"The superior man, when resting in safety, does not forget that danger may come. When in a state of security he does not forget the possibility of ruin. When all is orderly, he does not forget that disorder may come."
We now live in the new, insecure era of the cyber criminal and terrorist, in which the nature of the threat is remorseless and constantly evolving. Assaults to the integrity of our data are increasing in frequency and sophistication; the stakes are nothing less than the security of the homeland itself.
In response, government IT managers are forging the foundation of a comprehensive national cyber security strategy. In particular, the U.S. Department of Homeland Security (DHS) is making tangible and notable progress on this front. The Department's cyber security methodologies, while in some cases still nascent, are worth emulating in both the public and private sectors. Let's take a closer look at the tactics, technologies and standards of this emerging national strategy, and the universal lessons that can be gleaned from them.
The mission of the National Cyber Security Division (NCSD) of the DHS focuses on the cyber component of the DHS preparedness mission. This mission is to work collaboratively with public and private stakeholders to secure cyberspace and America's cyber assets. Partnerships and collaboration across government at all levels and with the private sector, both domestically and internationally, are the cornerstones of this effort.
The broader context of this effort is the Department's risk management approach. In a world of limited resources, it is essential that the physical and cyber risks be first assessed and then the mitigation of that risk prioritized and the implementation of that mitigation tracked closely. This will allow the Department, and the Nation to focus resources on the most pressing risks.
Priority One: Building a national system
The first priority of the National Strategy to Secure Cyberspace is the creation of a national cyberspace security response system. Such a system requires public and private collaboration on a number of different components, among which are situational awareness, attribution, analysis, response, and recovery. A core component in building this response system is the need for coordinated government preparedness. DHS, in partnership with the Executive Office of the President, the Departments of Justice and Defense and other federal agencies, is enhancing government's ability to coordinate and leverage the capabilities of the federal government for each of these aspects of cyber defense. In coordination with the Department of State and other federal agencies, the government is also working internationally to facilitate and leverage related capabilities on an international basis.
An initial objective in creating this system is to build a robust, cyber-situational, awareness capability in tandem with information sharing among government departments and between the government and the private sector. This requires a strong partnership and collaboration effort between governments at all levels, both domestic and international, and between government and the private sector on a worldwide basis.
The goal of situational awareness is to create the ability to detect and recognize significant cyber activity from among the abundance of white noise existent within normal cyberspace activity. This will enable timely and actionable alerts and warnings to be communicated to government departments, Internet Service Providers, managed service providers, network operators and private system owners and operators, so they can take protective action on their systems and those of their customers. This should help to prevent potentially serious problems from spreading throughout the Internet with cascading consequences.
The capability to provide alerts and warnings to the government and the private sector is, in itself, a critical component of a national cyberspace security response system. The private sector currently has a patchwork system for providing alerts. This system is supplemented by government alerts that are issued by DHS's US-CERT, which is part of the NCSD and the National Cyber Alert System. Among the malicious activities that would trigger a situational awareness response are worms, viruses and their variants, significant malicious criminal or targeted cyber attack activity, the unexplained failures of key systems, and the discovery of new vulnerabilities and active exploits.
With the government working to ensure the consistent and timely sharing of information within government, between the civilian agencies and with the Department of Defense, coordinated situational awareness becomes of utmost importance. In partnership with the Office of Management and Budget (OMB), DHS' National Cyber Security Division as the leader of the United States Emergency Readiness Team (US-CERT), has issued the US-CERT Federal CONOPS that requires reporting of cyber incidents to US-CERT. Agencies are required to report to DHS and OMB important cyber incidents and information, as well as information on their specific efforts to help reduce cyber risk as pursuant to the Federal Information Security Management Act (FISMA).
FISMA is an effort to leverage the capabilities of federal government agencies along with the DOD, civilian agencies, the Intel community, and law enforcement. By undertaking the considerable challenge of discerning what is significant among all the data passing through the Internet, DHS is trying to build a common picture of Internet health in general, and of key government and critical infrastructure systems in particular.
On an international basis, the strategy is to strengthen and build on existing bilateral, regional and global information sharing efforts to facilitate the sharing of critical situational awareness information and begin to collaborate on priority strategic efforts to assess and mitigate cyber risk. There has been real progress in sharing information about the cyber security efforts being undertaken by nations and by global partnerships. However, work continues on enhancing and facilitating the timely sharing of significant information necessary to help build cyber situational awareness among allied nations and more widely.
