Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Analytics

New Federal Report Gives Guidance on Beating Botnets

A report from the Departments of Commerce and Homeland Security provides five goals for protecting infrastructure from botnets and other automated threats.

In May 2017, the Trump administration issued Executive Order 13800, "Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure." Yesterday, one response to that order was made public as the secretaries of Commerce and Homeland Security jointly released "A Report to the President on Enhancing the Resilience of the Internet and Communications Ecosystem Against Botnets and Other Automated, Distributed Threats."

The report, at 51 pages, is a relatively concise look at the state of defense against botnets and similar threats. Reports such as these "are important in terms of being able to assess what the current state of cybersecurity is, what we're able to do, and what we need to be able to do about it," says Chris Pierson, CEO of Binary Sun Cyber Risk Advisors.

More than the specifics of the assessment, the level of the report is important, says Chris Wysopal, founder and CTO of CA Veracode. "This looks at the whole system development life cycle, from planning through end of life," he says. He argues that the level of conversation is critical because consumers buy products with gaping security holes — and will continue to do that until vendors make safe products an economic priority.

Five Goals
The report is based on five goals for improving security. The five broad goals are:

  • Goal 1: Identify a clear pathway toward an adaptable, sustainable, and secure technology marketplace.
  • Goal 2: Promote innovation in the infrastructure for dynamic adaptation to evolving threats.
  • Goal 3: Promote innovation at the edge of the network to prevent, detect, and mitigate automated, distributed attacks.
  • Goal 4: Promote and support coalitions between the security, infrastructure, and operational technology communities, domestically and around the world.
  • Goal 5: Increase awareness and education across the ecosystem.

The goals are important because they give guidance to a variety of stakeholders on which steps they should be taking to secure their systems and networks. The real question is whether any of those stakeholders will take meaningful action.

A History of Reports
"Look up the '2004 NIAC Hardening the Internet Report and Recommendations.' About 80% of that report is reflected in this report," says Andy Ellis, CSO of Akamai. That isn't entirely a reflection on the skills or dedication of IT security professionals, though. "It's because a lot of the problems are really hard," explains Ellis.

"The issues are, 'what are the action items, who owns the action items, and what dollars are being put behind fixing them?" says Pierson. Now, he says, it's time to move forward. "Given 10 years of describing the risk, what are the low-hanging fruits, what are we going to do about it, and who's going to pay for it?"

At the federal level those questions are critical, given the just-released "OBM Federal Cybersecurity Risk Determination Report and Action Plan," in which 71 of 96 federal agencies were shown to be at risk or at high risk for cybercrime issues. "We're talking about the bad things that are happening, but when are we going to take about solving them? How do we solve them, when do we solve them, who solves them?" asks Pierson.

Steps Ahead
There's at least one step that would be direct, if not necessarily easy to implement. "The government could just change their procurement to follow the recommendations. That would incent vendors to change their practices if they wanted government business," says Wysopal.

"Everyone who's in the industry should read through the list and see what they can work on," says Ellis. As an example, he mentions the recommendation that education for every engineering and technical discipline have a cybersecurity component, instead of waiting until young professionals are in the field to begin their training on the subject.

Ultimately, though, Ellis sees real value in the process. "I think that the important thing is that this represents the work of a lot of groups that have come together. It's not a final product but part of a process to make things better," he says.

Pierson acknowledges the value of the process but has a stark assessment of the progress made so far. "It's 10 years later and we're still at the same place."

Related Content:

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
BrianN060
50%
50%
BrianN060,
User Rank: Ninja
6/9/2018 | 10:31:19 AM
Guidance on Beating Botnets - report
While the report and the executive order are meaningful, a number of the points mentioned in the article are questionable, if not downright head-scratching.  Those referenced in the article summary are perplexing - but recourse to the full report doesn't resolve the ambiguities or provide actionable and effective guidance. 

Reading the full report is a challenge (if you take the time to consider what's said - started with hip-boots, switched to chest waders, and may need to go with a snorkel). 

As just one example of the politico-bureaucrat-esse muck, are the references to "the IoT community".  There are a number of things the report says this community must do or should do, such as "The IoT community must work collaboratively [my emphasis] to identify and adopt existing best practices, frameworks, and guidelines that are...".  When the authors of this report compile a comprehensive and authoritative list of the individuals members of this community, then they can assign the responsibilities of identifying, and adopting best practices, frameworks and guidelines...; at which point I'm sure they'll form a committee, to assess how well the community is doing, and suggest new ways to make their work more effective.  Not only is the idea of an IoT community ludicrous; any list of best practices, frameworks, etc. would be out of date before it could be published, let alone implemented.  The only comedy relief is contemplating who will emerge as their spokes(person): Amazon Echo, or Google Home

Sadly, the IoT community gibberish is but one example; you can hardly take a step through the report without splatting into another. 
COVID-19: Latest Security News & Commentary
Dark Reading Staff 5/28/2020
Stay-at-Home Orders Coincide With Massive DNS Surge
Robert Lemos, Contributing Writer,  5/27/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-11844
PUBLISHED: 2020-05-29
There is an Incorrect Authorization vulnerability in Micro Focus Service Management Automation (SMA) product affecting version 2018.05 to 2020.02. The vulnerability could be exploited to provide unauthorized access to the Container Deployment Foundation.
CVE-2020-6937
PUBLISHED: 2020-05-29
A Denial of Service vulnerability in MuleSoft Mule CE/EE 3.8.x, 3.9.x, and 4.x released before April 7, 2020, could allow remote attackers to submit data which can lead to resource exhaustion.
CVE-2020-7648
PUBLISHED: 2020-05-29
All versions of snyk-broker before 4.72.2 are vulnerable to Arbitrary File Read. It allows arbitrary file reads for users who have access to Snyk's internal network by appending the URL with a fragment identifier and a whitelisted path e.g. `#package.json`
CVE-2020-7650
PUBLISHED: 2020-05-29
All versions of snyk-broker after 4.72.0 including and before 4.73.1 are vulnerable to Arbitrary File Read. It allows arbitrary file reads to users with access to Snyk's internal network of any files ending in the following extensions: yaml, yml or json.
CVE-2020-7654
PUBLISHED: 2020-05-29
All versions of snyk-broker before 4.73.1 are vulnerable to Information Exposure. It logs private keys if logging level is set to DEBUG.