US Cyber Command Shares Malware Samples with Cybersecurity Community

US Cyber Command has begun sharing unclassified malware samples with the cybersecurity community through the website VirusTotal.

“Recognizing the value of collaboration with the public sector, the CNMF has initiated an effort to share unclassified malware samples it has discovered that it believes will have the greatest impact on improving global cybersecurity,” said an announcement from the US Cyber Command’s Cyber National Mission Force (CNMF), which is overseeing the program.

The cybersecurity industry can also receive unclassified malware samples through the CNMF’s Twitter feed, @CNMF_VirusAlert.

In 2012, the Joint Staff and US Cyber Command directed the services to collectively build a cyber mission force. That force consists of 133 cyber mission teams, four Joint Force Headquarters-Cyber, and the CNMF.

The CNMF plans, directs, and synchronizes cyberspace operations to deter, disrupt, and defeat adversary cyber actors.

The 133 cyber mission teams became operational in May of this year. The teams execute the command’s mission to direct, synchronize and coordinate cyberspace operations in defense of US interests.

“As the build of the cyber mission force wraps up, we’re quickly shifting gears from force generation to sustainable readiness,” US Cyber Command commander Gen. Paul Nakasone said. “We must ensure we have the platforms, capabilities and authorities ready and available to generate cyberspace outcomes when needed.”

The cyber mission force teams have been building capability and capacity since 2013. The force structure was developed then, and the services began to field and train more than 6,200 military personnel from all services as well as civilians.

Roles of Cyber Mission Force Teams

Cyber mission force teams support US Cyber Command in the following areas:

  • Identify adversary activity, block attacks, and maneuver to defeat them
  • Conduct military cyberspace operations in support of commander priorities and missions
  • Defend the DoD’s information network, protect priority missions, and prepare cyber forces for combat
  • Provide analytic and planning support

“It’s one thing to build an organization from the ground up, but these teams were being tasked operationally while they were growing capability,” Nakasone said. “I am certain that these teams will continue to meet the challenges of this rapidly evolving and dynamic domain.”

IDC Forecasts Security Spending Will Reach $133.7B in 2022


Market research firm IDC forecasts that security spending on hardware, software, and services will reach $133.7 billion in 2022.

The security market should deliver a compound annual growth rate (CAGR) of 9.9 percent through 2022. By then, security spending will be 45 percent greater than the $92.1 billion forecast for 2018.

Security services will be both the largest ($40.2 billion in 2018) and the fastest growing category of worldwide security spending. Managed security services will be the largest segment within the services category, delivering nearly half of the category total in 2022.

Security software takes the second spot, with spending expected to total $34.4 billion in 2018. Endpoint security software will be the largest software segment throughout the forecast period. This will be followed by identity and access management software and security and vulnerability management software.

Hardware spending will be led by unified threat management solutions, followed by firewall and content management.

Banking Leads Other Industries in Security Spending

Banking will make the largest investment in security solutions, growing from $10.5 billion in 2018 to $16.0 billion in 2022. Security-related services, led by managed security services, will account for more than half of the industry’s spend throughout the forecast.

The second and third largest industries will be discrete manufacturing and federal/central government ($8.9 billion and $7.8 billion in 2018, respectively). They will follow a similar pattern with services representing roughly half of each industry’s total spending.

The industries that will see the fastest growth in security spending will be telecommunications (13.1 percent CAGR), state/local government (12.3 percent CAGR), and the resource industry (11.8 percent CAGR).

“Security remains an investment priority in every industry as companies seek to protect themselves from large-scale cyber attacks and to meet expanding regulatory requirements,” said IDC Customer Insights and Analysis Program Director Eileen Smith.

“While security services are an important part of this investment strategy, companies are also investing in the infrastructure and applications needed to meet the challenges of a steadily evolving threat environment,” she added.

The United States will be the largest market for security solutions, with total spending of $39.3 billion this year. The United Kingdom will be the second largest geographic market in 2018 at $6.1 billion. Rounding out the top five are China ($5.6 billion), Japan ($5.1 billion), and Germany ($4.6 billion).

Study Finds $250B Economic Benefit from NIST Encryption Standard

The NIST advanced encryption standard (AES) has had at least a $250 billion global economic impact over the past 20 years, a new report concluded.

AES uses a cryptographic algorithm that was approved for federal government use in 2001. It has since been widely adopted by private industry.

As a result, AES protects everything from classified data and bank transactions to online shopping and social media apps.

For the report, RM Advisory Services relied on a survey of encryption users and developers of encryption hardware or software.

Search for New Encryption Standard

In 1997, NIST launched its effort to identify a new standard encryption algorithm for the federal government. It recognized that the 20-year-old Data Encryption Standard (DES) was growing vulnerable in the face of advances in cryptanalysis and computing power.

Following an open international competition, in 2000 NIST announced its proposal for the replacement standard. Rijndael, an algorithm that was submitted by two cryptographers from Belgium, Vincent Rijmen and Joan Daemen, was selected.

The unclassified, publicly disclosed encryption algorithm used in the AES standard is available royalty free, worldwide. It is used by the US government under its FIPS standard and voluntarily by private organizations around the world.

The development process involved the collaboration of the worldwide cryptography community. The AES program continues to create economic value by transferring know-how into the network of communications and transactions.