It is interesting how much of the international dialog surrounding the need to enhance information sharing is concentrated on information types that are difficult to share, such as new vulnerabilities. While that information is important, it is also necessary to expend resources on parallel efforts to facilitate the sharing of information and analysis. By putting more effort here, it may be possible to accelerate the enhancement of global cyber situational awareness. That being said, one of the major challenges is to set up a system whereby 180 countries can share raw information, without simply adding another layer of white noise that's overwhelming. Sharing must be done in a way that adds more value than burden to the recipient.
Recently, the U.S. has been enhancing its efforts to work on strategic cyber security issues with the United Kingdom, New Zealand, Australia, and Canada. The first priority, in direct accordance with the situational awareness component of a national cyber security response system, is to build an international watch and warning network.
Follow the sun
In October 2004, the United States and Germany cosponsored a 15-nation international cyber security conference in Berlin. This event included a tabletop exercise to both explore communication paths and processes and to build an international watch and warning network to help participating nations enhance their cyber situational awareness. The goal was to create a robust system of information sharing that provided value to participating nations. Following the conference, a working group was formed that included representatives from the 15 countries. An initial priority was to leverage global regional models of information sharing. The order of the day was to enhance efforts to encourage trusted relationships of sharing such as in APEC in Asia, the OAS in the Americas, and the G-8 and the European Union in Europe.
At one point during the course of this tabletop exercise, one country representative asked how to determine when to share a particular piece of information. When does anomalous information, an incident or a vulnerability, rise to the level of international significance that needs to be shared internationally? The consensus answer was that if one waits until an individual piece of information in an individual country has attained international significance before sharing it, it might be too late to take appropriate measures. Consequently, it is important to establish a balance among sharing everything until the sharing loses its significance, trying to only share things that have demonstrated to be of significance, and trying to build a learning curve to understand what needs to be shared and what can be shared.
One concept that provides real value in sharing significant events is called "follow the sun" reporting, now used by Australia, Canada, New Zealand, the U.K. and the U.S. At the end of the day, a shift report is shared with the next country, essentially following the sun. The next country to see the sun rise gets the report from the other country going into darkness, detailing the information and related analysis of significant events that were important to them.
In addition to enhancing information sharing among federal agencies, DHS supports the Multi-State ISAC that facilitates information sharing and collaborates on raising awareness among state and local governments. In addition, it is working closely with the IT ISAC to facilitate and enhance the sharing of information among US-CERT, the IT ISAC, and the eight other industry-specific ISACS that share information with them. Part of this effort involves first identifying the gaps in the respective information sources and implementing strategies to fill those gaps.
Together, the government and the private sector should be able to collaborate on strategies to secure additional necessary information. The goal is to embark on a public/private partnership strategy to gain access to information to enhance and build a cyber situational awareness of what is occurring in government cyber space, as well as in the cyber space of critical infrastructure owners and operators. The DHS has cast its net for the kinds of information it needs but this must be supplemented with both targeted requests to new information sources and requests to current information providers to enhance the quality, completeness and timeliness of that information.
Preparedness: Response and recovery
The National Cyber Security Division is part of the Preparedness Directorate at DHS. Although preparedness is what DHS is basically about, this Directorate is keenly focused on preparedness and is working to ensure appropriate coordination between the mission areas to facilitate general preparedness. The DHS is currently working to enhance its preparedness to respond to serious malicious activities and to reduce cyber vulnerabilities and cyber risk. This effort spans government preparedness and that of the privately owned critical infrastructure.
As referenced above, as part of the interagency efforts of the NCRCG, the DHS is working to facilitate coordination and preparedness for response and recovery, within the authority of the Cyber Annex to the National Response Plan (NRP), to make sure that the cyber capabilities of federal agencies are leveraged and coordinated with the private sector and international entities. The purpose of this is to insure readiness to respond to and recover from significant cyber incidents and the cyber consequences of physical attacks and natural disasters.
