<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Aspiration Software</title>
	<atom:link href="http://aspirationsoftware.com/feed/" rel="self" type="application/rss+xml" />
	<link>http://aspirationsoftware.com</link>
	<description>Aspiration Software provides world-class IT / IA solutions and services for both Government and Industry</description>
	<lastBuildDate>Sun, 11 Dec 2011 15:51:26 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
		<item>
		<title>The Hadron Analex Story</title>
		<link>http://aspirationsoftware.com/indexthe-hadron-analex-story/</link>
		<comments>http://aspirationsoftware.com/indexthe-hadron-analex-story/#comments</comments>
		<pubDate>Wed, 02 Mar 2011 14:55:46 +0000</pubDate>
		<dc:creator>Admin</dc:creator>
				<category><![CDATA[Additional Capabilities and Services]]></category>

		<guid isPermaLink="false">http://aspirationsoftware.com/?p=1104</guid>
		<description><![CDATA[The HadronAnalex Story Aspiration Software LLC has over 10 years experience in the Intelligence Community and the Department of Defense providing high quality Information Technology, Systems Engineering and Cyber Security solutions. Our core capabilities include: Software Development and Systems Integration: Database Development: Cyber Security and Information Assurance:]]></description>
			<content:encoded><![CDATA[<p><a href="http://aspirationsoftware.com/wp-content/uploads/2011/02/The-HadronAnalex-Story.pdf">The HadronAnalex Story</a></p>
<blockquote><p>Aspiration Software LLC has over 10 years experience in the Intelligence Community and the Department of Defense providing high quality Information Technology, Systems Engineering and Cyber Security solutions. Our core capabilities include:<br />
<a href="http://aspirationsoftware.com/core-capabilities/">Software Development and Systems Integration:<br />
Database Development:<br />
Cyber Security and Information Assurance:</a></p></blockquote>
]]></content:encoded>
			<wfw:commentRss>http://aspirationsoftware.com/indexthe-hadron-analex-story/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Payment Card Industry/Data Security Standards An Overview</title>
		<link>http://aspirationsoftware.com/indexpayment-card-industrydata-security-standards-an-overview/</link>
		<comments>http://aspirationsoftware.com/indexpayment-card-industrydata-security-standards-an-overview/#comments</comments>
		<pubDate>Fri, 04 Feb 2011 23:27:48 +0000</pubDate>
		<dc:creator>Admin</dc:creator>
				<category><![CDATA[Cyber Security and Information Assurance]]></category>

		<guid isPermaLink="false">http://aspirationsoftware.com/?p=1099</guid>
		<description><![CDATA[Aspiration Software LLC has over 10 years experience in the Intelligence Community and the Department of Defense providing high quality Information Technology, Systems Engineering and Cyber Security solutions. Our core capabilities include: Software Development and Systems Integration: Database Development: Cyber Security and Information Assurance: The Payment Card Industry (PCI) Data Security Standard (DSS) provides a [...]]]></description>
			<content:encoded><![CDATA[
<p>The Payment Card Industry (PCI) Data Security Standard (DSS) provides a set of Control Objectives for securing information systems involved in the handling of payment card data or transactions.  It was originally created in 2004 when five major credit card companies (Master Card, Visa, American Express, Discover, and JCB International)  combined their individual information security efforts to establish a common standard across all organizations using their payment cards.  This effectively resulted in a global standard for payment card data.  The PCI Security Standards Council (SSC) provides management of the standard and oversight of its implementation.  As of October of 2008, version 1.2 of the PCI DSS was current.</p>
<p>In a nutshell, the PCI DSS requires companies to build and maintain a secure network using a firewall configuration and secure passwords, protect cardholder data both in storage and transmission, manage system vulnerabilities using secure architectures and applications, implement strong control measures for access to cardholder data, regularly monitor and test network resources and security processes, and maintain a formal information security policy.  </p>
<p>The purpose of the PCI DSS is not only to reduce the amount of payment card fraud and identity theft, but also the costs of mitigating the institutional risks associated with those activities.  According to the British Crime Survey, payment card fraud amounted to £610 Million ($960 Million) in 2009, affecting 6.4% of card owners—a 40% rise over the prior year.  Identity theft, closely related to credit card fraud, affects about 2 out of every 1000 people in the UK every year, while in the US the figure is closer to 30 out of every 1000!  Merchants bear the direct liability for fraudulent transactions, and face stiff penalties and clean up costs in repairing the damage caused by loss of cardholder data.  Although those costs are ultimately passed onto the consumer, the economic damages are real, and the loss of consumer trust towards careless firms—or those perceived to be careless—can be priceless.</p>
<p>All merchants or service providers that accept a payment card branded by one of the participating card companies listed above are required to comply with the PCI DSS:  Those companies found not to be in compliance face daily fines until the inadequacies are corrected, or the brand determines an acceptable compliance plan is in place.  However, individual card company policies do vary:  Merchants with smaller numbers of card transactions annually (nominally 20,000) may, or may not, be required to formally document their compliance.  The largest firms will be required to have an on-site audit, while more moderately sized firms will be able to document their compliance via a Self Assessment Questionnaire (SAQ).  </p>
<p>Merchants or service providers performing formal audits will require the services of a Qualified Security Assessor (QSA) for the audit, while companies qualifying for self assessment may choose to consult a QSA to assist with, or conduct, their SAQ.  Firms requiring an audit or assessment will also require periodic external scans of their systems to verify that required security controls are functioning properly.  These scans must be performed by Approved Scanning Vendors (ASV).  The PCI SSC conducts a recurring certification program for each QSA and ASV, and maintains a list of currently qualified providers on their website.</p>
<p>Securing data against hackers, for whom the potential financial gains are immense, is a serious issue for the Payment Card Industry, and compliance with the PCI Data Security Standard requires qualified analysis and technical support.</p>
]]></content:encoded>
			<wfw:commentRss>http://aspirationsoftware.com/indexpayment-card-industrydata-security-standards-an-overview/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Federal Cyber Security and Trusting the Cloud &#8211; Data Hosting and Virtualization</title>
		<link>http://aspirationsoftware.com/indextrusting-the-cloud-%e2%80%93-update-data-hosting-and-virtualization/</link>
		<comments>http://aspirationsoftware.com/indextrusting-the-cloud-%e2%80%93-update-data-hosting-and-virtualization/#comments</comments>
		<pubDate>Fri, 04 Feb 2011 23:12:12 +0000</pubDate>
		<dc:creator>Admin</dc:creator>
				<category><![CDATA[Cyber Security and Information Assurance]]></category>

		<guid isPermaLink="false">http://aspirationsoftware.com/?p=1094</guid>
		<description><![CDATA[It seems that the security risk to federal cyber security introduced by a new or emerging technology is inversely proportional to the convenience it offers to industry. Every few years a hot capability comes along that instantly has businesses clamoring to adopt it, while security professionals scramble to discover and address its vulnerabilities. Wireless networking [...]]]></description>
			<content:encoded><![CDATA[<p>It seems that the security risk to federal cyber security introduced by a new or emerging technology is inversely proportional to the convenience it offers to industry.   Every few years a hot capability comes along that instantly has businesses clamoring to adopt it, while security professionals scramble to discover and address its vulnerabilities.  Wireless networking fell into this category, and the rise of Cloud computing over the last few years appears to be just the leading edge in a massive migration towards virtualization and out-sourced data hosting:</p>
<p>An industry unfortunately lacking standardization and oversight, where the uninformed essentially gamble one of their most valuable assets on a table marked with confusing, and sometimes risky, bets.  The “valuable asset” in this analogy is, of course, proprietary data.  Businesses, and even governments, frequently fail to comprehend the true value their data and intellectual property represent to their organization—much less the value that information might have to others:  “Value” cannot always be measured in monetary terms, and oftentimes the value of an object comes not in its positive potential, but in the negative consequences it might produce in the hands of a competitor, criminal, or wary public.</p>
