McLean, VA, Thursday, February 2, 2012 – Success in cyber security requires buy-in from the highest levels – not just among the IT staff, but at the CFO and CEO level, according to government and industry panelists in a recent federal cyber security seminar. Network monitoring, patching or purging outdated software and hardware, communications, and coordination are all essential tools for good risk management policies and practices.
The seminar, “Cyber Security Implementation Strategies for Present and Emerging Threats,” was presented on January 18, 2012 at the International Spy Museum in Washington, DC, by immixGroup, Inc. in cooperation with Federal Computer Week. Moderated by immixGroup co-founder and Executive VP Steve Charles, the event featured high-level speakers from the federal government and private industry, and was sponsored by cyber security companies including Bit9, Hewlett-Packard Enterprise Security, and Sourcefire.
First among the speakers was Donna Dodson, division chief of the computer security division and the deputy cyber security advisor for the National Institute of Standards and Technology (NIST), with the Department of Commerce.
As part of the Department of Commerce, NIST is involved in measurement science in support of the national economy. Through the Federal Information Security Management Act (FISMA) of 2002 and related policy, Dodson said, NIST is mandated to create standards, guidance, best practices, measurements, and test tools for national security.
According to Dodson, NIST is involved in the “intersection of cyber security and IT”—risk management and risk life cycle for the entire infrastructure, not just for individual devices. Success in cyber security has to consider the information to be protected as well as infrastructure. Cyber security has broadened, Dodson said, and tools and technology today must look at cyber/physical systems as well.
In terms of strategy, Dodson recommended to “start with vulnerabilities,” and establish security automation guidelines for continuous monitoring. “Continuous monitoring is very powerful,” Dodson said, noting that it is important to take inventory of potential vulnerabilities and to put techniques into place to address those particular vulnerabilities.
In the coming months, Dodson said, NIST will be issuing major revisions to its SP 800-53 with a close look at cloud and mobile guidelines.
Organizations must be prepared to “push cyber security ownership up” within the organization, said Gil Vega, associate CIO for cybersecurity and chief information security officer with the Department of Energy (DOE). Organizations must be held accountable for risk management decisions, Vega said. At the Energy Department this includes the creation of a risk management executive body made up of senior executives and undersecretaries. Creating meaningful cyber security practices means sharing the responsibility for risk management decisions, Vega said.
In addition to pushing cyber security ownership up, Vega recommended activities such as taking inventory of endpoints and patching applications and operating systems. Network surveillance and incident response are critical activities as well, he said. Sharing information is similarly important. The Energy Department shares threat information across the organization, with shared analytics and incident management coordination. A Joint CyberSecurity Coordination Center ensures appropriate communication of this type of information.
Through these efforts, DOE is implementing a number of lessons learned:
- Avoid putting too much stock in a layered defense or multilevel security environments.
- Let go of “minority technologies” that may be languishing and creating vulnerabilities.
- Monitor cyber events “24/7.” Most events occur over long holidays, Vega said, leading him to “rue holiday weekends.”
- Maintain core forensic capabilities.
- Keep a senior project manager on response teams to help coordinate all activities. This improves response times.
- Be prepared to call for help from bureaus and other organizations. Don't be afraid to acknowledge that there has been an attack. Use this communication to gather the necessary resources.
- Develop an emergency communications continuity plan. This will enable you to talk, coordinate, and collaborate effectively across long distances in the hours and days following a major event.
NIST’s Dodson agreed with the importance of patching older systems, but cautioned that some legacy systems and applications are so wedded to an organization’s day-to-day operations that tremendous resources will be required to purge them. “Recognize it's going to be a big but critical problem to resolve,” Dodson said.
Among the industry spokespeople, the need to involve executives at the highest levels was equally important to cyber security procedures. Dr. Prescott Winter, chief technology officer, enterprise security, Hewlett-Packard, recommended getting senior officials engaged in the risk management process, even at the CEO and CFO level. He advocated tying security to mission and business goals. It’s important to see all assets in relation to mission, Winter said, particularly which assets will cause the most damage if they fail or are compromised.
Organizations have to balance their exposure to risk against the importance of an asset to mission, Winter said. This requires thinking about protection as an overall “computing fabric,” encompassing controls and processes with an architecture including both governance (policy creation and compliance) and operations (executing those policies across the enterprise). Winter also supported the use of sensors and data capture. “You have to see it to protect it,” he said.
Harry Sverdlove, CTO of Bit9, noted that because attackers use many different methods, no one tool is a complete solution. “There is no silver bullet,” he explained, although he noted that security information management is the “heartbeat” of a cyber security system. “You need to have the right sensors to know what's out there to be protected,” said Sverdlove, adding, “it's all about assessing risk.” An organization routinely deals with more information than it can possibly process. Coordinating sensors allows identification of suspicious activity. One organization, Sverdlove said, used this approach to cull truly suspicious activities down to three dozen from 20 million daily network events.
Martin Roesch, founder and CTO of Sourcefire, was skeptical of what he termed “defense in depth.” Different security solutions have fundamental areas of incompatibility and a lack of overlap in capabilities. Because 75 percent of malware is unique, and the average life of a piece of malware is approximately six hours, Roesch said new answers are important. Hackers are aware of classic tools, so Roesch advocated building real-time awareness of attacks and allowing tools to adapt to those attacks based on that awareness. He advocated integrating endpoint and network monitoring by “building a common map of what's occurring now.” This allows defense based on what's important to the enterprise, Roesch said.
The closing keynote of the cyber security seminar came from Joel Brenner, former senior counsel, National Security Agency, and the author of the book, America the Vulnerable: Inside the New Threat Matrix of Digital Espionage, Crime, and Warfare.
Responsibility for the dissemination and protection of information must be taken together, Brenner said. Quality of security systems is “built in – not inspected in after the fact.” Unless dissemination and security of information are addressed jointly with bureaucratic process, “they are devoted to undermining each other.” This includes auditing your IT and security systems. “A system not subjected to a vigorous audit will eventually get you in trouble,” Brenner said.
As for the most troubling aspects of network security, Brenner said, “you can’t fix authentication, but you can deal with removable media.” He said the reason he included a USB stick as cover art on his new book was that, from a security perspective, removable media such as that is “Mischief Vector Number 1.”