Another effort to build a response system to enhance preparedness and to respond to and mitigate significant cyber attacks is the development of a Concept of Operations (CONOPS) and a set of standard operating procedures (SOP) for both the US-CERT federal agency efforts and for the NCRCG. These efforts, along with the exercises to test and train their use, are advancing preparedness by systematizing response.
The DHS is working to extend this coordinated preparedness to the private sector so it is clear how the government and the private sector will react to a cyber incident of national significance, such as a cyber attack or the cyber consequences of a natural disaster or physical attack. The private sector is well prepared for the typical kinds of attacks it sees every day. However, it is essential to enhance coordinated preparedness to respond to the most serious types of attacks, which have already been experienced or can be imagined, that pose great risk to our government and critical infrastructure.
As relationships and SOPs are built and enhanced, they continue to be tested through the regional and national exercise program. The first federally sponsored, national cyber exercise, Cyber Storm, was held in early 2005. This should provide many lessons from the input of the players who ran the spectrum of affiliations including international, federal and state governments, and a representation from the private sector. Coordination among federal and state government agencies and the private sector is the underpinning of each one of these efforts, to ensure the leveraging, sharing and collaborating needed to enhance coordinated preparedness. All aspects of building an effective cyber defense require this coordination, including situational awareness, attribution, analysis, response, and recovery.
Disruption and recovery
Planning for recovery is a complex issue when dealing with a nation as large as the U.S. Unfortunately, the DHS has had the opportunity to learn significant lessons from Hurricanes Katrina and Rita and other natural disasters. This has focused agency attention on trying to understand the IT impact of such natural disasters. This includes the need to back up systems and to have business continuity/disaster recovery plans in place in anticipation of major disruptions. With the increasing dependence on cyber resources, it is now essential that private networks and enterprises and government agencies plan effectively for what they will do to restore services after a disruption.
The National Recovery Plan (NRP) provides direction on a number of different subject areas. These include emergency support functions (ESF) for communications, for which the lead is National Communications System (NCS), also within the Preparedness Directorate of DHS. NCSD plays a supporting role in this effort. This previously was characterized as "telecommunications" but with technological advances, it is now "communications" and includes both telecommunications and IT that are related to communications.
Accordingly, ESF-2 encompasses recovery from communications disruptions caused by natural disasters or attacks of any kind. Although the NCS has significant experience working with the private sector to facilitate recovery of telecommunications, further consideration is being given to whether the IT portion of communications is adequately covered in the ESF-2 and/or whether SOPs are necessary to more comprehensively address IT issues. Questions may also be raised about whether IT disruptions affecting the private sector are appropriately and adequately covered in the current scope of the ESF-2. Some attention was focused on this issue during the Hurricane Katrina experience when the cell towers went down causing difficulties in communication and transportation and inter-agency dependency.
Regarding cyber Incidents of National Significance, the NRP addresses these in fairly broad terms in the Cyber Annex, mentioned briefly earlier when reference was made to the NCRCG that is the principal interagency mechanism to prepare for and respond to nationally significant cyber incidents. The roles of government and the private sector are laid out in very general terms in the NRP Cyber Annex, but subsequent work on the NCRCG CONOPS and SOPs is adding increased granularity and clarity to who will do what during a nationally significant cyber incident.
For the IT part of ESF-2, we are now exploring the possibility of building two major capabilities to improve recovery of critical systems in the face of a disruption. Also part of this inquiry is whether and how government systems, including state and local, emergency services, and first responders are to be included if such capabilities are built. One area for consideration is whether during a significant disruption there's a need for a clearinghouse for IT requirements. If a disruption occurs, such a capability would answer this often posed question: how do you make it easy for people that have problems, to articulate their requirements in a way that is meaningful and searchable, and match them up with entities that can meet those requirements? This dilemma arose in the aftermath of Hurricane Katrina. Accordingly, the need for such a clearinghouse and how it could be facilitated effectively is under consideration.
The second capability under consideration is whether there needs to be pre-cleared teams of IT professionals who - for a very brief period of time - can be brought into an area suffering a major disruption to help restore critical government and private IT systems. The thinking is that after a disruption, even if you can get all necessary equipment provided and delivered to the affected area with a clearinghouse capability, the question arises as to who will help get the systems back up and running.
