search menu icon-carat-right cmu-wordmark

Subject: CERT

Six Free Tools for Creating a Cyber Simulator

Six Free Tools for Creating a Cyber Simulator

• SEI Blog
Joseph Mayes

It can be hard for developers of cybersecurity training to create realistic simulations and training exercises when trainees are operating in closed (often classified) environments with no ability to connect to the Internet. To address this challenge, the CERT Workforce Development (CWD) Team recently released a suite of open-source and freely available tools for use in creating realistic Internet simulations for cybersecurity training and other purposes. The tools improve the realism, efficiency, and cost effectiveness...

Read More
Evaluating Threat-Modeling Methods for Cyber-Physical Systems

Evaluating Threat-Modeling Methods for Cyber-Physical Systems

• SEI Blog
Nataliya Shevchenko

Addressing cybersecurity for а complex system, especially for а cyber-physical system of systems (CPSoS), requires a strategic approach during the entire lifecycle of the system. Examples of CPSoS include rail transport systems, power plants, and integrated air-defense capability. All these systems consist of large physical, cyber-physical, and cyber-only subsystems with complex dynamics. In the first blog post in this series, I summarized 12 available threat-modeling methods (TMMs). In this post, I will identify criteria for...

Read More
Improving Assessments for Cybersecurity Training

Improving Assessments for Cybersecurity Training

• SEI Blog
April Galyardt

The CERT Cyber Workforce Development Directorate conducts training in cyber operations for the DoD and other government customers as part of its commitment to strengthen the nation's cybersecurity workforce. A part of this work is to develop capabilities that better enable DoD cyber forces to "to train as you fight" such as setting up high-fidelity simulation environments for cyber forces to practice skills including network defense, incident response, digital forensics, etc. However, cybersecurity is a...

Read More
Threat Modeling: 12 Available Methods

Threat Modeling: 12 Available Methods

• SEI Blog
Nataliya Shevchenko

Almost all software systems today face a variety of threats, and the number of threats grows as technology changes. Malware that exploits software vulnerabilities grew 151 percent in the second quarter of 2018, and cyber-crime damage costs are estimated to reach $6 trillion annually by 2021. Threats can come from outside or within organizations, and they can have devastating consequences. Attacks can disable systems entirely or lead to the leaking of sensitive information, which would...

Read More
IPv6 Adoption: 4 Questions and Answers

IPv6 Adoption: 4 Questions and Answers

• SEI Blog
Joseph Mayes

IPv6 deployment is on the rise. Google reported that as of July 14 2018, 23.94 percent of users accessed its site via IPv6, up 6.16 percent from that same date in 2017. Drafted in 1998 and an Internet Standard as of July 2017, Internet Protocol 6 (IPv6) is intended to replace IPv4 in assigning devices on the internet a unique identity. Plans for IPv6 got underway after it was realized that IPv4's cap of 4.3...

Read More
Cyber Threat Modeling: An Evaluation of Three Methods

Cyber Threat Modeling: An Evaluation of Three Methods

• SEI Blog
Forrest Shull

This post was co-authored by Nancy Mead. Cyber threat modeling, the creation of an abstraction of a system to identify possible threats, is a required activity for DoD acquisition. Identifying potential threats to a system, cyber or otherwise, is increasingly important in today's environment. The number of information security incidents reported by federal agencies to the U.S. Computer Emergency Readiness Team (US-CERT) has increased by 1,121 percent from 5,503 in fiscal year 2006 to 67,168...

Read More
Why Netflow Data Still Matters

Why Netflow Data Still Matters

• SEI Blog
Emily Sarneso

Network flow plays a vital role in the future of network security and analysis. With more devices connecting to the Internet, networks are larger and faster than ever before. Therefore, capturing and analyzing packet capture data (pcap) on a large network is often prohibitively expensive. Cisco developed NetFlow 20 years ago to reduce the amount of information collected from a communication by aggregating packets with the same IP addresses, transport ports, and protocol (also known...

Read More
Traffic Analysis for Network Security: Two Approaches for Going Beyond Network Flow Data

Traffic Analysis for Network Security: Two Approaches for Going Beyond Network Flow Data

• SEI Blog
Tim Shimeall

By the close of 2016, "Annual global IP traffic will pass the zettabyte ([ZB]; 1000 exabytes [EB]) threshold and will reach 2.3 ZBs per year by 2020" according to Cisco's Visual Networking Index. The report further states that in the same time frame smartphone traffic will exceed PC traffic. While capturing and evaluating network traffic enables defenders of large-scale organizational networks to generate security alerts and identify intrusions, operators of networks with even comparatively modest...

Read More
Vulnerabilities and Attack Vectors

Vulnerabilities and Attack Vectors

• SEI Blog
Will Dormann

Occasionally this blog will highlight different posts from the SEI blogosphere. Today we are highlighting a recent post by Will Dormann, a senior member of the technical staff in the SEI's CERT Division, from the CERT/CC Blog. This post describes a few of the more interesting cases that Dormann has encountered in his work investigating attack vectors for potential vulnerabilities. An attack vector is the method that malicious code uses to propagate itself or infect...

