Securing enterprise-wide computer networks is one of the most important and daunting challenges faced by modern-day security managers. The task can be even more difficult in the public sector, which in many cases has limited resources and has to secure a treasure trove of data and systems from hackers.
The threats from cyberspace are numerous. Last month, a hacker who said he just wanted to prove a point about how vulnerable the country’s critical infrastructure facilities were to cyber-attack posted diagrams of the sewer system in Houston, Texas, online. In retaliation for what it felt were unjustified arrests of Occupy Boston demonstrators, the hacktivist group known as "Anonymous" in October obtained and released the email passwords and user names of 1,000 Boston police officers.
In this "At the Frontline" interview, Michael Dent, chief information security officer for Fairfax County, Va., discusses the challenges involved with securing computer networks in the public sector and shares his thoughts on the cyber security landscape.
With the regularity that city and county governments are experiencing data breaches these days, what are some of the biggest challenges you face in securing Fairfax County’s computer networks?
The biggest challenge that we have right now is probably managing our mobile devices. There are so many different kinds that are out there. The technology is so much easier now for users to be able to bring in their own personal devices and hook them to our network or try to gain access to things like our Exchange systems using ActiveSync. That’s probably the biggest risk that we have now.
Given the budget constraints that local governments are under across the country, how have you been able to provide the security measures that are required to keep sensitive information in Fairfax County safe?
I find the best way to start that, for people in our position like CISOs, is you’ve got to understand the business that you are protecting and the malicious activity that goes on out there. We build security around the different businesses that we have such as HIPAA and PCI. We’ve done a pretty good job, I think, of getting to know the businesses out there and bringing them in and finding out what their requirements are for both day-to-day operations, all the way to the law that governs over their business.
How big of a threat have these so-called "hacktivist" groups like Anonymous become to local CISOs like yourself and how do you prevent them from breaking into your network?
I am a firm believer of defense in depth. We have built a very robust architecture and we utilize the safe blueprint… in that we’ve segmented out our network, according to the business and according to the needs. We’ve got multi-faceted DMZs (demilitarized zones) that are out on our perimeter… and we’ve segmented off. Being a local government, we have to provide for our public libraries, our parks and recreation facilities, the teen centers and things like that, so we’ve been able to segment that Internet traffic away from our business traffic. For instance, most of our HIPAA data is all protected via an internal DMZ that we’ve built special security around. Anything that deals from a PCI standpoint, we’ve built a specific DMZ that protects it. There are multiple layers that any of these groups that are out there, if they want to get to it, they would have to get through multiple layers. There are millions of attacks against our website daily. We see them, we know what they are and if anyone is successful past the first layer, by the time they are at the second layer we’ve got alarms and mitigation points in place that will let us know and then we can defend even more.
How much of a challenge is it to get government officials to realize the cyber security dangers that they face and how do you get them to "buy-in" to investing in network security technology?