The Aerospace & Defense Forum, Arizona Chapter, March 9, 2017
Dozens of Defense Contractors, Agencies Hacked
Forbes Magazine: The Pentagon's forensics-focused Cyber Crime Center found that between August 2007 and August 2009, 71 government agencies, contractors, universities and think tanks with connections to the U.S. military had been penetrated by foreign hackers, in some cases multiple times. In total, the center performed 116 investigations following spying breaches and found that in all but 14 of those cases the intruders had gained complete administrator-level access to the victim's network. According to Forbes, "military contractors General Dynamics and Northrop Grumman have both been successfully breached by cyber spies in the last two years, according to sources familiar with the security situations of those companies." Sound Familiar?
- Almost every breach investigated began when an employee was sent a highly targeted and convincing phishing email.
- When the recipient opened a file attached to that message, it used a flaw in the target computer's software to invisibly plant malicious software on the machine and give it access to the user's network.
- The large majority of attacks didn't use previously unknown software vulnerabilities. Instead, they exploited old software bugs that IT administrators had failed to patch, configuration errors and even poor password practices.
A&D – An industry with a target
"We can say that any company that's involved in high-technology research and development is a target for these adversaries."
Steven Shirley, Executive Director, Pentagon Cyber Crime Center, 2010
"We were surprised to see that even companies that we regarded as tech savvy in a lot of cases had significant vulnerabilities correlated with inattention to the basic blocking and tackling of information assurance."
What you need to know: What is CUI?
Controlled Unclassified Information is any information that law, regulation or government-wide policy requires to have safeguarding or disseminating controls, excluding information that is classified under Executive Order 13526, any predecessor or successor order, or the Atomic Energy Act of 1954, as amended.
CUI Examples: Many federal contractors, for example, routinely process, store, and transmit sensitive federal information in their systems to support the delivery of essential products and services to federal agencies (e.g., providing credit card and other financial services; providing Web and electronic mail services; conducting background investigations for security clearances; processing healthcare data; providing cloud services; and developing communications, satellite, and weapons systems).
Security Requirements (the 14 control families of NIST SP 800-171):
- Access control
- Awareness and training
- Audit and accountability
- Configuration management
- Identification and authentication
- Incident response
- Maintenance
- Media protection
- Personnel security
- Physical protection
- Risk assessment
- Security assessment
- System and communications protection
- System and information integrity
NIST SP 800-171r1
If you have a government contract with a federal agency, such as the DoD, or with a primary government contractor, you may be required to be compliant with NIST SP 800-171 Revision 1, issued in December 2016. If you fall into this category, a recently implemented rule from the Department of Defense called the Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012 will impact how you handle controlled unclassified information (CUI). You now have until December 31, 2017 to become NIST SP 800-171r1 compliant or risk losing your government contract.
A&D – New Compliance Concerns
The effect NIST SP 800-171r1 has on these organizations can be significant, especially if they currently do not practice basic fundamental security and controls.