Security is like laundry; something always needs cleansing

By DENNIS M. BLANK | SPECIAL TO GCN

ORLANDO, Fla. - There would be martial law in the United States within three days if hackers could disable the banking and financial system through a coordinated attack, a top federal official warned.

'We cannot afford to let our dependence on automation become our Achilles' heel,' said Alan B. Carroll, who supervises the analysis and warning component at the FBI's National Infrastructure Protection Center. 'Our challenge is to button up the holes in our critical infrastructure, and believe me, there are holes.'

Government agencies, as well as companies and other private organizations, get hacked daily, Carroll said. 'Every time we figure out who the hacker is, where [the hack] came from and how to patch up the hole, a new hacking method springs up.'

When experts speak

Carroll was among the experts speaking last month to more than 1,000 investigators and information security system managers, including many from civilian and Defense Department agencies, at the InfoSec World Conference.

The FBI and other agencies are working to improve computer security for eight critical infrastructures: utilities, oil and gas, telecommunications, transportation, banking and finance, water, emergency services and government operations, Carroll said.

Problems extend beyond the nation's borders. Even though most of the security holes have been plugged against enemy attacks, some allied countries have been attempting to penetrate U.S. information systems as well, he said.

A strong vulnerability testing program can cut down on intrusions and track security improvements, said John Ray, NASA's information technology security manager.

A vulnerability testing program that the NASA Ames Research Center in Moffett Field, Calif., started in 1998 sharply reduced the number of system compromises to 10,000 networked computers, he said.

Agencies should identify target vulnerabilities, Ray said. They should keep reporting these weaknesses until corrective action has been taken and managers have signed off on the improvements.

A compromised system can result in lost productivity and a drop in customer confidence, and it raises liability issues, Ray said.

Arion Lawrence, technical director of the vulnerability assessment division at Predictive Systems of New York, said actions can be taken to prevent hacking of electronic-commerce sites. For sites that do financial transactions, invalid user IDs should be tracked for a certain number of bad log-ons and given an account lockout message.

'When locked accounts are reset, [agencies should] require new and different passwords,' Lawrence said.

User authorization should be checked for each transaction, he added, and Web applications should screen any extraneous user input.

'To secure your Web environment, don't focus just on the network infrastructure,' Lawrence said.
'Design security into Web applications during initial stages. Don't wait for an application assessment or audit or hacker to find these problems.'
