From Audit Guidelines to Red Team Attacks
Interview with Former Air Force CIO John Gilligan, Part 2

Earlier this year, Gilligan - president of the consultancy Gilligan Group - led a consortium of federal agencies and private organizations in developing the Consensus Audit Guidelines that define the most critical security controls to protect federal IT systems and coauthored the influential Commission on Cybersecurity for the 44th Presidency report from the Center for Strategic and International Studies, a Washington think tank, that's helping shape federal government IT security policy.
In this second of a two-part interview with GovInfoSecurity.com Managing Editor Eric Chabrow, Gilligan explains the importance of the Consensus Audit Guidelines and how so-called red teams are critical in identifying vulnerabilities in government IT systems.
In the first part of the interview, Gilligan explains the importance of core configuration, and the challenges the government faces in expanding the program to other types of information and communication technologies.
Gilligan spent a quarter century in the government workforce, and also served as CIO of the Energy Department.
ERIC CHABROW: You led a consortium of public- and private-sector IT security experts who wrote the well-received consensus audit guidelines that were released earlier this year. Why are they important, and will they be widely adopted by government agencies?
JOHN GILLIGAN: That is certainly our objective that federal agencies would adopt the guidelines. The implementation of FISMA (Federal Information Security Management Act) often had tended to focus on paperwork artifacts for evaluating the adequacy of security. A lot of government managers became very frustrated that they were, in many cases, not really improving the security of their environments, in trying to comply with the expectations set by OMB and how to reflect their compliance with FISMA.
There is a really strong and growing recognition that the security challenges that we have require us to prioritize and to focus. There are a lot of fundamental challenges to trying to achieve significant improvements in our security, and you can't do everything at once. What we did, in the development of the, we are now calling it the "20 Critical Controls for Effective Cyber Defense," and then as a subtitle, "The Consensus Audit Guidelines." But the 20 critical controls were intended to be just that. We assembled individuals who were knowledgeable in the attack patterns, and defending against those attacks. We developed what would identify the controls that would be effective against those attacks. It just turned out the list expanded to 20, but 20 wasn't the number we were necessarily seeking.
Our very strong advice is to focus on these control areas first, not to say that there isn't the need for other control areas, or we would expect that the critical controls would continue to evolve, and as you get these 20 in place, and have a proven record of not only being able to have the controls, but having the automated implementation and enforcement, then you can move on to other things. Since these controls are linked to and effective against the attacks we are seeing, it just makes common sense to focus your energy on mitigating the attacks that we are seeing today. I think that is why they have been well-received.
The State Department has done a wonderful job in taking the 20 critical controls and mapping them against their historical logs of attacks, to see how well they align, kind of as an independent check. It turns out they align very nicely with their attack patterns, that is, the controls are effective against the attacks that they have actually seen over the last couple of years, and they have then extended this to say, "Alright, let's focus on developing measures and a dashboard that would allow us to get visibility of how effective we are in implementing these controls." They've got very enthusiastic about it because it gives them a focus rather than trying to cover everything. They said, "Well, let's focus on these areas and see what the benefits are over time, in terms of reduced success of attacks."
The biggest inhibitor to the consensus audit guidelines is the fact that the FISMA legislation, the guidance that has been issued by the National Institute of Standards and Technology (NIST) and then reinforced by the Office of Management and Budget to make the guidance actually mandatory, and the guidance is very comprehensive. The federal agencies are now in a bit of a quandary, saying, "Well, I've got the FISMA, and the NIST guidance that was produced to help us deal with FISMA. OMB, in the past, has said now it's all mandatory, and it's very, very comprehensive. What should I do? I think this consensus audit guidelines, 20 critical controls, really makes more sense for me, but am I going to find myself crosswise with those who are assigning grades to federal agencies?"
What we are doing now is working with the leadership in OMB and the Federal CIO Council community to have them exposed to this, get their comments, and then through the State Department, we are looking for other pilot implementations, to fairly quickly get a level of confidence that would, we hope, encourage OMB to say, "Alright, take the 20 critical controls, and let's focus our attention on those, sort of like the State Department has done."
CHABROW: To move on to a different area, what has been your experience with red teams, and how can they be efficiently implemented throughout government to assure IT security?
GILLIGAN: The red teams that are actually out there, testing the effectiveness of the security implementations, are enormously valuable. I generally put far greater emphasis on their reports than I would on reports that would be done, for example, on an analytical basis of looking at the security, based on certification and accreditation documents, etc. The point being that the systems and networks that we have are so complex that it is almost impossible, on an analytical basis, to be able to assess the security. You really need to do hands-on.
As you do hands-on, you follow the attack patterns that we are seeing from the outside, or even from the inside, and your red team members are kind of mimicking those attack patterns; then you get a pretty good sense of how good you are at being able to defend against those types of attacks. That gives us, today, the highest correlation to how good your security is.
The downside with the red teams is you are somewhat dependent on the skill of the individuals. In the Department of Defense, we rely very heavily on the National Security Agency, because they were so darned good, and we had the Air Force Information Warfare Organization, and they were quite good, as well. But, not all organizations in the federal government really have that skill level. That will be one of the challenges as we move forward, because the trend will be, in the near term, to kind of move in this direction, across the government, and maybe even in industry. We are going to have to find ways to leverage the skill base, expand the skill base that we have, to be able to deal with this.
Longer term, the hope is - and partially what we are seeing and advocating in the 20 critical controls is - you want to automate a lot of things. There are automated capabilities that are now becoming available. There is a project that was co-developed by the National Security Agency, the National Institute of Standards and Technology and the Mitre Corp. that goes by the title SCAP, Security Content Automation Protocol. It's really a fairly complex set of protocols, databases and configuration interfaces that allow you to implement, in a compatible way in automated tools, the types of checks that you would want to implement to be able to test for lockdown configurations, to do asset tracking and management, download patches, etc., and pull together scans, vulnerability scans from across perhaps multiple tools that will be used in different parts of your enterprise.
As those capabilities are more routinely integrated into automated tools, then the red team, the penetration type analysis can be more focused, because there are a lot of things that you will be able to validate through automated tools that are actually hands-on and testing the systems in a very rigorous and a continuous manner. We have a need to really use this type of red team evaluation to get a more true sense of how good our security is.
CHABROW: Looking at red teams, do you foresee an interdepartmental or interagency organization that would provide these kinds of services, or should each of the agencies develop their own teams?
GILLIGAN: In the short term, the Department of Defense probably has enough organic capabilities within the various parts of the department; DISA (Defense Information Systems Agency) has a strong cadre of expertise, and the services do. Clearly, the National Security Agency has probably got the biggest cadre. The Department of Defense, which is by size about half of the federal government, is reasonably well addressed with current capabilities. The challenges are in the civil side of government, where you have some capabilities in the Department of Homeland Security, the Department of Energy and Department of Justice, but other agencies really have just not had that expertise.
In the short term, my personal recommendation would be that capabilities in the Department of Defense, to include the National Security Agency, augment and help the other federal agencies to begin to develop their rich capability, and be able to do red teaming. I think there are some contractors that are capable of doing this, but not a lot, so you need to be a bit careful in going to contracted support, because, as I indicated, not all of the people's qualifications are equal. There are some that are quite good. I think a mix of leveraging the current capabilities we have in DOD and other federal agencies like the Department of Energy, Department of Justice and DHS, and perhaps using those organizations to help bring in and augment with some contractors, carefully selected, I think makes perfect sense.