Certifiably trusted: Security assurance

As the calendar flips to fall, the Beltway remains embroiled in a bitter health care reform debate. Stubborn lawmakers from both sides of the aisle are butting heads to determine whether government should fund a public option designed to insure the tens of millions of Americans without coverage.

Rob Housman wants to provoke a similar conversation on Capitol Hill. Except Housman, who founded the nonprofit, Washington, D.C.-based Cyber Secure Institute (CSI) last year, is championing something else that he believes government must step in to reform: the assurance levels of security and other IT products.

It is a cause that is not receiving even a fraction of the focus in Congress that health care is, but it is one in which Housman believes all Americans are similarly vested. His organization is trying to shake up the status quo by pushing government organizations and critical infrastructure providers – such as power plants and water companies – to deploy the “best available” technologies to fend off today's sophisticated and targeted attacks.

“Right now, what we have is market failure,” says Housman, executive director of the CSI, a research and advocacy group. “Nobody knows who's being hacked, for the most part. There are no standards in place. Technology manufacturers make wildly exaggerated claims about the security of their systems. When you have market failure, the government, at least at some level, has to step in and correct it, and I think that's where we're at.”

Housman, the former assistant director for strategic planning in the Office of National Drug Control Policy during the Clinton administration, says the IT security marketplace is fundamentally flawed. Buyers of technologies are not demanding the most robust products and, as a result, manufacturers are creating solutions that cluster somewhere in the middle – reliable enough to stop the average script kiddie, but not nearly advanced enough to deter the most advanced attacks. (Consider Heartland Payment Systems, TJX or anonymous reports in April that foreign spies penetrated the U.S. power grid.)

As a result, end-users are left devoting precious time and resources to “bolting on” security and patching flawed IT systems after the fact, instead of implementing a thoroughly tested solution from the start, Housman says.

“The technologies that we rely on today are certified, in essence, as insecure against the threats we face, which is why we have these constant problems,” he says. “If you're talking about federal systems or critical infrastructure, our role is to push for more secure and cutting-edge technologies that can defend us from sophisticated, intentional, well-funded attempts to penetrate.”

That means CSI is targeting not only policy-makers, but also average Americans – the ones who entrust organizations with their sensitive data (or to keep their electricity on). “We're trying to make people aware that most of the systems we rely on today are completely and totally insecure,” Housman says.

Organizations, both public and private, are hamstrung by a seemingly endless array of compliance demands drafted to protect against a breach. But only in the federal government are entities required to purchase certified IT solutions to meet those mandates and safeguard their networks. The National Information Assurance Partnership (NIAP), managed by the National Security Agency, conducts these product evaluations on behalf of some 20 government agencies. Products are graded on an Evaluation Assurance Level (EAL) of 1 to 7, which assesses their conformance to Common Criteria, an international standard that measures the security of IT systems. The tests essentially examine how well IT offerings stack up against what the vendors claim. Roughly 1,200 products have been evaluated since the standard was created in 1999.

All mainstream IT products – including ubiquitous platforms, such as Microsoft Windows – have achieved only an EAL 4 certification, due to the extreme time and cost involved. Santa Barbara, Calif.-based Green Hills Software, which sells operating systems to the military, is one of only two providers to have obtained EAL 7 certification (Tenix is the other).

Housman says all government organizations and critical infrastructure providers should deploy products that meet EAL 6 or 7 certifications, the levels NIAP describes as intended for the “presence of both sophisticated threat agents and high-value resources.”

“Technologies that meet those requirements are what we ought to be using for the things that matter,” Housman says.

But Shaun Gilmore, NIAP's technical director, says most IT makers seek to achieve an EAL 4, at most, because that designation is the highest level that is mutually recognized by NIAP and the 26 countries that use Common Criteria. In addition, he admits, the sheer cost and time spent on Common Criteria evaluation is a turn-off for vendors wanting to go to market quickly.

EALs beyond 4 require all code to be “semiformally or formally modeled” to “make sure, mathematically, there are no flaws in the product,” Gilmore says. “A complicated product is not going to be able to achieve an EAL 7 within a reasonable time, scale or cost.”

Carol Saulsbury Houck, director of NIAP, agrees. “The mass commercial market isn't out there for a high [EAL] level,” she says.

Santa Clara, Calif.-based McAfee, one of the world's leading IT security firms with 2008 revenue of $1.6 billion, has 12 major product lines that regularly go through Common Criteria evaluation. Greg Brown, the company's senior director of product marketing, says EAL 4 is the “recommended standard for purchasing products.”

“If it takes three months to do EAL 1, it takes 10 years to do EAL 7,” Brown says. “[Customers] would never be able to buy products. The deeper you investigate the integrity of the products, the more information you need to evaluate.”

Yet some wonder whether the lower EAL designations hold any value at all. According to NIAP, EAL 4 certifies protection against “inadvertent or casual attempts to breach the system security.” David Kleidermacher, CTO of Green Hills, said earlier this year at the Embedded Systems Conference in San Jose, Calif., that EAL 1 to 4 certifications are “essentially meaningless and have wasted immense amounts of money and time,” according to a story in Military and Aerospace Electronics magazine.

