Statement of

Edward Roback

Chief, Computer Security Division

National Institute of Standards and Technology

Technology Administration

U.S. Department of Commerce

Before the

House of Representatives

Committee on Government Reform

Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census

“Locking Your Cyber Front Door – The Challenges Facing Home Users and Small Businesses”

June 16, 2004

Chairman Putnam, members of the Subcommittee, thank you for this opportunity to testify today on our perspective regarding the challenges facing home users and small businesses in better securing their systems and information.  I would like to address the questions you asked in your invitation to testify and tell you about the numerous cybersecurity activities underway at NIST.  Many of these can assist small businesses in implementing better security controls. 

 

NIST has had a long-standing role in working effectively with industry and federal agencies in ensuring the protection of sensitive information and information systems.  Our research helps protect the confidentiality, integrity, and availability of information and system services.  Helping to ensure the secure flow of business-related information is essential to the functioning of our economy and indeed to our democracy.  Our broader work in the area of information security is, generally speaking, applicable to a wide variety of users – from small business to the large agencies of the Federal government.  Let me start by quickly reviewing our responsibilities in the area of information security.

 

NIST’s Current Statutory Responsibilities

 

The Cyber Security Research and Development Act of 2002 assigned to NIST the following key responsibilities:

 

  • Establish a program of assistance to institutions of higher education that enter into partnerships with for-profit entities to improve the security of computer systems; 

 

  • Institute a program to award post-doctoral research fellowships to individuals seeking research positions at institutions engaged in cybersecurity research;

 

  • Develop checklists establishing settings and option selections that minimize security risks associated with federal government computer hardware or software systems;

 

  • Support and consult with the Information System Security and Privacy Advisory Board, which has the mission to identify emerging issues related to computer security, privacy, and cryptography; and

 

  • Conduct intramural cybersecurity research.

 

 

The Federal Information Security Management Act (FISMA) of 2002 assigned NIST the following responsibilities:

 

  • Developing IT standards and guidelines for the security of Federal systems;

 

  • Conducting research to identify information security vulnerabilities and developing techniques to provide cost-effective security;

 

  • Assessing private-sector policies, practices, and commercially available technologies;

 

  • Assisting the private sector, upon request; and

 

  • Evaluating security policies and practices developed for national security systems to assess potential application for non-national security systems.

 

With these broad legislative mandates in mind, let me now share our views on the issues posed by the Subcommittee.

 

Home users and small businesses face an enormous challenge in protecting their computers, which are connected to the Internet.  These systems are operated in environments where there is normally not full knowledge or understanding of all of the potential security risks created by connecting to the Internet.  Indeed, the risks to our systems are so complex and pervasive that we cannot reasonably expect small business people to become experts in this area.  In addition, home users and small businesses, like all organizations, want to embrace and have available the latest advances in technology to make their tasks easier.  For example, many may have no idea that their computers, if unprotected, can be used as zombies to launch distributed denial of service attacks.  Many may not understand that sensitive information residing on their machines may be accessed and otherwise misused, potentially resulting in great harm.  Even if they have taken steps to minimize the opportunity for inappropriate access by investing in firewall technology and virus protection software, they may not have correctly installed, managed or updated those capabilities.  They also face the challenge of trying to determine what security configuration settings should be in place for their systems (given their risk environments) – and then how to actually “turn on” those settings.

 

We are all experiencing receipt of an overwhelming amount of SPAM e-mail and unfortunately, although filters are available to assist in identifying and blocking SPAM, the spammers continue to find ways to circumvent these solutions. In large organizations, we are certainly better positioned both from a staffing and budget perspective to put very strong formal processes in place to monitor and manage our environments in order to make them more secure.  SPAM is more than an inconvenience.  SPAM may also deliver viruses or worms or have fraudulent intent. Phishing schemes, the Internet version of social engineering to fool individuals into divulging personal financial data such as credit numbers or social security numbers, have become pervasive.  Uninformed home users and small businesses may become victims.  

 

The vulnerability of any one small business may not seem significant to many other than the owner and employees.  However, over 95 percent of all U.S. businesses are small or medium-sized.  Many of these businesses house very sensitive personal information, including healthcare or financial information.  Many small businesses also provide services to our Federal, state, local and tribal governments and have access to government information or systems.  Therefore, a vulnerability common to a large percentage of these organizations could pose a threat to the Nation's economy and overall security.

 

In the special arena of information security, vulnerable small businesses also run the risk of being compromised for use in crimes against governmental or large industrial systems upon which we all rely.  Most small businesses cannot afford an extensive security program, or often even to hire a single full-time expert.  Nonetheless, they confront serious security challenges and must address security requirements based on identified needs.  The difficulty for these organizations is to identify cost-effective security mechanisms and obtain training that is practical and feasible for their environment.  Such organizations also need to become more educated consumers in terms of security, so that their limited security resources are well applied to meet the most obvious and serious threats.

