Fortifying the Network

The anguished howl that
arose following the
September 11 attacks
was visceral, loud and its
meaning was clear: We
need better control of our
airports, our border
crossings, our seaports. Not all vulnerable
points of entry are physical, however.
Government computer networks—once
closed systems protected by their isolation
within secure buildings—now have a global
reach via remote access technologies, such
as virtual private networks (VPNs), Web
services and e-mail. These technologies
promote greater communication and
collaboration, but also make government
networks a prime corridor for cyber attacks.

Having recognized the problem, the
Department of Homeland Security (DHS)
and all federal agencies are seeking ways to
harden their networks against such attacks.
In June, DHS launched a salvo against such
incursions by creating the National Cyber
Security Division (NCSD) within the
department's Information Analysis and
Infrastructure Protection Directorate.

"In the past, most of the cyber security
efforts were Band-Aids," says Joseph
Broghamer, DHS director of identity and
credentialing, who works with the NCSD.
Federal agencies must completely overhaul
their cyber security structures, he states.
Broghamer is developing an enterprise
security model at DHS aimed at improving
digital authentication and authorization
while maintaining easy access for users.
The model will protect agency systems at
all levels, including Web sites, any new
internal applications, legacy systems, e-mail
servers and VPNs. The DHS model will
likely serve as a starting point for many
federal agencies, which are under the
gun to implement stronger security. In
December, a House subcommittee
issued report cards on agencies'

cyber security efforts, flunking
eight of the 24 agencies. Overall,
14 agencies earned less than a C.

Taking the First Step

The first action that agency
security managers should take,
Broghamer says, is to create a
certificate authority for public
key infrastructure (PKI). But
creating the certificate authority, a
trusted source for authentication, is
no easy task, he warns. The certificate
authority infrastructure, which requires
all users to definitively identify themselves
in some way, "has been an administration
nightmare" for some agencies, says Willy
Leichter, director of enterprise product
marketing at IT security specialist Secure
Computing Corp. One notable exception is
the Department of Defense, he says. The
DOD's hierarchical structure and its rigorous
identification policies can be translated
relatively easily into certificate authority
procedures.

While acknowledging the IT challenges,
Broghamer points out that most agencies
already have an off-line authority that
issues identification badges for physical
access to their facilities. "In many cases, the
same workflow and structure can be
applied to a certificate authority," he says.

A comprehensive cyber security strategy
should mimic the human immune system,
says Dan Mehan, CIO at the Federal
Aviation Administration (FAA). When the
FAA's cyber security structure is complete,
the agency's network architecture, which he
calls "the android," will have five layers of
protection "for targeting, isolating and
destroying infections."

The top-most layer of cyber security
must be a certification and authorization
program, which uses PKI technology,
Mehan says. During the next two years, he
will impose a policy requiring certification
of all new applications by an authorized
person or group at the FAA. The PKI-enabled digital signature will let users load
the application with confidence.

Second-layer cyber security includes
access control, using such tools as biometric
technologies, smart cards or tokens. The other
three layers are: confidentiality, provided by
encryption; integrity, using analytic toolsets;
and availability, ensured by redundancy.

As the FAA uses more than 40,000 IT
devices, Mehan acknowledges that his job
won't be an easy one, especially as different
facilities have different architectures. "We'll
have to find ways to fit the security layers
with the technology fingerprint of each
facility," he says.

Finding a way to certify the security
strength of hundreds of legacy systems will
present another challenge. Mehan says he'll
handle it by taking "a rifle shot rather than
a shotgun approach." He says that he will
prioritize projects and harden security of
the legacy systems based on how critical
they are and their level of exposure.
Systems that can be accessed via VPN will
likely take precedence over systems that do
not provide remote access or that do not
extend beyond the agency's firewall.

E-mail Flak Attack

Until very recently, most agencies' IT
security operations have focused on
Web services and databases. Now an
increasing number of agencies are
reviewing their e-mail systems as
a second-tier security concern.

"Agencies are discovering
that they face a number of
threats specific to e-mail, and
that those threats can be
extremely dangerous," says Paul
Judge, the CTO of secure e-mail
gateway maker Cipher Trust.

According to Judge, e-mail can
be vulnerable to five classes of
threats:

Spam: Although many agencies see
spam as more of a nuisance than a serious
threat, Judge says the problem is so critical
that it threatens agencies' operations. On
average, 70 percent of incoming e-mail to
agencies is spam; a year ago, the average
spam rate was 40 percent. "The amount of
spam we're seeing today can easily take
down a server or overwhelm a support
desk," Judge points out. Some agencies are
reluctant to install strong spam blockers
because of the potential for false positives,
but new technology reduces the rate of false
positives to a fraction of 1 percent, he says.

Viruses and worms: Three or four
years ago, 80 percent of viruses and worms
came in through removable magnetic
media, Judge says. Today 93 percent
intrude via e-mail. Though conventional
signature-based antivirus software helps
filter malicious code, there can be up to an
eight-hour delay between the time a new
virus appears and the time the signature is
downloaded to all PCs. This delay creates
what can be a dangerous security breach.
New behavioral- and anomaly-based tools
can detect emergent viruses based on such
parameters as content, number of similar
messages received across the entire system
and types of attachments.

Malicious intruders: Until recently,
nearly all intruder-prevention tools focused
on protecting the Web server often ignoring
e-mail crossing the firewall. At best, an
intruder into an e-mail server might not
have access to back-end systems, but were
an intruder to access even a few minutes'
exchange of sensitive e-mail, agencies'
security could be seriously compromised.
Via a compromised server, e-mail hackers
can send apparently trusted messages to
business partners. Judge strongly advocates
including e-mail server protection as part of
a firewall strategy.

Policy violations: Federal agencies must
comply with privacy legislation, and
virtually all agencies have internal policies
regarding e-mail. Agencies are concerned
about the transmission of confidential
documents via e-mail, inappropriate
message content (such as sexually harassing
e-mails), and even sagging productivity
resulting from excessive personal e-mail
activity. E-mail policy management tools
flag for review any messages that contain
project titles, sexually explicit language or
several other suspicious characteristics.

E-mail interceptors: Whenever e-mail is
sent in plain text, as most of it is, there's a
risk of interception. Until recently, agencies
had two choices: Encrypt everything, or
encrypt nothing at the agency level and let
users handle encryption. The first option
takes a heavy toll on resources; the second
inevitably results in uneven application of
encryption policy.

Judge suggests using rules-based
encryption tools, which automatically
encrypt messages that meet criteria such as
containing certain kinds of attachments.

Whether their concern is e-mail, Web
services or databases, IT security managers
are taking an increasingly proactive approach
to protecting government networks, Judge
says. The issue is not response to a disaster,
but prevention of one. "In the past, we'd wait
for the code to be written, for applications to
be distributed and, sometimes, for the break-ins to happen," Broghamer says. "In the new
security environment, we have to anticipate
problems and build tools to protect against
them before delivery of the system."