<p>The attraction to the Cloud is undeniable.  Cost savings are frequently realized through the outsourcing of infrastructure, software, technical support, and security controls—assuming those services are effective and reliable.  In fact, a service provider may be able to offer a computing capability far beyond what many companies might otherwise be able to afford:  An outsourced solution is easily scalable, providing a partial or total solution with ready-made growth capability, and it may also offer increased accessibility to data if that is desirable.   With respect to security, for a small or mid-sized company with marginal security to begin with, even a service provider with only modest security features may offer an improvement over the existing system.</p>
<p>When deciding whether or not to outsource it is important for an organization to fully understand and quantify their risk in utilizing the Cloud, starting with a comprehensive assessment of the true value of the data and intellectual property being entrusted to a potential service provider.  In an outsourced solution, an organization is relinquishing direct control of their data, and possibly business processes as well, to an entity for which the element of trust may be unknown or at least undeveloped.  Significant effort should be expended in understanding the details of the service being provided and defining the level of trust obligated by the contractual relationship.  Be wary of Service Level Agreements (SLA) containing contractual elements granting the provider wide latitude and limited liability for the storage or confidentiality of data:  For instance, some SLAs include provisions for sharing data with third parties or rights for marketing.<br />
Key information to collect and consider when comparing service providers will include:</p>
<p>•	Governance, Oversight, and Liability:  When was the service provider’s last assessment, and have they had citations or security breaches in the past?   Is the service provider compliant with applicable regulatory requirements in handling your data?  Are you in compliance with applicable regulatory requirements in outsourcing your data?  What is the provider’s liability and obligation in case of data loss or compromise?</p>
<p>•	Physical and Logical Geography:  Where are the data centers physically located that will be hosting your information, and how will your data be partitioned on the server(s) relative to other data stored by the provider?</p>
<p>•	Security Controls:  How is your data secured, both in transit and in storage?  How, when, and where is your data replicated, and how long is it retained?  How will various security measures impact advertised access and performance characteristics for the service?</p>
<p>•	Physical and Logical Access:  What security policies are in place for access to, and modification of, the data center and your data?  Who will have access to your data?  Possibilities include service-provider employees or administrators, third-party vendors, contractors, as well as officials from governmental, compliance, or oversight bodies.</p>
<p>•	Balance Risk versus Trust:  Evaluate the costs and consequences in the event your data were lost or compromised, and consider maintaining internal control or heightened security measures for that portion of information critical to the organization or the conduct of business.  Such sensitive data might concern proprietary products or processes, intellectual property, privacy information regarding employees or customers, or company financials.</p>
<p>Although various initiatives are underway for establishing uniform standards and oversight bodies for the virtual sector, many such efforts have failed in the past and effective legal and industry standards for Cloud computing appear to be years away from realization.  As tighter security and control requirements do come into play in the industry, it will be interesting to see whether outsourcing remains a cost-efficient and attractive proposition for businesses when weighed against the relative risks.</p>
]]></content:encoded>
			<wfw:commentRss>http://aspirationsoftware.com/indextrusting-the-cloud-%e2%80%93-update-data-hosting-and-virtualization/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Federal Cyber Security and Short URL Vulnerability</title>
		<link>http://aspirationsoftware.com/indexfederal-cyber-security-and-short-url-vulnerability/</link>
		<comments>http://aspirationsoftware.com/indexfederal-cyber-security-and-short-url-vulnerability/#comments</comments>
		<pubDate>Sat, 22 Jan 2011 23:36:12 +0000</pubDate>
		<dc:creator>Admin</dc:creator>
				<category><![CDATA[Cyber Security and Information Assurance]]></category>
		<category><![CDATA[Computer Network Defense]]></category>
		<category><![CDATA[Computer Security]]></category>
		<category><![CDATA[CYBERCOM]]></category>

		<guid isPermaLink="false">http://aspirationsoftware.com/?p=1054</guid>
		<description><![CDATA[Employees of the Federal Government, like many other internet users, are active participants in the many social networks. Users in the Federal Government run the gamut from clerical employees to the President of the United States and their social networking on sites like Twitter, Facebook and LinkedIn increases every day. However, this increased activity has [...]]]></description>
			<content:encoded><![CDATA[<p>Employees of the Federal Government, like many other internet users, are active participants in the many social networks. Users in the Federal Government run the gamut from clerical employees to the President of the United States and their social networking on sites like Twitter, Facebook and LinkedIn increases every day. However, this increased activity has opened the government networks to cyber and botnet attack vulnerability because of the use of short URL links.</p>
<p>Short URL aliases are seen as useful because they are easier to write down, remember or pass around, and are less error-prone to write. One of the largest advantages is that shortened URLs also fit where space is limited. People posting on Twitter make extensive use of shortened URLs to keep their tweets within the service-imposed 140 character limit.</p>
<p>The growth of Twitter and other social media sites has made URL shortening services a welcomed fact of life for many users. Unfortunately, it seems spammers have now taken notice, and are working shortened URLs into their schemes.</p>
<p>Short links are easier to paste or type. The trouble—and abuse—follows because users do not know where these shortened links actually lead until they click them. This is a huge opportunity for abuse. Spammers have already latched onto short URLs to evade traditional filters and infect a number of networks with malware and other malicious files. </p>
<p>Some experts expect to see short URL abuse invade all other forms of Internet communications. The use of shortened URLs is growing geometrically and will continue to see strong growth as social networking sites become even more active. And, according to recent reports, there has been a significant increase in the amount of spam using links concealed with URL shortening services. </p>
<p>This threat is particularly dangerous to government networks, which are large, interrelated, and critical to defense and infrastructure. As more and more government workers use Twitter and other social networks, destructive malicious activity will increase.</p>
<p>Though URL shortening services typically have filters in place, the filters are not foolproof. McAfee recommends using its proprietary URL shortening service&#8211;mcaf.ee. McAfee&#8217;s shortened URLs are scanned and filtered to weed out malware. This does not eliminate malicious links sent to a user.</p>
<p>Another way to avoid malicious attacks hiding behind innocent-looking shortened URLs is using a tool like Tweetdeck that offers an option to reveal the full-length link behind the shortened URL before visiting it. In addition to addressing the short URL problem, Tweetdeck also offers management tools for more efficient social networking.</p>
<blockquote>
<p>Since 2003 Aspiration Software LLC has provided Cyber Security services to the Intelligence Community and the Department of Defense.</p></blockquote>
]]></content:encoded>
			<wfw:commentRss>http://aspirationsoftware.com/indexfederal-cyber-security-and-short-url-vulnerability/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Federal Government Contracting: 7 Characteristics of a Successful Subcontractor</title>
		<link>http://aspirationsoftware.com/indexfederal-government-contracting-7-characteristics-of-a-successful-subcontractor/</link>
		<comments>http://aspirationsoftware.com/indexfederal-government-contracting-7-characteristics-of-a-successful-subcontractor/#comments</comments>
