Bull's-Eye Photo by Dan Coogan

IT security keeps CIOs awake at night. The sheer number of threats and potential for damage can be overwhelming, and in many cases has overwhelmed organizations and governments. Denial of Service (DoS) attacks and subsequent closure of most of the electronic infrastructure in Estonia last year revealed just how reliant government has become on technology, and therefore more vulnerable.

The laundry list of security threats continues to grow, placing increasing pressure on CIOs to cover a multitude of bases. The use of portable devices, combined with DoS attacks, botnets, hackers, phishing, malware and Web application vulnerabilities, is enough to make an insomniac out of anyone in charge of IT security.

The latest Symantec Government Internet Security Threat Report found that government was the top sector for DoS attacks in 2007. The government sector also topped the list for the number of identities exposed and was second highest for the number of data breaches that could lead to identity theft. The United States was the top country of origin for attacks that targeted the government sector, accounting for 21 percent of the total worldwide, according to the report.

"Governments store a lot of citizen information, and the attacks have changed to become much more targeted toward finding personal information," said Gartner analyst John Pescatore. "They are targeting state government, in particular, since there is a lot of citizen and government employee information. These targeted attacks are a major trend change from three years ago, where there were more broad and random attacks that hit everyone differently."

Emergence of the CISO

The sheer number of sources that need coverage has brought to the forefront the importance of the chief information security officer (CISO) as an essential part of a CIO's security strategy. SecureState, a security-consulting company, believes it's essential in 2008 for organizations to shift security resources and decisions to higher-level decision-makers who can manage risk effectively. Several Fortune 500 companies hired their first CISO in 2007, and other organizations and governments are following suit, the company said.

Network security is the primary reason to have senior-level IT officials. However, another pressing reason is compliance with federal, state and private-sector IT security laws and regulations. Government IT security managers must comply with a host of federal IT security laws, including the Health Insurance Portability and Accountability Act (HIPAA), CAN-SPAM Act of 2003, Gramm-Leach-Bliley Act, the U.S.A. Patriot Act, Children's Online Privacy Protection Act (COPPA), the Identity Theft and Assumption Deterrence Act of 1998, and state-mandated laws.

In times of shrinking budgets, many smaller municipalities -- and even some larger organizations -- either don't have the resources or don't prioritize for proper IT security.

"Generally [smaller municipalities] are underfunded and understaffed; there's not a perceived need, and they may think they have it all down," said Steve Marchewitz, vice president of business development of SecureState. "It's true with any organization -- the smaller they are, the less likely they are to have proper security, from small banks to credit unions that have virtually nothing. When you get down to small municipalities, sometimes they can only afford one part-time IT guy who tries to keep everything up and running."

While many governments continue to push consolidation methods forward, many still function like a silo, making comprehensive IT security programs difficult to implement.

Arizona established a statewide, information security and privacy office last year within the Government Information Technology Agency, which created a CISO position for the state. While Arizona was behind other states that already had senior-level IT security positions, the state used lessons learned from other states to create a comprehensive, statewide security plan.

Arizona's new IT security office mandated that every agency have an IT security officer and a privacy officer. State officials believe the combination of professionals focused on security and privacy allows them to cover the many bases of IT security.

"We think it's an essential part of our strategy to improve information security of the state to provide to agencies both security and privacy officers," said Arizona CIO Chris Cummiskey. "We deal with increasingly complex environments as more state agencies bring more things online, and it's important we resolve issues as best we can by helping agencies with such things as training and awareness."

Portable Data

One of the biggest IT security issues for government CISOs is the protection of secure data from portable sources, such as laptop computers, PDAs, BlackBerrys, phones, flash media and other mobile devices containing sensitive information. In the second half of 2007, the primary cause of data breaches in governments that could facilitate identity theft was the theft or loss of a computer or other medium on which data is stored or transmitted, according to Symantec.

"Right now, the biggest threats to governments are data breaches," said Jim Russell, Symantec's public sector vice president. "These breaches can [threaten] national security [with the] loss of everything government maintains, including national security records and a lot of other information."

