PROTECTING THE PUBLIC: SECURITY STRATEGIES FOR THE ELECTRONIC GOVERNMENT

A Big Time Response to a Big Time Problem

Government and industry are engaging in frank and open talk about better information assurance--and not a moment too soon.

When the ink dried on the recommendations supporting Presidential Decision Directive-63 (PDD-63) a few years ago, officials including the highly respected Sam Nunn, the former Georgia senator, suggested that protection of America's critical infrastructure would require an extraordinary public-private partnership. Nothing less than the same level of close cooperation that helped NASA reach the moon, or the United States prevail in the Cold War, is required to make America safe from attacks on its major utility and technological platforms, officials decided.

Just the thought of power plants or major transportation systems disabled by foreign opponents is enough to give one pause. But of all critical utilities, telecommunications might be the most vulnerable because it can be attacked from great distances and with virtual anonymity.

If we thought otherwise, we certainly confronted the underlying need for PDD-63 earlier this year when a virus introduced into computer systems via the Internet wreaked havoc around the world. The infamous I Love You bug was set loose in the Philippines, thousands of miles away, costing global interests billions of dollars and immeasurable grief. The virus hit heavily computerized North America, Western Europe and Asia particularly hard.

Outside the Box

To no small extent, the recent Technology Excellence In Government (TEG) conference in Washington, "Information Assurance: Protecting the Public," was convened to advance the growing partnership that industry and federal agencies are forming around the security issues these kinds of incidents have raised.
Although a long time coming, there is finally evidence that the dialogue is opening and the key players are free to get outside the tight box in which federal IT implementation too often occurs. Also, as a panel of industry advisers noted, the timing for a public-private security partnership has never been better. The security requirements of federal agencies and of major e-business companies are now synchronized at the "nuts and bolts" level. A company like Dell Computer, which transacts $50 million of business a day on the Internet, is just as vested in IT security from the mission-critical standpoint as the Defense or State departments. Which is to say, without information assurance the fundamental ability of many large organizations to function is jeopardized.

Presented by GCN, the Council for Excellence in Government and the Digital Government Institute, the conference featured broad overviews of federal requirements and security-related programs. The conference also featured forthright presentations by seven industry conference sponsors. Industry officials stressed that new solutions for IT security must be applied as part of broader organizational security initiatives and stronger policy-level actions within agencies.

Take it to the Hill

Industry offers systems and methods for dealing with the entire horizon of security issues, noted Susan Pequigney, federal program director at Internet Security Systems. "But if you don't implement a sound security policy then everything else you do won't matter," she said. Martin Gonsales, a senior executive with BMC Software, concurred and noted that agencies must begin looking at security across their entire infrastructure and IT architecture, not merely as an isolated discipline within a segment of IT. All agreed that security budgets in government will have to evolve to accommodate such an approach and that the upper reaches of government must be engaged in the effort.
Clearly, industry has a stronger sense of the federal security agenda than ever before, and is more confident about what its role should be, said Maryann Hirsh, a senior vice president at Federal Sources, Inc. The best evidence of this is that IT companies have joined in the lobbying effort on Capitol Hill to garner more funds for security. "Some companies that never worked the Hill before are now spending time up there," Hirsh noted. The basic idea, she said, is to raise security consciousness "because many people in Congress are still not aware of it."

Common Ground

On the agency side, the evidence is strong that agencies are not only more security-conscious than ever but are also moving their focus to strengthening the partnership with industry ASAP. Gaurang G. Shah, a senior product manager at Axent Technologies, said he believes PDD-63 has made the transition from a policy pronouncement to a framework in which the upper levels of government and industry are carving out a coherent agenda. The next step in the partnership is to get specific implementation efforts really rolling, Shah said. Pierce McMahon, a senior business manager with Computer Associates, said the interests of government and industry where IT security is concerned have never been closer, with perhaps only 10 percent of government requirements falling into a "special needs" category. Each side will no longer pursue matters like R&D and testing of new technologies separately, McMahon said. Andrew Lehfeldt, a strategic account manager and PKI expert with RSA Security, said, "Standards efforts can now drive the partnership, and cooperation will increase as technologies that can be used across the board are brought to market."

"Love" Lessons and More

Where IT security was once something of a "black box" issue, there are simply too many interests at stake for anything but a full-bore technology and standards effort, experts have noted. Plus, lessons are beginning to mount.
For every worldwide virus or high-profile denial of service attack, the industry is strengthened by new knowledge. Attacks also increase the resolve of Internet-dependent organizations to overcome what are, admittedly, difficult problems. The lessons have come in various areas of endeavor and have been learned on all sides.

