At EPA, security is an inside job
- By Richard W. Walker
- Jun 13, 2003
Agency uses software to nab biggest threat to security'employee hackers
'Getting good, honest people to pay attention to security is a real cultural battle.'
'EPA's Mark Day
For Mark Day, deputy CIO at the Environmental Protection Agency, the insider threat always looms large'largest, in fact.
'There's a growing outsider risk, but the predominant risk is still inside,' said Day, EPA's director of technology, operations and planning. 'Insiders have the greater privilege, greater potential to do damage, greater knowledge about where to do the damage, and the damage they can do is larger.'
A case in point: About six months ago, EPA officials nabbed an employee who had set up on the environmental agency's network a bogus account used in a hacking incident, Day said.
Using vulnerability management software from BindView Corp. of Houston, investigators determined when the account was established, who established it, how it was established and how it was misused, Day said.Innocent mistake
A malicious insider exploiting an innocent mistake is generally the biggest threat, he said.
'Getting good, honest people to pay attention to security is a real cultural battle,' he said. 'The greatest difficulty is getting good insiders to pay attention to the innocent mistake.'
BindView's bv-Control tools let EPA security managers analyze technical settings on servers across agency networks for such mistakes or deviations from security standards.
'One of the great things about it is you can do that centrally,' Day said. 'You don't need to go out and install software on these remote devices to check them. You can apply a single set of standards across the entire agency.'
From the data, EPA officials generate quarterly reports for managers that assess security vulnerabilities and tell them what needs to be fixed to achieve compliance.Targeted problems
'The report says, 'You had 10 deviations from the account-administration standard, and here are the 10 accounts that deviate.' They know which 10 to go fix,' Day said. 'They don't have to go wandering through hundreds of settings to find the mistake.'
EPA officials rolled out the system about 18 months ago and have seen compliance across the agency soar to 93 percent from 38 percent over the period, Day said.
EPA's initial investment in the system was about $1 million, including the cost of the software and staff time. Day estimates maintaining the system will cost about $100,000 annually'which he called a real bargain.
'It's an enormous educational tool,' he said. 'I could have spent millions of dollars on training and education and not gotten the same cultural change.