Alexander Wolfe

Network Computing Blogger


Cybersecurity Challenge: Is Your Network Safe? (Probably Not)


Recent criticism of the National Institute of Standards and Technology's (NIST) cybersecurity guidelines for federal agencies raises the logical question: if government networks are at risk, how can I possibly ensure that my operation is protected? One place to start is the IT Security Essential Body of Knowledge from the United States Computer Readiness Team (US-CERT).

First, the back story. There are always recommendations, lists and guidelines floating around. Most of the time this stuff is boilerplate, and we all realize there's a big gulf between what some working-group committee puts down on paper and what you can accomplish, practically speaking, in the real world. Not to mention the time and budget issues (as in, there's never enough of either).


Yet this subject kept bubbling up for me as I read the slew of government cybersecurity stories over the past few weeks. First came the resignation of White House acting Senior Director for Cyberspace Melissa Hathaway on August 4. Shortly thereafter, US-CERT Readiness Team Director Mischel Kwon submitted her resignation a few weeks ago, too. Then the Department of Homeland Security's National Cyber Security Center said it would deploy a wiki to foster cybersecurity collaboration among federal agencies.


But the biggie was the report from the Cyber Security Institute, which raised alarms about whether government systems are adequately protected from new threats like cybercriminal mobs from Russia or the Chinese military.

This time around, I don't think the alarmists are crying wolf. The threat from organized cybercriminals is real. Also, the protection lapses of government networks are probably duplicated by most commercial setups. This spurred me into surfing around to see if I could find any "lessons learned," which are broadly applicable. So here are two:

An interesting site called Technolytics has posted a white paper entitled "The Second Stimulus Package: Focusing on Protecting Critical Infrastructure Cyber Protection" (get the pdf here). I don't know what stimulus has to do with anything, but the paper makes a very good point about the presence of obsolete equipment in a network and how that can cause increased security risks. Software updates and patch management for older systems are a problem. Probably many operations don't even bother with this stuff.

We all know this line of thinking. Say, for instance, I've got an old Windows NT workstation that is chugging away. I'd rather not touch it, because if I do, I know it's gonna "break" and then what do I do? Replace it? Upgrading random pieces of old equipment is asking for a game of network pick-up-sticks. (Pull one thing out, something else breaks.) Plus, there's usually no budget for this stuff.

OK, so the second doc I found, which is the point of this post, is the US-CERT's IT Security Essential Body of Knowledge (get the pdf here). It's one of those broad competency frameworks intended to set a skills baseline for security practitioners. The 51-page document reads much like you'd expect from a government tome. The only thing missing was a "this page intentionally left blank," which actually is the one good idea I've always thought should've carried over to civilian documentation.
