And the Pentagon gets it.  As Mark Orndorff, Defense Information Systems Agency (DISA) program executive officer for information assurance and network operations, shared in a Military Information Technology story, “The whole focus is about having global situational awareness so we, (the Department of Defense, DoD), know exactly what’s on the network, the readiness posture of everything on the network, and the network-alerting information to help us fight through an attack.”

This strategy stems from DISA’s 2009 award-winning deployment of a host-based security system (HBSS), the largest IT security deployment within the DoD, which took an important step to monitor, detect, and counter against known cyber-threats to for more than five million DoD host platforms, such as servers, desktops, and laptops.  The underlying technology and integral component of the DISA HBSS solution is McAfee’s Host Intrusion Prevention Systems (HIPS), providing signature and behavioral protection, and a system firewall.

By striking this workable DISA balance, McAfee’s technology was awarded a $9.7 million services agreement today with Northrop Grumman Information Systems for fielding and deployment of HBSS for the Secret Internet Protocol Router Network  (SIPRNet).

With this investment, the U.S. Air Force has enhanced its cyber security infrastructure through its worldwide deployment of HBSS, providing superior, comprehensive threat protection for every system at every level.  They get it.

First, we recommend that the management efforts involve only “trusted products” sold by “trusted suppliers” in the process. In this case, providers vetted by the DoD Data-at-Rest-Tiger Team (DARTT).  Second, USB thumb drives should have the following layers of protection, creating multi-layers of safety:     

• Scan data for malware, as data is entering and exiting
• Built-in encryption chips that covert everything to code and can be unencrypted only by a correct password, the right fingerprint or both
• Tamper-proof, so information self-destructs in anyone tries to defeat the encryption or disassemble the drive
• Assign a unique serial number to each issued drive so network operators may set specific restrictions on what each drive will and won’t do

Thirdly, education must take place.  Users need to understand how security helps them be more productive and empower them to work safely. McAfee Device Control includes capabilities to help accelerate this education process through intelligent notification and feedback directly to users as they make use of USB devices.  By taking an educated approach, the DoD can coach their users on the right steps to keep data safe.

The big question: How do you balance productivity with security?

It is this question, as it pertains to the Pentagon’s evaluation of social media, that Vago Muradian, host of This Week in Defense News, and I spoke about last week.

Speaking with Vago Muradian, host of This Week in Defense News

Amidst this time of national adaptation and rapid innovation, one thing is clear – we can’t sit still. The Pentagon has moved rapidly to create policies and implement safeguards which are doing a better job protecting personnel and infrastructure than private industry. They are an interesting case study – especially in the evolving world of social media – and one that industry should learn from. After all, we share a similar goal: use technology to achieve the mission at hand, not hinder it.

Recently, I had a chance to speak with Federal News Radio about evolving concerns at the Department of Defense (DoD) over network security and, in specific, the U.S. Marine Corps’ decision to enact a one-year ban on social media sites such as Facebook, Twitter and MySpace. 

There’s no question the concerns are legitimate.  For all the positives they can enable, the use of social media channels also raise the likelihood of security breaches occurring in a network setting.

With that said, it remains to be seen whether the Marine Corps’ recently announced ban represents a sustainable policy. 

Whether you refer to them as millennials, digital natives, generation Y, or just “young,”  the reality is that more and more of today’s military personnel grew up with the Internet and have woven social media and Wed 2.0 applications into their daily lives in a way that will be difficult to curtail.

For now, via the one-year ban, the Marine Corps is weighing its options on how to address this challenge — one that it knows is not going to go away.

USMC may find the U.S. Army’s approach to the same conundrum enlightening.

Rather than institute a ban that could be difficult to implement — let alone sustain — the Army took a different approach.  Instead of banning the use of social media sites, they acted to control the means by which personnel can access them. 

In order for a service member site access a social media site from .mil computer, he or she must do so via an approved, secure portal. In addition to keeping all data safe this approach also enables the Army to block sensitive information — such as GPS coordinates or other classified information — from being distributed, whether deliberately or in error.  

So, at this stage, we’ve got one service branch seeking to address the issue via a ban and another finding a solution via a secure access approach.  It will be interesting to see where DoD lands on the issue.  Hopefully, they’ll pursue a model that is close to the latter, rather than the former.

In this context, security is about education. Social media sites are here to stay and a balance is achievable between access and security. With the right policy, people and architecture, military personnel can access social media sites like Facebook, Twitter and MySpace while addressing and safeguarding DoD privacy, network security and bandwidth management issues.

As for McAfee products that can help: McAfee Network Data Loss Prevention (DLP) and McAfee Host Data Loss Prevention both help control flow of sensitive information. Host DLP plugs into the HBSS framework that is being deployed under mandate across all DoD.

