Security on a shoestring

Here's where resourceful IT managers find help with their security problems

Like public officials everywhere, information system managers are struggling to create policies and procedures aimed at preventing a terrorist attack or other large-scale emergency from bringing down federal, state or local computer infrastructures. Recent events like the destructive W32.Blaster worm, while not believed to be terrorist inspired, show how vulnerable computer networks and individual network nodes are to malicious hackers.

But although chief information officers say security is high on their list of priorities, and was even before the Sept. 11, 2001, attacks, they also report that federal resources for new IT infrastructure, training and technical assistance are in short supply.

The Homeland Security Department and other federal agencies have outlined a number of assistance programs. For now, however, most of those anxiously awaited resources are in their infancy and have yet to deliver concrete results.

"The problem is they're in the process of getting up and running, and DHS hasn't made any outreach to the states" for cybersecurity, said Larry Kettlewell, chief information security officer for the state of Kansas in Topeka. "DHS is not in a position to talk technology subjects yet. But the problems are here and now, not in the future."

What can federal and local CIOs do in the meantime? The response for many is to take advantage of some venerable federal resources and develop grass-roots efforts that use the Internet as a nationwide information clearinghouse for best practices, policy templates and interactive/instant advice when a new security problem hits home.

Making do

Although cybersecurity has been at the top of Iowa's strategic list, only recently have state officials seen DHS focus on it in a substantive way, said Ellen Gordon, homeland security adviser and emergency management administrator for Iowa's Department of Information Technology Enterprise in Des Moines.

"We would like to see from the federal government help in understanding the interdependencies among state, federal and local cybersystems," she said. "We don't have that picture at this point. Ultimately, that would lead us to identify what's most critical for our continuity of operations."

Like many other governments, Iowa has pushed forward in the absence of federal help, using resources that are available now. For example, the state is working with Iowa State University's Information Assurance Center.

For Matthew Baum, computer security officer and acting director of information assurance at the Education Department in Washington, D.C., the National Institute of Standards and Technology (NIST) provides a lifeline for the department's security efforts.

"A lot of security officers are using that more and more," he said. The attraction is that NIST posts security procedures and plans devised by it or other federal agencies that can become templates for others.

The NIST Web site "is time-consuming to go through, but the rewards can be great because it reduces the amount of time you need to produce" security policies, Baum said.

For example, Education recently needed an updated security checklist for its mainframe systems. Even though the NIST site didn't offer any alternative, Baum e-mailed a NIST forum for federal security managers — a group of about 500 IT specialists — asking for help.

"Within a day or two, another federal agency forwarded what they use, and we modified it to fit our environment," Baum said.

Collective intelligence and online information sharing have become increasingly popular features of that forum in recent years, Baum added. Now, "not a day goes by when a security officer doesn't raise a security issue or a question, followed by a response by someone who has solved the problem," he said. The result is that new policies and practices are put in place more quickly than when security managers worked alone to address challenges.

"In the past, if we identified a security issue and didn't have the resources in-house to solve it, we contracted someone from the outside," Baum said. "These days, with the NIST Web site and the Security Managers' Forum, the development of a document isn't something you create from scratch anymore. You can get a template for a complete document so you're not reinventing the wheel. In the long run, when a lot of agencies share information, some of their costs for program management are going to go down."

As chief of information technology security for the relatively small National Labor Relations Board in Washington, D.C., Daniel Wood said information about what larger agencies are doing to "button down" their networks saves time and money.

Both NIST and the Federal Computer Incident Response Center (FedCIRC), a DHS clearinghouse for incident reports and prevention measures, provide this information. Access control, intrusion detection and IT security policies are important topics on which Wood has looked to NIST for help.

"Larger agencies may have standardized on particular standards," he said. "Utilizing what's already been published helps to facilitate the acceptance of these standards within our agency."

Wood also gives high marks to FedCIRC's Patch Authentication and Dissemination Capability, a Web service that automatically sends alerts about new computer threats and provides validated "patches," pieces of software that shore up security holes in applications, operating systems and network components.

"It helps us understand what the current threats are, and in addition, it helps us to better address those which we may be most susceptible to," he said.

In the Midwest, an effort called the Secure Michigan Initiative is attempting to minimize cybersecurity risks and build awareness of safe practices among state employees. To do this, the state is testing a pilot Web site that it plans to fully launch early next year. It provides security fundamentals and online training for Michigan workers.

Dan Lohrmann, chief information security officer for the state, said the site used the Stay Safe Online Web site from the National Cyber Security Alliance as a model. The alliance is a collaborative effort by DHS and technology companies. "There's an abundance of information about security out there, so it's a matter of packaging it in an efficient way to not inundate users," Lohrmann said.

Gary Underwood, deputy CIO and state security officer for Arkansas, depends on security reports from InfraGard, a service run in part by the FBI.

"The daily briefings on vulnerabilities are very valuable to get an idea of what's coming," he said. "Sometimes the reports verify what we're already trying to battle, sometimes they provide an advanced warning about a vulnerability that's been exposed that we haven't already seen. It helps you understand that other people are dealing with the same problems you are."

Although no one wishes to share the pain of a cyberattack, sharing practical information about stopping one can be an important key for cybersecurity.

Joch is a business and technology writer based in New England. He can be reached at ajoch@monad.net.
