Identifying Security Gaps in International Postal and Transportation Infrastructure

Cyber Risk , Resilience Management Model (RMM) No Comments »

By Nader Mehravari
Senior Member of the Technical Staff
CERT Cyber Risk Management Team

Nader MehravariIn October 2010, two packages from Yemen containing explosives were discovered on U.S.-bound cargo planes of two of the largest worldwide shipping companies, UPS and FedEx, according to reports by CNN and the Wall Street Journal. The discovery highlighted a long-standing problem—securing international cargo—and ushered in a new area of concern for such entities as the United States Postal Inspection Service (USPIS) and the Universal Postal Union (UPU), a specialized agency of the United Nations that regulates the postal services of 192 member countries. In early 2012, the UPU and several stakeholder organizations developed two standards to improve security in the transport of international mail and to improve the security of critical postal facilities. As with any new set of standards, however, a mechanism was needed to enable implementation of the standards and measure compliance to them. This blog post describes the method developed by researchers in the CERT Division at Carnegie Mellon University’s Software Engineering Institute, in conjunction with the USPIS, to identify gaps in the security of international mail processing centers and similar shipping and transportation processing facilities.

Read more...

Specifying Behavior with AADL

Architecture Analysis & Design Language (AADL) 3 Comments »

By Julien Delange
Member of the Technical Staff
Software Solutions Division

Julien Delange The Architecture Analysis and Design Language (AADL) is a modeling language that, at its core, allows designers to specify the structure of a system (components and connections) and analyze its architecture. From a security point of view, for example, we can use AADL to verify that a high-security component does not communicate with a low-security component and, thus, ensure that one type of security leak is prevented by the architecture. The ability to capture the behavior of a component allows for even better use of the model. This blog post describes a tool developed to support the AADL Behavior Annex and allow architects to import behavior from Simulink (or potentially any other notation) into an architecture model.

Read more...

Unintentional Insider Threat and Social Engineering

CERT , Insider Threat , Social Engineering 2 Comments »

By David Mundie
Senior Member of the Technical Staff
CSIRT Development Team

David Mundie Social engineering involves the manipulation of individuals to get them to unwittingly perform actions that cause harm or increase the probability of causing future harm, which we call “unintentional insider threat.” This blog post highlights recent research that aims to add to the body of knowledge about the factors that lead to unintentional insider threat (UIT) and about how organizations in industry and government can protect themselves. This research is part of an ongoing body of work on social engineering and UIT conducted by the CERT Insider Threat Center at the Carnegie Mellon University Software Engineering Institute.

Read more...

A New Approach for Critical Information Systems Protection

CERT 2 Comments »

By Anne Connell
Design Team Lead
CERT Cyber Security Solutions Directorate

This blog post was co-authored by Barbora Batokova and Todd Waits.

Anne ConnellThe source of a recent Target security breach that allowed intruders to gain access to more than 40 million credit and debit cards of customers between Nov. 27 and Dec. 14, 2013, has been traced to a heating, ventilation, and air conditioning (HVAC) service sub-contractor in Sharpsburg, Pa., just outside of Pittsburgh, according to a Feb. 5 post on a Wall Street Journal blog. The post stated that the intruders were able to gain access to Target’s system after stealing login credentials from one of Target’s HVAC subcontractors, who had been given remote access. This breach demonstrates how any vulnerability in a critical information system can be exploited to disrupt or harm the normal operation of any commercial or industrial sector. In this blog post, we will present a tool we have developed that increases a security incident responder’s ability to assess risk and identify the appropriate incident response plan for critical information systems.

Read more...

An Introduction to DevOps

CERT , DevOps 2 Comments »

By C. Aaron Cois
Software Engineering Team Lead 
CERT Cyber Security Solutions Directorate 
This blog post is the first in a series on DevOps

Aaron CoisAt Flickr, the video- and photo-sharing website, the live software platform is updated at least 10 times a day. Flickr accomplishes this through an automated testing cycle that includes comprehensive unit testing and integration testing at all levels of the software stack in a realistic staging environment. If the code passes, it is then tagged, released, built, and pushed into production. This type of lean organization, where software is delivered on a continuous basis, is exactly what the agile founders envisioned when crafting their manifesto: a nimble, stream-lined process for developing and deploying software into the hands of users while continuously integrating feedback and new requirements. A key to Flickr’s prolific deployment is DevOps, a software development concept that literally and figuratively blends development and operations staff and tools in response to the increasing need for interoperability. This blog post, the first in a series, introduces DevOps and explores its impact from an internal perspective on our own software development practices and through the lens of its impact on the software community at large.

Read more...

Secure Coding for the Android Platform

Android , Java , Secure Coding No Comments »

By Lori Flynn
Member of the Technical Staff
CERT Secure Coding team

Lori FlynnAlthough the CERT Secure Coding team has developed secure coding rules and guidelines for Java, prior to 2013 we had not developed a set of secure coding rules that were specific to Java’s application in the Android platform. Android is an important area to focus on, given its mobile device market dominance (82 percent of worldwide market share in the third quarter of 2013) as well as the adoption of Android by the Department of Defense. This blog post, the first in a series, discusses the initial development of our Android rules and guidelines. This initial development included mapping our existing Java secure coding rules and guidelines to Android applicability and also the creation of new Android- only rules for Java secure coding.

Read more...

The Importance of Automated Testing in Open Systems Architecture Initiatives

Automated Testing , Common Operating Platform Environments (COPEs) , Open Systems Architectures No Comments »

To view a video of this blog post in its entirety, please click here.

By Douglas C. Schmidt
Principal Researcher

Douglas C. Schmidt To view a video of the introduction, please click here.

The Better Buying Power 2.0 initiative is a concerted effort by the United States Department of Defense to achieve greater efficiencies in the development, sustainment, and recompetition of major defense acquisition programs through cost control, elimination of unproductive processes and bureaucracy, and promotion of open competition. This SEI blog posting describes how the Navy is operationalizing Better Buying Power in the context of their Open Systems Architecture and Business Innovation initiatives.  This posting also presents the results from a recent online war game that underscore the importance of automated testing in these initiatives to help avoid common traps and pitfalls of earlier cost containment measures.

Read more...

A New Approach to Cyber Incident Response

Critical Infrastructure Protection , Vulnerability Analysis No Comments »

By Anne Connell
Design Team Lead
CERT Cyber Security Solutions Directorate 

This blog post was co-authored by Tim Palko. 

Anne ConnellAccording to a report issued by the Government Accountability Office (GAO) in February 2013, the number of cybersecurity incidents reported that could impact “federal and military operations; critical infrastructure; and the confidentiality, integrity, and availability of sensitive government, private sector, and personal information” has increased by 782 percent—from 5,503 in 2006 to 48,562 in 2012. In that report, GAO also stated that while there has been incremental progress in coordinating the federal response to cyber incidents, “challenges remain in sharing information among federal agencies and key private sector entities, including critical infrastructure owners.” Progress in this area was hindered by “difficulties in sharing and accessing classified information and the lack of a centralized information-sharing system,” the report stated. This blog post describes a tool that members of the CERT Cyber Security Solutions (CS2) Directorate are developing to provide the various agencies and organizations that respond to cyber incidents a platform by which to share information and forge collaborations.  

Read more...