Finding the Weak Links in Security
omeone tries to break into the computer networks at the Naval Surface Warfare Center between five and 50 times a day. Until now, the hackers have been mapping the center's networks and snooping around for unlocked "back doors." But, like their counterparts at many agencies, center officials fear the hackers someday may destroy data or compromise mission-critical applications on the network.
Almost every agency is under assault. Hackers reportedly attempt to break into Defense Department computers 250,000 times a year. Last year the Commerce Department found indications its internal network was being hacked. While Commerce was able to spot the attack and put a stop to it, other agencies weren't so lucky. Hackers vandalized Web sites at the Army, FBI, NASA, Navy, Senate and the White House.
Many other intrusions weren't made public. "The people who really get hammered tend to hush it up, lick their wounds and fix their networks," says Marcus Ranum, CEO of Network Flight Recorder Inc., a Rockville, Md., company that develops intrusion detection software.
With their systems under siege, information technology managers are frustrated and pleading for money. But buying new technology may not be the only answer. Good security begins with policy and management. Without proper security policies, staff buy-in and training, the best software in the world will get you nowhere.
Creating Security Policy
Jack Brock, director of the Government-wide and Defense Information Systems unit of the General Accounting Office, told Senators in October that agencies should conduct a risk assessment before creating any security policy. This is because there is no policy panacea; each government agency has its own data uses.
Roger Baker, Commerce Department chief information officer and co-chair of the Chief Information Officers Council's Security, Privacy and Critical Infrastructure Committee, agrees. "You've got to be aware of what you have to protect. Commerce's security needs are significantly different than those of the Internal Revenue Service or the Social Security Administration. For Commerce, the issue is not how to keep people out of information but how to keep it available," Baker says.
Installing robust protections for every system vulnerability isn't realistic. Even if the technology were available, it would cost a fortune and cut into user satisfaction. The challenge is to match protections with risks.
To assess risk, agencies should understand the relationships between processes and technologies. "Then you ask how an intruder, both internal and external, could exploit the network, either break in or bring it down," says Jeffrey Z. Johnson, CEO of Meta Security Group Inc., an Atlanta consulting firm. This lets agencies more specifically focus their security investments.
But policy development should not be overlooked in the rush to install technology. Security experts say any policy should be short and easily understood. "You need a security policy stating what employees can and can't do," says Greg Adams, vice president of technology at L-3 Network Security, a Denver company. "This takes honest people and keeps them honest." Security policy can include directives on password and access controls, dial-in rules, and file deletion and alteration.
Security policies are not optional. The 1987 Computer Security Act required all agencies to develop such programs. In Appendix III to its Circular A-130, the Office of Management and Budget gave agencies a list of dos and don'ts. And in 1998, Presidential Decision Directive 63 prescribed infrastructure protection measures.
"Policy is the cornerstone of building a secure infrastructure," says Rocco Youmans, network security services director for GTE Technology Organization's Federal Network Systems unit in Arlington, Va.
But the best-laid plans will go to waste if no one takes security seriously. Buy-in and training are key. "Often senior management doesn't understand the issues around security," says Ranum. He says managers often assume security is being taken care of, while the rank and file assumes that if security were a priority, management would let employees know about it.
Finally, agencies must make security part of daily existence. "Effective security strategy is like a good weight loss diet," says Mark Wood, manager of intrusion detection technology at Internet Security Systems in Atlanta. "It must become a way of life."
Security Technology
Where does this leave agencies when it comes to the plethora of security products on the market? If agencies determine their risk, then create policies based on both risk and internal business processes, their technology requirements should be obvious. But it is never this easy.
Agencies already possess a conglomeration of policies and technologies. Often, the technology strays from policy as systems are modified for various purposes. And "security technology is applied after the fact like a Band-Aid," says Ron Gula, president of Network Security Wizards Inc., an intrusion detection software firm in Columbia, Md.
"Historically people have focused on one aspect of security, whether it is at the perimeter or operating system level," says Wood. "Effective security policy is like a chain. One bad link and you can be compromised very easily."
Only a few years ago, agencies could simply control the few entry points to their networks. But today, there are too many of these to control. As agencies do more business electronically, outside traffic will necessarily be allowed further inside the network.
