Justice's next level of protection

 

Connecting state and local government leaders

IT security program focuses on database vulnerabilities.

A key element of the Justice Department's security program is managing vulnerabilities in its IT systems. According to director of IT security Dennis Heretick, when it comes to compliance with the Federal Information Security Management Act, this is even more important than implementing operational controls.'Vulnerability management has been the emphasis of our program,' Heretick said. 'That is what FISMA is all about. What are your weaknesses, and what can you do about it?'The department started with network and configuration scanning, using tools such as FoundScan from Foundstone Inc. (now a division of McAfee Inc.) and the open-source Nessus scanner, managed by Tenable Network Security Inc. of Columbia, Md. This year the department is expanding its scanning capabilities to assess application security, beginning with database software.Two Justice offices, the FBI and Office of Justice Programs, already had been using the AppDetective scanner from Application Security Inc. (www.appsecinc.com) of New York. Other offices in the department were making plans to use it, Heretick said. 'We expanded that with an enterprise license' this summer, he said. 'We've started scheduling our training now.'AppDetective is AppSecInc's flagship product. It is a network-based scanner that can work with other tools such as FoundScan, but it is specialized for identifying and fixing database'rather than network'vulnerabilities. Heretick said he had been aware from the beginning of the need for application-level assessments, but the network and security configurations came first.'There is so much to be done, we had to prioritize,' he said.AppDetective performs two primary functions: discovery and assessments. 'You need to know your inventory before you can secure it,' Heretick said.Application discovery is more than a formality, even for databases that can cost up to $1 million a year to maintain, said AppSecInc's vice president of marketing Ted Julian.'In almost any organization we are in, they usually find a significant number of databases they were not aware of,' Julian said.Organizations change over time. People leave, and detailed knowledge of assets can be lost. Auditing organizations that keep track of resources tend to be centralized, while the rest of the enterprise is decentralized, allowing some valuable assets to fall into the cracks. But just because a database doesn't appear on an inventory list doesn't mean that it's an orphan. Somebody is usually maintaining the program, and it's likely to contain valuable data that requires protection.Once an inventory has been created, App-Detective performs automated penetration tests and inside audits. Penetration tests are done from a hacker's-eye point of view, with no access privileges required for the device. 'If we can see it, we can assess it,' Julian said.AppDetective also performs an inside audit of databases and their applications to assess security levels. The scanner supports most common databases, including MySQL, Oracle, Sybase, IBM DB2 and DB2 on Mainframe, Microsoft SQL Server, Oracle Application Server and Lotus Notes/Domino. The company recently announced it was seeking Common Criteria certification for the software through the National Information Assurance Partnership. Testing will be performed by Science Applications International Corp. in its Columbia, Md., lab.AppDetective can run as a standalone product, with licenses costing $900 for each database scanned. For scaling in larger enterprises, the App- SecIncConsole provides centralized management and reporting for the scanner.Reports rank vulnerabilities according to level of severity, with detailed information and links to vendor patches or data on workarounds. Automated routines are also available to fix common problems such as changing or shutting down default passwords and accounts. 'We build the scripts, and the administrators can plug in their own values,' Julian said.The FBI and Justice programs began using the database scanner in 2004. Those infrastructures must have been more tightly managed than most, for few unknown databases were uncovered.'I don't think there were any surprises,' Heretick said. 'There were vulnerabilities.'AppDetective was able to spot them well enough to convince Heretick to get an enterprise license. He'll also be implementing the $10,000 console for management as AppDetective is rolled out through the department. As training on the scanner progresses, Justice will pilot it throughout the department.Vulnerability scanning and assessment is not a one-time event. Because of the dynamic nature of networks and the time needed to correct problems, repeated if not continuous scans are necessary to keep track of vulnerabilities and track progress in remediation.The ability to document remediation and security postures is helpful in meeting FISMA certification and accreditation requirements, Julian said.Heretick said vulnerability assessments during system development will be valuable for creating secure systems.Database application security is not the end of the security road for Justice, Heretick said.'There are other things still on the radar, such as Web applications,' he said. 'The list of things you have to do never stops.'He said work has begun on Web application vulnerability assessment tools, but nothing has been selected for an enterprise license.

Database security

Challenge: Getting the Justice Department's FISMA performance grade out of the basement requires tools to automate the compliance process as much as possible. Key to this is the ability to perform vulnerability assessments of critical IT systems and fix the vulnerabilities as they are found. What's more, Justice needs to document progress and processes for FISMA's certification and accreditation process.

Solution: Justice was already using tools to scan its network for holes and assess security configurations. Application security was the next logical step. The department began with an enterprise license for AppDetective, a database application security-scanning tool already in use by the FBI and the Office of Justice Programs. Administrators are now being trained on the new tool, which will be phased in across the enterprise.

Mission benefit: AppDetective automatically performs application discovery to identify database resources. It then performs penetration testing and audits to identify vulnerabilities. Problems are ranked according to severity, and the software provides information about fixes. Some fixes, such as closing down or changing default accounts and passwords, can be automated.

Lessons learned: It is still early in the implementation process, but introducing a new technology into the database mix will require care, said Dennis Heretick, Justice's IT security staff director. 'You have to work with the implementation to create a workable schedule.' You also should start small and grow, he said. Justice will begin with pilot projects and expand from there. 'Otherwise you make a lot of mistakes all over the place, rather than in one small area.'

That is what FISMA is all about. What are your weaknesses and what can you do about it?' Dennis Heretick, Justice Department

Zaid Hamid















































NEXT STORY: ForeScout ActiveScout 100

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.