 

Hardware and software purchased by small businesses and home users today is frequently installed without making any changes from the original configurations delivered by the vendor.  Unfortunately, in most cases, these configurations have not been optimized for security.  This puts home users and small businesses at risk, and they need to better educate themselves about security features and what implications and risks are associated with poorly configured systems.  Given the state of software insecurity today, vendors are frequently issuing security patches for their products.  Users need to be aware of the importance of these patches, where to get up-to-date information about these patches, and procedures for installing them.  I would point out that the efforts of the DHS US-CERT are particularly germane here.  Lessening the burden on home users and small businesses must include greater efforts on the part of Government, working with the IT vendor community, in order to deliver more secure products to IT consumers.

 

In that regard, Mr. Chairman, I’d like to share with you some of the work NIST is doing to support security improvements in this area.

 

NIST has formed a partnership with the Small Business Administration (SBA) and the Federal Bureau of Investigation’s InfraGard program to sponsor workshops and on-line support for small businesses.  This co-sponsorship, which began in FY2002, has just been renewed this year.  Because our experience shows that it is often very difficult for a small business to spare a person even for a half-day workshop, we have built a Small Business Resource Center on the NIST web site where our training materials can be freely accessed and used by small businesses for distribution and in-house security sessions.

 

We have also provided briefings at various events engaged with small businesses to publicize these available resources, such as the Association of Small Business Development Centers, the National Entrepreneurial Conference and Expo, SBA’s Senior Corps of Retired Executives, and the American Association of Community Colleges, where many small business owners may hire students.  We also placed security tips in the SBA Solutions Newsletter, which reaches more than 14,000 business owners.

 

Another area in which NIST has provided assistance is through its Manufacturing Extension Partnership’s eScan Security Assessment Tool.  The eScan Security Assessment provides the small business with a diagnostic tool designed to assess the electronic security infrastructure of a small business and provide an action plan for improving it through a set of recommendations to correct many security problems.

 

U.S. small manufacturers are dependent upon the secure and reliable processing, storage and transmittal of information to conduct their internal and external business.  Information and knowledge about customers, orders, manufacturing and intellectual property are the primary assets of any private business.  Unfortunately, many businesses are not aware of the latest strategies for ensuring the security of their physical workplace and their information systems.  These issues are especially important in the many defense manufacturing supply chains, as the security of the information and the ability to maintain business continuity affect the security of the entire country. 

 

The eScan Security Assessment measures how well a business performs in these critical security areas:

  • Strategies & Tactics for Virus Protection
  • Physical Environment Security
  • Contingencies for Mechanical Failures
  • Security Policies & Procedures
  • Internet and eCommerce Security
  • File Permission Security
  • Back-up Policies and Procedures
  • Contingency Planning
  • Miscellaneous Security Issues
  • Operating System Security
  • Wireless Security
  • International eCommerce Concerns


The NIST MEP Centers are available to conduct the assessment and/or assist the company in solving its security issues.  The eScan Security Assessment is available online at http://escan.nist.gov/sat/index.nist.

 

But in addition to these specific efforts, we believe that home users and small businesses can benefit greatly from a broad range of initiatives that we have undertaken.  NIST continues to take strides toward securing the nation’s infrastructure and supporting all users of information technology (IT) through its development of tools, standards, metrics and guidance.

 

Security Guidelines and Standards

 

We continue to develop standards and guidelines in support of our Federal responsibilities.  Many of these are also used, on a voluntary basis, by organizations in the private sector.  Hundreds of thousands of copies of our guidelines have been downloaded from our Computer Security Resource Center.

 

We recognize that the guidance, as written, has not been tailored for use by home users and small businesses; however, we are considering the development of a series of guidance documents that could be tailored for better usability by this group of users.  The presentation would take the form of quick reference guides reinforcing good security principles and practices for specific IT components (Web, email, etc.).

 

A sample of some of our recent guidance releases is listed below:

 

  • Wireless Network Security: 802.11, Bluetooth, and Handheld Devices;
  • Security Guide for Interconnecting Information Technology Systems;
  • Security for Telecommuting and Broadband Communications;
  • Guidelines on Electronic Mail Security;
  • Guidelines on Securing Public Web Servers;
  • Systems Administration Guidance for Windows 2000 Professional;
  • Guidelines on Firewalls and Firewall Policy;
  • Procedures for Handling Security Patches;
  • Contingency Planning Guide for Information Technology Systems; and
  • Risk Management Guide for Information Technology Systems.

