Security Steps

Confronting existing and potential security vulnerabilities doesn't have to make a CIO the bad guy.

by Shane Peterson / October 28, 2003
It's much easier to take steps to secure any network when there's money available to do so, and Greg Jackson, CIO of Ohio, has the luxury of working with $3.5 million over the next two years to secure Ohio's wide area network.

He needs to worry about 4,500 T1s or better throughout the state running off the state's WAN, and it's a network that's shared with K-12, the public library system and state agencies. The state's effort to harden its defenses is called the e-secure Ohio program.

"Since so many audiences are utilizing that network, one of our concerns is the security of the transactions happening over the network when it comes to state agencies and fiscal information," Jackson said. "We have been granted the funding to actually secure the network and to deploy virtual private networks to deploy our fault-management mechanisms, configurations, accounting mechanisms, performance measurement systems, security measurements to make the network in general more secure, more robust and more dependable moving forward."

Jackson said he used part of the money to conduct a security assessment of 14 state agencies (out of a potential 23 agencies total) to gauge their level of security and their vulnerability to outside malicious hackers. Agencies didn't have to spend a dime, but they needed to be convinced that it would be in their best interest to be assessed.

"The outcome of the assessments was theirs alone," he said. "We didn't receive the details of any of their vulnerabilities. We did receive generic information across the enterprise that was not identifiable to any specific agency, so we could get a sense of how good or bad things were out there. That approach seemed to work very well, and we had more agencies sign up than we expected."

A Free Pass
The level of vulnerability in some agencies was surprising, he said, especially when the firm the state hired to perform the assessment delivered its final report.

"Some things were so weak that one of the analogies they used was that if you were standing in a room and you touched a window, the window just fell out of the wall," he said. "They also said that as soon as they ran the first of many planned scans in a couple of areas, their networks went down immediately. I was surprised that we were that vulnerable in some areas."

Jackson said the security assessments, performed in October 2002, saved the state a lot of grief later when the Sobig and Blaster worms hit. Still, the biggest lure Jackson said he had in persuading agencies to volunteer for the assessment was to not lower the boom on them when the results came out.

Jackson said he told agencies that during the first year, he wanted to give them a chance to get their houses in order because security vulnerabilities had not been a primary focus previously and because he realized it wasn't fair to launch into attack mode on agencies.

"But I also told them, 'I can't promise you we're going to do this the second year,'" he said, adding that he and his colleagues are still deciding whether to give agencies that cloak of anonymity for the next assessment, which is scheduled for this fall.

One problem is that assessments that publicly call out agencies for failing to act in a particular way also air dirty laundry, which sets the stage for plenty of small political battles. Deciding whether to fight those battles is something every CIO will approach differently.

Participating in the security assessments is currently voluntary, he said, though there is discussion to make participation mandatory.

The looming question is what happens if an agency fails to address its security vulnerabilities. Jackson said the idea of the state's Office of Homeland Security issuing certifications to agencies is currently being kicked around.

"We would take the information on which agencies were certified to the Office of Budget and Management and to the Legislature, and they can make whatever appropriations decisions they want," he said. "We're just right now trying to gather some data on what the certification criteria would be."

Ohio is also looking at different models of incident response teams to gauge which type of team would best fit the state's IT landscape. One is a "volunteer fire department" model, he said, in which everyone does their regular job until something happens, then the volunteers come together to help agencies when needed. The other model is a standing, dedicated fire department.

Ohio hasn't decided what model to go with because the state lacks data on the number and level of severity of incidents that agencies face, he said, so a survey is being prepared for agencies to collect that type of data.

"We don't want to pay for a standing fire department if there's only one fire a month," he said.

Tiered Approach
Colorado is taking a hard look at security and risk through its Colorado Information Security Program, which was started in January, said the state's CIO, Leroy Williams.

Part of the program is setting up an Information Security Task Force, composed of CIOs from state agencies and other personnel with a security focus, to address policy issues, said Harley Rinerson, Colorado's chief information security officer. At the operational level, the state is creating an Information Security Operations Center (ISOC).

The state will also use an accreditation model to accredit agencies according to their compliance with the task force's security standards.

"Right now, agencies will be grandfathered until we get the assessments, the audits and baselines going," Rinerson said. "In the future, we will accredit each department and then come back and continually assess them."

The task force itself has been meeting since January, and Colorado has been establishing security officers in individual agencies, as well as making sure agencies are properly staffed with security administrators.

Mostly, Rinerson said, agencies are looking for leadership that makes sense, that's inclusive and allows people to have input into the policies that impact how they do their jobs.

"It's really a matter of building trust from a cross-departmental perspective, making sure you foster that trust, and paying attention to their issues and their problems," he said.

Making Cents of Security
To Williams, an important tool in helping agencies do their part of the overall Information Security Program is portfolio management, and Colorado has formally adopted portfolio management evaluation criteria as part of how the state does business.

"There are two dimensions -- the business perspective and the technology perspective," Williams said. "We evaluate, on the front end, these requests for new projects. They need to clearly demonstrate a business value, a business benefit. We perform an assessment in terms of the technology characteristic. Is it something we've done before? How hard is the implementation? Are you in compliance with the architecture standards, etc.

"Based on those metrics we capture, we then score each of the projects, and if they don't pass muster, it allows us to have some real open dialog over whether we should be pursuing this project," he said.

In addition to this type of enforcement mechanism, Williams said he will go to the state legislature to seek more accountability for the position of chief information security officer.

"We're going to look at ways to put some more teeth into the position," he said. "We need to give that position more credibility and also the authority to say, 'If you don't comply, we're disconnecting you from our network because you're putting the rest of the community at risk.' The policy piece is absolutely critical to effective security."

In a busy world, security sometimes languishes on agencies' back burners, and Williams views it as his job to prod agencies to move security and risk management to the front burner.

"We are absolutely competing against people's time, attention and certainly for their resources," he said. "It's incumbent on us to be able to articulate why it's critically important for the state to move in direction A, B or C. If we're not able to do that, we're not being successful as technology leaders. I know that the money is out there. I know that the resources are out there.

"I also know that the reality is that, oftentimes, it takes a catastrophe for people to really move on these issues, and that's just how we are as a nation," he said. "But where we can really proactively have the conversation is by saying, 'Incrementally, if you invest in managing these types of risk, here's the return. Here's the value.' People are starting to get that."
Shane Peterson, Associate Editor