		<pubDate>Tue, 18 Jan 2011 19:04:35 +0000</pubDate>
		<dc:creator>Admin</dc:creator>
				<category><![CDATA[SubContracting and Technical Solutions]]></category>

		<guid isPermaLink="false">http://aspirationsoftware.com/?p=1049</guid>
		<description><![CDATA[Prime contractors that pursue and win major service contracts with the Federal Government often form teams with smaller companies as subcontractors. They do this to broaden their technical offerings, take advantage of subcontractor customer domain knowledge and develop an extensive pool of qualified engineers and technical specialists. Assembling a winning team however requires experience and [...]]]></description>
			<content:encoded><![CDATA[<p>Prime contractors that pursue and win major service contracts with the Federal Government often form teams with smaller companies as subcontractors. They do this to broaden their technical offerings, take advantage of subcontractor customer domain knowledge and develop an extensive pool of qualified engineers and technical specialists.</p>
<p>Assembling a winning team however requires experience and skill and prime contractors look for subs that meet certain defined criteria.  Seven subcontractor characteristics are critical in developing a winning team.</p>
<p><strong>1. </strong><strong>Unique or Exceptional Skills Desired by the Customer</strong></p>
<p>Each customer requirement is unique and in order to develop a winning proposal the team must identify and include team members with the skills the customer requires. Special skills could include expertise in cyber security, advanced software development techniques or system engineering skills.</p>
<p>Examples of this are defining systems requirements for over 8,000 requirements on a major program, utilizing a special Extract Transform Load tool to solve a software development effort and developing a PKI cyber system for a classified customer.</p>
<p><strong>2. </strong><strong>Possess Extensive Customer Domain Knowledge</strong></p>
<p>Knowledge of the customer, its mission and personnel are mandatory prerequisites to winning. It cannot be overemphasized that an intimate understanding of the customer organization and operations offers tremendous advantages.</p>
<p>When a multibillion dollar contract award was made to a large team from a major intelligence agency, special knowledge and relationships of the subcontractor were a major success factor for the team.</p>
<p><strong>3. </strong><strong>Extensive Proposal Preparation Skills and the Ability to Clearly Write and Persuade the Customer</strong></p>
<p>Proposals are a prerequisite to winning a contract and proposal preparation is both an art and a science. In the Request for Proposal (RFP) mandatory requirements are detailed and evaluation criteria are established.</p>
<p>Concise and persuasive proposal writing is required because customer evaluators receive a large number of proposals and summary checklists are often used to score winning proposals. Since proposals often have a number of authors that write in different styles and voices, a subcontractor with strong editing skills can be especially valuable to the team.</p>
<p>The customer, through the proposal process, demands clear and concise solutions and a well written proposal that meets the customer’s needs is a winning document. This can be seen in a recent large IDIQ contractor where the subcontractor wrote one major sample task order (T/O) and edited a second winning T/O. As a result, the team won a major intelligence agency contract award.</p>
<p><strong>4. </strong><strong>Support the Proposal Process and Meet All Data Calls</strong></p>
<p>Value added subcontractors actively support the proposal process by participating in writing technical and management volumes. The process is complex and requires the collection and evaluation of large amounts of data usually developed through data calls on all teammates. The best subcontracting teammates respond to data calls timely with accurate information.</p>
<p>This is particularly true when the proposal is a response to a major multiyear effort. Subcontractors who always respond before the data call due dates generally gain a larger percentage of work share. Subcontractors with a reputation for performance on data calls are often invited to join teams for new projects.</p>
<p><strong>5. </strong><strong>Develop Aggressive Pricing</strong></p>
<p>Large government projects are competitive and all teammates need to develop aggressive pricing.</p>
<p>Fringe, overhead and G&amp;A forward pricing must be carefully and accurately developed and the customer usually reserves the right to review prices and cost buildup. The best subcontractor teammates understand government pricing models and requirements and eliminate excess costs from their proposals.</p>
<p>One successful subcontractor offers separate benefits packages based upon market demands that allow aggressive pricing and a more competitive cost proposal. This strategy has resulted in a number of team wins.</p>
<p><strong>6. </strong><strong>Use Customer Knowledge to Shape and Win Task Orders</strong></p>
<p>For many large contracts of the IDIQ (Indefinite Delivery, Indefinite Quantity) type, competitive task orders are released that winners must also bid on. The most effective way to win task orders is to interface with the customer, understand its needs and influence the specification of the requirements in a way that teammates can best respond and win.</p>
<p>Subcontractors with marketing knowledge of the customer requirements and who interface regularly with the customer are able to raise the win percentages (PWIN) for awards.</p>
<p>As an example, one small contractor was so entrenched with the customer base of a large intelligence agency that a large contractor bought the company and, as a result, won a multibillion dollar contract award.</p>
<p><strong>7. </strong><strong>A Teammate must be an Aggressive Recruiter</strong></p>
<p>For services contracts the subcontractor must be able to recruit and hire the best qualified individual quickly and cost effectively.</p>
<p>One example of a successful recruiting partner is a subcontractor that has invested in recruiting technology and personnel that enable the building of an available pipeline of skilled candidates with required clearances for contracts with the Intelligence Community.</p>
<p>Those teams that add subcontractors that add real value have greatly improved chances of winning major contracts.</p>
<p>Large government contracts are competitive and winning proposals can be very costly. The best winning proposals are a team effort and the best subcontractors on the team meet or exceed the criteria detailed above.</p>
]]></content:encoded>
			<wfw:commentRss>http://aspirationsoftware.com/indexfederal-government-contracting-7-characteristics-of-a-successful-subcontractor/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Federal Cyber Security and Executive Mobility</title>
		<link>http://aspirationsoftware.com/indexfederal-cyber-security-and-executive-mobility/</link>
		<comments>http://aspirationsoftware.com/indexfederal-cyber-security-and-executive-mobility/#comments</comments>
		<pubDate>Fri, 14 Jan 2011 20:19:59 +0000</pubDate>
		<dc:creator>Admin</dc:creator>
				<category><![CDATA[Cyber Security and Information Assurance]]></category>
		<category><![CDATA[Computer Network Defense]]></category>
		<category><![CDATA[Computer Security]]></category>
		<category><![CDATA[Cyber Terrorism]]></category>
		<category><![CDATA[CYBERCOM]]></category>
		<category><![CDATA[Information Assurance]]></category>

		<guid isPermaLink="false">http://aspirationsoftware.com/?p=1044</guid>
		<description><![CDATA[by Jon M. Stout January 12, 2011 As the Federal Government grows larger and larger, the vulnerability to cyber attack of its agency systems grows geometrically. And, since the entire network of diverse agencies and users is becoming more integrated, multiple access points open the entire system to attack. Although the government is aware of [...]]]></description>
			<content:encoded><![CDATA[<p>by</p>
<p>Jon M. Stout</p>
<p>January 12, 2011</p>
<p>As the Federal Government grows larger and larger, the vulnerability to cyber attack of its agency systems grows geometrically. And, since the entire network of diverse agencies and users is becoming more integrated, multiple access points open the entire system to attack.</p>
<p>Although the government is aware of the threats and is taking action, often this has inhibited the productivity of several agencies while concurrently causing the use of remote unsecure devices that increase cyber risk.</p>
<p>The administration has made cyber security a priority. Many federal executives however, find they are inhibited by cumbersome cyber security procedures and policies at their agency in the areas of information access, computing functionality, and mobility. Agency measures often create cyber security-related obstacles, such as being forced to access information at home and disrupted communication with other employees. As a result, productivity suffers. While cyber attackers are innovative and nimble, federal agency response remains rule bound and out of date.</p>
