Security services to the rescue

As agencies begin to free themselves from the burden of Year 2000 remediation, many will focus on the next big blip on management radar screens: securing federal networks from external and internal threats.

As agencies begin to free themselves from the burden of Year 2000 remediation,

many will focus on the next big blip on management radar screens: securing

federal networks from external and internal threats.

For many agencies, the first step toward operating secure networks is to

invest in security assessment software technology. Such tools, like scanners,

are designed to probe network systems and report on system vulnerabilities.

Although it's a reasonable approach to locating security glitches, there is a problem.

"The products just give you raw data," said Mary Stassie, vice president of secure solutions development at Wang Government Services Inc. "It really is the combination of experience and training and translation that is meaningful

to a customer."

Now, a growing number of security vendors and service providers are lining

up to offer that kind of higher expertise. They are armed with an array of services that span from helping agencies with the basics, such as developing general security policies, to the more complex work of building comprehensive

security solutions.

Rich Baich, security delivery manager for Network Associates Inc.'s federal

practice, said agencies need to identify potential risks to networks even

before any security products, such as intrusion detection and antivirus

software, are put in place.

As part of its service offering, Network Associates begins by examining

an agency's potential physical security risks, such as telephone connections

that may reside in an unlocked location. The firm also reviews an organization's

mission to assess how attractive a target its networks are for hackers,

he said.

"If you're a government agency, you're considered to be on the high level

of possible intrusions," Baich said. "You're automatically considered to

be high risk."

Next, the company can evaluate an agency's security policy and test agency

hardware and software to make sure it conforms with the agency's stated

security policy. Network Associates also can work with agencies to train

employees about conformance to security policies.

"If it's not configured properly, and if it's not configured to conform

to policy, then you're wasting your time," Baich said. "The cherry on top

is giving your people the knowledge, the constant knowledge. If you don't

do that, all it takes is three to four months and you're behind the power

curve."

Robert Cooney, manager of the open systems integration and network technology

department for the national capital region of the Space and Naval Warfare

Systems Command (Spawar), said information assurance soon will replace Year

2000 as a top priority for the agency. Although security assessment tools

provide a critical function, they need to be accompanied by services. The

point was driven home recently to Spawar officials after they ran a scanner

over their networks.

"We got these voluminous reports that went on ad nauseam about the holes,

but it wasn't real good about [outlining] how to fix these things," Cooney

said. "There are literally hundreds of servers in this building. The typical...project

leader wasn't as sophisticated as far as security assessment. It all kind

of fell back to the security experts. They couldn't handle all the work.

You hear this cry from the field, 'What do we do about it?'"

In addition, Cooney said, security assessments should be accompanied by

a return on investment analysis to compare the cost of a fix to the potential

cost of an attack. "You need to do the risk analysis and then an ROI," he

said. "How much is it worth to protect this stuff?"

John Negron, manager of U.S. government sales for Axent Technologies Inc.,

said his firm's security assessment services business has doubled in the

past year, and said network security management is a sound investment for

agencies.

"Management of security on a network is the biggest return on investment

today because the cost of implementing a solution that enables you to validate

that you have a sound security implementation is not much," Negron said.

Many security assessment vendors offer services to help agencies triage

the vulnerabilities often identified by network security scanners. Cisco

Systems Inc. works with agencies to identify the severity of problems and

to plug holes, said Joel McFarland, product line manager in Cisco's security

Internet services group. "We provide a very robust reporting capability...that

says, 'Here's all the problems...here's what you should do about them,'

" McFarland said.

In addition, Cisco provides follow-up services to its clients to identify

emerging new threats that its security team has identified so that agencies

can continually update their security solutions.

Wang Government Services also offers services to accompany its scanner products,

said Mike Kociemba, the firm's manager of secure systems. Before Wang ever

touches a customer's network, the service provider examines an agency's

security requirements and how they translate into policy and procedure.

"The world is moving much more toward risk management," Kociemba said. "It's

no longer feasible to prevent all types of security incidents from happening."

Paul Green, Wang's senior security engineer, added that experienced professionals

are critical to the security equation by analyzing the output from network

scanners, identifying false positives and noting patterns that tools may

not recognize. For example, a scanner may find a hole, but because a security

team has assessed the entire architecture, it would know that a firewall

or some other mechanism would cover the weakness, he said.

Wang also offers a service via its advanced technology lab, which can mimic

an agency's network configuration and test products in an interoperable

environment. This service can eliminate security weaknesses often created

when an agency integrates new technology with legacy systems.

When selecting a vendor for security services, Matthew Kovar, a senior analyst

at The Yankee Group, recommends doing your homework. Most vendors offer

comparably good services, but some are better, for example, at addressing

particular operating system vulnerabilities. When your agency's security

is at stake, you want to make sure to hire the most qualified provider available.

Harreld is a free-lance writer based in Cary, N.C.

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.