Greater Malware Threats Demand Greater Federal Agency Vigilance
Information technology security is an unending challenge for both the private and public sectors. Private sector firms have their own security protocols and commercial motivations to ensure security -- as well as the obligation to meet appropriate government regulations.
Federal agencies not only have to worry about operational difficulties that stem from security breaches, but also about meeting the requirements of the Federal Information Security Management Act of 2002 (FISMA). The act requires federal departments and agencies to perform periodic security assessments; provide information security training to employees and contractors; and implement policies and procedures to reduce security risks to an acceptable level.
IT vendors supplying hardware and software to federal agencies also have to be aware of FISMA requirements and other government-related security measures.
A currently vexing federal security issue is detecting and stopping malicious attacks on computer networks. Malware, or malicious code, is a common tool for breaching computer networks. The National Institute of Standards and Technology (NIST), an agency within the U.S. Commerce Department, has just issued a draft updated guidance document for dealing with such attacks.
NIST issued the guidance in response to a FISMA directive to the agency to continuously assess and develop federal IT security standards. NIST is seeking comment from the IT community -- both public and private -- on the guidance.
"Malware threats in the past tended to spread quickly and were easy to discover," said Karen Scarfone, a contributor to the NIST draft. "But today's malware threats are stealthier, specifically designed to quietly, slowly spread, gathering information over extended time frames and eventually leading to loss of sensitive data and other problems," she said.
NIST's draft on Intrusion Detection and Prevention Systems (IDPS), describes software that has become a necessary addition to the security infrastructure of many organizations. IDSPs record information about observed security-related events, notify security administrators of the events that should be analyzed further, and produce reports for evaluation. The draft addresses four types of IDPS technologies: network-based, wireless, network behavior analysis and host-based.
NIST's general recommendations call for federal agencies to do the following:
- Adopt an approach to malware prevention based on the attack vectors that are most likely to exist within their operating environment;
- Implement awareness programs that include guidance on incident prevention, including the ways that malware enters and infects hosts and the importance of users in preventing incidents;
- Develop vulnerability mitigation capabilities to help prevent malware incidents including security automation technologies with checklists, patch management and "host hardening" measures;
- Utilize measures to detect and stop malware before it can affect its targets, including the use of antivirus software; intrusion prevention systems, firewalls, content filtering and inspection; and application white listing.
In addition, federal agencies should alter the defensive architecture of their hosts' software to help mitigate incidents that still occur. This includes using isolation techniques such as browser separation and other segregation measures. All federal agencies "should have a robust incident response process capability that addresses malware incident handling," NIST said.
Don't Forget Desktops and Laptops
"IDPS for wireless is an important type for all organizations to have because of the growth of mobile devices and employees' desire to use their own wireless device for work," said Scarfone.
While many agencies and companies are going mobile, it is still critical to protect desktops and laptops, NIST said in releasing a separate draft of malware guidance addressing such computers. It gives background information on the major categories of malware that afflict desktop and laptop computers, and it provides practical guidance on how to prevent malware incidents, and on what to do when a system is infected.
The NIST guidance updates for IDPS, desktops and laptops should not result in major changes in agency procurement of IT solutions, but should simply serve as awareness documents related to increasing malware threats.
"NIST is a non-regulatory agency and does not require or track agency cybersecurity implementations," Murugiah Souppaya, research associate at NIST's computer security division, told the E-Commerce Times.
"Based on our discussions with agencies and the results of the open comment period, we hope to validate our understanding that adopting the new guides will not lead to overhauls of existing systems," he said.
NIST hopes to get feedback from a wide range of government, commercial and other organizations.
"This helps to validate that our recommendations are sound for all organizations, regardless of sector, size, or composition," Souppaya said.
Smaller Targets Curb Attacks
One industry source likened NIST's approach to that of general guidelines for good health: a prudent diet and regular exercise, with the NIST documents both informative and useful at a basic security level.
"I think the recommendations start from the wrong end of the problem," Tim Keanini, chief research officer for nCircle, told the E-Commerce Times.
"While intrusions are inevitable and agencies need to detect them, making the target surface as small as possible prior to intrusions is a far more important strategy because it raises costs to attackers, making intrusions far more difficult," he said.
"To be successful, malware has to find a point of entry. While it may seem like we can never completely secure every possible way to exploit a machine, the sad news is that most malware attacks exploit well known, easily detectable vulnerabilities," Keanini added.
"This means that we need to become far more diligent about security basics and put at least as much focus into about shrinking the target surface through automation as we do in detecting and responding to threats," he explained.
"Targeted attacks that leverage advanced malware and 'weaponized malware' are on the rise and getting more sophisticated by the day," Andrew Hoerner, director of product marketing for the network security business Unit at McAfee, told the E-Commerce Times.
A proactive approach to network security is preferable to a reactive approach, he agreed. "By the time the attack code crosses the wire, it is too late."
In terms of the NIST initiatives, McAfee supports a proactive, collaborative approach between the private and public sectors that utilizes the strongest strategies and action plans to address cybersecurity, Hoerner said.
"We believe information sharing and, ultimately, codifying federal requirements can help meet both current and future challenges in these areas," he concluded.
NIST is seeking comment on the malware draft documents by Aug. 31.
"Hardware and software must work together in order to have an effective defense," Keanini said. "Vendors can supply the technology, but unless the agency's IT security staff understands the guidance, implements the technology appropriately, and strives to constantly refine and adapt their security processes to combat evolving threats, the security features in hardware and software don't mean very much."