Government Digital Security Leaks, We Bleed
David Utter Staff Writer
2008-03-21
A glacial readjustment of security priorities from the evil-outsider model to the accidental internal leaker of data leaves federal resources playing a frantic game of catch-up.
The politically minded have plenty of venues upon which to heap their scorn of the current government. They focus on different issues, like Iraq and health care and an economy dependent on the foreign support of its native currency.
Be afraid, certainly, but consider that the problems run deeper yet receive little discussion. The boundless size of federal agencies presents a broad frontier for the bad guys to try to penetrate.
Our frontier appears to lack a sheriff, or anyone willing to take a bag of gold in exchange for defending the homestead from the evildoers.
GAO officials and security industry groups told a Senate Subcommittee the war goes poorly. GovExec.com said the Senate Homeland Security and Governmental Affairs Subcommittee on Federal Financial Management heard a grim assessment from one industry association:
"Quite frankly, the bad guys are winning," said Tim Bennett, president of the Cyber Security Industry Alliance. He added that attacks on federal networks were now occurring on a daily basis, and are now backed by large criminal enterprises and enemy states with tremendous financial resources. "This is warfare, and it needs to be stopped," Bennett said.
The issue of whether there are more attacks, or more reporting of attacks, seems irrelevant to us. Attacks are attacks. Security pros don't equivocate over number or nature of threats, as even the most benign incident could harbor the seeds for greater problems.
That apparently happened to the Department of Homeland Security, where unknowingly accepting Trojans into a network ended up with some 150 computers dishing out information to servers in China. Anyone who thinks there's no conflict with China as there has been no open declaration of hostilities need only recall September 11, 2001, to realize how quickly things can go from simmering anger to boiling-over hostility.
Though DHS deserves whatever bashing it receives, whether for spending $1.7 billion to safeguard systems ineffectively or for simply existing as a multi-billion dollar redundancy of the Department of Defense and other law enforcement agencies, they aren't the only big federal agency to suffer from data leaving their confines for remote servers.
Sadly, Fidelis Security VP of Product Management David Etue would not name the other agency, only saying "DHS is not alone in that." His firm looks at security from the inside out, what Fidelis likes to call extrusion prevention.
If you came along as a security pro and cut your teeth on Snort and other means of intrusion prevention, extrusion prevention represents a change in world view. Our interview with Etue reinforced the idea that outgoing information, whether an innocently emailed spreadsheet of sensitive data, or a Trojan sending files to a remote host, merits the attention today that intrusion attempts gained in the past.
Protections against access exploits and intrusions remain necessary, Etue said, but agencies need to take an incremental posture on identifying areas of concern, and addressing them.
The reason for this is that the majority of data leaving an agency isn't being sent away with malicious intent. Etue put it at roughly half and half between sending data in the clear to an otherwise vetted third party working on an issue (encrypt that email, folks) and transferring data to a consumer-oriented, non-government-owned service like a web-based email provider so someone can work on it from home.
Note to our friends working with nuclear details: please don't send that stuff to Hotmail, Gmail, Yahoo Mail, or any other consumer-based email service. We would like our Easter weekend to be radiation free.
Education presents challenges to agencies with thousands of employees. Etue said the ones he has observed try to do this, as part of the incremental building of security knowledge. We'll restate one important point here: don't click links or open attachments in suspicious email messages.
Still, the government is trying, which we hope means the White House understands that criminal and espionage activities online are just as bad as some villain running off with a satchel full of top secret documents from someplace like the Department of Energy.
Rod Beckstrom, creator of Twiki.net, joined DHS to run an interagency group that will bear responsibility for protecting government networks from attack. Brian Krebs at the Washington Post said no one is commenting officially on Beckstrom's role, including Beckstrom himself.
If he ends up doing more of the same in looking at the outside-in threat, rather than the inside-out dispersal of information that should not be leaving a dot-gov domain at all, Beckstrom's group won't help security one bit. So please, Mr. Beckstrom, figure out who and how presents the best opportunities for stopping sensitive data from going to some server run by a Beijing state committee or an Organizatsiya phishing cabal.
About the Author:
David Utter is a business and technology writer for SecurityProNews and WebProNews.