Part of the exploration of the issues will be whether there must be a regional, local, or community-based approach to recovery that can do the requisite advanced planning necessary to expedite recovery. The idea being explored with the private sector is whether such regional planning should be encouraged so there is regional preparedness about how the region will communicate, deliver essential services, and get systems up and running in a crisis. In this chapter, we are exploring the IT piece of that equation.
Pursuit of these answers requires partnership with a number of DHS components to explore the possibility of creating locally organized groups representing federal, state, local, and private interests to prepare, in the manner of an individual organization, for business continuity and disaster recovery. How will they do it? What are their plans? By partnering with the private sector, it's easier to identify core requirements that must be met during a disruption. This could be facilitated by the development of templates for a clearinghouse function that also encourages local entities to form IT/telecomm teams who can respond during a disaster in their area, to help bring systems back on line.
These teams will know certain requirements, such as obtaining backup power for communications. They could then be made available to other communities who need additional assistance in a crisis. For example, these locally grown teams can be pre-cleared to help in another area that faces a major disruption that is too big a task for their own locally grown teams, such as the Gulf region after a hurricane. The area that has the disaster can report that they need a certain number and type of teams and could be matched up with these pre-cleared teams around the country, who could then be brought into the area for a short-term, SWAT-like effort to help get systems back up and running.
Another aspect of the National Cyber Security Response System effort involves trying to make sure that, where there is a potential DHS funding source for state and local government, first responders and emergency service personnel, we are reviewing available grant vehicles to make sure they facilitate funding key requirements for cyber security capabilities.
The case for best practices
Part of what we want to do is to identify and support implementation of best practices; this requires helping to make the business case for doing so. A tremendous amount of valuable work has been done in the best practices area. Many say that folks know what to do; they just need to be given the necessary resources. One down side of best practice efforts is that the sheer variety of best practices can diminish the clarity of communication and action. Therefore, one of the things that is being worked on through public-private collaboration is the development of cyber attack scenarios that can advance at least two complementary purposes:
* First, the identification of attack scenarios of a generic nature, and the capabilities needed by state and local government, emergency services, and first responders to mitigate their vulnerability to such attacks. These scenarios can be used in targeting grant dollars. These will supplement DHS' current 15 scenarios that serve those and other purposes in the (largely) non-cyber world.
* Second, the identification of those types of generic and other potentially high impact (including classified) scenarios that can be used to strengthen the business case for best practice implementation by key categories of cyber stakeholders (e.g., DNS server community, ISPs, root servers, data storage suppliers, etc.), to:
(i) Reduce the vulnerabilities associated with the particular attack scenario that is or may be uniquely important to that category of stakeholders, and to
(ii) Identify the capability that the particular category of stakeholder needs in the face of such an attack, to mitigate its impact or the duration of the disruption that it causes. Put another way, the scenarios may be able to showcase what those categories of stakeholders need to do to help reduce the vulnerabilities that may be exploited, and identify what specifically will be done if these kinds of attacks occur. These could be events, for example, like denial of service attacks, intrusions, or targeted attacks on the integrity of data that is critical to a sector or a cross-sectional system.
This may be, in essence, a way to leverage and strengthen the case for implementation of best practices that are recommended across the board. However, they have the added advantage of being developed where we could identify certain things that key stakeholders such as the ISPs, the DNS servers, the root server operators, critical infrastructure owners and operators, need to do in two major areas: the kind of vulnerabilities that need to be reduced in advance and how to respond and mitigate when these attacks happen.
There can be categories of measures or activities that enterprises need to accomplish that highlight best practices and put them in the context of particular kinds of scenarios that people have experienced, or know they could experience, to make it easier for non-experts to understand whether there are important gaps in resources to mitigate the most important risks. This kind of effort may make it easier to perform a gap analysis to highlight what needs to be done and to develop the business case for doing it.
The need for interpretive analysis
DHS is working with federal government agency first responders, the GFIRST community, and the ISACs, and more recently, with some of the representatives of the ISPs, in the private sector, to try to get a better handle on what kinds of raw cyber information and analysis needs to be shared and when. At one level, there is a lot of discussion about what the government needs, particularly because the government determines the threshold for triggering national cyber response coordination when there is a cyber Incident of National Significance.
