Justice's next level of protection

IT security program focuses on database vulnerabilities

Database security

Challenge: Getting the Justice Department's FISMA performance grade out of the basement requires tools to automate the compliance process as much as possible. Key to this is the ability to perform vulnerability assessments of critical IT systems and fix the vulnerabilities as they are found. What's more, Justice needs to document progress and processes for FISMA's certification and accreditation process.

Solution: Justice was already using tools to scan its network for holes and assess security configurations. Application security was the next logical step. The department began with an enterprise license for AppDetective, a database application security-scanning tool already in use by the FBI and the Office of Justice Programs. Administrators are now being trained on the new tool, which will be phased in across the enterprise.

Mission benefit: AppDetective automatically performs application discovery to identify database resources. It then performs penetration testing and audits to identify vulnerabilities. Problems are ranked according to severity, and the software provides information about fixes. Some fixes, such as closing down or changing default accounts and passwords, can be automated.

Lessons learned: It is still early in the implementation process, but introducing a new technology into the database mix will require care, said Dennis Heretick, Justice's IT security staff director. 'You have to work with the implementation to create a workable schedule.' You also should start small and grow, he said. Justice will begin with pilot projects and expand from there. 'Otherwise you make a lot of mistakes all over the place, rather than in one small area.'

That is what FISMA is all about. What are your weaknesses and what can you do about it?' Dennis Heretick, Justice Department

Zaid Hamid

A key element of the Justice Department's security program is managing vulnerabilities in its IT systems. According to director of IT security Dennis Heretick, when it comes to compliance with the Federal Information Security Management Act, this is even more important than implementing operational controls.

'Vulnerability management has been the emphasis of our program,' Heretick said. 'That is what FISMA is all about. What are your weaknesses, and what can you do about it?'

The department started with network and configuration scanning, using tools such as FoundScan from Foundstone Inc. (now a division of McAfee Inc.) and the open-source Nessus scanner, managed by Tenable Network Security Inc. of Columbia, Md. This year the department is expanding its scanning capabilities to assess application security, beginning with database software.

Two Justice offices, the FBI and Office of Justice Programs, already had been using the AppDetective scanner from Application Security Inc. (www.appsecinc.com) of New York. Other offices in the department were making plans to use it, Heretick said. 'We expanded that with an enterprise license' this summer, he said. 'We've started scheduling our training now.'

AppDetective is AppSecInc's flagship product. It is a network-based scanner that can work with other tools such as FoundScan, but it is specialized for identifying and fixing database'rather than network'vulnerabilities. Heretick said he had been aware from the beginning of the need for application-level assessments, but the network and security configurations came first.

'There is so much to be done, we had to prioritize,' he said.

AppDetective performs two primary functions: discovery and assessments.

'You need to know your inventory before you can secure it,' Heretick said.

Application discovery is more than a formality, even for databases that can cost up to $1 million a year to maintain, said AppSecInc's vice president of marketing Ted Julian.

'In almost any organization we are in, they usually find a significant number of databases they were not aware of,' Julian said.

Organizations change over time. People leave, and detailed knowledge of assets can be lost. Auditing organizations that keep track of resources tend to be centralized, while the rest of the enterprise is decentralized, allowing some valuable assets to fall into the cracks. But just because a database doesn't appear on an inventory list doesn't mean that it's an orphan. Somebody is usually maintaining the program, and it's likely to contain valuable data that requires protection.

Once an inventory has been created, App-Detective performs automated penetration tests and inside audits. Penetration tests are done from a hacker's-eye point of view, with no access privileges required for the device. 'If we can see it, we can assess it,' Julian said.

AppDetective also performs an inside audit of databases and their applications to assess security levels. The scanner supports most common databases, including MySQL, Oracle, Sybase, IBM DB2 and DB2 on Mainframe, Microsoft SQL Server, Oracle Application Server and Lotus Notes/Domino. The company recently announced it was seeking Common Criteria certification for the software through the National Information Assurance Partnership. Testing will be performed by Science Applications International Corp. in its Columbia, Md., lab.

AppDetective can run as a standalone product, with licenses costing $900 for each database scanned. For scaling in larger enterprises, the App- SecIncConsole provides centralized management and reporting for the scanner.

Reports rank vulnerabilities according to level of severity, with detailed information and links to vendor patches or data on workarounds. Automated routines are also available to fix common problems such as changing or shutting down default passwords and accounts. 'We build the scripts, and the administrators can plug in their own values,' Julian said.

The FBI and Justice programs began using the database scanner in 2004. Those infrastructures must have been more tightly managed than most, for few unknown databases were uncovered.

'I don't think there were any surprises,' Heretick said. 'There were vulnerabilities.'

AppDetective was able to spot them well enough to convince Heretick to get an enterprise license. He'll also be implementing the $10,000 console for management as AppDetective is rolled out through the department. As training on the scanner progresses, Justice will pilot it throughout the department.

Vulnerability scanning and assessment is not a one-time event. Because of the dynamic nature of networks and the time needed to correct problems, repeated if not continuous scans are necessary to keep track of vulnerabilities and track progress in remediation.

The ability to document remediation and security postures is helpful in meeting FISMA certification and accreditation requirements, Julian said.
Heretick said vulnerability assessments during system development will be valuable for creating secure systems.

Database application security is not the end of the security road for Justice, Heretick said.

'There are other things still on the radar, such as Web applications,' he said. 'The list of things you have to do never stops.'

He said work has begun on Web application vulnerability assessment tools, but nothing has been selected for an enterprise license.

About the Author

William Jackson is a Maryland-based freelance writer.

Stay Connected

Sign up for our newsletter.

I agree to this site's Privacy Policy.