Risk
3/15/2013
11:05 AM
Connect Directly
LinkedIn
Twitter
RSS
E-Mail
50%
50%

Next Steps In Data Center Security

Government agencies face a growing number of cyber threats. Here’s what federal IT teams can do to protect their systems, networks and data.

InformationWeek Government March 18, 2013 InformationWeek Green
Download the entire March 2013 issue of InformationWeek Government, distributed in an all-digital format (registration required).


Secure The Data Center When IT security is a focal point of the State of the Union address, as it was in President Obama's February speech, government IT pros had better take notice.

Foreign adversaries are "seeking the ability to sabotage our power grid, our financial institutions and our air traffic control systems," the president warned. "We cannot look back years from now and wonder why we did nothing in the face of real threats to our security and our economy."

Federal government data centers are at the center of this discussion. The systems and databases within those data centers house everything from the personal information of U.S. citizens to law enforcement case records and classified intelligence.

Federal agencies have been shoring up their data center defenses for years, but much more needs to be done. Security experts report not only a growing number of attacks, but also successful breaches. Throwing money at the problem isn't the answer, nor is it an option. The federal IT budget remains flat and sequestration, which went into effect March 1, triggered across-the-board cuts. Federal CIO Steven VanRoekel, in a February interview with InformationWeek Government, warned that sequestration could cause agencies to lose momentum in their efforts to improve cybersecurity. Agency CIOs have to be smart and selective in how they invest their limited resources.

"The problem is much bigger than it was three or four years ago," says Omar Khawaja, head of product marketing for data center operator Verizon Terremark, which provides hosting and cloud services to federal agencies. "You've got more threats, more vulnerabilities and the assets are more critical than ever before."

Shortly after the State of the Union address, Mandiant, a security vendor, released a report that traced a Chinese hacker group, dubbed APT1 and suspected of "economic espionage" against at least 141 companies and government agencies over seven years, to a district in residential Shanghai that's home to a unit of the People's Liberation Army. It was the most detailed in a growing body of evidence that the Chinese military may be involved in probes of U.S. computer systems. The New York Times, Google and Apple all reported security breaches at about the same time.

Federal agencies are targets, too. In February, the Department of Energy revealed that online attackers had penetrated its network and obtained personal information on hundreds of employees and contractors. The department's Joint Cybersecurity Coordination Center and federal law enforcement agencies are investigating the incident. In a memo to employees, DOE recommended that they encrypt all files and emails that contain personal information, including files stored on hard drives or on the shared network.

The Department of Defense, even with its U.S. Cyber Command operations, remains vulnerable as well. The Defense Science Board, a civilian committee that provides scientific and technical advice to the Pentagon, said in a report this month that the DOD isn't prepared to defend against sophisticated international cyber attacks. The report pointed to "inherently insecure architectures," inadequate intelligence and the sheer limits of technology in defending against emerging cyber threats. It encourages the DOD's CIO to work with the military branches to create an enterprise security architecture that includes minimum standards to ensure a "reasonable" level of defensibility and increase the probability that attacks are detected.

Robust data center security starts outside the brick-and-mortar building. Verizon Terremark serves federal customers from a 30-acre complex in northern Virginia that's protected by 12-foot beams, DOD-approved fences, blast-proof walls and motion-sensor cameras. But it's the systems, software and processes inside the data centers used by government agencies -- some owned and operated by contractors, others by the agencies themselves -- that are the urgent focus of federal IT teams.

To read the rest of the article,
download the March 2013 issue of InformationWeek Government.

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
John Foley
50%
50%
John Foley,
User Rank: Apprentice
3/18/2013 | 3:51:33 PM
re: Next Steps In Data Center Security
Three key takeaways from this article: 1) More money isn't the answer given the fiscal situation. The feds have to come up with ways to defend against new threats across many fronts, but there will be no blank check. 2) The only way to get your arms around the big and growing threat landscape is to make it "smaller." 3) New, innovative approaches are needed. I would add that all three points are interrelated.
JacksonShaw
50%
50%
JacksonShaw,
User Rank: Apprentice
3/21/2013 | 6:52:32 PM
re: Next Steps In Data Center Security
Certainly a proper identity and access management strategy would be useful to the feds too. At the end of the day "brick and mortar" provisioning and de-provisioning are pretty important. In today's age - and especially for the feds - ADAPTIVE authentication and authorization are hugely important. Someone located in Washington DC trying to access a resource should receive a different response from the systems than if they the same person was trying to access that same resource from China (for example). Maybe they need to use their smartcard or one-time-password device or maybe they just aren't allowed. We need to tie all this stuff together.

Jackson Shaw
Dell
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading December Tech Digest
Experts weigh in on the pros and cons of end-user security training.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-5395
Published: 2014-11-21
Multiple cross-site request forgery (CSRF) vulnerabilities in Huawei HiLink E3276 and E3236 TCPU before V200R002B470D13SP00C00 and WebUI before V100R007B100D03SP01C03, E5180s-22 before 21.270.21.00.00, and E586Bs-2 before 21.322.10.00.889 allow remote attackers to hijack the authentication of users ...

CVE-2014-7137
Published: 2014-11-21
Multiple SQL injection vulnerabilities in Dolibarr ERP/CRM before 3.6.1 allow remote authenticated users to execute arbitrary SQL commands via the (1) contactid parameter in an addcontact action, (2) ligne parameter in a swapstatut action, or (3) project_ref parameter to projet/tasks/contact.php; (4...

CVE-2014-7871
Published: 2014-11-21
SQL injection vulnerability in Open-Xchange (OX) AppSuite before 7.4.2-rev36 and 7.6.x before 7.6.0-rev23 allows remote authenticated users to execute arbitrary SQL commands via a crafted jslob API call.

CVE-2014-8090
Published: 2014-11-21
The REXML parser in Ruby 1.9.x before 1.9.3 patchlevel 551, 2.0.x before 2.0.0 patchlevel 598, and 2.1.x before 2.1.5 allows remote attackers to cause a denial of service (CPU and memory consumption) a crafted XML document containing an empty string in an entity that is used in a large number of nes...

CVE-2014-8469
Published: 2014-11-21
Cross-site scripting (XSS) vulnerability in Guests/Boots in AdminCP in Moxi9 PHPFox before 4 Beta allows remote attackers to inject arbitrary web script or HTML via the User-Agent header.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Now that the holiday season is about to begin both online and in stores, will this be yet another season of nonstop gifting to cybercriminals?