An assessment of how the US government is trying to improve security

Avecto, a firm specializing in Windows privilege management security, examines why the U.S. government is improving its internal security and how it is doing it.

The mood of the American people is changing, and changing fast. The president has recognized this and, while some may complain about the treatment of Bradley Manning, the WikiLeaks criminal, most are fed up to the teeth with the chaos which cybercriminals and hackers are visiting upon us. In April alone more than 1.5 million Visa and MasterCard accounts were compromised and the figure could be far in excess of that.

Late last year the White House announced it was taking a number of new steps to safeguard classified information and protect government computer networks against unauthorized disclosures, such as the release of thousands of pages of secret documents by WikiLeaks back in 2010.


The executive order signed by President Barack Obama was the result of a seven-month review by his administration in which the White House sought to find a balance between security and the need for agencies to share classified information -- a weakness revealed by the Sept. 11, 2001, terrorist attacks.

Under the executive order, the government will create a special committee to coordinate information sharing and to ensure that agencies that use classified computer networks protect information. Each agency will appoint a senior official to oversee classified information and safety measures.

Already, several departments and agencies -- including the Pentagon and the Central Intelligence Agency -- have taken steps to control people's ability to place classified data on disks or removable memory devices, and have limited the number of users with permission to use such devices.

"Our nation's security requires classified information to be shared immediately with authorized users around the world but also requires sophisticated and vigilant means to ensure it is shared securely," says President Obama's order.

The order mandates Attorney General Eric Holder and the U.S. director of national intelligence, James Clapper, to establish an "Insider Threat Task Force" to find ways to deter and detect security breaches.

Against the backdrop of existing government agencies, some critics have questioned if it is necessary to have yet another agency to deal with security matters. However, it is worth noting that it has been almost six years since the inception of WikiLeaks, yet the government has only just begun to identify methodologies to combat insider threats within the military. The bottom line here is that the government needs to move swiftly if it is to maintain credibility -- especially in an election year.


Earlier in 2011 the White House revealed language on new legislation directing private industries to improve computer security voluntarily -- and have those standards reviewed by the Department of Homeland Security.

The government -- all the way from federal to state, and down to city levels -- clearly has plenty of work to do to prevent insider attacks. In our view, it is about time the White House caught up on ideas -- and technology -- that many corporate clients have known about for several years.

By establishing least privilege, it is possible to achieve an IT environment in which everyone can still be productive while at the same time remaining secure.

The White House, of course, may not be taking this route to better security for all the right reasons. There is an argument to show that it is simply looking to avoid another WikiLeaks Cablegate by creating more agency oversight -- and security -- for data stored on classified networks.

The executive order signed by President Obama creates a number of new inter-agency governing bodies that will work together to oversee the protection of classified information across federal agencies and departments. At the same time they will need to balance the needs of federal users that have permission to access it.

The order also makes federal organizations responsible for the sharing and protection of their classified information, as well as mandating that they designate a senior official to oversee these tasks.

In addition, agencies and departments must willingly provide information for independent assessments of their compliance with security policy and standards. They must also implement an insider threat detection and prevention program -- which is where the Insider Threat Task Force comes into play.

Additional to the task force, the executive order also sets up a series of committees to ensure agency compliance with the security measures and to facilitate interagency coordination. The Senior Information Sharing and Safeguarding Steering Committee will have overall responsibility for the new policies and be held accountable for department and agency compliance.

Senior officials from the Department of Defense (DOD) and the National Security Agency (NSA) will jointly act as a new Executive Agent for Safeguarding Classified Information on Computer Networks to develop technical policies and standards to protect classified information.

This Executive Agent will also be responsible for third-party assessments of agency compliance.

It's worth noting that, as officials were laying the groundwork for the new policies, the Insider Threat Task Force has been working informally since June of last year to clarify policies in several priority security areas. A number of departments and agencies already have standardized policies for removable media, limiting the number of users who are permitted to use such devices.

Administrators of classified systems have also enacted measures to strengthen online identity management policies and their ability to track the information being accessed by these users.

So, will the executive order stop sophisticated attacks by complex and targeted malware such as Stuxnet and Duqu? We believe this is debatable, but the use of augmented security layers -- such as privilege management -- can greatly assist in this regard.

With effective privilege management, IT professionals can control who has access to specific applications running on the corporate IT platform, as well as the underlying data.

As a result, if the admin team, for example, only run their control and security software from within the network perimeter on known PCs, access to those applications can be locked down to specific on-network and even on-workgroup computers.

Then, even if account credentials are compromised by hackers or other external (and unwanted) agencies, they cannot use those credentials from the Internet as they would still have to gain physical access to the terminals used by the admin staff.

This least privilege security methodology in turn translates into a least risk scenario, since the attack surface of the network is significantly reduced.
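The controls described above can be checked on an individual Windows host. The following PowerShell audit script is an added example written for this page; it is not Avecto's code or anything from the executive order. It assumes the allow-list of approved administrators is a constructed placeholder to be replaced with the organization's own, and that `Get-LocalGroupMember` is available (Windows 10 / Server 2016 or later). It reports three things a least-privilege baseline cares about: whether the current session is running elevated, which members of the local Administrators group are not on the approved list, and whether the "deny all removable storage" policy from the article's earlier paragraphs is in force.

```powershell
# Added example (not the article's or Avecto's own code): audit a Windows host for
# the least-privilege controls the article describes.
# Assumptions: $ApprovedAdmins holds constructed placeholder values;
# Get-LocalGroupMember requires Windows 10 / Server 2016 or later.

# Principals expected to hold local admin rights. Constructed placeholders:
# replace with the organization's real break-glass account and admin group.
$ApprovedAdmins = @(
    "$env:COMPUTERNAME\Administrator",   # placeholder: built-in local admin
    'EXAMPLE\Workstation-Admins'         # placeholder domain group
)

function Test-IsElevated {
    # True when the current process token carries the Administrators role,
    # i.e. the session itself is not running with least privilege.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-UnapprovedLocalAdmins {
    param([string[]]$Approved = $ApprovedAdmins)
    # Every member of the local Administrators group that is not on the
    # allow-list is a finding: an account that can bypass least privilege.
    Get-LocalGroupMember -Group 'Administrators' |
        Where-Object { $Approved -notcontains $_.Name } |
        Select-Object Name, ObjectClass, PrincipalSource
}

function Test-RemovableStorageDenied {
    # The Group Policy setting "All Removable Storage classes: Deny all access"
    # writes Deny_All = 1 under this key. Missing or 0 means removable media
    # (USB drives, writable discs) is still usable on this host.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
    $val = Get-ItemProperty -Path $key -Name 'Deny_All' -ErrorAction SilentlyContinue
    return ($null -ne $val) -and ($val.Deny_All -eq 1)
}

# --- report ---
Write-Host "Session elevated:         $(Test-IsElevated)"
Write-Host "Removable storage denied: $(Test-RemovableStorageDenied)"

$findings = @(Get-UnapprovedLocalAdmins)
if ($findings.Count -eq 0) {
    Write-Host 'Local Administrators group matches the allow-list.'
} else {
    Write-Warning "$($findings.Count) unapproved member(s) of local Administrators:"
    $findings | Format-Table -AutoSize
}
```

Run from an unprivileged session first: the script only reads group membership and a policy key, so `Session elevated: False` together with an empty findings list is the state the article's least-privilege argument aims for. Any account listed under findings is a candidate for demotion to a standard user, which is exactly the step the article says removes the bulk of exploitable vulnerabilities.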

In view of the looming elections, there is an argument that the Department for Homeland Security should take a leaf out of the security industry's best practices by adopting this least privilege approach. But just how should the White House go down this path?

Our observations are that the president needs to designate a senior official to oversee the project as well as implement an insider threat detection and prevention program on a multi-agency basis.

At the same time, the government and its agencies need to ensure their information is properly classified. They will also need to start researching -- if they have not already done so -- the many types of DLP (data leak prevention) technology available to today's businesses.

Along with regular self-assessments of current security arrangements -- as well as not being afraid to bring in external advisers -- this cannot help but engender a positive approach to data security in all its various shapes and forms.

What the U.S. government is finding, in common with many large corporations, is that the final step to ensuring good security is to implement a policy of least privilege. Doing this is actually easier than many IT professionals assume. Recent research has found, when analyzing published Windows 7 vulnerabilities, that up to 57% were no longer applicable when admin rights were removed. This compares with figures of 53% for Windows 2000, 62% for Windows XP and 55% for Windows Server 2003.

U.S. government departments should be happy with these statistics since it shows they can reduce the risk of data breaches by a huge factor just by making sure the operating systems are locked down with least privilege. After all, a standard user can do far less damage than an administrator -- and that is a lesson which all in the U.S. government have to learn quickly. We are all tired of reading the constant media stories about hackers and data breaches.

The tide has turned against the criminals in IT so let's keep it that way.


Copyright © 2012 IDG Communications, Inc.