Guidelines to standardize network security controls

Computer security professionals plan to release guidelines in the next six months instructing agencies to first fix vulnerabilities in federal networks that hackers are known to exploit most frequently -- a move that represents a significant change from current federal security policy.

The recommendation will be part of the Consensus Audit Guidelines, which will provide agencies a list of controls to stop or quickly recover from known attacks, as well as examples of real-world attacks, to educate agencies about the potential risk of not securing systems. The guidelines are being developed by top security analysts from industry and government, including the Defense, Energy and Homeland Security departments, the National Security Agency and the Government Accountability Office.

One of the recommendations is to concentrate on fixing those vulnerabilities that are most often exploited by hackers who want to gain access to federal systems. This move, security analysts say, will provide the most improvement in information security. "Let's figure out what are the vulnerabilities being exploited and fix those first," said John Gilligan, president of IT consulting firm Gilligan Group and former chief information officer at the Air Force. "There should be a focus in the investment on what delivers the greatest payout." He spoke on a panel at the Security 2008 conference in Washington, sponsored by 1105 Government Information Group.

The guidelines enable a "defense that is informed by the offense," said Alan Paller, director of research at the SANS Institute, a nonprofit cybersecurity research group based in Bethesda, Md. "Everything is important. But you need to address the known bads first, then move on to the hypothetical."

The strategy of focusing on known vulnerabilities was used to develop what eventually became the Federal Desktop Core Configuration, which all agencies must follow for computers running the Microsoft XP and Vista operating systems. To create the configuration, NSA conducted briefings with the Air Force on the attack patterns hackers used against the service's systems and found that 80 percent of the attacks were caused by incorrectly configured commercial off-the-shelf software. Defense established standard security controls for Microsoft operating systems to close the holes, and OMB later adopted the settings governmentwide in the desktop configuration.

The consensus guidelines will essentially apply the same process used to develop the desktop configuration to networks.

Fixing known vulnerabilities marks a significant change in federal security policy. The consensus guidelines will recommend agencies shift resources to implement and measure the effectiveness of the new controls -- including using automated tools -- and away from the certification and accreditation process required under the 2002 Federal Information Security Management Act.

The legislation requires agencies to identify and inventory IT systems, determine the sensitivity of information stored on systems, find holes that allow hackers access and deploy security controls. But many argue that agencies spend much of their IT budgets complying with the law, leaving little to pay for security practices that provide better results.

"FISMA's intention was good, but unfortunately, it's taken on a life of its own in how it's been implemented," Gilligan said. "The threats are increasing dramatically, and we need more focus. Right now, a good FISMA grade doesn't mean you are secure because FISMA is measuring artifacts."

Gilligan said the legislation was successful for directing more attention on information security, but it has been unsatisfactory in guarding networks from attacks. FISMA has had mixed results in providing security guidance to agencies and encouraging additional cybersecurity investments, he added.

"We're as vulnerable or more vulnerable than ever, and often we think we're better off than we actually are," Gilligan said.

The National Institute of Standards and Technology has published guidelines for implementing information security, but Gilligan said the recommendations are difficult to follow because they are too complex. The NIST risk framework, for example, includes more than 1,200 pages. "The reality is that it takes little talent to come in and find flaws," he said. "It's a target-rich environment."

Gilligan expects the Consensus Audit Guidelines to be available for public comment within six months. Once finalized, he hopes OMB will consider using them to measure how well FISMA has been implemented in agencies.
