Hacking to Secure Government IT Security

Civilian Agencies Eye Red-Team Testing
The idea of employing red teams to test vulnerabilities of IT systems in civilian agencies is being kicked around a lot at both ends of Pennsylvania Avenue, as the government seeks better ways to secure information systems.

But several experts question whether there are a sufficient number of properly trained IT security folks who can perform these friendly hacks. "That will be one of the challenges as we move forward," says former Air Force CIO John Gilligan, who as a consultant remains active in working to secure government IT. "We are going to have to find ways to leverage the skill base, expand the skill base that we have, to be able to deal with this."

The military and intelligence communities have employed red-team testing for years, and have developed their own teams, such as those housed at the Vulnerability Analysis and Operations Group at the National Security Agency. The group recruits about two-thirds of its red team members from the military.

"Our workforce is a mix of military and civilian, all government employees; we do have some contract help in some of the infrastructure and pool development," says Tony Sager, the group's chief. "That makes us an anomaly in the DOD and the intelligence community, that we are entirely government employee and military, uniformed or civilian."

But as FISMA reform moves through Congress and President Obama builds his new White House cybersecurity team, and given the demand for better ways to judge IT security safeguards, the government will need to establish stopgap approaches if it wants to begin widespread red-team testing in civilian agencies.

In the short term, Gilligan says, civilian agencies may seek advice and perhaps some manpower from the NSA, the Defense Department and the few civilian departments that maintain red teams, as well as retain the services of the handful of IT security contractors that offer this service. And if contractors are employed, agencies should vet them closely, Gilligan says. "Not all of the people's qualifications are equal," he says. "I think a mix of leveraging the current capabilities we have in DOD and other federal agencies like the Department of Energy, Department of Justice and DHS, and perhaps using those organizations to help bring in and augment with some contractors, carefully selected makes perfect sense."

We have posted our separate interviews with Sager and Gilligan. You have the option of listening to the podcast recordings or reading the transcripts.

The Good Hacker
Tony Sager, chief of a National Security Agency group that conducts red-team assaults, explains the complexities of conducting friendly attacks on government IT systems.

From Audit Guidelines to Red Team Attacks
Retired Air Force CIO John Gilligan explains how the Consensus Audit Guidelines and red-team assaults work well together to safeguard government IT systems.

Little Known Red-Team Facts
The amount of preparation to conduct a red-team assault could boggle the mind.


About the Author

Eric Chabrow

Retired Executive Editor, GovInfoSecurity

Chabrow, who retired at the end of 2017, hosted and produced the semi-weekly podcast ISMG Security Report and oversaw ISMG's GovInfoSecurity and InfoRiskToday. He's a veteran multimedia journalist who has covered information technology, government and business.