<p>The resultant cyber security measures, often more bureaucratic than threat responsive, restrict access to websites and webmail accounts that can be helpful to federal executives. Restricting these types of information sources often negatively impacts the efficiency with which executives do their jobs. Agency personnel often encounter slow-loading websites, delayed login times, tedious email downloads, and long file download times.</p>
<p>In order to maintain productivity, federal executives and staff frequently resort to less secure practices when cyber security restrictions prevent access to information they need for their jobs. The most prevalent alternative method of accessing information is the use of non-agency devices like USB thumb drives, random media and unprotected wireless devices. Cyber attackers can use these unprotected devices to wreak havoc with otherwise protected networks.</p>
<p>Federal executives frequently work outside agency buildings. Recent surveys show that approximately half of those responding do at least some work at home or on travel. To facilitate working outside the office, federal agencies often provide them with a mobile device; and many executives have an agency-provided laptop. Many of these devices lack the necessary cyber security precautions.</p>
<p>Since federal executives generally believe access to information is the most important factor to consider when contemplating changes to cyber security policy, it follows that respondents most frequently identify access to information inhibited by cyber security measures as a major cause of lower productivity at their agency.</p>
<p>Agencies must realize that, in order to increase productivity, executives and key employees need to work offsite with mobile devices. New measures that add security to these devices are required without sacrificing productivity.</p>
<p>More relevant, coordinated and timely cyber policies are required at all federal agencies.  In addition to information access, many federal executives believe a host of considerations—including response time, agency mission, and computing functionality—should be taken into account to improve cyber security policies in the federal space.</p>
]]></content:encoded>
			<wfw:commentRss>http://aspirationsoftware.com/indexfederal-cyber-security-and-executive-mobility/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Cyber Command Fact Sheet</title>
		<link>http://aspirationsoftware.com/indexcyber-command-fact-sheet/</link>
		<comments>http://aspirationsoftware.com/indexcyber-command-fact-sheet/#comments</comments>
		<pubDate>Fri, 26 Nov 2010 21:40:37 +0000</pubDate>
		<dc:creator>Admin</dc:creator>
				<category><![CDATA[Cyber Security and Information Assurance]]></category>

		<guid isPermaLink="false">http://aspirationsoftware.com/?p=1032</guid>
		<description><![CDATA[U.S. Cyber Command On June 23, 2009, the Secretary of Defense directed the Commander of U.S. Strategic Command to establish USCYBERCOM. Initial Operational Capability (IOC) was achieved on May 21, 2010. Formal Command Name U.S. Cyber Command (USCYBERCOM or CYBERCOM) Commander General Keith B. Alexander Mission USCYBERCOM plans, coordinates, integrates, synchronizes, and conducts activities to: [...]]]></description>
			<content:encoded><![CDATA[<h3>U.S. Cyber Command</h3>
<p>On June 23, 2009, the Secretary of Defense directed the Commander of U.S. Strategic Command to establish USCYBERCOM. Initial Operational Capability (IOC) was achieved on May 21, 2010.</p>
<p><strong>Formal Command Name</strong><br />
U.S. Cyber Command (USCYBERCOM or CYBERCOM)</p>
<p><strong>Commander</strong><br />
<a href="http://www.nsa.gov/about/leadership/bio_alexander.shtml" target="_blank">General Keith B. Alexander</a></p>
<p><strong>Mission</strong><br />
USCYBERCOM plans, coordinates, integrates, synchronizes, and conducts activities to: direct the operations and defense of specified Department of Defense information networks and; prepare to, and when directed, conduct full-spectrum military cyberspace operations in order to enable actions in all domains, ensure US/Allied freedom of action in cyberspace and deny the same to our adversaries.</p>
<p><strong>Focus</strong><br />
USCYBERCOM will fuse the Department’s full spectrum of cyberspace operations and will plan, coordinate, integrate, synchronize, and conduct activities to: lead day-to-day defense and protection of DoD information networks; coordinate DoD operations providing support to military missions; direct the operations and defense of specified DoD information networks and; prepare to, and when directed, conduct full spectrum military cyberspace operations. The command is charged with pulling together existing cyberspace resources, creating synergy that does not currently exist and synchronizing war-fighting effects to defend the information security environment.</p>
<p>USCYBERCOM will centralize command of cyberspace operations, strengthen DoD cyberspace capabilities, and integrate and bolster DoD’s cyber expertise. Consequently, USCYBERCOM will improve DoD’s capabilities to ensure resilient, reliable information and communication networks, counter cyberspace threats, and assure access to cyberspace. USCYBERCOM’s efforts will also support the Armed Services’ ability to confidently conduct high-tempo, effective operations as well as protect command and control systems and the cyberspace infrastructure supporting weapons system platforms from disruptions, intrusions and attacks.</p>
<p><strong>Organization</strong><br />
USCYBERCOM is a sub-unified command subordinate to U.S. Strategic Command (USSTRATCOM). Service Elements include Army Forces Cyber Command (ARFORCYBER); 24th USAF; Fleet Cyber Command (FLTCYBERCOM); and Marine Forces Cyber Command (MARFORCYBER).</p>
<p><strong>Seal</strong><br />
The eagle, our national symbol, is revered for the keen eyesight that allows it to pierce the darkness and remain vigilant to protect us.</p>
<p><strong>Forces</strong><br />
USCYBERCOM is a sub-unified command subordinate to USSTRATCOM. Service Elements include:</p>
<ul>
<li>USA – Army Forces Cyber Command (ARFORCYBER)</li>
<li>USAF – 24th USAF</li>
<li>USN – Fleet Cyber Command (FLTCYBERCOM)</li>
<li>USMC – Marine Forces Cyber Command (MARFORCYBER)</li>
</ul>
<p><strong>Point of Contact</strong><br />
U.S. Cyber Command Public Affairs<br />
(301) 688-6584<br />
<a href="http://www.defense.gov/cyber" target="_blank">http://www.defense.gov/cyber</a></p>
<p>(Current as of October 2010)</p>
]]></content:encoded>
			<wfw:commentRss>http://aspirationsoftware.com/indexcyber-command-fact-sheet/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Federal Cyber Security: Are We Winning or Losing?</title>
		<link>http://aspirationsoftware.com/indexfederal-cyber-security-are-we-winning-or-losing/</link>
		<comments>http://aspirationsoftware.com/indexfederal-cyber-security-are-we-winning-or-losing/#comments</comments>
		<pubDate>Tue, 09 Nov 2010 17:16:22 +0000</pubDate>
		<dc:creator>Admin</dc:creator>
				<category><![CDATA[Cyber Security and Information Assurance]]></category>
		<category><![CDATA[Computer Network Defense]]></category>
		<category><![CDATA[Computer Security]]></category>
		<category><![CDATA[Cyber Terrorism]]></category>
		<category><![CDATA[Information Assurance]]></category>

		<guid isPermaLink="false">http://aspirationsoftware.com/?p=1022</guid>
		<description><![CDATA[Aspiration Software LLC has over 10 years experience in the Intelligence Community and the Department of Defense providing high quality Information Technology, Systems Engineering and Cyber Security solutions. Our core capabilities include: Software Development and Systems Integration: Database Development: Cyber Security and Information Assurance: by Jon M. Stout November 9, 2010 At the recent Security [...]]]></description>
			<content:encoded><![CDATA[
<p>by<br />
Jon M. Stout<br />
November 9, 2010</p>
<p>At the recent Security Innovation Network (SINET) event held in Washington, D.C., a sober assessment of our nation’s capacity to maintain an adequate cyber defense emerged.</p>
<p>The state of our cyber defense was summarized by Michael Chertoff, former Secretary of the Department of Homeland Security, when he concluded that it may take “a digital 9-11” to get business, consumers and governments to fortify their cyber security defenses. In effect we are fighting an asymmetrical war and, at present, we appear to be losing.</p>
<p>Echoing this theme, Mr. Vivek Wadhwa, a respected cyber security analyst, argues, “Government simply can’t innovate fast enough to keep pace with the threats and dynamics of the Internet or Silicon Valley’s rapidly changing technologies.”</p>
