Shoestring Security

Taking prudent cyber security measures doesn't mean breaking the bank.

by Jim McKay / June 4, 2002
Hacker attacks on government agencies appear to be on the increase, according to recent news reports. But in an era of shrinking budgets, how much can a state or local agency do to fight cyber crime?

Quite a bit, experts say.

In fact, experts say state and local governments already possess many of the tools they need to protect themselves; they just need to learn how to apply them. And the biggest cyber-crime fighting tool is well within the budget of any government agency: common sense.

"They have 99 percent of what they need if they just figure out how to use what's built into the operating systems, the software and just train users on common sense," said Ira Winkler, chief security strategist of Hewlett-Packard. "People have to be trained, but most of the time people want to go out and spend millions of dollars on some hot new technology or something because that's what the vendor tells them."

The California Department of Information Technology (DOIT) recently posted the "Top 20 Actions to Initiate Mitigation of Cyber-Terrorism Threats Without Budget Impact." The list of actions is broken into four categories: procedure reviews and audits; improved procedures; communications and training; and software updates and system controls. All address policy and what can be done in-house.

Because there is no need to fund the actions, agencies can implement any, or all, of the cyber-security initiatives at will, according to a department spokesman.

The state of Washington published a similar, more detailed list of information technology security standards. Although the list wasn't intended to propose cost-free security, many of the standards can be met at no cost. "The list is not what some people may think of as pure technical standards, like what encryption levels do you use," said Jeff Scheel, a consultant who worked with the state. "They're really more standards of how a security program should run in a state agency."

Most are simple ideas, such as restricting the non-business use of e-mail and limiting the size of e-mail attachments. But simple doesn't suggest ineffective. "You want to do the 80/20 rule," said Steve Petchon, a managing partner of Accenture. "You want to do the easy things that will get you a long way."

Petchon said 80 percent of security problems can be solved with 20 percent of the effort. Winkler thinks it's even easier.

"Getting people up to the common knowledge will get rid of 99 percent of the problems," he said. "Security is 95/5. With 5 percent of the effort you could solve 95 percent of your problems."

Scheel said one of the biggest weaknesses he sees in government agencies is a lack of awareness that can cause vulnerabilities, such as workers who write down passwords on a piece of paper and slip them under their keyboard, or leave a workstation logged on.

"People know how to lock the doors and windows of their house or their car. For some reason they don't know how to do it on their computer," Winkler said.

Experts say agencies too often look at the cost of security as a separate line item, an extra cost, instead of simply the cost of owning computers.

"Look at California this way: They obviously have a huge fleet of automobiles," said Winkler. "It would be unheard of -- they would be criminally charged if they went ahead and didn't perform scheduled maintenance on their vehicles that they had to maintain. And they don't [with computers] and that's why there's a problem."

A Simple List

Security efforts can be as simple as following a basic password change policy: change passwords every six months or so, and make passwords difficult to guess by using upper and lower case and special characters or numbers. "Simple policies that can be reiterated quickly," said Petchon.

"Basic password lockdown, updating the systems' software on the workstations and on the servers are two things I think that a lot of government agencies tend not to have," he said, adding that getting operating systems on the client and server machines up to current release is also recommended. "There's always patches coming out for Internet Explorer or Microsoft Outlook and just keeping those patches up to date closes a lot of security holes."

Another common problem revolves around system administrator passwords. Petchon said some consumers don't change the standard administrator's password that came from the vendor. He said the password should be changed every 60 days or so and access should be limited to just a few administrators.

Petchon and Accenture recommend agencies start with a risk assessment and a vulnerability assessment, which can take two to three months. During that time they can also begin to implement basic security measures, such as the ones Washington and California have made available.

Jim McKay, Justice and Public Safety Editor