The PrepFire View

Oct 28, 2010

The Federal Desktop Core Configuration is a list of security settings recommended by the National Institute of Standards and Technology for computers that are connected directly to the network of a United States government agency.  But as pointed out by Carter Raines, Director of Technology at PrepFire,  FDCC is only a small part of the problem.  Following an OMB mandate, organizations are implementing aggressive telework policies so users working remotely or on the move is growing at an exponential rate.  New devices are entering the network all the time.  New applications are required for users to do their jobs, and some of these require administrative rights to execute.  And more changes are coming.

Listen to this recorded webcast sponsored by PrepFire to learn more about how you can effectively lockdown your environment to meet FDCC mandates but avoid the reprecussion of increasing calls to your help desk because users cannot perform the functions they need which require admin rights.

FDCC Webcast:  https://www1.gotomeeting.com/register/986551281

Viewfinity - Privilege Management

For more information please contact:
Joel Stevens
PrepFire Solutions
800-208-2404 ext. 5
joel@prepfire.com
www.prepfire.com

Interesting read from Kevin Coleman

http://defensesystems.com/blogs/digital-conflict/2010/09/stuxnet-worm-stealth-attack.aspx?s=ds_290910&admgarea=TC_DEFENSE

Stuxnet worm deemed ‘best malware ever’

by Kevin Coleman

In January 2010, a highly targeted, vendor-specific cyberattack was launched by those yet to be identified. The Stuxnet worm was highly sophisticated — perhaps the most sophisticated attack that is known to the public thus far, leading some in the field to proclaim the piece of code the best malware ever. The fact that this piece of malware operated undetected for nearly six months seems to supports those claims.

Although the attacker is unknown, many individuals and entities believe Israel is behind the attack and that the United States was probably an active participant.

The worm used not one but four unpatched zero-day vulnerabilities, as well as other vulnerabilities that had patches available. Its designers intentionally limited the worm’s spread, which allowed it to go undetected for an extended period of time. Each infected machine could only pass the worm to three additional machines.

The malware made use of two stolen digitally signed certificates that allowed the worm to avoid detection by security software.

The worm was designed to attack machines using WinCC (Windows Control Center) and Siemens SCADA (Supervisory Control and Data Acquisition) visualization system and connected to industrial programmable logic controllers. PLCs are used to control multiple types of processes commonly found at industrial plants, energy/utility complexes, water treatment facilities, critical infrastructures, and numerous other functional areas.

Stuxnet also uploaded its own encrypted software to the PLCs. At this time, it is unknown what that encrypted software does. But multiple experts have speculated that it could open a backdoor for attackers to use whenever they want to steal data files, delete files or change data. However, the biggest concern is that the attackers could execute control processes (for example, close valves or shut off output systems) that would interfere with or disrupt critical operations of industrial complexes.

The worm clearly targeted Iranian facilities, with nearly 60 percent of the system compromises occurring in that country. However, industrial controllers in India and the United States were also hit by the attack.

Some experts believe the ongoing system problems at Iran’s Bushehr nuclear power plant indicate that it might have been the primary target.

As of Sept. 20, the worm had compromised approximately 100,000 systems worldwide. Its primary mission is intelligence gathering and industrial sabotage, and its secondary mission is process disruption with any number of tertiary effects. The situation was remedied in August by Microsoft.

The complexity and sophistication of the attack, as well as its target being PLCs, would seem to point to a nation state-backed group or possibly cyber terrorists. Researchers at Kaspersky Lab and Symantec said they have never seen a piece of malware use that many avenues of attack.

The industrial control system industry is a high-value target. This cyberattack prompted Joe Weiss, an industrial control and security expert, to alert several members of Congress and other U.S. government officials. He was pushing for emergency powers to be given to the Federal Energy Regulatory Commission so that it could require that utilities and others involved in providing critical infrastructure take extra precautions to secure their systems. In March 2009, Weiss testified before the Senate Commerce, Science and Transportation Committee and said networks that power industrial control systems have been breached more than 125 times. He went on to say, “The impacts have ranged from trivial to significant environmental damage to significant equipment damage to deaths.” One of the 125 breaches resulted in U.S. deaths.