<p>Wadhwa goes on to point out that innovative entrepreneurial technology advancements are needed but that the government, because of its overwhelming dependence on large contractors, is not equipped to take advantage of new and powerful cyber defense technology.</p>
<p>Wadhwa concludes that true innovation developed through smaller entrepreneurial firms is being stifled by Federal Government procurement practices.</p>
<p><strong>The Federal Government Acquisition Strategy is Inadequate:</strong></p>
<p>Although Wadhwa’s argument focuses only on technology development, it applies equally to service providers who adapt new technology to new and improving defensive tactics such as vulnerability assessment, analysis of threats and remedial action.</p>
<p>Since effective defense against cyber attacks is an ongoing process of monitoring and taking coercive action, the role of services and the cyber warrior is also critical, and outdated Federal buying patterns are equally harmful.</p>
<p>Much of the problem stems from the present buying and acquisition patterns of the government. For years now the government has preferred to bundle requirements into large “omnibus” or IDIQ contracts (with negotiated task orders) that favor the largest contractors but stifle innovation and flexibility. Cyber security requirements are treated on a like basis with information technology requirements, and this is a mistake.</p>
<p>In addition, recent Congressional contracting “reforms” have encouraged protest actions on new contracts and task orders for both new and existing contracts, resulting in a significant delay of the procurement process. In the fast-evolving world of cyber security, delayed deployment of often obsolete technology solutions increases the risk of a successful attack.</p>
<p>Because these contracts are extremely large, they require many levels of approval—usually by Congress or senior administration officials. It typically takes 3-4 years for government to award these, and successful bidders frequently have to go through a grueling “certification” process to get approved to bid. Proposal efforts for large bundled contracts cost millions of dollars, both to prepare and to lobby government officials and political leaders in order to win.</p>
<p>Because of buying patterns that are slanted toward large, slower-moving contractors, new technology required to meet the multitude of cyber threats will be ignored in the coming years. This puts the nation at risk.</p>
<p>Small contractors are often overlooked in favor of large contractors who frequently use contract vehicles to provide services and solutions that are often out of date in the rapidly changing cyber world.</p>
<p>Startups can’t wait this long or afford the cost of bidding. But it is not enough to demonize large contractors when the root cause lies in how the government procures technology.</p>
<p>In order to remedy this problem, an overhaul of the acquisition and procurement process is required to level the playing field for small cyber security companies: it must be made easier for startups and small service providers to bid for government contracts.</p>
<p>One effective way to do this is to unbundle the cyber requirements for IT acquisitions and use more small business set-asides for contract awards. In addition, protests at the General Accounting Office must be discouraged and reserved only for obvious abuses of the contracting process.</p>
<p>Procurement times should be reduced to months rather than years; some projects should be done in smaller steps so that the major contractors, whose goal is often revenue maximization and placing unqualified bench staff, aren’t the only ones qualified to complete them.</p>
<p>Cyber attacks on our sensitive infrastructure and government agencies have increased significantly. We need the latest technology and best tools in order to win the cyber war.</p>
]]></content:encoded>
			<wfw:commentRss>http://aspirationsoftware.com/indexfederal-cyber-security-are-we-winning-or-losing/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Cyber Security Federal Government: Threats</title>
		<link>http://aspirationsoftware.com/indexcyber-security-federal-government-threats/</link>
		<comments>http://aspirationsoftware.com/indexcyber-security-federal-government-threats/#comments</comments>
		<pubDate>Tue, 26 Oct 2010 21:02:31 +0000</pubDate>
		<dc:creator>Admin</dc:creator>
				<category><![CDATA[Cyber Security and Information Assurance]]></category>

		<guid isPermaLink="false">http://aspirationsoftware.com/?p=939</guid>
		<description><![CDATA[Aspiration Software LLC has over 10 years experience in the Intelligence Community and the Department of Defense providing high quality Information Technology, Systems Engineering and Cyber Security solutions. Our core capabilities include: Software Development and Systems Integration: Database Development: Cyber Security and Information Assurance: October 26, 2010 The Federal Government, like all extremely large networks, [...]]]></description>
			<content:encoded><![CDATA[
<p>October 26, 2010</p>
<p>The Federal Government, like all extremely large networks, faces a variety of cyber threats, but because of the potential damage to the entire nation resulting from a devastating cyber attack, these threats require greater attention.</p>
<p>In addition, the complexity of the federal network and the increasing interconnectivity of individual agencies’ networks create immense vulnerability.</p>
<p>The wide variety of threats and the rapid advance of techniques that hackers use need to be constantly reviewed and monitored by cyber security professionals.</p>
<p>Although more than 90% of the networks in the United States are controlled by the private sector, the remaining 10%, the government networks, contain information that some feel is more vital to the survival of the nation.</p>
<p>Federal agencies routinely and continuously interact with each other as well as with industry, private citizens, state and local governments, and the governments of other nations. As the IT infrastructure expands to a global scale, “cyberspace” has grown dramatically, and new applications and services, as well as the risk of cyber attack, increase.</p>
<p><strong><em>Insiders and Social Engineering</em></strong></p>
<p>The key to malicious or hostile activities in cyberspace is either open or secret access to networked systems and information. Enabling access through the use of insiders can make the cyber criminal’s job easy.</p>
<p>While posing a threat for all networks, insider access is, ironically, also enabled by overly restrictive barriers on many Federal networks that have caused a number of managers to work offsite and open the network to circumvention of cyber barriers.</p>
<p>While external hacking provides a path for malicious activity, insider (physical or logical) access to the network can facilitate attacks. An offensive operation may involve simply copying information to a portable medium (e.g. a USB drive) that can be carried from the premises. A single well-placed, knowledgeable insider can also exploit IT systems to disrupt local infrastructure and bring down an infected system.</p>
<p><strong><em>Low Technology Threats</em></strong></p>
<p>Threats need not be highly sophisticated but they can be dangerous.</p>
<p>One of the most devastating attacks on the Department of Defense networks, for example, occurred in 2008 when a virus was introduced through an infected thumb (USB) drive and rapidly caused significant damage throughout a major defense network.</p>
<p>This form of social engineering, whereby individuals who use the network deliberately or unknowingly introduce malware into otherwise secure networks, is perhaps the greatest area of vulnerability facing all networks today, and government networks are no exception. Use of technology cannot overcome lack of diligence or disciplined operating procedures.</p>
<p>Other examples of devastating low technology threats include exchanging passwords, inappropriate net surfing, utilizing unauthorized peripherals, and indiscriminate Wi-Fi use.</p>
<p><strong><em>Outsourcing</em></strong></p>
<p>The IT outsourcing trend that affects activities ranging from computer help desks and data processing to Research and Development can increase the exposure of an organization’s systems and information to cyber attack. Outsourcing of services, to either foreign or domestic suppliers, increases risk by reducing control over access to systems, information and sensitive databases. In this environment, aggressive and effective cyber security technologies are imperative.</p>
<p><strong><em>Supply Chain Attacks</em></strong></p>
<p>Potential attacks through subversion of hardware or software supply chains can be viewed as another type of insider threat. A software supply chain attack might involve, for example, a subversion embedded in lower-level system software not likely to be evaluated during beta testing.</p>
<p>Another approach is to subvert the master copy of software used for broad distribution. Even if software is routinely tested, subversions may be difficult to detect since they would typically be revealed only under circumstances difficult for a defender to discover.</p>
