6 ways to survive major Internet attacks
Facing the difficult task of securing systems, experts offer their advice
Given the increasing importance of the data stored on agency computer networks, perhaps one of the most important chapters in Federal Computer Week's Survivors Guide is on securing those networks.
We decided to go to the experts. FCW editors recently met with seven information technology security officials from government and industry to discuss what they are doing to help their agencies and customers secure their networks.
Those experts said they are focused on the most cost-effective ways to protect government and business data. Creating a mindset of risk management for dealing with IT security threats is challenging, they said. Their attention is increasingly on what they call endpoint security, which is finding ways to make desktop PCs, laptop computers and handheld devices more secure. Software configuration standards and firewalls that can be configured remotely are a few of the tools and techniques they find useful.
In addition, hiring trustworthy and competent IT security employees is an ongoing challenge, they said. Finally, they discussed some promising next-generation security technologies.
FCW's Rutrell Yasin, technology editor, and Florence Olsen, associate editor, acted as moderators of the roundtable discussion.
The participants were:
- Kenneth Ammon, president of MCI NetSec Global Security Services, an MCI company.
- Bob Dix, executive vice president of government affairs and corporate development at Citadel Security Software.
- Edward Giorgio, a principal and senior systems engineer at Booz Allen Hamilton.
- Dennis Heretick, the Justice Department's chief information security officer.
- Donald "Andy" Purdy, acting director of the Homeland Security Department's National Cyber Security Division.
- Edward Schwartz, a senior architect at NetForensics.
- David Thomason, Sourcefire's director of security engineering.
The roundtable members suggested six ways to avoid disruptive network attacks.
Define the problem
The seven security experts disagreed about the best way to survive threats to information security from Internet attacks. Heretick suggested that the question should be phrased differently. "We often get asked that question, and in a way, it's a bad question," he said.
The best defense is a deep defense, Heretick said. People frequently fall into the trap of focusing entirely on one security measure and overlooking other needs, he said. "If it's something that's really eating our lunch, we over-focus on it, and then we lose in other areas."
Heretick recommended having at least five layers of defense, consisting of policies, procedures and technologies, to survive network attacks. Firewalls, intrusion-detection systems and encryption are some examples of protective technologies that agencies use today.
Schwartz agreed that an in-depth defense is important. But he said situational awareness ranked as his highest priority for defending networks. Real-time situational awareness means being able to identify immediate threats and "the avenues of attack those threats may take," he said, adding that most agencies lack that awareness.
Dix said agencies and companies should put more resources into surviving Internet attacks. He said the problem is "a lack of investment in protecting the infrastructure, which we are seeing manifested time and time again in data compromises that are reported routinely."
Dix said the solution is leadership and vision at the highest levels within the federal government. "I would argue, for example, that the federal CIO needs to be empowered, as was intended under Clinger-Cohen," the 1996 law that created the CIO positions to manage IT at federal agencies.
Giorgio said his greatest concern about network attacks is finding the right people to handle daily network security operations. "It's critical that you have key people with the right experience and background," he said.
"There's no magic bullet," he added. "It doesn't come because we buy nice software and put it in our budget and have a nice appliance somewhere. It's got to be through the use of people. They have to be well-trained."
Purdy said DHS focuses on risk management to address cyberthreats. "Risk management covers many of the issues," he said. "A key element of that for us is building a national cyber response system, but it's also the national infrastructure protection plan." Both projects are major security initiatives.
"You'll see a greater effort as we work with the private sector to identify metrics for use by government and the private sector so we can see [ask], 'How are we doing? Where do we stand?'" Purdy said. "To have a standard for cybersecurity preparedness is going to help us focus on who needs to do what and where are we going to get the resources."
Ammon said he views the solution to network attacks from a carrier's perspective. "We found that being able to stop attacks at the point where they enter the Internet, as opposed to when they come into a customer's network, is a critical element of next-generation security," he said.
For Thomason, the best way to address threats to information stored on agency computer networks can be summed up by the word "intelligence."
"If we can gather intelligence and understand what our network looks like, then we can do a much better job of protecting it," he said. "So today, I'd say the greatest risk is not having intelligence. It's not knowing what we have to defend."
Consolidate standards and purchasing power
According to the Office of Management and Budget, billions of taxpayer dollars are wasted annually on IT security because agencies buy their own IT products and services.
By consolidating those purchases through a central authority, OMB officials say the government could dramatically reduce spending.