McAfee Web Security Appliances and McAfee Email Security Appliances protect against malware being introduced into government networks through mediums such was social media sites.

To ensure that sensitive information remains secure, the CMVP developed the FIPS 140-2 data encryption standards, requiring cryptographic modules to meet specific criteria and undergo rigorous testing. Validation is required before any vendor can offer encryption products to government entities, and because the FIPS-140-2 standard ranks among the most difficult to achieve, it is also often required by financial institutions and global organizations who handle sensitive data. McAfee recently earned FIPS 140-2, Level 2 validation.

Significantly, Level 2 validation requires tamper-evident features to prevent physical access to the cryptographic modules within the firewall appliance. This means that Government agencies required to use FIPS 140-2, Level 2-validated products are now able to use McAfee Firewall Enterprise to defend their networks. While remote access for government employees has increased efficiency for federal agencies, it has also exposed them to more threats, such as viruses, spam, spyware and worms. The FIPS validation was created to address these threats by requiring a higher level of performance from cryptographic modules used in federal government agency networks. McAfee Firewall Enterprise allows agencies to support network access for remote users, while ensuring networks are further protected by integrated anti-virus, intrusion prevention, and URL filtering.

One of our customers expressed the significance of this, “When protecting sensitive data, government agencies need to have a minimum level of assurance that a product’s stated security claim is valid. FIPS 140-2 is considered the benchmark of validation, and U.S. Federal agencies not only rely on that validation but are required to get it,” said William David Powers, Ph.D., Project Director for Force Management System, US Army.

This validation adds to the list of awards and certifications for the McAfee Firewall Enterprise including Common Criteria EAL4+ with US Department of Defense Application-level Firewall Protection Profile, as well as IPv6 through JITC. For customers who depend on their networks to protect life and property, these validations help them know they are protected, and we are excited to be able to announce this news.

Why wasn’t the data encrypted and how good is a policy if not followed by those that have access to confidential data? Maybe it’s time for a little automated policy enforcement to offset our human flaws. Isn’t this why data loss prevention technologies were created?

Actually, in both cases, basic security policies were violated by humans to create the breach. Maybe a little extra employee training around information security is also in order…

These two incidents could have happened just about anywhere. They just caught my attention as they came up in the same briefing. In our cars we have lights and noises that go off when we don’t fasten our seatbelts but there are still people that get tickets for not wearing them. Even automation can only go so far.

How do you ensure the keepers of the really important data use it according to policy and actually follow the policies? And how do you know when they don’t – before you end up in a news brief?

There are a lot of bad people out there trying to get access to our data. Let’s not make it any easier by just handing it over.

Encrypt and control!

McAfee specifically tested the I-2700 and M-6050 IPS sensors, however, due to the common framework, firmware and functionality, the certification was extended to the entire Network Protection product line.

The testing was performed and certified based upon the DOD IPv6 Generic Test Plan and the National Security Agency’s (NSA) IPv6 test plan. This certification deems the McAfee Network Protection products, formerly Intrushield, as IPv6 capable and listed on the Unified Capabilities Approved Product List.

This is great news not only for our DOD and US civilian agency customers, but also for our customers in Europe, Japan and other regions that are or will be transitioning to an IPv6 environment. You can now make the transition with a product certified to securely support both your IPv4 and IPv6 network environments.

Let’s begin, In case you couldn’t place the reference in my title, just go back in time to the 1939 classic “Wizard of Oz” as Dorothy is traveling with the Scarecrow and Tinman and they become fearful and start chanting “Lions, Tigers, and Bears OH MY!” Just before the cowardly Lion jumps out from the bushes and makes his appearance in the movie. Now, jump forward to 2008 and imagine that your today’s leadership chanting “YouTube, Facebook, and MySpace OH MY!” You quickly go to your browser and go to Google, in hopes of finding a solution to prevent all bad content from entering into your domain even though you’re not sure what the word “bad” means as its purely subjective and even political which makes everything shades of grey! McAfee, HELP!!!!!!!!!!!!

Now that I have had my fun, let’s get to the point, shall we? As I travel across the United States I am repeatedly asked how McAfee is addressing applications and services such as YouTube, Facebook, and other applications that are blurring the line of today’s acceptable use policies because, in many cases, they are delivering business content. This paradigm change is a result of Web 2.0 and the shift from centralized content creation to the control of the end user for a more personalized experience. In years past, organizations could rely on white lists and blacklists to limit security, legal, and productivity risks in efforts to comply with technology acceptable use policies (AUP), but those days are gone!

