As agencies begin to free themselves from the burden of Year 2000 remediation, many will focus on the next big blip on management radar screens: securing federal networks from external and internal threats.
As agencies begin to free themselves from the burden of Year 2000 remediation,
many will focus on the next big blip on management radar screens: securing
federal networks from external and internal threats.
For many agencies, the first step toward operating secure networks is to
invest in security assessment software technology. Such tools, like scanners,
are designed to probe network systems and report on system vulnerabilities.
Although it's a reasonable approach to locating security glitches, there is a problem.
"The products just give you raw data," said Mary Stassie, vice president of secure solutions development at Wang Government Services Inc. "It really is the combination of experience and training and translation that is meaningful
to a customer."
Now, a growing number of security vendors and service providers are lining
up to offer that kind of higher expertise. They are armed with an array of services that span from helping agencies with the basics, such as developing general security policies, to the more complex work of building comprehensive
Rich Baich, security delivery manager for Network Associates Inc.'s federal
practice, said agencies need to identify potential risks to networks even
before any security products, such as intrusion detection and antivirus
software, are put in place.
As part of its service offering, Network Associates begins by examining
an agency's potential physical security risks, such as telephone connections
that may reside in an unlocked location. The firm also reviews an organization's
mission to assess how attractive a target its networks are for hackers,
"If you're a government agency, you're considered to be on the high level
of possible intrusions," Baich said. "You're automatically considered to
be high risk."
Next, the company can evaluate an agency's security policy and test agency
hardware and software to make sure it conforms with the agency's stated
security policy. Network Associates also can work with agencies to train
employees about conformance to security policies.
"If it's not configured properly, and if it's not configured to conform
to policy, then you're wasting your time," Baich said. "The cherry on top
is giving your people the knowledge, the constant knowledge. If you don't
do that, all it takes is three to four months and you're behind the power
Robert Cooney, manager of the open systems integration and network technology
department for the national capital region of the Space and Naval Warfare
Systems Command (Spawar), said information assurance soon will replace Year
2000 as a top priority for the agency. Although security assessment tools
provide a critical function, they need to be accompanied by services. The
point was driven home recently to Spawar officials after they ran a scanner
over their networks.
"We got these voluminous reports that went on ad nauseam about the holes,
but it wasn't real good about [outlining] how to fix these things," Cooney
said. "There are literally hundreds of servers in this building. The typical...project
leader wasn't as sophisticated as far as security assessment. It all kind
of fell back to the security experts. They couldn't handle all the work.
You hear this cry from the field, 'What do we do about it?'"
In addition, Cooney said, security assessments should be accompanied by
a return on investment analysis to compare the cost of a fix to the potential
cost of an attack. "You need to do the risk analysis and then an ROI," he
said. "How much is it worth to protect this stuff?"
John Negron, manager of U.S. government sales for Axent Technologies Inc.,
said his firm's security assessment services business has doubled in the
past year, and said network security management is a sound investment for
"Management of security on a network is the biggest return on investment
today because the cost of implementing a solution that enables you to validate
that you have a sound security implementation is not much," Negron said.
Many security assessment vendors offer services to help agencies triage
the vulnerabilities often identified by network security scanners. Cisco
Systems Inc. works with agencies to identify the severity of problems and
to plug holes, said Joel McFarland, product line manager in Cisco's security
Internet services group. "We provide a very robust reporting capability...that
says, 'Here's all the problems...here's what you should do about them,'
" McFarland said.
In addition, Cisco provides follow-up services to its clients to identify
emerging new threats that its security team has identified so that agencies
can continually update their security solutions.
Wang Government Services also offers services to accompany its scanner products,
said Mike Kociemba, the firm's manager of secure systems. Before Wang ever
touches a customer's network, the service provider examines an agency's
security requirements and how they translate into policy and procedure.
"The world is moving much more toward risk management," Kociemba said. "It's
no longer feasible to prevent all types of security incidents from happening."
Paul Green, Wang's senior security engineer, added that experienced professionals
are critical to the security equation by analyzing the output from network
scanners, identifying false positives and noting patterns that tools may
not recognize. For example, a scanner may find a hole, but because a security
team has assessed the entire architecture, it would know that a firewall
or some other mechanism would cover the weakness, he said.
Wang also offers a service via its advanced technology lab, which can mimic
an agency's network configuration and test products in an interoperable
environment. This service can eliminate security weaknesses often created
when an agency integrates new technology with legacy systems.
When selecting a vendor for security services, Matthew Kovar, a senior analyst
at The Yankee Group, recommends doing your homework. Most vendors offer
comparably good services, but some are better, for example, at addressing
particular operating system vulnerabilities. When your agency's security
is at stake, you want to make sure to hire the most qualified provider available.
Harreld is a free-lance writer based in Cary, N.C.