February 24, 2009
Have you ever been sucked into the false debate over how much IT spending should go to security? I used to be all the time. Some folks point to a rule of thumb that goes something like “ten percent of the IT budget should be applied to security.” That old school formula may well be part of the reason we got into the mess we are currently in. It reinforces the idea that security can be separated from the rest of IT. By my way of thinking, 100% of the budget goes to security and functionality, and that is the calculus.
Really, security is about ensuring information confidentiality, availability and integrity. And those constructs are totally connected to the functionality of IT. I try whenever possible to use the terms security and functionality in the same context just to underscore that point.
For example, the goal I continually push regarding security in the federal space is not just one dealing with security. I put it this way: “Security and functionality of all federal IT will be increased by two orders of magnitude in the next 24 months.” Putting the goal this way also underscores that it is not security vs. functionality. Both need to increase.
This goal also cries out for the need for metrics in security and functionality. For functionality there are many customer-focused survey methods that can help collect the right metrics. For security, I think one metric stands out above all others: detected unauthorized intrusions. There are many other important metrics for other dimensions of the security problem, but that one is key. So, a goal that expects both security and functionality of federal enterprise IT to improve by two orders of magnitude will expect customer survey satisfaction to go through the roof, and will expect detected intrusions to drop significantly. If there were 50,000 detected intrusions in 2008, there should be less than 5000 in 2010.
That is a dramatic goal. What makes me think it is achievable? In part the dramatic action being put in place today in the federal space. And in part by dramatic new technologies and approaches like private clouds and thin client computing and enhanced identity management and authorization methods. But of more importance and more relevance than all of that, in my opinion, is the coordinated action and leadership underway by CIOs and CISOs and the security experts in the federal space today.
As evidence of this incredible positive action I’d like to bring your attention to a release by a Consortium of US Federal Cybersecurity Experts on Consensus Audit Guidelines. Details of this effort are at http://www.sans.org/cag/
The Consensus Audit Guidelines provide the twenty most important controls and metrics for effective cyber defense and continuous FISMA compliance. These controls and metrics include:
Critical Controls Subject to Automated Measurement and Validation:
- Inventory of Authorized and Unauthorized Hardware
- Inventory of Authorized and Unauthorized Software
- Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
- Secure Configurations of Network Devices Such as Firewalls and Routers
- Boundary Defense
- Maintenance and Analysis of Complete Security Audit Logs
- Application Software Security
- Controlled Use of Administrative Privileges
- Controlled Access Based On Need to Know
- Continuous Vulnerability Testing and Remediation
- Dormant Account Monitoring and Control
- Anti-Malware Defenses
- Limitation and Control of Ports, Protocols and Services
- Wireless Device Control
- Data Leakage Protection
Additional Critical Controls (not directly supported by automated measurement and validation):
- Secure Network Engineering
- Red Team Exercises
- Incident Response Capability
- Data Recovery Capability
- Security Skills Assessment and Training to Fill Gaps
The site at http://www.sans.org/cag provides more details on each, including detailed descriptions of the controls, how to implement them, how to measure them, and how to continuously improve them. The site also spells out the fact that this is a work in progress and processes are in place to ensure this great effort remains relevant and maximizes our ability to protect ourselves.
What should CTOs think about this guidance? As for me, I most strongly endorse it. In my mind the appropriate implementation of these controls will reduce unauthorized intrusions in any enterprise.
The deeply respected community leader Alan Paller said it this way:
“This is the best example of risk-based security I have ever seen,” said Alan Paller, director of research at the SANS Institute. “The team that was brought together represents the nation’s most complete understanding of the risk faced by our systems. In the past cybersecurity was driven by people who had no clue of how the attacks are carried out. They created an illusion of security. The CAG will turn that illusion to reality.”
Please give these controls a read, and please help get them into the hands of the security and functionality professionals in your enterprise.
Posted by Bob Gourley
February 11, 2009
Michael Tanji brings a perspective forged in years of intelligence work and a successful stint protecting information in the financial sector. He is a well-published author who focuses on national security issues and is also a thought leader in the computer security domain.
At Haft of the Spear he writes primarily about technology-related/enabled national security issues, which includes a heavy dose of information warfare.
Read HOTS at: http://haftofthespear.com/
Next week I write about Nicholas Carr and his Rough Type blog.