Purdy said OMB's new policy of using the government's purchasing power to acquire affordable security products and services could greatly help secure federal data and computer systems.
By encouraging standardization, OMB's policy might also help agencies improve situational awareness, Schwartz added. That will help agencies know which of their information assets are most important and what sources are threatening those assets.
"The degree to which we can come up with common standards for sharing threat- and vulnerability-related information across federal agencies would achieve a lot of goals," he said.
Private-sector chief information officers rely on standardization, Giorgio said. "If their job is to look across all the business units in their company and drive costs out of the business, then they also want to establish security standards to make sure separate business units don't do things differently," he said.
OMB's policy of consolidation and standardization, which DHS supports, is not about identifying a particular product or service that all federal agencies should use, Dix said. Rather, it ensures that 24 agencies aren't buying the same tool for 24 different prices if they all agree that the tool is useful.
The policy's other benefit is that it brings together experts from many agencies, Purdy said.
"It's not just OMB and DHS having a few people sitting down and dictating policy across federal agencies," he said. "It's the setting up of the task forces, with representatives from the agencies, to bring the security brainpower together so we can get greater efficiency and effectiveness."
Although a centralized approach to IT security is useful, the policy should accommodate differences, Giorgio said.
Schwartz agreed, noting the significant variances among federal agencies in terms of size, their IT organizations' maturity and their readiness to use certain technologies. OMB's policy has good and bad aspects, he said, adding, "The key is to focus on those things that can create some short-term wins, that don't stifle innovation and that improve the security of organizations."
Despite many federal laws, regulations, requirements and guidelines for managing IT security, agency officials are not as concerned about security threats as experts think they should be. The bad guys are getting smarter every day. And people want their personal information, much of which the government collects, to be protected, Dix said.
"There needs to be consistent leadership and resources allocated to protecting networks and desktop [PCs] from the bad guys," he said.
Many people, including some government officials, have the attitude that because no cyber event has caused a loss of life, IT security doesn't need to be a high priority, Dix said. But the possibility of such an event is growing, he added. One challenge for agencies is analyzing risk to know where to spend their IT dollars, he said, adding that agencies need a risk management mind-set for managing security.
Businesses must operate within a similar risk management culture, Dix added, noting that private businesses own 85 percent to 90 percent of the nation's critical infrastructure, including the computerized control systems for oil pipelines, electrical power grids, water treatment plants and other important facilities.
Giorgio said businesses weigh the importance of cybersecurity risks relative to other risks. Banks, for example, face the risk of fraud and the threat of hackers penetrating their networks. But those haven't been the greatest risks, he said.
"When the NASDAQ dropped, businesses lost how many trillions of dollars?" Giorgio asked. "Money evaporated overnight." Compared with an estimated $1 billion lost last year because of IT security breaches, he said, "from a banker's perspective, that's three layers of magnitude less."
In general, businesses are good at managing risk, Giorgio said. But IT security isn't a top priority.
Thomason said that as liability concerns grow, companies will make IT security a higher priority. "Once the whole liability issue starts bubbling up and somebody is found to be negligent, then the attitude in the corporate boardroom is going to change," he said.
In federal agencies, CIOs need the responsibility and authority to create an agency culture in which security risks are manageable, Dix said. "There needs to be a seat at the board of directors of these agencies for the CIO, along with the chief financial officer and the other chief executive officers," he said. But most agencies haven't given CIOs that authority, he added.
At DHS, Secretary Michael Chertoff has adopted a risk management approach to threats, Purdy said. "Secretary Chertoff is focusing on risk, which is a combination of threat, vulnerability and consequence," Purdy said. "We're trying to make sure that we understand what are our most important assets, what are the vulnerabilities, how do we assess what the risk is and then prioritize the protective measures that need to be taken to help mitigate that risk."
Creating a comprehensive security program can drive security officials crazy because of the difficulty of trying to satisfy diverse security needs with rapidly evolving security products. Most agencies are hesitant to invest heavily in every kind of IT security product for that reason, Dix said. But they can gain much by standardizing configuration settings on laptop and desktop PCs, he said.
Purdy said he agreed that reducing the number of software configurations allows agencies to install security patches with more confidence, and they can affordably pretest patches against a smaller set of configurations.
"Configuration management is going to be very important," Purdy said. Without configuration standards, applying software security patches becomes too costly, so that people don't patch their systems or they patch them too late.
"If a laptop is misconfigured or doesn't have the right security software, the next step should be to deny network access to that laptop until it meets the standard," Schwartz said.
