Baking Security into the Configurations of Department of Defense Systems: Radical security improvements while lowering costs
WASHINGTON, Oct. 31, 2011 /PRNewswire-USNewswire/ -- The SANS Institute announced today that the U.S. Central Command, the CIOs of DoD, U.S. Air Force, U.S. Army; and the Department of Defense Joint Consensus Working Group have jointly won the 2011 U.S. National Cybersecurity Innovation Award for baking security into the configurations of computers deployed to the war zones and ultimately to all DoD computers.
Between 2003 and 2005, the U.S. Air Force Chief Information Officer (CIO) pioneered the concept "baking security in" to the hardware, software and services the government procures. Trying to add it after systems are developed and deployed is a failed strategy, according to the commission. The Air Force has demonstrated why and how such an approach works - and more important, how it has resulted in tighter security for its networks.
The CIO transformed the procurement process for personal computers and personal computer software to ensure the safe configurations was installed as the standard for more than 500,000 Air Force desktops. Resulting in centralizing the management of security and standardizing security settings, shorten the time to deploy critical patches from 57 days to just 72 hours, reduce the costs of patch testing and help-desk support, reduce system administrators' workloads, respond faster to new threats, and save hundreds of millions of dollars.
To extend the success of the Air Force's initiative, the Department of Defense CIO established a Joint Consensus Working Group, which includes the Air Force, Army, NSA, Defense Intelligence Agency (DIA), and DISA. The resulting Universal Gold Master Disk (UGM) was first adopted by U.S. Central Command J-6 under Brigadier General Brian J. Donahue, and has yielded many benefits such as:
1. Systems get into the fight faster because the soldiers don't have to reconfigure the systems after the software is installed.
2. Systems are significantly safer because they are configured — out of the box — to withstand most common attacks.
3. Systems require significantly less system administrator time reducing the load on (and chances of errors by) recruits without a lot of experience.
4. Systems can be patched much more quickly without concern for incompatibilities, so they can respond fast to new threats.
5. Systems with the UGM enable easier interoperability because they share common operating characteristics.
By baking security into its systems and its buying power, the Air Force generated huge security improvements, more operational flexibility and savings. Using standard configurations allows commercial and government software developers to reduce the time and cost devoted to testing upgrades, maintaining a complex system and certifying products are secure.
Centcom J-6, along with the DoD, Army, and Air Force CIO's and their teams and the DoD Joint Consensus Working Group win the 2011 National Cybersecurity Innovation Award in Eliminating Security Weaknesses that Allow Targeted Cyber-Attacks To Succeed and their solution results in a consistent infrastructure across the enterprise that can be changed dynamically in response to actual or potential threats.
About the National Cybersecurity Innovation Awards
The National Cybersecurity Innovation Awards recognize developments undertaken by companies and government agencies who have developed and deployed innovative processes or technologies which are innovative in that it has not been deployed effectively before, can show a significant impact on reducing cyber risk, can be scaled quickly to serve large numbers of people, and should be adopted quickly by many other organizations. Nominations included most senior government officials involved with Cybersecurity as well as those from major Cybersecurity Information Sharing and Analysis Centers (ISACs). Corporations and individuals, including SANS instructors also nominated innovations and each nomination was tested by the SANS Institute research department. More than 50 nominations were received and 14 were selected.
About SANS Institute
The SANS (SysAdmin, Audit, Network, Security) Institute was established in 1989 as a cooperative research and education organization. Its programs now reach more than 175,000 security professionals around the world. A range of individuals from auditors, network administrators, to chief information security officers are sharing lessons they learn and are jointly finding solutions to the challenges they face. At the heart of SANS are the many security practitioners in varied global organizations from corporations to universities working together to help the entire information security community.
The SANS Institute is the most trusted and by far the largest source for information security training and security certification in the world. It also develops, maintains, and makes available at no cost, the largest collection of research documents about various aspects of information security, and it operates the Internet's early warning system - the Internet Storm Center. More information can be found at www.sans.org.
SOURCE SANS Institute