How the State Dept. Cut IT Risk by 90 PercentState CISO John Streufert Explains Its Risk Scoring Program
By John Streufert
In my role as the chief information security officer of the Department of State, I have become intimately familiar with the benefits, shortcomings and promising opportunities to build upon the current Federal Information Security Management Act of 2002. Our goal is to ensure system security for diplomacy, while continuously improving the return on investment for each dollar spent on cybersecurity.
The passage of the FISMA served as a game-changing event for the federal agency community.
Whereas, the Health Information Portability and Accountability Act applies to medical information and the Privacy Act of 1974 applies to personal information, FISMA applies to all information used by or on behalf of the federal department and agency. The establishment of a holistic information security program and the responsibility of accounting to oversight entities, including Congress, served as a valuable check in determining the health of an agency's information security program.
The federal cyber landscape has changed over the past five years. The implementation of federal cybersecurity has typically been implemented through manual processes and compliance checks which have competed with the need to implement Web 2.0 technologies in a secure manner.
Meanwhile, our cyber problems have dramatically escalated in severity and frequency. In a typical week, the department blocks 3.5 million spam e-mails, intercepts 4,500 viruses and detects over a million external probes to our network.
Since 2008, the number security related tickets has more than doubled, while malicious code attacks increased by 47 percent. The volatility of changes to security sensitive settings has been equally problematic.
In October 2009, the Office of Management and Budget launched CyberScope, a secure, data collection platform for reporting that allows research and analysis across federal agencies. Additionally, Vivek Kundra, the federal chief information officer, has formed an interagency task force charged with developing metrics for information security. The National Institute of Standards and Technology has revised certification and accreditation Special Publication 800-37 to increase its emphasis on continuous monitoring, including a recommendation for the use of automation to obtain more timely, cost-effective, and efficient monitoring results. The goal is to give senior leaders better information on the security state of their information systems with which to make risk-based decisions.
For its part, in fiscal year 2009, the State Department began supplementing FISMA compliance reports and studies with a Risk Scoring Program scanning every computer and server connected to its network not less than every 36 hours on eight security factors and twice a month for safe configurations of software.
Risk Scoring Program
The Risk Scoring Program utilizes best practices such as the 20 most critical controls known as the Consensus Audit Guidelines, a collaborative effort between government and industry, which we have mapped against the way the department is being attacked. To assess vulnerabilities, the department utilizes the National Vulnerability Database and the Common Vulnerability Scoring System from NIST and the Department of Homeland Security where scanning tools tag specific risks with point values from 0 to 10, with 10 being the highest vulnerability. For each risk found, an online catalog of security related software flaws offers a help kit for the resolution of that particular vulnerability. When the problem is resolved risk points are deducted and a higher score for the technical team and organizations is computed no matter where they are located across the world. To this point, State Department risk scoring program has implemented the sub-set of the 15 Consensus Audit Guideline controls that are susceptible to automated verification.
In the first year of site scoring ending July 2009, overall risk on the department's key unclassified network measured by the Risk Scoring program was reduced by nearly 90 percent in overseas sites and 89 percent in domestic sites. Scores have been relatively stable since then. Notwithstanding this reduction to date, the department has decided to make it three times more difficult to achieve the same grades by the end of FY 2010 as part of an ongoing commitment to continuous improvement.
These methods, however limited, have allowed one critical piece of the department's information security program to move from the snapshot in time previously available under FISMA and its related authorities to a program that scans for weaknesses on servers and personal computers - continuously; identifies weak configurations - each 15 days; recalculates the most important problems to fix in priority order - daily; and issues letter grades (A+ to F) monthly to senior managers tracking progress for their organization the last 30 days. It is the State Department's objective to expand automated verification to as many Consensus Audit Guidelines and NIST 800-53 controls as possible and to all infrastructure and applications as soon as possible, limited only by available resources.
The various risk score reports tabulate risk scores by region, compare progress overseas to domestic sites and create an enterprise-wide summary for senior management of the department. In short, the details empower administrators with targeted, daily attention to conduct remediation and the summaries empower executives to oversee most serious problems.
Layered Approach to Risk Management
In addition to the Risk Scoring program, the department's layered approach to risk management includes several other noteworthy initiatives.
