Dangers of Software Customization ExposedIgnorance is Not Bliss When Programs Get Tailored
"After software is introduced into an enterprise, it almost immediately begins to get customized by the user, and especially over the lifecycle of a piece of software, the people who are customizing that frequently don't know what they are doing," Robert Lentz said in an interview with GovInfoSecurity.com (transcript below).
"What ends up happening is you continue to then create more problems, you lose control of the software even more than when you first had it, and as a result, you now have a situation where you have got a leaky ship on your hands with lots of vulnerabilities that could be sources of attack vectors for the adversary," said Lentz, who retired from government service last year after spending most of the first decade of the 21st century as the Defense Department's deputy assistant secretary of defense for information and identity assurance.
The solution isn't not to customize software, Lentz said, but to implement a rigorous process to assure security standards are met as soon as the software is installed.
In the interview with GovInfoSecurity.com's Eric Chabrow, Lentz also addressed the:
- Failure of an organization's top leaders from recognizing the strategic importance of IT security;
- Benefits of an enterprise approach to cybersecurity; and
- Need to adopt the latest information security technology.
Before moving to the Pentagon, Lentz spent more than a quarter century with the National Security Agency in the areas of financial management and technical program management. He is a graduate of the National Senior Cryptologic course at the National Cryptologic School, Federal Executive Institute and the Resource Management course at the Naval Postgraduate School. He earned a bachelor degree in history and political science from Saint Mary's College of Maryland and a master degree in national security strategy from the National War College.
ERIC CHABROW: A year ago, you characterized 2009 as a tipping point, saying the reality is that bad guys are going to be in our networks and officials have to figure out how the best way to detect and contain the threats. How has the situation changed in the past year?
ROBERT LENTZ: Well, the situation really hasn't changed that much except I think awareness at the leadership level is much higher. Leaders in many of the key sectors are more sensitive to cyber threats, but in reality there is only a small percentage that are really walking the talk.
Not very many really understand it at a very sophisticated level and unfortunately we really aren't galvanized around putting in place the right architectures, the right standards, the right technologies and as we called it within the Department of Defense when I was there, tactic, techniques and procedures, to be able to deal with it. We are just limping along hoping government and also outside government since I left made that point in 2009.
CHABROW: Why do you suspect that there are people who talk the talk but they don't necessarily walk the talk?
LENTZ: It's a combination of problems. The first one, of course, is resources. The reality is that people are still hoping that we can accomplish good information assurance on the cheap - with relatively in some cases - some of the better companies modest amounts of money and a lot of other companies and enterprises a small amount of money. They still look at it as a purely IT problem and not really a problem that really can very easily take over the entire operations of a company or an enterprise so it really needs to be much bigger than the way it is being treated.
The second reason is governance. It is still problematic that people who are in the security line of business, or the cybersecurity field, or not really in most cases at the boardroom. They are not sitting beside the CEOs and the chief financial officers are going back to that first point and as a result being not in the boardroom they really are not involved in the day-to-day decision making, strategically and tactically. In lacking that visibility and influence of the boardroom, there is an inconsistency in terms of overall governance.
CHABROW: I was covering a hearing in Congress in which Greg Wilshusen, who covers IT security issues for the GAO, and others were saying something like 90 percent of IT could be secured if people would just follow processes. Now people at the hearing, and I don't think Wilshusen would disagree that there is still a need for additional funding, said a lot could be done that isn't being done (without additional funding). Do you agree with that?
LENTZ: No, I don't completely agree to that. I do agree with the point that we could do a lot more if we just follow policies and processes, if he means by processes he really means policies to a large degree, I think we can accomplish a lot. But, as we said from the beginning, a good information assurance cybersecurity strategy is one that has to be done via technology, via policy, good people, education and training, strategies and good operations/processes. So all of those have to work together and you can't do one without the other.
I always go back to the analogy; I think cybersecurity is very much like the automotive industry in its evolution. You could almost write a parallel column just on its evolution and the only difference is the automotive industry had decades to deal with the kinds of safety issues that were plaguing the industry in the '60s and '70s, and we don't have that time period because technology and the threats are moving 10 times faster, if not 100 times faster.
The reality is, if we just had good policies, people put on their seatbelts and people followed the speed limits and people stop at intersections and people pay attention to turning on their signals, and all of these good safety features, yeah, we would all have a lower accident rate and a lower fatality rate, but that still wouldn't cure the problem. You need to put better technologies in place, in many cases to take the human out of it because you have to move faster and you have to act quicker.
