After site shutdown, EPA seeps back onto the Net

[William Knowles <wk () C4I ORG>]

http://www.gcn.com/vol19_no22/news/2572-1.html

August 7, 2000

With a new firewall, stronger management and restoration criteria,
80 percent of site is back online

By Christopher J. Dorobek
GCN Staff

Nearly five months after the Environmental Protection Agency had to
sever its connection with the Internet due to security concerns, the
agency is taking information assurance more seriously, the EPAs
information technology security chief says.

But EPA must institutionalize security practices to avoid a serious
breach, said George A. Bonina, director of EPAs Information Security
Staff, who joined the agency in January.

EPA shut down its Internet connection in February after an audit by
the General Accounting Office found serious security problems [GCN,
March 6, Page 1].

Only 80 percent of EPAs systems are again providing Internet links,
Bonina said. Systems that are still offline are more complex to
effectively secure. They include those that support dial-up
connections and passive outbound File Transfer Protocol services, he
said.

Since the shutdown, EPA has worked to change its attitude toward
security, he said. The agency used to consider all information
available unless there was a specific reason it should not be public,
he said. Now, information must be considered secure unless officials
determine it should be made public, he said recently during a
presentation to the Federal Webmasters Forum in Washington.

We were not asleep at the switch, Bonina said. The agency had
conducted risk assessments and implemented advisories from the CERT
Coordination Center at Carnegie Mellon University, he said. EPA had
also installed strong security for its mainframe environment and had
created private networks for confidential business information. The
agency had a firewall between its public access servers and the rest
of the EPA network, and it had planned to install a more robust
firewall and an intrusion detection system, he said.

In fact, after GAO conducted the in-depth audit of the agencys
security practices, it told the EPA that the agency had an effective
security plan on paper, Bonina said. It wasnt until GAO conducted
penetration tests that the holes became apparent.

The EPAs problems developed because technological changes surpassed
the agencys ability to secure its data, he said.

The agencys business has changed since the 1970s and 1980s, when EPA
focused on implementing and enforcing environmental laws. In the late
1980s and early 1990s, the agency began giving the public access to
environmental information.

The Emergency Planning and Community Right-To-Know Act required EPA to
publish information about toxic releases. The theory was that if the
data were available publicly, companies would be more likely to cut
toxic releases. The result has been a dramatic reduction in the amount
of toxic material being released into the environment, Bonina said.

Changes in EPAs business practices mirrored the evolution of its IT
shop. From the 1970s until 1990, the agency used comparatively secure
mainframes, essentially forming a virtual private network, he said.

In the early 1990s, EPA started the transition to a client-server
architecture. The agency has nearly 2,000 servers around the country,
many of them at EPAs National Computing Center in Research Triangle
Park, N.C.

EPA joined the Internet arena in the mid-1990s, making its information
accessible to anyone in the world.

EPA officials expected the results of the GAO audit to be bleak, but
the findings were severe, Bonina said. GAO auditors easily gained root
access to EPAs network.

GAO said EPA had ineffective perimeter defenses, inadequate system
access controls, weak network and operating system controls, poor
password protections, and weak security planning and risk assessment.

Down she goes

EPA decided to disconnect the agency from the Internet, Bonina said.

EPA quickly set out to put its new firewall in place. At the same
time, the agency established clear criteria for restoring service:
protect its confidential business information, meet financial and
legal obligations, restore employee productivity, and re-establish
public access.

EPAs senior management identified the highest priority systems and
services, and the IT staff focused on that list.

The agency also implemented more stringent management practices for
passwords and server administration, and established a formal risk
assessment process, he said.


*==============================================================*
"Communications without intelligence is noise;  Intelligence
without communications is irrelevant." Gen Alfred. M. Gray, USMC
================================================================
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of
"SIGNOFF ISN".