The department maintains a 24x7 network watch program that guards against the external penetration, compromise, or misuse of the department's cyber assets.
Analysts stationed at our network monitoring center serve as continuous sentries for inappropriate network activity based on intrusion detection system signatures, reports from the firewall team and other sources. The analysts perform preliminary assessments to confirm the nature and source of suspicious network security events. Those matters deemed significant are escalated to the computer incident response team for in-depth analysis and corrective action.
The computer incident response team serves as the department's main clearinghouse for reporting computer security events and incidents occurring on department and foreign affairs agency networks. Computer incident response team analysts track all reported actions through completion and coordinate incident response actions with all stakeholders including the department's security units, Department of Homeland Security's United States Computer Emergency Readiness Team and law enforcement entities.
This team of technical analysts performs essential coordinated information sharing as defined in NIST Special Publication 800-61. In addition to the reporting requirements found in this publication, Department of State actively communicates on emerging phishing attack threats realized by the Department of State to help other agencies avoid becoming victims of these same phishing scams. Department of State also utilizes, in partnership with U.S.-CERT, the situational awareness initiative Einstein 2 by analyzing and reporting on events detected through this program.
To combat increasingly sophisticated cyber attacks, the department's Cyber Threat Analysis Program provides overseas posts and department management with indicators and early warnings about potential cyber incidents. This team of technical analysts performs essential in-depth assessments of network intrusions and helps coordinate the department's response to sophisticated cyber attacks.
They also work closely with the law enforcement and network defense communities to develop both a comprehensive threat picture and possible remediation measures. In addition, they perform proactive penetration testing and network forensic analysis to detect and resolve significant threat issues.
Moreover, the cyber threat analysis team has developed a strong information sharing capability by routinely briefing other federal agencies on pressing threat data and offering technical assistance and best practices information in an effort to help mitigate risks to federal networks. In addition, they participate in multiple working groups and information sharing organizations designed to enhance coordination among the government's cyber defense teams.
The Global Security Scanning program of the department serves multiple essential purposes covering all of its domestic and overseas locations. Electronic tools perform functions that include confirming what is connected to department networks; assuring that computers, network and software are in the safest configuration of setting, locating system vulnerabilities that need correction and collecting evidence for cybersecurity investigations. Global scanning is complimented with computer security officers supporting security regionally and locally for overseas posts as "boots on the ground."
Consequences for Cyber Misuse or Abuse
The department's Cybersecurity Incident Program was formed to address consequences for acts of cyber misuse or abuse by individuals. The program enhances the protection of the department's cyber infrastructure by raising overall cybersecurity awareness and providing managers with the ability to hold individual users accountable for acts of cyber misuse or abuse. The department, like all parts of the federal government, needs to balance the benefits of cyber space for mission effectiveness, with the personal responsibility every employee is asked to demonstrate when using government cyber resources.
The Cybersecurity Incident Program applies to all department system users and defines two different categories of incidents: "infractions", where failure to comply with a specific department policy exists but does not result in actual damage to the department's cyber infrastructure and "violations", where failure to comply with a specific department policy exists and results in damage or significant risk of damage to the department's cyber infrastructure.
In addition to the types of incidents that lend themselves to detection, the department's network monitoring and inspections alert key department officials to risks when they occur. Upon notification of an incident, an investigation is undertaken incorporating several department organizations charged with gathering the information necessary to ensure a prompt and appropriate response to the cyber event, while protecting the rights of the accused.
Since the Cybersecurity Incident Program was established in 2007, 14 users have been cited for infractions and 227 users have been cited for violations.
For those found to have committed an infraction or violation, the consequences available to the department range from a letter of warning, suspension of network access or further disciplinary action.
Other Federal Activity
The Department of State is involved in multiple government-wide efforts that share its IT security solutions with other departments and agencies. The most widely use product is an annual IT security awareness course offered to other federal organizations as a Center of Excellence under the information system security line of business. So far, this offering has been delivered to 33,255 federal employees outside the State Department. The State Department is also active in multiple projects with the interagency Committee on National Security Systems working on developing common standards for risk studies and authentication of users on networks.
The department's policies, technology, business processes and partnerships in place continue to evolve and meet the continuing challenges of the security threats in the cyberspace environment.