Risk
3/15/2013
11:05 AM
Connect Directly
LinkedIn
Twitter
RSS
E-Mail
50%
50%

Next Steps In Data Center Security

Government agencies face a growing number of cyber threats. Here’s what federal IT teams can do to protect their systems, networks and data.

InformationWeek Government March 18, 2013 InformationWeek Green
Download the entire March 2013 issue of InformationWeek Government, distributed in an all-digital format (registration required).


Secure The Data Center When IT security is a focal point of the State of the Union address, as it was in President Obama's February speech, government IT pros had better take notice.

Foreign adversaries are "seeking the ability to sabotage our power grid, our financial institutions and our air traffic control systems," the president warned. "We cannot look back years from now and wonder why we did nothing in the face of real threats to our security and our economy."

Federal government data centers are at the center of this discussion. The systems and databases within those data centers house everything from the personal information of U.S. citizens to law enforcement case records and classified intelligence.

Federal agencies have been shoring up their data center defenses for years, but much more needs to be done. Security experts report not only a growing number of attacks, but also successful breaches. Throwing money at the problem isn't the answer, nor is it an option. The federal IT budget remains flat and sequestration, which went into effect March 1, triggered across-the-board cuts. Federal CIO Steven VanRoekel, in a February interview with InformationWeek Government, warned that sequestration could cause agencies to lose momentum in their efforts to improve cybersecurity. Agency CIOs have to be smart and selective in how they invest their limited resources.

"The problem is much bigger than it was three or four years ago," says Omar Khawaja, head of product marketing for data center operator Verizon Terremark, which provides hosting and cloud services to federal agencies. "You've got more threats, more vulnerabilities and the assets are more critical than ever before."

Shortly after the State of the Union address, Mandiant, a security vendor, released a report that traced a Chinese hacker group, dubbed APT1 and suspected of "economic espionage" against at least 141 companies and government agencies over seven years, to a district in residential Shanghai that's home to a unit of the People's Liberation Army. It was the most detailed in a growing body of evidence that the Chinese military may be involved in probes of U.S. computer systems. The New York Times, Google and Apple all reported security breaches at about the same time.

Federal agencies are targets, too. In February, the Department of Energy revealed that online attackers had penetrated its network and obtained personal information on hundreds of employees and contractors. The department's Joint Cybersecurity Coordination Center and federal law enforcement agencies are investigating the incident. In a memo to employees, DOE recommended that they encrypt all files and emails that contain personal information, including files stored on hard drives or on the shared network.

The Department of Defense, even with its U.S. Cyber Command operations, remains vulnerable as well. The Defense Science Board, a civilian committee that provides scientific and technical advice to the Pentagon, said in a report this month that the DOD isn't prepared to defend against sophisticated international cyber attacks. The report pointed to "inherently insecure architectures," inadequate intelligence and the sheer limits of technology in defending against emerging cyber threats. It encourages the DOD's CIO to work with the military branches to create an enterprise security architecture that includes minimum standards to ensure a "reasonable" level of defensibility and increase the probability that attacks are detected.

Robust data center security starts outside the brick-and-mortar building. Verizon Terremark serves federal customers from a 30-acre complex in northern Virginia that's protected by 12-foot beams, DOD-approved fences, blast-proof walls and motion-sensor cameras. But it's the systems, software and processes inside the data centers used by government agencies -- some owned and operated by contractors, others by the agencies themselves -- that are the urgent focus of federal IT teams.

To read the rest of the article,
download the March 2013 issue of InformationWeek Government.

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
John Foley
50%
50%
John Foley,
User Rank: Apprentice
3/18/2013 | 3:51:33 PM
re: Next Steps In Data Center Security
Three key takeaways from this article: 1) More money isn't the answer given the fiscal situation. The feds have to come up with ways to defend against new threats across many fronts, but there will be no blank check. 2) The only way to get your arms around the big and growing threat landscape is to make it "smaller." 3) New, innovative approaches are needed. I would add that all three points are interrelated.
JacksonShaw
50%
50%
JacksonShaw,
User Rank: Apprentice
3/21/2013 | 6:52:32 PM
re: Next Steps In Data Center Security
Certainly a proper identity and access management strategy would be useful to the feds too. At the end of the day "brick and mortar" provisioning and de-provisioning are pretty important. In today's age - and especially for the feds - ADAPTIVE authentication and authorization are hugely important. Someone located in Washington DC trying to access a resource should receive a different response from the systems than if they the same person was trying to access that same resource from China (for example). Maybe they need to use their smartcard or one-time-password device or maybe they just aren't allowed. We need to tie all this stuff together.

Jackson Shaw
Dell
Register for Dark Reading Newsletters
White Papers
Cartoon
Latest Comment: nice post
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-1750
Published: 2015-07-01
Open redirect vulnerability in nokia-mapsplaces.php in the Nokia Maps & Places plugin 1.6.6 for WordPress allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the href parameter to page/place.html. NOTE: this was originally reported as cross-sit...

CVE-2014-1836
Published: 2015-07-01
Absolute path traversal vulnerability in htdocs/libraries/image-editor/image-edit.php in ImpressCMS before 1.3.6 allows remote attackers to delete arbitrary files via a full pathname in the image_path parameter in a cancel action.

CVE-2015-0848
Published: 2015-07-01
Heap-based buffer overflow in libwmf 0.2.8.4 allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted BMP image.

CVE-2015-1330
Published: 2015-07-01
unattended-upgrades before 0.86.1 does not properly authenticate packages when the (1) force-confold or (2) force-confnew dpkg options are enabled in the DPkg::Options::* apt configuration, which allows remote man-in-the-middle attackers to upload and execute arbitrary packages via unspecified vecto...

CVE-2015-1950
Published: 2015-07-01
IBM PowerVC Standard Edition 1.2.2.1 through 1.2.2.2 does not require authentication for access to the Python interpreter with nova credentials, which allows KVM guest OS users to discover certain PowerVC credentials and bypass intended access restrictions via unspecified Python code.

Dark Reading Radio
Archived Dark Reading Radio
Marc Spitler, co-author of the Verizon DBIR will share some of the lesser-known but most intriguing tidbits from the massive report