But even if Housman's group reaches its goal of getting federal requirements to force certain organizations to deploy only the “best available” technology that the market produces, as judged by NIAP, organizations still would be reliant on human beings to implement and deploy the products effectively, experts say. Without properly configured solutions, even the most hardened technologies could fall to a hacker attack.

“We really don't know what it takes for a system to be secure,” says Ravi Sandhu, founder and executive director of the Institute for Cyber Security at the University of Texas at San Antonio. “You can still deploy them incorrectly. Just deploying products that have achieved a certain level of security doesn't mean your overall system is going to be secure. Let's say you buy a product that does encryption. Encryption can be very strong and resistant to cryptographic attacks, but if you don't manage the keys, your overall system can be compromised.”

But Housman says he believes manufacturers are capable of producing IT that can overcome configuration shortfalls. Today's technologies should “make up for your mistakes,” he says. “It should be so secure you can't screw it up.”

And flawless deployment is not enough on its own anyway, he says. “Even if every end-user does everything perfectly, even if there are no configuration mistakes, even if it was properly installed – if you are using an insecure technology, you're going to get penetrated.”

Aside from forcing organizations to use certain technology, Housman is relying on change within the C-level suite to demand inherently secure products. But that may run counter to today's bare-bones mentality, in light of the troubled economy and focus on compliance demands, says John Kindervag, senior analyst at Forrester. The bonuses of many security managers are tied to how many budget lines they can keep off spending plans, he says. Plus, security teams are incentivized to fulfill compliance regulations first and, if there is any money left over, worry about countering the most serious threats to a network.

“We have bigger problems. Unless companies are forced to do it, they won't put good security in,” Kindervag says. “They want the easy way out and they want it to be cheap. They don't even know or care if it's secure. They want the impression of security. Hope is the greatest threat mitigation strategy in many large organizations: ‘We just hope we don't get hacked. We're guessing the odds are in our favor.'”

An overhaul coming

The organizations that best protect their infrastructure from cyberattack are the ones most skilled at evaluating risk, Sandhu says. After all, certifications simply provide insight into the security of an individual technology. They do not take into account the unique environments in which the products are deployed.

“You have to have context before you can say something is secure,” Sandhu says. “At the end of the day, security is about risk management and risk mitigation at the system level. We have to take that point of view that we can't reduce it to the effectiveness of individual products. There's more to maintaining an automobile than saying you should use oil that has this rating.”

But NIAP, in response to frequent criticism, believes it at least can offer some help ridding products of vulnerabilities and requiring the development of more trusted IT.

Phil Dunkelberger, CEO of Menlo Park, Calif.-based encryption maker PGP Corp., likens Common Criteria to data security guidelines, such as PCI. “They're snapshots in time,” he says. “You can be fully compliant one day and, with the evolving threats that are out there, be out of compliance the next day.”

Common Criteria has a number of drawbacks, he says. They include the lag time and high cost – it often takes 12 to 24 months for a product to be evaluated and a test could run as high as $1 million per product. That means smaller companies that might produce a best-of-breed solution cannot sell to government because they cannot afford to be evaluated, which, experts say, threatens innovation.

The main qualm that McAfee's Brown expresses is that Common Criteria gives no consideration to the threat protection capability of the product in question. Instead, the framework allows the vendor to define the protection profiles against which the evaluation is conducted.

“There is no mechanism in the government certification world to give consideration to that vendor protection capacity,” Brown says. “In order to provide protection, you have to understand the threat landscape. That's an ongoing investment. Products have to be designed so they can leverage the research you're doing.”

NIAP's Gilmore says his organization plans to get away from the existing model. Instead of the vendor providing what it wants to be evaluated, NIAP would offer vendors a set of requirements, depending on the type of technology, against which they must be evaluated. That way, the manufacturer “can't exclude things we think are critical.”

“We're working with industry to develop protection profiles to represent what is achievable for that product type,” Gilmore says. “We're going to say, ‘Here's our profile that we developed within industry that we think is achievable.' And if industry buys into that early, at least we know it's not unreasonable.”

In addition, with version 4 of Common Criteria due out at the end of next year, the partnership hopes to find a way to lower the time and cost that vendors must invest in the process. More important, perhaps, is NIAP's plan to also conduct additional tests that seek to discover product vulnerabilities.

“We've tried to make tweaks,” Gilmore says of the standard. “You get to the point where you can't keep making minor tweaks and have a significant impact. You can't look at a product like you used to when you're talking about millions of lines of code and ever-increasing complexity.”

Even with the planned changes, there still is nothing forcing government and other industries to deploy the best of the best, as is Housman's objective. He admits he faces an uphill climb. Most corporations are averse to government regulations. And buying more reliable IT products likely will cost more. But he contends that organizations would be willing to foot the additional expense, especially if they realize that money lost to a data breach would trump any inventory purchase.

The CSI is committed to “shaking up the world of cybersecurity,” Housman says. “If we can go to the moon, we can make a secure cyber system.”