Agencies see better ways to manage IT

Scott Hill oversees the Treasury Department's effort to manage information from a vast network of security systems.

Olivier Douliery

GCN's Promising Practices program recognizes IT initiatives that work

The greatest security challenges facing IT administrators today are not intercepting viruses or blocking attacks but rather controlling the security infrastructure and managing processes.

As vulnerabilities and threats multiply, vendors have responded with a growing array of antivirus products, intrusion detection and prevention systems, virtual private networks, scanners and filters. The task, then, is to inventory network resources adequately and manage this patchwork of security tools so that agencies get full value and performance from them.

A roundup of promising security practices from federal, state and local agencies illustrates this trend. These 14 security initiatives were recognized at a recent GCN conference on cybersecurity held in Washington. Most of the programs below focus on solutions for managing security, networks and regulatory compliance processes rather than on implementing individual security tools. Here, alphabetically, is a quick look:

City of Fresno, Calif., on third-party developed solution

Challenge: How do you continue providing secure information services to city government in the midst of a staggering statewide budget deficit?

Solution: Open-source operating systems and applications available at little or no cost.

Using Red Hat Linux, the city eliminated operating system licensing costs for more than 20 servers. The Snort open-source intrusion detection system performs real-time traffic analysis and packet logging, and the Analysis Console for Intrusion Databases (ACID) processes the alert data Snort produces. Clam AntiVirus (ClamAV), distributed under the GNU General Public License, handles virus scanning, and Apache SpamAssassin handles spam.

The software was obtained at no cost to the city and resulted in a savings of more than $50,000 for Snort and ACID alone.

Defense, Defense Intelligence Agency on third-party developed solution

Challenge: How do you securely share intelligence data from a variety of classified and unclassified networks?

Solution: DOD Trusted Workstation.

The trusted workstation program, based on technology from Trusted Computer Solutions of Herndon, Va., is the product of a DOD Intelligence Information System team that had to overcome cultural as well as technical hurdles to information sharing. It lets DOD intelligence analysts view and share data across multiple classified networks from a single desktop.

Environmental Protection Agency accomplished through strong internal security management

Challenge: How do you better manage IT systems and monitor security risks?

Solution: IT Governance Support System (ITGSS) and Automated Security Self Evaluation and Remediation Tracking (ASSERT) tool.

ITGSS, developed by EPA's Office of Research and Development, is designed to handle collection, management and reporting of IT information and share the information with other tools supporting asset management, enterprise architecture and financial systems. It consists of a Web interface hosted on an agency portal.

EPA also developed ASSERT for assessing risks and enforcing corrective action. ASSERT is now a government off-the-shelf tool offered to other agencies. The General Services and Social Security administrations use it to meet FISMA requirements.

Along with ASSERT, EPA has started using scorecards to communicate security performance to management.

Homeland Security accomplished through strong internal security management

Challenge: How do you determine the criticality of information and IT systems and the level of security controls needed for each?

Solution: A security program that focuses on people and the decision-making process rather than on technology.

The security team uses a security requirements traceability matrix for each system, which is used for conducting required security compliance testing. Threat assessments are conducted based on the system operating environment and on internal and external threats, both natural and man-made. Vulnerability assessments are done with both manual checklists and automated scanning tools.

Homeland Security on third-party developed solution

Challenge: How do you automate reporting of complete and consistent information to the Office of Management and Budget, as required under the Federal Information Security Management Act?

Solution: Trusted Agent FISMA, a Web-based application from Trusted Integration Inc. of Alexandria, Va., provides a single point for data collection and reporting.

Rather than having staff gather unverified data manually in a variety of formats, the department enters data into Trusted Agent FISMA's database through drop-down menus that standardize format and content. TAF then generates the quarterly and annual FISMA reports automatically.

Senior DHS management can access a Digital Dashboard through the department's intranet to get up-to-date information on IT security status and improve compliance with federal mandates.


Information technology agency, Pentagon emphasizes certification and accreditation of systems

Challenge: How do you automate the DOD IT Security Certification and Accreditation Process for four different classifications of Pentagon networks and more than 100 systems?

Solution: IA Manager from Xacta Corp. of Ashburn, Va., an off-the-shelf product that guides analysts through the information gathering and entering process to produce the needed documentation.

Equipment lists are imported from a regularly updated spreadsheet, then tests are generated for each piece of equipment and a risk analysis process analyzes the results. A workflow tool can route information automatically to the appropriate officials.

Network Security Services-Pentagon has installed five production servers supporting 47 systems in 16 agencies. The first online accreditation submittal was in March.

Information technology agency, Pentagon on third-party developed solution

Challenge: How do you perform regular network discovery scans during peak periods, identifying all connected devices without affecting network performance?

Solution: IPsonar from Lumeta Corp. of Somerset, N.J.

An NSS-P Network Scanning Project selected IPsonar based on a one-time scan performed by Lumeta. The tool performs network discovery, identifying all connected devices, and a Network Leak Discovery feature checks that all traffic enters and exits the network through the designated control points and that unauthorized connection attempts are rejected.

Because it uses a lightweight discovery process, scans can be done in a matter of hours during peak traffic periods without consuming excessive bandwidth.


Interior, Bureau of Land Management on third-party developed solution

Challenge: How do you provide strong authentication for both network and access?

Solution: An enterprisewide e-authentication reference architecture.

The architecture includes strong authentication and a public key e-forms engine. The e-forms are incorporated into the secure IT infrastructure and support rapid development and deployment of secure business processes.

The software complies with OMB requirements for varying levels of assurance associated with both legacy and new IT systems.

Internal Revenue Service emphasizes certification and accreditation of systems

Challenge:

Solution: An IRS team developed a new certification and accreditation (C&A) process with help from other agencies and commercial consultants.

The process identifies, categorizes and defines the boundaries of IT systems and performs a risk management assessment of each. This creates a consistent and repeatable C&A process, and the results can be used to identify systemic risks.

The IRS has accredited 13 of its 30 general support systems and expects to finish by June.

Labor accomplished through strong internal security management

Challenge: How do you move from an F on the annual cybersecurity report card?

Solution: A collaborative computer security program supported by senior management in all DOL agencies.

Agency officials, the inspector general and CIO have established a departmentwide security subcommittee and created a set of common goals. A security manager was hired in 2001 to manage the program.

The program has resulted in consistent FISMA reporting and a B- on the 2004 cybersecurity report card.

State on third-party developed solution

Challenge: How do you monitor a worldwide network supporting 40,000 users to ensure compliance with enterprise security configuration standards?

Solution: Security Baseline Toolkit from ManTech Security Technologies Corp. of Fairfax, Va.

State Department posts use the Baseline Toolkit for scanning all elements of classified and unclassified networks. Mandatory quarterly scans were implemented in October 2004, and scans can be conducted remotely from Washington if necessary.

The toolkit has reduced the time needed to inspect a typical network from more than 600 man-hours to one or two hours, requiring no more than 15 minutes of an IT employee's time. It has eliminated the need for traveling teams of IT experts and provides a central repository of data for reporting and analysis.

Treasury accomplished through strong internal security management

Challenge: How do you manage security data generated for the government's largest secure private civilian network?

Solution: Develop a security information management (SIM) tool to process alert data from devices deployed throughout the WAN.

The Treasury Communications System has more than 5,700 circuits connected to 1,200 routers at 1,700 sites and supports more than 150,000 employees. The SIM tool correlates real-time alerts from intrusion detection systems and firewalls with vulnerability scan data, according to Scott Hill, the TCS information system security manager.

Active alerts can be correlated with historical data to eliminate false positives.
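The correlation described above, as an added illustration rather than Treasury's own SIM tool: an IDS alert is promoted when the latest vulnerability scan shows the target host actually has the vulnerability the signature exploits, demoted when the firewall already dropped the flow, and suppressed when the same source and signature have fired repeatedly in the alert history without ever hitting a vulnerable target. All host addresses, signature names, vulnerability identifiers and the 50-hit noise threshold are constructed for the example.

```python
"""Correlate IDS alerts with vulnerability-scan data, firewall drops and alert history.

Added example, not the Treasury Communications System's tool. Every record
below is constructed; the identifiers do not refer to real vulnerabilities.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Alert:
    ts: int            # epoch seconds
    src: str           # source address of the suspected attacker
    dst: str           # target host inside the WAN
    dst_port: int
    signature: str     # IDS signature name (constructed)
    vuln_id: str       # vulnerability the signature targets (constructed id)


# Constructed scan results: host -> vulnerabilities found by the last scan.
SCAN_RESULTS: Dict[str, Set[str]] = {
    "10.1.1.5": {"vuln-A", "vuln-C"},
    "10.1.1.9": set(),
}

# Constructed firewall drop log: (src, dst, dst_port) flows already rejected.
FIREWALL_DROPS: Set[Tuple[str, str, int]] = {
    ("198.51.100.7", "10.1.1.9", 445),
}

# Constructed 30-day history: (src, signature) -> times it fired against a host
# the scanner did NOT report as vulnerable to that signature's vulnerability.
NOISE_HISTORY: Counter = Counter({
    ("192.0.2.44", "scanner-probe"): 120,
})

NOISE_THRESHOLD = 50   # assumed cut-off for "known noise"


def prioritize(alert: Alert,
               scan: Dict[str, Set[str]] = SCAN_RESULTS,
               drops: Set[Tuple[str, str, int]] = FIREWALL_DROPS,
               history: Counter = NOISE_HISTORY) -> str:
    """Return 'critical', 'blocked', 'suppressed' or 'review' for one alert."""
    if alert.vuln_id in scan.get(alert.dst, set()):
        return "critical"      # exploit attempt against a host that really is vulnerable
    if (alert.src, alert.dst, alert.dst_port) in drops:
        return "blocked"       # perimeter firewall already rejected the flow
    if history[(alert.src, alert.signature)] >= NOISE_THRESHOLD:
        return "suppressed"    # recurring source/signature that never hits a vulnerable host
    return "review"            # not vulnerable, not blocked, not known noise: analyst decides


def triage(alerts: Iterable[Alert]) -> Dict[str, List[Alert]]:
    """Bucket alerts by priority so analysts see the critical ones first."""
    buckets: Dict[str, List[Alert]] = {
        "critical": [], "blocked": [], "suppressed": [], "review": []
    }
    for alert in alerts:
        buckets[prioritize(alert)].append(alert)
    return buckets


# Constructed sample alerts covering each branch of the decision.
SAMPLE_ALERTS = [
    Alert(1700000000, "203.0.113.5", "10.1.1.5", 80, "web-exploit-A", "vuln-A"),
    Alert(1700000010, "198.51.100.7", "10.1.1.9", 445, "smb-exploit-B", "vuln-B"),
    Alert(1700000020, "192.0.2.44", "10.1.1.9", 22, "scanner-probe", "vuln-D"),
    Alert(1700000030, "203.0.113.8", "10.1.1.9", 80, "web-exploit-A", "vuln-A"),
]

if __name__ == "__main__":
    for bucket, items in triage(SAMPLE_ALERTS).items():
        print(bucket, [a.signature for a in items])
```

The order of the checks matters: the vulnerability match is tested first so that a firewall drop or a noisy history never hides a hit on a host the scanner confirmed as exposed. In practice the scan data must be fresh enough to trust; a stale scan turns "critical" into a guess.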

USAID on third-party developed solution

Challenge: How do you scan your network for vulnerabilities and get actionable results?

Solution: Develop a grading system based on results from the nCircle IP360 Vulnerability Management System.

Before 2004, USAID conducted network vulnerability assessments once a month. Each assessment produced a deluge of results that were outdated before they reached administrators and included a plague of false positives. As a result, IT staff lost confidence in the program.

The agency wanted to implement a security program that graded each vulnerability. USAID selected the nCircle IP360 Vulnerability Management System from nCircle Network Security Inc. of San Francisco.

The nCircle hardware appliances continually scan the USAID network for vulnerabilities, and scanning is stepped up between the first and twenty-first of every month as the system develops security grades for the agency's assessment. Rather than labeling risks high, medium or low, the system assigns each vulnerability an integer score based on variables such as how long the vulnerability has been exposed and how easy it is to exploit.

USAID staffers now have a better picture of the agency's network security. Across more than 15,000 hosts worldwide, the average nCircle-derived security score, where lower is better, has dropped from 185 to 102, which USAID calls a high B.
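An added example of integer vulnerability scoring of the kind the USAID passage describes. It is not nCircle's algorithm, whose weights are not given here: the exploitability scale (1 to 4), the base scores, the 90-day exposure cap and the halving of local-only findings are all assumptions chosen for illustration, and the hosts and findings are constructed. What it shows is the property that made the grades actionable: each finding gets a number that grows the longer it stays unpatched, findings can be ranked, and a per-network average falls measurably when the worst one is fixed.

```python
"""Integer vulnerability scoring with exposure-time and exploitability weights.

Added example, not nCircle's IP360 scoring. Weights and sample data are constructed.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class Finding:
    host: str
    name: str              # vulnerability name (constructed)
    days_exposed: int      # days since first detected and still unfixed
    exploitability: int    # assumed scale: 1 = theoretical .. 4 = public, reliable exploit
    remote: bool           # reachable over the network without credentials


BASE_SCORE = {1: 10, 2: 25, 3: 50, 4: 80}   # assumed base by exploitability
AGE_CAP_DAYS = 90                           # assumed cap on the exposure penalty


def finding_score(f: Finding) -> int:
    """Base score for exploitability, plus one point per day exposed (capped),
    halved when the flaw is only exploitable locally."""
    score = BASE_SCORE[f.exploitability] + min(f.days_exposed, AGE_CAP_DAYS)
    if not f.remote:
        score //= 2
    return score


def host_scores(findings: Iterable[Finding], hosts: Iterable[str]) -> Dict[str, int]:
    """Sum of finding scores per inventoried host; clean hosts score 0."""
    per_host = {h: 0 for h in hosts}
    for f in findings:
        per_host[f.host] = per_host.get(f.host, 0) + finding_score(f)
    return per_host


def network_average(findings: Iterable[Finding], hosts: Iterable[str]) -> float:
    """Average host score across the whole inventory, clean hosts included."""
    scores = host_scores(findings, hosts)
    return sum(scores.values()) / len(scores)


def ranked(findings: Iterable[Finding]) -> List[Finding]:
    """Findings ordered by score, highest first: the work list for administrators."""
    return sorted(findings, key=finding_score, reverse=True)


def remediate(findings: Iterable[Finding], host: str, name: str) -> List[Finding]:
    """Return the finding list with one vulnerability removed, as a rescan would after a fix."""
    return [f for f in findings if not (f.host == host and f.name == name)]


# Constructed inventory: three hosts, one of them clean.
HOSTS = ["10.2.0.1", "10.2.0.2", "10.2.0.3"]
FINDINGS = [
    Finding("10.2.0.1", "old-remote-overflow", 120, 4, True),   # 80 + 90 = 170
    Finding("10.2.0.1", "local-privesc", 30, 3, False),         # (50 + 30) // 2 = 40
    Finding("10.2.0.2", "new-remote-dos", 2, 2, True),          # 25 + 2 = 27
]

if __name__ == "__main__":
    print("work list:", [(f.host, f.name, finding_score(f)) for f in ranked(FINDINGS)])
    print("average before:", network_average(FINDINGS, HOSTS))
    fixed = remediate(FINDINGS, "10.2.0.1", "old-remote-overflow")
    print("average after patching the top item:", network_average(fixed, HOSTS))
```

Averaging over every inventoried host, not only hosts with findings, is what keeps the number honest: a host that drops off the scan does not silently improve the grade, and a clean host pulls the average down exactly as it should.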

USPS on third-party developed solution

Challenge: How do you provide end-point protection on the world's largest intranet?

Solution: The Postal Service chose personal firewalls and intrusion prevention systems.

The personal firewalls and IPSes on 180,000 desktops and servers monitor inbound and outbound traffic, blocking more than 200 million external threats a month at the network perimeter and blocking virus and spyware traffic trying to leave the network.

Security updates are sent in a matter of hours rather than days. Software patches can be applied on a regular schedule.
