As always, the primary ongoing assurance activity is the review of incidents conducted by the security program to determine if the program is efficiently and effectively protecting the scientific mission of the Laboratory. This ongoing review suggests that the program is functioning well and we continue to make adjustments to controls and policies as required by the environment.
In addition, the outcome of a series of major Inspector General provides additional assurance that the program is operating as intended (see section 2.2).
1.0 Top Risks
1.1 Drive-by-download infections
Drive-by infections (malicious code on websites that exploit vulnerable web applications) continue to be our most significant source of damage. We believe that our aggressive patching of Java Runtime Environment (JRE) and Flash has helped reduce malware infection at the Lab to the lowest level in 16 months. However, in some cases (e.g. transient visitors) our protections will only increase the speed of detection - not preventing them outright.
We also expanded our baseline in BigFix to patch a larger set of applications (Firefox, Quicktime, etc.). This baseline was applied to CFO, HR, and key IT administrator systems where we have the greatest risk.
Lastly, decreasing license costs combined with little to no implementation costs prompted us to purchase 1000 additional BigFix licenses and we now have 3080 clients.
1.2 Continued Threats from Advanced Persistent Threat (APT)
This is an ongoing top risk, although we have not witnessed any significant activity in the last quarter.
1.3 Emergent Security Risks and Evolving Threats
Historically, attacks are largely associated with IP addresses. However, over the last year or so, we’ve seen a migration to domain-centric attacks. To address this emerging threat, we studied and then implemented a Response Policy Zones (RPZs) technology. Using this technology, if a computer or user requests a domain that has been identified as malicious, we can take automated action to prevent the computer from accessing the domain.
2.0 LBNL Performance
2.1 Business Plan Performance
The Cyber Team made significant progress on its FY12 business plan. In addition to other items in this report, progress included:
- Objective 2.1: We set up a new scan systems with the tools necessary to conduct web vulnerability assessment (NetSparker and Burp). We are becoming familiar with the usage of these tools in anticipation of using them to scan all registered web servers.
- Objective 3.1: We are now performing analysis on pdf and doc attachments in email using Bro's mail analyzer and a specific heuristics tool from malware-tracker.com. This system is architected to find malicious pdf and word document not detected by AntiVirus. Our initial use of this tool identified new signature that we submitted to Sophos.
2.2 Audit: DOE Inspector General Audits
The Department of Energy’s Inspector General concluded its audits of Berkeley Lab in the following areas:
- Cyber Security Incident Management
- IT General & Application Controls
- FISMA
- IT Vulnerability Assessment (internal and external)
At this time, we are aware of only one finding from the internal IT Vulnerability Assessment portion of the audit:
“In FY 2012, we determined that five LBNL web applications, including the PeopleSoft Human Resource Information System (HRIS), accepted malicious input data that could be used to launch attacks against legitimate application users. Such attacks, referred to as cross-site scripting attacks, when successfully launched could allow an attacker to compromise legitimate users' web application login credentials and workstations.”
Although we considered this finding to be low risk (it requires an attacker to both gain an internal foothold and use social engineering to exploit), we committed to reviewing existing web application controls and then develop and implement a graded approach to web application input testing and ongoing review consistent with the Lab’s risk management approach. We’ve already begun work using tools to support this (NetSpartker and Burp mentioned above).
3.0 PEMP Goals, Objectives, Notable Outcomes
PEMP Objective 8.2 Notable Outcome to “Implement improved intrusion detection by fully deploying a next generation malware protection system and incorporating it into the Laboratory's continuous monitoring program.”
We presented our completion of the notable outcome to BSO.
4.0 Noteworthy Accomplishments
As one of the earliest detectors of a new attack vector, we communicated our experience with a large scale and slow attack to DOE and .edu, resulting in several other sites finding similar traffic. The feedback from these communities has furthered the understanding of this attack.
Our policy team participated in several key activities that broadly benefited or are intended to benefit the DOE complex, including:
- Contributed to report summarizing potential incident response requirements as part of a simulation of a DOE-wide incident.
- Collaborated with DOE OCIO to develop a process for reviewing and vetting orders with the Information Management Working Group.