Talk to just about anyone with systems security know-how, and they’ll tell you that compliance reporting tools — such as Federal Information Security Management Act reports and the annual congressional security report card — are not only ineffective at gauging an agency’s information security, they can also be counterproductive.
“You have the presumption that if I have a bad grade, I have bad security. I don’t know if this is true. But I do know that if I get a good grade, I don’t necessarily have good security, because the security we see in federal agencies today is failing,” says Alan Paller, director of research for the SANS Institute in Bethesda, Md.
Last year, agencies were prominent on the list maintained by the Privacy Rights Clearinghouse (www.PrivacyRights.org) of organizations that lost private, sensitive or secret data — through everything from hacker-installed rootkits and employee negligence to loss of unencrypted notebooks, backup tapes and thumb drives. Many agencies appeared two, three, even four times on this list — among them were the departments of Commerce, Education, Transportation and Veterans Affairs, and the Census Bureau, Navy and Social Security Administration.
It’s also common knowledge that unclassified Defense Department networks regularly come under attack and have suffered breaches by Trojan horses and rootkits used for spying and remote control, adds Paller. More recently, in October, Commerce’s Bureau of Industry and Security had to replace hundreds of computers riddled with rootkits and eliminate direct access to the Internet.
Government IT leaders agree with analysts that compliance scorecards do little to indicate whether security processes work under real-life stressors. But these tools do, at least, raise awareness, which was an important step accomplished in 2006, says Lisa Schlosser, CIO for the Housing and Urban Development Department and co-chairwoman of the CIO Council’s Architecture and Infrastructure Committee.
“If you’ve done what FISMA wanted you to do, which is to get executive attention and support for your risk management plan,” she says, “then you can get resources and implement creative ways to get the needed level of security and testing into your environment.”
This is exactly the point that Tom Jarrett, Delaware CIO and secretary to the National Association of State CIOs, campaigns about when meeting with local, state and federal officials. It’s crucial to get the ear of senior leaders so that your agency can be creative about improving security, he says. Don’t let the reporting requirements become the focus. When addressing lawmakers, he likes to point out what would happen if emergency services and infrastructure providers’ Internet Protocol networks got knocked out because of a security breach. The presentations “scare the hell” out of people, he says, because they make the risks relevant to the government’s ability to conduct business and respond to crises.
With a new congressional IT security report card just out and the Office of Management and Budget’s latest FISMA report expected shortly, experts offer their insights into the top security approaches that federal CIOs and chief information security officers can pull from their hats to ratchet their security beyond compliance this year:
1 MAKE SECURITY an Infrastructure Component
Vulnerability scanning, patch management, antivirus, intrusion detection and prevention, wireless security and authentication. These aren’t security tools, they’re infrastructure tools, contends Howard Schmidt, international president of the Information Systems Security Association and former cybersecurity adviser to the president. “All of these things are being built into the infrastructure as part of the availability and integrity scheme in the coming year,” he says.
2 NETWORK in Segments
CIOs need to adopt extraordinarily granular levels of network segmentation, either departmentally or otherwise as risk assessments dictate, Paller says. “Not because users are untrustworthy,” he adds. “It’s because the bad guys get in and become users.” When that happens in a segmented environment, damage can’t spread beyond the affected segment, greatly reducing response and remediation time while protecting the rest of the network.
3 APPLY Benchmarks
“The next stage in security is coming up with a better metric to prove that not only were people trained, but that the training was effective,” Schlosser says. “Generally, the trend is we’re getting more able to measure how well we’re doing with security. The ability to prove this gets us more time at the executive table, allowing us to bake security in from the beginning of new projects.” Agencies need to have this expertise to know exactly where their systems stand at any given time, she says.
4 UTILIZE Log Information
Log management needs to shift from compliance management to early warning systems. “There’s a big shift to log management systems with filtering to tell me how events coincide inside the network,” Paller says. This is important because you can’t keep malware out of the network anymore, so you need to take measures to respond and react to real-time events inside the network, he says.
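Paller’s point about filtering logs to see how events coincide, shown as an added example that is not from the article or any vendor product: a small Python correlator over constructed sample lines that joins firewall and SSH events per source address and escalates only when a segment sweep and a brute-force-then-success appear together inside one time window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample lines (not from the article): a firewall and two servers feeding
# one collector. One internal host sweeps a segment, then brute-forces an SSH login.
SAMPLE_LOGS = """\
2007-01-10T09:00:01 fw1 ALLOW src=10.1.5.20 dst=10.2.0.7 dport=445
2007-01-10T09:00:03 fw1 ALLOW src=10.1.5.20 dst=10.2.0.8 dport=445
2007-01-10T09:00:04 fw1 ALLOW src=10.1.5.20 dst=10.2.0.9 dport=445
2007-01-10T09:00:05 fw1 ALLOW src=10.1.5.20 dst=10.2.0.10 dport=445
2007-01-10T09:00:09 srv7 sshd: Failed password for admin from 10.1.5.20
2007-01-10T09:00:11 srv7 sshd: Failed password for admin from 10.1.5.20
2007-01-10T09:00:14 srv7 sshd: Failed password for admin from 10.1.5.20
2007-01-10T09:00:20 srv7 sshd: Accepted password for admin from 10.1.5.20
2007-01-10T09:30:00 srv9 sshd: Accepted password for alice from 10.1.7.3
"""
FW_RE = re.compile(r"^(\S+) \S+ ALLOW src=(\S+) dst=(\S+) dport=(\d+)$")
SSH_RE = re.compile(r"^(\S+) (\S+) sshd: (Failed|Accepted) password for (\S+) from (\S+)$")

def parse(lines):
    """Normalise both log formats into (timestamp, source_ip, kind, target) tuples."""
    events = []
    for line in lines.splitlines():
        if m := FW_RE.match(line):
            ts, src, dst, port = m.groups()
            events.append((datetime.fromisoformat(ts), src, "connect", f"{dst}:{port}"))
        elif m := SSH_RE.match(line):
            ts, host, result, user, src = m.groups()
            events.append((datetime.fromisoformat(ts), src, result.lower(), f"{user}@{host}"))
    return sorted(events)

def correlate(lines, window=timedelta(minutes=5), sweep_hosts=4, fail_count=3):
    """Per source IP, flag a segment sweep and brute-force-then-success within one window; both together escalate."""
    by_src = defaultdict(list)
    for ev in parse(lines):
        by_src[ev[1]].append(ev)
    alerts = {}
    for src, evs in by_src.items():
        findings = set()
        for i, (t0, _, _, _) in enumerate(evs):
            recent = [e for e in evs[i:] if e[0] - t0 <= window]  # sliding window from each event
            targets = {e[3] for e in recent if e[2] == "connect"}
            fails = [e for e in recent if e[2] == "failed"]
            if len(targets) >= sweep_hosts:
                findings.add("internal_sweep")
            if len(fails) >= fail_count and any(e[2] == "accepted" and e[0] > fails[-1][0] for e in recent):
                findings.add("bruteforce_then_success")
        if findings:  # two independent signals on one source are worth more than either alone
            alerts[src] = "likely_compromised_host" if len(findings) == 2 else findings.pop()
    return alerts
```

Thresholds and the window are constructed for this sample; a real deployment would tune them per segment and feed the escalated alert into the incident process rather than a compliance report.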
5 PROTECT Personal Information at the App Level
So far, agencies have done a pretty bad job of protecting personally identifiable information (PII), judging by the millions of people whose information was exposed by government systems last year, according to the Privacy Rights Clearinghouse.
Applications housing PII are often the least protected layers in the information protection chain, according to Patrick Howard, CISO for HUD. “Too many systems and applications use and process PII unnecessarily,” he says. Agencies should strip it out as often as possible, he suggests.
Plus, agencies need to develop rules about the use of PII during a system’s development rather than tacking it on after the fact.
6 ENCRYPT Critical Data for Portable Systems
The trend toward encrypting sensitive and private data on devices started gaining momentum in the last year after agencies experienced multiple, embarrassing leaks — most notably when a notebook went missing after a Veterans Affairs Department employee took it home.
There’s no reason not to jump on this trend, says Paul Kocher, president and chief scientist at Cryptography Research in San Francisco. Database, backup and device encryption are readily available and easier to deploy, he says.
7 BE READY to Respond
Dealing with incidents must evolve to an integrated, cross-network process that goes beyond just finding and fixing individual problems, says Travis Reese, president of federal services for Mandiant, a security services provider in Alexandria, Va.
Enterprise response processes must always integrate host- and network-based approaches, he says. “When you have an incident, you have to scope a problem across the rest of the network, conduct stress tests and practice response drills across all those departments,” Reese says.
8 MAKE Alternate Plans
Agencies need to develop more in-depth strategies, through their continuity-of-operations planning, for running things after the unthinkable happens, Delaware’s Jarrett says.
“We have big plans through our emergency management operations for alternate routes if roads go out, but nobody’s thought much about what happens if you lose the network,” he says.
Furthermore, CIOs and CISOs need to plan for the instances when it’s impossible to access your disaster recovery plan or points of contact through the network, Jarrett adds.