“AES has been tremendously successful at helping to establish trust in IT systems around the world,” said NIST’s Charles Romine. “We are pleased with how it has stood the test of time in its ability to provide security in a wide range of commercial products and public and private systems.”

CVE Program Takes Heat from Republican Lawmakers

Republican leaders of the House Energy and Commerce Committee are calling for changes to the CVE program, which provides common identifiers for known cybersecurity vulnerabilities.

The Common Vulnerabilities and Exposures (CVE) program is sponsored by the Department of Homeland Security (DHS) under contract with MITRE.

The lawmakers want DHS to transition the CVE program from a contract-based funding model to a cost-neutral dedicated program, project, or activity line item in the department’s annual budget. In addition, they want DHS and MITRE to perform biennial reviews of the program’s stability and effectiveness.

CVE Is Critical Cyber Infrastructure

“The CVE program has become inextricably integrated with cybersecurity practices during its nearly 20-year existence. Yet the documentation produced to the Committee suggests that neither DHS nor MITRE fully recognize CVE’s status as critical cyber infrastructure,” wrote Energy and Commerce Committee Chairman Greg Walden (R-OR), Oversight and Investigations Subcommittee Chairman Gregg Harper (R-MS), Communications and Technology Subcommittee Chairman Marsha Blackburn (R-TN), and Digital Commerce and Consumer Protection Subcommittee Chairman Bob Latta (R-OH) in letters to DHS and MITRE.

“The historical practices for managing the CVE program are clearly insufficient. Barring significant improvements, they will likely lead again to challenges that have direct, negative impacts on stakeholders across society,” the lawmakers noted.

“The Committee understands and appreciates that DHS and MITRE have already undertaken reforms to try and address the issues that prompted the Committee’s initial request. However, many of these reforms target symptoms that stem from what the Committee considers to be underlying root-causes – the contract-based nature of the program and the lack of oversight – which have yet to be addressed. For DHS and MITRE to address these deep-seated issues, they will have to make significant changes to the very foundation of the CVE program.”

The committee gave DHS and MITRE until September 10 to respond to the lawmakers’ recommended changes.

DHS Falls Short in Achieving its Cybersecurity Mission, Says GAO


The Department of Homeland Security (DHS) has fallen short in fulfilling its mission to lessen cybersecurity risks on federal and private-sector computer systems and networks, judged the Government Accountability Office (GAO) in a recent report.

In particular, DHS has failed to develop metrics to measure and report on the effectiveness of its cyber risk mitigation activities or the IT security posture of the eight critical infrastructure sectors for which it is the lead federal agency, the report found.

The department’s National Cybersecurity and Communications Integration Center has failed to develop metrics and methods to evaluate its performance against statute-defined implementing principles.

Also, DHS’s National Cybersecurity Protection System had only partially met its objectives of detecting and preventing intrusions, analyzing malicious content, and sharing threat information.

The department has not identified all of its cybersecurity positions, has not assigned codes to filled and vacant positions, and has not determined critical skill requirements for those positions.

“Until DHS fully and effectively implements its cybersecurity authorities and responsibilities, the department’s ability to improve and promote the cybersecurity of federal and private-sector networks will be limited,” the GAO concluded.

Adobe Flash Is Bane of IT Security Professionals’ Existence

Adobe Flash has been the bane of IT security pros for years. Adobe has tried to keep ahead of Flash vulnerabilities by getting patches out in a timely manner. Unfortunately, Flash security problems continue.

One example is a Flash zero-day exploit uncovered by Kaspersky Lab that enables attackers to deliver FinSpy malware disguised in a Microsoft Office document.

The FinSpy malware and other FinFisher products are made by Gamma International and sold to governments and other law enforcement agencies to conduct surveillance. The latest version includes added anti-analysis techniques that make it hard to analyze the malware.

Kaspersky suspects that the attackers are part of the BlackOasis cyberattack group because of similarities in this most recent payload with other attacks carried out by the group. Kaspersky also suspects that another FinSpy attack uncovered by FireEye in September is the work of BlackOasis because the attackers used the same command and control server.

The security firm explained that the Flash exploit is a memory corruption vulnerability enabling attackers to gain arbitrary read/write operations within memory.

BlackOasis targets include people involved in Middle Eastern politics, including UN officials, opposition activists, and regional news correspondents.

“We estimate that the attack on HackingTeam in mid-2015 left a gap on the market for surveillance tools, which is now being filled by other companies,” Kaspersky researchers wrote in a SecureList blog post.

“One of these is Gamma International with their FinFisher suite of tools. Although Gamma International itself was hacked by Phineas Fisher in 2014, the breach was not as serious as it was in the case of HackingTeam. Additionally, Gamma had two years to recover from the attack and pick up the pace,” they noted.

“We believe the number of attacks relying on FinFisher software, supported by zero-day exploits such as the ones described here will continue to grow,” they concluded.

The Kaspersky researchers advised organizations to disable Flash, although this may be difficult to do and may break applications that rely on Flash, and to deploy a multi-layered approach to security, including strict access policies, anti-virus software, network monitoring, and application whitelisting.

Kaspersky informed Adobe about the Flash exploit, and the company released a patch.