Tools of the Trade
For federal systems security chiefs, the hunt for the supertool never ends. “We’re always looking for new and better tools for monitoring and protecting the network,” says John Hannan, chief information security officer at the Government Printing Office. But technology advancements are of little value without also empowering the users, he’s quick to add. “Much of their power and usefulness comes from the skills and education of the people who use those tools.”
To check the pulse of the government’s information technology security shops, FedTech talked to five IT security execs about their strategies and vision. We expected to hear about the latest and greatest security tools — and we weren’t disappointed. They all spoke of new and better utilities for protecting the perimeter, catching malware once it enters the enterprise, making use of encryption applications, and applying monitoring and log utilities. But what did surprise us was that each one reiterated that it’s as crucial to have a trained and educated staff and user base as it is to deploy the newest security applications.
In the next few pages, the IT security chiefs from the Government Printing Office, Postal Service, House of Representatives, Centers for Disease Control and Prevention, and the Health and Human Services Department offer their insights on tools they consider crucial, what can’t be taken for granted, important decisions they feel were made in the past year and what they hope to accomplish in 2008.
Eye in the Sky: At GPO With John Hannan
A wide-ranging overview of the network is one of the best ways to quickly discover anomalies that might be attacks, says John Hannan, CISO at the Government Printing Office.
And a smart way to achieve such a bird’s-eye view is through consolidated log reports. In fact, Hannan rates his decision to implement log and monitoring consolidations as his most important and effective security decision of 2007. “We needed an awareness of events on all the different devices in different parts of the network,” he says. By looking at the consolidated log reports, security staff is in a good position to get a feel for what is normal network behavior, an important prerequisite for determining what events are suspicious and therefore should be investigated. “These logs give us the situational awareness that allows us to catch potential attacks 24 x 7,” he says.
Another important decision was to subscribe to an alert service that warns Hannan and his staff about new types of attacks discovered by other security professionals. The service helps his staff use more of a rifle than a shotgun approach to investigating potential breaches. “Alarm services give us an idea of what to look for. They help us focus on potential problems,” he says.
Without such reports, organizations would be forced to cast such a wide net that they would have problems homing in on the most serious issues, Hannan believes.
Hannan’s goals now are straightforward: keep up with changes both on the technology side — learning about and introducing new security technologies — and on the attack side — identifying and finding solutions to the newest types of threats.
He acknowledges that staying current on new technologies and threats is a never-ending task. “I’ve been in the security business for 15 years, and there hasn’t been any one year where there weren’t major changes, both in the available tools and in the types of vulnerabilities we have to be aware of.”
Still, as good as the tools become for identifying potential attacks, they will never replace well-educated and dedicated security staff as an essential part of the defensive strategy. Like all CISOs interviewed for this article, Hannan says his staff represents his biggest and most effective weapon in the war against cyber-attackers.
Lock and Key Theory: In the House With Lou Magnotti
“You can have the best and most-expensive machines monitoring network traffic all day long, but without an educated and experienced staff, you won’t be able to solve most of your security problems,” says Lou Magnotti, director of information systems security for the House of Representatives.
The paradox inherent in any security technology is that the better and more sensitive it becomes at identifying potential attacks, the more likely it is to yield false positives. Experienced security people have to quickly separate the real attacks from the false alarms and continually tweak applications so that they are less likely to block legitimate traffic, he says.
When Magnotti talks about the importance of people power, he isn’t referring only to his security staff. If his comrades in arms represent the keys in the IT defense equation, he says, the rest of the organization’s users are the locks. In addition to educating his own staff, Magnotti believes that the enterprise should train everyone — both technical and nontechnical employees — to be security-conscious. “Having people understand and follow security policies is a very important piece of our overall strategy for keeping our data safe.”
In fact, Magnotti says he finds himself relying more heavily on the user base as attackers become subtler. If good firewall and virus detection utilities make it nearly impossible for attackers to penetrate the network through brute force, they often try enticing users to invite them in. “The game has changed over the last year or so,” he says. “We used to focus almost entirely on perimeter defense. Now we’re more worried about malicious programs, like Trojan horses, that come in through user actions.”
Training users about how to treat e-mail from senders they don’t know and to not follow links to unfamiliar Web sites or download unauthorized applications has become an essential part of the House’s security strategy.
Magnotti’s security staff also began looking at the code in applications and operating systems last year — a task that will continue well into 2008. As it goes forward, he says, the House will be more proactive in training programmers to be highly security-conscious when writing code, not only checking for bugs in the programs but also for potential security holes that allow data leaks.
Driven by Mission: At CDC With Tom Madden
“Our IT security staff has to understand the organization’s public-health mission as well as the security tools put in place to protect that mission,” says Tom Madden, CISO at the Centers for Disease Control and Prevention in Atlanta.
For example, although CDC doesn’t normally collect medical data that identifies individual patients, sometimes a correlation between a particular patient and specific data set becomes possible if various sources are aggregated. Because of this, his staff must distinguish between data that’s so sensitive it might identify individuals — and can’t be made public — and health data that the agency can release.
On this front, Madden says his chief goal for 2008 is to improve the skill level and training of his security staff as well as that of all IT and business managers across the agency. “The biggest bang for the buck we can get is education,” he says.
