Next week (June 11-14), Layer 7 will be exhibiting at the Gartner Security & Risk Management Summit near Washington, DC (in National Harbor, MD). Speakers will run the gamut from Michael Dell to the Cybersecurity Coordinator for the White House, because enterprises and governmental organizations share a serious interest in securing data and applications.

The combination of security and risk management is particularly interesting these days, as rapid migration to Cloud and Mobile has introduced a new set of risks. These new platforms raise issues around compliance, information security and identity management, which can only be addressed with a comprehensive approach to security, using proven technology.

If you’re at the show, stop by and visit Layer 7 at Booth 92. We’d love to demonstrate how our SOA Governance and API Management solutions can counteract the risks involved with adopting these new technologies. Our solutions – flexibly deployed on-premise or in the Cloud – provide control over data and applications being exposed to partners, Cloud and Mobile.

And our industry-leading technology has been certified at the highest levels for use in both corporate and governmental organizations – PCI-DSS compliance for retail, STIG vulnerability testing for the DoD, FIPS 140-2 for cryptographic functionality and Common Criteria certification for overall security.

Don’t let the risk outweigh the reward – come talk to us!

Layer 7 is proud to be exhibiting at the 2012 Department of Defense Intelligence Information Systems (DoDIIS) Worldwide Conference, which will be taking place in Denver this April 1-4. The show will be focusing on the Defense Intelligence Agency’s goal of unifying defense intelligence infrastructure and information sharing initiatives.

Never before has so much intelligence data been collected and never has the challenge of securely sharing these valuable assets been greater. As new intelligence systems come online, issues inevitably arise around the need to make data and security credentials interoperable between these new systems and existing capabilities.

As the leading provider of secure messaging and security Gateway solutions to the US Federal Intelligence Community, Layer 7 will be at the show, demonstrating its solutions for data and security interoperability within the enterprise and the Cloud. If you’re attending the DoDIIS conference, stop by Booth 917 to see first-hand how you can resolve interoperability and fine-grained access challenges with a Common Criteria EAL 4+ certified solution from Layer 7.

At Layer 7, we often talk about how we can help enterprises open up net-centric information-sharing APIs. Often overlooked is the vital national security role APIs and net-centric computing perform – they are crucial to connecting applications residing across national agencies and even on mobile devices, vehicles and machines.

For several years, Layer 7 has proudly served national security communities in the US, Canada and Europe, with high-resiliency API security and management technologies for various SOA, mobile and Cloud initiatives. We are proud to include among our clients some of the most demanding organizations on Earth, including the US DoD, US Department of Homeland Security, US Department of Justice, US Department of Transportation and NATO.

Layer 7 is continuing its efforts to help organizations like these address the challenges and opportunities associated with SOA-based information sharing and interoperability in the context of reduced budgets, increasing cyber threats, Cloud infrastructure and the need to leverage existing systems in a networked environment.

Due to the sensitive nature of the projects, much of our work to make these efforts successful goes unheralded. However, we are thrilled that one of our recent efforts in supporting Northrup Grumman modernize the US Air Force Air & Space Operations Center Weapons System has been publicly announced.

Layer 7 is working with a consortium of vendors under Northrup Grumman to make the Air & Space Operations Center more agile and net-centric via Service-Oriented, API-based approaches to information sharing. Clearly, SOA and net-centric computing are becoming cornerstones of how applications are discovered, connected and protected and how information is shared.

In the last week Lockheed Martin, then L-3 Communications Holdings have been in the news due to sophisticated cyber attacks on their networks by unknown actors. Now there are rumors that Northrop Grumman may have been targeted as well, since the company shut down remote access to the company's network. Are these events linked to the attack on RSA which was reported on May 17th?

For those that haven't been keeping up, it is assumed the adversaries responsible for the RSA intrusion may have access to the seed files, serial numbers and the algorithm for multiple RSA keyfobs used by over 40 million RSA customers worldwide. Although RSA is saying that this information alone can't be used to launch an attack, it's not hard to assume that the attackers either already have or are confident they can get what they needed to use the stolen RSA information to launch a successful attack.

This recent activity goes beyond the need for "cleanup on isle 9", and leads one to believe that all these events could be the start to a series of attacks which were extensively planned, beginning with the RSA attack, and are now and will continue to be well resourced. Given the high profile nature of the businesses being targeted, and the level of effort involved, I think it's safe to assume that we will see more from these attackers in the future. In an effort to better prepare ourselves for future attacks here are some questions needing answers:

1. What data were the attackers after and why?
2. How did those companies get exploited?
3. Were there signs prior to the exploitation attempts?
4. Was there active reconnaissance of the company or their users?
5. Were there exploitation attempts against their users that failed?
6. Were there exploitation attempts against the company network?
7. Is the RSA attack and these incidents truly linked?

