DHS cybersecurity professionals conduct red team-blue team exercises and training sessions to improve network security. The red team simulates an attack on a system, while the blue team learns effective techniques to defend their network. (DHS)
Federal civilian agencies now have greater access to centralized teams of cybersecurity experts trained to spot network vulnerabilities before hackers do.
The Department of Homeland Security is investing millions of dollars to offer civilian agencies so-called penetration testing services, which have long been provided by the National Security Agency to the Defense Department and intelligence community.
“Prior to our entry into the game [in February], there was no federal civilian equivalent to NSA [National Security Agency] red teams,” Don Benack, cybersecurity assurance program manager for DHS’ Federal Network Security (FNS) branch, said in an interview.
NSA regularly conducts penetration testing for civilian agencies, said NSA spokeswoman Vanee Vines.
Unlike traditional penetration testing, which involves hacking into a system to prove there are weaknesses, FNS is using similar tools and skill sets but taking a different approach, Benack said.
Agencies can choose any network, application or information technology solution that they wish to test, and FNS will determine if security measures need tweaking, if the system can withstand an attack, and the most critical problems, Benack said.
The goal is not only to improve federal cyber defenses, but also to collect data that would be used to produce annual reports on the state of federal network security. The data would be scrubbed of details that could identify an agency, and the anonymous data would be used to provide trends and information for improving national security-related initiatives.
In the past, agencies’ options for penetration testing were limited and, in some cases, costly.
Agencies could have done the penetration tests themselves, purchased the testing tools and relied on in-house expertise to operate them or used contractors, said Rob Karas, risk evaluation program manager for the FNS branch.
“A $100,000 tool may not make sense to an agency that only has a $50,000 IT budget,” Benack said. “But if we [FNS] buy a $100,000 tool and use it across 100 agencies, there’s a return on investment there.”
Red team penetration tests are free of charge to agencies and are initiated upon request, Karas said.
Agencies can request testing for a specific system based on vulnerabilities they are concerned about. In some instances, agencies can correct security issues while the teams are onsite, and FNS security experts will retest the system, Karas said. Agencies receive detailed reports on the vulnerabilities and how to prioritize the most serious problems.
More agencies have been requesting security checks of their Web applications, which feds log in to and use to access agency data via the Internet.
Using test accounts, the red teams try to manipulate data going into the application or compromise the database feeding information to the application.
FNS is also developing capabilities to help agencies test the security of cloud solutions, but the approach differs from the testing underway as part of the Federal Risk and Authorization Management Program to ensure cloud products and services meet minimum security standards.
FNS red teams aren’t checking to ensure certain security requirements are in place, but rather whether the security measures in place can be bypassed and expose the agency to cyber attacks, Benack said.
Next month, FNS will conduct a cloud security test to verify whether an agency’s cloud solution can be accessed only from within its network.
Karas and Benack expect business will also pick up in other areas, such as mobile security, as agencies allow more smartphones, tablets and personal devices to connect to their network.
As of this month, FNS had conducted seven penetration tests. Five more tests are to be conducted by Oct. 1.
“I get two requests almost weekly,” Karas said. “Things are really, really picking up right now.”
The larger goal is to complete 20 to 30 tests a year, which would provide a sizable sampling across the government to create annual reports and trends on emerging and persistent security problems.
FNS received between $7 million and $8 million this fiscal year for red team activities.
In addition to agency services provided by its red teams, FNS has supported agencies through its blue team efforts. Benack describes blue teams as small groups of security experts that help agencies determine progress in meeting presidential directives and Office of Management and Budget cybersecurity initiatives, such as continuous monitoring.
“With agencies self-reporting [their progress in meeting these directives], there tends to be a margin of error, and it has been as high as 30 percent, not necessarily through malicious activity or intent to deceive [but] just from misinterpretation or misunderstanding or lack of clarity,” Benack said.
FNS has 18 federal employees and contractor support staff for its red and blue teams, and each team usually has a handful of FNS and contractor security experts. There are four red teams and four blue teams. But amassing that talent hasn’t been easy. FNS has relied on personnel from NSA, the Air Force, the Defense Information Systems Agency and others to share training tactics and procedures.
“We’re competing with the private sector [for talent],” Benack said. “We’re competing with the [intelligence] community. We’re competing amongst ourselves.”