There is a desire by some in the private sector for greater specificity attendant to these thresholds in the NRP, Cyber Annex or documents derived from that authority. On the other hand, it is clear among the ISPs that they handle numerous incidents every day. They see a tremendous amount of raw data, malicious activity, and other problems, so they are accustomed to managing incidents largely on their own, or on relatively rare occasions, by working with law enforcement.
Therefore, while ISPs want to know what information the government requires at certain pre-determined levels of seriousness, it is critically important for the government to know from them what they deem unusual. This includes problems that are not restricted to a particular network but are threatening multiple networks and those that appear to pose a potential threat to government systems and the systems of critical infrastructure owners and operators. The problem is the need to facilitate the sharing of raw information and/or analysis. This necessitates building trust relationships both within government and between government and the private sector.
As discussed above, in the context of the international tabletop exercise in Berlin that DHS participated in, we can't wait for a person, an independent company, an ISP, or a state government to report some malicious activity until they think it actually constitutes a cyber Incident of national (or international) significance. Many individuals within these groups can identify activity that, while it may not yet be obviously national in scope, it does pose a significant risk to significant systems. It is those lesser situations, which appear not yet to be of national importance, which may need some response, depending on the availability of information from additional sources that help enrich the situational awareness. In fact, those situations, identified from different entities, can be combined by centralized entities such as US CERT or the ISAC Council, which collects information from all the ISACs, and synthesizes it in a way that can facilitate the ability to respond and mitigate this kind of malicious activity before it becomes of national significance.
One of things being done on an international basis is sharing the analysis that comes from the end-of-day-shift reports from and between the analysts in the Australia, Canada, the U.K., and the U.S. They write up any unusual activity that they observed during their shift so that the next country in turn, and the other countries in this group, knows what is happening that is of concern. This model for the sharing of this type of analysis data should be encouraged, at least within trusted regional relationships. With such information in hand, if the country or the receiving entity sees malicious activity they can reach back to the source of the information and look for the particular data that corresponds to it to identify a connection or a signature in common, or a common source IP address, and so forth. It may then be identified as the type of activity that an existing tool or a newly fashioned tool can identify and mitigate.
There is another, long-term benefit to this model. For example, the end-of-shift or the end-of-day report attempts to determine the need to respond to some malicious activity, to reduce cyber risk. When combined, they provide an accumulation of activity that together with other information can generate a cyber risk or threat assessment and relevant information that can be shared with, for example, the antivirus community, so they can protect thousands from this particular variant. In some cases, this information may help law enforcement, the Intel community, or the CERT community identify the target of the malicious activity as well as the origin of its source and the vulnerabilities that are being exploited.
This can be applied to deriving potential fixes and follow-up activities such as providing simple advice about patches, notifying international or domestic law enforcement to go after the sources, or applying more proactive steps, such as an authentication or integrity system, to reduce the cyber risks by checking data integrity on an on-going basis. Another important activity is to ensure that the trend of the on-going malicious activity is subjected to an assessment to determine if it may have a significant impact beyond this specific occurrence. This entails looking to see if there is a common thread with other kinds of malware that are out there. A type of response loop is created involving the synthesis and collection of data from different sources that provides an indication of what the threat is, what the risk of that threat is, and who the players are, both for a particular incident and any broader area of concern, that may cut across numerous types of malicious activities.
This demonstrates the need for sharing raw cyber information among key U.S. entities such as US CERT, the multi-state ISAC, and the private sector ISACs, as well as other trusted domestic and international entities such as CERT-CC. This sharing requires a balancing of sorts, to get the right amount and the correct type and source of raw information and analytic reports, whether end-of-shift or end-of-day, on particular kinds of malicious worms or viruses. It also requires sharing the assessments of the risk and the threat, and deriving potential action plans that identify who needs to do what, in collaboration with whom, to try to put a stop to those who are behind that activity. In addition, it will enable attempts to reduce or eliminate the particular vulnerabilities that may give rise to the problem. Those are some of the factors involved in the imprecise weighing of what information is available and what information is needed.
Part of this effort requires working in close concert with the IT ISAC to notify them of what information is available at the federal level, what is being shared, how it is being shared, how timely it is, and what else needs to be shared and when. The complement to this is what the IT ISAC receives from the other ISACs, how much of that they provide to the DHS, and how that information will benefit the government and the private sector. The goal is to arrive at the point where the ISACs take a broader look, similar to the DHS, not only of what they have and what that are sharing, but also what else exists out there that is needed to paint a more robust picture of Internet health for the government, the private sector, critical infrastructure, and the control systems that cut across those critical infrastructures.
