search menu icon-carat-right cmu-wordmark

The Latest Work from the SEI: Microservices, Ransomware, and Agile in Government

Douglas C. Schmidt
• SEI Blog
Douglas C. Schmidt

As part of an ongoing effort to keep you informed about our latest work, this blog post summarizes some recently published SEI reports, podcasts, conference papers, and webcasts highlighting our work in cybersecurity, the future of cybersecurity education, microservices, ransomware, Cybersecurity Maturity Model Certification (CMMC), and Agile in government. We have also included a webcast of a recent discussion on Department of Defense (DoD) software advances and future SEI work.

These publications highlight the latest work of SEI technologists in these areas. This post includes a listing of each publication, author(s), and links where they can be accessed on the SEI website.

NICE Framework Cybersecurity Evaluator
by Christopher Herr

This cybersecurity evaluator is designed to assess members of the cyber workforce within the scope of the NICE Cybersecurity Workforce Framework.

The Software Engineering Institute (SEI), in partnership with the Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA), researched, designed, and developed a Cybersecurity Evaluator with the goal of assessing potential and current members of the cyber workforce within the scope of the National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework (NICE Framework). Initial research was conducted to ascertain how knowledge, skills, and abilities (KSAs) aligned across the NICE Framework within their respective categories, specialty areas and work roles. By identifying overlapping KSAs, the SEI discovered that a Cybersecurity Evaluator tool could provide a reasonable baseline assessment using just 65 questions, which target approximately 28 percent of the key KSAs within the NICE Framework. Assessment results will help individuals identify the NICE category and potential roles that best align to their current talents and strengths.
Read the white paper.

The Future of Cyber: Educating the Cybersecurity Workforce
by Dr. Diana Burley and Roberta (Bobbie) Stempfley

The culture of computers and information technology changes quickly. The Future of Cyber Podcast series explores the future of cyber and whether we can use the innovations of the past to address the problems of the future. In our latest episode, Bobbie Stempfley, former director of the SEI's CERT Division, interviews Dr. Diana Burley, executive director and chair of the Institute for Information Infrastructure Protection, or I3P, and vice provost for research for American University. Their discussion focused on educating the cybersecurity workforce in a way that closes the gap between what students are taught in school and the skills they'll need to use in the workplace.
View/listen/download the podcast.

Quality Attribute Concerns for Microservices at the Edge
by Marc Novakouski and Grace Lewis

Bringing computation and data storage closer to the edge, such as disaster and tactical environments, has challenging quality attribute requirements. These include improving response time, saving bandwidth, and implementing security in resource-constrained nodes.

In this webcast we review characteristics of edge environments with a focus on architectural qualities. The characteristics and quality attribute concerns that we present are generalized from and informed by multiple customer experiences that we have undertaken in recent years.

We present an overview of edge environments, in both military and civilian contexts, and provide a discussion about edge-specific challenges and how they can differ based on the context. We discuss architectural quality attributes that are well suited to address the edge-specific challenges, and provide examples of how each apply. A microservices architecture provides an opportunity to address several of the quality attribute concerns at the edge. Through a final consolidated scenario as an exemplar, we discuss how the presented qualities can be addressed using microservices.

This webcast should be useful for anyone interested in better understanding the challenges of edge environments and learning about representative scenarios of work currently being done.
View the webcast.

Current Ransomware Threats
by Marisa Midler, Kyle O'Meara, and Alexandra Parisi

Ransomware continues to be a grave security threat to both organizations and individual users. The increased sophistication in ransomware design provides enhanced accessibility and distribution capabilities that enable attackers of all types to employ this malicious tool. This report discusses ransomware, including an explanation of its design, distribution, execution, and business model. Additionally, the report provides a detailed discussion of encryption methods and runtime activities, as well as indicators that are useful in their detection and mitigation.

Ransomware has evolved into a sophisticated tool that is usable by even non-technical persons and has multiple variants offered as Ransomware as a Service (RaaS). RaaS decreases the risk for ransomware authors, since they do not perform attacks, and reduces the affiliates' cost to mount attacks. Additionally, as of 2019, some ransomware families have started threatening public disclosure of a victim's sensitive data if they do not pay a ransom and are following through with the threat. This report recommends both proactive and reactive approaches that help avoid having to pay a ransom and minimize the loss of data.
Read the report.

An Updated Framework of Defenses Against Ransomware
by Timur D. Snoke and Timothy Shimeall

The proliferation of tools and techniques to disrupt enterprise systems has evolved from those capable of supporting merely opportunistic attacks to those enabling targeted attacks. Furthermore, attackers continue to develop methods for monetizing their efforts, resulting in ransomware, a very disruptive threat to business as well as governmental departments and agencies. Ransomware developers are now selling their tools as a service, enabling attackers (individual criminals, organized crime, ideological hackers, or nation-state teams, all hereafter referred to as affiliates) to use tools they do not build or maintain to attack vulnerable systems.

In the last few years we have seen a rise of successful ransomware affiliates that purchase the malware that they use and incorporate it into a ransomware tool chain that is targeted to a specific victim. These attackers lock victims out of their own data, usually by encrypting it, and attempt to extort money to restore the victim's access to the enterprise data under threat of data destruction or disclosure as a response for non-payment. Recent high-profile cases, including attacks. attest to the seriousness of the problem. In each case, the victims suffered operational disruptions with monetary losses.

This report, loosely structured around the NIST Cybersecurity Framework, seeks to frame an approach for defending against Ransomware-as-a-Service (RaaS) as well as direct ransomware attacks.
Read the whitepaper.

Developing an Effective CMMC Policy
by Andrew F. Hoover and Katie C. Stewart

The Cybersecurity Maturity Model Certification (CMMC) for the Defense Industrial Base (DIB) defines specific cybersecurity practices across five levels of maturity while also measuring the degree to which those practices are institutionalized within an organization. The CMMC model draws on maturity processes and cybersecurity best practices from multiple standards, including the National Institute of Standards and Technology (NIST) frameworks and references, as well as input from DIB entities and the Department of Defense. CMMC requires that DIB organizations complete an assessment of all CMMC practices at a particular level and become certified by a CMMC third-party assessment organization. When fully implemented, CMMC will require all DIB companies to achieve certification at one of the five CMMC levels, which includes both technical security practices and maturity processes. In this SEI Podcast, Andrew Hoover and Katie Stewart, architects of the CMMC model, present guidelines for developing an effective CMMC policy.
Download/listen/view the podcast.

Agile in Government: Go for Insight, Not Just Oversight
by Suzanne Miller

This webcast provided practical insights into how a government program office can productively engage with a contractor using Agile and Lean methods. By reorienting the Agile Manifesto for a system acquisition context, we will consider the distinction between oversight and insight then briefly share examples of the impact of continuous delivery on technical review, requirements, testing, and system engineering.
View the webcast.

Additional Resources

View the latest SEI research in the SEI Digital Library.
View the latest installments in the SEI Podcast Series.
View the latest installments in the SEI Webinar Series.