The firewalls, intrusion detection systems and other tools are absolutely fundamental to protecting data, but Madden says spending money on them would be a waste if he didn’t match staff training to his automated implementations. “I get software that spits out a billion pages of log data. But what do I do with that if I don’t have anyone who can interpret it?”
All this is not to say that Madden doesn’t believe in continually improving his organization’s automated security programs, even if some of them are not specifically related to security. For example, he believes the best security decision he made in 2007 was to install an inventory management application. This can ferret out suspicious network devices, which can then be investigated by his staff.
“If I expect to have 15,000 machines and I find 16,000, I want to know who owns the extra thousand and what they’re doing with them,” he says. Now that he has gotten control of his organization’s inventory, even a small change is immediately flagged. “If you come in here with your notebook and plug it into our network, you will not get access; our staff will know about it immediately, and you’ll hear from us.”
Madden says he needs this immediate-response capability because potential enemies have shortened the time between finding a hole in the security perimeter and trying to penetrate it. “It used to take weeks before an attacker took advantage of a vulnerability. Now, in many cases, it’s almost instantaneous.”
One trend Madden sees in security is that intruders are less discriminating in where they aim their attacks. Before, they would attack a specific machine, department or type of data that they felt would yield some valuable result. Now they try to “exfiltrate” whatever they can get their hands on and decide later whether it’s valuable, he says.
Defense in Depth: At HHS With Dara Murray
The more, the better when it comes to IT security, says Dara Murray, CISO at the Program Support Center and director of the Security Services Division at the Health and Human Services Department.
She uses a wide array of tools to protect HHS critical assets from unauthorized exposure. They run the gamut — everything from typical resources within word processors and project management applications to dedicated security products for encryption and intrusion detection. HHS applies full-disk encryption for its hard drives, encrypts data on all mobile end-user systems and runs utilities to protect data-in-flight, such as files downloaded to thumb drives.
Even so, Murray considers her most important secret for keeping up with ongoing threats more cognitive than technological. “There are too many hackers and threats out there, and with technology changing every day, our best secret is to think the way the attackers do.”
Technology tools alone will not take care of everything, she says. They assist with preventing unauthorized access, but training is the key to identifying innocent-looking e-mail from a possible phishing expedition. Murray suggests, “In simple terms, look at the low-hanging fruit. Determine what is the easiest and most affordable way to keep things secure and handle most of your security processes in that way.”
And how do you find the low-hanging fruit? “Educate the everyday users at work and at home and also teach parents and children about the dangers that lurk on the Internet.”
The perimeter, in some senses, no longer exists, so Murray considers it crucial to provide and support antivirus and personal firewalls running on her users’ work and home computers. Then, simply teaching users to recognize threats, such as phishing schemes, can play an essential and complementary role in implementing protective technologies, such as encryption, intrusion detection and network and application scanners.
Given Murray’s trust in and reliance on end users to help keep her organization’s data safe, it should come as no surprise that she believes the best security decision she has made in the past year was initiating a computer security awareness program and conducting seminars on subjects such as identity theft and end-user PC protection.
“You have to reach out to the people you work with who are nontechnical because they are tired of hearing about policy and Federal Information Systems Management Act scores — they want to know about how to protect themselves,” she says. “By reaching out to them with a subject they can relate to, you improve your IT security program.”
Murray’s philosophy of keeping things simple extends to her plans for improving audit reporting for security. Reporting vulnerabilities and detailing security for FISMA reports and certifications have become so unwieldy that the end products are often of little use to anyone, she says.
Going forward, she hopes to produce fewer but more helpful audit reports. She also expects to certify more of the applications on her users’ devices. “By consolidating reports and patching holes in applications, we’ll decrease the vulnerabilities dramatically.
Layer by Layer: At the Postal Service With Pete Stark
The strength of a security system comes not from the power of each individual tool but primarily from the right combination of tools working together as an integrated whole, says Pete Stark, manager of corporate information security at the Postal Service. “Our strategy is to have several different layers of security. Each of the layers complements the others,” he says.
For example, network firewalls and intrusion detection and prevention tools protect the outer perimeter. These applications improve with each new release, but so do the attackers, who look for ways to get around them. If an attacker does penetrate the outer perimeter, another layer of protection comes into play. “We can’t identify every instance of malware,” Stark says. “So we also need tools that work to quarantine and eliminate a virus that has entered the network.”
The standard defense is desktop-based virus detection, and all the PCs at USPS run up-to-date virus software. But traditional virus protection, which matches traffic against virus definitions, only works after someone has identified the virus. To layer on more protection, Stark’s staff looks at data and applications to identify behavior that might be malicious even before a virus or attack mechanism is identified.
The smallest perimeter surrounds individual hard drives. And Stark says the most important decision he made in 2007 was to protect each machine using full-disk encryption. This will now be a requirement both for desktop PCs and notebook computers at the Postal Service. Although he considers the potential for physical theft of a desktop system to be low within the agency, it’s far from zero. And occasionally when a system is repurposed, the hard drive may not be wiped clean, even though that is the policy. “We’ve made a major decision to focus on the end-point,” he says.
Stark says he intends to target another layer of protection: better access-control through improved identity management capability.
