Patch management: It's not sexy, but it can keep you secure
- By William Jackson
- Oct 19, 2009
When it comes to defending information systems, there is no silver bullet that will save administrators and security officials from the day-to-day work of managing system vulnerabilities and monitoring network activity.
“It’s not sexy,” said Mischel Kwon, who until recently was director of the U.S. Computer Emergency Readiness Team (US-CERT). “But the majority of our problems today are patchable.”
Even with the growing number of zero-day attacks and increasingly sophisticated threats built around social engineering, the existing base of known vulnerabilities for which patches are available still presents the largest and most frequently targeted attack surface. Reactive security standards that would require real-time network monitoring and response to attacks could help eliminate this soft underbelly of government networks, Kwon said.
Kwon, who also has been deputy director for IT security staff at the Justice Department, where she stood up the Justice Security Operations Center and was the lead for the Trusted Internet Connection, recently returned to the private sector as vice president of public security solutions at RSA, the Security Division of EMC. She spoke bluntly last week about the challenges of government information security, calling inadequately funded IT programs that do not incorporate real-world threat response “just yadda-yadda. That’s a lot of what we do.”
Unfortunately, these apparently simple solutions to IT security problems are not practical within current government architectures and resources, she said.
“There is no single federal civil [wide area network],” she said. There are more than 100 executive branch agencies with their own networks. The 12 Cabinet-level departments alone have the nation’s largest IT budgets, and each has at least 20 subagencies, many of them with their own networks. “It is very difficult to manage networks” in this environment.
The problem is compounded by the segregation of duties and budgets within enterprises, she added. Agency critical missions are being moved onto IT platforms, but those responsible for the missions are not responsible for IT security. Systems are not being watched for threats to the mission and infrastructure, and are not being refreshed and reauthorized as needed to respond to these threats.
The good news is that things are beginning to change, Kwon said. Agencies such as her old home, Justice, the State Department, IRS and the Federal Aviation Administration are consolidating WANs and setting up security operations centers.
At State, “they’re trying to take [the Federal Information Security Management Act] and make it actionable,” she said. It constructed a WAN with limited and trusted Internet connections before TIC was mandated. A department SOC does real-time monitoring of systems and works with the CIO to understand what is happening and to adjust security controls in response to attacks in a continuous life cycle of monitoring and response.
Another positive trend she sees is the government’s embracing of virtualization. Patching is complex and expensive, and putting resources on fewer pieces of hardware can help to simplify patching and configuration management through the life cycle of the system.
“The bad news is, they are not getting money for this,” Kwon said. Agencies have to ask Congress for additional appropriations to help make their systems more security-friendly. Here again, the segregation of business and IT missions makes adequate baseline funding more difficult to achieve.
Although government security awareness programs are improving, this is not a solution, she said. “We are making the same fundamental mistakes over and over again, relying on the user to fix things.” Security has to be baked into the IT architecture and its management.
William Jackson is a freelance writer and the author of the CyberEye blog.