Alexander Wolfe

Network Computing Blogger

Cybersecurity Challenge: Is Your Network Safe? (Probably Not)

Recent criticism of the National Institute of Standards and Technology's (NIST) cybersecurity guidelines for federal agencies raises the logical question: if government networks are at risk, how can I possibly ensure that my operation is protected? One place to start is the IT Security Essential Body of Knowledge from the United States Computer Readiness Team (US-CERT).

First, the back story. There are always recommendations, lists and guidelines floating around. Most of the time this stuff is boilerplate, and we all realize there's a big gulf between what some working-group committee puts down on paper and what you can accomplish, practically speaking, in the real world. Not to mention the time and budget issues (as in, there's never enough of either).

Yet this subject kept bubbling up for me as I read the slew of government cybersecurity stories over the past few weeks. First came the resignation of White House acting Senior Director for Cyberspace Melissa Hathaway on August 4. Shortly thereafter, US-CERT Director Mischel Kwon submitted her resignation, too. Then the Department of Homeland Security's National Cyber Security Center said it would deploy a wiki to foster cybersecurity collaboration among federal agencies.

But the biggie was the report from the Cyber Security Institute, which raised alarms about whether government systems are adequately protected from new threats like cybercriminal mobs from Russia or the Chinese military.

This time around, I don't think the alarmists are crying wolf. The threat from organized cybercriminals is real. Also, the protection lapses of government networks are probably duplicated by most commercial setups. This spurred me into surfing around to see if I could find any "lessons learned" that are broadly applicable. So here are two:

An interesting site called Technolytics has posted a white paper entitled "The Second Stimulus Package: Focusing on Protecting Critical Infrastructure Cyber Protection" (get the PDF here). I don't know what stimulus has to do with anything, but the paper makes a very good point about the presence of obsolete equipment in a network and how that can cause increased security risk. Software updates and patch management for older systems are a problem. Probably many operations don't even bother with this stuff.

We all know this line of thinking. Say, for instance, I've got an old Windows NT workstation that is chugging away. I'd rather not touch it, because if I do, I know it's gonna "break" and then what do I do? Replace it? Upgrading random pieces of old equipment is asking for a game of network pick-up-sticks. (Pull one thing out, something else breaks.) Plus, there's usually no budget for this stuff.
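Before you can argue for budget to replace that old NT box, you need to know how many such boxes you have and how far behind they are. The script below is an added example, not something from this post, the Technolytics paper, or US-CERT: it runs a patch-age and end-of-support audit over a constructed host inventory. The CSV rows, the OS names, and the end-of-support dates are all placeholders I made up for illustration; a real deployment would load the inventory from a CMDB export and the lifecycle dates from vendor records.

```python
"""Patch-age and end-of-support audit over a small host inventory.

Added example (not code from the original post). All inventory rows,
OS names and end-of-support dates below are constructed placeholders.
"""
import csv
import io
from datetime import date, timedelta

# Constructed end-of-support table: placeholder OS labels and dates,
# not real vendor lifecycle data. Load from vendor records in practice.
END_OF_SUPPORT = {
    "legacy-os-1": date(2004, 12, 31),
    "legacy-os-2": date(2010, 7, 13),
    "current-os": date(2030, 1, 1),
}

# Constructed inventory, shaped like a CMDB export. "vendor-appliance"
# is deliberately absent from END_OF_SUPPORT to exercise the unknown case.
INVENTORY_CSV = """hostname,os,last_patch,role
build-01,legacy-os-1,2007-03-14,build server
fs-02,current-os,2011-08-01,file server
db-03,current-os,2011-02-10,database
kiosk-04,legacy-os-2,2010-06-01,lobby kiosk
print-05,vendor-appliance,2011-08-20,print server
"""

# Policy threshold: anything unpatched for longer than this gets flagged.
MAX_PATCH_AGE = timedelta(days=90)


def parse_inventory(text):
    """Parse CSV text into row dicts, converting last_patch to a date."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["last_patch"] = date.fromisoformat(row["last_patch"])
        rows.append(row)
    return rows


def audit(rows, today, eos=END_OF_SUPPORT, max_age=MAX_PATCH_AGE):
    """Return [(hostname, [reason, ...]), ...] for hosts that fail policy.

    Hosts with more findings sort first; ties are broken by hostname so
    the report is stable from run to run.
    """
    findings = []
    for r in rows:
        reasons = []
        eos_date = eos.get(r["os"])
        if eos_date is None:
            # An OS we cannot classify is a finding in itself: it cannot
            # be assessed, so it cannot be declared safe.
            reasons.append("unknown OS, support status cannot be assessed")
        elif eos_date < today:
            reasons.append(f"OS unsupported since {eos_date}")
        age = today - r["last_patch"]
        if age > max_age:
            reasons.append(f"last patch {age.days} days old")
        if reasons:
            findings.append((r["hostname"], reasons))
    findings.sort(key=lambda f: (-len(f[1]), f[0]))
    return findings


def audit_sample(today_iso):
    """Run the audit over the constructed inventory as of a given date."""
    return audit(parse_inventory(INVENTORY_CSV), date.fromisoformat(today_iso))


if __name__ == "__main__":
    for host, reasons in audit_sample("2011-09-01"):
        print(f"{host}: " + "; ".join(reasons))
```

The point of the unknown-OS branch is that an inventory gap is itself a risk signal: the appliance nobody can classify is exactly the device that never gets patched. The script changes nothing on the hosts; its output is the evidence you take into the budget conversation.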

OK, so the second doc I found, which is the point of this post, is US-CERT's IT Security Essential Body of Knowledge (get the PDF here). It's one of those broad competency frameworks intended to set a skills baseline for security practitioners. The 51-page document reads much like you'd expect from a government tome. The only thing missing was a "this page intentionally left blank," which actually is the one good idea I've always thought should've carried over to civilian documentation.

However, it does contain some useful checklists, which you can use to inventory whether your practices are pointed in the direction they need to be to protect your network. Here's the one I thought was most useful, from section 2.7.3 under the heading "Implement" (check out section 2.7 for a fuller list):

2.7.3 Implement

  • Prevent and detect intrusions, and protect against malware
  • Perform audit tracking and reporting
  • Apply and manage effective network domain security controls in accordance with enterprise, network, and host-based policies
  • Test strategic network security technologies for effectiveness
  • Monitor and assess network security vulnerabilities and threats using various technical and non-technical data
  • Mitigate network security vulnerabilities in response to problems identified in vulnerability reports
  • Provide real-time network intrusion response
  • Ensure that messages are confidential and free from tampering and repudiation
  • Defend network communications from tampering and/or eavesdropping
  • Compile data into measures for analysis and reporting.

OK, so it's a start. I'd be interested to hear whether readers think the cybersecurity threat is more serious today than previously, and whether something like the checklist above is useful.


Follow me on Twitter.

Write to me at alex@alexwolfe.net.
