NSA official stumps for information sharing

Sager, the chief of the vulnerability analysis and operations group in the NSA's Information Assurance Directorate, has been in the business of finding and fixing vulnerabilities for 30 years. He said that the major difference between today's security landscape and that of the 1970s is the ability to share data and ideas with a large community of practitioners.

"When I started in 1977, it was a government monopoly business. The government cared about security, the government controlled the technology, knew what the bad guys looked like and could pay for the technology," Sager said. "We could overwhelm the problem with technology.

Special Black Hat coverage Check out more of SearchSecurity.com's special news coverage of Black Hat USA 2007.

Like many security professionals, Sager said he and his team have faced the challenge in recent years of trying to translate important security and vulnerability concepts into plain English for business leaders, technology buyers and end-users. Sager's group spends its time identifying and trying to fix software and network vulnerabilities, but making those efforts understandable to the rest of the organisation can be difficult. However, doing so is vital to the success of any security's professional's efforts, Sager said.

For more information Private sector should learn from government insecurity Group gives government low marks on data protection Federal government pushes full-disk encryption HSPD-12 proving to be a struggle for government agencies

To that end, the NSA began working with other information security groups in the Department of Defense -- as well as in the government at large -- to develop methods for sharing vulnerability information, reporting and remediation. His group, along with teams from the Department of Homeland Security, the National Institute of Standards and Technology (NIST) and other agencies, developed a model called the Information Security Content Automation Program , which is a method for using open standards and tools to automate vulnerability management and assessment. It includes a number of checklists and a specific protocol for information sharing.

The group also puts on a number of events throughout the year to train security professionals in the use of the program.

Sager urged security practitioners to make the effort to share information with their peers and with their executive teams.

"This is a business that's been about folklore and reading Bugtraq," he said. "We're too big for that now. We can't do that anymore. The key for me has been linking geeky security stuff to other business areas."