Leave information-asset protection up to the geeks. Tap their creativity.
The structure of your security operations center [is important]. Don’t have too many leaders or too many high-level executives. It really should be the nerds, the geeks and the young people.
Christina Raftery, Lead Information Systems Security Officer, FBI
That’s the latest message to managers from top government security experts at a time when federal systems are under relentless cyber bombardment. A proactive strategy is part and parcel of information security, and it’s the techies who really know how to do this stuff, said Christina Raftery, lead information systems security officer for the Federal Bureau of Investigation’s Los Angeles field office. Create an environment in your security ops center that’s conducive to learning, she advised: Set up a security lab, give them pen testing tools and “Let people play … and see what they’re up against.”
“I’ve seen reactive approaches and watched things fall apart,” said Raftery, who has also held IT security positions at the Homeland Security Department and the Federal Emergency Management Agency. “The structure of your security operations center [is important]. Don’t have too many leaders or too many high-level executives. It really should be the nerds, the geeks and the young people. That’s where you’re going to have a foundation [for your security operations]. The lab environment is an extremely important key to this.”
At one major federal agency, officials are letting their security techies do just that. “Given the fact that we’re such a small group, we need to be dynamic and creative,” said a security executive at the agency, who asked not to be identified, citing security considerations.
Using Core Impact Pro, penetration testing software from Core Security Technologies, the agency’s security team is able to replicate attacks across networks, Web applications, end-user systems, wireless networks and network devices in its security lab. Because the tool automates the process, only three security specialists are needed to conduct penetration testing of the agency’s 7,000 IT assets.
Going phishing for social engineering flaws
On the client side, the pen test team each quarter replicates social engineering attacks, such as phishing and spear phishing campaigns, against unsuspecting end users at the agency.
In conducting mock phishing attacks, the team selects a random sample of end users, anywhere from 200 to 1,000 employees, and then sends out a “nifty email, something that looks like LinkedIn or Facebook,” the executive said. “When a user clicks on a link, it automatically responds back to the Core Impact server, which then directs the user to a training site,” which educates the user about the dangers of phishing attacks. Users who are fooled by the mock emails are routinely included in the next quarterly exercise.
The team’s mock emails are painstakingly designed to appear authentic. “We’ve gotten so sophisticated that we actually poison our [domain name system] so nothing leaves the complex but the domains look legitimate,” the executive said.
The exec offered the following recommendations for using penetrating testing:
- Start with end users. “Even if you have very good, in-depth defensive security, end users can be your weakness. Take the data you gather from penetration testing and filter and dice it to prioritize fixes for the most critical vulnerabilities.
- Work with your pen test software vendors and help them understand what you and other government agencies need to protect systems. For example, extensive input from the agency in this story helped Core Security Technologies design a new product, Core Insight Enterprise, real-world security testing software for large environments.
- Demonstrate due diligence to Federal Information System Management Act auditors by sharing the results of your internal pen tests. Touting your proactive efforts to build and maintain security controls will help establish a level of trust and make for a more collaborative -- rather than adversarial -- relationship with your FISMA auditors.
About the author:
Richard W. Walker is a freelance writer based in the Washington, D.C., area who has been covering issues and trends in government technology for more than 10 years.