Another issue that is receiving increased emphasis is collaboration with those entities in the business of collecting, monitoring, receiving, and analyzing cyber information for profit. How can their capability be utilized in the short term while cyber situational awareness with owners and operators of control systems is being enhanced? What resources do they have that can meet the general need? It is important that the government shares information with internal and external communities that are in need of timely actionable information, to help protect them and reduce their cyber risk.
Proactive security systems
There has been significant progress made in the people, processes and technology components of cyber security. However, the technological advances of those whose objective it is to find and exploit vulnerabilities have also been quite significant. Projecting ahead, the time between a vulnerability being discovered and an exploit being readied has bee n reduced to near zero. In addition, some of these malicious activities can spread across the globe almost instantly and the ability for cyber criminals to develop targeted attacks improves on a daily basis.
However, the fact is that people will have to focus more on low and slow attacks than on the big massive ones, because it is these low and slow attacks that give malicious actors access to a system whenever they want to use it for malevolent purposes, such as the ability to compromise the data upon which critical infrastructure operations depend. Likewise, essential data backup processes can be at risk of exploitation, so that these presumably secure backups can be unknowingly compromised along with their ability to support recovery after a disruption. The need to be able to depend on the validity of the data can then become suspect, which can strike at the cornerstone on which information technology rests: data. If people's confidence in data validity gets chipped away or demolished - or essential data becomes unavailable - the entire network of networks may be in trouble.
The need to create proactive systems is likely to increase in priority. These technologies are envisioned to provide self-healing, at least in the sense of minimizing damage, checking the integrity of data and backups in real time rather than waiting until there is evidence of any kind of attack, and having the ability to automatically close off, hibernate, or create a shell of protection surrounding a system so that only essential ports, performing approved activities, are operating. The recent trend to go beyond perimeter defense to newer technologies such as those involving intrusion prevention and anomaly detection devices are part of this, as is the ability to examine software and make sure there are no vulnerabilities. The future will require these kinds of technologies and these systems and inter-connections, protections, precautions, and abilities to look for the unusual.
It is fundamentally important to advance identity management technology, because it is the underpinning of all other security efforts. This is especially true as we move toward biometrics and other ways of promoting more reliable and secure authentication. Vulnerabilities within those systems could cause huge problems that can't be anticipated. Therefore, they need to be protected and new types of technologies that can protect these systems will become increasingly important.
All of these factors have shifted the security paradigm well beyond the perimeter. The most important shift in security is in the need for technology, people, and processes to try and stay ahead of the emerging and evolving technology threats and the technologies that help propagate those threats.
Changing management attitudes
The need to alter managerial attitudes applies to both the people who supervise the IT professionals as well as the management of the IT professionals themselves. There is a need for the people who manage the IT professionals to be held more accountable if they either do not provide appropriate resources to meet the kind of best practices required of that particular agency or the ability to independently monitor and make sure that those kinds of practices are being followed. This is, essentially, a compliance approach to governance that requires that the right things are done, that the ability to independently check that they are being done is provided, and that it is easy for non-technical professionals to understand the requirements of IT systems, what the resources associated with those requirements are, and how these individual systems meet those requirements.
Managing the IT professional requires the ability to ensure that best practices are being complied with for high priority systems and data, and that independent auditing, testing, and compliance plans to facilitate the reporting of violations are in place. In addition, the insider threat must be addressed more systematically and comprehensively than in the past. Other issues that need attention are the integration of IT authentication systems and the physical security authentication systems, and the monitoring of security breaches of both.
Security breaches involving physical and cyber access need to be matched up to help identify improper use of both the physical facilities and the information technology facilities. It is important to track those violations, report them, and hold management accountable for maintaining reasonable numbers and levels of breaches, and enforcing appropriate discipline and escalation of the seriousness of sanctions for those who may violate the IT or physical security policies.
Consonant with the need to match up IT access and physical security access is the need to audit certain kinds of conduct. Perhaps most important to monitor are escalations of privileges. Monitoring any instance of escalating privileges is analogous to anomaly detection and requires the same kind of approach to be employed in tracking the conduct and exercise of privileges. This encompasses looking for anomalies in who is exercising what types of privileges, when, for what kinds of purposes, by whom, and for what kinds of conduct. Spot auditing will add to the effectiveness of this effort.
