Government Computer News
Justice’s next level of protection
IT security program focuses on database vulnerabilities
Digg
De.licio.us
Slashdot
Technorati
Inside the project
Database security
Challenge: Getting the Justice Department’s FISMA performance grade out of the basement requires tools to automate the compliance process as much as possible. Key to this is the ability to perform vulnerability assessments of critical IT systems and fix the vulnerabilities as they are found. What’s more, Justice needs to document progress and processes for FISMA’s certification and accreditation process.
Solution: Justice was already using tools to scan its network for holes and assess security configurations. Application security was the next logical step. The department began with an enterprise license for AppDetective, a database application security-scanning tool already in use by the FBI and the Office of Justice Programs. Administrators are now being trained on the new tool, which will be phased in across the enterprise.
Mission benefit: AppDetective automatically performs application discovery to identify database resources. It then performs penetration testing and audits to identify vulnerabilities. Problems are ranked according to severity, and the software provides information about fixes. Some fixes, such as closing down or changing default accounts and passwords, can be automated.
Lessons learned: It is still early in the implementation process, but introducing a new technology into the database mix will require care, said Dennis Heretick, Justice’s IT security staff director. “You have to work with the implementation to create a workable schedule.” You also should start small and grow, he said. Justice will begin with pilot projects and expand from there. “Otherwise you make a lot of mistakes all over the place, rather than in one small area.”
“Vulnerability management has been the emphasis of our program,” Heretick said. “That is what FISMA is all about. What are your weaknesses, and what can you do about it?”
The department started with network and configuration scanning, using tools such as FoundScan from Foundstone Inc. (now a division of McAfee Inc.) and the open-source Nessus scanner, managed by Tenable Network Security Inc. of Columbia, Md. This year the department is expanding its scanning capabilities to assess application security, beginning with database software.
Two Justice offices, the FBI and Office of Justice Programs, already had been using the AppDetective scanner from Application Security Inc. (www.appsecinc.com) of New York. Other offices in the department were making plans to use it, Heretick said. “We expanded that with an enterprise license” this summer, he said. “We’ve started scheduling our training now.”
AppDetective is AppSecInc’s flagship product. It is a network-based scanner that can work with other tools such as FoundScan, but it is specialized for identifying and fixing database—rather than network—vulnerabilities. Heretick said he had been aware from the beginning of the need for application-level assessments, but the network and security configurations came first.
“There is so much to be done, we had to prioritize,” he said.
AppDetective performs two primary functions: discovery and assessments.
“You need to know your inventory before you can secure it,” Heretick said.
Application discovery is more than a formality, even for databases that can cost up to $1 million a year to maintain, said AppSecInc’s vice president of marketing Ted Julian.
“In almost any organization we are in, they usually find a significant number of databases they were not aware of,” Julian said.
Organizations change over time. People leave, and detailed knowledge of assets can be lost. Auditing organizations that keep track of resources tend to be centralized, while the rest of the enterprise is decentralized, allowing some valuable assets to fall into the cracks. But just because a database doesn’t appear on an inventory list doesn’t mean that it’s an orphan. Somebody is usually maintaining the program, and it’s likely to contain valuable data that requires protection.
Once an inventory has been created, App-Detective performs automated penetration tests and inside audits. Penetration tests are done from a hacker’s-eye point of view, with no access privileges required for the device. “If we can see it, we can assess it,” Julian said.
| |||
| Latest News |  WashingtonTechnology.com |
FCW.com |
|
GCN.com
The latest technology news from GCN.com
|
|||
|
|||
|
|||
|
|||
|
|||
|
|||
|
|||
|
|||
|
|||
|
 |
![1105 Government Information Group [happiness]](/images/1105logo_website.gif "Government Computer News [happiness]")
© 1996-2008 1105 Media, Inc. All Rights Reserved.
