1.0 Introduction
As always, the primary ongoing assurance activity is the review of incidents conducted by the security program to determine if the program is efficiently and effectively protecting the scientific mission of the Laboratory. This ongoing review suggests that the program is functioning well and we continue to make adjustments to controls and policies as required by the environment.
The Laboratory completed its new System Authorization Process (formerly Authority to Operate / Certification and Accreditation). During this period we completed full reviews of our systems and updated and revised the contractor assurance system for cyber security at LBNL. The independent assessors we hired as part of this process characterized our program as “very successful”. Additional details are in the Assessments section.
2.0 Most Significant Risks
2.1 Continued Threats from APT
Follow-up to PNNL/JLab Attacks
Established Procedures for Emergency Cyber Security Attacks:
- Purpose: To articulate a clear process and guiding principles for considering highly disruptive actions (e.g. disconnecting Lab)
- Obtained delegated authority, from the Lab Director through the Chief Information Officer to the Cyber Security Team, for executing highly disruptive actions
2.2 Emergent Security Risks and Evolving Threats
As always, we continue to see new and evolving issues in the cyber security space.
Remote Desktop Protocol (RDP) scanning from the first worm in 7 years
The most recent evolution was an RDP scanning attack of unprecedented scale, with more than 100K unique hosts attacking the Lab. With our strong visibility into traffic of all types, including RDP, we were the first on the Internet to detect it (a month ahead of the rest of the Internet). This allowed us to provide early warning about a pending attack of significant scale. We provided infection signatures to the DOE and Education community that allowed a number of sites to detect active infections in their networks (e.g. Universities of Idaho, Waterloo, Albany, Simon Fraser University, Columbia). We submitted copies of the malware to antivirus vendors (who had not yet detected it), which allowed for mass detection of the malware.
Internally, our response to this attack demonstrates our ability to adapt dynamically. We quickly created new methods to detect and alert on attacking/infected hosts and developed new defenses to block scanning.
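The detection described above relies on fan-out counting: a single source touching many distinct TCP/3389 destinations is either an external scanner or an internal host that has been infected and is now propagating. The following script is an added illustration, not LBNL's own detection code; it assumes Zeek-style connection records (timestamp, originator, responder, responder port, connection state) with constructed sample values, and it assumes the documentation prefix 192.0.2.0/24 stands in for the Lab's address space. It applies a lower threshold to internal sources, since a Lab host fanning out to external RDP targets is abnormal at a much smaller count than inbound scanning is.

```python
"""Flag hosts that sweep TCP/3389 (RDP) across many destinations.

Added example; not the Lab's code. Records and addresses are constructed.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

RDP_PORT = 3389
# Assumed Lab address space (documentation prefix used as a placeholder).
INTERNAL_NETS = [ip_network("192.0.2.0/24")]


def build_sample_log():
    """Construct tab-separated conn records: ts, orig_h, resp_h, resp_p, conn_state."""
    lines = []
    ts = 1312000000.0
    # External source sweeping 12 internal addresses on 3389 (inbound scan).
    for i in range(1, 13):
        lines.append(f"{ts + i:.1f}\t203.0.113.10\t192.0.2.{i}\t3389\tREJ")
    # Internal host fanning out to 8 external RDP targets (propagation pattern).
    for i in range(1, 9):
        lines.append(f"{ts + 100 + i:.1f}\t192.0.2.50\t198.51.100.{i}\t3389\tS0")
    # Benign: one remote administrator reconnecting to a single host.
    for i in range(3):
        lines.append(f"{ts + 200 + i:.1f}\t198.51.100.77\t192.0.2.5\t3389\tSF")
    # Unrelated HTTPS traffic from the scanner must not inflate its RDP count.
    lines.append(f"{ts + 300:.1f}\t203.0.113.10\t192.0.2.7\t443\tSF")
    return "\n".join(lines)


def parse_conn_log(text):
    """Parse the five-field records, skipping blank and comment lines."""
    records = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        ts, orig, resp, port, state = line.split("\t")
        records.append(
            {"ts": float(ts), "orig": orig, "resp": resp,
             "port": int(port), "state": state}
        )
    return records


def rdp_fanout(records):
    """Number of distinct RDP destinations contacted by each source."""
    targets = defaultdict(set)
    for r in records:
        if r["port"] == RDP_PORT:
            targets[r["orig"]].add(r["resp"])
    return {src: len(dsts) for src, dsts in targets.items()}


def is_internal(host):
    return any(ip_address(host) in net for net in INTERNAL_NETS)


def find_rdp_scanners(records, min_external=10, min_internal=5):
    """Return (source, distinct_targets, role) for sources exceeding their threshold.

    Internal sources get the lower threshold because outbound RDP fan-out
    from a Lab host indicates infection rather than ordinary use.
    """
    alerts = []
    for src, count in sorted(rdp_fanout(records).items()):
        if is_internal(src):
            if count >= min_internal:
                alerts.append((src, count, "infected internal host"))
        elif count >= min_external:
            alerts.append((src, count, "external scanner"))
    return alerts


if __name__ == "__main__":
    for src, count, role in find_rdp_scanners(parse_conn_log(build_sample_log())):
        print(f"{src}\t{count} RDP targets\t{role}")
```

On the constructed sample the sweep from 203.0.113.10 and the outbound fan-out from 192.0.2.50 are both reported, while the administrator who reconnects to one host is not; in practice the two roles feed different responses (blocking the external source at the border, isolating the internal host).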
3.0 Assessments
Description / Schedule / Internal or External
- Ongoing review of Incidents and Threats / Ongoing / Internal Assessment
- System Authorization Cycle with Assessments / Complete / Internal and External
System Authorization Cycle: External Assessment
Summary: “Of the 263 controls required by NIST, 22 controls were determined not applicable to LBNL systems and 236 were determined adequately documented, in place, and functioning as intended, indicating a highly effective, NIST-compliant cyber security program. LBNL should take note that compliance with 98% of the required NIST controls shows that the planning and execution of their CSPP was very successful.”
Findings: The assessors identified 4 ineffective or non-compliant controls but characterized them as representing “a Low or Negligible risk to LBNL”. We incorporated the findings below into our Plan of Action and Milestones (POAM):
- AC-20: Deviations associated with the use of external information systems, specifically Cloud Computing, are not documented. Risk rating: Low
  - Action: Cloud Appendix to be completed by October 31, 2012
- IA-5, IA-5(1): Weak passwords (blank, default, easily guessed) are in use at LBNL. Risk rating: Low
  - No action defined. We find this to be an acceptable risk.
- CM-7: Hosts are not configured to disable unnecessary services, and configurations of certain file sharing and transfer have little or no restrictions. Risk rating: Low
  - No action defined. We find this to be an acceptable risk.
- MP-5(4): Backup tapes are not encrypted when being transported. Note: this finding is specific to the Business Systems enclave.
  - Already included in the POAM per IS-3 Audit.
4.0 Performance Measures
4.1 PEMP Goals, Objectives, Notable Outcomes
No notable outcome is defined for cyber security.
4.2 Laboratory Management Performance Measures
Cyber Security Incident Analysis
Berkeley Lab experienced a "normal" incident profile in Q4 aside from the RDP scanning mentioned above. Instances of malicious code were within current trends, and there were no instances of malicious code escalation or compromise of other hosts at the Laboratory. Newer detection measures implemented over the past 18 months continue to pay dividends in terms of speedy detection of these issues. Details are provided on the Operations Dashboard.
System Availability and Function Data
Cyber security systems experienced normal up-time profiles during this quarter.
Training Completion
92% of individuals are up to date (target is 90%).
Training Feedback
3.8 on a scale of 1-5. Selected comment: "In general, I appreciated the attitude of the course and the material covered, so it was one of the better courses (rated 5)."
5.0 Other Issues / Concerns
We have no new issues or concerns.
6.0 Noteworthy Accomplishments
- Completion of system authorization cycle and shift to continuous authorization methodology, including the updated contractor assurance system/plan
- Completion of Procedures for Cyber Security Emergencies and approval of delegated authority for high impact actions
- First on Internet to identify new worm, subsequently named Morto