Mar 07 2008

Before They Arrive

Don't ask when or if a breach will occur. Instead, ask yourself: Has the IT team set the stage to stop and contain an intrusion?

Battening down the network hatches and focusing on end-point security is all well and good, but it won’t do a thing to help the IT security team after a breach occurs — only expertise, good tools, trusted staff and fast action can help then — that, and some guts.

Those were the hard-earned lessons that Dennis Clem, CIO for the Pentagon and Office of the Secretary of Defense, says helped him keep his job after an intruder broke into an OSD network and stole sensitive Pentagon data files.

“You can’t just be a policy CIO,” he contends. In today’s net-centric environment, “you need to know and understand the technology of your network.”

A 25-year veteran of Defense IT, Clem had been Pentagon CIO only a short time and had begun work on a consolidation strategy for the 14 silo networks serving the Defense Department’s headquarters when the now-infamous breach occurred last June.

On Alert

Cyber-attackers have their government targets set and are busy gathering intelligence long before a system goes live. “Within 10 minutes of a new service going up, there’s an attempt to hit the system and find out if it’s vulnerable,” Clem notes.

He and other government CIOs and security chiefs talked at the recent Information Processing Interagency Conference 2008 in Orlando, Fla., about how agencies can prepare to stave off disaster in a climate where wrongdoers, including foreign adversaries and high-profile criminals, will break through government network security to capture information.

“You’ve got to know your network — where your general support systems are and your major applications,” says Patrick Howard, chief information security officer for the Housing and Urban Development Department. Because Clem had begun the consolidation project to create a single network for the Pentagon — a project that’s midway to completion — he says IT knew to the last server where and what was running in OSD.

  • Create an inventory process and use audit tools that will let IT “reach out and have accountability all the time,” Howard says. Networks and technology use are dynamic; things change — so spot inventories and manual counts aren’t sufficient.
  • Establish a logon system that requires IT to check out randomly generated system-administrator IDs and passwords each and every time anyone makes changes to systems or applications. It’s a small but crucial requirement, Clem says.
  • Never allow logical access without authentication. At the Pentagon, that means everyone who wants to access a system must use a two-factor Common Access Card. “There’s no ‘exceptions list,’ ” says Clem.
  • Apply electronic watermarks to all dual-use apps so that IT can reduce false positives when scanning applications and systems during a response to a potential incident.
  • Use digital signatures on all e-mail so that workers can authenticate mail from one another and quickly spot spoofed e-mail.
  • Have a backup plan for affected users. For instance, Pentagon IT set up kiosks for the 1,500 users whose systems were pulled offline in the wake of the breach.
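As an added example (not from the article and not the Pentagon's own system) of the check-out practice described in the second item above: a minimal vault that issues a random, single-use administrator ID and password against a change ticket, expires it after an assumed one-hour lifetime, and records every check-out in a ledger that IT can later account for. The class, field and ticket names are assumptions.

```python
import secrets
import string
import time
from dataclasses import dataclass
from typing import Callable, List, Optional

ALPHABET = string.ascii_letters + string.digits
TTL_SECONDS = 3600  # assumed lifetime of a checked-out admin credential

@dataclass
class Checkout:
    admin_id: str
    password: str
    requester: str
    change_ticket: str
    issued_at: float
    expires_at: float
    returned_at: Optional[float] = None

class AdminCredentialVault:
    """Issue a fresh, random admin identity per change; self.ledger is the audit trail."""
    def __init__(self, now: Callable[[], float] = time.time):
        self._now = now  # injectable clock so expiry is testable offline
        self.ledger: List[Checkout] = []

    def check_out(self, requester: str, change_ticket: str) -> Checkout:
        if not change_ticket:
            raise ValueError("every check-out must reference a change ticket")
        now = self._now()
        # One-time ID and 24-char password; neither is reused across changes.
        admin_id = "adm-" + secrets.token_hex(4)
        password = "".join(secrets.choice(ALPHABET) for _ in range(24))
        rec = Checkout(admin_id, password, requester, change_ticket, now, now + TTL_SECONDS)
        self.ledger.append(rec)
        return rec

    def is_valid(self, admin_id: str, password: str) -> bool:
        # Accept only a live, un-returned credential; compare in constant time.
        for rec in self.ledger:
            if rec.admin_id == admin_id and secrets.compare_digest(rec.password, password):
                return rec.returned_at is None and self._now() < rec.expires_at
        return False

    def check_in(self, admin_id: str) -> bool:
        # Returning the credential retires it; the ledger entry stays for audit.
        for rec in self.ledger:
            if rec.admin_id == admin_id and rec.returned_at is None:
                rec.returned_at = self._now()
                return True
        return False
```

Each ledger entry ties an administrator ID to a named requester, a change ticket and a time window, which is the accountability Clem describes.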

“You have to put in a complete top-to-bottom solution,” Clem says. “Security is a constant moving target.”

Keep Your Guard Up

And those guts mentioned earlier? Clem had his gut-check moment when he made the decision to shutter only one of the 14 networks after the breach and to isolate it while he brought in additional help to use scanning applications to systematically check every single device and application running on the other 13.

Some Pentagon brass wanted him to close down the entire web of systems, but he listened to his staff and tech support team and ultimately took the extreme chance of segregating just the single network. It worked, but it still cost $4 million and took three weeks to close up the holes the intruders had burrowed and to remove the malware they had planted.

Would he do it the same way again? There’s no telling; every incident is unique, Clem says. “But if you don’t trust the information you have at the time or the people providing it or know your network, then shut it all down.”