Employing specialized tools, NSA is conducting deep inspections of classified networks regularly, "hunting" down hackers who are roaming federal networks, and blocking their ability to gain access to data and networks, Debora Plunkett, director of NSA's Information Assurance Directorate (IAD), said at a recent cybersecurity conference. (Sheila Vemmer / Staff)
The National Security Agency is expanding efforts to foil cyber-adversaries.
Employing specialized tools, NSA is conducting deep inspections of classified networks regularly, "hunting" down hackers who are roaming federal networks, and blocking their ability to gain access to data and networks, Debora Plunkett, director of NSA's Information Assurance Directorate (IAD), said at a cybersecurity conference last week.
But such state-of-the-art tactics go only so far in protecting federal networks, Plunkett said. The majority of vulnerabilities threatening federal networks can be easily prevented by the employees who use those networks, she said.
Eighty percent of malicious attacks on government computers can be addressed through good security hygiene, she said: keeping anti-virus software up to date, using complex passwords that are frequently changed, designing systems with effective security features built in, and monitoring vulnerabilities continuously.
"We've been working hard to convince folks that you've got to do the hygiene," Plunkett told a conference audience of federal employees and information technology contractors. "It's about culture and practice."
Tackling the other 20 percent — malicious attacks — is the hard part.
"We've got to get to a point of being able to anticipate what might be coming and to develop the capability to defend against it," Plunkett said. IAD is partnering with the intelligence community to give it a head start in understanding the capabilities and intentions of attackers, especially those from foreign countries, and use that information to anticipate what is to come and how to defend against it.
Other strategies IAD is employing to combat attacks include:
• Trust engineering, a relatively new field that aims to configure relatively untrusted network components into reasonably trustworthy systems.
• Operational testing to determine network security. Technical experts try to penetrate systems to identify vulnerabilities and determine if the proper controls and procedures are in place, said an IAD spokesperson.
• Intrusion analysis of the network. Already, Plunkett has seen an increase in agencies requesting this analysis to advance security improvements.
• Hunting for adversaries on a network on a routine basis.
IAD is charged with providing products and services to protect national security systems at the Defense Department and other government agencies.
More than a year ago, the agency started three pilot projects to demonstrate the efficacy of using commercial components and solutions to securely exchange secret-level information with law enforcement and foreign partners of federal security agencies.
One is testing the security of an Internet-based network that enables the exchange of intelligence information — classified at the secret clearance level and below — between law enforcement first responders and a secret-level Homeland Security Department network called the Homeland Security Data Network. The aim is to grant wider access for state and local law enforcement organizations to classified threat information using a network that is secure but not as expensive and exclusive as more high-tech and robust networks.
Another pilot helps U.S. Southern Command share classified information with a partner country using Internet Protocol Security (IPsec), which provides encryption and data authentication.
A third demonstration project provides a secure, wireless connection to a secret network. All are expected to be completed within the next year.
Plunkett said agencies must continue to rely on layered defenses, known as defense in depth, to protect their networks. This includes such measures as automatic vulnerability detection, automated patch management, frequent checks to ensure network defenses are in compliance with federal standards, and sensors deployed throughout a network to monitor security in "near real time." Putting automation in place, when possible, can reduce human error.
By using sensors to monitor threats in "near real time," agency security teams can take response actions immediately, as needed. "Immediately is probably a word that's not quick enough in this context," Plunkett said. "You have to be able to detect and preposition both decisions and action" to thwart an attack before it can penetrate the infrastructure.
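The idea of prepositioning decisions, so that a sensor finding maps straight to a pre-approved action instead of a meeting, is easiest to see in code. The following is an added illustration, not anything described by NSA or the article: a small sliding-window correlator over a stream of constructed sensor events (hostnames, event kinds, thresholds and the playbook entries are all invented for the example) that turns each new finding into a response decision looked up from a table written in advance.

```python
"""Added example (not from the article): a toy near-real-time detection loop
that turns sensor events into prepositioned response decisions.

The point being illustrated: the decision table (what to do for which
finding) is written ahead of time, so at detection time the pipeline only has
to match findings against it. Every event, host name and threshold below is
constructed for illustration.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Set, Tuple


@dataclass(frozen=True)
class Event:
    ts: int        # seconds since epoch (constructed)
    sensor: str    # which sensor emitted the event
    host: str      # host the event concerns
    kind: str      # normalized event type


# Prepositioned decisions: finding -> (action, severity). Agreed before any
# alert fires, so nobody has to decide under time pressure. Hypothetical names.
PLAYBOOK: Dict[str, Tuple[str, str]] = {
    "brute_force_auth": ("isolate_host", "high"),
    "known_bad_signature": ("block_and_ticket", "high"),
    "unpatched_critical": ("open_patch_ticket", "medium"),
}

WINDOW_SECONDS = 60          # correlation window for repeated auth failures
FAILED_AUTH_THRESHOLD = 5    # failures within the window that count as an attack


class Detector:
    """Sliding-window correlator over a time-ordered stream of sensor events."""

    def __init__(self) -> None:
        self._failed: Dict[str, Deque[int]] = defaultdict(deque)
        self._fired: Set[Tuple[str, str]] = set()  # (host, finding) already raised

    def ingest(self, ev: Event) -> List[Tuple[str, str, str, str]]:
        """Process one event; return new (host, finding, action, severity) decisions."""
        findings: List[str] = []
        if ev.kind == "auth_failure":
            q = self._failed[ev.host]
            q.append(ev.ts)
            # drop failures that fell out of the window
            while q and ev.ts - q[0] > WINDOW_SECONDS:
                q.popleft()
            if len(q) >= FAILED_AUTH_THRESHOLD:
                findings.append("brute_force_auth")
        elif ev.kind == "av_signature_hit":
            findings.append("known_bad_signature")
        elif ev.kind == "vuln_scan_critical":
            findings.append("unpatched_critical")

        decisions: List[Tuple[str, str, str, str]] = []
        for finding in findings:
            key = (ev.host, finding)
            if key in self._fired:
                continue  # one decision per host/finding pair; no alert storms
            self._fired.add(key)
            action, severity = PLAYBOOK[finding]
            decisions.append((ev.host, finding, action, severity))
        return decisions


def run(events: List[Event]) -> List[Tuple[str, str, str, str]]:
    """Replay a batch of events in time order and collect every decision."""
    det = Detector()
    out: List[Tuple[str, str, str, str]] = []
    for ev in sorted(events, key=lambda e: e.ts):
        out.extend(det.ingest(ev))
    return out


# Constructed sample stream: one host hammered with auth failures, one host
# with two failures far apart (benign), one host with an AV hit and a scan finding.
SAMPLE_EVENTS: List[Event] = [
    Event(1000 + i * 5, "auth-sensor", "ws-17", "auth_failure") for i in range(6)
] + [
    Event(1010, "auth-sensor", "ws-22", "auth_failure"),
    Event(1400, "auth-sensor", "ws-22", "auth_failure"),   # outside the window
    Event(1200, "av-sensor", "srv-03", "av_signature_hit"),
    Event(1300, "vuln-scanner", "srv-03", "vuln_scan_critical"),
]

if __name__ == "__main__":
    for decision in run(SAMPLE_EVENTS):
        print(decision)
```

The separation matters: `PLAYBOOK` is the prepositioned decision, `Detector` is the sensor logic, and whatever executes `isolate_host` or opens a ticket sits behind the returned tuple, so the reaction time is bounded by detection rather than by a human deciding what to do.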