VPN access, albeit a necessity for remote users, is a major security risk that needs to be actively monitored. One of the initial steps in conducting network defense is to define the enclave’s borders which is increasingly difficult because of the needs of remote users and the federations across organizations. Each access point of a network needs to be heavily monitored and the systems that are used to access the VPN need to be examined on a regular basis to ensure there is no malicious software located on their systems. Given the current trend to move to the cloud one begins to wonder where the enterprise starts and stops and how we can truly protect the enterprise from the perimeter.

Reference:

http://www.eweek.com/c/a/Security/Northrop-Grumman-L3-Communications-Hacked-via-Cloned-RSA-SecurID-Tokens-841662/

http://www.informationweek.com/news/government/security/229700151

http://www.lockheedmartin.com/news/press_releases/2011/0528hq-secuirty.html

On Tuesday, Google reported in their official blog that in mid-December they detected a "highly sophisticated and targeted" attack on their corporate infrastructure originating from China that resulted in the theft of intellectual property from Google. Additionally, Google stated in this blog that 20 other large companies were similarly targeted. Google went on to state that they have evidence to suggest that a primary goal of the attackers was to access the Gmail accounts of Chinese human rights activists. This incident, as well as the limitation on free speech imposed on Google by the Chinese government, is forcing Google to review the feasibility of their business operations in China.

In follow-up, a number of security firms who are supporting the investigation have concluded that the number of attacked companies is not 20 but between 30 and 34. Most of the attacked were large Fortune 500 companies. The attack code named "Aurora" by the attackers was made up of dozens of pieces of malware, and several levels of encryption to hide itself in the targeted company networks and to obscure activity.

The U.S. Government has been under this type of attack for many years. This is the first time that a highly organized and sophisticated attack was launched on private industry. Who knows what the impact of this will be on the global economy? The mind can only fathom what would happen if each of the companies attacked lost some intellectual property which resulted in them being "second to market" for a product that they have been planning for and building for months or even years.

What we know about Aurora

There is some debate currently on whether Aurora leveraged a vulnerability in Internet Explorer and Adobe's Reader and Acrobat applications or whether the attack only leveraged Internet Explorer. Either way, Aurora installation began on the targeted system by viewing a malicious website or potentially through opening a PDF document sent in an email but as I mentioned this has not been substantiated by Adobe. Once executed in the browser an encrypted shell script would run. The shell script downloaded the binary from an external machine which once executed would open a backdoor to the attackers Command and Control servers. These servers were purportedly running in hosted facilities in the US. This allowed the attacker some level of access into the users machine and the network to which the machine is connected.

Microsoft Versions Affected:

According to Microsoft, Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4, and Internet Explorer 6, Internet Explorer 7 and Internet Explorer 8 on supported editions of Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 are affected.

Let's review the time line of events in this event. The following dates/times were derived from various sources on the internet.

Mid-December - Google detects a "highly sophisticated and targeted" cyber attack

January 2nd - Adobe becomes aware of "sophisticated, and coordinated" cyber attack

January 4th - Attack seems to have stopped as Command & Control Servers are shut down

January 12th/3pm - Google announces the Cyber Attack via blog

January 12th/3:16pm - Adobe announces the Cyber Attack via blog

January 12th/Evening - U.S. Government asks China for an Explanation

January 14th - Microsoft issues a security advisory

When looking at the time line the scary thing is that the attack seems to have been commencing from mid-December (let's say the 15th). If Google detected it at its start, which may not be the case, and it was not shut down till January 4th, the attackers had 21 days of access. It's scary to think how much information could have been stolen and potentially how much damage the attackers could have done in 21 days should this have been their goal.

As stated in the U.S. Government Cyberspace policy review, information and communication networks are largely owned and operated by the private sector, both nationally and internationally. The report goes on to state that Cyber security requires a public-private partnership as well as international cooperation. Unfortunately, we are sorely lacking in the ability to ensure a coordinated response and recovery to a significant incident should one occur. This time line only proves this point. It appears as though private/public communication did not effectively start till January 12th, during this time companies were infiltrated, but yet may not have known. Even if Google had notified all the companies it derived were under attack from the information they had available, there is nothing to say that another attack was not going on simultaneously by the same attackers but disconnected from the one affiliated with Google.

With worldwide cyber attacks becoming more focused, we must accelerate our ability to deal with them more rapidly in a coordinated fashion. This particular instance seems to have been about stealing information, monetary gain, or political issues. We need to remember that it could just have easily been about disrupting critical national infrastructure for pursuit of national disorganization and loss of life.