The publicized theft of a laptop from a Department of Veterans Affairs employee in 2006, resulting in the exposure of personal information of 26.5 million veterans, was one of many accounts where government agencies lost data from remote devices.

After incidents of laptop loss by federal agencies in 2006, Office of Management and Budget Deputy Director Clay Johnson III issued a security checklist, created by the National Institute for Standards and Technology, recommending four actions: Use encryption when carrying agency data; use two-factor authentication provided by a device that is separate from the computer; ensure that users re-authenticate after 30 minutes of inactivity; and verify that sensitive data is purged within 90 days if no longer required.

"Protecting mobile data and portable data is the top issue in my operation because that security breaches and ID theft," said Dan Lohrmann, Michigan's CISO. "If you don't know where data is, that's one of the main security problems."

Data-encryption software is now seen as essential as anti-virus software for governments. Data-encryption software allows users to partition off part of a hard drive, creating a safe haven for data and files that is user name and password protected. With data encryption, if a laptop or other portable device is lost, stolen or misplaced, the data will be safe, secure and inaccessible to unauthorized users

Lohrmann has created a list of 10 security nightmares. No. 1 is the changing culture of IT security, which includes getting the necessary funding and executive support for compliance and budget cuts. His No. 8 security nightmare is portable devices, including the configuration control, asset management and other traditional disciplines that are difficult to enforce with portable devices. Michigan has a data-encryption policy for all portable devices that contain sensitive data and is moving toward full data encryption for all portable devices, Lohrmann said.

Lohrmann estimates that the Michigan network is attacked by 249,649 e-mail spam and viruses each day -- an estimated 91 million in 2006 -- as well as 18,986 scans, 31,121 Web defacement attempts, and 8,693 Internet browser compromise attempts. Lohrmann espouses a training culture within Michigan to help government employees understand security vulnerabilities. With 30 full-time IT security personnel working under him, Lohrmann conducts periodic enterprisewide risk assessments to find out: "Do you know where your data is?" This includes a penetration test to identify potential problems and where data-breach holes exist. Assessing an environment for potential vulnerabilities is an important, proactive approach to security, Lohrmann said.

"There needs to be comprehensive security plans, based on assets that need to identify where the outside predators are invading networking and endpoints," Russell said. "Once that's done, it's important to establish a continuity of operations to prepare once something goes down."

Having proper security protocol doesn't necessarily prevent human error, as Her Majesty's Revenue and Customs realized with the loss of personal information -- including bank information -- of about 25 million individuals in the United Kingdom last year. The incident has been called the worst data leak of the Information Age.

CDW-G, a networking/security specialist company, has seen increasing interest in network access control as additional network protection. Network access control software runs a "health check" on a computer before it connects to a network. The check validates if the computer meets company IT standards, including updated versions of anti-virus software, patches or malicious code infections.

CDW-G has seen organizations utilizing technologies, such as Iron Key, that allow users to surf the Internet through an encrypted tunnel, ensuring that sensitive information can't be accessed. Wireless IT security is also an emerging trend, since wireless networks can be vulnerable to hackers.

"Lots of schools have implemented this, since many of them have laptop programs, and they want to prevent anyone else accessing the network, such as someone sitting in a parking lot accessing the network and trying to send files," said Chris Schabel, CDW-G network and security specialist.

Web Application Security

While many governments have already adopted e-government initiatives, having an online presence makes government more prone to Web vulnerabilities. Gartner estimates that 71 percent of all vulnerabilities reported worldwide during the fourth quarter of 2007 were related to Web applications, including servers and browsers, which represent a 3 percent increase over the previous quarter. Compromised Web sites are the main methods through which botnet propagation occurs, and botnet software propagates through malicious links to unsafe Web sites and other Web-based applications.

"The real threat for us right now is botnets," said Mark Weatherford, Colorado's former CISO. "Botnets are so hard to stay in front of because their methods to compromising systems change. It's not a simple virus or worm, but embedded pictures and key logs that gain access to computers and compromise them."

