
Net safety: office protects U.S. diplomats from digital attacks.

The target was an embassy workstation in East Asia. The bait was a cleverly forged e-mail carrying what appeared to be a copy of a government official's speech. When an unsuspecting user clicked on the infected attachment, it launched malicious software, triggering an intense three-week chase as the Bureau of Diplomatic Security's (DS) cyber security team pursued network intruders who were infiltrating computers and installing back-door communication channels all across the region.

"It was a classic Trojan Horse incident--an e-mail attachment loaded with malicious computer code that goes from compromising a single machine to attacking an entire network," recalled Mary Stone Holland, director of DS's Office of Computer Security (DS/SI/CS), whose analysts and engineers led the Department's response to the May 2006 incident.

This kind of e-mail attack, known as "spear phishing," required a multibureau task force and some creative engineering by the Bureau of Information Resource Management (IRM) and DS cyber teams. Such incidents have since become common throughout government and industry. Yet that month-long battle against sophisticated adversaries exploiting a never-before-seen vulnerability in Microsoft software galvanized the DS/SI/CS strategy for responding to such intrusion attempts. It also demonstrated how cyber security has become essential to the Department's digital diplomacy and ensures the reliability and integrity of daily business operations.

"In looking back, it validated our basic operations model and taught us how to respond to a complex cyber incident in real time," Holland said. "We've since built off that experience to continually improve how we detect, react, analyze and respond to network intrusions and other pressing cyber threats."

The DS/SI/CS team safeguards the Department's global diplomacy networks, which support 275 overseas embassies and consulates in more than 190 countries and involve more than 100,000 users. To protect this international maze of IT assets, information and users, DS/SI/CS's "defense-in-depth" strategy deploys an array of security teams, tools and operational programs to uncover and close security holes before malicious actors can exploit them.

"Our mission is to detect, respond to and defend against any cyber threats to the Department, as well as detect and correct any vulnerabilities in the Department's infrastructure," said Holland. "All our functional programs work like interlocking spokes to provide the best front-line support. We must always think ahead and position ourselves to be prepared for the latest threat."

In the Office of Computer Security, the Incident Response Team (DS/CIRT) maintains a 24/7 DS cyber security operations center, where analysts provide near real-time detection, collection, analysis and reporting of cyber security events that threaten Department networks. The center's intrusion-detection sensors flag millions of questionable computer network traffic events that are correlated with other security data sets to validate whether an event represents a threat to the Department. The DS/CIRT team coordinates with numerous Department offices to remediate security events upon detection, and reports the status of Department cyber security to senior management daily.

From fiscal 2010 to fiscal 2012, the number of DS/CIRT incidents more than doubled, from 7,269 to 16,740. A member of the DS/CIRT team works full time on the watch floor at the U.S. Computer Emergency Readiness Team (US-CERT) to ensure the fast, accurate exchange of information about security incidents affecting the Department's foreign affairs networks and those of other federal agencies.

DS deploys regional computer security officers (RCSOs) to provide timely information systems security support, expertise and hands-on assistance to U.S. missions worldwide. These specially trained Foreign Service security engineering officers are its "boots on the ground" for security assessments of posts' cyber security postures. The RCSOs proved vital to DS's efforts to combat the 2006 intrusion mentioned above, investigating computer compromises at EAP sites and helping restore those locations to normal operations.

Adding another dimension to this global cyber threat picture is the CS Security Scanning program. A team of security engineers and analysts delivers a recurring snapshot of the Department's cyber posture through weekly vulnerability and configuration compliance checks that are run against overseas and domestic sites. Using an integrated suite of tools, the analysts hunt for known security weaknesses, reporting the results back to system owners through the Department's iPost portal to ensure all security gaps are closed.

DS/SI/CS also brings cyber intelligence reporting and advanced technical analysis to its operational capability through the Cyber Threat Analysis Division (CTAD). This team of analysts provides overseas posts and senior management with indications and warnings of cyber threats affecting the Department's critical infrastructure. The staff correlates information from the DS/CIRT and other cyber intelligence sources to generate a comprehensive threat picture, performs in-depth analysis of intrusions and provides technical support for DS's counterintelligence and criminal investigations units.

CTAD received special recognition from the National Security Agency for its innovations in tracking malicious cyber activity and promoting the sharing of technical threat information throughout the federal network defense and cyber intelligence communities. A CTAD staff member is stationed at the NSA's National Threat Operations Center to help ensure the timely exchange of cyber threat information affecting the Department and other agencies.

The office's Monitoring and Incident Response Division (MIRD) has, according to Division Chief Bobby Miller, developed "a better understanding about how our adversaries work and the kinds of technical exploits they deploy. But by working as an office team, we can frequently identify and isolate network intrusions and adjust our defensive posture in response to new threats."

Perhaps the office's fastest-growing initiative is the CS Awareness program. Using a series of technical and operational guidance and educational materials, the CS Awareness team has helped transform the Department's 100,000-plus users into the front line of network defense. The team's tools include the Annual Awareness Course, Cyber Threat Bulletins, Policy Post-its and its awareness website, which aim to keep users safe while on the Internet at work and at home.

Technology will continue to provide new tools for digital diplomacy, but cyber threats will also become more pervasive as hacking technologies become cheaper, more readily accessible and easier to use. However, DS/SI/CS will be there every step of the way, helping ensure that digital diplomats have the tools to perform their missions effectively and securely.

Story by Marlene Chandler, program chief, Policy and Awareness, Office of Computer Security
Photos by Kevin Casey, Bureau of Public Affairs
COPYRIGHT 2013 U.S. Department of State

Article Details
Title Annotation: Office of the Month
Author: Chandler, Marlene
Publication: State Magazine
Date: Jan 1, 2013
