March 9, 2007 • Volume 5 • Number 2
Attack-Based Metrics; Guarding Against A Digital Pearl Harbor
“We take a proactive view of the things that matter the most, what we call attack-based metrics,” says Dennis Heretick, Deputy CIO for Information Security at Justice. “They give you a chance to learn from experience what has been successful so at least you are mitigating those successful attacks first -- those things that would have that direct impact on the mission.”
Thwarting attacks is an everyday occurrence for cyber security professionals as they guard against a constant barrage of threats and try to avoid a "digital Pearl Harbor".
“We have a swat team approach at Justice,” declares Heretick. “We start with our cyber security assessment and management tool. It gives us a way to take the threats that we had and look specifically at the controls that mitigate those that have a direct impact on our mission.” The team then prioritizes those at the top versus those that don’t have a direct impact.
Heretick made his comments during the Federal Executive Forum on Cyber Security broadcast on Federal News Radio.
Hosting the panel was Jim Flyzik, former CIO at Treasury. Joining Heretick from government were:
Dr. Ron Ross, Chief Computer Scientist, NIST
“I think there’s a misconception that when you get all of your systems certified and accredited that everything’s OK. Then the next day you have a breach and then you wonder why it happened.”
Patti Titus, Chief Information Security Officer, TSA
“One of the other challenges that we have which has been key to the success, it is a challenge, but it has been key to the success of TSA’s active security program, is we are a fully managed service organization. So our infrastructure is in that managed service environment.”
Phil Heneghan, CIO, USAID
“What I found when we shifted that risk (to the business owners), the resource issues sort of started to go away. Because when the CFO was confronted with accepting these risks, or not, the money appeared to do that. It’s the same with all these other systems. So again you are driving the business people and they are ready to bring the money to the table to avoid accepting these risks.”
And from the private sector:
John McCumber, Vice President, Symantec
“One of the other things that you’ll notice is in the last two years you haven’t seen the Washington Post or the New York Times publish a report on a wide-spread malicious code attack. It used to be something you’d see every six months. Now you see that has evolved and that the threat has evolved to become much more targeted. And you see that specifically in the empirical studies that we’ve done.”
Tim Kelleher, Vice President, Enterprise Security Services, Federal Systems, Unisys Corporation
“And there is unsubstantiated speculation that that MSBlast worm actually had a lot to do with the root cause of the 2004 blackout that hit the Northeast US and Canada. And I think something of that scale fits into the category of a digital Pearl Harbor. So that’s one end of the spectrum that says it has already happened. Clearly if that’s true, it can happen again. We do need to be diligent.”
The Final Word from Moderator Jim Flyzik
We need to reframe the conversations and talk about risk and risk management, and the need for agencies, both within their own agency or corporation as well as looking at those who are dependent on the supply chains, those you are working with, and can you trust those other entities.
I think identity management techniques and things like that come into play as well as RFID tagging and so forth which are a whole other set of subjects that we can talk about some day.
I also heard a lot of very positive comments about proactivity; trying to push this idea that we’ve got to be more proactive in addressing these cyber security issues and vulnerabilities, and identifying and getting out in front. So I think we also heard from the last question that it’s probably not feasible to identify every known vulnerability and threat, because as the technology changes so do the vulnerabilities and so do the threats.
So in order to be in a position to adjust or react to a major threat, we need to be in a situation where we have resilience in place, or backup and contingency plans.
The Final, Final Word from Dennis Heretick...
"Inside every old person is a young person wondering what the hell happened."
FEDERAL EXECUTIVE FORUM SPECIAL ISSUE: CYBER SECURITY