Army adds depth to net security

The Army last month awarded a contract to Harris Corp. for security assessment software and maintenance services on 1.5 million Army workstations worldwide, adding another layer to the service's "defense-in-depth" strategy.

Harris' Security Threat Avoidance Technology (STAT) Scanner provides network administrators with an analysis of security vulnerabilities, details about the risk level of each vulnerability and remediation of detected weaknesses.

Enterprise reporting features will enable officers to monitor the security of all systems under their command, said Rich Caliari, director of product strategy for STAT at the Melbourne, Fla.-based company.

Under terms of the contract, STAT Scanner will be used to detect vulnerabilities in active-duty and reserve Army computer networks. The contract requires Harris to provide maintenance for three years, and numerous systems are scheduled to be covered, including:

n Strategic networks, including post, camp and station computers.

n Tactical networks.

n Mobile Subscriber Equipment networks (a microwave radio system).

n The Army's Tactical Internet, including direct applicability to the Warfighter Information Network-Tactical.

STAT Scanner searches for vulnerabilities in Microsoft Corp. Windows NT, 2000 and XP, and Linux and Unix operating platforms, assessing more than 1,400 network security vulnerabilities and automatically repairing many, Caliari said.

John Pescatore, research director for Internet security at Gartner Inc., said vulnerability assessment scanners do a "great a job of identifying what hackers are doing." He said Harris' STAT Scanner is "one of the better ones," along with similar offerings from Sanctum Inc., KaVaDo Inc., Stratum8 Inc. and Qualys Inc.

Harris customized the Army's version of STAT Scanner to include the information assurance validation alerts and bulletins (IAVAs and IAVBs), which the service's team researches and publishes regularly.

Lt. Col. John Quigg, branch chief for the network security improvement program under the Army's director for information assurance, said the IAVA plug-ins made the Harris tool unique and very useful.

Army personnel have five days to acknowledge receipt of an IAVA, and up to 90 days can pass from the initial announcement to the fix, although most are handled within a month, Quigg said. The service must move quickly because once vulnerabilities are found, "hackers put out a toolkit to exploit them."

"It's Army policy that if you find an IAVA, you stop what you're doing and fix it immediately," he said. "Otherwise you're going to get hacked."

Quigg said the Harris product is one of many scanning tools the Army uses with the goal of automating "as much as we can to allow system administrators to concentrate on the many other things that they are required to do. Our approach is a defense-in-depth using many different tools."

Jack Spencer, a defense analyst with the Heritage Foundation, a think tank based in Washington, D.C., said that the Army's defense-in-depth strategy for computer networks was "typical, sound military thinking" and mirrors the Defense Department's layered approaches to ballistic missile defense and other areas.

***

How it works

Harris Corp.'s Security Threat Avoidance Technology (STAT) Scanner initially provides administrators with a list of the machines that they are responsible for on the network. The administrator then selects machines that he or she would like to be searched for vulnerabilities.

STAT Scanner looks for susceptible files, outdated registry settings, patch locations and numerous other vulnerabilities and then either automatically fixes them or reports back to the administrator with step-by-step instructions on how to respond, said Rich Caliari, Harris' director of product strategy for STAT.

STAT Scanner can automatically fix small vulnerabilities, including configuration problems such as password policy expiration times, but larger problems, such as the need to install a service pack for Microsoft Corp. Windows, result in a step-by-step report that administrators can follow to fix the problem.

"Anything that can be done on the back-end and is seamless to users...is basically three buttons pushed" — select, scan and fix, Caliari said. "It's an easy-to-use tool."

A single software license for 10 machines costs $1,000, with an unlimited license that will scan as many machines as an administrator needs priced at $12,500, he said. The Army has multiple bases and multiple administrators and, therefore, has purchased numerous copies.