One of the cybersecurity employees at the Homeland Security Department’s Immigration and Customs Enforcement directorate turned a phishing attack into a lessons-learned exercise for the rest of the department.
Jeff Eisensmith, ICE’s chief information security officer, said one of his employees strung out the attacker for a week and used this episode to help other ICE employees understand the dangers of phishing attacks.
Eisensmith said this example is part of the way ICE is improving the security of its network.
“Each year we have information assurance awareness training and it’s a requirement to keep users’ access to the network,” Eisensmith said. “About once a month we have a security message that pops out in a number of different formats, we have an online newspaper and monthly blurbs that go out to remind employees about cybersecurity. In addition to that, our security staff rotates around the organization and gives specialized training to those who request it.”
ICE is joining other agencies in celebrating Cybersecurity Awareness Month by focusing on where it’s been and where it’s going.
The agency recently received a score of 95 on its Federal Information Security Management Act report for 2011, up from a 94 the year before.
“The 95 was a result of every man and woman in ICE that is a security professional, is in engineering and operations pulling in the same direction,” he said. “It was a death march, but we are better for it. But that is not a sustainable way to move forward. This year we are focused on the automation of a lot of our tools moving toward the continuous monitoring mandate. We really worked hard with the tools we had to fit them into the Secure Content Automation Protocol (SCAP) paradigm. We have a mandate this year to move into continuous monitoring. But we really are going beyond that.”
Eisensmith said ICE is implementing a near real-time dashboard to provide it with data feeds about what’s happening on its network.
“We are not there yet, but that is the direction continuous monitoring is moving us,” he said. “This is a substantial lift for us.”
Once ICE has its data, it feeds the data to the National Protection and Programs Directorate. NPPD will collect all the agency data and feed it into the CyberScope tool, which the Office of Management and Budget mandated agencies use by the end of 2012.
Along with continuous monitoring, ICE is focusing on one of the biggest challenges agencies have: the insider threat.
“We are using special tools that collect the audit logs from all of our sensitive systems and then aggregate those logs and set up alarms so that if we see something that is not normal behavior, something will pop up in our security operations center, which will have an opportunity to see if something is going on there,” Eisensmith said. “One of the information system security officers’ main jobs is to keep that low-level look at each and every system and verify people are using it appropriately. I don’t think that has always been the focus across the federal space. But we are really pushing it here.”
In all, Eisensmith likes to say a “healthy sense of paranoia” is a good thing for agency employees when it comes to cybersecurity.
That is why Eisensmith believes the story of the phishing attack against one of his security specialists makes such a good learning tool.
“One of the biggest threats we see is threats related to payloads in emails, whether they are executables or zipped or compressed files, when people don’t know what they are and they click on it,” he said. “We can try to make education materials there to say, ‘if you don’t expect an email, don’t click on the link.’ There is a famous one about getting an email saying you have a UPS package. We try to tell our employees if they are not expecting something to be shipped to them, don’t click on it.”