The Contracting Education Academy


September 3, 2019 By cs

How to manage risk along the federal government supply chain

Even the most sophisticated federal agencies have found it difficult to effectively measure and evaluate the cyber risk of their contractor base.

The U.S. federal government relies on an ever-expanding supply chain of tens of thousands of contractors and subcontractors to provide critical services, hold and maintain sensitive data, and perform key functions. While this supply chain is essential to agencies’ fundamental operations, it also increases the number of access points nefarious actors have to their systems and data and, consequently, puts agencies and sensitive data at greater risk.

Even the most sophisticated federal agencies have found it difficult to effectively measure and evaluate the cyber risk of their contractor base. For example, the Navy recently released a report that highlighted growing concerns around supply chain cybersecurity, noting that the federal supply chain has been “compromised in ways and to an extent yet to be fully understood.” In a July 2019 report on the security of its contractors, the Defense Department Inspector General was blunt: The department “does not know the amount of DoD information managed by contractors and cannot determine whether contractors are protecting unclassified DoD information from unauthorized disclosure.”

In fact, data suggests that contractors are not meeting agency expectations for security. Recent BitSight research found that the average security performance rating across all federal agencies was at least 15 points higher than the mean security performance rating of any contractor sector. In other words, there is a significant security performance gap between federal agencies and their supply chain partners.

The time has come for agencies to prioritize this critical risk in their cybersecurity programs. There are steps agencies can take to more effectively measure, monitor and manage this challenge.

Keep reading this article at: https://www.nextgov.com/ideas/2019/08/how-manage-risk-along-federal-government-supply-chain/159401/

Filed Under: Government Contracting News Tagged With: collaboration, controlled unclassified information, cybersecurity, DoD, monitoring, Navy, sensitive data, supply chain, supply chain management, vulnerability

March 11, 2019 By AMK

DoD’s acquisition and contracting sees little improvement on GAO’s ‘high-risk’ list

Despite sweeping legislative and department changes over the past five years, progress on the Defense Department’s systems acquisition and contracting management remains basically stagnant on the Government Accountability Office’s 2019 High-Risk List of areas that are most vulnerable to waste, fraud and abuse.

The list, released last Wednesday, states efforts to shore up problems with DoD weapons systems acquisition remain “unchanged” since GAO’s last high-risk list in 2017. GAO made the same assessment of the Pentagon’s contract management issues, though with a few positive caveats.

The two items on the high-risk list account for almost $2 trillion in taxpayer funds — about $1.66 trillion in investments of 86 major weapons systems and $300 billion in annual contracted services for the Pentagon. Both of the items have been on GAO’s high-risk list since the early 1990s.

At the same time, GAO points out that the government’s inability to address climate change is causing national security issues and will cost DoD more money.

Keep reading this article at: https://federalnewsnetwork.com/defense-main/2019/03/dods-acquisition-and-contracting-sees-little-improvement-on-gao-high-risk-list/

Filed Under: Government Contracting News Tagged With: abuse, acquisition management, acquisition workforce, climate change, contract services, DoD, fraud, GAO, high risk, vulnerability, waste, weapons systems

August 17, 2018 By AMK

Georgia Tech researchers help close security hole in popular encryption software

Cybersecurity researchers at the Georgia Institute of Technology have helped close a security vulnerability that could have allowed hackers to steal encryption keys from a popular security package by briefly listening in on unintended “side channel” signals from smartphones.

The attack, which was reported to software developers before it was publicized, took advantage of programming that was, ironically, designed to provide better security. The attack used intercepted electromagnetic signals from the phones that could have been analyzed using a small portable device costing less than a thousand dollars. Unlike earlier intercept attempts that required analyzing many logins, the “One & Done” attack was carried out by eavesdropping on just one decryption cycle.

“This is something that could be done at an airport to steal people’s information without arousing suspicion and makes the so-called ‘coffee shop attack’ much more realistic,” said Milos Prvulovic, associate chair of Georgia Tech’s School of Computer Science. “The designers of encryption software now have another issue that they need to take into account because continuous snooping over long periods of time would no longer be required to steal this information.”

The side channel attack is believed to be the first to retrieve the secret exponent of an encryption key in a modern version of OpenSSL without relying on the cache organization and/or timing. OpenSSL is a popular encryption program used for secure interactions on websites and for signature authentication. The attack showed that a single recording of a cryptography key trace was sufficient to break 2048 bits of a private RSA key.

Results of the research, which was supported in part by the National Science Foundation, the Defense Advanced Research Projects Agency (DARPA), and the Air Force Research Laboratory (AFRL), will be presented at the 27th USENIX Security Symposium August 16th in Baltimore.

After successfully attacking the phones and an embedded system board – which all used ARM processors – the researchers proposed a fix for the vulnerability, which was adopted in versions of the software made available in May.

Side channel attacks extract sensitive information from signals created by electronic activity within computing devices during normal operation. The signals include electromagnetic emanations created by current flows within the devices’ computational and power-delivery circuitry, variation in power consumption, and also sound, temperature and chassis potential variation. These emanations are very different from the communications signals the devices are designed to produce.

In their demonstration, Prvulovic and collaborator Alenka Zajic listened in on two different Android phones using probes located near, but not touching, the devices. In a real attack, signals could be received from phones or other mobile devices by antennas located beneath tables or hidden in nearby furniture.

The “One & Done” attack analyzed signals in a relatively narrow (40 MHz wide) band around the phones’ processor clock frequencies, which are close to 1 GHz (1,000 MHz). The researchers took advantage of a uniformity in programming that had been designed to overcome earlier vulnerabilities involving variations in how the programs operate.

“Any variation is essentially leaking information about what the program is doing, but the constancy allowed us to pinpoint where we needed to look,” said Prvulovic. “Once we got the attack to work, we were able to suggest a fix for it fairly quickly. Programmers need to understand that portions of the code that are working on secret bits need to be written in a very particular way to avoid having them leak.”
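As an added illustration (this is not code from the Georgia Tech release, the paper, or OpenSSL), the two functions below show the distinction Prvulovic is describing in its simplest form: a square-and-multiply modular exponentiation that performs the multiply step only when the secret exponent bit is 1, next to a branchless version that always performs the multiply and keeps or discards the result with a mask. Removing secret-dependent branches and secret-indexed memory accesses is the standard defence against timing and cache side channels; as the release notes, it is necessary but not by itself sufficient against an electromagnetic probe, which is exactly why the code that touches secret bits has to be examined on its own. The function names, the restriction to moduli below 2^32, and the sample inputs are assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>

/* Modular multiply. Assumption for this example: n < 2^32, so the
 * product fits in uint64_t and no multi-precision arithmetic is needed. */
static uint64_t mulmod(uint64_t a, uint64_t b, uint64_t n)
{
    return (a * b) % n;
}

/* Leaky square-and-multiply: the multiply runs only for exponent bits
 * that are 1, so the sequence of operations (and its timing, power and
 * EM profile) follows the secret exponent bit by bit. */
uint64_t modexp_leaky(uint64_t base, uint64_t exp, uint64_t n)
{
    uint64_t result = 1 % n;
    base %= n;
    for (int i = 63; i >= 0; i--) {
        result = mulmod(result, result, n);      /* square every iteration */
        if ((exp >> i) & 1) {                    /* secret-dependent branch */
            result = mulmod(result, base, n);    /* multiply only on a 1 bit */
        }
    }
    return result;
}

/* Branchless select: returns a when bit == 1 and b when bit == 0.
 * bit must be exactly 0 or 1; mask is then all ones or all zeros. */
static uint64_t ct_select(uint64_t bit, uint64_t a, uint64_t b)
{
    uint64_t mask = 0 - bit;
    return b ^ (mask & (a ^ b));
}

/* Constant-time square-and-multiply: the same square and multiply are
 * executed on every iteration regardless of the exponent, and the
 * secret bit only decides, via a mask, which intermediate is kept.
 * No branch and no memory address depends on the exponent. */
uint64_t modexp_ct(uint64_t base, uint64_t exp, uint64_t n)
{
    uint64_t result = 1 % n;
    base %= n;
    for (int i = 63; i >= 0; i--) {
        result = mulmod(result, result, n);
        uint64_t with_mul = mulmod(result, base, n);   /* always computed */
        uint64_t bit = (exp >> i) & 1;
        result = ct_select(bit, with_mul, result);     /* keep or discard */
    }
    return result;
}

int main(void)
{
    /* Constructed sample inputs, not taken from any real key. */
    printf("4^13 mod 497   leaky=%llu ct=%llu\n",
           (unsigned long long)modexp_leaky(4, 13, 497),
           (unsigned long long)modexp_ct(4, 13, 497));
    printf("7^560 mod 561  leaky=%llu ct=%llu\n",
           (unsigned long long)modexp_leaky(7, 560, 561),
           (unsigned long long)modexp_ct(7, 560, 561));
    return 0;
}
```

Both functions return the same value for every input; the difference is only in what an observer can infer from how they compute it. Two practical checks belong with code like this: inspect the compiled output, because an optimizing compiler is free to turn the mask-and-xor back into a conditional branch, and remember that a real RSA implementation multiplies multi-limb numbers, so every limb-level routine on the path must hold to the same discipline.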

The researchers are now looking at other software that may have similar vulnerabilities, and expect to develop a program that would allow automated analysis of security vulnerabilities.

“Our goal is to automate this process so it can be used on any code,” said Zajic, an associate professor in Georgia Tech’s School of Electrical and Computer Engineering. “We’d like to be able to identify portions of code that could be leaky and require a fix. Right now, finding these portions requires considerable expertise and manual examination.”

Side channel attacks are still relatively rare, but Prvulovic says the success of “One & Done” demonstrates an unexpected vulnerability. The availability of low-cost signal processing devices small enough to use in coffee shops or airports could make the attacks more practical.

“We now have relatively cheap and compact devices – smaller than a USB drive – that are capable of analyzing these signals,” said Prvulovic. “Ten years ago, the analysis of this signal would have taken days. Now it takes just seconds, and can be done anywhere – not just in a lab setting.”

Producers of mobile devices are becoming more aware of the need to protect electromagnetic signals of phones, tablets and laptops from interception by shielding their side channel emissions. Improving the software running on the devices is also important, but Prvulovic suggests that users of mobile devices must also play a security role.

“This is something that needs to be addressed at all levels,” he said. “A combination of factors – better hardware, better software and cautious computer hygiene – make you safer. You should not be paranoid about using your devices in public locations, but you should be cautious about accessing banking systems or plugging your device into unprotected USB chargers.”

In addition to those already mentioned, the research involved Monjur M. Alam, Haider A. Khan, Moumita Dey, Nishith Sinha and Robert Callen, all of Georgia Tech.

This work has been supported, in part, by the National Science Foundation under grant 1563991 and by the Air Force Research Laboratory and DARPA LADS under contract FA8650-16-C-7620. The views and findings in this paper are those of the authors and do not necessarily reflect the official views of NSF, DARPA or the AFRL.

Source: https://www.news.gatech.edu/2018/08/09/researchers-help-close-security-hole-popular-encryption-software


Filed Under: Georgia Tech News Tagged With: Air Force Research Laboratory, authentication, cybersecurity, DARPA, encryption, Georgia Tech, NSF, software, vulnerability

August 11, 2017 By AMK

NDAA would fully approve cyber funding for DoD

The House Armed Services Committee’s National Defense Authorization Act (NDAA) for fiscal 2018 recommends additional cybersecurity funding and assessments for the Defense Department, which would help address cybersecurity concerns and offer opportunities to federal information technology vendors.

The bill would fully fund the defense budget request for cyber operations and provide resources for cyber warfare. The funding would go toward the HASC’s recommendations outlined in 13 issues of the report’s Cyber-Related Matters section.

If the bill is passed, the following issues could affect defense IT contractors in fiscal 2018, due either to requirement changes or to potential opportunities resulting from full funding of, and potential increases in, cybersecurity operations.

Keep reading this article at: https://about.bgov.com/blog/ndaa-fully-approve-cyber-funding-dod/

Filed Under: Government Contracting News Tagged With: cybersecurity, DoD, innovation, NDAA, vulnerability

March 4, 2016 By AMK

‘Hack the Pentagon’: Will DoD’s bug bounty program attract top talent?

Challenged by hackers and staffing shortages, the Pentagon is inviting plainclothes techies to a competition where they can poke around military code for security bugs.

The idea is to find and fix vulnerabilities unknowingly inserted in software before the bad guys do.

The contest draws inspiration from “bug bounty” programs in the private sector open to hobbyists and professional penetration testers. Microsoft, for instance, offers a reward of up to $100,000 for attacking its software. General Motors earlier this year launched a car-hacking program that seeks glitch reports but doesn’t yet pay for them.

The military’s new “Hack the Pentagon” program, unveiled Wednesday, potentially could offer cash prizes, according to a Defense Department announcement. Perhaps some of those bucks could come from the nearly $7 billion Pentagon Secretary Ash Carter expects to spend on cybersecurity in 2017.

Keep reading this article at: http://www.nextgov.com/cybersecurity/2016/03/pentagon-launches-open-contest-hack-military-websites/126383/

Filed Under: Government Contracting News Tagged With: contract award, crowdsourcing, cyber, cybersecurity, DoD, hack, hackers, incentive, Pentagon, prize competition, vulnerability, web resources

75 Fifth Street, NW, Suite 300
Atlanta, GA 30308
info@ContractingAcademy.gatech.edu
Phone: 404-894-6109
Fax: 404-410-6885


Copyright © 2023 · Georgia Tech - Enterprise Innovation Institute