Security services to the rescue

As agencies begin to free themselves from the burden of Year 2000 remediation, many will focus on the next big blip on management radar screens: securing federal networks from external and internal threats.


For many agencies, the first step toward operating secure networks is to invest in security assessment software technology. Such tools, like scanners, are designed to probe network systems and report on system vulnerabilities.

Although it's a reasonable approach to locating security glitches, there is a problem.

"The products just give you raw data," said Mary Stassie, vice president of secure solutions development at Wang Government Services Inc. "It really is the combination of experience and training and translation that is meaningful to a customer."

Now, a growing number of security vendors and service providers are lining up to offer that kind of higher expertise. They are armed with an array of services that span from helping agencies with the basics, such as developing general security policies, to the more complex work of building comprehensive security solutions.

Rich Baich, security delivery manager for Network Associates Inc.'s federal practice, said agencies need to identify potential risks to networks even before any security products, such as intrusion detection and antivirus software, are put in place.

As part of its service offering, Network Associates begins by examining an agency's potential physical security risks, such as telephone connections that may reside in an unlocked location. The firm also reviews an organization's mission to assess how attractive a target its networks are for hackers, he said.

"If you're a government agency, you're considered to be on the high level of possible intrusions," Baich said. "You're automatically considered to be high risk."

Next, the company can evaluate an agency's security policy and test agency hardware and software to make sure it conforms with the agency's stated security policy. Network Associates also can work with agencies to train employees about conformance to security policies.

"If it's not configured properly, and if it's not configured to conform to policy, then you're wasting your time," Baich said. "The cherry on top is giving your people the knowledge, the constant knowledge. If you don't do that, all it takes is three to four months and you're behind the power curve."

Robert Cooney, manager of the open systems integration and network technology department for the national capital region of the Space and Naval Warfare Systems Command (Spawar), said information assurance soon will replace Year 2000 as a top priority for the agency. Although security assessment tools provide a critical function, they need to be accompanied by services. The point was driven home recently to Spawar officials after they ran a scanner over their networks.

"We got these voluminous reports that went on ad nauseam about the holes, but it wasn't real good about [outlining] how to fix these things," Cooney said. "There are literally hundreds of servers in this building. The typical...project leader wasn't as sophisticated as far as security assessment. It all kind of fell back to the security experts. They couldn't handle all the work. You hear this cry from the field, 'What do we do about it?'"

In addition, Cooney said, security assessments should be accompanied by a return on investment analysis to compare the cost of a fix to the potential cost of an attack. "You need to do the risk analysis and then an ROI," he said. "How much is it worth to protect this stuff?"

John Negron, manager of U.S. government sales for Axent Technologies Inc., said his firm's security assessment services business has doubled in the past year, and said network security management is a sound investment for agencies.

"Management of security on a network is the biggest return on investment today because the cost of implementing a solution that enables you to validate that you have a sound security implementation is not much," Negron said.

Many security assessment vendors offer services to help agencies triage the vulnerabilities often identified by network security scanners. Cisco Systems Inc. works with agencies to identify the severity of problems and to plug holes, said Joel McFarland, product line manager in Cisco's security Internet services group. "We provide a very robust reporting capability...that says, 'Here's all the problems...here's what you should do about them,'" McFarland said.

In addition, Cisco provides follow-up services that alert its clients to emerging threats its security team has identified, so that agencies can continually update their security solutions.

Wang Government Services also offers services to accompany its scanner products, said Mike Kociemba, the firm's manager of secure systems. Before Wang ever touches a customer's network, the service provider examines an agency's security requirements and how they translate into policy and procedure.

"The world is moving much more toward risk management," Kociemba said. "It's no longer feasible to prevent all types of security incidents from happening."

Paul Green, Wang's senior security engineer, added that experienced professionals are critical to the security equation because they analyze the output from network scanners, identify false positives and note patterns that tools may not recognize. For example, a scanner may find a hole, but because a security team has assessed the entire architecture, it would know that a firewall or some other mechanism would cover the weakness, he said.

Wang also offers a service via its advanced technology lab, which can mimic an agency's network configuration and test products in an interoperable environment. This service can eliminate security weaknesses often created when an agency integrates new technology with legacy systems.

When selecting a vendor for security services, Matthew Kovar, a senior analyst at The Yankee Group, recommends doing your homework. Most vendors offer comparably good services, but some are better, for example, at addressing particular operating system vulnerabilities. When your agency's security is at stake, you want to make sure to hire the most qualified provider available.

Harreld is a free-lance writer based in Cary, N.C.