John McIntyre, a senior account representative with Symantec, maker of prominent anti-virus software, noted that when the I Love You bug hit, it stirred up enough of a frenzy among the company's many customers that "our site went down even though the virus itself was not the cause." The lesson, of course, is that collateral damage must be considered as part of an organization's incident response plan, he advised.

Security can also generate a plethora of unintended consequences. RSA's Lehfeldt recalled that a beefing up of security in one federal agency was planned around changing user accounts from 8-character passwords to 12-character ones. "But because people had such a hard time remembering 12 characters, they had a tendency to start writing their passwords on yellow stickies that they just put out in plain sight on or near their desktop computers," he said. Thus was the entire purpose of this policy change defeated.

You Will Be Hit

Tom Burke, assistant commissioner for the Federal Technology Service office of information at GSA, noted that while PDD-63 and IT security budgets have snarled on Capitol Hill this year, agencies have worked around the money crunch. Burke said that better commercial support for federal security could be exploited. "Federal risk management can now be performed using the same COTS packages that are used to do pure economic risk management in the corporate and e-commerce sector," Burke said. Most agencies have planned, and perhaps even updated their plans, for PDD-63. And, though Burke acknowledged that the Office of Management and Budget was accused of being slow on the uptake, OMB has recently shown increased interest.
"For the first time, we are seeing the director of OMB putting out memos on IT security," Burke noted. Agencies are also facing their own Inspectors General, who have been ordered to perform PDD-63 evaluations in more than 70 critical infrastructure areas.

Maryann Hirsh said the battle for budget support will continue but said agencies might already have enough money to significantly meet baseline IT security requirements. What they lack is the staff expertise and the priority, she said. Well, almost everyone agreed that the federal know-how shortfall could be supplemented by industry--as long as the priority is clear. Unfortunately, the forthcoming virus, hack or denial of service attack that will further galvanize this priority is pretty much a foregone conclusion, several speakers said. Or, as John Winfrey, an online consultant with Dell Computer, advised, "Don't plan around what you will do 'if' an attack on your system occurs, plan what you'll do 'when' it happens."

Information Assurance--The Budget and Beyond

The TEG Information Assurance conference took on a plethora of security issues and developments in the federal sector.

The recent Technology Excellence in Government conference in Washington featured a view across some of the key issues surrounding Information Assurance, including a market summary from Maryann Hirsh, a vice president with Federal Sources, Inc., who analyzes the federal IA market. Hirsh noted that information assurance and IT security are increasingly linked to the imperatives of Presidential Decision Directive-63, which is backed by a $1.7 billion Critical Infrastructure Protection (CIP) budget. While CIP spans the universe of physical plant and electronic technology security concerns, agencies are increasing their direct spending on IA at a faster rate than overall IT spending, Hirsh noted. She said that Information Assurance spending will grow from $1.2 billion in 1998 to $2.5 billion in 2004.
Much of the increase is attributable to civilian agencies, Hirsh said, who are playing catch-up with the security consciousness of the military and intelligence sectors. The spending growth trend reflects the growth in real threats to systems. Hirsh said IA-related attacks grew from about 100 significant incidents in 1988 to more than 8,000 in 1999. Distributed denial of service (DDoS) attacks and web-spread viruses lead the threat list. While panic-style headlines rivet attention on IT security as never before, agency officials lobbying for more support continue to be stymied by the fact that there is no way to measure return on investment for IA spending, Hirsh noted.

A "Bridge" for PKI Interoperability

Whether you are doing business online or dealing with sensitive information, PKI is something you need to understand. Why? Because PKI is the technology that allows you to be sure the party at the other end of an online transaction is who they say they are, said Denise Silverberg, deputy to the chair of the federal Public Key Infrastructure (PKI) steering committee. The end product of a PKI system is a digital certificate issued by a trusted third party. A digital "cert" authenticates and validates transactions in both the e-commerce and information exchange worlds.

The Federal Bridge project is an attempt to give all agencies a way of dealing with each other and with non-government organizations regardless of which vendor's PKI is in use. Silverberg called the planned Bridge "a conduit of trust." Essentially, the Bridge will give transactions a place where interoperability across different PKI systems can occur. Where federal-only PKI is concerned, officials are using GSA's recently deployed ACES digital certificate system as a baseline resource from which to set up new trusted systems, she said. The voluntary governmentwide Bridge project has reached various stages of prototyping and demonstration testing.
It is planned for use by Veterans Affairs, Social Security, and the Treasury, Agriculture and Defense departments, supporting a variety of applications--medical records, student loans, online payroll and thrift plans, accounts payable, and financial regulations information sharing.

