Cyber security gets short shrift, say federal info tech managers.

A recent survey of federal information technology managers suggests that many government agencies are poorly prepared to cope with cyber attacks. The survey paints a grim picture. It cites misdirected priorities in cyber-security programs and substandard quality in the software provided by commercial vendors.

This analysis, published by a government contractor, Intelligent Decisions Inc., was based on interviews with 25 of the total population of 117 federal agency chief information security officers. "We were surprised" by the results of the survey, said Harry Martin, president of Intelligent Decisions.

Across the board, federal chief information security officers ranked "patch management" as their number-one security concern, pointing to shortfalls in the quality of commercial network-security products.

Patch management software is used to protect corporate networks from Internet-based attacks. Microsoft Windows operating systems, particularly, have many security holes, experts note. Hackers often exploit these vulnerabilities to steal information or program computers to distribute spam email. Every time a new Windows problem is discovered, Microsoft issues a "patch" to fix it. In companies or government organizations with many computers, it is difficult to ensure that the latest patch is installed on every computer, especially since Microsoft now releases patches on a bi-weekly basis. Patch management software can make a cyber-security manager's job easier, because it automatically pushes out patches to every computer in a corporate network.

Many software companies, including Microsoft, are getting into patch management software and targeting the government market. Federal IT managers in the survey expressed dissatisfaction with the quality of the products available. "It is clearly time for private industry to get serious about software quality," said Martin.

The study also reveals a class divide among federal IT security officers, with those who control less than $500,000 on one side, and those whose annual budgets exceed $10 million on the other. "Half a million doesn't buy you a whole lot in today's IT security world, particularly for a large agency," he noted.

The security "have-nots" are loaded down with administrative tasks and unable to address "strategic security management functions," noted Ted Ritter, director of cyber-security at Intelligent Decisions. These officers devote 45 percent of their time to compliance paperwork associated with the Federal Information Security Management Act, which requires government agencies to protect their networks. Just 22 percent of their time is dedicated to security management functions, such as architecture development, inventory control and vendor collaboration. The security "haves" spend 27 percent of their time on FISMA compliance reporting, and almost 50 percent on strategic security management functions.

Information security officers who control less than $500,000 annually consider the most important products and services to their agency to be network security, firewalls, intrusion detection and prevention systems, authentication and encryption devices. Officers who control more than $10 million cite authentication-encryption devices, biometrics for user log-on authentication and security information management tools as the top concerns.

Among the agencies with large IT budgets is the U.S. Air Force, which, like other government organizations, has struggled with network security breaches and patch management issues. About a year ago, the Air Force chief information officer, John M. Gilligan, went to see Microsoft's top executive, Steve Ballmer, to try to negotiate a software contract that would address security concerns. The Air Force is the largest buyer of Microsoft enterprise software.

Last month, Gilligan announced he had signed a $509 million, five-year deal with Microsoft that consolidates multiple support contracts for the entire Air Force and automates the installation of patches to ensure that every one of the service's 525,000 workstations is protected, he told reporters.

Internet-based attacks have become all too common, said Gilligan. "As we become more dependent on networks, disruptions become costly," he said. "We were spending more money patching and fixing than buying new software ... The deal with Microsoft automates the patching."

While Microsoft software dominates Air Force networks, Gilligan noted that vulnerabilities also have been found in Cisco, Linux, Open Source and Oracle systems. "We have discovered them at the rate of one per day," Gilligan said. Not all are serious, but at least two per week, he added, are caused by computers that have not been patched.

The current patching process is both inefficient and ineffective, he said. "When we find a fix, it could take months to get it installed ... Patches often are installed manually. We have to test it many times to ensure it doesn't disrupt our standard configuration."

Under the agreement with Microsoft, the Air Force Network Operations Command, at Barksdale Air Force Base, La., will pre-test patches on about 2,000 workstations. Once the testing is completed, the patching will be pushed to all 525,000 workstations.

Although Gilligan predicts the new setup will better protect Air Force networks, he acknowledged that there are no mechanisms in place to hold software manufacturers accountable for disruptions. "There are no set metrics for how to measure software performance," he said. Nonetheless, the Air Force expects that, in the long run, the arrangement with Microsoft will pay off. "If we can get a good handle on the patch management and automation, our experts can focus on countering more sophisticated threats. I don't see patches as the end game."