The new administration must provide leadership to defeat a “clear and present danger.” My father often told me, you deserve what you tolerate. We all must insist on our president’s leadership in removing unacceptable cyber vulnerabilities. Each of us adds weight to this demand, but our CIOs, as the field officers on the front line against cyber attacks, are important to our 44th president in securing our IT infrastructure. The Center for Strategic and International Studies’ Commission on Cyber Security has provided recommendations the president can implement quickly, as well as strategic issues that must be addressed, but it is up to us to insist on presidential leadership and CIO generalship to protect our IT infrastructure. We do deserve what we tolerate and right now we are tolerating known IT vulnerabilities with clear and present danger.
Securing data as an asset is one of the most important functions mission managers and security staff can undertake. So I'm going to take this and the next three columns to explore this part of security.
For people with diverse perspectives who must come together to move along a shared goal or to accomplish a common task, some means of collaboration has always been essential. That’s why organizations, whether government or business, have so many meetings. But more and more, people are expanding the range of collaboration methods by using online tools designed to speed up and reduce the friction of getting to the goal. These collaborative processes might be transformational, but they are often inhibited by concerns for protecting data on the systems that house them.
Mission managers and IT security professionals alike share a concern that the information shared by group members must be protected from unauthorized access and modification. Many of the products for protecting user PCs or the network connecting them don’t meet the need for protecting data after it has been accessed and delivered to authorized people (or systems). It’s like I can keep a secret, but the other people in on the secret can’t.
Fortunately, there are technologies that give the capability to protect and manage data and individuals’ rights to access and modify it. Requirements for securing data as an asset include:
Most folks recognize that information is power. This power is also a source of great vulnerability if information is not protected. The use of enterprise rights management tools to manage and enforce information access policies is a key ingredient to safely sharing sensitive information among authorized collaborators.
The destruction of information security’s “Dr. No.” A four part series on transformation to Security 2.0
The IT communities in the federal government and corporate America have for too long relied on managers who always seem to say no to needed mission support technology innovation because of security concerns.
The nickname Dr. No arose for managers most effective at derailing technical innovations in the name of information security and configuration management. We need to transform Dr. No into a cyber warrior who can deliver rapid, secure mission data and facilitate collaborative information sharing.
Federal information security managers I’ve talked with are working harder than ever to use cyber security and configuration management to support missions that need flexible, collaborative access to information. The challenge is not balancing mission needs with IT security. It is leveraging IT security capabilities to enable Web 2.0 collaboration.
IT security can be a force multiplier to promote rapid, flexible sharing of critical information. Skip Bailey at the Bureau of Alcohol, Tobacco, Firearms and Explosives uses this analogy: “The primary benefit of better brakes on a car is to allow the car to go faster.” IT security should let you do more, not less.
Mary Ann Davidson of Oracle Corp. and Elad Yoran of Security Growth Partners penned an article, “Enterprise Security for Web 2.0” in the November 2007 issue of Computing. It discussed Security 2.0 in terms of securing all data, end points, networks and perimeters. My four part series on leveraging Security 2.0 for data, end points, networks and perimeters will continue Mary Ann and Elad’s discussion using your comments in the MeriTalk Water Cooler.
Collaborative web technologies might be just the tool the good guys need to strike back at hackers and cyber criminals who rob the internet of an essential quality - trust.
Rod Beckstrom, director of the National Cyber Security Initiative, discussed the problems associated with internet trust at our June advisory board meeting for the 2008 Symantec Government Symposium (http://www.symantec.com/symposium). Beckstrom pointed out that the internet "was founded based on trust, but that trust has been violated by hackers, criminals and terrorists."
The government and its contractors need to be aggressive in our response to those who violate that trust. We can expand on our traditional system protection planning by using Web 2.0 methods and sites - such as this one - to let thousands of people share proven IT security solutions.
The IT security risk management requirements I have worked with include the Special Publication 800-53 from the National Institute for Standards and Technology and the expanded control catalog from the Center for National Security Systems. These requirements comprised a framework for protecting agencies' mission-related information and for building trust relationships grounded in IT security protections.
Ron Ross and others from NIST have always been eager for feedback and for using it to improve NIST's special publications. Federal agencies - especially the Director of National Intelligence Certification and Accreditation transformation team - are major contributors.
I am suggesting we expand our defense work by extending our communications to thousands of people with Web 2.0, or collaborative, practices. We should add to the current policy discussion using MeriTalk as the medium for the thousands of people sharing risk management priorities, and implementation problems and solutions.
With online collaboration, the effective solutions could be improved and the weak ones exposed. Contributors could share sources with readers needing more information. You can already find NIST IT security publications on MeriTalk. (Here's an example.) I would like to see MeriTalk as part of a Web 2.0 transformational IT security movement.
What started as an easy way to share information and collaborate can be morphed into a powerful tool for collective action. Let's turn the tide against those who violate the trust on which the internet was founded.
Complex problems are best solved by using a series of simple, effective steps—an elegant solution. I am not talking about the dictionary definition of elegant. The definition I like: a simple solution that works.
A few years ago Staples launched its successful "that was easy" ad campaign. Bob West, then the chief information security officer at Homeland Security, adopted the "easy button" theme as a way to focus on accomplishing essential information security requirements.
The problem, of course, is that finding simple solutions that work can itself be difficult. Developing effective information security solutions requires collaboration among dedicated professionals, on a continuing basis. Problems today grow more difficult because our adversaries eagerly take advantage of open communications on the latest malware and cyber disruption techniques that fool people into giving up sensitive information or installing Trojan viruses and key loggers. These cyber terrorists share techniques and technology for doing harm more readily than we share them to prevent it.
Yet communications through technology user groups have been successful since the 1980s. There are advantages to fighting fire with fire. Ron Ross and others at the National Institute of Standards and Technology have implemented effective strategies that open up draft NIST standards for several iterations of public comment. These standards are an effective foundation set of information security requirements, because of the continuous industry and governmental collaboration with the NIST special publications.
Network defenders and IT operators are key players in identifying and sharing elegant computer security solutions. Collaboration brings more widely applicable solutions. My litmus test of a solution is the answer to this question: "Does it work effectively in all operational environments?"
Communication among network and system operators on system security needs and solutions can be an effective forum for Cyber SWAT (specialists with automated tools) teams. The law enforcement and intelligence communities are highly effective at identifying threats and the necessary solutions. Most often the solutions are basic IT security hygiene such as access control, patch management, secure configurations, application security, malware protection, and firewall and intrusion prevention. Government and industry sharing of solutions can be a powerful tool in developing and communicating solutions.