The Public Eye with Eric Chabrow

Red Teams: Not an End-All

Red-team hacking of government systems requires hard, meticulous work. And lots and lots of planning.

As Congress mulls legislation to require civilian agencies to use red teams to hack federal IT systems to identify vulnerabilities, I turned to Tony Sager, chief of the National Security Agency's Vulnerability Analysis and Operations Group, to find out how effective red team assaults are in identifying vulnerabilities. Sager's group assesses vulnerabilities of IT systems within the military and intelligence communities.

The takeaways from our talk: 1) extensive negotiations between the red team and the agency identify the specific vulnerabilities to be tested; 2) red teaming is labor intensive, requiring the work of about a dozen highly qualified individuals; and 3) red-team hacks are part of the solution for identifying vulnerabilities, not an end-all.

"We try not to think of things like red and blue as abstract things, they're part of a process of improvement," Sager says. "Just getting a red team report doesn't mean that the wisdom of the ages is revealed to you, that all of a sudden, life is good.

"You need to think about it as part of a data point, to help improve the security of this. I would emphasize ... that there's a lot of planning. The more upfront work you do to negotiate the objectives, the more valuable the output would be in the end."

In the next few days, we'll post the audio of my conversation with Sager.



About the Author

Eric Chabrow

Retired Executive Editor, GovInfoSecurity

Chabrow, who retired at the end of 2017, hosted and produced the semi-weekly podcast ISMG Security Report and oversaw ISMG's GovInfoSecurity and InfoRiskToday. He's a veteran multimedia journalist who has covered information technology, government and business.