<p><strong><em>Industrial Espionage</em></strong></p>
<p>Technically savvy companies have the potential to capitalize on inadequate IT system security to engage in cyber espionage against the U.S. government and domestic corporations, primarily to collect science and technology information that could provide economic or strategic military benefits.</p>
<p>Some of these companies have considerable technical expertise and signals intelligence capabilities and have a strong presence in U.S. IT product markets – including microchips, telecommunications systems, and encryption products.</p>
<p>One consequence of the current espionage climate is that travelers with laptops and other electronic devices risk having information stolen in such locations as airports and hotels.</p>
<p><strong><em>State-Sponsored Espionage</em></strong></p>
<p>Gaining access to well-protected information or systems in closed networks remains a resource-intensive effort involving traditional espionage tradecraft. Such operations do not require the simultaneous access to large numbers of systems needed for a strategic military attack and thus are available to a much larger array of foreign adversaries.</p>
<p>Foreign governments for decades have successfully recruited agents in the U.S. government with access to computer systems and cryptographic information. Foreign agents have also established technology companies in this country and sometimes served as subcontractors on U.S. defense contracts to obtain access to technology.</p>
<p>Some governments now have the operational and technical expertise for more aggressive and sophisticated cyber espionage. U.S. counterintelligence efforts have uncovered an increasing number of such activities by foreign intelligence services, including past and ongoing espionage operations directed against critical U.S. military installations, critical infrastructure and other government systems.</p>
<p><strong><em>Enterprise and Network Infrastructure Threats</em></strong></p>
<p>Attacks against web applications constitute more than 60% of the total attack attempts observed on the Internet. These vulnerabilities are being exploited widely to convert trusted web sites into malicious sites serving content that contains client-side exploits.</p>
<p>Web application vulnerabilities such as SQL injection and cross-site scripting flaws in open-source as well as custom-built applications account for more than 80% of the vulnerabilities being discovered.</p>
<p>There are two main avenues for exploiting and compromising web servers: brute force password guessing attacks and web application attacks. Microsoft SQL, FTP, and SSH servers are popular targets for password guessing attacks because of the widespread access that is gained if a valid username/password pair is identified.</p>
<p>SQL Injection, Cross-site Scripting and PHP File Include attacks continue to be the three most popular techniques used for compromising web sites. Automated tools designed to target custom web application vulnerabilities enable widespread attacks and damage.</p>
<p><strong><em>Application Threats</em></strong></p>
<p>Waves of targeted email attacks, often called spear phishing, are exploiting client-side vulnerabilities in commonly used programs such as Adobe PDF Reader, QuickTime, Adobe Flash and Microsoft Office.</p>
<p>This is currently the primary initial infection vector used to compromise computers that have Internet access. Those same client-side vulnerabilities are exploited by attackers when users visit infected web sites.</p>
<p>Because visitors often feel safe downloading documents from the trusted sites, they are often fooled into opening files that exploit client-side vulnerabilities. The victims&#8217; infected computers are then used to propagate the infection and compromise other internal computers and sensitive servers. Compromised systems called Botnets have proliferated throughout the world and particularly the United States.</p>
<p>Although reputable software developers disseminate a steady supply of patches to close vulnerabilities, on average, major organizations take at least twice as long to patch client-side vulnerabilities as they take to patch operating system vulnerabilities.</p>
<p>During the last few years, the number of vulnerabilities being discovered in applications has been far greater than the number of vulnerabilities discovered in operating systems.</p>
<p><strong><em>Wireless Threats</em></strong></p>
<p>The ease and pervasive use of Wi-Fi devices offers a good opportunity for widespread destructive cyber attacks. Wi-Fi devices are ubiquitous in a number of industries. Some of the threats to Wi-Fi networks include:</p>
<ul>
<li>Complete access to files on the server</li>
<li>Stolen passwords and intercepted e-mails</li>
<li>Back door entry to wired networks</li>
<li>Vulnerability to DDoS attacks</li>
<li>Violations of user privacy</li>
<li>Creation of “Zombie” servers</li>
<li>Aggressive “Spamming”</li>
</ul>
<p>Since Wi-Fi operates on the airwaves, the data passed is virtually unprotected and offers tremendous opportunities to cyber criminals.</p>
<p><strong><em>Operating System Attacks</em></strong></p>
<p>Operating systems continue to have fewer remotely exploitable vulnerabilities that lead to massive Internet worms.</p>
<p>Other than Conficker/Downadup, no new major worms for OSs have appeared. Even so, the number of attacks against buffer overflow vulnerabilities in Windows recently tripled, and these attacks constitute over 90% of attacks seen against the Windows operating system.</p>
<p><strong><em>Rising Numbers of Zero-Day Vulnerabilities </em></strong></p>
<p>Studies show that world-wide there has been a significant increase in the number of people discovering zero-day vulnerabilities, as measured by multiple independent teams discovering the same vulnerabilities at different times. Some vulnerabilities have remained unpatched for as long as two years.</p>
<p>There is a corresponding shortage of highly skilled cyber warriors and vulnerability researchers working for government and software vendors. So long as that shortage exists, the defenders will be at a significant disadvantage in protecting their systems against zero-day attacks.</p>
<p><strong><em>High Risk Attacks</em></strong></p>
<p>These categories are Server-Side HTTP attacks, Client-Side HTTP attacks, PHP Remote File Include, Cross-site Scripting attacks, and finally SQL Injection attacks.</p>
<p>The SQL Injection attacks that compose this category include &#8220;SQL Injection using SELECT SQL Statement&#8221;, &#8220;SQL Injection Evasion using String Functions&#8221;, and &#8220;SQL Injection using Boolean Identity&#8221;.</p>
<p>SQL Injection on the Internet can be divided into two sub-categories: Legitimate SQL Injection and Malicious SQL Injection. Many web applications on the Internet still use &#8220;SQL Injection&#8221; for their normal functionality. It should be noted that this is only a difference in intent.</p>
<p>There are many ways to protect against these attacks through development of software defenses and increased vigilance by system administrators, but the Federal Government system, because of its size, interconnectivity and strategic nature, does not have the resources to properly cope with a coordinated attack.</p>
<p>And, due to the extreme ease with which these attacks are carried out, and the enormous benefit of a successful attack, attacks such as these are likely to remain popular for some time.</p>
<p><strong><em>Application Patching is Much Slower than Operating System Patching</em></strong></p>
<p>As vulnerabilities are identified, developers address the security need by offering patch downloads to correct the problems. Operating systems developers, however, are currently more effective in supplying patches through regular updates that are pushed through to users.</p>
<p>Many vulnerabilities, primarily those found in applications, receive less attention and get patched on a much slower timeline. Some of these applications, such as Microsoft Office and Adobe Reader, are very widely installed and so expose the many systems they run on to long-lived threats.</p>
<p><strong><em>Other Trends</em></strong></p>
<p>Many malicious code attacks are “blended threats” that exploit multiple vulnerabilities or propagate via multiple means. Among these new classes of threats are adaptive or mutating threats, which, like many viruses that affect the human body, are able to change their characteristics and appearance in order to avoid detection and elimination.</p>
<p>Attacks can exploit operating systems, other software applications, software running on hardware components (e.g., routers and firewalls), or more infrequently, the hardware components themselves. Cryptographic attacks to undermine encryption-based security processes might attempt to exploit one or more of these avenues of attack.</p>
