
10 Big Issues for Cybersecurity Czar Schmidt

Entry posted 12/22/09 by Shawn P. McCarthy, last edited 12/23/09, tagged Accountability/Reporting, Government IT Infrastructure, North America, Performance Management, Security

The new federal cyber security czar has his work cut out for him. But he can make huge strides if he first focuses on the ten security issues listed below.

This week the White House appointed Howard A. Schmidt to the Executive Office of Policy. He will serve as President Obama’s Cyber Security Coordinator. Schmidt has worked with the White House before. He joined President George W. Bush’s team after the 9/11 attacks in 2001 to focus on multiple security issues, and he previously directed the Security Strategies Group at Microsoft. Schmidt’s resume is loaded with other security-related jobs, such as director of the cyber crime special investigations unit of the Air Force, chief information security officer at eBay, and special agent work at the Army reserves. He looks like the right person for the job.

Now, with hundreds of hackers trying to break into U.S. government systems every day, there are some very pressing issues facing anyone who steps into the role of Cyber Security Czar. But the starting points are evident.

Our ten suggestions for where Schmidt should focus his immediate attention are as follows. Fix these, and you will have slammed the door on the most pressing security issues faced by government agencies today.


1) Get configuration management under control. All firewalls, hubs, servers and client machines on a network need to be managed and controlled by properly setting each device’s configuration. Such configuration can include the management of security features, control of changes made to hardware and firmware, software additions, changes, patches, user accounts, password settings, and even documentation and port access control. There are three looming security issues related to configuration management. The government, like many other organizations, is not doing the best possible job managing these issues (listed below).

a) Patches and updates need to be handled as soon as possible, especially those which address a security hole.

b) Once a machine’s settings are finalized, a baseline of those settings needs to be recorded. It’s best when automated solutions can be used to detect configuration changes across a network, and (we hope) automatically reset the configuration, or at least notify managers that the settings have been changed. EMC’s Ionix network configuration manager and IBM’s Tivoli Change and Configuration Management Database are two examples of this type of solution.

c) IPv6 is coming. Internet Protocol version 6 will slowly replace version 4 over the next several years. The expansion will not be rapid, but some machines will need to operate in dual mode, and this introduces security issues because of the different types of data packets the machines will handle. Proper configuration of dual-mode machines is a must.

2) Launch a new "social engineering awareness" campaign. Employees are their own worst enemies when it comes to security. In this context, social engineering means a non-technical kind of intrusion that uses human interaction and outright trickery to get people to break normal security procedures. Despite rules and warnings, people still click on dangerous attachments, visit compromised Websites and install unauthorized software. Some may even provide information over the phone or email without realizing they are sharing important security information. A renewed awareness campaign should launch as a reminder of security best practices, with buy-in at every level of the government. But this is not a one-time thing. Via regular meetings and updates, employees need to be constantly made aware of every new trick that’s being used against them.

3) Use hackers to catch hackers. This year’s U.S. Cyber Challenge events are excellent examples of how hacker talents can be corralled and put to productive use, allowing the government to discover both common and uncommon exploits. China has reportedly been holding similar events for several years. These events, often with cash prizes awarded to the top hackers, also help the government discover some of the best and brightest white-hat hackers whom they might be able to hire for security assistance. But don’t stop there. Every few months there are new issues, new exploits and new hackers who understand where the new holes are, and how they can be exploited and fixed. Open the checkbook, find the best people and close some security holes. It could be cheaper in the long run.

4) Make better use of white lists and black lists. This one seems simple, but it’s not. Internet traffic into or out of a government agency’s gateway, firewall or proxy servers can be controlled by white lists (sites that are okay to visit) and black lists (sites that are blocked or banned because of known issues). The problem is that checking packet traffic against these lists can slow that traffic down, and no white or black list can ever be all-inclusive. Also, if you block too many sites then government workers won’t be able to get their jobs done. There are companies out there who help develop black lists which can be imported on a regular basis. Cisco’s IronPort SenderBase is one such example. The trick is to allow traffic to pass quickly to trusted sites, allow those known bad sites to be blocked, and then concentrate on evaluating the large “gray list.” Think of a gray list as those sites that are not yet blocked, but not yet fully trusted either. Access can be controlled to gray areas with warnings, probes and extra filters.

5) Control the zombies. Zombie is the nickname given to software that is secretly installed on someone else’s system. Like a bad B movie, zombies are set to wake up at a certain time with instructions to do something. Often those instructions are to send thousands of data packets to some specific address to overwhelm that site, or to launch pop-up windows or some other mischief. Many times people don’t know they are hosting zombie software until it becomes active. A number of things can help control zombies. This includes blocking pop-up windows on Web browsers, protecting Web sites against iframe injection attacks (often addressed via configuration management), keeping antivirus and anti-malware software up to date and running system scans to look for hidden zombies, using egress filtering (see below) and more. If the government can get the zombie issue under control, it can strip out a lot of bogus network traffic.

6) Lock down the servers. Agencies should know exactly what their servers do. Once that’s established, they can keep the servers from doing most other functions. This sort of management usually must be done on a machine-by-machine basis, and it can take a lot of time. But it really makes a difference. Close off all ports that are not used. Disable all unnecessary or outdated user accounts. Remove unused software. Set rules for which machines the server is allowed to communicate with, then block all other IP addresses if possible. Allow no other software to be installed. Think of this as closing and locking all the shutters on a house. It’s extra work, but it keeps things safer. Agencies should consider making it mandatory.
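Items 1b and 6 both come down to the same mechanism: record a known-good baseline of a machine (open ports, accounts, installed software, config file hashes) and then detect and report anything that drifts from it. The script below is an added illustration written for this post, not code from the author or from the Ionix or Tivoli products named above; the two snapshots are constructed sample values, and a real tool would collect them from the host and feed findings to a reset-or-notify step.

```python
import hashlib
import json

# Constructed snapshots of one server's state, as a baseline tool might collect
# them: listening ports, enabled accounts, installed packages and hashes of key
# config files. Made-up sample values, not data from any real system.
BASELINE = {
    "listening_ports": [22, 443],
    "accounts": ["root", "svc-web", "jdoe"],
    "packages": {"openssh-server": "5.3p1", "httpd": "2.2.14"},
    "config_hashes": {"/etc/ssh/sshd_config": "a1b2", "/etc/httpd/httpd.conf": "c3d4"},
}
CURRENT = {
    "listening_ports": [22, 443, 8080],                  # a new port was opened
    "accounts": ["root", "svc-web", "jdoe", "tmp"],      # a new account appeared
    "packages": {"openssh-server": "5.3p1", "httpd": "2.2.14", "ncat": "5.21"},
    "config_hashes": {"/etc/ssh/sshd_config": "ffff", "/etc/httpd/httpd.conf": "c3d4"},
}


def fingerprint(snapshot):
    """Stable hash of a snapshot, so one comparison tells you whether anything drifted."""
    canonical = json.dumps(snapshot, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def detect_drift(baseline, current):
    """Return (category, change, item) findings; an empty list means no drift."""
    findings = []
    for category in ("listening_ports", "accounts"):       # set-valued categories
        base, cur = set(baseline[category]), set(current[category])
        findings += [(category, "added", x) for x in sorted(cur - base, key=str)]
        findings += [(category, "removed", x) for x in sorted(base - cur, key=str)]
    for category in ("packages", "config_hashes"):        # keyed categories
        base, cur = baseline[category], current[category]
        for key in sorted(set(base) | set(cur)):
            if key not in base:
                findings.append((category, "added", key))
            elif key not in cur:
                findings.append((category, "removed", key))
            elif base[key] != cur[key]:
                findings.append((category, "changed", key))
    return findings


if __name__ == "__main__":
    if fingerprint(BASELINE) != fingerprint(CURRENT):
        for finding in detect_drift(BASELINE, CURRENT):
            print("DRIFT %-16s %-8s %s" % finding)
```

Run periodically, the fingerprint check is cheap enough for every host and only the hosts whose fingerprint changed need the detailed diff.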

7) Use egress filtering. Extending the use of the white, black and gray lists mentioned above, government agencies also can institute egress filtering. This is a way of monitoring and possibly restricting data packets which are outbound from one network to another. It’s a way of keeping unauthorized or malicious traffic from leaving a network or a specific part of a network. This can be very important when machines have been compromised to launch botnet or “zombie” attacks against other machines. Focusing mostly on the transport layer and session layer can help limit the number of packets that need to be inspected.
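Items 4 and 7 together describe one decision: classify the destination as white, black or gray, then apply a per-subnet egress rule on the transport-layer port. The example below is an added illustration, not code from the author or from any product named in this post; the domain lists, subnets and port sets are constructed assumptions standing in for an agency's real policy and vendor feed.

```python
from ipaddress import ip_address, ip_network

# Constructed lists for illustration; a real deployment imports the black list
# from a vendor feed and maintains the white list from agency policy.
WHITE_LIST = {"usa.gov", "nist.gov"}            # trusted domains and their subdomains
BLACK_LIST = {"evil.example", "malware.test"}   # known bad domains
# Egress rules: which internal subnet may originate outbound traffic on which ports.
EGRESS_RULES = {
    ip_network("10.1.0.0/16"): {80, 443},       # workstations: web only
    ip_network("10.2.0.0/24"): {25, 443},       # mail relay: SMTP and HTTPS
}


def match_domain(host, domains):
    """True if host equals or is a subdomain of any entry in domains."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def classify_destination(host):
    """Three-way verdict on a destination: block, allow, or gray (undecided)."""
    if match_domain(host, BLACK_LIST):
        return "block"
    if match_domain(host, WHITE_LIST):
        return "allow"
    return "gray"   # not banned, not yet trusted: pass through extra filters and log


def egress_decision(src_ip, dst_host, dst_port):
    """Decision for one outbound connection attempt: (verdict, reason)."""
    dest = classify_destination(dst_host)
    if dest == "block":
        return "BLOCK", "destination on black list"
    src = ip_address(src_ip)
    allowed = next((ports for net, ports in EGRESS_RULES.items() if src in net), None)
    if allowed is None:
        return "BLOCK", "source subnet has no egress rule"
    if dst_port not in allowed:
        return "BLOCK", "port %d not permitted for this subnet" % dst_port
    if dest == "gray":
        return "INSPECT", "gray-listed destination: content filter and logging"
    return "ALLOW", "white-listed destination on a permitted port"


if __name__ == "__main__":
    for src, host, port in [("10.1.5.7", "www.nist.gov", 443),
                            ("10.1.5.7", "news.example.org", 6667),
                            ("10.2.0.5", "cdn.evil.example", 443)]:
        print(src, host, port, "->", egress_decision(src, host, port))
```

The port rule is what makes a compromised workstation's unexpected outbound connections stand out even when the destination is not on any list yet.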

8) Thin clients are your friend. Managing every personal computer that’s sitting on every employee’s desktop is a huge task. Just ask a typical federal agency helpdesk. Thin client machines put most of the software, logic and controls on the server rather than the desktop. Employees using client machines log onto the server to do their work. The upside is fewer machines to manage, fewer patches to install and fewer problems with viruses and malware. The downside: Most end-users prefer PCs to thin clients because PCs have more local control and compatibility. Plus, PCs will work even when network connectivity is down. Thus migrating employees to thin clients is more of an employee management issue than a pure tech issue, and the question must be decided by each department. But thin client solutions are worth investigating. By the way, thin client laptops can help solve other issues too. Business continuity improves, because employees can take their work anywhere, especially in emergencies. And if a thin client laptop is lost or stolen, fewer data breaches occur because most data and applications are stored on a server rather than the laptop.

9) Pattern recognition for network traffic must be improved. Too often a security issue is uncovered only because a watchful Website or network manager notices a spike in traffic from a certain country, IP address, or application. These types of patterns can often be recognized by special network appliances which can be configured to recognize new patterns and bring them to the immediate attention of system administrators. In some cases such appliances can be set to automatically shut down access for certain types of traffic. Zyrion Business Assurance Services and NitroSecurity’s data management architecture are two examples of this type of solution.
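The spike the watchful manager notices by eye can be expressed as a per-source deviation from that source's own recent baseline, with a higher tier that triggers the automatic shutdown the paragraph mentions. This is an added example written for this post, not code from the author or from the Zyrion or NitroSecurity products; the per-minute counts are constructed sample values and the thresholds are assumptions to be tuned per network.

```python
from statistics import mean, pstdev

# Constructed per-minute request counts keyed by source (a country code or an IP
# address), as a network appliance would tally them. Minutes 0-9 are the baseline;
# minute 10 contains a burst from one source. Sample values, not real traffic.
SAMPLE_COUNTS = {
    "US":           [120, 118, 125, 122, 119, 121, 124, 120, 123, 122, 126],
    "DE":           [30, 28, 31, 29, 30, 32, 29, 31, 30, 28, 33],
    "198.51.100.9": [2, 3, 2, 1, 3, 2, 2, 3, 2, 2, 400],
}


def spike_score(history, current):
    """Z-score of `current` against `history`; a flat history scores 0 or infinity."""
    mu, sigma = mean(history), pstdev(history)
    if sigma == 0:
        return 0.0 if current == mu else float("inf")
    return (current - mu) / sigma


def detect_spikes(counts, window=10, alert_at=5.0, block_at=50.0, min_count=50):
    """Flag sources whose latest minute deviates sharply from their recent baseline.

    Returns (source, count, score, action) tuples. Tiny absolute volumes are
    ignored so a source going from 1 to 5 requests does not page anyone.
    """
    findings = []
    for source, series in counts.items():
        history, current = series[-window - 1:-1], series[-1]
        if current < min_count or not history:
            continue
        score = spike_score(history, current)
        if score >= block_at:
            findings.append((source, current, round(score, 1), "block"))
        elif score >= alert_at:
            findings.append((source, current, round(score, 1), "alert"))
    return findings


if __name__ == "__main__":
    for source, count, score, action in detect_spikes(SAMPLE_COUNTS):
        print("%-7s %-14s count=%d z=%s" % (action.upper(), source, count, score))
```

Scoring each source against its own history is what keeps a large, steady source like "US" from alerting while a small source that jumps two orders of magnitude does.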

10) Use new laws and lawsuits to go after spammers and malware installers. Many spammers and malware installers are hiding in plain sight. They use vague wording and legal gray areas to either sneak their emails and software onto people’s computers, or they allow third parties to pass through their sites, while claiming that they should not be held accountable for how other people use their services. But proof of bad deeds is the first step toward establishing a legal solution to address specific security issues. Proceed cautiously, but rapidly, to make this happen, using all legal means at the government’s disposal.

After these 10 issues are addressed, the new cyber czar might then want to turn his attention to these two other long-term issues.

· A future version of the Internet protocol (perhaps IPv7) might be able to address the problem of improperly addressed data packets. Today any packet dropped anywhere on the Internet will be delivered to a target server as long as its destination (“To:”) address is valid. That makes it easy for hackers to spoof the source (“From:”) address. Let’s try to close this loophole. Governments can have significant influence on future IP standards.

· A central security coordinator needs to be "diplomatically insistent" when it comes to implementing security fixes. Keep in mind that security always needs to be balanced with the need to conduct day-to-day business. A government agency that no one can reach may be secure, but it’s also useless. Yet, these types of operational issues can’t become the excuse for never fixing security holes. A government-wide security administrator needs to carry a big stick. And a smile.


Keywords: cyber security, cybersecurity, Howard A. Schmidt, czar, federal government, governments, security management