Library of Congress

Company Facts: “The Library of Congress is the largest library in the US, it is located in Washington, D. C., and maintained largely by federal appropriations.” (1) Providing research facilities for members of Congress was its original purpose; today it also provides research facilities for the public. In fiscal year 2016 the library employed 3,149 permanent staff, responded to 1 million reference requests from Congress, the public and other federal agencies, and delivered approximately 18,380 volumes from the Library’s collections to congressional offices. The Annual Report of the Librarian of Congress in 2016 shows annual appropriations of $642.04 million. A successful hack of the library’s resources could provide an unauthorized disclosure of information on military operations, the budget, and other policy information. (2)

Leadership: Carla Hayden is the 14th Librarian of Congress and the Chief Information Officer is Bernard Barton.

Mission: To provide Congress, and then the federal government and the American people, with a rich, diverse, and enduring source of knowledge that can be relied upon to inform, inspire, and engage them, and support their intellectual and creative endeavors.
Vision: The chief steward of America’s and the world’s record of knowledge, and a springboard to the future, while providing indispensable services to Congress.

The Breach: On July 17, 2016 the Library of Congress was the target of a massive distributed denial of service (DDoS) attack; a group called the Turk Hack Team claimed credit for the attack on an online message board. The hackers attacked the firewalls and got into the website, flooding the network with packets and causing outages to websites and services. The CIO Bernard Barton described the attack as “a massive and sophisticated DNS assault, employing multiple forms of attack, adapting and changing on the fly.” (3) They also defaced the website and changed the message that was on the website.
In a blog post, Bernard Barton explained, “The attack began on Sunday morning and disrupted a number of services and sites hosted by the library including Congress.gov, the U.S. Copyright Office, the Congressional Research Service and the BARD (Braille and Audio Reading Download) service from the National Library Service for the Blind and Physically Handicapped.” (4) Congress employees were unable to visit internal websites; the attack also impacted Library databases and incoming and outgoing email.

Background: Congress has been the recipient of numerous cyber-attacks in the past, including SQL injection attacks, website defacements, and inadvertent data leaks. In 2012 the Library of Congress official website was breached and the stolen data was posted on a file sharing website called Pastebin. The attack included “a SQL injection attack to the LOC’s back end database exposing user names, passwords and email addresses.” (4) Hacktivist BlitzSec stated that the hack was due to legislation like the National Defense Authorization Act and the Patriot Act calling members “criminals” and “terrorists”. The group claiming responsibility said it used a SQL injection attack to access the Library of Congress website’s back end database and expose user names, passwords and email addresses. The 2015 GAO report stated that “The Library of Congress has established policies and procedures for managing its information technology (IT) resources, but significant weaknesses across several areas have hindered their effectiveness.”
They identified a number of risks, including: no IT strategy, the lack of end-to-end processes to track assets, the inability to test security controls and mitigate weaknesses in a timely manner, lack of good technical security controls, no assessment of risks to personally identifiable information (PII) in its systems, as well as issues with stability in the position of the CIO. These and other weaknesses put the Library’s systems at risk of compromise.

In the field the terms cyber security and computer security are often used interchangeably, but Cyber Security is defined as the body of governance, policy, processes and measures to shield data and computer systems from unauthorized access, incident or attack, whereas Computer Security ensures that availability, integrity and confidentiality are maintained. This means that authorized users will have access to information when required, unauthorized modification of data is prevented, and there is no unauthorized disclosure of data. Organizations must do a balancing act between making information available to employees and customers and protecting its confidentiality and integrity. The 2015 GAO report clearly identified vulnerabilities at the library that needed to be addressed; however, the risks remained unmitigated.
The 2016 Library of Congress denial of service attack was designed to disrupt the integrity and availability aspects of the CIA Triad. The attack directly affected employees and other sites hosted on the Library of Congress network by changing and defacing the website, revealing that unauthorized modification was not prevented. Authorized users were denied access to internal websites, databases and email, creating an environment of confusion. It is also possible that confidentiality was breached, as the attack could have used an SQL injection to steal PII and other sensitive information.

On its website Akamai, an American content delivery network and cloud delivery platform, states, “Over the past 15 years, distributed denial of service attacks, or DDoS attacks, have become one of the chief threats to websites, servers and networks. DDoS attacks use malware to remotely control thousands of computers, or botnets, and cause them to send bogus requests to a specific target. Designed to overwhelm a machine or network resource and render it unavailable to users, DDoS attacks can cause severe damage to a company’s operations, reputation, productivity, and bottom line.”

Software: System and application software must be designed with security in mind. Security should be planned initially as well as worked into each phase of the software development lifecycle. During the 2016 attack, hackers flooded and overloaded the system with packets, crashing the system, which allowed the system to become vulnerable and subject to further attack. Since the system was unable to protect itself, hackers were able to bypass the system security and gain unauthorized access to information on servers and other sites hosted on the Library of Congress network.

All websites are designed using HTML code. Hackers were able to gain system access and elevate their privileges in order to edit the HTML code used to display webpages. The elevated privileges gave them full access to add, change or remove web page contents and to deface the Library of Congress website.
It is clear that hackers were able to access the Simple Mail Transfer Protocol (SMTP), Post Office Protocol version 3 (POP3) and Interactive Mail Access Protocol (IMAP) email servers, as the hack prevented employees from accessing both incoming and outgoing email. Programmers should regularly review systems software, application software and software interactions to determine vulnerabilities that could be exploited. Code reviews should be done to inspect the program code in order to find mistakes overlooked during the software development process. The objectives are to determine best practices, discover errors, identify common vulnerabilities, discover malware and fix weaknesses in a timely manner. White and black box testing should be done to ensure secure code design and software usability.

Data Flow Across Networks

Penetration Testing: There are many common cybersecurity attacks, which include malware threats, denial-of-service, session hijacking, hacking applications, SQL injections, cross-site scripting, hacking wireless networks and numerous others. Penetration testing should be performed on the Library of Congress network using some of the common attacks to determine the strength of the network. Pen testing or ethical hacking would include simulated attacks performed by white hat and/or black hat testers to evaluate the system security and help identify vulnerabilities within a network.
These are vulnerabilities that may exist that a hacker could exploit. This would provide the organization direction on what areas need to be addressed in order to secure the Library of Congress information systems and network.

NFAT: In order to monitor activity on the network, forensic investigators use Network Forensic Analysis Tools (NFAT).
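One kind of check such a tool performs, given here as an added example rather than anything from the paper or from a real NFAT product: a per-destination packet-rate anomaly detector run over constructed flow records shaped like the flood described above. The hostnames follow the sites the paper names and the addresses are RFC 5737 documentation ranges; none of it is captured data.

```python
# Added example (not from the paper): rate-based anomaly detection over
# constructed network flow records, the kind of check an NFAT performs.
from collections import Counter, defaultdict

# Constructed flow records: (second, src_ip, dst_host, packets).
# Seconds 0-1 are normal traffic; seconds 2-3 carry a flood at congress.gov.
FLOWS = [
    (0, "198.51.100.7", "congress.gov", 40),
    (0, "198.51.100.8", "copyright.gov", 35),
    (1, "198.51.100.7", "congress.gov", 44),
    (1, "198.51.100.8", "copyright.gov", 31),
    (2, "198.51.100.7", "congress.gov", 38),
    (2, "203.0.113.10", "congress.gov", 9000),
    (2, "203.0.113.11", "congress.gov", 8800),
    (3, "203.0.113.10", "congress.gov", 9500),
    (3, "203.0.113.11", "congress.gov", 9100),
    (3, "198.51.100.8", "copyright.gov", 33),
]

def aggregate(flows):
    """Sum packets per (second, dst_host) and per source within each pair."""
    totals = defaultdict(Counter)    # second -> {dst_host: packets}
    sources = defaultdict(Counter)   # (second, dst_host) -> {src_ip: packets}
    for sec, src, dst, pkts in flows:
        totals[sec][dst] += pkts
        sources[(sec, dst)][src] += pkts
    return totals, sources

def detect_floods(flows, baseline_end, factor=10.0):
    """Flag any second in which a destination receives more than `factor`
    times its mean per-second rate learned from seconds before `baseline_end`.
    Returns [(second, dst_host, packets, top_source_ip)] in time order."""
    totals, sources = aggregate(flows)
    baseline = defaultdict(list)
    for sec, per_dst in totals.items():
        if sec < baseline_end:
            for dst, pkts in per_dst.items():
                baseline[dst].append(pkts)
    alerts = []
    for sec in sorted(s for s in totals if s >= baseline_end):
        for dst, pkts in totals[sec].items():
            if dst not in baseline:
                continue  # no normal rate to compare against; cannot judge
            mean = sum(baseline[dst]) / len(baseline[dst])
            if pkts > factor * mean:
                top_src = sources[(sec, dst)].most_common(1)[0][0]
                alerts.append((sec, dst, pkts, top_src))
    return alerts
```

Running `detect_floods(FLOWS, baseline_end=2)` flags seconds 2 and 3 at congress.gov, with 203.0.113.10 as the heaviest source, while copyright.gov stays quiet.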
Some of these tools include:

When there are network anomalies it is important that they be identified, researched and mitigated before they can do any damage.

Utilizing Enterprise Security
· Discuss the principles that underlie the development of an enterprise cybersecurity policy framework and implementation plan.

Microsoft determines that “The key to securing your enterprise now and into the future is knowing your current security posture and its potential weaknesses.” (9) A cybersecurity strategy should be designed based on organizational vision, mission, goals, business requirements, and critical areas of organizational risk. The strategy should be developed to be quantifiable, with each task measured by a metric.
The enterprise-wide security metric program should be designed to ensure the organization is meeting its goals and reported to senior leadership on a quarterly, monthly or weekly basis. Metrics should be presented holistically across the various cybersecurity areas in an electronic tool specifically designed to measure strategy, with a drill-down capability for delving into specific areas of issue. The implementation plan should be a further drill-down of the identified strategy with specific steps for implementing the organization’s strategy.

“A computer security model is a scheme for specifying and enforcing security policies. A security model may be founded upon a formal model of access rights, a model of computation, a model of distributed computing, or no particular theoretical grounding at all.” Security models can be categorized as positive or negative. A positive security model would be like a whitelist, which says what is included and everything else is rejected. A negative security model would list everything that is rejected and anything else would be automatically allowed. (New Threats and Countermeasures in Digital Crime and Cyber Terrorism, 2015, edited by Maurice Dawson)

Some of the security models include the Bell and LaPadula (BLP) Confidentiality Model, the Biba Integrity Model (the opposite of BLP), the Clark-Wilson Integrity Model, the Information Flow Model, the Non-Interference Model, the Graham-Denning Model, the Harrison-Ruzzo-Ullman Model and the Lattice Model. The Library of Congress would first have to determine which security model its policy will be based on: review the security models and determine which model fits best with the type of customers, data and level of security required.
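Two of the models listed, BLP and Biba, reduce to a pair of read/write rules over an ordered set of labels; the following added example (not from the paper, and using constructed labels rather than any real Library of Congress scheme) encodes both rules next to the positive and negative models, and checks that Biba is exactly BLP evaluated on the inverted lattice, which is the sense in which the paper calls it the opposite of BLP.

```python
# Added example (not from the paper): the Bell-LaPadula and Biba rules over a
# constructed three-level lattice, plus positive vs negative policy checks.
# The labels are illustrative, not the Library of Congress's real scheme.
from itertools import product

LEVELS = {"public": 0, "internal": 1, "congressional": 2}

def dominates(a, b):
    """True when label a is at or above label b in the lattice."""
    return LEVELS[a] >= LEVELS[b]

def blp_allows(op, subject, obj):
    """Bell-LaPadula confidentiality: no read up, no write down.
    Labels mean sensitivity; data may only flow toward more sensitive objects."""
    if op == "read":
        return dominates(subject, obj)
    if op == "write":
        return dominates(obj, subject)
    raise ValueError("unknown operation: %r" % op)

def biba_allows(op, subject, obj):
    """Biba integrity: no read down, no write up.
    Labels mean trustworthiness; a subject may not consume less trusted data
    or modify more trusted data (so a low-integrity session cannot rewrite
    high-integrity web content, the defacement case the paper describes)."""
    if op == "read":
        return dominates(obj, subject)
    if op == "write":
        return dominates(subject, obj)
    raise ValueError("unknown operation: %r" % op)

def invert(label):
    """Map a label to its mirror image in the lattice (top <-> bottom)."""
    top = max(LEVELS.values())
    return next(name for name, lvl in LEVELS.items() if lvl == top - LEVELS[label])

def biba_is_inverted_blp():
    """Biba equals BLP evaluated on the inverted lattice, for every request."""
    return all(biba_allows(op, s, o) == blp_allows(op, invert(s), invert(o))
               for op, s, o in product(("read", "write"), LEVELS, LEVELS))

def positive_model_allows(allowed, request):
    """Positive (whitelist) model: only explicitly listed requests pass."""
    return request in allowed

def negative_model_allows(denied, request):
    """Negative (blacklist) model: anything not explicitly listed passes."""
    return request not in denied
```

A request the policy author never anticipated (an HTTP method such as PUT when only TRACE is blacklisted) passes the negative model and fails the positive one, which is the trade-off the paragraph above describes.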
The Library of Congress should employ the NIST Framework for Improving Critical Infrastructure Cybersecurity, which “provides industry a risk-based approach for developing and improving cybersecurity programs”. The framework core identifies specific functions, “Identify, Protect, Detect, Respond and Recover—that provide a strategic view of the lifecycle of an organization’s management of cybersecurity risk.” (Harvard Paper)

And finally, Defense in Depth should be employed across the organization’s network to ensure that there are various layers of security measures designed into the enterprise cybersecurity policy framework and the implementation plan. This ensures that even if an attacker gets through one layer there are additional layers to penetrate in order to gain access.