With the threat of another partial government shutdown likely averted (for now), federal security workforce and enterprise security teams can focus on catching up on security tasks and projects that took a backseat last month.
The recent partial government shutdown meant that a significant number of the federal security workforce was not at their posts, and many initiatives were delayed. Some tasks were left undone. The impact wasn’t just on federal systems—enterprise security teams didn’t have access to important information and had to adjust their own timelines and project plans. Reopening the government isn’t as simple as turning the computers back on and sitting back down at their desks—new tasks take precedence over existing to-do lists, and there was the possibility that the political gridlock would mean turning everything off again.
The shutdown lasted for 35 days. When employees go on vacation, they may decide not to unplug entirely to make sure immediate issues are being handled, or designate someone else to temporarily handle the work. That isn’t the case with a shutdown, as employees could not check in from time to time or perform ongoing triage, and those designated as essential had plenty to do. When the federal security workforce finally got back to work at the end of January, there were several high-priority tasks demanding immediate attention, including renewing TLS certificates for government websites, implementing multi-factor authentication on accounts with access to DNS records and auditing DNS records in light of DNS hijacking attacks against government websites, and possibly resetting passwords for employees.
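The DNS audit mentioned above comes down to comparing the records an agency expects to be serving against what resolvers actually return. The following script is an added example (not code from the article or from any agency): it diffs a baseline snapshot against a current snapshot and ranks changes to NS and MX records highest, since those are the records that redirect an entire domain or its mail. Both snapshots are constructed here; in practice the "observed" side would be produced by querying the authoritative servers and the baseline would be a snapshot taken before the period of absence.

```python
"""Diff a DNS record baseline against a current snapshot.

Added example, not from the article. Snapshot lines are "name type rdata",
the shape you get from `dig +noall +answer` once TTL and class are dropped.
Both snapshots below are constructed sample data, not real zones.
"""
from collections import defaultdict

BASELINE = """\
example.gov. NS ns1.example.gov.
example.gov. NS ns2.example.gov.
example.gov. A 192.0.2.10
www.example.gov. A 192.0.2.10
mail.example.gov. MX 10 mx1.example.gov.
"""

OBSERVED = """\
example.gov. NS ns1.example.gov.
example.gov. NS ns9.unrelated.example.
example.gov. A 192.0.2.10
www.example.gov. A 198.51.100.77
mail.example.gov. MX 10 mx1.example.gov.
ftp.example.gov. A 192.0.2.12
"""

# Record types whose change redirects a whole domain or its mail flow.
HIGH_IMPACT_TYPES = {"NS", "MX"}


def parse_snapshot(text):
    """Group rdata strings by (owner name, record type)."""
    records = defaultdict(set)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        name, rtype, rdata = line.split(maxsplit=2)
        records[(name.lower(), rtype.upper())].add(rdata)
    return records


def diff_dns(baseline_text, observed_text):
    """Return findings for every (name, type) whose rdata set differs."""
    base = parse_snapshot(baseline_text)
    obs = parse_snapshot(observed_text)
    findings = []
    for key in sorted(set(base) | set(obs)):
        expected, actual = base.get(key, set()), obs.get(key, set())
        if expected == actual:
            continue
        name, rtype = key
        if not expected:
            change = "added"
        elif not actual:
            change = "removed"
        else:
            change = "changed"
        findings.append({
            "name": name,
            "type": rtype,
            "change": change,
            "severity": "high" if rtype in HIGH_IMPACT_TYPES else "medium",
            "expected": sorted(expected),
            "observed": sorted(actual),
        })
    return findings


def audit_sample():
    return diff_dns(BASELINE, OBSERVED)


if __name__ == "__main__":
    for f in audit_sample():
        print(f"[{f['severity']}] {f['name']} {f['type']} {f['change']}: "
              f"expected {f['expected']} observed {f['observed']}")
```

Run as-is, the sample flags the replaced NS record as high severity and the altered `www` address plus the new `ftp` host as medium. The companion control the article names, multi-factor authentication on the accounts that can edit these records at the registrar or DNS provider, is what keeps the baseline from being silently rewritten in the first place.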
“That’s a long time off with no communication,” said Grant Wernick, government data scientist and CEO of Insight Engines.
Enterprises couldn’t access technical documentation from the National Institute of Standards and Technology related to security frameworks and standards from Dec. 22 to Jan. 28, which would have impacted tool evaluations and enterprise deployments. NIST may be back and accessible, but it will take a while for government-provided threat indicators and intelligence feeds to catch up. Enterprises will have to wait for the analytics team to ramp back up, and will have to rely on other information-sharing partnerships within the private sector for the time being. Government analysts may also need to reach out to private sector partners to fill in the blanks of what they missed.
“The source of truth and analysis will have to come from the private sector,” Wernick warned.
The newly formed DHS supply chain task force had to pause its work during the shutdown. The task force was supposed to meet regularly to identify the threats to the supply chain and develop recommendations on managing risk, but had to wait till the shutdown was over before they could finish setting up the group and finalize the membership, according to Politico’s Morning Cybersecurity. The chairs of the working groups are expected to convene in February, with a meeting of the full task force in March.
“While we have lost some time with the shutdown, we still have considerable momentum from our December meeting of the executive committee,” Robert Mayer, senior vice president for cybersecurity at USTelecom, told Morning Cybersecurity.
For enterprises keeping an eye on the task force for guidance on how to secure the supply chain, this is yet another delay in their strategic planning.
Software Updates, Patches
Some of the challenges currently facing federal IT security teams should feel familiar, such as finding the time to test and prepare software updates. There is typically a bit of a lag between when the updates are released and when they are actually deployed, and that gap is the perfect attack window. Any delay that widens that gap is a big risk. Considering that it wasn’t clear until just this week that there wouldn’t be another partial shutdown, testing patches and rolling out software updates for federal IT systems would be high on the list. Systems would need to be updated before going offline for another prolonged period of time.
Renee Wynn, the CISO of the National Aeronautics and Space Administration, said at a post-shutdown town hall that NASA employees who kept working during the shutdown had problems running certain software programs on their computers, because they were unable to renew software licenses and install security patches, Space.com reported. "If you don't have a license for your software, you're not getting the patches, and we get fixes every single day for all the software that we do," Wynn said, and on the first day back, furloughed employees had to patiently wait for their computers to install the updates and security patches before they could get back to work.
There were regularly scheduled releases from Microsoft, Adobe (three separate releases in January), and Oracle during the shutdown. Those needed to be tested and scheduled, alongside the updates that came after the government reopened, including Google’s Chrome update and Mozilla’s Firefox update. Other applications would need their own update windows, and it’s not as if testing windows can be shortened all that much.
Dealing with the backlog would require “ridiculous hours to just get caught up,” Wernick said.
It would be naive to hope that the attackers took a vacation during the shutdown, which means government defenders came back to five weeks of backlog to dig through. Even if an agency had dedicated teams monitoring the systems and networks, they would have focused on the most important issues. Any suspicious incidents or questionable events would require deeper investigation.
The emphasis post-shutdown was on restoring election security support to state and local governments, surveying the impact on cybersecurity programs, and complying with the emergency directive to secure DNS, Christopher Krebs, the director of the newly-created Cybersecurity and Infrastructure Security Agency at DHS, said during a staff meeting to discuss the shutdown’s impact, FCW reported. The contingency plans were designed for one or two week lapses in funding, not for such a prolonged period.
"There is no 35-day shutdown plan, there is no 50-day shutdown plan," Krebs said at the meeting, noting that it would take the agency several weeks to be fully operational again.
Analysts need to sift through threat alerts and log files to look for attack attempts and evidence of successful infiltrations during this time period. Analysts need to answer questions such as which users were logged into the systems during the shutdown and what processes were running when no one was at work, Wernick said. There have been reports of an increased number of phishing emails containing malware and of social engineering attempts aimed at getting employee passwords reset or malware downloaded.
“Who came in? Where did they go?” Wernick said.
Unusual activity should be easier to identify, since normal system usage was absent. Analysts need to look for otherwise normal behavior that shouldn't have happened during those days, such as a login from an employee who was furloughed. Any delay in investigating suspicious events gives an attacker who got past the defenses more time to keep lurking in the network.
However, analysts face a different challenge, likely an unanticipated one, before they can start digging. Alerts and queries tend to be designed so that analysts can look at incoming events and monitor the network daily. What analysts need now is to perform the analysis they would normally perform daily over historical data. New historical queries need to be built that are more targeted and ask specific questions, Wernick said.
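A retrospective query of the kind described above has a different shape from a daily alert: it runs over the whole absence window at once and asks a specific question, here "which logins during the shutdown came from furloughed users, or from a source that user had never logged in from before?" The script below is an added example (not code from the article or from Insight Engines). The log lines, the shutdown window and the furlough roster are all constructed; a real run would feed it authentication events exported from the SIEM and the agency's own roster of excepted staff.

```python
"""Retrospective login audit over a long absence window.

Added example, not from the article. Finds login events inside a known
"nobody should be working" window that belong to furloughed users or that
come from a source address the user had not used before the window began.
The log format, window, roster and addresses are all constructed sample data.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed authentication log (simplified key=value syslog style).
SAMPLE_LOG = """\
2018-12-20T09:00:00Z host=vpn01 event=login user=bob src=198.51.100.7 result=success
2018-12-20T09:05:00Z host=app02 event=login user=carol src=10.1.4.31 result=success
2018-12-21T16:55:02Z host=app01 event=login user=alice src=10.1.4.20 result=success
2018-12-28T03:12:44Z host=app01 event=login user=alice src=203.0.113.9 result=success
2019-01-03T11:20:10Z host=vpn01 event=login user=bob src=198.51.100.7 result=success
2019-01-10T14:00:00Z host=vpn01 event=login user=bob src=192.0.2.55 result=success
2019-01-15T22:40:00Z host=app02 event=login user=carol src=10.1.4.31 result=failure
2019-01-15T22:41:05Z host=app02 event=login user=carol src=10.1.4.31 result=success
2019-01-29T08:01:00Z host=app01 event=login user=alice src=10.1.4.20 result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) event=(?P<event>\S+) "
    r"user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)

# Constructed window and roster (assumptions for the example).
SHUTDOWN_START = datetime(2018, 12, 22, tzinfo=timezone.utc)
SHUTDOWN_END = datetime(2019, 1, 25, 23, 59, 59, tzinfo=timezone.utc)
FURLOUGHED = {"alice", "carol"}


def parse_line(line):
    """Parse one log line into a dict with a timezone-aware timestamp, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ev


def find_shutdown_logins(log_text, window_start, window_end, furloughed):
    """Return login events in the window that should not have happened.

    Each hit carries a list of reasons: "furloughed-user" when the account's
    owner was not supposed to be working, and "new-source" when the source
    address never produced a successful login for that user before the window.
    Failed logins count too: a failure against a furloughed account is still
    worth a look given the password-reset social engineering the article notes.
    """
    events = [e for e in map(parse_line, log_text.splitlines()) if e and e["event"] == "login"]

    # Baseline of known-good sources per user, built only from pre-window successes.
    baseline = defaultdict(set)
    for e in events:
        if e["ts"] < window_start and e["result"] == "success":
            baseline[e["user"]].add(e["src"])

    hits = []
    for e in events:
        if not (window_start <= e["ts"] <= window_end):
            continue
        reasons = []
        if e["user"] in furloughed:
            reasons.append("furloughed-user")
        if e["src"] not in baseline[e["user"]]:
            reasons.append("new-source")
        if reasons:
            hits.append({**e, "reasons": reasons})
    return hits


def audit_sample():
    return find_shutdown_logins(SAMPLE_LOG, SHUTDOWN_START, SHUTDOWN_END, FURLOUGHED)


if __name__ == "__main__":
    for h in audit_sample():
        print(h["ts"].isoformat(), h["user"], h["host"], h["src"], h["result"], ",".join(h["reasons"]))
```

On the sample data the query returns four events: one furloughed user logging in from an address never seen before, an excepted user appearing from a new address, and a failed-then-successful login against a second furloughed account. Events before and after the window, and excepted staff logging in from their usual address, are left alone, which is what keeps a 35-day query from drowning analysts in the normal traffic of the skeleton crew.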
"You aren't set up for that level of time away," Wernick said.
This is where inter-agency cooperation would help. Analysts who were able to keep working during the shutdown, and agencies that were not impacted by the funding fight, could share information about what they saw and how they dealt with the incidents. There are some partnerships across agencies, but not across all of them, which means some of the analysis gets duplicated, Wernick said.
Hopefully, the typical enterprise will never have to face this kind of offline period, where projects and initiatives come to a standstill, but there are still valuable lessons to draw about planning for such situations. Whether it’s a government shutdown or a prolonged outage, sensitive systems and data may be left without monitoring coverage. They need to be moved so that they can be monitored alongside other sensitive systems, or have additional protections placed around them, Wernick said. Processes that got overlooked but turned out to be important (such as renewing and deploying TLS certificates) can be automated to minimize the impact when no one is at the wheel. Another thing to consider is writing new queries and designing alerts for a bigger window of time, so that information continues to be logged and remains available even if someone can’t get to the alerts right away.
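The certificate-renewal lesson above, and the post-shutdown scramble to renew expired TLS certificates that the article opens with, both reduce to one planning check: before a period when nobody will be at the wheel, find every certificate that expires before, during, or shortly after that period. The following script is an added example (not code from the article or any agency). It works from an inventory of hostnames and `notAfter` strings in the format Python's `ssl` module returns from `getpeercert()`, so the same function serves both a stored inventory and live checks; the inventory and the absence window are constructed, and the `fetch_not_after` helper is only there to show how a live reading would be obtained.

```python
"""Certificate-expiry planning check for a known offline window.

Added example, not from the article. Given an inventory of hostnames and
their certificate notAfter dates (in the string format ssl.getpeercert()
returns), report which certificates expire before the window, during it,
or within a lead time after it, so they can be renewed or automated ahead
of time. The inventory, hostnames and window below are constructed.
"""
import socket
import ssl
from datetime import datetime, timedelta, timezone

# Constructed inventory: hostname -> notAfter as returned by getpeercert().
INVENTORY = {
    "portal.example.gov": "Jan 10 23:59:59 2019 GMT",
    "api.example.gov": "Mar 15 12:00:00 2019 GMT",
    "intranet.example.gov": "Dec 30 00:00:00 2018 GMT",
    "static.example.gov": "Jan 30 00:00:00 2019 GMT",
}

# Constructed planning window (assumption for the example).
WINDOW_START = datetime(2018, 12, 22, tzinfo=timezone.utc)
WINDOW_END = datetime(2019, 1, 25, 23, 59, 59, tzinfo=timezone.utc)


def not_after(cert_time):
    """Convert a getpeercert()-style notAfter string to an aware UTC datetime."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(cert_time), tz=timezone.utc)


def fetch_not_after(host, port=443, timeout=5.0):
    """Live variant (needs network, not used by the sample run): read notAfter from the server."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


def certs_at_risk(inventory, window_start, window_end, lead_days=7):
    """Return {host: (expiry, status)} for certificates needing action before the window.

    status is one of:
      "expires-before-window"   -> renew now, it will already be expired when the window opens
      "expires-during-window"   -> renew before the window or automate the renewal
      "expires-within-lead-time" -> expires within lead_days after the window; staff
                                   returning to a backlog will not get to it in time
    """
    deadline = window_end + timedelta(days=lead_days)
    risky = {}
    for host, cert_time in inventory.items():
        expiry = not_after(cert_time)
        if expiry > deadline:
            continue
        if expiry < window_start:
            status = "expires-before-window"
        elif expiry <= window_end:
            status = "expires-during-window"
        else:
            status = "expires-within-lead-time"
        risky[host] = (expiry, status)
    # Soonest expiry first, so the list doubles as a work order.
    return dict(sorted(risky.items(), key=lambda kv: kv[1][0]))


def check_sample():
    return certs_at_risk(INVENTORY, WINDOW_START, WINDOW_END, lead_days=7)


if __name__ == "__main__":
    for host, (expiry, status) in check_sample().items():
        print(f"{expiry:%Y-%m-%d} {status:26} {host}")
```

Run against the sample inventory, three of the four hosts come back as needing action and the one expiring in March is left out. The lead time after the window is the part most easily forgotten: a certificate that survives the absence but expires a few days after people return lands in exactly the backlog the article describes, so it belongs on the pre-window renewal list as well.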