Enforcing safe software configurations is especially critical on mobile devices that use wireless connections to access agency networks, Heretick said. With good configuration management practices, agencies can provide centrally managed security and still protect handheld and mobile devices, he said.
"We've grown up in an environment where we wanted maximum flexibility and network availability, and that is very important to the mission," Heretick said. "The challenge now is not to take all of that away but to secure it."
Heretick said protecting national security will increasingly depend on how easy it is to make network and computer systems secure while maintaining high levels of computer and network service.
Giorgio described configuration management, especially for routers, as a high priority for agencies and businesses. "It can be extremely complex to orchestrate 1,000 routers in a large organization, and it takes an awful lot of expertise to figure out how to do that correctly," he said.
Configuration management will increasingly come to be seen as the most critical activity for managing IT security, Giorgio said.
Better people mean more secure networks
The shortage of trustworthy people with IT security skills is a chronic problem that is unlikely to ever disappear. But members of the FCW roundtable suggested several ways to address the deficit.
Giorgio said universities are doing more to fill the gap in IT security skills than they were several years ago. But more could be done. "As a country, we're not training enough engineers and computer scientists and technical folks who can actually go in and do this work," he said. "Getting people with the right technical background to do the work has been the biggest need of all."
Schwartz faulted colleges and universities for offering curriculums in computer science and IT that leave out IT security as an interdisciplinary field of study. With IT security moving to the network, he said, it is a core competency of network engineers and administrators.
Database and software application developers also need IT security skills. "We have to embed security into those fields more effectively," Schwartz said.
DHS is interested in the skills of federal agencies' IT security professionals, Purdy said. A problem, however, is that DHS cannot accurately measure the skills gap because different agencies use different titles and job descriptions.
"If we can have particular job descriptions and titles common across the federal agencies, we'll have the ability to tell if we do have shortcomings," Purdy said. DHS is working on such a survey now, he added.
The trustworthiness of insiders is another growing concern. "The insider threat should help drive some real advancements," Purdy said, especially in physical and electronic authentication technologies. "You need to keep track of who's doing what and control your escalation of IT privileges," he said.
Ammon said agencies could partially address their gaps in IT security knowledge by shifting some of the responsibility for security to IT service companies. In the airline business, for example, companies don't buy jet engines. They buy service-level agreements for those engines. If an engine breaks down, the airline company receives credits that it can spend in the future.
"As the industry evolves, you'll see more shifting of the IT security risk to providers," Ammon said.
Automating security, to the greatest extent possible, will help agencies close some of those skill gaps, Thomason added. "We need systems that take the man out of the loop in many of these processes," he said.
Identify problems early and react fast
The most common approach to computer and network security is to wait for an attack and then go after it. But agencies and businesses do not need to wait, Ammon said. "There is a huge opportunity to do more on the public infrastructure itself, to be more proactive with embedded security services to get ahead of significant threats," he said.
He said such a proactive approach to IT security threats is similar to DHS' efforts to detect and analyze the significance of security incidents on federal networks, discover the source of malicious activity and respond to a cyber incident of national significance.
"We're going to need automated responses, and we're going to need to have folks ready not only for the kinds of attacks we are seeing now and that we have seen, but also for the attacks that can happen," Purdy said. "We're not in bad shape to handle the kinds of attacks we've seen. It's the more sophisticated kinds of future attacks that we're trying to prepare for."
In a typical attack scenario, Ammon said, large Internet service providers know a big attack is happening because they see the spike in activity and watch it hit customer after customer. Often, he said, ISPs wait for someone to complain about a link that has become saturated.
Now, carriers such as MCI and AT&T can analyze traffic on their backbone networks and sell that service to ISPs. As ISPs become better at detecting attacks before they reach their customers' networks, Ammon said, "they can provide an early warning to users."
A threat alert is useful, Ammon said. But the ability to prevent an attack is even more valuable. "A week and a half ago, [MCI] shut down a 13,000-host botnet with just a keystroke," he said. A botnet refers to a collection of remotely controlled software robots on the Internet that usually are programmed to be disruptive or destructive.
Many IT security officials remain uneasy about the next big one, a large-scale Internet attack that they can't foresee. Their wake-up call came in 2003 from a fast-spreading worm called SQL Slammer, Thomason said. "SQL Slammer was a perfect example of how a single packet that was authorized to go through most firewalls could take down an entire network in relatively zero time and spread across the whole Internet in 10 hours," he said.