    Top 10 Insights: Cybersecurity

    Survey of Government IT Execs Yields Top Ten Security Insights 

    By Barbara DePompa

    Government organizations face ongoing pressure to improve security to reduce risk and comply with regulatory mandates, although those efforts can quickly deplete constrained resources.

    Under a new presidential administration, federal agencies are clearly seeking new ways to integrate risk, compliance and security, to reduce both cost and complexity, while maintaining strong, secure, uninterrupted access to government resources and applications.

    A recent online survey of government IT executives conducted by the 1105 Government Information Group highlighted their top ten security priorities, not necessarily in order of importance, including:

    1) Twin Top Concerns – Intrusion detection and prevention (IDS/IPS) were the top priorities mentioned by 53% of the respondents in this survey. Luckily, both intrusion detection and prevention are also considered most likely to be addressed in the coming months, according to those respondents. While the biggest concerns mentioned revolved around intrusion detection, access control and identity management, both access control and identity management were listed separately in another part of the 1105 survey as the two key areas where agencies will most likely achieve success in the near term.



    Meanwhile, identity management tools, such as ID cards, readers and biometric technologies, were ranked in the top five among security investments to be made this year by 37% of survey respondents. Also expected to be important are investments in intrusion detection software, mentioned by 33% of respondents, and physical security investments to protect hardware and prevent intrusion, mentioned by 26% of respondents. Ultimately, survey respondents said that if government agencies can get these two areas properly secured, their efforts will go a long way toward having a lasting impact on improving security in all other areas of public sector operations.

    2) Rise of Staff Training in Cybersecurity – While fewer than 20% of respondents said they would turn to systems integrators or outside trainers, a whopping 60% said staffers would undergo security training in the coming months, according to the survey results. Respondents said training users and implementing stronger security procedures would be a top priority in 2009. In fact, training for agency personnel was ranked in the top five for security investments to be made this year by 37% of survey respondents. Clearly, respondents recognize the need to upgrade their employees’ security knowledge and practices, but evidently they expect to provide much of this training in house, since only 17% expect to hire integrators and only 22% expect to hire outside training providers.  “They may discover, as they get further into the process, that they need to re-think this strategy,” said Maxine Lunn, Director of Research for 1105 Government Information Group. 

    That’s because a lack of security awareness among employees can lead to leakage of classified or sensitive information, especially through personal emails and ‘social engineering’ schemes. Misconfigured systems also present vulnerabilities; misconfiguration can result from experimentation, accidental employee actions, allowing security fixes to get out of date and failure to periodically review policies.

    3) National Cybersecurity Initiative Still New – Although the overall concept of cybersecurity, very broadly defined, is definitely uppermost in respondents’ minds, as they mentioned it repeatedly throughout the survey, less than half were aware of the National Cyber Security Initiative. This initiative is part of the administration’s comprehensive Cyber Security Initiative. Administered by NIST, this initiative consists of three elements:
    a) Technical standards for generating, distributing, using, storing and destroying secret numbers known as cryptographic keys, commonly used to grant access to authorized individuals on encrypted computer networks and systems.
    b) Development of multifactor authentication methods that require users to verify their identities using multiple methods, such as passwords and iris scans.
    c) Extension of the Federal Desktop Core Configuration (FDCC), which is a set of standard security settings that optimize security across operating systems, applications and network devices.

    4) Migration To Trusted Internet Connections – The OMB’s Trusted Internet Connection (TIC) mandate was designed to reduce the number of Internet connections and provide secure IP portals for agency traffic to and from the public Internet. As government has come to rely on the Internet to provide services and enable greater mobility for public sector workers, an increasing number of Internet-based attacks has driven federal agencies to shrink the number of public Internet access points in the last year, from over 5,000 in 2007 to less than 100 by the end of 2010. Under the Department of Homeland Security’s (DHS) U.S. Computer Emergency Readiness Team (US-CERT) Einstein program, the federal government is addressing the detection of computer worms and anomalies in inbound and outbound traffic, the correlation and sharing of security information and risks, as well as providing real-time trends analysis and threat prevention guidance for all federal agencies.

    The TIC will help government organizations combat web-based attacks such as viruses, worms, denial of service attacks, web defacement and hacker penetration. For now, information assurance and cybersecurity remain critical priorities for all federal employees, who must share responsibility for protecting sensitive and classified information.



    5) Public/private collaboration to gain situational awareness – This is considered key by survey respondents. That’s because risks associated with not sharing information can lead to missing important clues about an impending attack that could endanger lives and national security. Survey respondents mentioned the National Cyber Security Center (NCSC), within the Department of Homeland Security (DHS), which will coordinate information from all agencies to help secure networks and systems and foster greater collaboration. The NCSC will monitor, collect and share information on systems belonging to NSA, FBI, DoD and DHS. Meanwhile, a Feb. 2009 DoD Directive (number 8000.1) highlighted how the primary challenge both within DHS and with external information sharing partners is creating a widely accepted process for sharing mission-relevant information, while adequately protecting that information. According to the DHS’s information sharing directive, key security components must include:
    *robust information protection and data security protocols that comply with applicable laws, regulations and agreements;

    *sufficient resources to train DHS personnel and the department’s information sharing partners in appropriate security requirements, protocols, practices, privacy and civil liberties standards; and

    *technological solutions that support the appropriate level of information and data security and commit sufficient resources to the electronic and physical protection of information media.

