Security of State

Oct 1, 2006 12:00 PM, By SANDRA KAY MILLER



Next to the remnants of a 19th century crumbling stone barn foundation is a nondescript brick building on a hillside overlooking the Pennsylvania state capital of Harrisburg and the Susquehanna River.

In November 2005, Bob Maley stepped into the building in the new position of CISO (chief information security officer) for the Commonwealth of Pennsylvania. “In a nutshell, my position covers anything that has to do with cyber security, state government and the executive branch,” he explains.

Pennsylvania has long been a leader in e-government, offering a vast assortment of online services through the state's portal (www.state.pa.us). Residents have access to business, citizen, community, education and driver/vehicle services online. Maley is quick to point out that for e-government to be efficient, it has to be safe and secure.

Since taking the helm of the Commonwealth's cyber security, Maley and his team have put plenty of new state-of-the-art technical controls into place. “One of the things that is important to me as a CISO is understanding the risk that the Commonwealth is facing at any given time,” Maley says. Given the physical size of Pennsylvania — nearly 45,000 square miles — and the widespread nature of the network with approximately 80,000 users and several data centers, Maley has his work cut out for him. “It's a very difficult thing to do,” he says.

From his headquarters in Harrisburg, Maley and his team have put technologies in place to gather and correlate data and to create network baselines so that, at any given time, they have a high-level overview of the state's cyber security posture.

“On an hourly basis, there's probably a thousand pre-attack scans against our network that we see. That's a background that goes on every day that we're aware of but if something occurs outside of our baseline, it's brought to my attention,” Maley says.

When asked about events that make it to his radar, Maley replies, “For instance, if there's a spike in pre-attack scans, we respond by taking a closer look at the details — are the attacks coming from a single location, where does it trace back to, what type of scan is it, are they looking for IP addresses, open ports, vulnerabilities, etc.?” Depending on the severity of the attack and the level of risk, Maley and his team decide if there is a need to step up security or to watch and see what happens.

Maley has developed a baseline for the Commonwealth's network so he knows when attacks and scans reach abnormal levels. This lets him and his team respond quickly before significant damage can occur.
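The baseline-and-triage approach described above can be sketched in a few lines. This is an added example, not code from the article or from the Commonwealth's tooling; the hourly counts, the documentation-range addresses, the scan-type labels and the thresholds are all constructed assumptions.

```python
from collections import Counter
from statistics import mean, stdev

# Constructed history: pre-attack scans seen per hour (about a thousand an hour).
BASELINE_HOURS = [980, 1010, 1005, 995, 1020, 990, 1000, 1015, 985, 1000]
SCAN_TYPES = ("ip_sweep", "port_scan", "vuln_probe")  # hypothetical labels


def sample_hour():
    """Constructed hour: normal background plus a burst from one address."""
    background = [(f"198.51.100.{i % 200 + 1}", SCAN_TYPES[i % 3])
                  for i in range(1000)]
    burst = [("192.0.2.77", "port_scan")] * 1500
    return background + burst


def is_spike(count, history, k=3.0):
    """True when count is more than k standard deviations above the baseline mean."""
    return count > mean(history) + k * stdev(history)


def triage(events, history, k=3.0, single_source_share=0.5):
    """Answer the analyst's first questions about an hour of (source, scan_type) events."""
    count = len(events)
    if not is_spike(count, history, k):
        return {"spike": False, "count": count}
    sources = Counter(src for src, _ in events)
    types = Counter(kind for _, kind in events)
    top_source, top_count = sources.most_common(1)[0]
    return {
        "spike": True,
        "count": count,
        # Is the activity coming from a single location?
        "top_source": top_source,
        "single_source": top_count / count >= single_source_share,
        # What type of scan is it: addresses, open ports, vulnerabilities?
        "dominant_type": types.most_common(1)[0][0],
        "scan_types": dict(types),
    }


if __name__ == "__main__":
    print(triage(sample_hour(), BASELINE_HOURS))
```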

Being proactive is a big part of his department's security plan. Maley contends that, in order to prevent security breaches, you have to find out where the vulnerabilities are and remove them. Many of these vulnerabilities lie at the lowest level — the users.

“I'm used to seeing people do stupid things. It's human nature,” he says. In an effort to pre-empt common security issues such as malware, Maley's security controls include Internet content filtering technologies. “We put controls in place that prevent users from visiting certain Web sites. It's an industry fact that certain sites have tons of spyware so we don't allow that type of material in. This helps to protect citizen data,” Maley says.

While the physical and logical security for the Commonwealth are separate entities, Maley has put forth a major effort over the last nine months to bring about an atmosphere of information-sharing throughout all agencies responsible for security throughout the state. “Given the size of the state's government, we have really stepped up communications with all the agencies responsible for security — Department of Homeland Security, Pennsylvania Emergency Management Agency (PEMA), as well as the Capitol and State Police.” The Commonwealth's network also interfaces with other agency networks such as JNET (the state's Department of Justice), county and township governments and local law enforcement agencies.

As a former law enforcement officer, Maley stresses the importance of being able to correlate information for security reasons. “Being able to share information within disparate grids within the Commonwealth is extremely important. For example, an event that is happening at one agency may not mean anything to them, but if you correlate it to an event that is happening on the network at the enterprise level, that may indicate an attack of a more widespread nature in its early stages,” he explains. By having a bird's-eye view of the state's network, extensive information sharing with other agencies and the ability to correlate information, Maley says that he and his team can react faster to cyber threats.

© 2008 Penton Media Inc.
