Misconfigured software poses significant security challenges
Several years ago, when John Gilligan was serving as the chief information officer at the Air Force, he experienced what he calls a major turning point in how he viewed security. Along with the other services, the Air Force was subject to annual penetration analyses by the National Security Agency, which tested the ease of infiltrating cyber defenses on military networks.
"The net result was our security was very easily penetrated in multiple instances," Gilligan said. The only relative difference between the outcomes for the services was in how quickly NSA was able to gain access to their networks -- "whether it was 30 seconds or 45 seconds. It was enormously frustrating," he said.
After the second such session with NSA, Gilligan asked the agency's lead analyst to offer recommendations for improving security.
"I'll never forget the briefing because their opening analysis was the following: It was misconfigured software that was the dominant area that NSA saw that was being exploited in attacks that they were sent in to clean up," he said. But it was the percentage of misconfigured software that really made an impression. "They said it was about 80 percent," Gilligan recalled Tuesday at a cybersecurity panel discussion Government Executive co-produced with the SANS Institute, a computer security training center. Nextgov is part of the Government Executive Media Group.
"Now this is a few years ago," said Gilligan, who retired from the Air Force in 2005. "But I would submit today that the statistic is not that different."
To improve security, federal agencies also have to improve the way they manage technology, he said. As president of Gilligan Group, a Virginia-based technology consulting firm, he said he's seen significant progress in the way agencies approach security. Through techniques such as continuous automated monitoring, some agencies have dramatically reduced their security risks and increased efficiency.
But a central challenge is IT culture itself. "From its origins [technology culture has] focused on individual management, decentralized ownership, and that really runs against what I would consider well-managed infrastructure," Gilligan said.