Earlier this year, more than three-quarters of executives working for organizations that use SCADA or industrial control systems say their systems are connected to the Internet or some other IP network, putting them at possible risk of intrusion. Approximately 55 percent of survey respondents in the energy and power sectors and the oil and gas sectors reported that cyberattackers most often targeted SCADA or other operational control systems.

What about the private sector, which owns about 85 percent of our nation’s critical infrastructure? What is being done there? Rep. Jim Langevin (D-R.I.), who chaired a subcommittee on cybersecurity, called representatives of the nation’s electric utilities, which are heavy users of SCADA systems, to Washington to find out what they were doing to fix the power grid’s vulnerabilities. The committee was told that the problem was being addressed, but that turned out not to be the case. At a subsequent hearing seven months later, Langevin’s committee members discovered that almost nothing had been done. “Basically, they lied to Congress, and I was outraged,” Langevin told Steve Kroft of “60 Minutes.”

The United States is the most connected country in the world and the country that is the most reliant on computers, networks and related devices.These two facts make us the most susceptible to a cyberattack. What has to happen before the government, business community, law enforcement, intelligence community and military come together to address this critical deficiency in our nation’s defenses? Maybe some of President Obama’s rumored “second stimulus package” funds can be allocated to defending our nation’s critical infrastructure.

Even though the buzz over cloud computing has reached a fever pitch in the commercial sector over the last 18 months, federal agencies are only now starting to take real notice. With the announcement last week that the flagship White House website, www.Recovery.gov moved its operations into EC2, I am hopeful that the debate of the last 18 months will morph into words into actions.

Although the rhetoric surrounding cloud computing is often hijacked by different people using different terms, the bottom line is that true cloud computing is analogous to electricity. When you plug in your refrigerator, toaster, air conditioner, or computer into your wall socket, you know that you are consuming electricity and that you are going to receive a bill from the electric company for the energy you use. Everyone can understand that on a hot DC summer day, if you put the thermostat down to 60 degrees that it is going to cost you money. It’s simple math.

Now, when it comes to the power of cloud computing it can be scary for the federal government to comprehend. It is hard for IT managers to understand how easy it is to just “plug in” to computer power (infrastructure as a service), or application power (software as a service).

Let’s look at Recovery.gov to better understand.  The White House’s move of Recovery.gov to Amazon allows them to “plug in” to server resources and as they get more traffic (power), they will get a bigger bill. No one has to worry about services or scaling. They just have to realize that the more traffic they get, the more they are moving that thermostat to a lower degree on a summer day.

But some savvy federal agencies are ahead of the curve on this one.  Several agencies are starting to pay about $50 per user per year to access Google applications that include email, calendar, and documents. Why is this important?  Well simplicity is one. If you want to have more people using the Google Apps then all you need to do is plug them in and pay $50.

This type of thinking is now a way of life in Silicon Valley, but in DC, everyone wants to know where the electricity is going, the status of the power lines, how the power plants work, and whether or not they need to build their own. While the government needs to pay closer attention to these questions for some applications, it can rest assured that when it plugs into the cloud they are going to increase productivity and reduce costs. Now that’s some simple math the government should get behind.

If you have any questions or comments, I will be presenting on ways you can “plug into the cloud” at the Gov 2.0 Conference on Thursday, May 27^th at the Washington DC Convention Center. I hope to see you there!

Thanks,

Erik Arnold

The Gov 2.0 Conference?  What? Already? It seems like we were just at the FOSE event, meeting with top tier feds who were interested in finding out about cloud services and PrepFire Solutions innovative approach. We answered a lot of question on what cloud computing is and how it can benefit government agencies – and it looks like we gave some pretty good answers. Since that time we have been hard at work scheduling meetings and conducting presentations for almost every government agency. But now is the time to gear up for PrepFire’s second conference and the Gov 2.0 Conference is as vital as any.