    6) The melding of physical and logical security continues – Of the overall cybersecurity priorities for each particular agency in this survey, the focus was on upgrading physical security, securing mobile devices and protecting critical infrastructure, which is seen as a reflection of the convergence of physical and IT security, according to the 1105 Government Information Group’s Director of Research.

    7) Managing the security of mobile devices – Mobile device security, especially the adoption of more and greater encryption technologies as well as stronger physical security measures, was another key area of importance, mentioned as a top priority by almost half, or 49%, of respondents. This is one area, however, in which those who responded to this survey were quite hopeful. A total of 33% said securing mobile devices was ranked in the ‘top five’ for agency security investments to be made this year. This is also the one component in which survey respondents expect to achieve security improvement throughout the rest of this year. “We’re quite confident we can address cybersecurity vulnerabilities in mobile devices in the short term,” said one respondent. One method picking up steam is the Secure Mobile Environment – Portable Electronic Device (SME-PED). Department of Defense personnel can now more securely access classified information systems, while away from stationary mediums. The SME-PED is designed to provide up to Top Secret voice and Secret data communication capabilities for users.

    Ultimately, industry observers maintain the key to securing handheld devices boils down to maintaining balance between security and usability. Agencies must remember mobile devices are tools to enhance communications and speed decision-making to improve responsiveness. There’s also a need to manage constrained resources for battery power and CPU performance. Running multiple advanced security tools can drain power from these devices in hours rather than days.

    8) Protecting critical infrastructure – Another top-ranked problem, according to respondents, was the need to protect against cyber attacks on critical infrastructure, including the supply chain, power supply, utilities and biohazard monitoring, among other related infrastructure concerns. This was mentioned by 42% of respondents as a primary area of emphasis for government. This is because government systems and networks have been increasingly targeted by foreign nations seeking intelligence, such as China and Russia, as well as criminal groups and individuals who may want to disrupt power, communication or financial systems. Some attackers are less interested in stealing data than in undermining a system’s ability to operate by planting software that could slow critical networks in emergencies. Security industry observers also warn users to look out for phishing, in which seemingly legitimate e-mails solicit sensitive information, and ‘web redirects,’ which direct a computer to a website where it downloads malicious software. According to reports, attacks now penetrate IT systems without impairing them, primarily to siphon out sensitive information without detection. One respondent said of this challenge, it’s important to “keep essential computers off line, completely disconnected from cyber access. This is obviously not 100% possible, but can prevent a significant amount of intrusion,” he explained.

    Another stressed the need for better emergency preparedness, response and recovery, via tabletop training exercises. Ultimately, survey respondents stressed that implementing procedures to protect against threats propagated through the Internet was of paramount importance.

    9) Securing the clouds – Networks, virtualized infrastructures and cloud computing environments were mentioned by more than a third of respondents as three key and growing areas of concern that have yet to be properly addressed. While cloud computing has been widely touted as the next big thing, most industry observers caution against making large investments quickly, citing security, availability and possible cloud ‘location’ problems that will require further vetting. Also, providing the required level of information protection will likely force cloud computing suppliers to increase the complexity of cloud solutions, which may also reduce some of the flexibility, scalability and accessibility inherent in current cloud solutions. As one respondent put it, “the difficulty is that hackers evolve with the times. They constantly find new methods and techniques to overcome existing security features. Network security is usually in a constant state of playing ‘catch-up.’”

    Perhaps this is why industry observers maintain that it’s best to view a virtualized architecture in the way an attacker would. To follow ‘best security practices,’ operating systems and applications running on virtualized servers must be secured in the same way as traditional physical servers. Administrators must have a process and plan for securing storage, staging, deployment, backup, snapshot and the patching of virtual machines. Each of these processes must be secured and tested for security compliance.

    10) More Organizations Rely on Chief Security Officer – The rise of the Chief Security Officer (CSO) was evident, as 87% of respondents said their agencies have named a CSO, underscoring the steady increase since Congress passed the 2002 Federal Information Security Management Act, which tasked the OMB and the National Institute of Standards and Technology with leading this effort. CSOs report to agency chief information officers, whose top priority is also cybersecurity. The CSO’s job is to provide the overall leadership, strategic planning and vision for an effective cyber security program within an agency or department. To be empowered in any government organization, industry observers maintain that the CSO must be successful in convincing agency leadership of the importance of security.