Cyber Security Federal Government Threats

Tuesday, October 26, 2010

Jon Stout


The Federal Government, like all extremely large networks, faces a variety of cyber threats, but because a devastating cyber attack could damage the entire nation, those threats require greater attention.

In addition, the complexity of the federal network and the increasing interconnectivity of individual agencies’ networks create immense vulnerability.

The wide variety of threats and the rapid advance of techniques that hackers use need to be constantly reviewed and monitored by cyber security professionals.

Although more than 90% of the networks in the United States are controlled by the private sector, the remaining 10%, the government networks, contain information that some feel is more vital to the survival of the nation.

Federal agencies routinely and continuously interact with each other as well as with industry, private citizens, state and local governments, and the governments of other nations.

As the IT infrastructure expands to a global scale, “cyberspace” has grown dramatically, and along with new applications and services the risk of cyber attack increases.

Insiders and Social Engineering

The key to malicious or hostile activities in cyberspace is either open or secret access to networked systems and information. Enabling access through the use of insiders can make the cyber criminal’s job easy.

While posing a threat to all networks, insider access is, ironically, also enabled by overly restrictive barriers on many Federal networks, which have led a number of managers to work offsite and so opened the network to circumvention of those same cyber barriers.

While external hacking provides a path for malicious activity, insider (physical or logical) access to the network can facilitate attacks. An offensive operation may involve simply copying information to a portable medium (e.g. a USB drive) that can be carried from the premises.

A single well-placed, knowledgeable insider can also exploit IT systems to disrupt local infrastructure and bring down an infected system.

Low Technology Threats

Threats need not be highly sophisticated but they can be dangerous.

One of the most devastating attacks on Department of Defense networks, for example, occurred in 2008, when a virus was introduced through an infected USB thumb drive and rapidly caused significant damage throughout a major defense network.

This form of social engineering, in which individuals who use the network deliberately or unknowingly introduce malware into otherwise secure networks, is perhaps the greatest area of vulnerability facing all networks today, and government networks are no exception.

Use of technology cannot overcome lack of diligence or disciplined operating procedures.

Other examples of devastating low technology threats include exchanging passwords, inappropriate net surfing, using unauthorized peripherals, and indiscriminate Wi-Fi use.


The IT outsourcing trend that affects activities ranging from computer help desks and data processing to Research and Development can increase the exposure of an organization’s systems and information to cyber attack.

Outsourcing of services, to either foreign or domestic suppliers, increases risk by reducing control over access to systems, information and sensitive databases. In this environment, aggressive and effective cyber security technologies are imperative.

Supply Chain Attacks

Potential attacks through subversion of hardware or software supply chains can be viewed as another type of insider threat. A software supply chain attack might involve, for example, a subversion embedded in lower-level system software not likely to be evaluated during beta testing.

Another approach is to subvert the master copy of software used for broad distribution. Even if software is routinely tested, subversions may be difficult to detect since they would typically be revealed only under circumstances difficult for a defender to discover.

Industrial Espionage

Technically savvy companies have the potential to capitalize on inadequate IT system security to engage in cyber espionage against the U.S. government and domestic corporations, primarily to collect science and technology information that could provide economic or strategic military benefits.

Some of these companies have considerable technical expertise and signals intelligence capabilities and have a strong presence in U.S. IT product markets – including microchips, telecommunications systems, and encryption products.

One consequence of the current espionage climate is that travelers with laptops and other electronic devices risk having information stolen in such locations as airports and hotels.

State-Sponsored Espionage

Gaining access to well-protected information or systems in closed networks remains a resource-intensive effort involving traditional espionage tradecraft. Such operations do not require the simultaneous access to large numbers of systems needed for a strategic military attack and thus are available to a much larger array of foreign adversaries.

Foreign governments for decades have successfully recruited agents in the U.S. government with access to computer systems and cryptographic information. Foreign agents have also established technology companies in this country and sometimes served as subcontractors on U.S. defense contracts to obtain access to technology.

Some governments now have the operational and technical expertise for more aggressive and sophisticated cyber espionage.

U.S. counterintelligence efforts have uncovered an increasing number of such activities by foreign intelligence services, including past and ongoing espionage operations directed against critical U.S. military installations, critical infrastructure and other government systems.

Enterprise and Network Infrastructure Threats

Attacks against web applications constitute more than 60% of the total attack attempts observed on the Internet. Web application vulnerabilities are being exploited widely to convert trusted web sites into malicious sites serving content that contains client-side exploits.

Web application vulnerabilities such as SQL injection and cross-site scripting flaws in open-source as well as custom-built applications account for more than 80% of the vulnerabilities being discovered.

There are two main avenues for exploiting and compromising web servers: brute force password guessing attacks and web application attacks.

Microsoft SQL, FTP, and SSH servers are popular targets for password guessing attacks because of the widespread access that is gained if a valid username/password pair is identified.

SQL Injection, Cross-site Scripting and PHP File Include attacks continue to be the three most popular techniques used for compromising web sites. Automated tools designed to target custom web application vulnerabilities enable widespread attacks and damage.
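One defender-side check for the password guessing attacks described above, added here as an example and not code from the original article: it parses a few constructed sshd log lines, flags any source that produces a burst of failed logins, and records whether a successful login follows the burst (the case where a valid pair was found). The log format and the year 2010 are assumptions for the sample.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample sshd log lines (not a real capture): 198.51.100.7 guesses
# several accounts within seconds and then succeeds; 192.0.2.15 is one typo.
SAMPLE_LOG = """\
Oct 26 10:00:01 host sshd[2201]: Failed password for invalid user admin from 198.51.100.7 port 50122 ssh2
Oct 26 10:00:03 host sshd[2203]: Failed password for root from 198.51.100.7 port 50124 ssh2
Oct 26 10:00:04 host sshd[2205]: Failed password for invalid user oracle from 198.51.100.7 port 50126 ssh2
Oct 26 10:00:06 host sshd[2207]: Failed password for invalid user test from 198.51.100.7 port 50128 ssh2
Oct 26 10:00:08 host sshd[2209]: Failed password for root from 198.51.100.7 port 50130 ssh2
Oct 26 10:00:09 host sshd[2210]: Accepted password for root from 198.51.100.7 port 50132 ssh2
Oct 26 10:05:30 host sshd[2300]: Failed password for jsmith from 192.0.2.15 port 44001 ssh2
Oct 26 10:05:41 host sshd[2302]: Accepted password for jsmith from 192.0.2.15 port 44002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+)")

def parse(log_text, year=2010):
    """Return (timestamp, result, user, ip) tuples; syslog lines carry no year."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["result"], m["user"], m["ip"]))
    return events

def find_guessing(events, threshold=5, window_s=60):
    """Map ip -> (failures_in_burst, distinct_users, success_after_burst) for
    sources with at least `threshold` failures inside any `window_s` span."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[3]].append(ev)
    alerts = {}
    for ip, evs in by_ip.items():
        fails = [ev for ev in evs if ev[1] == "Failed"]
        for i, first in enumerate(fails):
            burst = [f for f in fails[i:]
                     if (f[0] - first[0]).total_seconds() <= window_s]
            if len(burst) >= threshold:
                last_ts = burst[-1][0]
                success = any(e[1] == "Accepted" and e[0] >= last_ts for e in evs)
                alerts[ip] = (len(burst), len({f[2] for f in burst}), success)
                break
    return alerts
```

The same sliding-window logic applies to FTP or MSSQL login failures once their log lines are parsed into the same tuple shape.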

Application Threats

Waves of targeted email attacks, often called spear phishing, are exploiting client-side vulnerabilities in commonly used programs such as Adobe PDF Reader, QuickTime, Adobe Flash and Microsoft Office.

This is currently the primary initial infection vector used to compromise computers that have Internet access. Those same client-side vulnerabilities are exploited by attackers when users visit infected web sites.

Because visitors often feel safe downloading documents from trusted sites, they are often fooled into opening files that exploit client-side vulnerabilities.

The victims' infected computers are then used to propagate the infection and compromise other internal computers and sensitive servers. Networks of compromised systems, called botnets, have proliferated throughout the world and particularly in the United States.

Although reputable software developers disseminate a steady supply of patches to close vulnerabilities, on average, major organizations take at least twice as long to patch client-side vulnerabilities as they take to patch operating system vulnerabilities.

During the last few years, the number of vulnerabilities discovered in applications has been far greater than the number discovered in operating systems.

Wireless Threats

The ease of use and pervasiveness of Wi-Fi devices offer ample opportunity for widespread destructive cyber attacks. Wi-Fi devices are ubiquitous across a number of industries. Some of the threats to Wi-Fi networks include:

  • Complete access to files on the server
  • Stolen passwords and intercepted e-mails
  • Back door entry to wired networks
  • Vulnerability to DDoS attacks
  • Violations of user privacy
  • Creation of “Zombie” servers
  • Aggressive “Spamming”

Since Wi-Fi operates over the airwaves, the data passed is virtually unprotected and offers tremendous opportunities to cyber criminals.

Operating System Attacks

Operating systems continue to have fewer remotely exploitable vulnerabilities of the kind that lead to massive Internet worms.

Other than Conficker/Downadup, no new major OS worms have appeared. Even so, the number of attacks against buffer overflow vulnerabilities in Windows recently tripled, and such attacks constitute over 90% of those seen against the Windows operating system.

Rising Numbers of Zero-Day Vulnerabilities

Studies show that world-wide there has been a significant increase in the number of people discovering zero-day vulnerabilities, as measured by multiple independent teams discovering the same vulnerabilities at different times. Some vulnerabilities have remained unpatched for as long as two years.

There is a corresponding shortage of highly skilled cyber warriors and vulnerability researchers working for government and software vendors. So long as that shortage exists, the defenders will be at a significant disadvantage in protecting their systems against zero-day attacks.

High Risk Attacks

The high-risk categories are Server-Side HTTP attacks, Client-Side HTTP attacks, PHP Remote File Include, Cross-site Scripting attacks, and finally SQL Injection attacks.

The SQL Injection attacks that compose this category include "SQL Injection using SELECT SQL Statement", "SQL Injection Evasion using String Functions", and "SQL Injection using Boolean Identity".

SQL Injection on the Internet can be divided into two sub-categories: Legitimate SQL Injection and Malicious SQL Injection. Many web applications on the Internet still use "SQL Injection" for their normal functionality. It should be noted that this is only a difference in intent.
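To show what the "SQL Injection using Boolean Identity" category above means in code, and how the defender removes it, here is an added example (not code from the original article): a login query built by string concatenation beside the same query using bound parameters, run against a constructed in-memory SQLite table. The table, user names and passwords are invented sample data.

```python
import sqlite3

def make_db():
    """Constructed sample data: an in-memory users table (not real accounts)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn

def login_vulnerable(conn, username, password):
    """Builds the SELECT by string concatenation, so input is parsed as SQL."""
    query = ("SELECT username FROM users WHERE username = '" + username
             + "' AND password = '" + password + "'")
    return sorted(row[0] for row in conn.execute(query))

def login_parameterized(conn, username, password):
    """Placeholders keep input as data; the driver never parses it as SQL."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return sorted(row[0] for row in conn.execute(query, (username, password)))

# Boolean-identity input: in the concatenated query it turns the WHERE clause
# into (username = 'x' AND password = '') OR '1'='1', true for every row.
# With placeholders it is just a password string that matches nothing.
BOOLEAN_IDENTITY = "' OR '1'='1"

if __name__ == "__main__":
    conn = make_db()
    print("vulnerable:   ", login_vulnerable(conn, "x", BOOLEAN_IDENTITY))
    print("parameterized:", login_parameterized(conn, "x", BOOLEAN_IDENTITY))
```

The parameterized form also closes the string-function and SELECT-based variants named above, because no part of the input is ever interpreted as SQL syntax.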

There are many ways to protect against these attacks through the development of software defenses and increased vigilance by system administrators, but the Federal Government system, because of its size, interconnectivity and strategic nature, does not have the resources to properly cope with a coordinated attack.

And, due to the extreme ease with which these attacks are carried out, and the enormous benefit of a successful attack, attacks such as these are likely to remain popular for some time.

Application Patching is Much Slower than Operating System Patching

As vulnerabilities are identified, developers address the security need by offering patch downloads to correct the problems. Operating system developers, however, are currently more effective in supplying patches through regular updates that are pushed to users.

Many vulnerabilities, primarily those found in applications, receive less attention and get patched on a much slower timeline. Some of these applications, such as Microsoft Office and Adobe Reader, are very widely installed and so expose the many systems they run on to long-lived threats.

Other Trends

Many malicious code attacks are “blended threats” that exploit multiple vulnerabilities or propagate via multiple means. Among these new classes of threats are adaptive or mutating threats which, like many viruses that affect the human body, are able to change their characteristics and appearance in order to avoid detection and elimination.

Attacks can exploit operating systems, other software applications, software running on hardware components (e.g., routers and firewalls), or, more infrequently, the hardware components themselves. Cryptographic attacks intended to undermine encryption-based security processes might attempt to exploit one or more of these avenues of attack.

Hacking crews and individuals are increasingly working together around the globe in virtual, anonymous networks of specialists in different types and parts of attacks, such as propagation speed, denial of service, password logging, and data theft.

An increasing number of adversaries are developing new options for penetrating the security of the United States through cyberspace, creating damage as well as conducting espionage. Cyberspace provides easily accessed and clear avenues along with the prospect of anonymity.

Foreign governments, hackers, and industrial spies are constantly attempting to obtain information and access through clandestine entry into computer networks and systems by intruding into closed and protected systems to steal secrets and proprietary information.

Because innocent users can unwittingly spread malware through infected systems called botnets, attribution to the real villains is difficult. Attackers discovered in other countries, moreover, cannot easily be brought to justice under U.S. laws, and their conduct may not even be illegal in the jurisdiction in which they are operating.

These trends are exacerbated because the network and system redundancy, diversity, and excess capacity that traditionally contributed to IT infrastructure resilience are decreasing with time, in part due to economic pressures.

Federal agency personnel concerned with cyber security and information assurance view this factor as a key contributor to increased cyber vulnerability.

Federal Cyber Security Priority

Although any existing network is vulnerable to many of the threats listed, those attacks that affect the networks of the Federal Government can cause the greatest damage for the minimum amount of effort and cost. When the national security and infrastructure of the entire country are at stake, extra cyber security efforts are required.

After a slow start that included excessive bureaucracy, cumbersome reporting, duplication of effort and lack of clear direction, the Federal Government has refocused and is starting to make limited advances. Critical to this effort were the formation of Cyber Command and the reconciliation of the roles of the new Cyber Command and the Department of Homeland Security for a more focused cyber defense.

Aspiration Software LLC has over 10 years experience in the Intelligence Community and the Department of Defense providing high quality Information Technology, Systems Engineering and Cyber Security solutions. Our core capabilities include: Software Development and Systems Integration, Database Development, Cyber Security and Information Assurance.

Tom Coats: This was a hard topic to cover.

The scope of the Blog is too large to cover effectively. And it leaves very interesting and controversial assertions just hanging. Users are "unwitting" without addressing the why? Legal jurisdiction issues are raised without addressing the "why are there different jurisdictions?" This would open fascinating and important avenues of discussion such as the US response to WikiLeaks; the German response to child-pornography and Neo-Nazi propaganda; China's approach to libel and freedom of speech; and even Japan's perception of the acceptability of Manga.

In general the approach is representative of a US-Centric view of the world which blinds itself to the distinct and more basic questions of "How can you protect resources 'you' recognize as valuable and sensitive?" or "How do you (and should you) regulate an international medium which exists in the jurisdiction of over 200 different nations?"
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.