This is analogous to the universe of classified information. It is not enough to have a TS/SCI clearance; for certain kinds of information you still have a need to know. Unfortunately, additional resources are likely necessary to do this right. An added audit layer is required, because of the need to spot check who is doing what. Without these checks, malicious actors may be able to get away with escalating privilege with negative impacts. The idea is that meaningful security depends on meaningful audits and on security personnel aggressively enforcing rules on limitations on privileges. Also important are traditional information security principles, e.g. separation of duties, auditing where duties are supposed to be separated, checking connections, and rotating people.
The emerging threat of mobile workers
Employees that remotely access systems from their homes or other remote locations using home computers heighten the concern about the challenge of protecting core systems. There is an obvious security risk associated with remote access to corporate networks. Similarly, the use of wireless is a major security concern whether it is a formal part of the enterprise or entails wireless access via home computer to an information system.
Many of the types of activities that go unregulated at home are regulated, in fact or at least in theory, in the workplace. These include file-sharing activities, the filtering of incoming emails and suspicious attachments, the use of firewalls, and security settings. This generally heightens security issues normally associated with the workplace because of risky activities from remote locations.
A prevalent example of malicious code that can get into systems by such means includes spyware. Another similar threat is keystroke loggers that capture and dispatch login information, even via a VPN, into the corporate network or government network when someone is in those systems with permitted access.
The need for a compelling business case
An important, but often overlooked, major aspect of a business case for action is for managers performing risk assessment to clearly communicate to system owners the results of an assessment that prioritizes risk, as well as the specific risk mitigation measures that need to be taken.
First, determine the access rules and the existing limitations on certain types of conduct, or software and administrative privileges. Second, communicate those rules in a way that persuasively educates the user about what they are or are not allowed to do, and explain the resources in place to track access and conduct that is inconsistent with those rules. This is regardless of whether this conduct is a type of on-line activity, such as file sharing; surfing the web and accessing certain external web sites; opening unsolicited spam email; opening attachments that should not be opened; loading personal software directly; or downloading software into the organization's system.
Third, create a compliance structure with an audit system that makes it easy to track information systems, access privileges and physical environments. Monitor access privileges to make sure that the same people getting the physical access are using their own information systems access, to ensure that rules violators can be and are held accountable. Essentially, the aim is to ensure that good behavior is encouraged and bad behavior punished.
The ability to have effective authentication and non-repudiation helps create an environment, a business case if you will, for employees to realize that they do, in fact, have to take seriously the rules and regulations that have been articulated from above. Part of that compliance system is using the same kinds of mechanisms that exist in corporate compliance plans. Generally, those are intended to detect, deter and punish those who in their corporate organizational capacities commit crimes of one type or another. The company would have things like ombudsmen, toll-free lines for anonymous complaints, and a clear training program as to what is and is not required, what is expected, what is rewarded and what is punished. This is critical.
The business case is the argument for what is required in the system for effective security in pursuit of appropriate risk assessment and mitigation. There are frequent opportunities for managers to assess the risk of negative financial consequences, analogous to what DHS is trying to do in the National Infrastructure Protection Plan, which entails identifying the most critical assets of the organization and what are the threats and vulnerabilities to those assets, then assessing the consequences if those threats and vulnerabilities are exploited. Based on that risk assessment, managers can allocate their resources to mitigate the most significant risks that threaten the most significant operations and business practices of their enterprise.
The specifics, of course, depend on the nature of the company or the enterprise. Those that are involved in e-commerce, for example, may identity theft or data leakage. Wholesale data breaches can create a reputation risk that can destroy an organization or, at least, pose a significant negative impact on income, net worth, and stock price.
The stakes are high, which is why government and the private sector must work collaboratively to assess and mitigate cyber risk. This collaboration must include all activities that are related to preparedness from a cyber perspective. We must build a national cyber security response system that readily detects, responds and recovers from significant cyber attacks, or from the cyber consequences of physical attacks and natural disasters.
Andy Purdy is director of Cyber Security for the U.S. Department of Homeland Security. He can be reached at: [email protected]