 

See http://csrc.nist.gov/publications/nistpubs/index.html.

 

Network Security

 

Mr. Chairman, I’m very pleased to note that at NIST we are aggressively working on the development of robust, resilient, agile networks as a defense against the kind of distributed denial of service (DDoS) attacks cited in your invitation letter.

 

NIST’s efforts in Internet security research are focused on both near-term objectives of expediting significant improvements to the security and integrity of today’s Internet technologies, and longer-term objectives such as exploring the use of quantum information theory to develop ultra-secure networking technologies of the future.

 

Our near-term research is directed at working with industry and other Government agencies to improve the interoperability, scalability and performance of new Internet security systems and to expedite the development of Internet infrastructure protection technologies.  NIST staff is actively working with the Internet Engineering Task Force (IETF) to design, develop, standardize and test new protocols that will make authentication, confidentiality and integrity services inherent capabilities of all networks based upon Internet technologies.  NIST has taken leadership roles within the IETF in the specification of public key infrastructure, network layer security and key management technologies.  Working shoulder to shoulder with industry, NIST is contributing technical specifications, modeling and analysis results, research prototypes and test and measurement tools to the IETF community to expedite the standardization of ubiquitous Internet security services and to foster the rapid development of commercial products.

 

Another area of focus for our near-term efforts is the research and development of technologies to protect the core infrastructure of the Internet.  NIST is working with the IETF and other government agencies to devise means to protect the control protocols and infrastructure services that underlie the operation of today’s Internet.  NIST’s research and standardization efforts in this area include extensions to the Domain Name System (DNS) to add cryptographic authentication to this most basic Internet service, and the design and analysis of protection and restoration mechanisms to improve the failure resilience of core switching and routing infrastructures.  Our future work in this area will focus on improving the security and resilience of core Internet routing protocols.

 

Looking further into the future, we see the potential for new computational paradigms to threaten the mathematical underpinnings of today’s cryptographic systems.  In response, NIST is conducting research in the use of quantum information theory to devise ultra-secure network technologies that are not dependent upon today’s cryptographic techniques. 

 

Wireless Mobile Device Security

 

With the trend toward a highly mobile workforce, the acquisition of handheld devices such as Personal Digital Assistants (PDAs) is growing at an ever-increasing rate.  These devices are relatively inexpensive productivity tools and are quickly becoming a necessity in today's business environment.  Most handheld devices can be configured to send and receive electronic mail and browse the Internet.  However, as handheld devices increasingly retain sensitive information or provide the means to obtain such information wirelessly, they must be protected. 

 

Our efforts to date have focused on improving several aspects of security: user authentication, policy enforcement, and wireless communications.  For user authentication we have developed a framework for multi-mode authentication that allows more than one authentication mechanism to contribute to the verification of a user’s identity.  For example, a biometric, such as voice input, may be required in combination with a security token, such as a smart card, before a user is permitted to access the contents of a device.  In addition, we have invented a visual means of authentication that is not only easier for users than passwords, but also significantly more powerful, and we have contributed updates to an open source code initiative that allow smart cards to be used on certain handheld devices.

 

For policy enforcement, we have developed a system that requires users to present a policy certificate to a device, as a means of moving from a restricted processing environment to one in which the privileges accorded a user via the policy certificate are enabled.  Policy rules govern such things as application usage, file access, and communications interfaces, including wireless communications.  This mechanism allows organization policy controls to be asserted on handheld devices, which typically are at the fringes of an organization’s influence, and was designed to tie in with emerging Public Key Infrastructures.

 

For wireless communications, we have developed a highly-regarded publication on Wireless Network Security, aimed at reducing the risks associated with 802.11 wireless local area networks and Bluetooth wireless networks that are commonly used with handheld devices.

 

Security Awareness and Outreach

 

Timely, relevant, and easily accessible information to raise awareness about the risks, vulnerabilities and requirements for protection of information systems is urgently needed.  This is particularly true for new and rapidly emerging technologies, which are being delivered with such alacrity by our industry.

 

We actively support information sharing through our conferences, workshops, web pages, publications, and bulletins.  Finally, we also have a guideline available to assist agencies with their training activities and are an active supporter of the Federal Information Systems Security Educators’ Association.

 

We sponsor the web-based Computer Security Resource Center (CSRC) to provide a wide range of security materials and information to the community and link to the Federal Computer Incident Response Center at DHS and other emergency response centers.  CSRC now has over 20 million “hits” annually.  On CSRC, one of the most popular resources is the NIST-developed web-based tool known as ICAT, which allows users to identify (and then fix) known vulnerabilities for their specific software.  ICAT provides links to vendor sites at which users can obtain patches to fix these vulnerabilities.  This is important because many computer break-ins exploit well-known vulnerabilities.  Over 6600 vulnerabilities are now catalogued in this NIST on-line database, which receives over 200,000 hits per month.  See http://icat.nist.gov/icat.cfm.  While vulnerability patching is important, the sheer number of vulnerabilities and patches will become untenable in the long run.  Users, including small businesses, should not be hesitant about expressing their needs for more secure, reliable, and robust software to vendors.