Silverberg, who is a Treasury Department information official, told industry attendees that the need for the Bridge will "eventually go away" if vendors continue to move toward interoperable PKIs. She told agency attendees that while PKIs are often a cause for concern about potential legal snafus, "technology and commerce marches on regardless of legal uncertainties." In addition to building the Bridge, the PKI steering committee can also help agencies prepare their case for better IT security budgets.

A Mission Critical Solution

Agencies looking for better web security might follow a web e-business leader. Dell Computer's online enterprise architecture evokes federal security requirements in reach and size.

People with allegiance to manual business processes want to believe that e-business is like the weather: everyone's talking about it but no one's doing it. The fact is, however, that plenty are doing it and talking about it too. At the recent TEG Information Security conference in Washington, web giant Dell Computer not only talked the talk but walked the walk, giving federal officials a look-see at how the company protects its mission-critical online business systems. Dell does a whopping $40 to $50 million PER DAY of Internet business, accounting for more than 40 percent of all its sales. At that rate, it will do about $12 billion of business online this year, and about $1 billion in the public sector.
John Winfrey, an online consultant with Dell, said the company launched its web e-business platform after an enterprise planning implementation a few years ago "failed miserably." The company learned the hard lesson that "we needed to build out our technology, our capabilities and infrastructure." To this end, Dell structured its web presence within multiple data centers, two near its headquarters in Texas but others as far-flung as Ireland and Japan. The redundant Texas centers operate near each other "but on completely separate power grids," Winfrey said.

While Dell uses the major systems and components available in today's technology-rich marketplace, Winfrey noted that security is ultimately not a technology-only issue. "We look at the policies and procedures we've established as more valuable than the tools we can put in place," he said. It takes a number of managers to tend to security at Dell, he said, but he stressed that all 35,000 company employees participate in online security. Dell's security mantra is "don't protect against WHAT-IF, protect against WHEN." Winfrey said hacks, viruses and denial of service attacks are inevitable. Security must be focused on reality. Lines of communication within Dell regarding possible new threats stay open on a 24/7 basis, he said.

Dell's online enterprise architecture evokes federal security requirements in reach and size, encompassing hundreds of servers and 100+ terabytes of data, with web sites in 44 nations running in 21 different languages. E-business relationships have resulted in the creation of 40,000 extranets with customers and their sensitive account information, Winfrey said. Dell relies on double firewalls, multiple ISPs and routers, encryption, password systems, Secure Sockets Layer (SSL) and other state-of-the-art security methods such as intrusion detection, vulnerability assessment, incident response and investigations. There is no single point of failure.
Every component of Dell's architecture is a result of an "iterative" approach to security, Winfrey said, because threats are always changing. "Security is an ongoing effort," he told the conference. Certain costs are unavoidable, but the larger part of the job is related to policies and procedures that must be maintained within an organization. Either take Internet security very seriously or don't use the web, Winfrey advised. For more information on how Dell approaches security for its mission-critical online systems, check out www.dell.com/security.

State Is In The Vanguard

Perhaps there is no way to really measure ROI for computer security spending, but there IS a way of measuring the opposite condition, said Fernando Burbano, the State Department chief information officer. Addressing the recent TEG security conference, Burbano noted that earlier this year the I Love You virus impacted 45 million computers worldwide at a cost of $10 billion to $15 billion--"all caused by 300 lines of code written by a kid in the Philippines," the State CIO added.

Faced with threats that range from prankish viruses to diabolical terrorist bombings of embassies and the murder of U.S. officials abroad, State and the U.S. Overseas Presence Advisory Board are in the vanguard of PDD-63 requirements development. Where information technology is concerned, Burbano said 40 U.S. agencies involved in foreign affairs will develop a common IT-secure platform for both classified and unclassified systems. These agencies will opt for Internet and Internet-like technologies for collaboration, and can be expected to apply knowledge management principles and practices to all electronic lifelines--data, telephone, email, Internet and fax. In the meantime, State itself is working to consolidate its three types of networks (classified; sensitive but unclassified; and classified) into a single infrastructure that can accommodate better security strategies and new COTS systems.
Burbano noted that effective Internet security is only now arriving on the market, security itself having been outpaced by the web explosion. "But federal budgets do not reflect that this [commercial security] technology is available," Burbano said. He favors supplemental budgeting such as was used to defeat the Y2K problem. In the meantime, State is investing itself both within the framework of PDD-63 and in the emerging IT security e-commerce sector. The department is also performing a public key infrastructure (PKI) pilot for the Federal Bridge program, and is applying state-of-the-art risk assessment and risk management strategies to its IA requirements. Burbano said State will continue to cover its expertise shortfall with outsourcing, which it already relies on for 50 to 60 percent of its IT security requirements.

