FISMA compliance falls short of adequate security
Evolving security threats render FISMA obsolete, inadequate
Security professionals will tell you that, compared with 10 years ago, government IT security practices are vastly improved. Back then, security was an ad hoc affair that varied greatly from agency to agency, and erecting a firewall was considered state of the art, if security was considered at all.
Now, driven by regulations such as the Federal Information Security Management Act of 2002 (FISMA) and the Defense Department's Information Assurance Certification and Accreditation Process (DIACAP), IT system security is a mandated focus for every agency, and each must adhere to a complex series of requirements.
It has become a very visible game of political football. Government executives do not want their agencies to receive a D or an F on the House Oversight and Government Reform Committee's annual FISMA compliance scorecard, which is compiled from data that agencies provide to the Office of Management and Budget.
Therein lies the main criticism that observers both inside and outside government have leveled at regulations such as FISMA: Agencies hustle to get as good a rating as they can each year, but even an A+ does not guarantee that IT systems are secure. A system that is compliant on the day the audit is completed may no longer be so the next day. All a FISMA compliance rating delivers is a one-time snapshot.
Compliance has become a seductive alternative to real IT security, said Rob Lee, a director at the information security consultancy Mandiant and the curriculum lead for digital forensic training at the SANS Institute. He was also a founding member of the Air Force Information Warfare Squadron.
“Compliance is very measurable and security is not, because it’s very easy to say this is how well we’re doing,” he said. “As a result, agencies almost have to become compliance driven rather than actually security driven.”
Compliance is the bed on which organizations fall when security fails, he said, “but it’s a very minimal standard. We can do so much better than that. But even reaching that minimum standard is a very complex process for a lot of organizations.”
OMB admitted in its recent fiscal 2010 report to Congress on the implementation of FISMA that this compliance mindset has been the controlling factor for FISMA over the years. FISMA has become just one more compliance exercise, related to but removed from the information security mission, the report said.
However, OMB also said that, as it became clear that compliance alone would never get the federal government to the right level of information security, many agencies started to develop new ways to protect their systems that often go well beyond what policy or regulation requires.
Other parts of the government have begun to pick up on these developments and move FISMA implementation toward the real-time detection and mitigation of security vulnerabilities, OMB said.
However, the government still has a long way to go to improve its security, even by the minimal standards that FISMA compliance sets. The inspectors general of the 24 federal agencies covered by the Chief Financial Officers Act of 1990 reported to OMB that only 25 percent of agencies were compliant in systems configuration management and only 21 percent in account and identity management. Weakness in those crucial areas leaves many government systems open to attack.
Changing long-held mindsets about security is the fundamental obstacle, said Prem Iyer, director of the information security practice at Iron Bow Technologies, an IT solutions provider based in Chantilly, Va.
“When we talk to government customers, we find, unfortunately, that there tends to still be a very reactive approach to security,” he said. “They tell us that they have to wait for an incident to happen, and then they’ll get the budget to go and procure a solution to help address it.”
Iron Bow Technologies tries to push those customers toward a holistic approach to security: moving from reactive to something more active and eventually to a fully optimized approach, Iyer said, as opposed to their current attitude, “which is very point-solution oriented.”
Meanwhile, the expanding universe of attackers is not waiting for government security to catch up. Both the number and the variety of attacks aimed at IT systems are increasing.
Incidents reported to the U.S. Computer Emergency Readiness Team (US-CERT) totaled more than 107,000 in fiscal 2010. That was down slightly from the previous year, but the number of incidents involving federal systems alone rose 39 percent compared with fiscal 2009, to nearly 42,000.
Introducing malicious code through multiple means, such as phishing, viruses and logic bombs, was the most widely used method of attack, accounting for nearly a third of the total incidents reported by federal agencies in fiscal 2010.
However, even those figures do not adequately describe what many observers see as the biggest threat to government systems: the advanced persistent threat (APT).
APTs are not that new. They have been seen in the wild for some years, and DOD in particular has been actively trying to develop defenses. But as some recent incidents showed — notably the Stuxnet worm that targeted various Iranian facilities in 2010 — these kinds of attacks have improved dramatically in terms of their sophistication and their ability to target individual systems and even pieces of data.
Stuxnet used a number of ways to get into the Iranian computers, including zero-day vulnerabilities and default passwords, and then stayed hidden for days while it sought out and damaged Iranian supervisory control and data acquisition (SCADA) systems.
But Stuxnet was actually an anomaly as far as APTs are concerned. Because it was designed to operate on systems that were not connected to the Internet, it had to carry in its own code everything it needed to inflict damage. It was that stand-alone status that made it vulnerable to detection.
APTs that attack Internet-connected systems do not need to do that. After the malware has gained entry to a system, which it can do by trying a dozen or more separate methods, it can lie in wait for days, weeks or months, surveying systems for potential exploits. When it finds one, it can establish a connection to the outside and download its payload by, say, getting a user to open a malicious PDF.
“The APT comes in there and suddenly they have system-level privileges,” Lee said. “Now [security people] say the APT must have X, Y or Z that can be detected, but I say that, if they use an exploit no one has seen before, we’ll never be able to detect it, and suddenly they’re no longer persistent on the machine itself because they want to protect their zero-day weapon.”
The government now faces attackers who are vastly more sophisticated and better funded than the lone individuals who were the main threat some years ago, who hacked for the challenge of it, to hone their skills or to opportunistically grab whatever data they came across.
That picture is now almost quaint. Today's hackers are basically employees of organized crime or work for other nations, said Shon Harris, president of Logical Security, a computer security consulting firm, and another former member of the Air Force Information Warfare Squadron.
Although it may guarantee that various security practices are in place, compliance with FISMA or other regulations is no match for adversaries of that caliber.
“We have a huge, false sense of security because we have our anti-malware, our personal and antivirus firewalls, and all these other defenses, but these only capture some 42 percent of the malware that comes into the system,” Harris said. “Government organizations can do every single thing right and still be compromised and not know about it.”