Yes Dorothy, McAfee has developed a new technology called Artemis (Greek Goddess of the Hunt), which is “always-on” providing real-time protection. But there is no Emerald City when it comes to responsible Internet use. In fact, if we continue with the “Wizard of Oz” analogy, technology is often compared to the Great Oz but further discovery reveals him as a mortal man with ordinary powers.

It’s time for management to step up and take a leadership position and quit looking for the Ruby Slippers of technology to force acceptable and/or appropriate Internet usage. Start by educating your users on today’s Internet risks, provide them with all the tools necessary to provide an acceptable level of risk while using the Internet, remind them of your companies AUP, and communicate to them that because they can access a Web site doesn’t mean that’s appropriate or approved. But most important; provide leadership by managing employee behavior and making them accountable for their activities. Most employees are respectful of the company’s position on Internet use, but they have to be educated, reminded, and managed so that they aren’t allowed to make poor choices because silence often translates to agreement or approval.

With Kansas in my vision and the sound of “Auntie Em” calling me home I will leave you with this: innovation will continue and technologies will improve at light speed and the future holds great promise as the security industry matures and consolidates. But, regardless of the improvements, no invention will ever prevent the need for individual responsibility while using technology.

I’m “off to see the Wizard, the wonderful Wizard of Oz!”

The one item that has not received the same press and focus as FDCC scanning and workstation compliance is the explicit definition stating: “The provider of information technology shall certify applications are fully functional and operate correctly as intended on systems using the Federal Desktop Core Configuration (FDCC).”

McAfee not only has certified Policy Auditor as a FDCC scanner, but we have also incorporated the self certification testing as defined by OMB for all of our enterprise host based security tools.

During our normal QA process, these products will be tested to ensure they maintain the integrity of the FDCC configurations. This will include the initial certification as well as the on-going re-certification for major product releases.

This initiative, coupled with what we hope to be the same initiative from other application vendors, should add value to the FDCC directive for increasing workstation security in the federal government.

As one of the key security vendors to the US government with a full suite of security products and solutions, we see this self certification requirement as necessary to helping ensure our customers meet the full compliance measurements of FDCC.

For the complete definition of these requirements, you can see the OMB memorandum here:

http://www.whitehouse.gov/omb/memoranda/fy2007/m07-18.pdf

I have often heard, and been told, there is a difference between security and compliance. This is true but also doesn’t the measurements of compliance generally establish the products and methods we deploy to ensure security and thus also our compliance?

How often has an agency or bureau implemented a product or method of security based upon a single compliance mandate? Once implemented, how does this new product or method get integrated into the compliance reporting?

Even if we back out the methods and specific policies, quite often we see a myriad of security based products we have implemented to maintain our commitment to mandates, regulations and overall compliance.

Seeking a solution
So, how do we view compliance at a higher level that allows us to implement functionality and policy instead of point products and methods that provide little to no integration into our well thought-out compliance reporting plan? The answer is not a simple one and may require procuring products with broader capabilities around IT security, policy definition and compliance reporting as integrated functionality.

Why should we have to separately report on FDCC compliance for a set of our hosts, when actually a common operating environment for our operating systems should be a foundation of our overall end node security plan? Should we not be integrating the FDCC scan into our host based scanning policies, our host based security auditing policy and our host firewall policies? Maybe we can even utilize some of these policies to define our Network Access Control for our managed systems to ensure full and “continuous compliance” before allowing them onto the network and periodically afterwards? Then we can start defining the other technical requirements from FISMA, PII, HIPAA, OMB mandates and agency based policy into our integrated continuous compliance plan.

Once we determine we have non-compliant devices, shouldn’t we have the capability to remediate against those devices, re-scan and have a defined workflow to audit them as now compliant against the various technical requirements from numerous policies, mandates and regulations? A product that is focused on only one measure of compliance has little to do with a comprehensive plan.

As we are beginning to define our high-level compliance plan, we should also determine how other security events and our prevention or handling of these might effect our compliance reporting.

Do we have the right network security in place to support our plan? Can we adequately report on network security events and how we handle these events as integrated components into our overall security plan? How do we define if these events require any remediation to our end node devices and if these events could have negative impact on our compliance reporting? Again, there are many attributes to network based security and these do not directly correlate to compliance. However, network based attacks, if not prevented, can inject the capability to lose confidential information protected by regulation. This does indeed have a negative effect on our compliance functionality. What about our e-mail and the risk of Web based traffic on the network and end node devices?

Of course, there is much to IT security compliance than just those issues previously listed. There are many non-technical requirements, and the process definition we must also integrate into our compliance reporting.

I have purposely raised many questions and not provided the answers, as there are many ways to solve these items. The key point is to determine what level of “compliance” is adequate and how to build this into your security framework. The most important question is how to define a continuous compliance plan that benefits from your security strategy.