NIST takes its hits, will share security skills

NIST's Kathy L. Lyons-Burke says she was surprised but pleased to get congressional funding to help agencies help themselves on security.

A small human error in security awareness can undo massive technological safeguards, NIST's William O. Mehuron says.

The National Institute of Standards and Technology, overseer of federal security standards, tries to set a good example of online invulnerability and will share that expertise through a new audit service.

'We are under attack constantly,' said William O. Mehuron, director of NIST's Information Technology Laboratory. 'We're a research organization involved in computer security, but we're not a classified organization. We need very robust protection.'

Between May and July, Mehuron said, NIST's main firewall was scanned more than half a million times.

Although he considers it tempting fate to say so, 'our IT operations have never been defaced or disrupted.'

The main NIST firewall has backups: secondary firewalls to safeguard online financial activities and proprietary information belonging to industry partners, for example.

'We've taken certain precautions against tampering by having a public-access system outside the firewall,' he said. 'And we have pretty good security and awareness training, so people don't do dumb things. A small human error can set you up for problems.'

Because all openings are 'being constantly probed, you can't let your guard down,' Mehuron said.

'Hacking is a game for these people,' said Kathy L. Lyons-Burke, director of NIST's new computer security expert assist team. CSEAT went into action this summer to improve agencies' infrastructure protection and share security practices.

'It was kind of a surprise' to get a budget line item for CSEAT, Lyons-Burke said. 'We didn't expect Congress to give us the money.'

The first review started in June at the Federal Emergency Management Agency. Early last month, CSEAT delivered its first draft of findings.

Gordon Fullerton, engineering division director in FEMA's IT Services Directorate, called the 95-page report 'probably one of the best I've ever seen.'

CSEAT team members studied all the agency's computer and communications systems and IT-related personnel practices.

The team then recommended a list of actions that would give FEMA the most security for its money, Fullerton said.

Fullerton's staff will use the report, once complete, to brief upper-level managers and implement new security practices.

'We don't give a grade, and we don't break in,' Lyons-Burke said of CSEAT's approach. 'We apply consistent control objectives and criteria' across agencies and eventually will draw an overall comparative picture of federal security policies.

NIST's independent reviews will not duplicate the work of existing computer emergency response teams or of the Federal Computer Incident Response Capability, National Infrastructure Protection Center or Critical Infrastructure Assurance Office, Lyons-Burke said.

CSEAT will come in only at an agency's request or, for high-risk programs, with a push from the Office of Management and Budget.

Each review will produce high-level findings, a 'sanity check' of how well personnel understand policies, and a report with prioritized recommendations, she said. NIST requires agency feedback after 30 days and again after 180 days about which recommendations were followed and why.

Agencies can request a security review by sending e-mail to cseat@nist.gov.

GCN associate editor Patricia Daukantas contributed to this story.
