By Jeanette Manfra, Assistant Secretary, Office of Cybersecurity and Communications, Department of Homeland Security
It’s fitting that October, which is National Cybersecurity Awareness Month, has also been an extremely busy month for the Department of Homeland Security’s cybersecurity information sharing operations. In the field of cybersecurity, DHS shares timely, accurate information far and wide with our partners and constituents so that they can take proper action to protect themselves.
On October 16, our partners at the Software Engineering Institute’s CERT Division reported to DHS that researchers had disclosed a major weakness in the Wi-Fi Protected Access II (WPA2) protocol that secures nearly all wireless network traffic, and named the exploit technique KRACK, short for “Key Reinstallation Attack.” The vulnerabilities are in the 802.11i protocol, which means that any standards-compliant implementation of WPA2 is likely to be affected.
That morning, shortly after being notified by CERT, DHS’s US-Computer Emergency Readiness Team (US-CERT) issued a public alert to ensure that information about the vulnerabilities reached as wide an audience as possible.
When vulnerabilities like KRACK are discovered and disclosed, it is critical that DHS share this information widely and as quickly as possible so that our partners and constituents can be aware of the risk and take steps to protect themselves. In the case of KRACK, if exploited, an attacker within range of a Wi-Fi network can view network traffic that users assume to be protected by WPA2 encryption. If additional layers of transport security (such as HTTPS) are not in place, an attacker could capture email, chat messages, photos, or other user information like credit card numbers and passwords.
To prevent the attack, users and administrators must update affected products as security updates become available. Individuals should also identify which Wi-Fi-enabled devices they are currently using (the CERT Vulnerability Note contains a list of affected vendors) and ensure that the necessary updates are applied. There is no one patch for all affected devices. Some Wi-Fi-enabled devices that people might overlook are televisions, home security systems and wearable devices. In those cases, users should check for customer support information from the device manufacturer.
That same day, DHS issued Binding Operational Directive (BOD) 18-01 to all federal departments and agencies. This directive, titled “Enhance Email and Web Security,” mandates the use of specific cybersecurity best practices at all agencies, including DMARC and HSTS. HSTS, or HTTP Strict Transport Security, is a way to force the use of HTTPS. This way, even if wireless frame-level encryption is bypassed—as it is in KRACK—traffic with the HSTS website is protected against snooping, modification or injection. DMARC, or Domain-based Message Authentication, Reporting and Conformance, is a way to protect against domain spoofing in email messages, in which a cyber actor uses a fake email address disguised to look like an authentic one.
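Both controls named above are declared as short text policies, HSTS as an HTTP response header and DMARC as a DNS TXT record, so an administrator can check their own deployment mechanically. The following Python script is an added example, not part of the original post or of any DHS tool: it parses a Strict-Transport-Security header and a DMARC record, with a weak and a hardened version of each constructed inline, and reports settings that leave the gap described above (an HSTS policy browsers will ignore or that excludes subdomains, a DMARC record that does not reject spoofed mail). The minimum max-age and the required DMARC policy are assumptions chosen for this example, not quoted from the directive.

```python
from dataclasses import dataclass

# Policy thresholds: assumptions for this example, not text from BOD 18-01.
HSTS_MIN_MAX_AGE = 31536000          # one year, in seconds
ACCEPTABLE_DMARC_POLICIES = {"reject"}

# Constructed sample inputs (not taken from any real site or domain).
WEAK_HSTS = "max-age=300"
GOOD_HSTS = "max-age=31536000; includeSubDomains; preload"
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.gov"
GOOD_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.gov"


@dataclass
class Finding:
    control: str   # "HSTS" or "DMARC"
    ok: bool       # True when the policy meets the assumed threshold
    detail: str    # human-readable reason


def _split_directives(text: str) -> list[tuple[str, str]]:
    """Split 'name=value; name2' style text into (lowercase name, value) pairs,
    preserving order. Shared by both parsers because HSTS (RFC 6797) and
    DMARC (RFC 7489) use the same ';'-separated layout."""
    pairs = []
    for part in text.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        pairs.append((name.strip().lower(), value.strip().strip('"')))
    return pairs


def parse_hsts(header_value: str) -> dict[str, str]:
    """Directive names in HSTS are case-insensitive; values stay as strings."""
    return dict(_split_directives(header_value))


def check_hsts(header_value: str) -> Finding:
    d = parse_hsts(header_value)
    # Without a numeric max-age the header is invalid and browsers ignore it,
    # so the site still accepts its first request over plain HTTP.
    if not d.get("max-age", "").isdigit():
        return Finding("HSTS", False, "missing or non-numeric max-age; the policy is ignored")
    max_age = int(d["max-age"])
    if max_age < HSTS_MIN_MAX_AGE:
        return Finding("HSTS", False, f"max-age={max_age} is below the assumed minimum {HSTS_MIN_MAX_AGE}")
    if "includesubdomains" not in d:
        return Finding("HSTS", False, "includeSubDomains absent; subdomains can still be reached over HTTP")
    extra = ", preload" if "preload" in d else ""
    return Finding("HSTS", True, f"max-age={max_age}, includeSubDomains{extra}")


def parse_dmarc(txt_record: str) -> dict[str, str]:
    return dict(_split_directives(txt_record))


def check_dmarc(txt_record: str) -> Finding:
    pairs = _split_directives(txt_record)
    # The version tag must be first, or receivers do not treat the record as DMARC.
    if not pairs or pairs[0] != ("v", "DMARC1"):
        return Finding("DMARC", False, "record must begin with v=DMARC1")
    t = dict(pairs)
    policy = t.get("p")
    if policy is None:
        return Finding("DMARC", False, "required p= tag is missing")
    if policy not in ACCEPTABLE_DMARC_POLICIES:
        return Finding("DMARC", False, f"p={policy}: spoofed mail is not rejected (assumed target is p=reject)")
    if "rua" not in t:
        return Finding("DMARC", True, "p=reject, but no rua= address so no aggregate reports are received")
    return Finding("DMARC", True, f"p=reject, aggregate reports to {t['rua']}")


def audit(hsts_header: str, dmarc_record: str) -> list[Finding]:
    """Run both checks and return the findings; callers decide how to report."""
    return [check_hsts(hsts_header), check_dmarc(dmarc_record)]


if __name__ == "__main__":
    for label, hsts, dmarc in (("weak", WEAK_HSTS, WEAK_DMARC), ("hardened", GOOD_HSTS, GOOD_DMARC)):
        print(f"== {label} configuration ==")
        for f in audit(hsts, dmarc):
            print(f"  {f.control:5} {'PASS' if f.ok else 'FAIL'}  {f.detail}")
```

In practice the header value would come from an HTTPS response to the site and the DMARC record from a TXT lookup of `_dmarc.<domain>`; the parsing and policy logic stay the same, and the thresholds should be set from whatever policy the organization actually adopts.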
Later in the same week, on October 20, we released a joint Technical Alert based on collaborative analysis between DHS and the FBI on Advanced Persistent Threat activities targeting critical infrastructure, particularly the energy sector. In the alert, we provide a detailed description of the actors’ tactics, techniques and procedures, including in-depth technical analysis of various phases in the Cyber Kill Chain. We also included several sets of Indicators of Compromise (IOCs) in Structured Threat Information Expression (STIX), a common language used in disseminating cyber threat information, to help cybersecurity professionals detect and defend against these activities in their own networks.
As these examples show, information sharing is a key part of DHS’s important mission to enhance the awareness of new vulnerabilities and malicious cyber activities. DHS actively collaborates with public and private sector partners every day to share actionable information gleaned from research, network defense, cybercrime investigations, and incident reports. Without this collaboration, we would be less able to inform our partners and constituents on emerging threats and appropriate mitigation strategies. We applaud security researchers who disclose vulnerabilities in a thoughtful and coordinated manner, which has the effect of increasing security of the entire internet ecosystem. We also greatly appreciate the feedback we receive from our partners on products like our Technical Alert, so that we can continuously hone our processes to better help network defenders do their job. As National Cybersecurity Awareness Month comes to a close, DHS is ready to continue sharing valuable operational information and working together to make a safer, stronger Internet for all Americans.