Dec 31 2009

The Best Defense

Federal security managers discuss best practices for preventing cybersecurity breaches.

When attacks can come from any or all sides,
the natural response is to batten down the
network hatches. But federal agencies can't
adopt such a siege response. In fact, they
often must throw open their doors for
information sharing with other agencies,
while also securing sensitive data on their
networks. And they must do it while under
budget constraints and the scrutiny of
government security watchdog organizations.

Meanwhile, a nightmare of worms,
Trojan horses, e-mail viruses, social
engineering attacks, software vulnerabilities
and other cybersecurity breaches parade
through the headlines. Every federal IT
security manager dreads seeing that parade
stop at his or her agency. As a result, these
ever-present security threats are prompting
agencies to adopt best practices and devote
more attention to risk management issues.

Safety Comes First

In May, the U.S. General Accounting Office
(GAO) revealed that the Federal Deposit
Insurance Corporation (FDIC) had
computer vulnerabilities that put
critical financial, personnel and banking
information at risk. The GAO audit found
that network connections to off-site
locations were not adequately controlled,
employees were inadvertently granted
unnecessary access to sensitive data,
known software vulnerabilities were
not patched and intrusion detection
systems were not fully implemented.

Such problems can happen in any
organization. But federal computer security
managers at the U.S. Postal Service (USPS),
Federal Reserve Board and Department of
Homeland Security (DHS) are following
best practices for change control, system
hardening, security training and monitoring
to keep threats at bay.

The USPS recently invested in an
endeavor to enhance its security standards
and practices, and ensure that all its
information resources conform to precise
security configurations, says Peter Myo
Khin, manager of the Corporate Information
Security Office. This is in addition to
the system/application/network security
reviews performed in-house as part of
the USPS information security assurance
process, as well as those performed by its
compliance and monitoring teams. The
assurance information is reviewed by the
USPS Office of the Inspector General,
which conducts its own parallel
monitoring of USPS IT security practices.

This belt-and-suspenders approach
helps ensure adherence to best practices and
offers an effective method to detect security
vulnerabilities. "It is critical to have a
structured approach to security
implementation and assure that our
applications are secure and our systems
are patched to latest security levels," he says.

Effective change control helps eliminate
the risky, expensive and time-consuming
process of cleaning up after a virus or other
attack that gets in through a security hole,
explains Marianne Emerson, IT director at
the Federal Reserve Board in Washington.
"We believe that the largest portion of
breaches come from machines that are not
patched properly and not configured
properly," she adds.

Security teams at the Federal Reserve
use vulnerability scanning tools to search
for security holes on machines running
Windows, Emerson says. In some cases, if
a flaw is found, the Federal Reserve has
coders trained to write Microsoft Systems
Management Server (SMS) 2003 software
scripts that install patches to fix the
problem. In other cases, network
administrators (desktop support
personnel) correct configuration errors.

Emerson says these scripts have kept
the Federal Reserve's machines from being
infected by recent software worms. "We
couldn't live without it," she says. "It has
streamlined our patching process."
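The patch-status check that such scripts depend on can be expressed in a few lines of PowerShell. The following is an added example written for this page, not one of the Federal Reserve's SMS 2003 scripts: it compares the updates installed on one or more Windows machines against a list of updates your change-control process has approved. The KB identifiers and the workstation list file are placeholders.

```powershell
# Added example (not the Federal Reserve's SMS scripts): report which of a
# required set of Microsoft updates are missing from one or more machines.
# The KB identifiers below are placeholders, not real update numbers; replace
# them with the updates your change-control process has approved.
$RequiredUpdates = @('KB0000001', 'KB0000002')

function Get-MissingUpdates {
    param(
        [string[]]$ComputerName = @($env:COMPUTERNAME),
        [string[]]$Required = $RequiredUpdates
    )
    foreach ($computer in $ComputerName) {
        try {
            # Get-HotFix reads the installed-update list (Win32_QuickFixEngineering).
            $installed = (Get-HotFix -ComputerName $computer -ErrorAction Stop).HotFixID
        } catch {
            [pscustomobject]@{
                Computer      = $computer
                MissingUpdate = $null
                Status        = "unreachable: $($_.Exception.Message)"
            }
            continue
        }
        $missing = @($Required | Where-Object { $_ -notin $installed })
        if ($missing.Count -eq 0) {
            [pscustomobject]@{ Computer = $computer; MissingUpdate = $null; Status = 'compliant' }
        } else {
            foreach ($kb in $missing) {
                [pscustomobject]@{ Computer = $computer; MissingUpdate = $kb; Status = 'missing' }
            }
        }
    }
}

# Usage: audit this machine, then (commented) a list of workstations for the
# change-control review. workstations.txt is an assumed file of host names.
Get-MissingUpdates | Format-Table -AutoSize
# Get-MissingUpdates -ComputerName (Get-Content .\workstations.txt) |
#     Export-Csv .\patch-status.csv -NoTypeInformation
```

Machines reported as missing an update are the ones a follow-up deployment script would target; machines reported as unreachable are worth a second look in the inventory, since a host that cannot be queried also cannot be patched remotely.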

Security Comes First

USPS works with internal IT functions
and an external business partner to push
patches out to relevant information
resources, according to Myo Khin. But
before a patch goes out to USPS
information resources for implementation,
it is first tested to make sure that it does not
destabilize core business systems, he adds.

At the Federal Reserve Board, early
adopters test Microsoft patches before
they are rolled out to the rest of the
organization, Emerson explains. And at
both agencies, before new hardware
and software tools can be used, they
pass through a certification process
to mitigate potential vulnerabilities.

Before the Federal Reserve Board
deploys new workstations loaded with
Windows and setup instructions from
vendor CDs, the workstations are
extensively hardened, Emerson says. The
Board's security team has developed a
series of parameter settings for Windows
that make it more difficult to access the
machines from across the Internet.

"You restrict the right to log on locally,
and you limit the right to log on across the
network by changing registry settings," she
explains. And vulnerable ports are closed.
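Two of the hardening controls described above can be audited on a workstation with the script below. It is an added example, not the Board's own baseline: it reads the local user-rights assignments (who may log on locally and who may log on across the network) by exporting the security policy with secedit rather than through the registry settings Emerson mentions, and it lists listening TCP ports against an allowlist. The broad-group list and the expected-port list are assumptions for illustration.

```powershell
# Added example, not the Federal Reserve Board's hardening baseline: audit two
# of the controls described in the article on a Windows workstation -- which
# principals hold the "log on locally" / "access this computer from the
# network" rights, and which TCP ports are listening -- and flag anything
# outside an assumed baseline. Run from an elevated prompt (secedit needs it).

# Everyone, Authenticated Users, Users: broad groups a hardened build usually
# removes from the network-logon right. Assumed for illustration.
$BroadPrincipals = @('S-1-1-0', 'S-1-5-11', 'S-1-5-32-545')
# Assumed allowlist of ports expected to listen on a managed workstation.
$ExpectedListeningPorts = @(135, 445, 3389)

function Get-LogonRights {
    # Export the local security policy and pull the user-rights assignments.
    $cfg = Join-Path $env:TEMP 'secpol-export.inf'
    secedit /export /cfg $cfg /quiet | Out-Null
    if (-not (Test-Path $cfg)) { throw 'secedit export failed; run from an elevated prompt' }
    $rights = @{}
    foreach ($line in Get-Content $cfg) {
        # Lines look like: SeNetworkLogonRight = *S-1-5-32-544,*S-1-5-11
        if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
            $name = $matches[1]
            $sids = $matches[2] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ }
            $rights[$name] = @($sids)
        }
    }
    Remove-Item $cfg -ErrorAction SilentlyContinue
    return $rights
}

function Convert-SidToName {
    param([string]$Sid)
    try {
        (New-Object System.Security.Principal.SecurityIdentifier($Sid)).Translate(
            [System.Security.Principal.NTAccount]).Value
    } catch { $Sid }   # keep the raw SID if it cannot be resolved
}

function Test-LogonRestrictions {
    $rights = Get-LogonRights
    foreach ($right in 'SeInteractiveLogonRight', 'SeNetworkLogonRight') {
        if (-not $rights.ContainsKey($right)) { continue }
        foreach ($sid in $rights[$right]) {
            $finding = if ($sid -in $BroadPrincipals) { 'broad group holds logon right: review' } else { 'ok' }
            [pscustomobject]@{ Right = $right; Principal = (Convert-SidToName $sid); Finding = $finding }
        }
    }
}

function Test-ListeningPorts {
    # Get-NetTCPConnection is available on Windows 8 / Server 2012 and later.
    Get-NetTCPConnection -State Listen | Sort-Object LocalPort -Unique | ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        $finding = if ($_.LocalPort -in $ExpectedListeningPorts) { 'expected' } else { 'not in baseline: review or close' }
        [pscustomobject]@{
            LocalPort = $_.LocalPort
            Process   = if ($proc) { $proc.ProcessName } else { 'unknown' }
            Finding   = $finding
        }
    }
}

Test-LogonRestrictions | Format-Table -AutoSize
Test-ListeningPorts    | Format-Table -AutoSize
```

The point of keeping both checks in one report is that they fail together in practice: a listener that is not in the baseline is only reachable if the network-logon right or an open port lets a remote principal get to it, so reviewing the two lists side by side is how a desktop team decides what to close.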

If security dollars are scarce, Emerson
directs available funds to training internal
network administrators and developers.
Developers must be trained to evaluate
code for vulnerabilities and "put boundary
limits on every kind of input so you don't
have any unexpected input code walking
through part of the change control system,"
she explains.

Keeping an accurate and up-to-date
inventory of machines on the network is an
invaluable tool in helping to control
upgrades and data access, Emerson says. IT
managers use the SMS tool to collect serial
numbers, to determine which employee
is using which workstation and to track
machines as they are distributed among the
agency's 2,000 computer users.
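The inventory Emerson describes can be collected without SMS from any host that accepts CIM/WinRM queries. The script below is an added example, not the Board's SMS configuration: it gathers serial number, model, operating system and logged-on user for each machine named in a text file (an assumed file you maintain), writes a CSV, and compares the result with the previous snapshot so machines that have appeared or vanished since the last run stand out.

```powershell
# Added example, not the Federal Reserve Board's SMS configuration: build a
# workstation inventory (serial number, model, OS, logged-on user) over CIM and
# compare it with the previous run so newly appeared or vanished machines stand
# out. Requires WinRM/CIM access to the targets. workstations.txt and the CSV
# file names are assumptions for illustration.

function Get-WorkstationInventory {
    param([string[]]$ComputerName = @($env:COMPUTERNAME))
    foreach ($computer in $ComputerName) {
        $session = $null
        try {
            $session = New-CimSession -ComputerName $computer -ErrorAction Stop
            $bios = Get-CimInstance -CimSession $session -ClassName Win32_BIOS
            $cs   = Get-CimInstance -CimSession $session -ClassName Win32_ComputerSystem
            $os   = Get-CimInstance -CimSession $session -ClassName Win32_OperatingSystem
            [pscustomobject]@{
                Computer     = $computer
                SerialNumber = $bios.SerialNumber
                Model        = "$($cs.Manufacturer) $($cs.Model)"
                OS           = $os.Caption
                LoggedOnUser = $cs.UserName          # interactive user, if any
                LastBoot     = $os.LastBootUpTime
                Collected    = Get-Date
            }
        } catch {
            Write-Warning "$computer unreachable: $($_.Exception.Message)"
        } finally {
            if ($session) { Remove-CimSession $session }
        }
    }
}

function Compare-Inventory {
    # Report machines that are new since the previous snapshot or no longer seen,
    # keyed on serial number so a renamed host is not mistaken for a new one.
    param([string]$PreviousCsv, [object[]]$Current)
    $previous   = @(Import-Csv $PreviousCsv)
    $oldSerials = @($previous.SerialNumber)
    $newSerials = @($Current.SerialNumber)
    $Current | Where-Object { $_.SerialNumber -notin $oldSerials } | ForEach-Object {
        [pscustomobject]@{ Change = 'new';     Computer = $_.Computer; SerialNumber = $_.SerialNumber }
    }
    $previous | Where-Object { $_.SerialNumber -notin $newSerials } | ForEach-Object {
        [pscustomobject]@{ Change = 'missing'; Computer = $_.Computer; SerialNumber = $_.SerialNumber }
    }
}

$inventory = @(Get-WorkstationInventory -ComputerName (Get-Content .\workstations.txt))
if (Test-Path .\inventory-previous.csv) {
    Compare-Inventory -PreviousCsv .\inventory-previous.csv -Current $inventory | Format-Table -AutoSize
}
$inventory | Export-Csv .\inventory-current.csv -NoTypeInformation
```

Keying the comparison on the BIOS serial number rather than the host name is deliberate: a machine that has been rebuilt or renamed keeps its serial, while an unknown serial is exactly the "machine we did not know was on the network" case an inventory exists to catch.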

Enforcing Security Standards

At DHS, a recently launched IT inventory
project is mapping the agency's network
infrastructure and network architecture,
according to Robert West, director of the
Office of Information Security and chief
information security officer (CISO) for
DHS. Such accounting is key to enforcing
security standards, he says.

The agency's need to share information
with federal, state and local homeland
security and law enforcement organizations
makes designing effective security controls
more challenging. Like other agencies, DHS
must enforce security over communications
between inherited legacy systems.

The department is currently looking at
migrating to a consolidated infrastructure,
with security controls embedded, to control
information sharing and manage appropriate
filters throughout the department. "Ensuring
the right information gets to the right place
at the right time, while also maintaining
an aggressive security posture, is one
of the biggest challenges faced by the
department," says West.

The department has an aggressive
monitoring capability with the use of
intrusion detection systems (IDS). "We
also put firewalls in place to enforce
policies," West explains, "and every
firewall decision about letting a packet
go through creates an auditable event in
the audit log. It is important that
monitoring programs take advantage of
the audit capabilities of all network
devices and not just depend on IDS."
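West's point that every firewall decision is an auditable event is easy to act on once the log is parsed. The script below is an added example, not part of DHS's monitoring programme: it reads records in the Windows Firewall text-log format, flags a source whose blocked packets touch many distinct ports, and lists allowed connections to sensitive services that came from outside an assumed management subnet. The log lines are constructed sample data; the threshold, the sensitive-port list and the subnet prefix are assumptions for illustration.

```powershell
# Added example, not DHS's monitoring programme: turn firewall decision records
# into review material. The log lines are constructed sample data in the Windows
# Firewall (pfirewall.log) text format; the threshold, sensitive-port list and
# management subnet prefix are assumptions for illustration.

$SampleLog = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2004-03-15 10:22:01 DROP TCP 192.0.2.7 10.1.1.20 51234 21 48 S 1 0 8192 - - - RECEIVE
2004-03-15 10:22:01 DROP TCP 192.0.2.7 10.1.1.20 51235 22 48 S 1 0 8192 - - - RECEIVE
2004-03-15 10:22:02 DROP TCP 192.0.2.7 10.1.1.20 51236 23 48 S 1 0 8192 - - - RECEIVE
2004-03-15 10:22:02 DROP TCP 192.0.2.7 10.1.1.20 51237 80 48 S 1 0 8192 - - - RECEIVE
2004-03-15 10:22:03 DROP TCP 192.0.2.7 10.1.1.20 51238 135 48 S 1 0 8192 - - - RECEIVE
2004-03-15 10:22:03 DROP TCP 192.0.2.7 10.1.1.20 51239 445 48 S 1 0 8192 - - - RECEIVE
2004-03-15 10:23:10 ALLOW TCP 10.1.5.44 10.1.1.20 49152 3389 52 S 1 0 65535 - - - RECEIVE
2004-03-15 10:24:00 ALLOW TCP 10.1.9.3 10.1.1.20 49200 3389 52 S 1 0 65535 - - - RECEIVE
2004-03-15 10:25:12 DROP UDP 10.1.9.3 10.1.1.20 137 137 78 - - - - - - - RECEIVE
'@

$ProbeThreshold   = 5                 # distinct blocked ports from one source
$SensitivePorts   = @(3389, 445, 22)  # services whose allowed connections deserve review
$ManagementSubnet = '10.1.5.'         # assumed admin network prefix (use CIDR matching in production)

function ConvertFrom-FirewallLog {
    param([string]$Text)
    foreach ($line in $Text -split "`r?`n") {
        if ($line -match '^\s*(#|$)') { continue }      # skip header and blank lines
        $f = $line -split '\s+'
        [pscustomobject]@{
            Time     = [datetime]"$($f[0]) $($f[1])"
            Action   = $f[2]
            Protocol = $f[3]
            SrcIp    = $f[4]
            DstIp    = $f[5]
            SrcPort  = if ($f[6] -eq '-') { $null } else { [int]$f[6] }
            DstPort  = if ($f[7] -eq '-') { $null } else { [int]$f[7] }
            Path     = $f[-1]
        }
    }
}

function Find-PortProbes {
    # One source whose blocked inbound packets touch many distinct ports looks like a probe.
    param([object[]]$Events, [int]$Threshold = $ProbeThreshold)
    $Events | Where-Object { $_.Action -eq 'DROP' -and $_.Path -eq 'RECEIVE' } |
        Group-Object SrcIp | ForEach-Object {
            $ports = @($_.Group.DstPort | Sort-Object -Unique)
            if ($ports.Count -ge $Threshold) {
                [pscustomobject]@{ Finding = 'port probe'; Source = $_.Name; DistinctPorts = $ports.Count; Ports = ($ports -join ',') }
            }
        }
}

function Find-SensitiveAllows {
    # Allowed inbound connections to sensitive services from outside the management subnet.
    param([object[]]$Events)
    $Events | Where-Object {
        $_.Action -eq 'ALLOW' -and $_.Path -eq 'RECEIVE' -and
        $_.DstPort -in $SensitivePorts -and -not $_.SrcIp.StartsWith($ManagementSubnet)
    } | ForEach-Object {
        [pscustomobject]@{ Finding = 'sensitive port allowed'; Source = $_.SrcIp; Target = "$($_.DstIp):$($_.DstPort)"; Time = $_.Time }
    }
}

$events = @(ConvertFrom-FirewallLog -Text $SampleLog)
Find-PortProbes -Events $events | Format-Table -AutoSize        # flags 192.0.2.7 (6 distinct ports)
Find-SensitiveAllows -Events $events | Format-Table -AutoSize   # flags 10.1.9.3 -> 10.1.1.20:3389
# For a real log: ConvertFrom-FirewallLog -Text (Get-Content "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log" -Raw)
```

The second check is the one West's remark argues for: an IDS signature fires on packets it recognises as hostile, whereas a permitted remote-desktop connection from an unexpected network never looks hostile and only shows up when the ALLOW decisions themselves are reviewed.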

Fine-tuning IDS signatures can also
help minimize false positives on an IDS, as
can writing custom signatures to scan for
specific types of threats faced by an
organization, West explains. When an
exploit is discovered, filtering tools can
help security analysts focus on packets that
could potentially target critical systems.

However, IDS alerts seldom provide
the first indication of malicious activity.
Typically, it's a user who notices something
wrong with their workstation and calls the
incident response desk.

DHS has been working with a
software developer to create a front-end
"digital dashboard" assessment tool that
automates the process of complying
with federal security requirements, West
reports. Instead of trying to centrally
manage its 180,000 to 200,000
employees, DHS staff will use the tool
to look below the department level and
evaluate if organizational elements
within the department are meeting
federal security standards and are
complying with department policies.

"We are a large federal department,"
says West. "We need to make sure we have
the metrics to look at how well a portion
of our programs is responding to the
requirements of the department, and
aggregate it to make sure that we are
meeting our primary mission."


1. Help managers understand that security is a business
imperative—not an add-on or afterthought.

2. Make security considerations a priority at the beginning of any
application system design cycle.

3. Factor the cost of meeting security requirements into the total
cost of doing business. Adjust budgets accordingly.

4. Embed the IT security team in business units to include security as
part of business operations.

5. Involve security managers in service units such as the network
operation center, computer operation center and database
management teams.

6. Include the principles and practice of security in the
communications training program for all employees.

Source: U.S. Postal Service


Federal agency security managers aren't developing best practices
and guidelines from scratch, thanks to resources from several
reliable providers.

Many federal security managers base their certification and
assessment policies on guidelines developed by the National Institute
of Standards and Technology. The NIST Computer Security Resource
Center provides up-to-date research on cryptographic standards and
applications, security testing, emerging technologies and security
management guidance.

The National Information Assurance Education and Training
Program, a partnership of NIST and the National Security Agency,
also helps federal agencies vet software for possible security flaws
and develop training standards. Best practices for federal security
systems can also be found at the federal Chief Information Officers
Council.
The CERT Coordination Center (CERT/CC), formed
by the Defense Advanced Research Projects Agency in 1988, is the
premier computer security incident response team. Now run by the
Software Engineering Institute at Carnegie Mellon University,
CERT/CC is the major reporting center for Internet security problems.
It provides technical advice, coordinates responses to security
compromises, identifies trends in intruder activity, analyzes product
vulnerabilities, and works with security experts to identify solutions
and disseminate security information.

CERT/CC recently announced a new partnership with the
Department of Homeland Security's National Cyber Security Division
(NCSD). The effort, known as US-CERT, has created
a national Internet security response system that issues Technical
Cyber Security Alerts. US-CERT alerts not only include information
from the well-regarded CERT Advisories,
but also integrate additional security information contributed by
public and private sector organizations.

The SANS Institute (SysAdmin, Audit, Network, Security)
is another trusted source for information on security
training and certification. It maintains a large collection of security
research documents and operates its own Internet early warning
system, the Internet Storm Center. SANS also
publishes the weekly vulnerability digest @RISK
and the weekly news digest NewsBites.