But are we ready?

The short answer is “absolutely,”  but the long answer is more impressive.

To start, the Gov 2.0 Conference is called “The IT Event for 21st Century Government” and is meant to answer the question

“How can we harness these innovations to decrease waste and increase productivity?”

Sound familiar? It should, because the answer to that question is the foundation on which PrepFire Solutions is built. Our mission is to bring the latest technologies to government organizations—securely and at a lower cost—to increase productivity and better serve their users. PrepFire’s vision and approach to provide gov’t agencies with innovative IT solutions makes our mission as unique as our company.  As the only SDVOSB in the cloud technology arena, we take pride in our distinctiveness because it allows us to provide original and agile solutions from start to finish.  We take our mission very seriously to answer the above question for our clients on a daily basis with innovative products and top notch services from our team of industry experts.

Speaking of our industry experts, our colleague Erik Arnold will be presenting at the conference and discussing “The White House has moved to the cloud – have you?”  Make sure you tune in for his presentation that will provide valuable information on how you can move to the cloud and more importantly –  why you should be interested in doing so.

If you haven’t met us already then stop by our booth at Gov 2.0 and find out how you can find your way to the cloud.

Thanks,

Brian

Today is a big day for us at PrepFire. As we put the finishing touches on our first FOSE show, I have to sit back and exhale a bit to realize all we have accomplished, and all we are set to do.  2008 – 2009 was a year of growth.  We researched, we partnered, we spoke, we had success, and some failures along the way.  At the end of 2009 we emerged as the company that we set out to be the day that the partners first got together in a booth at Clydes in DC to start this venture:

PrepFire’s goal is to bring the latest technologies to government organizations—securely and at a lower cost—to better serve their users.

But what does that really mean?  A lot of people are saying it, but why are we not seeing a major push of Cloud/SaaS & disruptive technologies in Government?  We’re not seeing it because there is still a gap, a gap in understanding in how to work in the Government space.  On one side, you have the leading edge product company that is tooled to work in commerical space, but can’t begin to understand Government.  On the other hand, you have the large, beltway bandits getting their execs to start tweeting, while still pushing traditional racks, servers and solutions to Government clients.

PrepFire was formed for one reason.  Provide end to end solutions using the latest products and approaches in the Government space.  To our partners we serve as a trusted advisor to moving their products into the Government market. To our Government clinets, we’re also experts in leagacy systems and can recommend the best path forward to leverage new technologies.

But end to end does not stop there.  We’ve expanded our management team to now provide the Government with a complete product strategy.  That’s the key word here.  Products.  Government needs to and has started to have more of a product mentality.  When you are developing a tool that needs to be marketed within Government, and out to citizens, then you have yourself a product.

PrepFire has added Brian Kelley and Todd Kirby to our management team to productize every project we have.  From concept, to UI design, technical implementation, and grassroots marketing, we offer the complete solution.  Here’s the bio’s for Brian and Todd, not bad eh?

Brian Kelley:  Director of Marketing and Outreach -  Former tours as Supervisor of Grassroots Marketing at Edelman PR and Racepoint Group.

Todd Kirby:  Director of User Experience:  Former Product Manager for Blockbuster, Nutrisystem, Match.com and co founder of Chemistry.com.

So 2010, here we come.  Check out our brand new portal at www.prepfire.com, and continue to follow us for more updates.

Tx

-  Carter

Two years ago, while serving at GSA as the Product Manager for USA.gov Technologies, I was asked along with others to come up with “Big Ideas for 2013″.  I put together the following whitepaper with a concept for a Government Cloud Sandbox.  The primary idea was to elminate barriers to entry for government technologists into new areas like Could Computing, SaaS, & platform computing.  Too often, the opportunity to leverage a cost saving technology in government is squelched by the seemingly endless set of security, 508 compliancy and contracting hurdles.  While each of these technologies can meet the Feds requirements, the process repeats itself everytime someone at an agency at any level trys to get started with a new technology.

