As always, the primary ongoing assurance activity is the review of incidents conducted by the security program to determine if the program is efficiently and effectively protecting the scientific mission of the Laboratory. This ongoing review suggests that the program is functioning well and we continue to make adjustments to controls and policies as required by the environment.
1.0 Risks
1.1 Drive-by-download infections
Drive-by infections continue to decrease. But they continue to be a source of risk given the low barrier to conducting an attack, difficulty defending, and the large number of potentially vulnerable systems. Although Our existing mitigations (broad deployment of BigFix, isolating unpatched computers, and RPZ) continue to manage this risk to an acceptable level.
1.2 Continued Threats from Advanced Persistent Threat (APT)
This is an ongoing top risk, although we have not witnessed any significant activity in the last trimester.
1.3 Emergent Security Risks and Evolving Threats
Network Time Protocol (NTP) Vulnerability. NTP is a protocol used to keep time synchronized across computers. In early December 2013, miscreants figured out a way to abuse this protocol to amplify network traffic. By amplifying network traffic, an attacker can overwhelm a network or computer, causing a denial of service (DoS). Details about this attack and our response in person.
Supervisory Control and Data Acquisition (SCADA) systems. We continue to work with the Bro research team under the NSF grant to develop tools for monitoring SCADA. We are currently studying and characterizing the Backnet protocol on our facilities network that includes all of our Johnson Control systems (building automation system).
Intelligent Platform Management Interface (IPMI) Vulnerability. At our last meeting we discussed vulnerabilities in the IPMI protocol which allow for remote exploitation of servers that results in full access to the OS and hardware. Less than 5% of computers at the Lab were vulnerable. Our mitigations drove this down to zero: blocked ports at board, deny booted vulnerable computers, and implemented a daily vulnerability scan.
2.0 LBNL Performance
2.1 Business Plan Performance
- Border Router. Our new border router is live with increased block capacity (amount and duration). This new blocking capacity has allowed us to easily block new risks (IPMI, NTP) as well as extend our blocking to additional protocols.
- Communication and Outreach.
We’ll be hosting the annual Network Security Monitoring’s conference for DOE, which will include a two day Bro workshop. This was rescheduled from fall 2013 to May 2014.
We’ve held a series of information sharing activities with SLAC’s cyber and network groups and will likely be helping them deploy Bro.
- CPP Sensors. PNNL is signing the agreements with HQ.
- PII Review. Steady progress is happening on CATS from the PII review.
2.2 Audits
No audit activity in last trimester related to cyber security. Office of Science is conducting a Physical Security review in spring, which may touch parts of information security.
3.0 PEMP Goals, Objectives, Notable Outcomes
None defined.
4.0 Noteworthy Accomplishments
No new noteworthy accomplishments.