Military Information Technology - August 2010 - Issue 14.7

INDUSTRY INTERVIEW: U.S. Department of Homeland Security

Steve Cooper, ForeScout

Steven Cooper
First CIO
U.S. Department of Homeland Security 

Steven Cooper served as special assistant to President Bush and senior director for information integration in the White House Office of Homeland Security in 2002, and as the first chief information officer at the Department of Homeland Security in 2003. In this interview, Cooper discusses the importance of the Access Control Security Technical Implementation Guides (STIGs) developed by the Defense Information Systems Agency (DISA), the Federal Information Security Management Act (FISMA) and the Federal Information Processing Standards (FIPS) developed by the National Institute of Standards and Technology (NIST), and the new Consensus Audit Guidelines (CAGs) developed by the SANS (SysAdmin, Audit, Network, Security) Security Training Institute.

Q: Who developed the SANS CAGs and what purpose do they serve?

A: In February 2009, a group of U.S. government agencies—NSA, US-CERT, various Department of Defense computer security groups—and the SANS Institute put out a list of “top 20 controls” that was subsequently published as the CAGs. John Gilligan, who chaired the effort, has been a pillar of the community for years. Alan Paller, with the SANS Institute, was very helpful in support of our early information security efforts at DHS and has helped in the development of this list.

The CAGs’ first recommendation is that companies keep a dynamic inventory of authorized and unauthorized hardware accessing their networks to reduce network attacks via unprotected systems. Having a whitelist and inventory of authorized and unauthorized software is also high on the list. The CAGs are scheduled to undergo pilot implementations this year and have a “high probability of becoming a common set of controls” for private industry.

Q: Why is “Inventory of Authorized and Unauthorized Devices” at the top of the control list?

A: Without an inventory, you cannot hope to proceed. I strongly feel that any security effort, or for that matter most any IT effort, has to start with an accurate understanding of what the ground truth is. That is totally dependent upon an accurate inventory of your networks, attached devices—including wireless—and all hardware and software in use.

Q: How do the CAGs compare with the DISA access control STIG?

A: The CAGs state you must take inventory of authorized and unauthorized devices. The DISA STIG for access control takes it a step further and states that device access must be controlled at the switch port: “Network ports should be both physically and logically secured to prevent unauthorized access to the DoD enclave”; and “Both unclassified and classified networks require the implementation of a logical network port security solution.” Not all NAC solutions are alike, so you need to be sure that if you are implementing a NAC solution, it meets this fundamental requirement outlined in the STIG.

Q: Don’t all access control solutions provide this capability?

A: Unfortunately, no. Some NAC solutions require the deployment of 802.1X to provide port-based access control. Many organizations have yet to deploy it or are not in a position to deploy it, and therefore look to fulfill the STIG requirement using port-based solutions that are not 802.1X-dependent.

Q: So the key is to control access at the switch port?

A: Yes. The key is to do it in a scalable way without blowing your operations budget. Agencies can meet this requirement through “port-based security,” whereby an individual asset is associated with a specific switch port. This type of security is extremely resource-intensive to maintain, because the network administrator needs to manually modify switch configurations anytime a device is added or moved. Also, the drawbacks of this approach are highlighted in the DISA STIG: It is very easy for someone to spoof an individual machine address and connect to the network, thus bypassing this type of solution.

Q: Are there products or educational resources that can help IT staff embrace and apply these recommendations today?

A: Absolutely. In fact, the Army has an approved product list that identifies the access control products that have been tested, proven and certified to work “as advertised.” It’s called the Army Information Assurance Approved Products List [AIAAPL]. One such tool is CounterACT from ForeScout Technologies, a NAC appliance that does many of the things described above [and other things, as well].

Q: If our readers want to learn more, where can they go?

A: For military, I’d start with the AIAAPL “recommended list of products.” IT staff are asked to trust and use only those solutions that have been certified and added to the list, so this will save you some time. I also recommend visiting sans.org to learn more about these latest security controls. And, of course, the DISA STIGs and FISMA FIPS documentation offers a wealth of information. Both can be found on the Web at http://iase.disa.mil/stigs/stig/index.html and http://csrc.nist.gov/groups/sma/fisma/index.html.
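An added example, not code from the interview, ForeScout or any of the guidance cited above: a small Python check that reconciles a switch's learned MAC-address table against an authorized-device inventory, which is the mechanical core of the CAGs' first control and of the STIG's port-to-asset association described earlier. It flags addresses missing from the inventory, assets that have appeared on a port other than their assigned one, and one address learned on several ports at once, the symptom a defender would watch for given the spoofing drawback the interview notes. The inventory, port names and the three-column table format are constructed assumptions.

```python
# Constructed sample inventory (assumption): MAC -> (asset label, assigned port).
AUTHORIZED = {
    "00:1a:2b:3c:4d:01": ("ws-finance-01", "Gi1/0/1"),
    "00:1a:2b:3c:4d:02": ("ws-finance-02", "Gi1/0/2"),
    "00:1a:2b:3c:4d:03": ("printer-3f", "Gi1/0/3"),
}

# Constructed sample MAC table, one learned address per line: "vlan mac port".
MAC_TABLE = """\
10 001a.2b3c.4d01 Gi1/0/1
10 00:1a:2b:3c:4d:02 Gi1/0/7
10 00:1a:2b:3c:4d:03 Gi1/0/3
10 00:1a:2b:3c:4d:03 Gi1/0/9
20 de:ad:be:ef:00:01 Gi1/0/12
"""

def normalise_mac(raw):
    """Accept 'aa:bb:..', 'aa-bb-..' or Cisco-style 'aabb.ccdd.eeff'; return 'aa:bb:..'."""
    digits = "".join(ch for ch in raw.lower() if ch in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def parse_mac_table(text):
    """Yield (mac, port) pairs from whitespace-separated 'vlan mac port' lines."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 3:
            yield normalise_mac(fields[1]), fields[2]

def reconcile(table_text, authorized):
    """Compare what the switch has learned with what the inventory allows.

    Returns a list of (mac, port, reason) findings; an empty list means the
    table matches the inventory exactly.
    """
    findings, ports_seen = [], {}
    for mac, port in parse_mac_table(table_text):
        ports_seen.setdefault(mac, set()).add(port)
        if mac not in authorized:
            findings.append((mac, port, "unauthorized: not in inventory"))
        elif authorized[mac][1] != port:
            label, assigned = authorized[mac]
            findings.append((mac, port, f"moved: {label} assigned to {assigned}"))
    # One address learned on several ports at once is a classic spoofing symptom.
    for mac, ports in ports_seen.items():
        if len(ports) > 1:
            findings.append((mac, ",".join(sorted(ports)), "possible spoofing: seen on multiple ports"))
    return findings
```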