<p>Hacking crews and individuals are increasingly working together around the globe in virtual, anonymous networks of specialists in different types and parts of attacks, such as propagation speed, denial of service, password logging, and data theft.</p>
<p>An increasing number of adversaries are developing new options for penetrating the security of the United States through cyberspace, creating damage as well as conducting espionage. Cyberspace provides easily accessed and clear avenues along with the prospect of anonymity.</p>
<p>Foreign governments, hackers, and industrial spies are constantly attempting to obtain information and access through clandestine entry into computer networks and systems by intruding into closed and protected systems to steal secrets and proprietary information.</p>
<p>Because innocent users can unwittingly spread malware through infected systems called botnets, attribution to the real villains is difficult. Attackers discovered in other countries, moreover, cannot easily be brought to justice under U.S. laws, and their conduct may not even be illegal in the jurisdiction in which they are operating.</p>
<p>These trends are exacerbated because the network and system redundancy, diversity, and excess capacity that traditionally contributed to IT infrastructure resilience are decreasing with time, in part due to economic pressures. Federal agency personnel concerned with cyber security and information assurance view this factor as a key contributor to increased cyber vulnerability.</p>
<p><strong><em>Federal Cyber Security Priority</em></strong></p>
<p>Although any existing network is vulnerable to many of the threats listed, those attacks that affect the networks of the Federal Government can cause the greatest damage for the minimum amount of effort and cost. When the National Security and Infrastructure of the entire country are at stake, extra cyber security efforts are required.</p>
<p>After a slow start that included excessive bureaucracy, cumbersome reporting, duplication of effort and lack of clear direction, the Federal Government has refocused and is starting to make limited advances. Critical to this effort were the formation of Cyber Command and the reconciliation of the roles of the new Cyber Command and the Department of Homeland Security for a more focused cyber defense.</p>
]]></content:encoded>
			<wfw:commentRss>http://aspirationsoftware.com/indexcyber-security-federal-government-threats/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Domain Name System (DNS) and Cyber Security Vulnerability</title>
		<link>http://aspirationsoftware.com/indexdomain-name-system-dns-and-cyber-security-vulnerability/</link>
		<comments>http://aspirationsoftware.com/indexdomain-name-system-dns-and-cyber-security-vulnerability/#comments</comments>
		<pubDate>Sun, 10 Oct 2010 20:42:13 +0000</pubDate>
		<dc:creator>Admin</dc:creator>
				<category><![CDATA[Cyber Security and Information Assurance]]></category>
		<category><![CDATA[DNS Vulnerability]]></category>
		<category><![CDATA[Information Assurance]]></category>

		<guid isPermaLink="false">http://aspirationsoftware.com/?p=922</guid>
		<description><![CDATA[Aspiration Software LLC has over 10 years experience in the Intelligence Community and the Department of Defense providing high quality Information Technology, Systems Engineering and Cyber Security solutions. Our core capabilities include: Software Development and Systems Integration: Database Development: Cyber Security and Information Assurance: DNS- At the Heart of the Internet It is safe to [...]]]></description>
			<content:encoded><![CDATA[
<p><span style="text-decoration: underline;">DNS- At the Heart of the Internet</span></p>
<p>It is safe to say that without the Domain Name System (DNS), the Internet would not be the force it is today.</p>
<p>In the early days of the Internet, users trying to reach another host on the network were required to input lengthy IP number strings (e.g., 74.125.45.105, a listed IP address for Google). As the Internet grew, number strings became cumbersome and unworkable, as most users could not consistently remember the proper sequencing of random numbers.</p>
<p>To simplify this process, a solution was developed based on a flat file that paired each IP address with a comparatively easy-to-remember common language address (e.g., Amazon.com, YouTube.com, and Twitter.com) that provided ease of use.</p>
<p>By the late 1980s, the flat file had evolved to the Domain Name System (DNS) in use today—a system that is open, distributed, and expands as users, enterprises, Internet Service Providers (ISPs) and domains appear on the network. Ease of use and expandability was the goal but, since cyber security attacks and malware were virtually unknown, DNS security was not a priority.</p>
<p>DNS is effective and works in the background of search activity. Internet users expect that when they type in a URL or e-mail address, they will be connected to the correct Web site or e-mail box. Many commercial companies developed brand strategies based on this in order to use the Internet’s reach to develop more customers and increase sales/revenue. Most of these companies adopted a .com or .net extension. The Federal government adopted a .gov or .mil extension.</p>
<p><span style="text-decoration: underline;">DNS Brand Implications</span></p>
<p>The functionality of DNS opened the branding world to the Internet. Common names became commonplace brands (e.g. Google, Bing, Amazon, and eBay) and powerful strategies were developed to market brands on the Internet.</p>
<p>An entirely new marketing strategy called Search Engine Marketing (SEM) developed whereby keyword searches and positioning on search pages developed into a major industry. Premier placing on the first page of a search engine gave the recipient an advantage for more business versus the competition.</p>
<p>Google became a multi-billion dollar concern by developing algorithms that enabled effective and powerful key word searches. Web based purchases supported by easy, convenient key word searches now account for 20-30% of all retail business and the web based e-commerce market share continue to enjoy strong growth. DNS is an integral part of this success. But as traffic on the Internet grew, the entire net became vulnerable to Cyber attacks. A good portion of this vulnerability can be attributed to the inherent vulnerability of DNS.</p>
<p><span style="text-decoration: underline;">DNS is inherently Insecure </span></p>
<p>The original design of the Domain Name System (DNS) did not include robust security features; instead it was designed to be a scalable and open distributed system with backwards compatibility, and attempts to add security were rudimentary and did not keep pace with the skills of malicious hackers.</p>
<p>Security may top the list of priorities for enterprise and network administrators, but too often the link between security vulnerability and DNS is neither understood nor appreciated. In order to enhance security and defend against cyber attacks, government agencies, commercial enterprises and network administrators must acknowledge the importance of DNS to the secure operation of the Internet.</p>
<p>Consequently, any commercial company that uses the Internet for sales, service, marketing or logistics, as well as Internet Service Providers (ISPs) and large, strategically sensitive government networks need to be aware of DNS vulnerability.</p>
<p>As the Internet expands in terms of users, devices and traffic, so does the opportunity for sophisticated DNS mayhem—whether malicious (hacking), aggravating (spam) or illegal (accessing sites containing content that violates legal and regulatory mandates).</p>
<p>Enterprises and ISPs must protect their users and networks—sometimes from the amateur hacker but increasingly from organized crime and state sponsored cyber terrorism.</p>
<p>The Internet is also growing by an order of magnitude, and just about every user of the Internet is directly affected by the Domain Name System (DNS), which is an essential part of the Internet. Many Internet security mechanisms, including host access control and defenses against spam and phishing, implicitly or explicitly depend on the integrity of the DNS infrastructure and DNS servers.</p>
<p><span style="text-decoration: underline;">DNS Servers</span></p>
<p>BIND (Berkeley Internet Name Daemon, or sometimes Berkeley Internet Name Domain) is one of the most commonly used Domain Name System (DNS) servers on the Internet, and still proclaims itself to be so.</p>
<p>Presently, BIND is the standard DNS server. It is a free product and is distributed with most UNIX and Linux platforms. Historically, BIND underwent three major revisions, each with significantly different architectures: BIND4, BIND8, and BIND9. BIND4 and BIND8 are now obsolete. BIND9 is a ground-up rewrite of BIND featuring complete Domain Name System Security Extensions (<a title="Domain Name System Security Extensions" href="http://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions">DNSSEC</a>) support in addition to other features and enhancements. But even with the rewrite, many consider BIND vulnerable.</p>
