USAID gets quick fix for vulnerabilities

Project: Network Vulnerability Management System

Agency: U.S. Agency for International Development


- Open System Sciences, Newington, Va.

- nCircle Network Security Inc., San Francisco


USAID wanted to better understand the security vulnerabilities on its network, which spans 80 nations and is managed in the United States and abroad. The agency wanted faster reporting and remediation of those vulnerabilities and a solution that met federal information security reporting guidelines.


USAID's network operates in some countries that don't have a sophisticated IT infrastructure, so the system had to be tweaked to run on low bandwidth in some areas. Staff also spent significant time determining who gets reports generated by the system and how the vulnerability information should be presented to encourage quick fixes.


Systems integrator Open System Sciences implemented nCircle's vulnerability management system, which provides near real-time vulnerability identification and prioritization on a numerical scale that tells system administrators what to fix first and how.


Since February, when nCircle's vulnerability management system was implemented, USAID's network security has improved from a "C" grade to a low "A" grade. Security and systems managers are proactively seeking fixes to security problems, and executives are more engaged in security improvement efforts.

Bill Geimer of Open System Sciences is the USAID project's program manager.

Rachael Golden

Open System Sciences, nCircle offer agency continuous scanning

Before February, the U.S. Agency for International Development's network was scanned for vulnerabilities monthly, after which its systems administrators in 80 nations were sent reports about the vulnerabilities that were found.

But because the vulnerabilities were old news by the time they were detected, the reports often were of little help, said Phil Heneghan, USAID's information systems security officer. Moreover, staff members didn't know which vulnerabilities to fix first, and they still had to research fixes.

Since February, when systems integrator Open System Sciences installed nCircle's vulnerability management system, USAID has been getting near-real-time vulnerability identification and prioritization that tells systems administrators what to fix first. The agency also got more specific reports and quick access to fixes, Heneghan said.

"We were not very effective at remediating, because the data wasn't timely enough," Heneghan said. "Now we are basically reporting in real time to all of the people who need to know."

Also since February, the agency's network vulnerabilities have decreased dramatically.

"Since we implemented the tool, we have gone from a 'C' to a low 'A' as an enterprise," Heneghan said, referring to the monthly grades given to 85 USAID units.

The system is made up of secure appliances that continuously scan every one of the 15,000 nodes on USAID's network, and then report into a central console that has a secure database. The numerical scores it generates are based on the number of similar vulnerabilities, their severity and the length of time the vulnerabilities have been on the network, said Abe Kleinfeld, president and chief executive officer of San Francisco-based nCircle Network Security Inc.

"Unless you have technology that scans all the time, you don't know when new vulnerabilities are being introduced, even though you may be running the latest version of anti-virus software," Kleinfeld said.

The system also assigns trouble tickets to individuals responsible for fixing vulnerabilities. When the ticket is closed, the system scans the device again to ensure the problem has been corrected, he said.

What distinguishes nCircle from competitors, such as Foundstone Inc. and Qualys Inc., is its emphasis on passive scanning to gain as much information as possible about the nodes that are connected to the network and what is running on them, said Mark Nicolett, an analyst at Stamford, Conn., IT research firm Gartner Inc.

"Other vendors tend to rely more on active scanning," Nicolett said. The customer schedules active scans.

The system costs $14 and up per node, plus $4,500 per appliance and a 25 percent maintenance fee, which includes vulnerability updates within 24 hours of their identification, Kleinfeld said.

Newington, Va.-based Open System Sciences and USAID considered five other technologies before deciding on nCircle, said Bill Geimer, director of information assurance for Open System Sciences and program manager of the USAID project.

"At the time, nCircle was the only one that had an enterprise focus and continuous scanning. It's the only one that scales and prioritizes numerically," he said.

Heneghan and Geimer also said they chose nCircle's system because it could be managed centrally. USAID's routers, firewalls and domain servers around the world are controlled from sites in Maryland, Virginia and Washington. In-country staff control desktop computers and printers.

Implementation did have a few difficulties, Kleinfeld and Geimer said. USAID's network operates in some countries that don't have sophisticated IT infrastructure; therefore, the system had to be tweaked to run on low bandwidth, Kleinfeld said.

"Sometimes you want to schedule scans for times when there is lighter traffic on the network. You want to be a background capability, not something that takes up all the bandwidth," Kleinfeld said.

Some operations staff members questioned whether the scans disrupt network operations. So far, the system has disrupted only one operation, a voice-over-IP phone system, Geimer said.

"We are working with the vendor of the voice-over-IP system and nCircle to figure out what the problem is," he said.

The system produces reports that are sent to systems administrators and security managers immediately after scans are run. Many staff members have begun logging into the system server every day to see if a new scan was run, and find out how to fix new vulnerabilities, Heneghan said.

"Before, they had to go searching for the fix. That was a major problem, because a lot of these vulnerabilities are kind of esoteric. Now the tool just gives it to you," he said.

In addition, about 90 top agency executives get monthly, one-paragraph reports that outline the risk associated with the equipment and applications they are responsible for. Those reports grade the risk on the "A" to "F" scale.

"We are talking to the executives in a language they understand," Heneghan said. "We are not geeking them to death, saying you have a Sasser buffer overflow. In a short period of time, it's gotten popular enough that our bureaus now ask for the report."

Staff Writer Gail Repsher Emery can be reached at