Posted by Bob Gourley
February 5, 2009
For enterprise technologists and national security professionals and most of all for those who fit both of those descriptions, please check out Johns Hopkins University’s 2009 Unrestricted Warfare Symposium at: http://www.jhuapl.edu/urw_symposium This symposium seeks to advance our understanding of and solutions for some very complex problems related to our nation’s defense. I’ll be speaking on a panel at the conference (on issues of cyber war and cyber defense) and hope to see you there.
The following is from an e-mail from Dr. Ron Luman (Johns Hopkins University Applied Physics Laboratory National Security Analysis Department Head)
National Security Community Colleagues:
This is a reminder that the Johns Hopkins University’s 2009 Unrestricted Warfare Symposium will be held 24-25 March 2009, and I encourage you to register now at http://www.jhuapl.edu/urw_symposium/.
The fourth annual symposium is in Laurel, MD at JHU’s Applied Physics Laboratory (APL), and is jointly sponsored by APL and the Paul H. Nitze School of Advanced International Studies (SAIS). Last year more than 300 participants from government, industry, and academia interacted with distinguished speakers and expert panelists who addressed national security issues from three perspectives: strategy, analysis, and technology. In 2009, this uniquely synergistic approach will be applied to the challenge of identifying interagency imperatives and capabilities.
The symposium presentations and panels are organized around four potential unrestricted lines of attack – cyber, resource, economic/financial, and terrorism. We’ll begin each session with a discussion of the potential for such attacks and then expert roundtable panelists will discuss imperatives for interagency action, offering ideas for enhancing interagency capabilities. A fifth session will focus on the role of analysis in identifying and assessing interagency approaches for preventing and combating these types of attacks.
I am particularly pleased that The Honorable James R. Locher, III, Executive Director of the Project for National Security Reform, will open the symposium as our keynote speaker, providing the Project’s timely findings and recommendations for interagency reform. Throughout the two days, featured speakers and distinguished panelists include: Dr. George Akst, MCCDC; Mr. Eric Coulter, OSD(PA&E); Dr. Richard Cooper, Harvard University; Dr. Stephen Flynn, Council on Foreign Relations; Representative Jane Harman; Professor Bruce Hoffman, Georgetown University; Professor Michael Klare, Hampshire College; Dr. Michael Levi, Council on Foreign Relations; Dr. Matthew Levitt, Washington Institute; Dr. Pete Nanos (DTRA); Mr. James Rickards, Omnis, Inc.; Mr. Frank Ruggiero (Department of State); Dr. Khatuna Salukvadze, Georgian Ministry of Foreign Affairs; Mr. Dan Wolf, Cyber Pack Ventures Inc.; Mr. Bob Work, CSBA, to name a few.
The attached announcement identifies confirmed speakers and other essential information. We encourage dynamic networking, and to facilitate audience participation, we will again be utilizing electronic groupware to collect comments, insights, and questions. The collection of papers and transcripts of discussions will again be published as Proceedings, in both hard copy and electronic form. The 2006 -2008 Proceedings, the current agenda/speakers, and 2009 registration details can be found at the symposium website: http://www.jhuapl.edu/urw_symposium/.
Your experience in national security and defense will contribute unique perspectives and challenging questions to our understanding of Unrestricted Warfare, and I look forward to seeing you next month.
Best regards,
Ron Luman, General Chair
I hope to see you all there.
Symposium Attachment:
URW2009Flyer 4Feb-1.pdf
Posted by Bob Gourley
October 20, 2008
This is an update of my now annual assessment of the future of technology associated with good and evil in cyberspace, which was first posted here.
Predictions of the future of technology are increasingly starting to sound like science fiction, with powerful computing grids giving incredible computational power to users and with autonomous robots becoming closer and closer to being in our daily lives vice just in computer science departments. Infotech, nanotech and biotech are fueling each other, and each of those three dominant fields is generating more and more benefits that impact the others, propelling us even faster into a new world. Depending on your point of view, the increasing pace of science and technology can be good or bad. As for me, I'm an optimist, and I know we humans will find a way to ensure technology serves our best interests.
Posted by Bob Gourley
October 14, 2008
Below I'm going to post, in its entirety, the text of an e-mail I received from the ODNI notification service. The subject is an op-ed written by Melissa Hathaway, a senior leader who has been spearheading significant coordination action in the federal government (opinion: Melissa is perhaps the most effective SES-level leader in the US government today, IMHO).
I wanted to post this in totality for a couple of reasons. One is that it is something all of us should read. Although I believe most readers of this blog will find no surprises in this op-ed, Melissa has a real talent for capturing information in easy-to-understand ways, and I think we can all borrow lessons from the way she explains things.
Posted by Bob Gourley
October 13, 2008
There are some interesting analogies between performance management applied to organizations and performance management applied to computers.
