DHS posts CISA rules for reporting cyberthreat indicators

Roundup: DHS posts first pass at guidelines for cyberthreat indicator reporting under CISA. Plus, the U.S. planned a major cyberattack against Iran if nuclear diplomacy had failed, and more news.

In the first concrete step toward implementing the Cybersecurity Information Sharing Act of 2015, Secretary of...

Homeland Security Jeh Johnson announced interim guidelines and procedures for sharing cyberthreat indicators under the new law.

The guidelines were issued jointly by the Department of Homeland Security and the Department of Justice on the U.S.-Cert Automated Indicator Sharing website. The four documents outlined procedures for the sharing of cyberthreat indicators and defensive measures; guidance on differentiating between information that would be considered a threat indicator and information that would be protected under privacy laws; procedures for the government's handling of data received through CISA; and a set of interim "privacy and civil liberties guidelines governing the receipt, retention, use and dissemination of cyberthreat indicators by a federal entity obtained" under CISA.

According to Johnson's statement, CISA "importantly provides two layers of privacy protections: Companies are required to remove personal information before sharing cyberthreat indicators, and DHS is required -- and has implemented its own process -- to conduct a privacy review of received information.

"These guidelines provide federal agencies and the private sector with a clear understanding of how to share cyberthreat indicators with DHS' National Cybersecurity and Communications Integration Center, or NCCIC, and how the NCCIC will share and use that information," Johnson said in the statement.

While CISA attracted a great deal of opposition before it was passed, the new guidelines received some positive feedback from security experts. "When it comes to privacy issues, I think what we will all discover, as the information sharing practices described in the bill become more commonplace, is that our biggest fears were unfounded," said Ron Gula, CEO of Tenable Network Security in Columbia, Md.

"Information sharing about cyberthreats is a good idea in principle," Gula said. But because CISA applies only to the private sector and is focused on threat indicators, "we should also be sharing information about security policies and practices at federal agencies," he added.

Gula said the government could share much more without endangering security, including "strategic goals and objectives, technologies deployed, vulnerability data -- like patch rates and scan frequency, data on effectiveness of existing security investments -- all these things could reasonably be disclosed without further exposing government networks to cyberattacks."

"This kind of transparency would increase accountability and focus public attention on the techniques, defenses, and controls that are already in place and making a positive difference. Agencies could look to each other for examples of what works, what doesn't work and how to keep the private data of United States citizens out of the hands of malicious hackers and cyberspies."

President's CNAP appointments

Last week, President Barack Obama announced his Cybersecurity National Action Plan (CNAP), as well as the creation of a bipartisan commission to make recommendations on cybersecurity in the public and private sectors. This week, the president appointed his former national security adviser, Tom Donilon, as chairman of the commission and Sam Palmisano, the former CEO of IBM, as vice chairman.

The president said the commission's goal is to report by Dec. 1 on how to deal with the cybersecurity issues, and to "advise not just me, but the next administration and, potentially, administrations after that."

In his remarks on CNAP, the president said the scope of the commission will be broad. "They're going to be thinking about everything, from how do we keep the huge databases that exist in the federal government more secure to how do we more effectively work with critical sectors of our economy -- whether it's the financial sector or our critical infrastructure, like utilities, to make sure their systems are more secure; how do we provide the general public timely and continuously updated information about the best practices they need to keep their families safe, keep their finances safe, keep their health information private; how are we going to improve the process that we purchased -- IT software and hardware that makes the government run so that it's not as vulnerable to hacking and attacks; how do we make sure that we attract the very best personnel to work on these issues."

The president said other public officials, including Secretary Johnson and Secretary of Commerce Penny Pritzker, will be working with the commission, and "we're going to be announcing additional names from academia, the private sector and the national security sector who can add to this effort."

Cyberattack against Iran

Meanwhile, a plan formulated early in the Obama administration would have unleashed a cyberattack against Iran in the event that diplomacy failed to curb Iran's nuclear ambitions, according to The New York Times. The details came from a new documentary film, Zero Days, which opened this week in Berlin.

The plan, code-named Nitro Zeus, would have targeted Iran's air defenses, communications systems and key parts of its power grid. The Pentagon began work on the plan as early as 2009, as part of an effort to provide the president with options short of military engagement to deal with Iran's nuclear program.

In other news

  • Linux systems are getting hit by a simple Trojan program that does not need elevated privileges to run. The source is apparently the Russia-based Sofacy Group -- also known as APT28, Sednit and Pawn Storm -- cyberespionage group. "Overall, these binaries are assessed as low sophistication, but effective," Researchers at Palo Alto Networks reported. The researchers also noted that while the advanced persistent threat group has a wide range of tools and tactics, including zero-day exploits, they don't always need to use advanced or sophisticated tools to achieve their objectives. "Rather, these actors more often than not hold their advanced malware and zero-day exploits in reserve, and employ just enough resources to meet their goals," the Palo Alto Networks report stated. Google Online Security reported that while remote code execution is possible, it is not straightforward and would require "bypassing the security mitigations present on the system," including address space layout randomization.
  • In other Linux news, researchers at Google and Red Hat have independently identified a severe remote code execution vulnerability in the venerable and ubiquitous GNU C library, or glibc. The problem stems from a buffer-overflow bug in glibc's DNS resolver. The bug allows a subverted DNS server to overflow the victim's buffer with too much data in a response to a DNS request, and then run malicious code on the attacked system. A patch is reportedly on its way and should be available shortly; the vulnerability is present in glibc version 2.9 and greater -- or every version since May 2008.
  • Reports from earlier this week claimed a Los Angeles hospital experienced an internal emergency due to a ransomware attack and a $3.6 million ransom. But according to Allen Stefanek, president and CEO of the Hollywood Presbyterian Medical Center, those reports were exaggerated. "The amount of ransom requested was 40 bitcoins, equivalent to approximately $17,000," Stefanek wrote in a press statement. "The quickest and most efficient way to restore our systems and administrative functions was to pay the ransom and obtain the decryption key. In the best interest of restoring normal operations, we did this."
  • Remember the Magento vulnerability disclosed last month? The bad guys have taken advantage of the rush to fix the flaw and are piggybacking malware on top of a fake update. According to website security firm Sucuri, the malware is masquerading as the patch and exploiting the vulnerability the patch is supposed to fix.
  • Messy and unhygienic fingerprinting technologies may soon be a thing of the past, as this week, the New York mobile biometrics firm Hoyos Labs announced they are partnering with the National Institute of Standards and Technology "to develop new methodologies for measuring the image fidelity of contactless fingerprint capture devices, to support evaluation of these devices for future inclusion on the U.S. government's Certified Product Lists." Hoyos Labs' 4F identification technology is able to capture fingerprints using the high-resolution camera on modern smartphones. The results so far meet the FBI's 2D image quality standards.

Next Steps

Read more about CISA's impact on enterprise security

Learn why security information sharing can be a double-edged sword

Discover why Fortinet and DHS formed a security information sharing partnership

Dig Deeper on Data Privacy and Protection



Find more PRO+ content and other member only offers, here.

Related Discussions

Peter Loshin asks:

What are your organization's plans to share cyberthreat indicators with the government under CISA 2015 rules?

0  Responses So Far

Join the Discussion



Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: