US Army to centralise network security scanning

The US Army has announced a major new initiative designed to help the service get its arms around vulnerability analysis and automated patch management for more than 1.5 million workstations around the world.

Through a multimillion-dollar contract with Harris, the Army will deploy the company's Security Threat Avoidance Technology (STAT) Scanner vulnerability assessment tool worldwide, including in all post, camp and station networks, tactical networks, mobile subscriber networks and the Army Tactical Internet.

The Harris tool is the latest addition to a group of scanning tools that the Army uses, said Patrick Swan, a spokesman for the Army's chief information officer.

"Our goal is to automate as much as we can to allow systems administrators to concentrate on the many other things that they are required to do," said Swan. He added that part of the goal of the Harris deployment is to centralise global monitoring at the Pentagon to provide an overall view of the Army's global network risk posture. "Our approach is a defense in depth using many different tools," he said.

Word of the Army programme comes as the SANS Institute, a research organisation for systems administrators and security managers, is close to completing a "consensus list" of the highest-priority vulnerabilities detected by the most popular automated scanning systems.

The tools include those offered by Internet Security Systems (ISS), Symantec and the National Institute of Standards and Technology, as well as Nessus shareware. Harris' STAT Scanner has not been added yet but likely will be in the near future, said Alan Paller, director of SANS.

"The shortcut to improved security [is] universal, repeatable monitoring," said Paller, adding that NASA uses ISS Scanner to keep tabs on vulnerabilities. "The Army is now trying Harris STAT. The big difference is that NASA picked the most critical vulnerabilities rather than looking at all 2,000. The latter always leads to overload and lack of action. NASA's approach works."

SANS is also working on a site certification programme based on the consensus vulnerability list, Paller said. Weekly updates will make the service "enormously useful" to administrators who are increasingly becoming buried under the large volume of scan reports, not knowing which of the problems... are actually important, he said.

A potential difference between the Army's programme and one appropriate for a business lies in the level of risk that individual systems face, said Richard Hunter, an analyst at Gartner.

"It's unclear what level of analysis is being done beforehand to determine appropriate levels of security for particular systems," said Hunter, referring to the Army's rollout of STAT Scanner. "In most businesses, it's a waste of resources to protect every system to the maximum extent possible. Some systems just aren't that mission-critical."