Safety from the Fringe to the Center
Despite progress, a comprehensive assurance solution for sensitive IT data remains elusive.
Hank Hogan - Homeland Security Today
For those hoping to find a present under the tree, Jim Gerretson has a bit of advice. Don’t expect a simple solution for IT-related security challenges. Gerretson is chief executive officer of Gerretson, LLC, a Laurel, Md.-based firm that provides information assurance services to the intelligence community and civilian agencies. “There simply is not anybody that can come up with a single product or technology that’s going to protect you,” he said.
The issue is the breadth of the problem. A typical site might have a mix of Windows, Mac and Unix-based desktops, not to mention networks and peripheral devices. The only answer is defense in depth and multiple solutions.
Two examples can be found in offerings from General Dynamics’ C4 Systems of Scottsdale, Ariz., and Unisys Federal of Reston, Va. The first is a National Security Agency-certified smartphone, while the second involves border-crossing technology.
Although primarily intended for the military, the Sectéra Edge smartphone solves a problem facing some homeland security personnel. They need to securely communicate voice and data traffic while interacting with others who don’t have the same level of clearance. During a manmade or natural disaster, for example, they may have to interact with first responders one moment and then communicate over the secure Homeland Security Data Network the next. These dueling needs have often been met through the use of multiple devices, but the new smartphone simplifies things.
“With a single key press, users can actually switch back and forth between those domains. All the data is separated, so there’s no danger of mixing classified information inadvertently onto the unclassified network,” said Tom Liggett, the device product manager.
The smartphone also protects data at rest, through encryption after a timeout or upon power off. The device became available this spring at a price tag of several thousand dollars.
Another example of meeting an IT security challenge arising from the periphery can be found in the hardware being installed as part of the Western Hemisphere Travel Initiative (WHTI). G. Michael Rodgers, the Unisys program manager, noted that WHTI will deploy systems at 39 high volume ports of entry, with a goal of providing timely information to border crossing officers so that security can be tightened without impacting the flow of traffic.
In accomplishing this, license plate readers, sensors, vehicle counters, radio frequency identification subsystems, computers and other equipment will be installed across multiple lanes. The computers, said Rodgers, are built to minimize the security risks.
“This computer has two sides to it. It’s a split personality,” he explained.
One side is firmware-based. It handles the control and sensor, along with the optical character recognition needed to read the license plate. The other side is essentially a standard Windows based computer with built-in safeguards against tampering.
A characteristic of a networked world is that the periphery isn’t a physical demarcation. Roger Thornton, chief technology officer at Fortify Software of San Mateo, Calif., notes that the simple act of making a system accessible can open it up to attack.
“The best example of this would be home banking,” he said. “When you point your browser at the home banking system, you are going right through the perimeter and dealing with some of the most important machines they have in their environment.”
While an outsider can’t log into such machines, a home banking customer can interact with them. A cleverly formulated malicious input for a name field could then potentially get the system to do what an attacker wants.
Fortify’s solution is found in tools that examine applications for known vulnerabilities. The tools do the examination in an active and passive manner, with the former suited to testing before deployment and the latter useful in monitoring transactions as they happen after deployment.
A final example of meeting a security challenge comes from Trusted Computer Solutions of Herndon, Va. The bulk of the company’s business centers on information sharing tools for various three-letter government agencies, said Chief Operating Officer Ed Hammersla. The company’s latest products attempt to solve the problem of the insider who goes bad, whether it’s someone with the highest clearance, a vendor with limited access or a botnet that had been dormant but is now active.
The first product locks down Linux operating systems (OS), with other OS versions planned. According to Hammersla, operating systems are shipped in their most wide-open configuration because this makes for the easiest setup. The company’s software automatically takes the OS to a recommended and more secure setup, thereby depriving the rogue insider of some tools.
The second product plugs another set of holes through an appliance that sits on the network and learns what is normal. The device can then detect when something unusual happens, such as a consultant plugging in a laptop and spreading a virus. The system can even spot benign changes, such as when someone from an accounting firm goes through a company’s regular network and not a hub set up specifically for use by auditors.
“It’ll alert you when things happen that are different,” summed up Hammersla. Now, these examples of defense in depth are not a single shiny present. However, when used together, they could make for a nice gift in meeting IT security challenges.Hank Hogan is HSToday’s IT correspondent.
Techpreneur partners with Navy veteran to go after federal contracts
IT Industry Veterans Launch Gerretson LLC
New Firm Targets Federal Information Assurance Opportunities
Safety from the Fringe to the Center
A Veterans Administration Certified SDVOSB