Tips From The Trenches

The System Administration, Networking and Security (SANS) Institute is a front-line organization in the worldwide effort to establish Information Assurance strategies and tactics at all levels of IT systems management and operation. SANS experts come from industry and government and provide counsel in security disciplines that range from the macro policies employed by agencies to the component technologies that best support those policies. Tips from SANS come from the trenches of IT security implementation, and reflect the breadth of best practices recommended by experts today. Even a mere sampling of SANS guidance is valuable stuff.

Get Top-Down Support

The Institute stresses that the key elements of a security infrastructure include:

• A strong commitment from management to provide sufficient resources to get the work done and to support security policies and procedures.
• A well-defined site security policy.
• A well-developed security awareness training program.
• Clearly defined, implemented and documented security policies and procedures, which are supplied to everyone within your agency.
• A strong flow of information to and from the appropriate groups.
• The right people and the right tools to do the job.

And The Tools Are...

SANS notes that the following tools are essential to IT security:

• Host-based auditing tools
• Network traffic analysis tools
• Security management and improvement tools
• Firewall, filtering and proxying tools
• Network-based auditing tools
• Encryption tools
• One-time password tools
• Secure remote access and authorization tools

Pick 'em Off With IDS

SANS experts believe intrusion detection systems (IDS) are particularly useful because:

• The earlier you detect an attempted attack, the better chance you have of preventing a serious and potentially expensive system compromise.
• Knowing the types of attacks that are directed against your site helps you tune your defenses.
• Detecting attackers and preventing them from using your site as a springboard to attack other sites may save your organization from embarrassment and/or legal costs.

Best Practices Performed

SANS recommends a number of practices that will ensure that your security infrastructure is sound. The following tasks are well worth performing:

• New system installation security audits help ensure conformance to existing policies and a standard system configuration.
• Regular automated system audit checks can reveal "visitations" by intruders or illicit activities by insiders.
• Random security audit checks are your way to test for conformance to security policies and standards (by checking for illicit activity), or to check for the existence of a specific class of problems (e.g., the presence of a vulnerability reported by a vendor).
• Night audits of critical files are a way to assess the integrity of critical files (e.g., the password file) or databases.
• User account activity audits can help you detect dormant, invalid or misused accounts.
• A regular practice of auditing will help an agency devote valuable resources to the most likely areas of system weakness.

Heed These Internet Basics

As agencies port more of their information resources to the Internet, they should heed some basic guidance about the most common security snafus that plague web systems. Here's what SANS has found:

• Sites do not dedicate sufficient resources to improve and maintain security.
• Support personnel do not have management support or the authority to deploy appropriate security measures.
• Vendors still ship systems with poor default security configurations. Customers still implement these systems "as is" even though they are aware of the security deficiencies.
• Sites do not install vendor security patches even after receiving them.
• Sites do not monitor or restrict network access to their internal hosts.
• Sites do not implement or enforce procedures and standards when installing new devices on their networks.

The SANS Institute provides a full regimen of advanced training to IT security managers and technicians. For more information on programs that might be of interest to you, and more detail about the above guidance, check out www.sans.org.

Train Them, But Don't Tell

Do you know exactly how solid your IT security infrastructure is? Do you know where your system is most vulnerable? Money is scarce, so you need to spend it in the right places on the right things--don't you? Well, lucky are the agencies eligible for the National Security Agency's free Infosec Assessment program, in which NSA experts review agency systems and make recommendations for mitigating uncovered vulnerabilities. Wilbur Hildebrand Jr., NSA's chief of vulnerability assessment services, told the recent TEG conference on Information Assurance that Infosec is a voluntary program that affords agencies "another set of eyes" by which to gauge how effective their current security is.
Mostly, NSA is limited by manpower and budget to examining classified military and intelligence systems. But Infosec also offers a training program by which third parties in both industry and other agencies can be certified as experts, and thus extend Infosec-level evaluation services to civilian agencies and elsewhere. Hildebrand said NSA has trained more than 600 contractors in the Infosec Information Assurance Methodology (IAM) as part of a full "tech transfer" program that is stymied today by only one fact: NSA is not yet allowed to refer agencies ready for Infosec to these contractors because of legal considerations, Hildebrand said.

Parenthetically, we might postulate that the next time the General Accounting Office, Congress or the press lambastes an agency for faulty security, it might want to look at the Washington legal community too. Quite possibly, the security system under review might not have been so faulty if the critical partnerships across agencies and industry were allowed to function at full throttle and not be hampered by...well, let's be polite and just call it contemporary American legalistic idiocy. But, hey, that's our opinion.

To learn more about how your agency's information security officers can enroll in Infosec's valuable two-day IAM training program, check out www.nsa.gov/isso/iam/index.htm. That's where the good stuff is.