At EPA, security is an inside job

'Getting good, honest people to pay attention to security is a real cultural battle.'

EPA's Mark Day

Agency uses software to nab biggest threat to security: employee hackers

For Mark Day, deputy CIO at the Environmental Protection Agency, the insider threat always looms large; largest, in fact.

'There's a growing outsider risk, but the predominant risk is still inside,' said Day, EPA's director of technology, operations and planning. 'Insiders have the greater privilege, greater potential to do damage, greater knowledge about where to do the damage, and the damage they can do is larger.'

A case in point: About six months ago, EPA officials nabbed an employee who had set up on the environmental agency's network a bogus account used in a hacking incident, Day said.

Using vulnerability management software from BindView Corp. of Houston, investigators determined when the account was established, who established it, how it was established and how it was misused, Day said.

Innocent mistake

A malicious insider exploiting an innocent mistake is generally the biggest threat, he said.

'Getting good, honest people to pay attention to security is a real cultural battle,' he said. 'The greatest difficulty is getting good insiders to pay attention to the innocent mistake.'

BindView's bv-Control tools let EPA security managers analyze technical settings on servers across agency networks for such mistakes or deviations from security standards.

'One of the great things about it is you can do that centrally,' Day said. 'You don't need to go out and install software on these remote devices to check them. You can apply a single set of standards across the entire agency.'

From the data, EPA officials generate quarterly reports for managers that assess security vulnerabilities and tell them what needs to be fixed to achieve compliance.

Targeted problems

'The report says, 'You had 10 deviations from the account-administration standard, and here are the 10 accounts that deviate.' They know which 10 to go fix,' Day said. 'They don't have to go wandering through hundreds of settings to find the mistake.'
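The reporting approach Day describes, one set of standards applied centrally to every server and a report that names the specific accounts that deviate, can be sketched in a few dozen lines. The code below is an added illustration, not BindView's bv-Control code or anything EPA runs; the account-administration rules, host names and scan results are all constructed for the example.

```python
"""Central compliance check: apply one standard to scan data from many hosts
and report which accounts deviate from it (added example; all data constructed)."""
import operator
from dataclasses import dataclass

# Constructed account-administration standard: (setting, comparison, required value).
# Not EPA's actual standard; chosen to show equality and range rules side by side.
ACCOUNT_ADMIN_STANDARD = [
    ("password_expires", operator.eq, True),
    ("password_age_days", operator.le, 90),
    ("lockout_threshold", operator.ge, 1),
    ("lockout_threshold", operator.le, 5),
]

OP_NAMES = {operator.eq: "==", operator.le: "<=", operator.ge: ">="}

# Constructed scan results, host -> account -> settings, as a central scanner
# would gather them without installing anything on the remote machines.
SAMPLE_SCAN = {
    "srv-region1": {
        "admin": {"password_expires": True, "password_age_days": 30, "lockout_threshold": 5},
        "svc_backup": {"password_expires": False, "password_age_days": 400, "lockout_threshold": 5},
    },
    "srv-region2": {
        "jdoe": {"password_expires": True, "password_age_days": 120, "lockout_threshold": 0},
    },
    "srv-hq": {
        "admin": {"password_expires": True, "password_age_days": 10, "lockout_threshold": 3},
    },
}


@dataclass(frozen=True)
class Deviation:
    host: str
    account: str
    setting: str
    required: str
    actual: object


def check_account(host, account, settings, standard):
    """Return every rule this account violates.
    A setting the scan did not report counts as a deviation: an unknown
    value cannot be assumed compliant."""
    deviations = []
    for setting, op, required in standard:
        actual = settings.get(setting)
        if actual is None or not op(actual, required):
            deviations.append(
                Deviation(host, account, setting, f"{OP_NAMES[op]} {required!r}", actual)
            )
    return deviations


def audit(scan, standard):
    """Apply one standard to every account on every host.
    Returns (list of deviations, percentage of accounts fully compliant)."""
    deviations, total, compliant = [], 0, 0
    for host, accounts in scan.items():
        for account, settings in accounts.items():
            total += 1
            found = check_account(host, account, settings, standard)
            if found:
                deviations.extend(found)
            else:
                compliant += 1
    pct = round(100 * compliant / total) if total else 0
    return deviations, pct


def build_report(scan, standard, standard_name="account-administration"):
    """Manager-facing summary: how many accounts deviate, and exactly which ones."""
    deviations, pct = audit(scan, standard)
    offenders = sorted({(d.host, d.account) for d in deviations})
    lines = [
        f"{len(offenders)} account(s) deviate from the {standard_name} standard",
        f"overall compliance: {pct}% of accounts",
    ]
    for host, account in offenders:
        lines.append(f"  {host}/{account}")
        for d in deviations:
            if (d.host, d.account) == (host, account):
                lines.append(f"    {d.setting}: required {d.required}, found {d.actual!r}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(build_report(SAMPLE_SCAN, ACCOUNT_ADMIN_STANDARD))
```

The report lists only the offending accounts and the rule each one breaks, which is the point Day makes: the owner of `srv-region2` learns that `jdoe` has a stale password and lockout disabled, rather than combing through every setting on the box. The compliance percentage is computed per account here; an agency report would more likely roll it up per host or per office, but the check itself does not change.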

EPA officials rolled out the system about 18 months ago and have seen compliance across the agency soar to 93 percent from 38 percent over the period, Day said.

EPA's initial investment in the system was about $1 million, including the cost of the software and staff time. Day estimates maintaining the system will cost about $100,000 annually, which he called a real bargain.

'It's an enormous educational tool,' he said. 'I could have spent millions of dollars on training and education and not gotten the same cultural change.'
