Patrick Howard of the Nuclear Regulatory Commission says agencies should take a top-down approach to risk.

Feb 10 2012

Network Security: More Than a Technology Challenge

High-profile worm attacks may be behind us, but today’s sophisticated cyberthreats require fresh approaches to network security.

They had names like ILOVEYOU, CODE RED and MYDOOM, and they may have represented a more innocent (though no less destructive) era of network insecurity. In the late 1990s and early 2000s, such computer worms spread fast, exploited unpatched holes in major operating systems and earned spots on the evening news. But network threats have evolved — especially threats to government networks.

“The biggest threat comes from overseas hackers, assumed to be government-sponsored in some cases, who maintain automated systems that scan and attempt to break into government networks nearly 24 hours per day,” explains Shawn ­McCarthy, director of research for IDC Government Insights. “These hackers also target sites that are visited by government employees, including news organizations, reference resources, search engines, associ­ations and more. By compromising those sites, they hope to be able to occasionally compromise a site visitor.”

At the same time, government networks themselves have evolved to accommodate an increasingly mobile workforce. “The way information moves across networks has changed,” says Simon ­Szykman, CIO of the Commerce Department. “The idea of being able to put high walls around all your information isn’t as meaningful as it might have been in the past.”

How should agencies adopt a more effective network security posture? By adopting fresh practices.

Assess Risk — and Manage It Accordingly

“We can’t protect everything, so we have to make distinctions about what is most critical and what is most sensitive,” says Patrick Howard, chief information security officer for the Nuclear Regulatory Commission.

Over the years, agencies have built network systems to support everything from internal business processes to public-­facing services. Some are at higher security risk than others, and knowing which is which helps an agency focus its security resources.

“We’re taking a top-down view of risk,” Howard says. “We’re not allowing low-level system owners to say, ‘I want my system to be high [priority] because I want to keep it operating 99.999 percent of the time.’ We’re providing a risk context for all our systems agencywide and coming up with some definitions for what’s allowable, what ‘catastrophic’ means, and what’s serious risk.”

Howard says agencies need to look at where their IT security dollars are going and decide which areas are most and least important. Ultimately, the analysis could mean turning off systems or eliminating processes. “Those are difficult choices to make,” he says.

Reduce Complexity

The average amount of 2012 IT budgets that federal agencies have earmarked for security solutions, according to research firm IDC, significantly lagging behind most industries. IDC believes 19% is realistic for most organizations.

SOURCE: “Perspective: Benchmarking FY12 U.S. Federal Government IT Security Spending by Agency” (IDC, October 2011)

The practice known as “defense in depth” has long been considered a viable way of slowing network attacks by layering security controls on top of security controls. But it can also have an adverse effect on government networks.

“It’s very easy to waste a lot of money on defense in depth,” says Tony Sager, chief operating officer for the Information Assurance Directorate at the National Security Agency. “It’s not that I don’t love depth. We need multiple layers of defense. However, it’s become kind of a crutch.”

Sager says that if an agency does not have a model or framework for why it wants to add more security layers, most of the time the agency is just adding cost and complexity. And if the security technology becomes too cumbersome, people won’t use it. “There’s no more clever attacker than your own users,” he says. “If you make security too unwieldy for them, they’ll just figure out a way around the defenses.”

Automate Security Where Possible

“The problem with too much complexity is that it introduces configuration management issues, which introduces the human element,” the NRC’s Howard says. “For a long time, we’ve relied on system administrators to submit reports saying their systems are in security compliance. They may think they are, but maybe they haven’t patched a system in the last 10 days, or they’re running an out-of-date version of software.”

Agencies need tools that can automatically ingest information from their various IT systems and network defenses, compare it against a compliance framework, then automatically fix vulnerabilities as they appear, whether they’re unpatched systems, incorrect registry settings or other security holes.

Sager says NSA and others are heavily involved with the National Institute of Standards and Technology’s Security Content Automation Protocol (SCAP) project. The goal of SCAP is to develop interoperable specifications for automating vulnerability management and ensuring compliance with relevant security requirements, such as the Federal Information Security Management Act (FISMA).


Automated tools and information sharing may greatly improve agencies’ security posture, but they can be difficult to implement across multiple platforms. At the Commerce Department, Szykman has made it a priority to standardize software where possible. For example, Commerce recently standardized on a single antivirus platform departmentwide.

“In this resource-constrained environment, standardizing on a smaller number of tools can help reduce costs,” Szykman says. “When you buy licenses in larger quantities, you can save money and invest in other areas, including security. Standardization also helps with integrating information from separate organizations so you can better aggregate the information and get a broader picture.”

Take a Holistic Approach

And even that’s not enough when it comes to today’s network security. “Automation and continuous monitoring are important,” Szykman says, “but you can’t only rely on automated systems. You need to look at your analytical capabilities, your skills and training, and your professional certifications. And you certainly need end-user awareness that security is a priority.”

White Paper @
Read more in the CDW•G Network Security Reference Guide:

The Commerce Department has implemented policies that require certifications for people in certain IT security roles. The department also started a cybersecurity development program for its internal security staff so that it can grow its own skill sets rather than always bringing in outside expertise.

“It’s an arms race,” Szykman says. “The off-the-shelf technologies are good, but even as they get better, the adversaries are also getting bett

<p>Nicholas McIntosh</p>

aaa 1