By David McIntyre
Public Affairs Officer
The
email was flagged urgent and screamed in capital letters: YOUR
IMMEDIATE ATTENTION REQUIRED! The message said a software update was
needed to avoid major system disruption, and to click a link and enter a
network password.
The
NRC employee who received the email thought the message looked
suspicious. Instead of clicking on the link, she forwarded the message
as an attachment to the NRC’s Computer Security Incident Response Team.
Within
minutes, a CSIRT member was analyzing the email on a computer
unconnected to the NRC network. He quickly determined the message was
bogus, a “phishing” attempt to gain unauthorized access to the system.
He instructed the employee to delete the message and block the sender to
avoid receiving any further attempted intrusions from that Internet
address.
Had
the employee provided her username and password, she could have exposed
the NRC’s computer network and its sensitive information to compromise
and possible disruption. Personal information about NRC employees would
have been at risk, as well as sensitive pre-decisional information about
agency policies and licensees.
While
Safeguards and classified information about the security and status of
nuclear plants is maintained on separate higher security systems, the
information we process on the NRC corporate network must also be
protected.
CSIRT,
part of the NRC’s Computer Security Office, is a small group of
experts, all highly trained in cyber defense. Their mission is to detect
and thwart attacks on the NRC’s computer networks and prevent “spills”
of sensitive information. Such attacks can come through phishing
attempts, such as the fictional incident described above, malware
implanted in website advertisements or viruses and malware on portable
data devices.
The
team routinely works with other federal agencies, including the
Homeland Security Department’s U.S. Computer Emergency Response Team
(US-CERT) to stay up to date on the latest vulnerabilities. They even
practice “white hat” hacking to test the NRC’s systems.
As
a response team, CSIRT investigates suspicious emails that have already
passed through the NRC’s extensive SPAM filters and Internet firewall,
robust cyber security defenses mounted by the Office of Information
Systems.
About
10 million emails are directed to NRC.gov addresses each month, and
nearly 90 percent of them are blocked by the agency’s network security
technologies as spam or for carrying viruses or suspicious attachments,
says Mike Lidell, IT Specialist in the OIS Security Operations and
Systems Engineering Branch. The OIS team administers the NRC’s
firewalls, intrusion detection systems and spam filters.
While
the percentage of blocked emails seems high, Lidell says it’s pretty
much “par for the course” for any large organization or government
agency. Emails that get through the initial line of defense are scanned
again by the internal servers and a third time by the end-user’s
individual computer. Internet data returned from the Web is scanned by
NRC servers and individual workstations as well to guard against
“drive-by downloads” of malicious software.
As
Lidell points out, the “defense in depth” is necessary because the
attacks are always evolving and changing. Thorne Graham, CSIRT’s team
leader, praises a fourth line of defense against email attacks on the
agency’s network: The NRC’s 4,000 employees. All NRC employees take
annual online computer security training.
“Our best defense is the individual employee,” Graham says. “Security is everyone’s business.”
REFRESH is an occasional series where we republish previous posts. This originally ran in November 2014.
No comments:
Post a Comment