access to switches, but not firewalls, routers, or storage systems, based on a user's PIV card are supported, as is LDAP authentication.

To understand these capabilities further, please read this white paper. Hopefully, you'll be able to leverage this data and avoid those costly internally originated attacks. Finally, a shout-out and hat tip to the author, Dennis Woods, Federal SE, for all of the help.