Read More
Unintentional Insider Threat and Social Engineering

Unintentional Insider Threat and Social Engineering

• SEI Blog
David Mundie

Social engineering involves the manipulation of individuals to get them to unwittingly perform actions that cause harm or increase the probability of causing future harm, which we call "unintentional insider threat." This blog post highlights recent research that aims to add to the body of knowledge about the factors that lead to unintentional insider threat (UIT) and about how organizations in industry and government can protect themselves....

Read More
A New Approach for Critical Information Systems Protection

A New Approach for Critical Information Systems Protection

• SEI Blog
Anne Connell

The source of a recent Target security breach that allowed intruders to gain access to more than 40 million credit and debit cards of customers between Nov. 27 and Dec. 14, 2013, has been traced to a heating, ventilation, and air conditioning (HVAC) service sub-contractor in Sharpsburg, Pa., just outside of Pittsburgh, according to a Feb. 5 post on a Wall Street Journal blog....

Read More
Provenance Inference in Software

Provenance Inference in Software

• SEI Blog
William Casey

Code clones are implementation patterns transferred from program to program via copy mechanisms including cut-and-paste, copy-and-paste, and code-reuse. As a software engineering practice there has been significant debate about the value of code cloning. In its most basic form, code cloning may involve a codelet (snippets of code) that undergoes various forms of evolution, such as slight modification in response to problems. Software reuse quickens the production cycle for augmented functions and data structures. So,...

Read More
2013: The Research Year in Review

2013: The Research Year in Review

• SEI Blog
Douglas C. Schmidt

As part of our mission to advance the practice of software engineering and cybersecurity through research and technology transition, our work focuses on ensuring that software-reliant systems are developed and operated with predictable and improved quality, schedule, and cost. To achieve this mission, the SEI conducts research and development activities involving the Department of Defense (DoD), federal agencies, industry, and academia. As we look back on 2013, this blog posting highlights our many R&D accomplishments...

Read More
Hacking the CERT FOE

Hacking the CERT FOE

• SEI Blog
Will Dormann

Occasionally this blog will highlight different posts from the SEI blogosphere. Today we are highlighting a recent post by Will Dormann, a senior member of the technical staff in the SEI's CERT Division, from the CERT/CC Blog. In this post, Dormann describes how to modify the CERT Failure Observation Engine (FOE),when he encounters apps that "don't play well" with the FOE. The FOE is a software testing tool that finds defects in applications running on...

Read More
Prioritizing Malware Analysis

Prioritizing Malware Analysis

• SEI Blog
Jose Morales

In early 2012, a backdoor Trojan malware named Flame was discovered in the wild. When fully deployed, Flame proved very hard for malware researchers to analyze. In December of that year, Wired magazine reported that before Flame had been unleashed, samples of the malware had been lurking, undiscovered, in repositories for at least two years. As Wired also reported, this was not an isolated event. Every day, major anti-virus companies and research organizations are inundated...

Read More
Analyzing Routing Tables

Analyzing Routing Tables

• SEI Blog
Timur Snoke

Occasionally this blog will highlight different posts from the SEI blogosphere. Today we are highlighting a post from the CERT/CC Blog by Timur Snoke, a member of the technical staff in the SEI's CERT Division. This post describes maps that Timur has developed using Border Gateway Protocol (BGP) routing tables to show the evolution of public-facing autonomous system numbers (ASN). These maps help analysts inspect the BPG routing tables to reveal disruptions to an organization's...

Read More
Understanding How Network Security Professionals Perceive Risk

Understanding How Network Security Professionals Perceive Risk

• SEI Blog
James Cebula

Risk inherent in any military, government, or industry network system cannot be completely eliminated, but it can be reduced by implementing certain network controls. These controls include administrative, management, technical, or legal methods. Decisions about what controls to implement often rely on computed-risk models that mathematically calculate the amount of risk inherent in a given network configuration. These computed-risk models, however, may not calculate risk levels that human decision makers actually perceive....

Read More
Don't Sign that Applet!

Don't Sign that Applet!

• SEI Blog
Will Dormann

Occasionally this blog will highlight different posts from the SEI blogosphere. Today's post by Will Dormann, a senior member of the technical staff in the SEI's CERT Program, is from the CERT/CC (Coordination Center) blog. This post explores Dormann's investigation into the state of signed Java applet security....

Read More
Network Profiling Using Flow

Network Profiling Using Flow

• SEI Blog
Austin Whisnant

Knowing what assets are on a network, particularly which assets are visible to outsiders, is an important step in achieving network situational awareness. This awareness is particularly important for large, enterprise-class networks, such as those of telephone, mobile, and internet providers. These providers find it hard to track hosts, servers, data sets, and other vulnerable assets in the network....

Read More
Writing Effective YARA Signatures to Identify Malware

Writing Effective YARA Signatures to Identify Malware

• SEI Blog
David French

In previous blog posts, I have written about applying similarity measures to malicious code to identify related files and reduce analysis expense. Another way to observe similarity in malicious code is to leverage analyst insights by identifying files that possess some property in common with a particular file of interest. One way to do this is by using YARA, an open-source project that helps researchers identify and classify malware. YARA has gained enormous popularity in...

