They had names like ILOVEYOU, CODE RED and MYDOOM, and they may have represented a more innocent (though no less destructive) era of network insecurity. In the late 1990s and early 2000s, such computer worms spread fast, exploited unpatched holes in major operating systems and earned spots on the evening news. But network threats have evolved — especially threats to government networks.
"The biggest threat comes from overseas hackers, assumed to be government-sponsored in some cases, who maintain automated systems that scan and attempt to break into government networks nearly 24 hours per day," explains Shawn McCarthy, director of research for IDC Government Insights. "These hackers also target sites that are visited by government employees, including news organizations, reference resources, search engines, associations and more. By compromising those sites, they hope to be able to occasionally compromise a site visitor."
At the same time, government networks themselves have evolved to accommodate an increasingly mobile workforce. "The way information moves across networks has changed," says Simon Szykman, CIO of the Commerce Department. "The idea of being able to put high walls around all your information isn't as meaningful as it might have been in the past."
How can agencies achieve a more effective network security posture? By adopting fresh practices.
"We can't protect everything, so we have to make distinctions about what is most critical and what is most sensitive," says Patrick Howard, chief information security officer for the Nuclear Regulatory Commission.
Over the years, agencies have built network systems to support everything from internal business processes to public-facing services. Some are at higher security risk than others, and knowing which is which helps an agency focus its security resources.
"We're taking a top-down view of risk," Howard says. "We're not allowing low-level system owners to say, 'I want my system to be high [priority] because I want to keep it operating 99.999 percent of the time.' We're providing a risk context for all our systems agencywide and coming up with some definitions for what's allowable, what 'catastrophic' means, and what's serious risk."
Howard says agencies need to look at where their IT security dollars are going and decide which areas are most and least important. Ultimately, the analysis could mean turning off systems or eliminating processes. "Those are difficult choices to make," he says.
8%: The average share of 2012 IT budgets that federal agencies have earmarked for security solutions, according to research firm IDC, significantly lagging behind most industries. IDC believes 19% is realistic for most organizations.
SOURCE: "Perspective: Benchmarking FY12 U.S. Federal Government IT Security Spending by Agency" (IDC, October 2011)
The practice known as "defense in depth" has long been considered a viable way of slowing network attacks by layering security controls on top of security controls. But it can also have an adverse effect on government networks.
"It's very easy to waste a lot of money on defense in depth," says Tony Sager, chief operating officer for the Information Assurance Directorate at the National Security Agency. "It's not that I don't love depth. We need multiple layers of defense. However, it's become kind of a crutch."
Sager says that if an agency does not have a model or framework for why it wants to add more security layers, most of the time the agency is just adding cost and complexity. And if the security technology becomes too cumbersome, people won't use it. "There's no more clever attacker than your own users," he says. "If you make security too unwieldy for them, they'll just figure out a way around the defenses."
"The problem with too much complexity is that it introduces configuration management issues, which introduces the human element," the NRC's Howard says. "For a long time, we've relied on system administrators to submit reports saying their systems are in security compliance. They may think they are, but maybe they haven't patched a system in the last 10 days, or they're running an out-of-date version of software."
Agencies need tools that can automatically ingest information from their various IT systems and network defenses, compare it against a compliance framework, then automatically fix vulnerabilities as they appear, whether they're unpatched systems, incorrect registry settings or other security holes.
Sager says NSA and others are heavily involved with the National Institute of Standards and Technology's Security Content Automation Protocol (SCAP) project. The goal of SCAP is to develop interoperable specifications for automating vulnerability management and ensuring compliance with relevant security requirements, such as the Federal Information Security Management Act (FISMA).
Automated tools and information sharing may greatly improve agencies' security posture, but they can be difficult to implement across multiple platforms. At the Commerce Department, Szykman has made it a priority to standardize software where possible. For example, Commerce recently standardized on a single antivirus platform departmentwide.
"In this resource-constrained environment, standardizing on a smaller number of tools can help reduce costs," Szykman says. "When you buy licenses in larger quantities, you can save money and invest in other areas, including security. Standardization also helps with integrating information from separate organizations so you can better aggregate the information and get a broader picture."
And even that's not enough when it comes to today's network security. "Automation and continuous monitoring are important," Szykman says, "but you can't only rely on automated systems. You need to look at your analytical capabilities, your skills and training, and your professional certifications. And you certainly need end-user awareness that security is a priority."
The Commerce Department has implemented policies that require certifications for people in certain IT security roles. The department also started a cybersecurity development program for its internal security staff so that it can grow its own skill sets rather than always bringing in outside expertise.
"It's an arms race," Szykman says. "The off-the-shelf technologies are good, but even as they get better, the adversaries are also getting bett
Defending a network is a serious challenge, but agencies can help themselves by helping others. Sharing information about cyberthreats and effective defenses can bolster the security of all the parties involved.
"If a bad thing is happening to you right now, the same thing — or something just like it — happened to somebody else yesterday," says Tony Sager, chief operating officer for the Information Assurance Directorate at the National Security Agency. "You'd like to be learning from those occasions."
As threats evolve and networks change, agencies need to move from a technology focus on security to an information focus. "If I learn that an adversary now knows how to exploit a piece of technology, I want to know how many of those I have installed," Sager says. "Where are they? How are they configured? I want to know all that right now so I can assess how much I should care about that particular threat."
So although it's still important to install good firewalls and intrusion detection systems, it's becoming more important that those firewalls generate actionable information so agencies can learn from each other's experience. "We still buy components," Sager says, "but in the future, we can't afford to buy individual tools. They have to be seen as part of a system of information management."