Fixing a Hole

Network security assessment seems like an ideal target for automation. Given the complexity of security in the Internet Age, a software program that identifies potential security threats, internal or external, should be in high demand. But, as many systems administrators are now finding out, automation is not as easy as it sounds.

For many agencies, investing in security assessment tools, such as network scanners, marks the first step toward operating secure networks.

Network scanners are designed to probe networks to uncover technical vulnerabilities — such as operating system flaws that have not been patched — and policy infractions — such as weak passwords. They also can uncover a wide variety of other vulnerabilities, such as World Wide Web servers located outside the firewall perimeter, poorly configured firewalls and a lack of encryption.

But with the increasing complexity of networks and the growing number of hacker tools being developed to target them, security assessments often must expand beyond the tools themselves to include more costly and complex services that provide agencies with ways to shield their networks from unauthorized users.

Agencies should be prepared for front-end work, such as supplying vendors with information on any type of external connection — like a fax server — that may present vulnerabilities, or culling through the reams of scanner data before fixing network holes.

"The products just give you raw data," said Mary Stassie, vice president of secure solutions development at Wang Government Services. "It really is the combination of experience and training and translation that is meaningful to a customer."

Axent Technologies Inc., like many other security assessment tool vendors, focuses on the life cycle of security — from scanning new network connections for vulnerabilities to monitoring security policy adherence.

"What we do in an assessment is identify critical and sensitive systems that support the mission," said John Negron, Axent's manager of U.S. government sales. "We look at external and internal connections. Then we actually look for vulnerabilities...in those critical systems. We look at what security mechanisms may be in place and how effective they are. It gives you a snapshot of...what the potential risk is and how to fix it."

David Timpany, network planning manager for the state of Kansas, said state officials use Cisco Systems Inc.'s scanner combined with intrusion-detection software to secure the state's network from potential threats.

In addition to scanning the main state network, the scanner has been used by individual state agencies to ensure that their firewalls are configured properly and that agency technology practices conform to security policies, he said.

"We need to have some feel for what is going on at least at those major boundaries," Timpany said.

Scanners often generate reams and reams of reports outlining potential vulnerabilities, and agency work often begins when the scanners have completed their network probes.

"You do get a lot of information," Timpany said. "It isn't a simple task of turning it on and it telling you what you need to know."

Many security assessment vendors are offering products and services to help agencies triage the multiple vulnerabilities often identified by network security scanners. Cisco works with agencies to identify the severity of each vulnerability and helps them plug the holes, said Joel McFarland, product line manager in Cisco's security Internet services group.

"We provide a very robust reporting capability...that says, 'Here's all my problems...here's what you should do about them,'" McFarland said. "For every vulnerability that the scanner identifies, there's corresponding dictionary information.... You pull up an HTML page, and it tells you how to fix the problem."

Wang also offers a variety of services to accompany its commercial and proprietary scanner products, said Mike Kociemba, the company's manager of secure systems.

Wang considers network security a subset of information security, which encompasses many forms of data, including hard copies. Before Wang ever touches a customer's network, company security teams examine an agency's security requirements and how they translate into policy and procedure.

"The world is moving much more toward risk management," Kociemba said. "It's no longer feasible to prevent all types of security incidents from happening. You are looking at how an organization approaches security."

Paul Green, Wang's senior security engineer, added that experienced professionals are critical to the security equation because they analyze the output from network scanners, identify false positives and note patterns that tools may not recognize.

For example, a scanner may locate a hole, but because the security team has assessed an agency's entire architecture, it would know that a firewall or some other mechanism would cover the weakness, he said.

Wang also offers services via its advanced technology lab, which can mimic an agency's network configuration and test products in an interoperable environment. This service can be used to eliminate many of the security weaknesses often created when an agency integrates new technology with legacy systems.

Although services usually accompany an agency's purchase and use of commercial scanners, some firms are offering virtual security assessment services.

Patrick Taylor, vice president of the risk assessment business unit at Internet Security Systems Inc. (ISS), said the company offers virtual services, in which scanners physically located at ISS facilities can scan a customer's network at scheduled times. Customers can access the results via the Internet, he said.

"It's an entirely virtual process," Taylor said. "No bodies come and visit to do this. It's just a different way to get the value proposition of a scanner without owning it."

After wading through the list of vulnerabilities, state and local government officials often will have to examine the value of any data that may be identified as being vulnerable to determine how much of an investment to make to plug network holes, said Joe Christensen, a network security consultant working with Georgia on security assessment.

"It's an art more than a science," he said. "You look at your network and you figure out what your risks are. Some sites are below the radar screens. There are things where if we lose it, it's not going to affect our business. You're going to put more dollars on critical systems. That's where your bread and butter is."

For many agencies that have not been the targets of hackers or other unauthorized users, evaluating the return on investment for security assessment tools and services may be challenging. However, Axent's Negron said that network security management provides a healthy return on investment for agencies.

"Management of security on a network is the biggest ROI today because the cost of implementing a solution that enables you to validate that you have a sound security implementation is not much," he said.

"A tool you can sit in one location...and check the security configuration of your network on a weekly basis...implementing that is not expensive," Negron said. "If you can do that, you're probably taking care of a big chunk of the security problem."

Matthew Kovar, senior analyst at The Yankee Group, said that state and local government agencies considering purchasing assessment tools and services may want to research a particular company's history addressing particular operating system vulnerabilities.

For example, some companies have a well-established history targeting security vulnerabilities in Microsoft Corp.'s Windows NT, while others specialize in Unix security.

The market for security services is growing, Kovar said, as the government steadily loses experienced IT workers to private industry.

"A lot of organizations don't have...a closely knit group of folks that understand all the systems," Kovar said. "It's a fairly unique set of skills that you need to have. If you think that it's crucial to your organization to have zero tolerance [for security problems] you probably want to train, retain and pay up to hire the people internally. At the same time, you may want to pay up and have some company validate your work."

— Heather Harreld is a free-lance writer based in Cary, N.C.