Read More
Helping Developers Address Security with the CERT C Secure Coding Standard

Helping Developers Address Security with the CERT C Secure Coding Standard

• SEI Blog
David Keaton

By analyzing vulnerability reports for the C, C++, Perl, and Java programming languages, the CERT Secure Coding Team observed that a relatively small number of programming errors leads to most vulnerabilities. Our research focuses on identifying insecure coding practices and developing secure alternatives that software programmers can use to reduce or eliminate vulnerabilities before software is deployed. In a previous post, I described our work to identify vulnerabilities that informed the revision of the International...

Read More
Effectiveness of a Pattern for Preventing Theft by Insiders

Effectiveness of a Pattern for Preventing Theft by Insiders

• SEI Blog
Andrew Moore

Since 2001, researchers at the CERT Insider Threat Center have documented malicious insider activity by examining media reports and court transcripts and conducting interviews with the United States Secret Service, victims' organizations, and convicted felons. Among the more than 700 insider threat cases that we've documented, our analysis has identified more than 100 categories of weaknesses in systems, processes, people or technologies that allowed insider threats to occur. One aspect of our research has focused...

Read More
The Latest Research from the SEI

The Latest Research from the SEI

• SEI Blog
Douglas C. Schmidt

As part of an ongoing effort to keep you informed about our latest work, I'd like to let you know about some recently published SEI technical reports and notes. These reports highlight the latest work of SEI technologists in workforce competency and readiness, cyber forensics, exploratory research, acquisition, and software-reliant systems. This post includes a listing of each report, author(s), and links where the published reports can be accessed on the SEI website....

Read More
The CERT Perl Secure Coding Standard

The CERT Perl Secure Coding Standard

• SEI Blog
David Svoboda

As security specialists, we are often asked to audit software and provide expertise on secure coding practices. Our research and efforts have produced several coding standards specifically dealing with security in popular programming languages, such as C, Java, and C++. This posting describes our work on the CERT Perl Secure Coding Standard, which provides a core of well-documented and enforceable coding rules and recommendations for Perl, which is a popular scripting language....

Read More
The Latest Research Reports from the SEI

The Latest Research Reports from the SEI

• SEI Blog
Douglas C. Schmidt

Happy Memorial Day. As part of an ongoing effort to keep you informed about our latest work, I'd like to let you know about some recently published SEI technical reports and notes. These reports highlight the latest work of SEI technologists in architecture analysis, patterns for insider threat monitoring, source code analysis and insider threat security reference architecture. This post includes a listing of each report, author(s), and links where the published reports can be...

Read More
Developing Controls to Prevent Theft of Intellectual Property

Developing Controls to Prevent Theft of Intellectual Property

• SEI Blog
Randy Trzeciak

According to the 2011 CyberSecurity Watch Survey, approximately 21 percent of cyber crimes against organizations are committed by insiders. Of the 607 organizations participating in the survey, 46 percent stated that the damage caused by insiders was more significant than the damage caused by outsiders. Over the past 11 years, CERT Insider Threat researchers have collected incidents related to malicious activity by insiders obtained from a number of sources, including media reports, the courts, the...

Read More
Modeling Malware with Suffix Trees

Modeling Malware with Suffix Trees

• SEI Blog
William Casey

Through our work in cyber security, we have amassed millions of pieces of malicious software in a large malware database called the CERT Artifact Catalog. Analyzing this code manually for potential similarities and to identify malware provenance is a painstaking process. This blog post follows up our earlier post to explore how to create effective and efficient tools that analysis can use to identify malware....

Read More
Fuzzy Hashing Against Different Types of Malware

Fuzzy Hashing Against Different Types of Malware

• SEI Blog
David French

Malware, which is short for "malicious software," is a growing problem for government and commercial organizations since it disrupts or denies important operations, gathers private information without consent, gains unauthorized access to system resources, and other inappropriate behaviors. A previous blog postdescribed the use of "fuzzy hashing" to determine whether two files suspected of being malware are similar, which helps analysts potentially save time by identifying opportunities to leverage previous analysis of malware when confronted...

Read More
Measures for Managing Operational Resilience

Measures for Managing Operational Resilience

• SEI Blog
Julia Allen

The SEI has devoted extensive time and effort to defining meaningful metrics and measures for software quality, software security, information security, and continuity of operations. The ability of organizations to measure and track the impact of changes--as well as changes in trends over time--are important tools to effectively manage operational resilience, which is the measure of an organization's ability to perform its mission in the presence of operational stress and disruption. For any organization--whether Department...

Read More
Fuzzy Hashing Techniques in Applied Malware Analysis

Fuzzy Hashing Techniques in Applied Malware Analysis

• SEI Blog
David French

Malware--generically defined as software designed to access a computer system without the owner's informed consent--is a growing problem for government and commercial organizations. In recent years, research into malware focused on similarity metrics to decide whether two suspected malicious files are similar to one another. Analysts use these metrics to determine whether a suspected malicious file bears any resemblance to already verified malicious files. Using these metrics allows analysts to potentially save time, by identifying...

Read More