USAID gets quick fix for vulnerabilities

Before February, the U.S. Agency for International Development's network was scanned for vulnerabilities monthly, after which its systems administrators in 80 nations were sent reports about the vulnerabilities that were found. But because the vulnerabilities were old news by the time they were detected, the reports often were of little help, said Phil Heneghan, USAID's information systems security officer. Moreover, staff members didn't know which vulnerabilities to fix first, and they still had to research fixes. Since February, when systems integrator Open System Sciences installed nCircle's vulnerability management system, USAID has been getting near-real-time vulnerability identification and prioritization that tells systems administrators what to fix first. The agency also got more specific reports and quick access to fixes, Heneghan said. "We were not very effective at remediating, because the data wasn't timely enough," Heneghan said. "Now we are basically reporting in real time to all of the people who need to know." Also since February, the agency's network vulnerabilities have decreased dramatically."Since we implemented the tool, we have gone from a 'C' to a low 'A' as an enterprise," Heneghan said, referring to the monthly grades given to 85 USAID units. The system is made up of secure appliances that continuously scan every one of the 15,000 nodes on USAID's network, and then report into a central console that has a secure database. The numerical scores it generates are based on the number of similar vulnerabilities, their severity and the length of time the vulnerabilities have been on the network, said Abe Kleinfeld, president and chief executive officer of San Francisco-based nCircle Network Security Inc."Unless you have technology that scans all the time, you don't know when new vulnerabilities are being introduced, even though you may be running the latest version of anti-virus software," Kleinfeld said. The system also assigns trouble tickets to individuals responsible for fixing vulnerabilities. When the ticket is closed, the system scans the device again to ensure the problem has been corrected, he said.What distinguishes nCircle from competitors, such as Foundstone Inc. and Qualys Inc., is its emphasis on passive scanning to gain as much information as possible about the nodes that are connected to the network and what is running on them, said Mark Nicolett, an analyst at Stamford, Conn., IT research firm Gartner Inc."Other vendors tend to rely more on active scanning," Nicolett said. The customer schedules active scans. The system costs $14 and up per node, plus $4,500 per appliance and a 25 percent maintenance fee, which includes vulnerability updates within 24 hours of their identification, Kleinfeld said. Newington, Va.-based Open System Sciences and USAID considered five other technologies before deciding on nCircle, said Bill Geimer, director of information assurance for Open System Sciences and program manager of the USAID project."At the time, nCircle was the only one that had an enterprise focus and continuous scanning. It's the only one that scales and prioritizes numerically," he said. Heneghan and Geimer also said they chose nCircle's system because it could be managed centrally. USAID's routers, firewalls and domain servers around the world are controlled from sites in Maryland, Virginia and Washington. In-country staff control desktop computers and printers. Implementation did have a few difficulties, Kleinfeld and Geimer said. USAID's network operates in some countries that don't have sophisticated IT infrastructure; therefore, the system had to be tweaked to run on low bandwidth, Kleinfeld said. "Sometimes you want to schedule scans for times when there is lighter traffic on the network. You want to be a background capability, not something that takes up all the bandwidth," Kleinfeld said. Some operations staff members questioned whether the scans disrupt network operations. So far, the system has disrupted only one operation, a voice-over-IP phone system, Geimer said."We are working with the vendor of the voice-over-IP system and nCircle to figure out what the problem is," he said.The system produces reports that are sent to systems administrators and security managers immediately after scans are run. Many staff members have begun logging into the system server every day to see if a new scan was run, and find out how to fix new vulnerabilities, Heneghan said. "Before, they had to go searching for the fix. That was a major problem, because a lot of these vulnerabilities are kind of esoteric. Now the tool just gives it to you," he said.In addition, about 90 top agency executives get monthly, one-paragraph reports that outline the risk associated with the equipment and applications they are responsible for. Those reports grade the risk on the "A" to "F" scale."We are talking to the executives in a language they understand," Heneghan said. "We are not geeking them to death, saying you have a Sasser buffer overflow. In a short period of time, it's gotten popular enough that our bureaus now ask for the report." nStaff Writer Gail Repsher Emery can be reached at gemery@postnewsweektech.com.