October 29, 2012
Information Security at the United States Department of Defense
The U.S. Department of Defense (DoD) Information Security policy is managed by the Defense Information Systems Agency (DISA). DISA, one of five Combat Support Agencies designated by the Secretary of Defense, administers “command and control (C2)” functions, information sharing effectiveness, and global operational information infrastructure projects, while providing support to force warfighters, national-level leaders, and coalition friendly forces across a wide range of undertakings. DISA’s vision is to “provide information superiority in defense of the United States.”
A Security Technical Implementation Guide (STIG) is a systematized approach to the secure installation and maintenance of computer hardware and software. DISA, which designs configuration documents in support of DoD, first coined the phrase under instructions from DoD.
This instruction requires that “all information assurance (IA) and IA-enabled IT products incorporated into DOD information systems shall be configured in accordance with DOD approved security configuration guidelines”. This mandate provides that the recommendations delineated in STIG checklists will ensure that DoD environments address those security requirements.
A desktop computer configuration is an example where STIGs would be beneficial. Most operating systems (OSs) are not inherently secure, which leaves them open to criminals (i.e., computer hackers and personal identity thieves). STIGs explain how to minimize network-based attacks and how to prevent system access when the attacker is physically present at the device. STIGs also describe maintenance processes (for example, vulnerability patching and software updates).
STIGs might also cover the design of a corporate network, including the configuration of routers, firewalls, domain name servers and switches.
STIGs contain technical procedures to "lock down" information systems that would otherwise be susceptible to a malicious attack. DISA’s Field Security Operations (FSO) has been performing an important function in enhancing the security posture of DoD systems by implementing Security Technical Implementation Guides (STIGs) since 1998.
Hacktivism (a compound of hack and activism) is the use of computers and computer networks as a means of protest to promote political ends. It’s not just e-commerce and media that are potential victims of hacktivism. Governments all over the world are beefing up their efforts to avoid becoming the victims of political and terrorist groups who want to steal state secrets and cash, and bring down internal networks. Every day the U.S. and others are the victims of targeted attacks from cyber terrorist groups, including Al Qaeda. DoD has begun taking a proactive approach to cyber security, recognizing that hacktivists are no longer low-level hackers breaking in “for fun,” and are now serious, high-level operatives like Anonymous, with deep pockets, advanced skills and little concern for consequences.
The most important step any agency or business can take to avoid being the victim of a hacktivist is to take a proactive approach to security. Many wait until there is a problem—the site is under a DDoS attack, or a security breach has been identified—to react.
Thwarting hacktivist attacks requires diligence beforehand to fend off persistent attackers. For example, developing security protocols for using the cloud and properly vetting potential vendors and other users can help prevent security vulnerabilities. There need to be strict controls on BYOD (bring your own device) policies and use of social media, as well as network-level protections such as advanced firewalls and encryption. Most importantly, organizations need to recognize that the ever-changing landscape of hacktivism requires an ongoing…