Fixing a Hole
Network security assessment seems like an ideal target for automation. Given
the complexity of security in the Internet Age, a software program that
identifies potential security threats, internal or external, should be in
high demand. But, as many systems administrators are now finding out, automation
is not as easy as it sounds.
For many agencies, investing in security assessment tools, such as network
scanners, marks the first step toward operating secure networks.
Network scanners are designed to probe networks to uncover technical
vulnerabilities — such as operating system flaws that have not been patched — and policy infractions — such as weak passwords. They also can uncover
a wide variety of other vulnerabilities, such as World Wide Web servers
located outside the firewall perimeter, poorly configured firewalls and
a lack of encryption.
But with the increasing complexity of networks and the growing number of
hacker tools being developed to target them, security assessments often
must expand beyond the tools themselves to include more costly and complex
services that provide agencies with ways to shield their networks from unauthorized
users.
Agencies should be prepared for front-end work, such as supplying vendors
with information on any type of external connection — like a fax server — that may present vulnerabilities, or culling through the reams of scanner
data before fixing network holes.
"The products just give you raw data," said Mary Stassie, vice president
of secure solutions development at Wang Government Services. "It really
is the combination of experience and training and translation that is meaningful
to a customer."
Axent Technologies Inc., like many other security assessment tool vendors,
focuses on the life cycle of security — from scanning new network connections
for vulnerabilities to monitoring security policy adherence.
"What we do in an assessment is identify critical and sensitive systems
that support the mission," said John Negron, Axent's manager of U.S. government
sales. "We look at external and internal connections. Then we actually look
for vulnerabilities...in those critical systems. We look at what security
mechanisms may be in place and how effective they are. It gives you a snapshot
of...what the potential risk is and how to fix it."
David Timpany, network planning manager for the state of Kansas, said
state officials use Cisco Systems Inc.'s scanner combined with intrusion-detection
software to secure the state's network from potential threats.
In addition to scanning the main state network, the scanner has been
used by individual state agencies to ensure that their firewalls are configured
properly and that agency technology practices conform to security policies,
he said.
"We need to have some feel for what is going on at least at those major
boundaries," Timpany said.
Scanners often generate reams and reams of reports outlining potential
vulnerabilities, and agency work often begins when the scanners have completed
their network probes.
"You do get a lot of information," Timpany said. "It isn't a simple
task of turning it on and it telling you what you need to know."
Many security assessment vendors are offering products and services
to help agencies triage the multiple vulnerabilities often identified by
network security scanners. Cisco works with agencies to identify the severity
of each vulnerability and helps them plug the holes, said Joel McFarland,
product line manager in Cisco's security Internet services group.
"We provide a very robust reporting capability...that says, 'Here's
all my problems...here's what you should do about them,' " McFarland said.
"For every vulnerability that the scanner identifies, there's corresponding
dictionary information.... You pull up an HTML page, and it tells you how
to fix the problem."
Wang also offers a variety of services to accompany its commercial and
proprietary scanner products, said Mike Kociemba, the company's manager
of secure systems.
Wang considers network security a subset of information security, which
encompasses many forms of data, including hard copies. Before Wang ever
touches a customer's network, company security teams examine an agency's
security requirements and how they translate into policy and procedure.
"The world is moving much more toward risk management," Kociemba said.
"It's no longer feasible to prevent all types of security incidents from
happening. You are looking at how an organization approaches security."
Paul Green, Wang's senior security engineer, added that experienced professionals
are critical to the security equation because they analyze the output from network
scanners, identify false positives and note patterns that tools may
not recognize.
For example, a scanner may locate a hole, but because the security team
has assessed an agency's entire architecture, it would know that a firewall
or some other mechanism would cover the weakness, he said.
Wang also offers services via its advanced technology lab, which can
mimic an agency's network configuration and test products in an interoperable
environment. This service can be used to eliminate many of the security
weaknesses often created when an agency integrates new technology with legacy
systems.
Although services usually accompany an agency's purchase and use of
commercial scanners, some firms are offering virtual security assessment
services.
Patrick Taylor, vice president of the risk assessment business unit
at Internet Security Systems Inc. (ISS), said the company offers virtual
services, in which scanners physically located at ISS facilities can scan
a customer's network at scheduled times. Customers can access the results
via the Internet, he said.
"It's an entirely virtual process," Taylor said. "No bodies come and
visit to do this. It's just a different way to get the value proposition
of a scanner without owning it."
After wading through the list of vulnerabilities, state and local government
officials often will have to examine the value of any data that may be identified
as being vulnerable to determine how much of an investment to make to plug
network holes, said Joe Christensen, a network security consultant working
with Georgia on security assessment.
"It's an art more than a science," he said. "You look at your network
and you figure out what your risks are. Some sites are below the radar screens.
There are things where if we lose it, it's not going to affect our business.
You're going to put more dollars on critical systems. That's where your
bread and butter is."
For many agencies that have not been the targets of hackers or other
unauthorized users, evaluating the return on investment for security assessment
tools and services may be challenging. However, Axent's Negron said that
network security management provides a healthy return on investment for
agencies.
"Management of security on a network is the biggest ROI today because
the cost of implementing a solution that enables you to validate that you
have a sound security implementation is not much," he said.
"A tool you can sit in one location...and check the security configuration
of your network on a weekly basis...implementing that is not expensive,"
Negron said. "If you can do that, you're probably taking care of a big chunk
of the security problem."
Matthew Kovar, senior analyst at The Yankee Group, said that state
and local government agencies considering purchasing assessment tools and
services may want to research a particular company's history addressing
particular operating system vulnerabilities.
For example, some companies have a well-established history targeting
security vulnerabilities in Microsoft Corp.'s Windows NT, while others specialize
in Unix security.
The market for security services is growing, Kovar said, as the government
steadily loses experienced IT workers to private industry.
"A lot of organizations don't have...a closely knit group of folks that
understand all the systems," Kovar said. "It's a fairly unique set of skills
that you need to have. If you think that it's crucial to your organization
to have zero tolerance [for security problems] you probably want to train,
retain and pay up to hire the people internally. At the same time, you may
want to pay up and have some company validate your work."
— Heather Harreld is a free-lance writer based in Cary, N.C.