Few government organisations have the aura and mystique of
the National Security Agency, and it's well-earned. The NSA is the
most secretive of the US's intelligence agencies, and it's rare that
any of its officials speak publicly. So the speech by Tony Sager
that kicked off the Black Hat USA Briefings offered a rare peek
behind the curtain at Fort Meade's vulnerability
information-sharing programme.

Sager, the chief of the vulnerability analysis and operations
group in the NSA's Information Assurance Directorate, has been in
the business of finding and fixing vulnerabilities for 30 years. He
said that the major difference between today's security landscape
and that of the 1970s is the ability to share data and ideas with a
large community of practitioners.
"When I started in 1977, it was a government monopoly business.
The government cared about security, the government controlled the
technology, knew what the bad guys looked like and could pay for
the technology," Sager said. "We could overwhelm the problem with
technology.
"Those days are gone. Now, we're in the game, we're in the fight.
The way we think about the vulnerability problem is as a
full-spectrum problem."
Like many security professionals, Sager said he and his team
have faced the challenge in recent years of trying to translate
important security and vulnerability concepts into plain English
for business leaders, technology buyers and end-users. Sager's
group spends its time identifying and trying to fix software and
network vulnerabilities, but making those efforts understandable to
the rest of the organisation can be difficult. However, doing so is
vital to the success of any security professional's efforts,
Sager said.
"When I started in this business, you could make a good living
poking holes in people's products," he said. "The time has come for
us to translate that into actionable intelligence. It changed
because we started talking about things like registry settings that
operational people care about, and business problems that the
leaders cared about."
To that end, the NSA began working with other information
security groups in the Department of Defense, and in the US
government at large, to develop common methods for sharing
vulnerability information, reporting and remediation. His group,
along with teams from the Department of Homeland Security, the
National Institute of Standards and Technology (NIST) and other
agencies, developed the Information Security Automation Program
(ISAP), a model for using open standards and tools to automate
vulnerability management and assessment. It includes a number of
security configuration checklists and a specific protocol for
exchanging that content, the Security Content Automation Protocol
(SCAP).
The group also puts on a number of events throughout the year to
train security professionals in the use of the programme.
Sager urged security practitioners to make the effort to share
information with their peers and with their executive teams.
"This is a business that's been about folklore and reading
Bugtraq," he said. "We're too big for that now. We can't do that
anymore. The key for me has been linking geeky security stuff to
other business areas."