So it's people false hope to go ahead and have better cybersecurity just by following different policies. You need to invest in new technologies and at the same time you need to invest in training people and getting that education pipeline going.
CHABROW: Okay, so for cybersecurity, what are the technologies and where should the money be spent?
LENTZ: Like the old architectural saying of defense in depth, one of the architectural nuances that we started to adopt in DOD while I was still there is a play on that a little bit; we called it defensive breadth, which is really implementing a wide range of technologies and techniques and processes and quality improvements across all aspects of the architecture.
To one degree, we continue to attack the problem as if the bad guys we can prevent them from getting in completely and the reality is that's not the case anymore. We have to realize that preventing the bad guys from getting in is an impossible dream so we have to be able to come up with a dynamic defense capability in architecture and we have to implement these tools and technologies to not only have better situational awareness in a much quicker fashion, much further out in the network.
You have to have that situational understanding so you can be proactive in terms of understanding where attacks are coming from and from understanding what attacks are occurring inside the network and deal with them accordingly, to include in a very important part is containment of those attacks. It is absolutely critical that we continue to invest in the latest technologies to give us an advanced warning in the advanced persistence on the network to be able to contain and in some cases eradicate these threats and these vulnerabilities before they occur.
The other important nuance, which is a very, very important one, is that we continue to focus on the network layer, when in fact there is so much more that we can do in a proactive fashion and a preventative fashion just by doing good software assurance.
One of the things that we have always talked about, again to that point of not walking the talk, about good application security from the beginning, good code reviews and good parody at the code level, we just are not doing that. We decentralized that responsibility so much that there is so much customization going on, even with critical missions, that as a result we really don't have a solid foundation at all for which to add a lot of these other technologies onto the network layer, but the reality is your foundation is as weak as can be and/or it makes it awful difficult to be able to fight that war just at the network layer.
There needs to be a lot more emphasis at the application level, on top of putting those other techniques I was talking about, up and down the, as you call it the ISO stack, from the physical network layer all the way up to the applications level and working up and down. And, you have to be able to make all of those capabilities dynamic in real time.
CHABROW: When you were talking about customization and it sounded as if you felt that might not be a good thing when it comes to information security. Can you explain that?
LENTZ: What frequently happens is when software is produced, many people are under the view that when software comes into an enterprise that first of all you have got to make sure that software coming in is, in fact, meeting the security standard that you are looking for.
What ends up happening is that after a software is introduced into an enterprise it almost immediately begins to get customized by the user, and especially over the lifecycle of a piece of software, the people who are customizing that frequently don't know what they are doing and they sometimes contract out to third parties to do that customization and they aren't held to a certain standard and they oftentimes don't know what they are doing.
What ends up happening is you continue to then create more problems, you lose control of the software even more than when you first had it, and as a result, you now have a situation where you have got a leaky ship on your hands with lots of vulnerabilities that could be sources of attack vectors for the adversary.
You have to be able to start by implementing very, very good secure software from the beginning with a rigorous process and then you have to follow that up by implementing the cybersecurity architectures that are the most advanced that we know about today and will be constantly changing and being modified as we understand the attack vectors. And then those things working together with a well-educated and well-trained workforce can make a difference.
CHABROW: The answer is not necessarily not to customize but to have processes in place to assure that safe cybersecurity is being implemented as these applications are modified?
LENTZ: That's right. As they are being fielded and as they are being modified, you have to make sure you have a rigorous process that all the checks and balances are being put in place to make sure it is still meeting those security standards that you hopefully put in place right from the beginning.
CHABROW: And the cost in that is having sufficient people along the way to assure that's what's happening, in addition to training people to do it?
LENTZ: It is a combination of training people to do it; it is a combination of having the right processes; you could have third-party resources available to do that as long as those third-party resources are certified and are held accountable; and you have to have the most advanced techniques to be able to do that.
You know the state of the art in this area is improving every day just like it is in the other areas of cybersecurity, and you have to make sure that you are using an as automated technique as possible because obviously the challenge is that it costs money and it costs time. None of us have that in complete availability, so you have to implement it as smartly as you possibly can.
But it has to be done; that's why I am a big supporter when I was in DOD and we put in a three-tiered process dealing with mission critical systems and applications and services, and mission essential was the second tier and then administrative mission support was the third tier, and you have to, at minimum, even though it is important to cover all of those areas because the adversaries will seek to exploit the lower level to get to the higher level, but at minimum you have to make sure you lock down the upper tier or you are just asking yourself for greater risk and trouble.