Obama administration aims for bottom-up approach to creating global standards for protection of IT and critical infrastructure.
The idea of locking down an agency’s network perimeter to forestall attacks on the infrastructure is shifting toward a focus on protecting the network’s end-points wherever they are and then on creating security around specific applications and data sets.
“The perimeter is going away, and the crucial protection must run to the end-point,” says David Graziano, manager of federal security solutions for Cisco Systems. Because workers don’t stay tied to a desk or an office as often, organized attacks focus more and more on specific targets and weaknesses that arise because of the increase in mobile users and the increasingly dynamic nature of the government’s networks, he says.
So what are some ways to focus more on the end-point? From a base-level perspective, the IT team needs to understand the agency’s computing assets so it can identify potential threats, rank them according to risk level and then shore up vulnerabilities one by one, Graziano points out. But that’s just the starting point.
Attacks are becoming trickier, and the research shows that they are not nearly so generalized. In some sense, they are “going underground,” says William J. Billings, chief security adviser for Microsoft’s U.S. Public Sector division, who was part of a recent security perspectives panel at Information Processing Interagency Conference 2008 in Orlando, Fla.
He points to a 9 percent decrease in vulnerabilities in operating systems last year but an accompanying rise in application weaknesses as a warning sign that agencies must look to the edges of their networks versus the core. Would-be attackers aggressively track application rollouts, and zero-day attacks have become extremely unique in nature; the targets tend to bedistinct and the motives much less random, Billings says. This means IT must change the priorities for where security attention is directed to meet the shift in how attacks are coming into networks.
A gap exists between policy and enforcement, says John McCumber, strategic program manager for Symantec. “Problems arise when people try to solve policy problems with technology and vice versa,” he says. Agencies can use tools such as firewalls, intrusion detection systems and virus scanners, but the technology tools won’t stop attacks or fix problems on their own. If you deploy products, make a comprehensive investment in policy and people, too, he says.
“The ability to enforce the policy is the most important thing you can do,” Graziano says.
Billings points to a pair of government tools to help close the policy-enforcement gap for most end-user systems: the Federal Desktop Core Configuration and the Security Content Automation Protocol.He says agencies should use FDCC to understand what’s on the network and then SCAP-enable machines to read devices and make sure they comply with the agency’s security policies.
Essentially, the security strategy must take a layered approach, Graziano says, that combinesa user-centric and data-centric view of security with the more traditional perimeter security tact.