Experts now recommend a layered security approach that includes a firewall, intrusion detection software, vulnerability assessment tools, stronger authentication of network users, encrypted file transmission over the Internet and antivirus software at the desktop.
But perimeter defenses are still important. Today that usually means installing a firewall. A firewall controls the content of inbound and outbound network traffic, allowing only authorized traffic through its filters. A firewall typically sits at the point where an agency's private network meets the public Internet, but multiple firewalls placed strategically throughout the network are often recommended today.
Just installing the firewall is not enough. Administrators must take the time to configure and administer firewalls. "A firewall without the proper configuration doesn't protect you from anything," Baker says.
Firewall problems tend to arise when certain network services are exempt from firewall controls. For example, some or-
ganizations have set up Web servers inside their firewalls. Hackers can get access to the Web server and use it as a jumping-off point for their attacks. "Most firewall configuration problems fall into cases where somebody decided they would let some [network traffic] in without doing research on what the vulnerabilities are," Ranum says.
Not all firewalls are the same. Some provide stronger security, with correspondingly bigger price tags. Agencies needing even stronger protection should consider implementing intrusion detection systems (IDS). These are relatively new products whose sole purpose is to detect hacking attempts. Without IDS technology, it is difficult for agencies to spot hacker activity.
IDS comes in two flavors: host- and network-based systems. A host-based IDS resides on servers. It monitors actions at the operating-system level, so that unauthorized commands and changes in system software can be detected.
Network-based IDSs sit at various points on the network and monitor network traffic, searching for known hacking programs. Also, network traffic from abnormal network addresses will be flagged as suspects for further investigation. Hacking commands detected in this fashion can be stopped before they reach their intended targets.
One agency has created its own IDS. In 1996, the Naval Surface Warfare Center decided it needed a more robust security strategy and wanted to know what was flowing on its networks. It also wanted to establish a baseline of normal traffic. So it created the Secondary Heuristic Analysis for Defensive Online Warfare (SHADOW) software to monitor all network activity.
SHADOW is free for download at www.nswc.navy.mil/ISSEC/CID. "If you know what's going on in the network and see what [hackers] are doing to get inside, you can redirect the resources you have," says John Green, program manager and team leader for the center's SHADOW Team. "As new attacks become available to hackers, your posture and policy have to change and perhaps even your defenses."
Another technology that may help agencies patrol their networks is a vulnerability assessment tool, which probes networks for weaknesses, just as a hacker would. Vulnerability assessment is an ongoing necessity because network configurations can be changed inadvertently during day-to-day upkeep. Such changes may introduce entrances for savvy hackers.
A free vulnerability assessment tool, the Security Profile Inspector, is available. This software identifies common security problems like weak passwords and misconfigurations. It was created by the Computer Security Technology Center at the Lawrence Livermore National Laboratory. Federal agencies can download it from http://ciac.llnl.gov/cstc/spi/spi.html.
The next level of defense is at the desktop. Antivirus software has long been a mainstay of desktop security. It's still necessary, but it may not be enough. There is a new threat in the form of hostile code-small pieces of software downloaded inadvertently from the Internet or delivered via e-mail. This hostile code could do major damage to systems, although once again there is little evidence that this has happened. Viruses, meanwhile, are becoming stealthier and potentially more powerful.
An Israeli company, Finjan Software Inc., specializes in preventing outside code from changing or deleting anything on the desktop. Finjan's SurfinShield software uses desktop policies to prevent viruses and hostile code from sabotaging data.
The Inexpensive Approach
Buying and installing many network security products can be expensive. But it costs very little to publish policies and configure operating systems and network routers properly.
"If you configure your routers properly, you will knock off a large number of hacks," says Meta's Johnson. "You also must take advantage of access controls in the operating system. Make sure all unnecessary services are turned off and authentication turned is on." This eliminates unwanted back doors and requires identification through passwords.
The next step is to make sure employees follow security policies. "The bulk of security problems come from the inside rather than the outside," Baker says. He warns against giving employees access to systems they don't need to use. "With the Internet," he says, "the focus is on external hackers. But they don't know your internal processes and what type of valuable information you might have."
Even when the hacks come from the outside, "50 to 60 percent of hacks are nuisance attacks," Johnson says. But he cautions against taking even Web vandalism lightly. "What is a nuisance to some," he says, "is critical to others."
NEXT STORY: The Results Report