More Information Security Woes... Can We Ever Be Safe From Our Own Government?
Agency Officials Say Info Security Law Falls Short
The federal law governing agency information security practices took a beating Thursday in congressional testimony from government cybersecurity officials.
Donald Reid, senior coordinator for security infrastructure at the State Department's Bureau of Diplomatic Security, told a congressional subcommittee that the 2002 Federal Information Security Management Act (FISMA) does not "tell the whole story" when it comes to agencies' information security practices.
Earlier this month, State received a failing grade on the fiscal 2006 cybersecurity report card for the third time in the four years the grades have been handed out. But Reid said that even if the department had received an A+ on the report card, it would not have been able to prevent a June 2006 cyber attack on the department's networks.
"Our ability to detect and respond to intrusions ... nowhere is that measured in FISMA," Reid said. "It's a great baseline log, but we clearly have more work to do."
So let's see if we have this correct:
1. Our government, specifically the State Department in this article, has received failing grades for cybersecurity across several agencies, including the IRS, the Department of Agriculture, three branches of the military, the White House, the VA and elsewhere.
2. The combined DHS/NSA project to develop an information and intelligence sharing center has run into numerous problems trying to get all the information to share across database platforms and network topologies.
3. At the VA, the IRS, the high-security/top-secret defense labs in New Mexico and elsewhere throughout our government, numerous (hundreds of) laptop computers have been stolen or lost with confidential and secret data on their hard drives.
4. Experts on the use and structure of databases have made the case that the data mining conducted by the NSA, DHS, airport security, etc., is not only ineffective but a major waste of taxpayer dollars.
Is anyone seeing the pattern here?
The June 2006 attack was initiated when an employee of the department opened a Microsoft Word e-mail attachment that contained an exploit code, which is a piece of software or data often used to gain control of a computer.
How is it that millions of home computer users can protect their computers from such attacks (albeit millions often do not), but our government--with all its resources, expertise and money--cannot protect its computer systems?
Doubts have been raised about the effectiveness of FISMA for more than a year, with critics stating that it is little more than a paperwork exercise. But OMB officials have said the law needs more time before it can be judged.
The problem is that the people passing the laws do not understand the threats, the technology, the limits and the possibilities involved in not only providing cybersecurity, but even how (and what) to protect in governmental computer networks. Given that our lawmakers have relied on the expertise provided to them by government employees, what does this say about who we are hiring and depending on for security?
Let's face facts. Anyone with real cybersecurity credentials is not going to work for our government: the salary is significantly lower than what can be obtained in the private sector, there are better opportunities as a consultant or contractor to the government, and there are just too many damn political issues when working for Uncle Sam. But if we rely on contractors and consultants, we run into several conflicts of interest, not the least of which is that it pays the contractor or consultant to stretch the process out for as long as possible. The other problem is that, given the recent history of scandals, waste and fraud, we have not been able to rely upon the ethics and integrity of governmental contractors and consultants.
Rep. James Langevin, D-R.I., chairman of the House Homeland Security Subcommittee on Emerging Threats, Cybersecurity and Science and Technology, which held the hearing, said incidents at State are just the tip of the iceberg.
"These are not the only agencies experiencing problems," Langevin said. "They are simply the only attacks that have been made public."
According to information provided by Langevin, hackers using Chinese Internet servers launched an attack on the computer systems at the Commerce Department's Bureau of Industry and Security in October 2006. The hackers used a "rootkit" program that allowed them to mask their presence to gain access to the system.
"I think these incidents have opened a lot of eyes in the halls of Congress," Langevin said. "We don't know the scope of our networks. We don't know who's inside our networks. We don't know what information has been stolen. We need to get serious about this threat to our national security."
These statements really instill our confidence in the way our government conducts its business, don't they? The litany of what these folks do not know is longer than a Catholic novena.
Dave Jarrell, manager of the Commerce Department's critical infrastructure protection program, said the department focuses a significant amount of attention on FISMA, which primarily centers on certifying and accrediting an agency's information technology systems.
We have to wonder what the Commerce Department focused on before the passage of FISMA. Why does the effort to secure our computers and networks require so much focus? Was the security of our computers and networks ignored before FISMA came along? Was the neglect so significant that a complete overhaul is now needed? And, if Congressman Langevin's statements are true, how will they know whether they get it right?
Any rating of an agency's systems under FISMA is merely a snapshot in time, Jarrell said. A change to a system, such as an introduction of new technology or a new user, changes the security variables that an agency looks at, Jarrell said. While FISMA is a good tool, an agency also has to look at other capabilities and vulnerabilities.
"Having the ability to put more technology in place so that we can secure that system is also a great issue," Jarrell said. "It seems that there needs to be more of a balance of FISMA and the introduction of new technology."
Of course, anyone who has worked for the federal government knows that the government is almost always five to ten months out of date in its technology implementation. In the world of information technology, that length of time is equivalent to three to five years in most other industries and technologies.
Consider the differences between television technologies and computer technologies as an example of what being out of date means. Recent innovations in television include High Definition and digital signals; it has taken almost 15 years to implement both. However, while most computer users are just grasping the possibilities of CD-ROM, CD-R, CD-RW, DVD, DVD-R and DVD-RW storage technologies, the computer industry has already introduced Blu-ray Disc technology that is slated to replace all of them. The storage capabilities of home computers have seen innovations and new devices about every 2-4 months, including the elimination of floppy disks; the obsolescence of ZIP, Jaz and other larger external storage devices; the introduction of flash drive technologies; the introduction of micro-drive readers; and so on. By the time our government figures it all out, the technology has changed.
On top of all these issues is the fact that the government has so many workers using computers, and the amount of training they receive regarding computer, network and technology security is at best a one-day session and at worst a warning from a supervisor to read the manuals. Even with the best technology experts running the behind-the-scenes security, the configuration of our governmental networks and the number of people on these systems change rapidly, creating an unstable networking environment in which the level of protection at the end-user level is always in question.
I am not saying that our systems cannot be secured. I am saying that we do not have managers, leaders and lawmakers who understand how to implement security measures well, and we do not train end-users to help make our computers, storage devices and networks secure. In other words, we have ignored these issues for so long that we will never be able to catch up without a complete analysis and overhaul of the way we have structured our networks and the way we assign access to computers, networks and other technologies.
Given all these issues, I am even more concerned regarding the way the NSA, DOJ, DHS, TSA, IRS, VA, USDA, CDC, CCMS, NSC, DOT and other governmental agencies collect, handle, analyze and use the data they collect. My concerns are especially focused on the issues of national security, law enforcement and civil liberties.
Greg Wilshusen, director of the Government Accountability Office's information security issues division, said if the performance measures established by the Office of Management and Budget do not spotlight the effectiveness of security activities, FISMA cannot be fully effective.
"Just performing certain activities doesn't mean they are being performed effectively," Wilshusen said. "Just because a system is certified and accredited does not make it necessarily secure."
He said receiving a higher grade on the FISMA score card is more an indication of the measures used to assess security implementation rather than of the actual state of government information security.
In other words, a FISMA report card is all but meaningless. Given that any effort to assess FISMA compliance is admittedly focused on a "snapshot in time," while the world of hacking and breaking security is fluid and dynamic, we do not have the ability to secure our networks.
Rep. Tom Davis, R-Va., who issues an annual report card on FISMA compliance, said last week that while the law could be improved, criticism of it has come "mainly from failing agencies." He also said he wants "to take FISMA to the next level."
Davis introduced legislation in the last session of Congress that would have amended FISMA to require all government chief information offices to enforce rules accounting for and securing IT equipment containing sensitive information.
The legislation, which would have required agencies to inform the public when data breaches involving sensitive information occur, passed the House but never made it out of the Senate.
The Senate must have realized what a political football such reporting requirements would be. Imagine what would happen if every federal agency actually reported the failing status of our cybersecurity. What would be the reaction from their constituents? Would there be pressure to retract the IRS requirement to file taxes by computer? What would the media say? How would the realization that we are not only vulnerable, but also that what we have in place is inaccurate and abused, affect the mood of our nation? Would it change the apathy many Americans have regarding the government's collection of all sorts of data? Would it undermine our confidence (even further than it is now) in our government and its officials?
To Find the Danger, This Software Poses as the Bad Guys
Do not fret too much about the status of our governmental computers and networks, because there is every indication that our corporate computers and networks are not all that secure either.
For all our dependence on computer software, the truth is, it isn’t very safe. Recent data breaches involving tens of millions of confidential company files have made this all too clear.
Why is software potentially so dangerous to the health of a business? There are scores of reasons. The big one is that software systems are so complex that it is next to impossible to find all the holes.
That can lead to trouble: hackers stealing trade secrets, for example, or customer information. Company servers can also be infiltrated and used to send spam, or data can inadvertently be exposed to anyone with access to a search engine.
The rise of the Web, which encourages companies to connect their programs to those of other companies, creates the potential for even more software problems — most code wasn’t written with sharing in mind.
Then there is the growing practice of releasing unfinished “beta” code to the Web to keep ahead of competitors, which can make it seem as if the software industry prefers to fix products after the fact. Indeed, at times, the software industry appears to be racing downhill while still trying to build its car.
A new company, Veracode, of Burlington, Mass., gives companies a way to help keep the wheels on. In February, Veracode introduced SecurityReview, a service that lets companies automatically test their code, either alone or with other businesses. The goal is to find vulnerabilities that could leave data exposed or that hackers could exploit.
Some of these vulnerabilities are as old as software itself — like the buffer overflow, in which hackers hijack computer systems by interrupting program commands and inserting new ones. Veracode’s tool finds these and other common problems with software by acting as an automatic hacker.
New Hacker Techniques Threaten Agencies
As if I needed confirmation and affirmation of statements made above, the following article points to new methods hackers are using to exploit computer and network vulnerabilities.
With hackers constantly concocting new types of malicious software, government agencies are struggling to stay abreast of the latest threats, according to testimony released Thursday by federal auditors.
One new trick that intruders are trying involves a covert form of "malware" called a rootkit. A rootkit remains dormant, invisible to the user and even the computer's operating system, while gaining access to information in the computer and any network connected to the computer.
"[T]he purpose of the rootkit is to jimmy the door or make a key to the house that no one else knows that you have, so you can gain entry," said Jim Butterworth, the director of incident response at Guidance Software, a computer investigation firm. "It's a significant threat to all government agencies."
While rootkits can be outwitted by users and sophisticated technical protections, including a tool offered by Guidance, agencies are not fully executing their defense strategies, according to the Government Accountability Office (GAO-07-751T).
User training is critical to combating threats, Butterworth said. "A lot of times it is human error that results in an intrusion. It is accidental. ... It is unintentional."
He added that checking Web-based mail or surfing the Internet could open a computer to a rootkit. Thumb drives, too, can become conduits for malware. Butterworth urged agencies to mitigate the danger posed by removable devices by disabling USB ports on all employee computers, except ports used for required work-related purposes.
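Butterworth's recommendation above, as an added example that is not from the article or from Guidance Software: a PowerShell script that first lists the removable storage devices a Windows host has previously mounted (so an administrator can identify the work-related ones before locking the rest out), then disables the USB mass-storage driver and verifies the result. It assumes an elevated PowerShell session on Windows; the registry locations are the standard USBSTOR enumeration and service keys.

```powershell
# Added example (not the article's or Guidance Software's code): inventory the
# removable storage devices this Windows host has seen, then disable the USB
# mass-storage driver so new thumb drives cannot mount. Assumes an elevated
# PowerShell session on Windows; paths are the standard USBSTOR registry keys.
#Requires -RunAsAdministrator

$UsbStorEnum    = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR'
$UsbStorService = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'

function Get-UsbStorageHistory {
    # Each model key (Disk&Ven_...&Prod_...) holds one subkey per device serial.
    # Windows keeps these after the device is unplugged, so this is the list an
    # administrator reviews to decide which devices are "required work-related".
    if (-not (Test-Path $UsbStorEnum)) { return @() }
    Get-ChildItem $UsbStorEnum | ForEach-Object {
        $model = $_.PSChildName
        Get-ChildItem $_.PSPath | ForEach-Object {
            $props = Get-ItemProperty $_.PSPath
            [pscustomobject]@{
                Model        = $model
                Serial       = $_.PSChildName
                FriendlyName = $props.FriendlyName
            }
        }
    }
}

function Get-UsbStorageState {
    # Start = 3 (manual, the default) loads the driver on demand;
    # Start = 4 disables it, so mass-storage devices are no longer mounted.
    $start = (Get-ItemProperty $UsbStorService -Name Start).Start
    [pscustomobject]@{
        StartValue = $start
        Enabled    = ($start -ne 4)
    }
}

function Disable-UsbStorage {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ($PSCmdlet.ShouldProcess($UsbStorService, 'Set USBSTOR Start=4')) {
        Set-ItemProperty $UsbStorService -Name Start -Value 4 -Type DWord
    }
}

function Enable-UsbStorage {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ($PSCmdlet.ShouldProcess($UsbStorService, 'Set USBSTOR Start=3')) {
        Set-ItemProperty $UsbStorService -Name Start -Value 3 -Type DWord
    }
}

# Review the history first, then enforce and verify the change took effect.
Get-UsbStorageHistory | Format-Table -AutoSize
Disable-UsbStorage
$state = Get-UsbStorageState
if ($state.Enabled) {
    throw "USBSTOR is still enabled (Start=$($state.StartValue))"
}
Write-Host 'USB mass storage disabled; already-mounted devices remain until unplugged.'
```

This is a per-host control that only affects mass-storage devices (keyboards, mice and other USB classes keep working); in an agency network the same value is normally pushed by Group Policy rather than set by hand.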
Labels: computer security, corporate security, governmental networks, national security