As always, the primary ongoing assurance activity is the review of incidents conducted by the security program to determine if the program is efficiently and effectively protecting the scientific mission of the Laboratory. This ongoing review suggests that the program is functioning well and we continue to make adjustments to controls and policies as required by the environment.
1.0 Top Risks
1.1 Drive-by-download infections
Through our incident analysis, we identified drive-by infections as the most significant source of damage over the last year. Drive-bys are caused by malicious code in websites that exploits vulnerabilities in web browser plugins to cause infections. These infections are especially devious as they infect users without their knowledge or any action on their part (no clicks or intentional downloads). Our analysis further identified vulnerabilities in JRE and Flash plugins as the largest source of infection.
To reduce this risk, we provided new tools for updating browser plugins. The BigFix tool automatically patches JRE and Flash for both PCs and Macs, while Qualys can check the status of all plugins (not just JRE and Flash). To encourage adoption of these tools, we introduced an isolation policy based on the ability to detect vulnerable plugins using a customized Bro 2.0 policy. We’ll monitor our drive-by infections to assess the efficacy of the tools and isolation policy.
1.2 Continued Threats from APT
This is an ongoing top risk, although we have not witnessed any significant activity in the last quarter.
1.3 Emergent Security Risks and Evolving Threats
This is an ongoing top risk, although we have not witnessed any new trends in the last quarter.
2.0 LBNL Performance
2.1 Business Plan Performance
The Cyber Team made significant progress on its FY12 business plan. In addition to other items in this report, progress included:
- Objective 1.1: Completion of a significant project to standardize all Bro installations with a modern and consistently configured version of Bro. All Bro policy is stored in a central repository.
- Objective 3.1: Working closely with researchers to implement "Bro Intelligence Framework" which will provide Bro with innate capabilities to digest and act on external data sets. Initial data will be brought in from REN-ISAC and DOE NSM.
2.2 Audit: Data Security of Outsourced Applications (Google)
Summary Conclusion: “In general, Berkeley Lab’s internal controls intended to ensure the confidentiality, integrity, and availability of information processed or stored through Google Apps Premier were adequate and effective at mitigating the significant risks associated with outsourcing the services provided by Google Apps Premier.”
The report included two recommendations based on findings:
- IT management should collaborate with Procurement to amend the Google Apps Premier subcontract.
- The “Cloud Appendix”: IT management should make pertinent information included in the Cloud Appendix accessible Lab-wide.
IT management will complete both of the recommended actions as part of our existing plan to update the Google contract and modify user facing requirements as part of the RPM rewrite.
3.0 PEMP Goals, Objectives, Notable Outcomes
We completed the core aspects of our PEMP Objective 8.2 to “Implement improved intrusion detection by fully deploying a next generation malware protection system and incorporating it into the Laboratory's continuous monitoring program.” After ongoing data collection confirmed that signatures were accurate enough, we fully automated responses to alerts. Responses include removing computer from network, identifying users and sending email, etc. We will continue to refine our use of this tool over the next few months.
4.0 Noteworthy Accomplishments
Our policy team participated in several key activities that broadly benefited or are intended to benefit the DOE complex, including:
- Served as one of two lab/plant representatives on the planning team for the Risk Management Summit hosted by DOE OCIO. Also presented at the summit and received a very positive response, including specific praise from the Safeguards and Security Division Director, Earl Hicks.
- Heavily contributed laboratory system input to a memo used by DOE's Deputy Secretary to negotiate reporting of IT investments with OMB's CIO. Negotiations continue, and if the desired changes are made, they will greatly reduce reporting inefficiencies across DOE.
- Facilitated and wrote much of a memo describing the state of continuous monitoring at DOE Labs and plants. The DOE CISO used this memo to inform initial negotiations with DHS on details of cyber MOU and reporting.
