...

1. Continued Threats from APT

Follow-up to PNNL/JLab Attacks

  • Established Procedures for Emergency Cyber Security Attacks:
    • Purpose: To articulate a clear process and guiding principles for considering highly disruptive actions (e.g. disconnecting the Lab)
    • Obtained delegated authority, from the Lab Director through the Chief Information Officer to the Cyber Security Team, for executing highly disruptive actions

...

2. Emergent Security Risks and Evolving Threats

As always, we continue to see new and evolving issues in the cyber security space.

Remote Desktop Protocol scanning from the first worm in 7 years
The most recent evolution was an RDP scanning attack of unprecedented scale, with more than 100k unique hosts attacking the lab. With our strong visibility into traffic of all types, including RDP, we were the first people on the Internet to detect it (a month ahead of the rest of the Internet). We submitted the information to REN-ISAC, where an analyst analyzed the automation and communicated it out to other labs.
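As an added example (not code from the report or from the Lab), the kind of detection logic that such traffic visibility enables: it counts, from simplified Zeek/Bro-style connection records constructed here, how many distinct external sources attempt inbound RDP and which of them touch enough internal hosts to be treated as scanners. The log field layout, the internal address block and the scanner threshold are assumptions.

```python
"""Detect wide-scale inbound RDP (tcp/3389) scanning from connection records.

Added example, not part of the original report. Assumes a simplified
Zeek/Bro-style conn.log TSV with fields
ts, id.orig_h, id.orig_p, id.resp_h, id.resp_p, proto, conn_state;
the sample records below are constructed.
"""
import ipaddress
from collections import defaultdict

RDP_PORT = 3389
# Address blocks treated as "internal" (constructed for this example).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def parse_conn_log(text: str):
    """Yield (orig_h, resp_h, resp_p) from TSV records, skipping '#' header lines."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        f = line.split("\t")
        yield f[1], f[3], int(f[4])


def rdp_scan_summary(text: str, min_targets: int = 3):
    """Return {external source: number of distinct internal RDP targets} and the
    set of sources at or above min_targets (treated as scanners)."""
    targets = defaultdict(set)
    for orig, resp, port in parse_conn_log(text):
        # Only external -> internal attempts against the RDP port are relevant.
        if port != RDP_PORT or is_internal(orig) or not is_internal(resp):
            continue
        targets[orig].add(resp)
    counts = {src: len(t) for src, t in targets.items()}
    scanners = {src for src, n in counts.items() if n >= min_targets}
    return counts, scanners


# Constructed sample log: one source sweeping three hosts, one single session,
# one internal-to-internal connection and one non-RDP probe.
SAMPLE_LOG = "\n".join([
    "#fields\tts\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tconn_state",
    "1.0\t198.51.100.7\t51000\t10.1.1.5\t3389\ttcp\tS0",
    "1.1\t198.51.100.7\t51001\t10.1.1.6\t3389\ttcp\tS0",
    "1.2\t198.51.100.7\t51002\t10.1.1.7\t3389\ttcp\tREJ",
    "1.3\t203.0.113.9\t40000\t10.1.2.5\t3389\ttcp\tSF",
    "1.4\t10.1.1.5\t40001\t10.1.1.6\t3389\ttcp\tSF",
    "1.5\t198.51.100.8\t42000\t10.1.1.5\t22\ttcp\tS0",
])

if __name__ == "__main__":
    counts, scanners = rdp_scan_summary(SAMPLE_LOG)
    print(f"{len(counts)} unique external sources probing RDP; scanners: {scanners}")
```

In production the same aggregation would run over a day's conn.log, with the number of unique probing sources tracked over time so that a jump to the scale described above stands out.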

...

  1. Ongoing review of Incidents and Threats / Ongoing / Internal Assessment
  2. System Authorization Cycle with Assessments / Complete / Internal and External

2. System Authorization Cycle: External Assessment

Summary: “Of the 263 controls required by NIST, 22 controls were determined not applicable to LBNL systems and 236 were determined adequately documented, in place, and functioning as intended, indicating a highly effective, NIST-compliant cyber security program. LBNL should take note that compliance with 98% of the required NIST controls shows that the planning and execution of their CSPP was very successful.”

Findings: The assessors identified 4 ineffective or non-compliant controls but characterized them as representing “a Low or Negligible risk to LBNL”.

...

We incorporated the findings below into our Plan of Action and Milestones (POAM):

  1. AC-20: Deviations associated with the use of external information systems, specifically Cloud Computing, are not documented. Risk rating: Low
    1. Action: Cloud Appendix to be completed by October 31, 2012
  2. IA-5, IA-5(1): Weak passwords (blank, default, easily guessed) are in use at LBNL. Risk rating: Low
    1. No action defined. We find this to be an acceptable risk.
  3. CM-7: Hosts are not configured to disable unnecessary services, and the configurations of certain file sharing and file transfer services have little or no restrictions. Risk rating: Low
    1. No action defined. We find this to be an acceptable risk.
  4. MP-5(4): Backup tapes are not encrypted when being transported. Note: this finding is specific to the Business Systems enclave.
    1. Already included in the POAM per IS-3 Audit.

Performance Measures

PEMP Goals, Objectives, Notable Outcomes

No notable outcome is defined for cyber security.

Laboratory Management Performance Measures

Cyber Security Incident Analysis

Berkeley Lab experienced a "normal" incident profile in Q4 aside from the RDP scanning mentioned above. Instances of malicious code were within current trends, and there were no instances of malicious code escalation or compromise of other hosts at the Laboratory. Newer detection measures implemented over the past 18 months continue to pay dividends in terms of speedy detection of these issues. Details are provided on the Operations Dashboard.

System Availability and Function Data

...