By DANIEL FRIEDMAN
October 31, 2006
From the Chinese government to homegrown hackers, groups are increasingly targeting agencies' networks and data security.
WILLIAMSBURG, Va. "The Chinese are in half of your agencies' systems," Alan Paller, research
director of the SANS Institute, told attendees Oct. 30 at the Executive
Leadership Conference, which is held here by the American Council for
Technology and the Industry Advisory Council.
Paller cited 2005 reports that hackers using servers in China stole
designs for an aviation mission-planning system for Army helicopters,
and, on one night in 2004, found vulnerabilities in computers at the
Defense Information Systems Agency, the Naval Ocean Systems Center in
San Diego, the Army Information Systems Engineering Command at Fort
Huachuca, Ariz., and the Army Space and Strategic Defense Installation
in Huntsville, Ala. Paller said officials believe the attacks were
sponsored by the Chinese government.
And the problem extends to civilian agencies, he argued. The State
Department said last July that hackers in China had broken into its
computers in Washington and abroad.
The Washington Post reported Oct. 6 that China-based attackers in
search of information had forced the Commerce Department's Bureau of
Industry and Security, which regulates the export of dual-use technology
to states including China, to shut down Internet access for more than a
month. The bureau also replaced hundreds of computers.
"It has become clear that Internet access in itself is a vulnerability
that we cannot mitigate," Acting Undersecretary of Commerce Mark Foulon
said at the time.
Paller argued that many information security metrics established by the
Federal Information Security Management Act do not measure how well
agencies protect data.
Agencies must report the number of systems for which they complete
reports on security vulnerabilities, but most reports are written by
consultants and never read by top managers, Paller said.
Agencies are also required to count the number of officials who complete
security awareness training, but do not have to measure what skills they
acquired, he said, citing an example in which trained employees fell for
phishing exercises. Phishing involves e-mails, often made to appear as if
forwarded by co-workers, which invite employees to click on links to
download security patches supposedly from companies like Microsoft. Such
e-mails often originate from hackers seeking sensitive data.
A better metric is used by New York State, which continually tests how
many employees are fooled by phishing attempts, Paller said. "Give the
boss that data and see how fast behavior changes," he said.
Other officials at the conference recommended assigning responsibility
for data security not just to information technology officials but to
managers of divisions where data could be stolen. Steve Malphrus, staff
director for management at the Federal Reserve's Board of Governors, said
that a culture of risk management at the Fed means managers are
accountable for risks in their own departments.
"Managing risk cannot be an afterthought," Malphrus said. "IT has to be an
important part of managing the enterprise. It's the managers'
responsibility. If they make a mistake, they take a salary hit."
Officials said data can also be vulnerable at the personal level.
Individuals can intentionally or accidentally give away sensitive
information. For that reason, agencies should consider prohibiting
access to Web sites like MySpace.com and to blogs, said Secret Service
Special Agent Kyo Dolan.