[ISN] Insider Threat

From: InfoSec News (alerts@private)
Date: Fri Nov 02 2007 - 00:21:44 PST


http://www.governmentexecutive.com/features/1107-01/1107-01s1.htm

By Jill R. Aitoro  
Government Executive  
November 1, 2007  

Controlling who gains access to what on computer networks is vitally 
important and devilishly hard. Success stories can help.

In February 2001, the FBI arrested one of its own veteran 
counterintelligence agents, Robert Philip Hanssen, for providing 
classified information to Russia and the former Soviet Union. Hanssen 
gave up more than 6,000 pages of documents, most of which he pulled from 
the FBI's own computers.

Such an audacious breach might seem impossible in this post-Sept. 11 era 
of system lockdown, but the conditions that permitted it persist.

The FBI continues to have major weaknesses in its critical computer 
network. It still fails to properly identify and authenticate users or 
consistently configure network devices and services to prevent 
unauthorized insider access, the Government Accountability Office 
reported in April (GAO-07-368).

And the FBI isn't the only agency with vulnerable networks.

GAO also found in September that the Veterans Affairs Department, which 
reported two high-profile security breaches in 2006, has not fully 
completed 20 of 22 IT security recommendations that its inspector 
general made a year ago. VA failed to adequately restrict access to 
data, networks and facilities or to ensure that only authorized changes 
and updates to computer programs were made, according to the report 
(GAO-07-1019).

The same story has played out across government: The absence of proper 
security processes and technologies allows computer users to wander 
through agency networks virtually unimpeded. Most inside users have no 
malicious intent; a few have interests that range from criminal to 
prurient. So far, few have had espionage in mind. But the inability to 
control access to sensitive data creates holes for nasty insiders and 
outsiders to slip through. So much so that Input, a Reston, Va.-based 
research firm, expects federal agencies will spend nearly $350 million 
on technology to manage identity and access in 2008.

In the first six months of 2007, 26 percent of all data breaches with 
the potential for identity theft hit the government sector. It was 
second only to the retail sector in the number of identities exposed on 
its systems, security vendor Symantec found.

The cause of such lapses isn't a lack of proper technology. Rather, 
"agencies have to start looking at programs holistically," says Karen 
Evans, administrator of e-government and information technology at the 
Office of Management and Budget. "They should be looking at how they can 
reduce risk and still allow people to access information and services."

Homeland Security Presidential Directive 12, issued by President Bush in 
2004, has raised awareness of the importance of identity management. 
HSPD 12 requires an identity credential for every federal employee and 
contractor who logs on to a government network. Though it will control 
who can log on, once a user is online, the ID does little to regulate 
access to the drives, files and databases in the network, critics say. 
It's like having a security guard check visitors' identities at a 
building entrance, but failing to control where people go once inside.

Government networks are notoriously complex and unknown holes are hidden 
throughout. The Information Systems Security Line of Business, the 
e-authentication presidential initiative and the 2002 Federal 
Information Security Management Act provide hints about how to control 
access once users are logged into a system, but agencies must determine 
the best approach.

Some have rolled out their own initiatives to safeguard data. Examining 
these efforts provides tips and guidance for other agencies. Here's a 
look at three lessons learned by agencies trying to manage identities to 
control where users go on a network.


Lesson 1: Consolidate Access Control

Traditionally, access controls exist at the level of software 
applications, such as a Web portal developed in Oracle's business 
software suite, for example. But application-based controls create a 
fragmented environment that is a nightmare to manage and can open 
numerous doors for unauthorized users.

"Agencies have a patchwork of processes and technologies that they have 
put in place over many years to provide access control to their critical 
data," says David Troy, the identity management solutions practice 
leader at EDS, an IT systems integrator headquartered in Plano, Texas. 
Without centralized management, changes in access rights have to be 
entered individually into each software application and security tool on 
the system. "The result is very lengthy delays for providing or changing 
access rights, and an inability to remove those rights in a timely 
fashion, if at all."

By taking a centralized approach to identity management, Troy says, 
agencies can automate and accelerate the process. The Housing and Urban 
Development Department offers an example. Until this year, the 
department relied on e-mail to inform managers which employees or 
contractors had access to which networks, files and databases. Because 
neither workflow procedures nor approval processes were automated, the 
system was unwieldy and imprecise. "It was difficult to get any real 
picture of where accesses were because processes were all over the map," 
says Patrick Howell, HUD's chief information security officer.

The department hired EDS to develop an automated identity management 
system, now dubbed the Centralized HUD Account Management Process. EDS, 
relying on Unicenter Service Desk from Islandia, N.Y.-based business 
software vendor CA, developed a single entry point for managers to 
submit new accounts, modify existing accounts, and approve or revoke 
access to HUD business applications. The system allows the department to 
ensure that only authorized users gain access to sensitive information.

When a new employee or contractor is hired, a user ID must be generated 
and stored in the Active Directory record and e-mail account. A manager 
routes a request for access to a security officer in charge of the 
specific application that the employee or contractor needs. No steps can 
be skipped in the routing process, and each task manager's actions can 
be audited to check who approved what when. The audit allows for strict 
oversight.

An employee or contractor with an account can get access rights to 
another area on one of HUD's networks only by logging on to the HUD 
intranet, entering data about his or her role and explaining why access 
is needed. If the request is approved, a custom work order is generated. 
"There has to be a system to help manage the huge number of systems and 
users and the continual churning in rights and levels of access 
required. Without that system, you just continuously chase after 
problems," Howell says.
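As an added illustration of the centralized approach described above (example code written for this page, not HUD's or EDS's system; the step names, actors and application are constructed): a single account manager that refuses to skip approval steps, records who approved what and when, and can revoke every right a departing user holds in one call, the "timely removal" Troy says fragmented, per-application controls make so hard.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

STEPS = ("submitted", "manager_approved", "app_officer_approved", "provisioned")  # constructed workflow


@dataclass
class AccessRequest:
    user: str
    application: str
    justification: str
    step: int = 0          # index into STEPS


class CentralAccountManager:
    """Single entry point for granting, auditing and revoking application access."""

    def __init__(self):
        self.entitlements = {}   # user -> set of applications currently granted
        self.audit = []          # (timestamp, actor, action, user, application)

    def _log(self, actor, action, user, application):
        stamp = datetime.now(timezone.utc).isoformat(timespec="seconds")
        self.audit.append((stamp, actor, action, user, application))

    def submit(self, user, application, justification):
        req = AccessRequest(user, application, justification)
        self._log(user, STEPS[0], user, application)
        return req

    def advance(self, req, actor, to_step):
        """Move a request forward exactly one step and record who acted."""
        if req.step + 1 >= len(STEPS) or to_step != STEPS[req.step + 1]:
            raise PermissionError(f"{to_step!r} is not the next step for this request")
        req.step += 1
        self._log(actor, to_step, req.user, req.application)
        if to_step == "provisioned":      # rights exist only once the workflow completes
            self.entitlements.setdefault(req.user, set()).add(req.application)

    def offboard(self, user, actor):
        """Revoke every right the user holds in one operation and audit each revocation."""
        removed = sorted(self.entitlements.pop(user, set()))
        for app in removed:
            self._log(actor, "revoked", user, app)
        return removed

    def approvals_for(self, user):
        """Answer 'who approved what, when' for one user from the central trail."""
        return [(t, a, act, app) for t, a, act, u, app in self.audit if u == user]
```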


Lesson 2: Train, Train, Train

Identity management means more than a smart card standard for entering 
buildings and networks. It also includes detailed policy and oversight 
to enhance collaboration among employees and contractors within and 
among agencies.

The goal is a secure validation process that makes it easy for users to 
move through a network to quickly access information. But agencies' 
disparate systems and requirements frequently make negotiating networks 
arduous and complicated. For example, one agency might define a Top 
Secret security clearance differently from another, making it difficult 
to clearly specify in a user's profile where he or she is permitted to 
go within a network.

"If there are three entities that have to speak to one another, they 
need to bring the network to the lowest common denominator in terms of 
access," says Ray Bjorklund, chief knowledge officer at McLean, 
Va.-based market research firm Federal Sources. "But what if that 
impacts the success of the collaboration [because] classified 
information is suddenly not available? Those are the types of issues 
that are holding up progress. The 'need to know' issue comes into play. 
How do you deal with policy and the cultural change?"

That's the quandary the Health and Human Services Department faces. HHS 
must share data not only within the department and with other agencies, 
but also with private health care organizations. In May 2001, Jared 
Adair, then deputy chief information officer of the Health Care 
Financing Administration (now the Centers for Medicare and Medicaid 
Services), told Congress about the challenges Medicare faced.

"By law, Medicare fee-for-service claims are processed by about 50 
private sector insurance companies that each have their own business 
processes and variations in the use of Medicare claims processing 
software, which we are responsible for overseeing," she said. "From a 
technology standpoint, such decentralization requires that we transmit 
data with contractors to ensure that we bring together up-to-date 
information on eligibility, enrollment, deductibles, utilization and 
other potential insurance payers. We also must share eligibility and 
managed care enrollment data with the approximately 540 managed care 
plans providing services to Medicare beneficiaries."

To balance the need for access with the conflicting need to secure data, 
CMS developed custom training tools for managing who can see and use 
data and ensuring that government personnel and business partners 
followed proper procedures. Users must participate in computer-based 
training when initially issued a CMS user ID and then every year when 
their IDs are certified.

The CMS Information Security Program policy governs operation and 
safeguarding of information systems; the Business Partners System 
Security Manual addresses information security for those in the private 
sector. Ongoing program memos also provide day-to-day operating 
instructions, policies and procedures to ensure everyone follows proper 
protocol.


Lesson 3: Develop in Phases

Methods of identity management are almost infinitely variable. Some 
require two-factor authentication with a common access card and personal 
ID number. Others require a biometric iris scan. The frequency with 
which the system checks digital certificates - the blocks of data used 
to uniquely identify people over networks - might be standardized across 
an agency or managed by the group assigned to a specific area on the 
network or even at the employee level.

IT managers must figure out how to manage such details and be willing to 
adjust along the way. For example, the Defense Department used to save 
all revoked employee certificates in a database application against 
which the network could check new users. As the list grew, so did the 
demand for bandwidth. With help from contractor BearingPoint, Defense 
moved to online certificate verification, easing the burden on the 
system.

"HSPD 12 set a lowest common denominator - a background check tied to a 
credential or identity," says Gordon Hannah, managing director of the 
Public Services Security and Identity Management Group at BearingPoint, 
an IT consultancy based in McLean, Va. "That establishes a baseline 
level of trust. With the technical capability there, policy becomes the 
bigger issue. Agencies need to think in terms of a phased [rollout] with 
solid change management principles. At the end of the day, this is a 
fairly large undertaking that touches everyone."

Defense issued smart cards over three years, followed by a phased 
approach that started with digital signatures on e-mail. The digital 
signatures then could be used as master keys for gaining access to other 
applications on the network and encrypting data sent over the Internet. 
Controls on the back end were then able to establish groups with common 
attributes. Defense will take a similarly gradual approach to adopting 
HSPD 12 IDs, issuing replacement cards to employees only when the ones 
they hold expire. That allows Defense to transfer and supplement data 
maintained on the cards in installments. Iris scans and fingerprints are 
among the additional identifiers that Defense expects to store on HSPD 
12 smart cards.

Similarly, the Navy implemented identity management with single sign-on 
capability that allows individuals to access multiple computer platforms 
and applications after being authenticated once. The department first 
rolled out single sign-on to the Space and Naval Warfare Systems 
Command, which manages Navy IT systems, to improve secure communication 
between ships and shore bases. The Navy now is extending single sign-on 
through the Navy Knowledge Online Web site, which serves more than 
480,000 officers and enlisted personnel.

The step-by-step approach was born of caution, says Robert Carey, the 
Navy's chief information officer. "The larger issue is not getting 
liquored up about cool technology, but [instead] making sure it 
adequately meets the need of the stated requirement." ID managers also 
shouldn't lose sight of the limitations of the current system in their 
zeal to implant new methods, he says.

Identity management is complicated. Implementation should be gradual and 
strategic, moving from application to application to determine the 
sensitivity of the information in each, and person by person to 
determine what information needs to be made available to whom. In the 
long run, OMB's Evans says, agencies should weigh what they're trying to 
accomplish against the level of risk they're willing to manage.

