GCN : July 2013
malicious activity. Its second iteration, Einstein 2, launched in 2008, is a passive, automated system that incorporates intrusion detection based on custom signatures of known or suspected threats, and is able to alert US-CERT of malicious activity. It relies primarily on commercial tools for detection.

Einstein 2 is now deployed at 17 of 18 agencies that are using a Trusted Internet Connection provider, and at 52 other agencies using Managed Trusted IP Services (MTIPS) under the Networx contract. DHS officials say the department is on track to meet its milestone of providing Einstein 2 service to 70 percent of executive branch agencies by the end of fiscal 2013 as legacy networking contracts expire and agencies that are not yet served move to MTIPS. That 70 percent figure for agencies could include as much as 90 percent of .gov network traffic, officials said.

Einstein 2 already has shown its value for detecting and alerting, department officials said. As analytical capabilities grow, its value is expected to increase, and alerting will be expanded from US-CERT to agency security operations centers as well. This is expected to happen in 2014.

In its next iteration, Einstein 3 will be a managed service through service providers to not only detect but also automatically block malicious traffic before it enters government networks. Under the direction of DHS, service providers will administer threat-based decisions on traffic entering and leaving participating agency networks. Agencies will enter into agreements with DHS to authorize use of intrusion prevention capabilities through service providers.

Einstein 3 includes three major activities. The first, operational today, is the ability to connect analysts with the data that will be used to block malicious traffic. The second activity is the segregation and aggregation of .gov traffic by ISPs for analysis. Four contracts for this function have been awarded; one is fully operational and two more are expected to become operational this summer. The fourth contract should be operational by the end of September.

The final activity is the trickiest one: automated blocking of malicious traffic. One contract for this was awarded to an ISP in March, but is not yet operational. Other contracts with ISPs are in the works and service delivery plans are being developed.

Initially there will be two countermeasures used by service providers against malicious traffic. Domain Name Server sinkholing will block malware in .gov networks from communicating with known or suspected malicious domains, redirecting the traffic to safe sinkhole servers. ISPs will have access only to information about the DNS request for this traffic and not to the contents.

E-mail filtering will scan incoming mail addressed to .gov networks for malicious attachments, URLs and other malicious content. Infected e-mails could be quarantined or redirected for further inspection and analysis by DHS.

Even without enterprisewide systems such as Einstein and large-scale frameworks such as SCAP, individual tools have demonstrated the power of automation to improve both network security and management. The Nevada DOT was able to spot misconfigured devices almost immediately when it began using Splunk to gather and correlate log data, and has been able to troubleshoot problems more efficiently.

When a remote office was having trouble connecting to the network, "we had a really hard time detecting what the problem was," Munoz said. "We had spent six weeks and were no closer to a resolution. Splunk fixed it in a week."

The department has 2,000 employees and oversees 5,400 miles of highway and more than 1,000 bridges, and also operates the state's public 511 road service and a statewide video traffic network. These systems have generated as many as 35,000 errors an hour in the past, but the visibility provided by Splunk has helped reduce that to 2,500 errors a day.

WHAT'S INSIDE SCAP

SCAP Version 1.2 includes 11 component specifications in five categories:

• Languages for expressing security policy, technical check mechanisms and assessment results, including Extensible Configuration Checklist Description Format, Open Vulnerability and Assessment Language and Open Checklist Interactive Language.
• Reporting formats to express collected information, including Asset Reporting Format and Asset Identification. Although Asset Identification is not explicitly a reporting format, SCAP uses it in identifying the assets.
• Enumerations, standard nomenclatures and an official dictionary of items expressed using that nomenclature, including Common Platform Enumeration, Common Configuration Enumeration and Common Vulnerabilities and Exposures.
• Measurement and scoring systems for evaluating severity of a security weakness, including Common Vulnerability Scoring System and Common Configuration Scoring System.
• Integrity of SCAP content and results: Trust Model for Security Automation Data.
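The DNS sinkholing countermeasure described for Einstein 3 above, modelled as an added example (not DHS or service-provider code): a query whose name falls under a blocklisted domain is answered with a sinkhole address, and the record handed to analysts carries only request metadata, matching the article's point that providers see the DNS request and not the contents. The blocklist, sinkhole address, upstream answers and client queries are all constructed.

```python
"""Toy model of DNS sinkholing: blocklisted domains (and their subdomains)
resolve to a sinkhole address, and the alert emitted for analysis contains
only DNS request metadata. Added example with constructed data."""
from dataclasses import dataclass
from typing import Optional

SINKHOLE_IP = "192.0.2.53"  # constructed; RFC 5737 documentation range

# Constructed blocklist of known or suspected malicious domains.
BLOCKLIST = {"evil.example", "c2.badactor.test"}


def canonical(name: str) -> str:
    """Lowercase and drop the trailing dot so 'Beacon.EVIL.example.' matches."""
    return name.rstrip(".").lower()


def blocked_suffix(qname: str, blocklist: set) -> Optional[str]:
    """Return the blocklist entry covering qname (exact name or any parent
    domain, compared label by label), or None. Label matching means
    'notevil.example' does NOT match 'evil.example'."""
    labels = canonical(qname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None


@dataclass
class Alert:
    """What the provider may share: who asked, for what name and record type,
    and which blocklist entry matched. No payload contents are recorded."""
    client: str
    qname: str
    qtype: str
    matched: str


def resolve(client: str, qname: str, qtype: str, upstream: dict,
            blocklist: set = BLOCKLIST):
    """Sinkhole a blocked query and emit an Alert; otherwise pass the
    upstream answer through with no alert."""
    hit = blocked_suffix(qname, blocklist)
    if hit is not None:
        return SINKHOLE_IP, Alert(client, canonical(qname), qtype, hit)
    return upstream.get(canonical(qname)), None


def run_sample():
    # Constructed upstream answers standing in for the real resolver.
    upstream = {"www.agency.example": "203.0.113.10"}
    queries = [("10.0.0.5", "www.agency.example.", "A"),
               ("10.0.0.8", "Beacon.EVIL.example", "A"),
               ("10.0.0.9", "c2.badactor.test", "TXT")]
    return [resolve(c, q, t, upstream) for c, q, t in queries]
```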