 

Security Assessment Guideline and Automated Security Self-Evaluation Tool (ASSET)

 

The Chief Information Officers Council and NIST developed a security assessment Framework to assist agencies with a very high level review of their security status.  The Framework established the groundwork for standardizing on five levels of security and defined criteria agencies could use to determine if the levels were adequately implemented. By using the Framework levels, an organization can prioritize agency efforts as well as evaluate progress. 

 

NIST Security Practices Web Sites

 

NIST operates the Federal Agency Security Practices (FASP) website to identify, evaluate, and disseminate best practices for CIP and security.  The site contains many agency policies, procedures and practices; the CIO pilot best practices; and a Frequently Asked Questions section.  Agencies are encouraged to share their IT security information and IT security practices and submit them for posting on the FASP site.  Over 100 practices are now available via the site.

 

In accordance with tasking to NIST under FISMA, we are now expanding the service to share security practices from private-sector organizations. 

 

Both of these sites may be of particular interest to small businesses. 

 

IT Product Security Configuration Checklists

 

NIST is now in the process of developing IT product security checklists that provide settings and option selections that minimize the security risks associated with each computer hardware or software system that is, or is likely to become, widely used within the Federal Government.  Vendors, agencies, and other reputable sources can use the template to construct and submit checklists that will populate a NIST public web-based repository.  Within the next month we plan to publish a draft security guideline on checklist construction.

 

Closing

 

In summary, Mr. Chairman, the challenge facing home users and small businesses is greater than it has ever been.  If they are to maximize all of the capabilities and efficiencies offered by emerging technology while minimizing risk to their systems and information, more must be done.  Training efforts must be increased and more must be done in the areas of secure configuration settings, product benchmarks, outreach and research.  Today, systems in homes and small businesses are part of a larger infrastructure.  Those who have motivation to do harm normally will seek out the weakest link.  Certainly, there is a high potential for malicious activity against these non-secured or poorly secured systems.  As troubling as this is, of equal concern is the potential for accidental unauthorized disclosure of sensitive information or breach of privacy due to weak security controls on these systems.

 

We believe that some of the initiatives we’ve shared with you today demonstrate our commitment to better national cybersecurity, and we recognize that more must be done by home users and small businesses to protect their information security.

 

Thank you, Mr. Chairman, for the opportunity to present our views today regarding the security challenges facing home users and small businesses.  I will be pleased to answer any questions that you and the other members of the Committee may have.


Edward A. Roback

Chief, Computer Security Division

Information Technology Laboratory

National Institute of Standards and Technology

Mr. Roback serves as Chief of the Computer Security Division (CSD) at the National Institute of Standards and Technology (NIST), supporting the agency’s responsibilities to protect sensitive Federal information and promote security in commercial information technology products.  NIST-CSD also leads the implementation of NIST’s responsibilities under the Federal Information Security Management Act of 2002 and the Cyber Security Research and Development Act of 2002.  These efforts include work in the area of security standards, testing, e-authentication, studying security issues with emerging technologies, and developing security guidelines for Federal agencies.  Mr. Roback heads NIST’s participation on the NIST/NSA Technical Working Group and serves on the Committee on National Security Systems.  He chaired NIST’s algorithm selection committee for the Advanced Encryption Standard and served as Executive Secretary of the “Computer System Security and Privacy Advisory Board.”  He has also served on the U.S. Inter-agency Working Group on Cryptography and the U.S. delegation to the OECD Ad hoc Group of Experts on Cryptography Policy.  He has chaired the Federal Agency Computer Security Programs Managers’ Forum and co-authored An Introduction to Computer Security: The NIST Handbook.  He also recently authored NIST's Guidelines to Federal Organizations on Security Assurance and Acquisition/Use of Tested/Evaluated Products.


Prior to joining NIST in 1989, he worked at the U.S. Department of State’s Office of Information Systems Security.  As a Presidential Management Intern at the Department, he concentrated on the development of systems security policy for the Department’s classified and unclassified systems.  He also participated in the computer security evaluation program, leading teams to evaluate the computer security of classified and unclassified systems at U.S. Foreign Service missions worldwide.  Mr. Roback received his M.A. at the University of Illinois at Urbana-Champaign in Political Science and holds a B.S. in Mathematical Economics and Computer Science from Rose-Hulman Institute of Technology.