On the other hand, companies that promote this technology do not see a value proposition in trying to work with Government.  When your are trying to sell your product to a small government group, lets say1000 people (not small is it?), its not worth it to a product company to adjust their product to meet Government regulations.  A product that costs 20k soon becomes a 500k project. 

So what happens? IT shops go the traditional route and build it, add contractors, and manage it, costing millions for something that a commercial company would only pay thousands for.

So where are we now?  This article is not a shot at GSA.  In fact, they have grown by leaps in bounds.  Their move to Terramark, a virtual/cloud host was one of the best moves I’ve seen in Government.  They continue to push free Cloud/SaaS products like Youtube, Facebook and others to adjust their user & legal agreements to allow Government to leverage them.  They’ve moved their USASearch product to a cheaper, more agile host, using Bing.  The point of the article is to say, they’re ready.

We don’t need to wait till 2013.  The Feds are ready to work with vendors to create a cloud computing sandbox, that will allow the little guys in government IT to show what they’re made of and create great applications, using the best in Cloud/SaaS technology, and show their organziations what can be done without having to navigate their own internal processes. 

The original idea:

Create a Cloud Computing Sandbox, and related Cloud Computing BPA.

Description of Goal:

Cloud Computing and Software as a Service (CC/SaaS) is a hot topic on the minds of government IT executives due to its potential for a high ROI, rapid development timeframes and minimal infrastructure cost. However those same executives are afraid to make the initial investment to enter into the CC/SaaS space, and are hesitant to shift from a conventional environment to a cloud based infrastructure. While there is resistance from government IT executives to invest in CC/SaaS applications, low to senior technical employees are embracing the technology, following their peers in private industry. The issue lies in the fact that these employees do not have enough influence or resources to start in the space. For those who push forward, they are left re-creating the wheel when it comes to major requirements like 508 compliance and Security Certification and Accreditation (C&A). On the other side of the equation, CC/SaaS companies are having much of the same issue. Since the commercial sector is far ahead of the government in embracing the CC/SaaS platform, the focus of CC/SaaS companies is not in the government sector. When an RFP is released for bid, CC/SaaS companies lack experience or staff to reply properly to a government RFP, if they reply at all. Or, the company cannot see the value in updating their product to align with government requirements. This creates an especially dangerous dynamic where companies are not incorporating accessibility compliance into their development roadmap, increasing the gap between the capabilities in commercial and government sectors. A frequent example is the heavy use of Ajax in commercial UI’s, and its lack of 508 compliance. While this gap cannot be solved with this “Big Idea,” this can be an effort by USA.gov to bring the two communities together, and to influence the industry through numbers. By creating a “Cloud Computing Sandbox” and a related BPA, we have an opportunity to lead, enabling government agencies to easily collaborate, develop, and purchase CC/SaaS based applications. We can’t afford to ignore this issue, or we may someday be left with “government technology” and “commercial technology.”

 Actions to Achieve Goal:

1. Use USA.gov’s leverage to seek a low or no cost partnership with cloud providers. The partnership would open up their development API’s to government “affiliates”, allowing them to create CC/SaaS applications without the advertisements that are currently included in free versions of their products. Create a usage ceiling, where if the application reached a touchpoint threshold, the affiliate’s organization would be required to purchase the tools off of the “USA.gov Cloud Computing BPA” to continue.

2. Leveraging the Webcontent.gov and USASearch Affiliate communities, build a community around the free tools, encouraging the developers and IT professionals from across the government to collaborate on research, innovation, government security and accessibility requirements.

3. Create a CC/SaaS BPA and award to 25 CC/SaaS companies with provisions for security and section 508 accessability (VPAT), streamlining the purchase of these technologies.

How Do We Measure Success:

1. Recognition as a government leader in technology best practice and education would continue to increase.
2. # of affiliates added to the community
3. # of applications created
4. # of touchpoints from the applications, (until they are funded by the organization themselves via the BPA)

Who’s in the cloud?
Google, Zoho, Amazon, Booze Allen, Yahoo, Microsoft, Salesforce