For many IT executives, one of the best ways to improve cybersecurity is by placing greater emphasis on assessing policies and practices in terms of risk. Many also believe that it’s critical to ensure the strength of the IT architecture.
This was one of the central themes of a report produced late last year by the Center for Strategic and International Studies (CSIS), a Washington think tank. Authored by a commission of 40 top IT executives and containing more than two-dozen recommendations, it was intended as a roadmap for the new administration. It emphasized how all enterprises are interconnected, or how they all “live in an aquatic environment, where everyone needs to demonstrate good cyber hygiene,” according to Tom Kellerman, one of the report’s authors.
For Kellerman, vice president of security awareness at Core Security Technologies, a Boston-based vendor of security testing software solutions, there are two main routes to strong IT architecture. First is regulator testing, such as software vulnerability assessments; second is by ensuring that software, applications, and systems are highly secure at any project’s outset. Fortunately, there’s a growing amount of guidance to help with the latter.
The New York State Office of Cyber Security conducts frequent software and application vulnerability assessments to detect coding, configuration, and other weaknesses, says William Pelgrin, its director. But the office also has been placing a growing emphasis on software and system assurance, and it has begun to do so earlier in the process.
Pelgrin, also an author of the CSIS report, titled Securing Cyberspace for the 44th Presidency, plans to incorporate a recently published list of the top 25 “most dangerous” coding errors into future project contracts. Vendors and other service providers will need to show that any project software has been tested against at least a majority of the list’s vulnerabilities, he says.
Published by the SANS Institute of Bethesda, Maryland, with input from more than 30 leading IT companies and organizations, the list will help organizations with the kind of prioritization that’s crucial to risk management, which involves knowing an organization’s unique risks and how much effort to spend mitigating each, Pelgrin says.
The SANS list will help educate software engineers, says Pelgrin, who also heads the Multistate Information Sharing Center, formed by the federal government to promote interstate and intergovernmental cybersecurity information sharing. Many vulnerabilities are caused by mistakes or insufficient knowledge, he says.
Bob Maley, CISO of the Commonwealth of Pennsylvania, is less sanguine about the new list. It could be temporarily valuable, “but is likely to change too often.” He says that systemwide IT integrity is better served with broader best-practice guidelines.
This past year, his office instituted a process it calls Commonwealth Application Certification and Accreditation, or CA2. Modeled on a Department of Defense program, it is an extensive list of security controls broken into subject areas. These areas range from application development and configuration to identity and access management to business continuity. Security and testing best practices accompany the list.
CA2 is helping Pennsylvania integrate cybersecurity into its overall business processes, says Maley. Guidelines require that a source-code analysis be conducted on applications before projects commence, but that has not always been done. Now when his office releases a Request for Proposal, there is a large security-related line item, he says.
Maley is also conducting tests. In the past year, his office created a position dedicated to penetration testing and Web application scanning. His office is becoming more proactive, he says. “We used to conduct [tests] whenever someone had time or in response to an incident.”
For many organizations, risk management still pales in significance to compliance and to passing regular audits. But, says Pelgrin, “we need to change the culture.” He and others could be making headway.