Looking to address a substantial shortfall in the government's major weapon for defending against cyber attacks, the Department of Homeland Security (DHS) said it has added a new intrusion prevention security service to the National Cybersecurity Protection System (NCPS), whose current phase is known as Einstein 3A (E3A).
In a Privacy Impact Assessment, DHS said the new intrusion prevention service, Web Content Filtering (WCF), provides protection at the application layer for web traffic by blocking access to suspicious websites, preventing malware from running on systems and networks, and detecting and blocking phishing attempts and other malicious web content. WCF joins the E3A intrusion prevention security services already in place, DHS stated.
Einstein is intended to give DHS the ability to detect malicious traffic traversing federal agencies' computer networks, prevent intrusions, and support data analytics and information sharing. A tall order, no doubt, but an imperative one given the gargantuan amount of government intelligence and personally identifiable information the feds watch over.
There has been plenty of debate over the success or failure of the program since its inception. Most recently, a Government Accountability Office report found that NCPS needs work in all four of its chief areas of coverage. From the GAO report:
- Intrusion detection: NCPS provides DHS with a limited ability to detect potentially malicious activity entering and exiting computer networks at federal agencies. Specifically, NCPS compares network traffic to known patterns of malicious data, or “signatures,” but does not detect deviations from predefined baselines of normal network behavior. In addition, NCPS does not monitor several types of network traffic and its “signatures” do not address threats that exploit many common security vulnerabilities and thus may be less effective.
- Intrusion prevention: The capability of NCPS to prevent intrusions (e.g., blocking an e-mail determined to be malicious) is limited to the types of network traffic that it monitors. For example, the intrusion prevention function monitors and blocks e-mail. However, it does not address malicious content within web traffic, although DHS plans to deliver this capability in 2016.
- Analytics: NCPS supports a variety of data analytical tools, including a centralized platform for aggregating data and a capability for analyzing the characteristics of malicious code. In addition, DHS has further enhancements to this capability planned through 2018.
- Information sharing: DHS has yet to develop most of the planned features for NCPS's information-sharing capability, and requirements were only recently approved. Moreover, agencies and DHS did not always agree about whether notifications of potentially malicious activity had been sent or received, and agencies had mixed views about the usefulness of these notifications. Further, DHS did not always solicit—and agencies did not always provide—feedback on them.
According to DHS, the initial implementation of Einstein 3A involved two intrusion prevention security services: Domain Name System (DNS) sinkholing and email filtering. DNS sinkholing protects against the use of DNS as a means to establish communication with compromised hosts or to distribute malware: queries for names that match known threat indicators are answered with an address the defender controls instead of the attacker's, so the infected host connects to the sinkhole and the attempt is recorded. Email filtering protects against malicious file attachments and embedded links by preventing emails that match known cyber threat indicators from reaching their intended destination and collecting information on the malicious activity.
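To make the sinkholing mechanism concrete, here is an added example (not DHS or NCPS code) of the decision a sinkhole resolver makes: it parses a DNS query, matches the queried name against an indicator list including parent domains, and for a hit returns a forged A record pointing at a sinkhole address, or an empty answer for other record types so the client learns nothing real. The indicator domains, the query packets and the sinkhole address 10.255.255.1 are constructed for the example.

```python
import struct

# Constructed sample indicator list (hypothetical domains, not DHS data).
INDICATORS = {"evil.example", "c2.badstuff.test"}
# Assumption: an address the operator controls, so sinkholed hosts connect to it, not the attacker.
SINKHOLE_IP = "10.255.255.1"


def matches_indicator(qname, indicators=INDICATORS):
    """Return the indicator covering qname (exact or parent-domain match), else None."""
    labels = qname.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in indicators:
            return candidate
    return None


def build_query(txid, qname, qtype=1):
    """Build a standard recursive DNS query (constructed sample input; qtype 1 = A)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    name = b"".join(bytes([len(label)]) + label.encode("ascii") for label in qname.split(".")) + b"\x00"
    return header + name + struct.pack("!HH", qtype, 1)


def parse_query(packet):
    """Parse a single-question DNS query; return (txid, qname, qtype, qclass, question_bytes)."""
    txid, _flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    pos, labels = 12, []
    while True:
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    qtype, qclass = struct.unpack("!HH", packet[pos:pos + 4])
    return txid, ".".join(labels), qtype, qclass, packet[12:pos + 4]


def sinkhole(packet, sinkhole_ip=SINKHOLE_IP, ttl=60):
    """Decide on a query: ('forward', None, None) for clean names, or
    ('sinkhole', response_bytes, matched_indicator) for names that match an indicator."""
    txid, qname, qtype, _qclass, question = parse_query(packet)
    hit = matches_indicator(qname)
    if hit is None:
        return ("forward", None, None)
    if qtype == 1:
        # One answer RR: name pointer to offset 12, type A, class IN, TTL, RDLENGTH 4, then the address.
        answer = struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4) + bytes(int(o) for o in sinkhole_ip.split("."))
        ancount = 1
    else:
        # Other record types (AAAA, TXT, ...) for a bad name get an empty NOERROR answer,
        # so the client gets no real record for the attacker's infrastructure.
        answer, ancount = b"", 0
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, ancount, 0, 0)   # QR=1, RD=1, RA=1, rcode 0
    return ("sinkhole", header + question + answer, hit)
```

The parent-domain walk is what makes `www.evil.example` match the indicator `evil.example` while `notevil.example` and `evil.example.com` do not; a sinkhole that matched on substrings would break legitimate lookups. Every sinkholed query is also a detection event, which is the "collecting information on malicious activity" half of the service.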
“DHS will add further protections to federal civilian Executive Branch department/agency networks with the addition of WCF which will provide protection for web traffic by blocking access to certain websites that are known to be, or include, malicious content. In addition, WCF will prevent malware from suspicious websites from running on federal civilian Executive Branch D/A systems and networks. Finally, WCF will also detect and/or block phishing attempts as well as the undesirable content that may be included in those attempts,” the agency stated.
WCF capabilities also include in-line Secure Sockets Layer (SSL) decryption, malware detection, and advanced analytics. The SSL decryption provides visibility into specific types of organizational traffic, including web content, that has been encrypted and would otherwise remain hidden from inspection by traversing encrypted channels. The capability decrypts web traffic of D/As participating in the E3A WCF for the purpose of detecting and preventing malicious web content on the D/A network, DHS said. In practice that means the filter terminates the agency's TLS sessions in-line and re-encrypts them toward the destination, so participating endpoints must trust the certificates the filter issues; without decryption, a filter sees only the destination host name of a connection, not the URL or the page content where phishing and malware actually live.
DHS is not interested in the behavior of individuals; decryption is focused on web communications, not communications between individuals. DHS does not use this capability to investigate the behavior or private content of individuals. Malware detection is an inherent part of operating WCF, the agency stated.