NSA cryptologist to feds: Use the security that's there
- By William Jackson
- Sep 11, 2002
NSA no longer stands for No Such Agency. National Security Agency agents came at least partway out of the closet to ask for help from hackers at the recent Black Hat Briefings in Las Vegas.
'We had our own closed world for a long time,' said Richard George, an NSA cryptomathematician. 'Now the government is playing a bigger part in security.'
For years NSA monopolized cryptography and discouraged commercial development, even as strong cryptography became a commodity in the 1990s.
Now, George says, 'I don't really see a downside' to government reliance on off-the-shelf cryptographic products. 'U.S. industry has done a phenomenal job of making these products available.'
George has worked for the past 32 years in NSA's Information Assurance Directorate or its predecessor groups. He is technical director of the Security Evaluation Group, which tests commercial products.
'I'm an old-time cryptie, and I don't think you can ever have too much security. You always need more,' he said. But an even greater need is for 'users who are aware enough of security to employ the technology that's available.'
Chris Mullins, compliance solutions director for BindView Corp. of Houston, said the foundation of an effective security program is policy, not products.
BindView announced Policy Builder, the first product in its Policy Center line. The Web-hosted Policy Builder software lets an agency custom-design a security policy from a library of best practices and incorporate its own existing policy. The security manager is guided through defining needs and objectives as well as proper configuration of specific hardware and software.
The interactive application produces a charter that an agency executive signs, giving a security officer the authority to enforce policy. It also can push the policy out to users and document their acceptance.
Policy Builder issues alerts about new vulnerabilities, tailored to the user's platform, and it regularly updates a library of best security practices. The service starts at $30,000 for three users who create, deploy and edit policy. But the product is not yet complete.
On the bright side
'The Holy Grail is to have it tell you if you are in compliance,' Mullins said. 'We're not there yet.' There is a checklist for technical compliance, however, and other BindView network management products can produce reports to compare against policy, he said.
Users have long called for software vendors to improve software quality and design in security, rather than fixing problems after the fact. But George said he is not optimistic that adequate security ever will be built in. New functions create new vulnerabilities, which will have to be patched later, he said.
George praised the IT industry for responding to the avalanche of reported security problems. 'The people I talk to seem like they care and are willing to fix the problems,' he said.
The challenge is getting users to install the patches, he said. Pushing fixes to systems is the only way to ensure they get installed, but doing so without thorough testing can cause problems.
'I think [agencies] should have a standard configuration,' George said, to ensure that patches could be pushed through with minimum risk.
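The reasoning in the last two paragraphs, that a fix can be pushed with minimal risk only to hosts that still match the standard configuration it was tested against, and Mullins' point that a compliance check comes down to comparing host reports against policy, is illustrated by the following added Python example. It is not code from the article, from NSA or from BindView; the standard configuration, the host inventories and the patch record are constructed sample data, and the function names are the example's own.

```python
"""Added example: gate a pushed patch on conformance to a standard configuration.

Hypothetical data model (not from the article): a "standard configuration" is
a mapping of package versions and hardening settings that every managed host is
expected to carry. Each host reports its own inventory in the same shape. A
patch is tested once against the standard configuration, so it is pushed
automatically only to hosts whose inventory matches that configuration; hosts
that have drifted are held for manual review, and hosts already at the patched
version are left alone.
"""
from typing import Any, Dict, Tuple

# Constructed sample of an agency's standard configuration.
STANDARD_CONFIG: Dict[str, Any] = {
    "kernel": "2.4.18",
    "openssh": "3.4p1",
    "sendmail": "8.12.5",
    "telnet_enabled": False,
    "syslog_remote": True,
}

# Constructed patch record: tested against STANDARD_CONFIG, moves one package.
PATCH = {"package": "openssh", "from": "3.4p1", "to": "3.5p1"}

# Constructed host inventories (what each host reports about itself).
SAMPLE_HOSTS: Dict[str, Dict[str, Any]] = {
    "ws01": dict(STANDARD_CONFIG),                          # exact match
    "ws02": dict(STANDARD_CONFIG, openssh="3.1p1"),         # older, untested build
    "ws03": dict(STANDARD_CONFIG, telnet_enabled=True,      # policy violation plus
                 mysql="3.23"),                             # an unlisted package
    "srv04": dict(STANDARD_CONFIG, openssh="3.5p1"),        # already patched
}


def drift(baseline: Dict[str, Any], inventory: Dict[str, Any]) -> Dict[str, Tuple[Any, Any]]:
    """Return {item: (expected, actual)} for every deviation from the baseline.

    Items the host lacks report actual=None; items the baseline does not list
    (software the policy never approved) report expected=None. An empty dict
    means the host is in compliance with the baseline.
    """
    diffs: Dict[str, Tuple[Any, Any]] = {}
    for key, expected in baseline.items():
        actual = inventory.get(key)
        if actual != expected:
            diffs[key] = (expected, actual)
    for key, actual in inventory.items():
        if key not in baseline:
            diffs[key] = (None, actual)
    return diffs


def host_action(baseline: Dict[str, Any], inventory: Dict[str, Any],
                patch: Dict[str, str]) -> Tuple[str, Dict[str, Tuple[Any, Any]]]:
    """Decide what to do with one host for a patch tested against the baseline.

    Returns ("push", {}) for a host that matches the tested configuration,
    ("already-patched", {}) for a host that matches the configuration the patch
    produces, and ("hold", diffs) for anything else, with the drift attached so
    the security officer can see why the push was refused.
    """
    if baseline.get(patch["package"]) != patch["from"]:
        # The patch was not tested against this baseline; refuse the whole plan.
        raise ValueError("patch does not apply to the standard configuration")
    patched_baseline = dict(baseline, **{patch["package"]: patch["to"]})
    if not drift(patched_baseline, inventory):
        return ("already-patched", {})
    diffs = drift(baseline, inventory)
    if not diffs:
        return ("push", {})
    return ("hold", diffs)


def plan_rollout(baseline: Dict[str, Any], inventories: Dict[str, Dict[str, Any]],
                 patch: Dict[str, str]) -> Dict[str, Tuple[str, Dict[str, Tuple[Any, Any]]]]:
    """Classify every host for the given patch."""
    return {host: host_action(baseline, inv, patch) for host, inv in inventories.items()}


if __name__ == "__main__":
    for host, (action, diffs) in plan_rollout(STANDARD_CONFIG, SAMPLE_HOSTS, PATCH).items():
        detail = "" if not diffs else " " + ", ".join(
            f"{k}: expected {e!r}, found {a!r}" for k, (e, a) in diffs.items())
        print(f"{host}: {action}{detail}")
```

The split between "push" and "hold" is the whole point of George's argument: a fix has only been tested on one configuration, so any host that differs from it, even by a single package version, gets a human look rather than an automatic push. The `drift` function doubles as the technical compliance checklist Mullins describes, since an empty result means the host matches policy.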