For SecureState, Web-application security is the top IT security trend. In June, the latest Payment Card Industry's (PCI) Data Security Standards (DSS) will become mandatory. The PCI DSS is forcing organizations that process credit card payments through the Web to comply with new security standards to prevent fraud, hacking and other security vulnerabilities and threats. Any company or government agency that processes, stores or transmits credit card payment data must be PCI DSS compliant by June or risks losing the ability to process credit card payments and will be audited or fined.

The adjustment for many organizations has been substantial, since only 65 percent of level No. 1 merchants (those that process at least 6 million transactions per year) reported being fully compliant, according to Visa's 2007 compliance report. Levels No. 2 through No. 4 are 55 percent compliant. The rigid credit card guidelines are forcing organizations to revamp their Web-application security.

"A real key message that is nongovernment-specific but part of the global security landscape, is the increased focus on the Web as a medium for malicious activity," said Ben Greenbaum, Symantec senior security response researcher. "By actively leveraging the Web as a primary application for intrusion through trusted sites, hackers can leverage vulnerabilities to compromise thousands of individuals."

Virtual Security Officers

As the trend toward outsourcing and growth of managed services continues, more core business components, including security, are being managed by outside companies. Some companies offer Virtual Chief Information Security Officer services that build an IT security program within an organization. Vendors such as CA offer IT governance management to increase the value of funding for IT security.

Outsourcing security functions can be risky and the "globalization of security," where companies outside the United States provide cost-effective IT security, makes U.S. companies vulnerable to new threats, according to SecureState.

"What's happening is [outsourcing companies] are not coding securely, and in general, a lot of IT security is being outsourced overseas," Marchewitz said. "Those organizations are not following best practices for secure coding, allowing hackers to access and bypass firewalls."

While endpoint security and perimeter security are high on the list of IT security essentials, Enterasys offers network security as an additional source of IT security. By monitoring network traffic, network security prevents malicious code from entering a system. The company also provides network access control, which scans any computer or portable media device before it accesses a network.

Governing Security

IT security has become an essential aspect of effective governance with the sheer amount of confidential information held in computer databases, the number of threats networks face, and compliance requirements. By following security best practices, using an assortment of security software, and identifying potential security holes, CIOs and CISOs can effectively secure networks. It's key for security managers to get proper security measures implemented at the beginning of any new project, Gartner's Pescatore said. The hurried implementation of electronic-voting machines that were vulnerable to tampering is one such example, Pescatore pointed out.

"Security is not just to run around at endpoints and try to keep the bad guys out," Pescatore said. "Successful IT security managers say, 'Let's build security in everything we're doing, to keep the bad guys out.'"

For SecureState, part of a successful IT security plan is to use common sense by starting with the basics from any number of security best practices: keeping security programs current and performing basic IT security maintenance, such as updating patches.

"We see a lot of breaches where people were not thinking things through," Marchewitz said. "They have a firewall and haven't updated their patches in two years. One of the easiest ways to access a network is to go through a system where patches aren't updated."

As the number of teleworkers increase along with the use of laptops and other portable devices, including the development of ultra-wideband, a new wireless technology similar to but faster than Bluetooth, the threat of data loss is expected to continue to grow.

Regulations also will continue to grow, affecting both the private and government sectors and forcing more organizations to develop unified security programs, according to SecureState. Like Arizona's approach, unified security measures should develop a comprehensive approach that will address security, privacy and other regulatory requirements besides performing basic security protocol.

"At the end of day, the most important priority of the CIO or government leader is protecting the information that is vital to the success of government services being delivered," said David VanderNaalt, Arizona's CISO. "I would recommend everybody take a step back and decide what the priorities are. If you're gathering Social Security numbers, names and medical information, you have to have a security measure to prevent loss, and that takes resources. I would say probably one of the most important things a government does is protect citizen information."

Chandler Harris  |  Contributing Writer