<p>The Internet Systems Consortium has also started development of a new version, BIND 10. Its first release was in April 2010, and the project is expected to take five years to complete.</p>
<p>BIND 4 and BIND 8 have had a large number of serious security vulnerabilities over the years and as such their use is now strongly discouraged. While BIND 9 was a complete rewrite, it has still experienced several vulnerabilities.</p>
<p>Although BIND is still the de facto DNS software because it is included by most UNIX based server manufacturers, a number of other developers have produced DNS Server software that addresses the inherent weaknesses of BIND. Ratings of these packages can be found on <a href="http://www.kb.cert.org/vuls/">http://www.kb.cert.org/vuls/</a></p>
<p><span style="text-decoration: underline;">Common Vulnerabilities: Cache Poisoning and Distributed Denial of Service</span></p>
<p>DNS vulnerabilities open the affected networks to various types of cyber attacks, but cache poisoning and DDoS attacks are usually the most common.</p>
<p>Cache poisoning is arguably the most prominent and dangerous attack on DNS. DNS cache poisoning results in a DNS resolver storing (i.e., caching) invalid or malicious mappings between symbolic names and IP addresses. Because the process of resolving a name depends on authoritative servers located elsewhere on the Internet, the DNS protocol is intrinsically vulnerable to cache poisoning.</p>
<p>A denial-of-service attack (DoS attack) or distributed denial-of-service attack (DDoS attack) is focused on making a computer resource unavailable to its intended users. A DDoS attack consists of a concerted effort to prevent an Internet site or service from functioning efficiently or at all.</p>
<p>Perpetrators of DoS attacks typically target sites or services hosted on high-profile web servers such as government agencies, banks, credit card payment gateways, and even root nameservers. The term is generally used with regard to computer networks.</p>
<p>Until effective solutions are developed that reduce DNS vulnerabilities, cyber attacks will increase, particularly as new protocols expand the reach of the Internet.</p>
<p><span style="text-decoration: underline;">Internet Protocol Version 6 (IPv6)</span></p>
<p>The Internet is rapidly running out of capacity, and the solutions to this problem, in the form of expanded Internet Protocols, may create additional vulnerability. The result is a phenomenon known as IPv4 address exhaustion, in which available Internet space disappears.</p>
<p>Internet Protocol Version 6 (IPv6) is designed to succeed Internet Protocol version 4 (IPv4), the first publicly used Internet Protocol in operation since 1981. IPv6 is an Internet Layer protocol for packet-switched internetworking. The main driving force for the redesign of Internet Protocol was the foreseeable IPv4 address exhaustion. In effect, without new protocols, the Internet will run out of capacity.</p>
<p>IPv6 has a significantly larger address space than IPv4, based on the use of a 128-bit address. The present IPv4 uses 32 bits. This expansion provides flexibility in allocating addresses and routing traffic and eliminates the primary need for network address translation (NAT), which gained widespread deployment as an effort to alleviate IPv4 address exhaustion.</p>
<p>IPv6 protocol expansion also opens new vulnerability for malicious cyber attacks as more and more users and applications gain access to the Internet.</p>
<p><span style="text-decoration: underline;">DNSSEC</span></p>
<p>Some analysts believe that the Domain Name System Security Extensions (DNSSEC) provide an effective and comprehensive solution for DNS vulnerability issues. This is not the case, however.</p>
<p>DNSSEC enables the use of digital signatures that can be used to authenticate DNS data that is returned in query responses. This will help to combat attacks such as pharming, cache poisoning, and DNS redirection that are used to commit fraud and identity theft and to distribute malware, but it does not guarantee secure data.</p>
<p>DNSSEC was designed to protect Internet resolvers (clients) from forged DNS data, such as that created by cache poisoning. All answers in DNSSEC are digitally signed. By checking the digital signature, a DNS resolver is able to check if the information is identical to the information on the authoritative DNS server.</p>
<p>DNSSEC does not provide confidentiality of data: DNSSEC responses are authenticated but not encrypted. DNSSEC does not protect against DoS attacks.</p>
<p>It is widely believed that securing the DNS is critically important for securing the Internet as a whole, but deployment of DNSSEC specifically has been hampered by several difficulties, not the least of which are the lack of universal deployment and the perceived complexity of deployment.</p>
<p>Some of these problems are in the process of being resolved, and deployment in various domains is in progress. This may take an extended period of time, however, and during the process DNS continues to be vulnerable.</p>
<p>Progress in implementing DNSSEC has been slow, particularly in the Federal Government. Although the Office of Management and Budget mandated that all government agencies adopt DNSSEC by December 2009, nine months after the deadline for federal agencies to implement DNSSEC only 30-40% of agencies have complied.</p>
<p><span style="text-decoration: underline;">Government Network Solutions</span></p>
<p>Today’s complex government networks must deliver the utmost security and reliability to protect against potential national security threats. A poorly architected DNS service infrastructure poses one of the greatest security vulnerabilities for any government network.</p>
<p>Likewise, choosing the wrong DNS solution can turn an otherwise well-architected service infrastructure into a compromised system capable of undermining data integrity and network stability.</p>
<p>Security against cyber attack is mandatory for government networks. More than any other networks, government networks demand the highest level of monitoring and visibility, security fortification, alerting and blocking to ensure appropriate corrective action. Without this protection, National Security and other nationwide infrastructure can be compromised.</p>
<p><span style="text-decoration: underline;">Government Networks Have Unique Needs but Face Cumbersome Solutions</span></p>
<p>Until recently, federal cyber security efforts have been fragmented and cumbersome. Greater attention was paid to time-consuming reporting requirements in order to meet standards. Although standards are important for establishing a baseline of security and reducing cyber attack damage, overly restrictive reporting requirements diminish their effectiveness.</p>
<p>In many ways, for government organizations, the information superhighway has become a virtual minefield. Government networks face this new global problem as much as, if not more than, other networks.</p>
<p>Not only do they have to support their users performing the tasks necessary to complete their missions with uninterrupted Internet access, but they also have to ensure that this access remains uncompromised. Network administrators must continuously balance the need for open access for critical users against the need to keep the network secure.</p>
<p>When a user at a government organization goes to a Website (on multiple types of networks), they need to know that the content they receive is exactly what they were expecting. And just like subscribers on a Service Provider network, they need to be protected from known and suspected sites used to break into computers. The criticality of very large networks and the drive to interconnect agencies make many federal networks particularly vulnerable.</p>
<p>All of this has to be done with the highest possible level of performance and availability. Government organizations also need to be absolutely certain that they can comply with DNSSEC and IPv6 mandates.</p>
<p>The government recognizes and is addressing the needs of cyber security. Recent steps include the creation of Cyber Command for DOD and Intelligence Agencies, a streamlining by the Office of Management and Budget of reporting requirements and an elevation of cyber security to a priority effort by the administration.</p>
<p>However, progress has been slow. Officials from key federal agencies, including the departments of Defense, Homeland Security and the Office of Management and Budget, say they&#8217;re moving too slowly to implement most of the 24 recommendations President Barack Obama outlined in his May 2009 cyber policy review.</p>
]]></content:encoded>
			<wfw:commentRss>http://aspirationsoftware.com/indexdomain-name-system-dns-and-cyber-security-vulnerability/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
	</channel>
</rss>

