The U.S. Department of Homeland Security (DHS) has been offering a free service to test companies’ abilities to withstand cyber attacks, according to KrebsOnSecurity. The little-known program involves penetration testing of companies’ infrastructure and has drawn both support and criticism from private security experts.
Under the program, private firms, primarily energy companies and banks, commission the DHS to conduct penetration tests with the goal of strengthening firms’ network and computer defenses against real attackers. The testing is provided by the National Cybersecurity Assessment and Technical Services (NCATS).
The program came to light after a risk manager at a small Eastern U.S. financial company sought KrebsOnSecurity’s advice when comparing the free services with private sector offerings. KrebsOnSecurity contacted other sources about the program and found that none were aware of it.
DHS Publishes Program Information
DHS declined to be interviewed about NCATS, but it has published information about the program. NCATS provides penetration testing through two separate programs: a Risk and Vulnerability Assessment (RVA) and a Cyber Hygiene evaluation, both of which help the client organization understand how its infrastructure and external systems look to attackers.
Sy Lee, a DHS spokesman, told KrebsOnSecurity via email that the agency works with private and public sector partners to improve the resilience and security of their systems against cyber attacks. NCATS focuses on government at all levels and private sector stakeholders to improve cyber security.
The RVA program scans clients’ databases, operating systems and web applications for vulnerabilities. It then tests for weaknesses. Program participants are scanned for rogue wireless devices. “Social engineering” is used to see how employees respond to phishing attempts.
The Cyber Hygiene program is mandatory for federal civilian executive agencies and optional for state, local, tribal and private sector stakeholders. This program includes both external and internal vulnerability and web application scanning.
Reports Cite Need For Improvement
The program’s reports provide clients detailed information about their vulnerabilities and recommendations for corrective action.
Program data was used to create an FY14 End of Year report which is available on the program’s website. It includes information from over 100 engagements. The report notes:
• Manual testing was needed to identify 67 percent of RVA vulnerability findings (as opposed to automated vulnerability scans).
• Over half of the 344 vulnerabilities discovered during the scans received a severity rating of high (40 percent) or critical (13 percent).
• RVA phishing emails delivered a 25 percent click rate.
In 2015, NCATS served 53 private sector clients, the majority being financial services and energy companies. The financial service companies were mainly smaller firms such as credit unions.
DHS has been criticized for its own cybersecurity shortcomings, KrebsOnSecurity noted. Given these issues, the NCATS program appears to be an attempt to mollify criticism.
Cyber Security Experts Weigh In
KrebsOnSecurity sought input from the private sector testing industry on the government’s services.
Dave Aitel, chief technology officer at Immunity Inc. in Miami Beach, Fla., said DHS can learn about real-world vulnerabilities from the program. As a major player in regulation policy, DHS should have technical expertise in penetration testing, Aitel said. The more DHS knows about information security, the better its policy recommendations will be.
At the same time, Aitel said, you sometimes get what you pay for.
He wondered if the data DHS finds will affect a company’s SEC liabilities. He also wondered if there are legal ramifications if the government gains access to customer data.
The DHS provides no warranties related to its services, KrebsOnSecurity noted.
Aitel, a former National Security Agency (NSA) research scientist, further noted that vulnerabilities found inside the government are required to go to the NSA, which could use the vulnerabilities for clandestine programs.
There are also legal issues when the government competes with private industry.
An Excuse For Not Investing?
Alan Paller, research director at SANS Institute, a Bethesda, Md.-based security training firm, said DHS’ free assessments can serve as an excuse for companies to spend less on security. He said the services measure a limited set of vulnerabilities.
Paller further noted that NCATS testers do not conduct active penetration tests against the network, despite what its documents claim.
He said NCATS mostly does traffic analysis and architectural assessments. Using big packet capture, NCATS baselines, profiles and does some protocol analysis. Scans done by DHS can only reveal a certain amount of information, he said, and the people doing them do not have extensive experience with important aspects of critical infrastructure systems.
The architectural reviews are conducted by younger people with minimal real world experience and the customer is not completely advised on the assessment and testing limitations, Paller noted.