April 10, 2006 By Max Peterson
Like any program designed for a long-term engagement, agency and technology leaders must focus on building holistic security systems within every initiative, IT or otherwise. While using one of the following best practices is certainly better than leaving a system unprotected, it is not enough to win the IT security war. A combination of all three guidelines provides a solid foundation for a successful battle.
On today's IT security battlefield, there is a constant struggle to stay on top of new and existing threats. Government and industry security professionals can no longer draw a line in the sand, confident that their systems will keep threats at bay on a network's perimeter. Threats can now occur at the network level, application level and even at the data level.
With the proliferation of zero-day attacks -- the malicious exploitation of previously unknown vulnerabilities -- and the expectation of zero hour patches, security professionals are persistently racing against time. Systems must employ progressive IT security -- from signature-based approaches to outbound traffic monitoring software -- and be scalable enough to handle threats as they arise.
But even the most progressive technology is no substitute for block-and-tackle execution. Much like the Cold-War scramble drill for Air Force pilots, the daily, weekly and monthly patch exercise must be run with clockwork efficiency and minimal tolerance for failure. Until we have software without flaws and phase out every legacy application, patch management is going to be the key process in security management. Make sure your team does it well.
Find and Equip Skilled Lieutenants
The best security system in the world won't to function without skilled cadres of security professionals, and agencies must investment to keep them on the cutting edge of threat management. The National Security Agency, with the support of the Department of Homeland Security, make a significant investment in IT security professional education annually by supporting the NSA's National Centers of Academic Excellence for Information Assurance Education. The program provides certification to undergraduate and graduate schools that meet its criteria for information assurance education.
Students receiving scholarships from the program are required to work with the federal government after graduation equal to the length of their scholarship terms. In this situation, everybody wins. Students receive top security education and financial assistance, and the federal government gets highly trained employees to keep IT systems safe.
State governments should work with local Infraguard chapters -- an information sharing program involving the FBI, academia and the IT industry -- to identify successful academic programs, and attend seminars and networking events to recruit skilled IT security professionals.
After finding these individuals, hire them. Encourage and enable them to stay up-to-date. And if your ranks aren't deep enough, consider augmenting in-house expertise with contractor support. You don't want to fight this battle understaffed.
Information assurance, while a major factor in IT security success, is only part of the educational equation. Software development training is also a necessity in the development of well rounded security professionals. Many of today's threats stem from inefficient and unsecured software programs, and if the software can be shored up, the threats will decrease. Like lieutenants managing troops in combat, trained security professionals can stay abreast of new threats and vulnerabilities, and remain aware of changing IT battlefield conditions.
Once a secure system is in place and educated security professionals are at the helm, the battle is not over. Just as our military conducts calculated simulation, training drills and war games to prepare troops for battle, IT security managers and agency leaders must conduct calculated and regular security checks of all systems. Leaders must have a proven failsafe plan to combat potential threats, assigning specific IT security personnel to manage specific tasks. This plan should not be a written exercise, but rather like a game of Battleship, where threats are detected through regular, vigorous testing.
The modern-day equivalent of "air raid" drills, these vigilant test threat environments will enable security professionals to uncover potential flaws in a system before an adversary does. Once a flaw is discovered, security professionals can work to decrease the impact of an identified threat and the time required to repair it. As the old adage goes, practice makes perfect.
Complacency Is the Enemy
Defending a system during the IT security cold war is not easy. The enemy is swift, crafty and ever changing; as soon as security professionals identify and patch one vulnerability, the opposition will find another. To triumph in the IT security cold war, government and technology leaders must make a concerted effort to create secure systems, educate security professionals and proactively search for security flaws through routine testing.
You may use or reference this story with attribution and a link to