Security is like laundry; something always needs cleansing

By DENNIS M. BLANK | SPECIAL TO GCN

ORLANDO, Fla. - There would be martial law in the United States within three days if hackers could disable the banking and financial system through a coordinated attack, a top federal official warned.

'We cannot afford to let our dependence on automation become our Achilles' heel,' said Alan B. Carroll, who supervises the analysis and warning component at the FBI's National Infrastructure Protection Center. 'Our challenge is to button up the holes in our critical infrastructure, and believe me, there are holes.'

Government agencies, as well as companies and other private organizations, get hacked daily, Carroll said. 'Every time we figure out who the hacker is, where [the hack] came from and how to patch up the hole, a new hacking method springs up.'

When experts speak

Carroll was among the experts speaking last month to more than 1,000 investigators and information security system managers, including many from civilian and Defense Department agencies, at the InfoSec World Conference.

The FBI and other agencies are working to improve computer security for eight critical infrastructures: utilities, oil and gas, telecommunications, transportation, banking and finance, water, emergency services and government operations, Carroll said.

Problems extend beyond the nation's borders. Even though most of the security holes have been plugged against enemy attacks, some allied countries have been attempting to penetrate U.S. information systems as well, he said.

A strong vulnerability testing program can cut down on intrusions and track security improvements, said John Ray, NASA's information technology security manager.

A vulnerability testing program that the NASA Ames Research Center in Moffett Field, Calif., started in 1998 sharply reduced the number of system compromises to 10,000 networked computers, he said.

Agencies should identify target vulnerabilities, Ray said. They should keep reporting these weaknesses until corrective action has been taken and managers have signed off on the improvements.

A compromised system can result in lost productivity and a drop in customer confidence, and it raises liability issues, Ray said.

Arion Lawrence, technical director of the vulnerability assessment division at Predictive Systems of New York, said actions can be taken to prevent hacking of electronic-commerce sites. For sites that do financial transactions, bad log-ons should be tracked per user ID, and after a certain number of them the account should be locked and an account lockout message shown.

'When locked accounts are reset, [agencies should] require new and different passwords,' Lawrence said.

User authorization should be checked for each transaction, he added, and Web applications should screen any extraneous user input.

'To secure your Web environment, don't focus just on the network infrastructure,' Lawrence said. 'Design security into Web applications during initial stages. Don't wait for an application assessment or audit or hacker to find these problems.'
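The four controls Lawrence lists (lockout after a number of bad log-ons, a different password on reset, authorization checked on every transaction, and screening of unexpected input) as one small in-memory model. This is an added example, not code from the article or from Predictive Systems; the threshold of five bad log-ons, the transaction names and the PBKDF2 hashing are assumptions.

```python
import hashlib, hmac, os
from dataclasses import dataclass

MAX_FAILED_LOGONS = 5  # assumed threshold; the talk leaves the number to the site
ALLOWED_TRANSACTIONS = {"view_balance", "transfer"}  # allowlist used to screen input

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    roles: frozenset
    failed_logons: int = 0  # the account is locked once this reaches the threshold

class AuthService:
    def __init__(self):
        self.accounts = {}

    def create(self, user_id, password, roles=()):
        salt = os.urandom(16)
        self.accounts[user_id] = Account(salt, _hash(password, salt), frozenset(roles))

    def logon(self, user_id, password) -> str:
        acct = self.accounts.get(user_id)
        if acct is None:
            return "denied"  # same answer as a bad password, so the form confirms no IDs
        if acct.failed_logons >= MAX_FAILED_LOGONS:
            return "locked"  # the lockout message the talk calls for
        if hmac.compare_digest(_hash(password, acct.salt), acct.pw_hash):
            acct.failed_logons = 0
            return "ok"
        acct.failed_logons += 1  # bad log-ons are counted per ID, across sessions
        return "locked" if acct.failed_logons >= MAX_FAILED_LOGONS else "denied"

    def reset(self, user_id, new_password) -> bool:
        acct = self.accounts[user_id]
        if hmac.compare_digest(_hash(new_password, acct.salt), acct.pw_hash):
            return False  # same password resubmitted: a reset must use a different one
        acct.salt = os.urandom(16)
        acct.pw_hash = _hash(new_password, acct.salt)
        acct.failed_logons = 0  # unlock only after the password actually changed
        return True

    def authorize(self, user_id, transaction) -> bool:  # checked on every transaction
        if transaction not in ALLOWED_TRANSACTIONS:
            return False  # extraneous input is rejected before any account lookup
        acct = self.accounts.get(user_id)
        return acct is not None and acct.failed_logons < MAX_FAILED_LOGONS and transaction in acct.roles
```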
