Federal cybersecurity efforts outpace private sector

jdean@govexec.com

The federal government is one step ahead of private sector companies when it comes to computer security, an industry expert said Tuesday.

Federal agencies typically know where their technology security problems lie, while private companies are unaware of their vulnerabilities, said Jim Gerretson, director of operations for information assurance at ACS Defense Inc. ACS is one of 27 prime contractors on a series of information security contracts administered by the General Services Administration.

But the government shouldn't rest easy, said Gerretson in a presentation before industry and government information security personnel. "The federal government's biggest problem is resources. There is not enough investment in security," he said. "The government is in bad shape when it comes to information security, but then it knows it is."

The federal government is also particularly vulnerable to hackers because of its vast number of legacy systems. "This makes agencies more vulnerable because they don't keep these systems patched [with security software] as well," Gerretson said.

In his presentation, Gerretson outlined the different types of hackers that agencies currently face.

Amateurs, with little experience and technical know-how, are at the bottom of the hacker food chain, he said. Casual hackers who have no particular political agenda are next. These hackers "are very good and just feel like [hacking] for fun and not profit," said Gerretson.

Hackers who engage in corporate espionage are at another level, and could include disgruntled employees. "Some employees will take steps to damage systems or steal information," Gerretson said. A newer type of hacking that is on the rise is "hacktivism." These hackers engage in cyberterrorism to bring down organizations with which they don't agree.

Gerretson outlined the basic method hackers use to gain illegal access to computer networks. First, they engage in intelligence gathering to find basic information about a computer network. Then they study the network to identify individual systems and probe those systems for weak spots.

The next step is the attack. "All they try to do is get a toehold," Gerretson said. If an attack is successful, hackers proceed to advance through the layers of a network, moving to systems that give them more access to information. Once they get what they want, they cover up the system path they took during the hack. This means altering basic activity logs in each system.

Gerretson cautioned federal agencies, saying many hackers use what is known as "social engineering" to get what they want. Hackers take advantage of help desk and technical support staffs by posing as new employees and requesting passwords and user names over the phone. "We've found over the years that almost 80 percent of the time you can get a password [by calling the help desk]," he said.

To fight hackers, agencies must first understand the threats that come with using the Internet and operating a network, said Gerretson. Agencies should conduct threat assessments, tests designed to find security holes and deficiencies. Once holes are found, sufficient resources must be earmarked to take care of the problems. This assessment and earmarking of resources is an ongoing task, he said.