by P.J. Connolly

Tastes better than Tang

analysis
Oct 25, 2002

NASA's vulnerability reduction program turns up some encouraging numbers

THERE ARE TIMES when it’s possible to look at the sorry state of computer security and wonder if this really is as good as it gets. But this isn’t one of those weeks; instead, I’m pondering a piece that ran earlier this month in Federal Computer Week describing how NASA is seeing results from its system-hardening program.

In a nutshell, the story begins three years ago, when NASA identified the “50 Most Wanted” — wanted eradicated, that is — holes in its computer systems, began scanning for the holes, and set a goal of improving the computer-to-weak-spot ratio from 1:1 to 4:1. I know that doesn’t mean every computer was an accident waiting to happen, but it still took nerve to admit that was the starting point.

As time went on and the original goal was achieved, NASA’s cyberpatrol expanded the scope of the scans to include less-pressing vulnerabilities. According to the FCW article, the agency’s computer-to-hole ratio has risen to 10:1 — an excellent result, but obviously not good enough.

There are some things we can all learn from NASA’s experience, and these are the first five that come to mind.

The job is never done. Just because you’ve wiped out the top N holes in your systems doesn’t mean that it’s Miller time. Expand the scope of your sweeps to include more obscure vulnerabilities — after all, you never hear or see the one that gets you.

Don’t be surprised when your first scan turns up a myriad of problems — most shops barely have the resources to keep up with Microsoft’s patch-of-the-week. Save the results, even if they’re ugly, so that you can point to impressive results in three months.

Don’t be afraid to reduce the scope of your initial effort to correspond with the resources at hand. If your CxO insists on eliminating 50 vulnerabilities in 50 days but doesn’t want to authorize the extra manpower, you’re being set up for a fall. Knock your résumé into shape and get out before the script kiddies find your network.

Assume that you may have to come back and fix the same problems at a later date. Why? Simple enough: Sometimes patches don’t work or new software installations may reintroduce the hole. When you’re dealing with developers, it’s even tougher. They tend to wipe and reload computers with the closest software at hand, and unless they’re diligent, obsessed, or have been burned before, they might cut a corner by skipping a patch or three.
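As an added illustration, not code from the column or from NASA's program, here is a small Python script that keeps the scan snapshots the column says to save, computes the host-to-finding ratio NASA used as its yardstick, and flags holes that were closed and later reintroduced; the host names, dates and vulnerability IDs are constructed placeholders.

```python
# Added example (not from the column): retain vulnerability-scan snapshots,
# compute the host-to-finding ratio NASA used as its yardstick, and flag
# findings that disappeared in one scan and came back in a later one.

# Constructed sample data: each snapshot is (scan_date, host_count, findings),
# where a finding is (host, vulnerability_id). All values are placeholders.
SNAPSHOTS = [
    ("2002-01", 4, {("ws1", "MW-01"), ("ws1", "MW-02"), ("ws2", "MW-01"),
                    ("ws3", "MW-03"), ("srv1", "MW-01")}),  # 4 hosts, 5 holes
    ("2002-04", 4, {("ws3", "MW-03")}),                       # 4:1 reached
    ("2002-07", 5, {("ws1", "MW-01"), ("ws3", "MW-03")}),     # ws1 reloaded
]


def host_to_finding_ratio(host_count, findings):
    """Hosts per open finding (higher is better); inf when nothing is open."""
    return float("inf") if not findings else host_count / len(findings)


def trend(snapshots):
    """Return [(date, ratio)] so the ugly first scan stays on record."""
    return [(d, host_to_finding_ratio(h, f)) for d, h, f in snapshots]


def regressions(snapshots):
    """Return {(host, vuln): (closed_in, reopened_in)} for findings that went
    missing after an earlier sighting and then showed up again."""
    last_open = {}   # finding -> scan date it was last seen open
    closed_in = {}   # finding -> scan date in which it first went missing
    result = {}
    for date, _, findings in snapshots:
        # Anything previously open and now absent counts as closed in this scan.
        for f in last_open:
            if f not in findings and f not in closed_in:
                closed_in[f] = date
        # Anything present now that was marked closed earlier is a regression.
        for f in findings:
            if f in closed_in:
                result[f] = (closed_in.pop(f), date)
            last_open[f] = date
    return result


if __name__ == "__main__":
    for date, ratio in trend(SNAPSHOTS):
        print(f"{date}: {ratio:.2f} hosts per open finding")
    for (host, vuln), (gone, back) in regressions(SNAPSHOTS).items():
        print(f"{host} {vuln}: closed in {gone}, reintroduced in {back}")
```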

Celebrate your triumphs, but don’t get overconfident. You don’t want to be had by some pimply teenager from Taiwan the week after you’ve proclaimed a stunning victory over the forces of evil — because those forces may be reading your mail.

I hope that most of you won’t achieve the dramatic results that NASA did, but that’s only because I pray that you aren’t starting from a 1:1 position. If you are … well, then, good luck, amigo. You’re going to need it.