LAS VEGAS -- Few government organizations have the aura and mystique of the National Security Agency, and it's well-earned.
The NSA is the most secretive of the country's intelligence agencies, and it's rare that any of its officials speak publicly. So the speech by Tony Sager that kicked off the Black Hat USA Briefings Wednesday offered a rare peek behind the curtain at Fort Meade's vulnerability information-sharing program.
Sager, the chief of the vulnerability analysis and operations group in the NSA's Information Assurance Directorate, has been in the business of finding and fixing vulnerabilities for 30 years. He said that the major difference between today's security landscape and that of the 1970s is the ability to share data and ideas with a large community of practitioners.
"When I started in 1977, it was a government monopoly business. The government cared about security, the government controlled the technology, knew what the bad guys looked like and could pay for the technology," Sager said. "We could overwhelm the problem with technology."
Like many security professionals, Sager said he and his team have faced the challenge in recent years of trying to translate important security and vulnerability concepts into plain English for business leaders, technology buyers and end-users. Sager's group spends its time identifying and trying to fix software and network vulnerabilities, but making those efforts understandable to the rest of the organization can be difficult. Doing so, however, is vital to the success of any security professional's efforts, Sager said.
To that end, the NSA began working with other information security groups in the Department of Defense -- as well as in the government at large -- to develop methods for sharing vulnerability information, reporting and remediation. His group, along with teams from the Department of Homeland Security, the National Institute of Standards and Technology (NIST) and other agencies, developed a model called the Information Security Content Automation Program, which uses open standards and tools to automate vulnerability management and assessment. It includes a number of checklists and a specific protocol for information sharing.
The group also puts on a number of events throughout the year to train security professionals in the use of the program.
Sager urged security practitioners to make the effort to share information with their peers and with their executive teams.
"This is a business that's been about folklore and reading Bugtraq," he said. "We're too big for that now. We can't do that anymore. The key for me has been linking geeky security stuff to other business areas."