In both cases, performance metrics are crucial to success. In organizations, what we reward gets measured, and what gets measured can be more efficiently and effectively done. In our computers, what we decide is important gets measured, and those measurements can help us drive to increasingly effective and efficient performance.
Posted by Bob Gourley
July 11, 2008
In January 2008 I was named to the advisory board of Triumfant, a company that has mastered the automated detection and resolution of IT problems. Of all the IT firms I’ve seen, they are the ones with the most comprehensive approach to automated resolution management and the only one I’ve seen that can automate the entire lifecycle of IT problem management, from identification to resolution.
I recently read some very exciting news about Triumfant. They have just signed a partnership agreement with one of the largest suppliers of computers to the federal government: computer giant Dell Inc. Triumfant software will be sold pre-installed on Dell computers to federal customers running Microsoft Windows XP and Vista.
I take this as a huge endorsement of the Triumfant approach of automated process monitoring and IT compliance enforcement. This agreement between Triumfant and Dell is also great news for enterprise CTOs and other technologists who must meet the mandate of the OMB’s Federal Desktop Core Configuration (FDCC).
Posted by Bob Gourley
April 23, 2008
The Department of Homeland Security has released a blueprint for the enhanced protection of federal networks against cyber attacks. A factsheet for this effort is available here.
Here is a summary of that summary:
It declares a policy: "It is the policy of the United States to prevent or minimize disruptions to our critical information infrastructure in order to protect the public, the economy, government services, and the national security of the United States."
It formally announces a Presidential Directive: "On January 8, 2008, President Bush approved National Security Presidential Directive 54/Homeland Security Presidential Directive 23, which formalized a series of continuous efforts designed to further safeguard Federal Government systems and reduce potential vulnerabilities, protect against intrusion attempts, and better anticipate future threats."
Posted by Bob Gourley
March 23, 2008
I recently read some GREAT news. One of the nation’s greatest organizational/technological thinkers and entrepreneurs, Rod Beckstrom, has answered the call to service and will be joining the Department of Homeland Security (DHS).
Rod Beckstrom is famous for many things. Among CTOs and enterprise technologists he is viewed as a champion for the smart use of new collaborative technologies to transform organizations. He is really far more than that, however. He is one of a new generation of forward-thinking leaders who understand that sometimes in order to lead you must serve, and sometimes in order to really lead you must adopt powerful new organizational frameworks that enable disruption of the current order. He is the co-author of the bestselling, frequently quoted, often discussed "The Starfish and the Spider", which gives some hints at the powerful thinking Rod will bring to DHS.
The following is a quote from the Statement by Homeland Security Secretary Chertoff:
"I am pleased to announce my appointment of Rod Beckstrom as the first Director of the National Cyber Security Center (NCSC). Rod will serve the department by coordinating cyber security efforts and improving situational awareness and information sharing across the federal government.
The department is leading efforts to protect federal networks and enhance capabilities that defend and reduce cyber-associated risks. The NCSC will work with the interagency to implement cyber security strategies in a cohesive way, consistent with our privacy laws.
Rod has over 25 years of experience in designing and implementing new internet technologies. He brings to the department a specialized Internet expertise, and unique entrepreneurial and creative business thinking. Rod received both his BA and MBA from Stanford University, and was a Fulbright Scholar in Switzerland."
This news of Rod’s joining DHS is really very exciting.
So, Rod, good luck and thank you very much for deciding to serve the nation in this capacity.
Posted by Bob Gourley
March 11, 2008

The threat to our computers and networks is very real. Dozens of millions of malicious bots have been projected to be operating in PCs. Hackers have penetrated sensitive, seemingly well protected corporate sites. Denial of service attacks have been conducted against businesses and even countries. And press reporting indicates even sensitive US government computers have been penetrated. Leaders in allied countries have been quoted in the press saying their PCs have been compromised as well.
On top of this, if you look at projections of the future computing environment, our dependencies on technology and the threat of vulnerabilities only increases (see my posting on the future titled "Good and Evil in the Future of Cyberspace").
So by any calculation, the assessment of our nation’s ability to succeed in cyberspace is in question. The net assessment is not looking so good.
But there are some very optimistic things happening in Cyberspace, and, with the right technological vision and leadership, we can make a significant change in the net assessment of that domain.
Let me give you an example that has me thinking very optimistically now.
I have a new computer on my desk. It is a SunRay 270 built by Sun Microsystems.
Here are some of its features:
Posted by Bob Gourley