7/25/2014
08:30 AM
Rutrell Yasin

Cyber Attacks Happen: Build Resilient Systems

You can't stop all attacks or build the perfect defense system. The higher-level objective is resilience.

Read the rest of the story in the new issue of InformationWeek Government Tech Digest (free registration required).

Every week, billions of cyber-events batter government networks. Millions of these attacks hit at network speed, and thousands succeed, as reported by the Homeland Security Department's US Computer Emergency Readiness Team. The US Navy alone was attacked almost 1 billion times in 2012. Although security analysts strain to counter these breaches, mostly with manual processes, it's likely terabytes of data are stolen.

Given this dynamic landscape, you might think federal CIOs are getting more resources to defend against mounting cyberthreats. They're not. Money and security expertise are in short supply, meaning agencies need to innovate. First and foremost, they can no longer take a piecemeal approach to information security. A holistic strategy that incorporates real-time risk management and continuous monitoring is the only way to go.

To help agencies build these more-resilient systems, the National Institute of Standards and Technology, in collaboration with the Defense and Homeland Security departments and private sector intelligence communities, has come up with security controls that focus on mobile and cloud computing, application security, the insider threat, supply chain security, and advanced persistent threats. NIST lays out these controls in its Special Publication 800-53 Revision 4. Released earlier this year, Rev 4 represents the most comprehensive update to this publication since the document's inception in 2005.

Most federal employees understand the urgency. They see the fallout from attacks, such as the recent Department of Veterans Affairs breach that exposed thousands of veterans' personally identifiable information via a software glitch. They hear that Chinese hackers penetrated the databases of the federal government's Office of Personnel Management, which contains files on all federal employees, including those who have applied for top-secret clearances.

So it comes as no surprise that more than half of the respondents to InformationWeek's 2014 Federal Government IT Priorities Survey say cybersecurity/security is the top priority in their agencies. Seventy percent rate security as "extremely important," with another 16% viewing cyber-security/security as "very important."

Federal managers want to know "how to stop the bleeding," says Ronald Ross, project leader of NIST's FISMA Implementation Project and Joint Task Force Transformation Initiative. You can't stop all attacks or build the perfect defense system. The higher-level objective is resilience. "What does it mean to have an adequate degree of resilience in a modern information system that supports critical missions?" Ross asks, in a question that's neither rhetorical nor unique to federal agencies. State and local governments as well as private sector companies are struggling, too -- anyone with valuable information and using very complex high-end technology is subject to the same types of threats.

Resiliency means "becoming healthy after something bad happens," says Bret Hartman, VP and CTO of Cisco's security business group. "That is a good way to think of security because it's impossible to stay healthy all the time." Agencies should consider the attack continuum and which technologies they need in place before an attack occurs, during an attack, and after the attack to do systems remediation. This last area is still maturing and is where the biggest challenge lies today, Hartman says.

Time for better cyber "hygiene"
To address resiliency in federal government, NIST and its partner agencies are focusing on two tracks: improving "cyber hygiene," and designing IT system architectures that can bounce back from damage and contain attacks. A good way to view cyber-security, says Ross, is to have a way to address areas "above the water line," such as known patching and maintenance, and those below the water line -- problems you can't see that could cause trouble and inflict serious damage without warning.

Cyber hygiene focuses on tasks that security administrators deal with daily, such as promptly updating operating systems and applications with the latest security patches or making sure all operating systems and network devices are configured properly to close down attack vectors that could be exploited. IT must also assemble and maintain a complete inventory of everything on the agency's network and the information it has to protect.

With NIST 800-53 R4, the government is starting to address security below the water level, too. Specifically, we're talking about contingency-planning types of controls, which allow agencies to define alternate processing capabilities, storage sites, and communications plans in case of a natural disaster, like a hurricane, or a cyber-attack. "We have contingency plans in place and run those exercises as frequently as we need to, so when the event happens, we can move smoothly into that backup scenario," Ross says.

Rutrell Yasin has more than 30 years of experience writing about the application of information technology in business and government. He has witnessed all of the major transformations in computing over the last three decades, covering the rise, death, and resurrection of the ...

Comments
Susan_Nunziata,
User Rank: Strategist
7/30/2014 | 8:14:10 PM
Re: Practical thoughts on cyber security.. Kudos!!
@Ajr@m: there's probably not a single source of blame for the cyber security challenges we're facing, although I'd agree that lapses and negligence as well as the point that @DMRomano makes about companies simply not understanding the value of cybersecurity all play into it.

Can you tell us more about what your company is doing to overcome administrative lapses and negligence within its own security practices? Any examples of how you've addressed these issues would be helpful to all of us who are concerned about security in our own organizations.
Susan_Nunziata,
User Rank: Strategist
7/30/2014 | 8:04:36 PM
Re: Practical thoughts on cyber security.. Kudos!!
@Zaious: complacency is indeed the biggest mistake a company (or government organization) can make when it comes to cyber security. I'm not sure what scares me more: the risk of personal data being compromised, or the risk of compromise to the SCADA systems that support our electric grid, water supply and natural gas pipelines. The former costs lots and lots of money if breached; the latter could cost lives.
D.M. Romano,
User Rank: Moderator
7/30/2014 | 3:41:29 PM
Bigger and faster
With the motif of keeping up with the competition typically being the chief motivator of many organizations nowadays, infrastructure security is often overlooked for the sake of expediency.
nomii,
User Rank: Ninja
7/27/2014 | 4:19:41 AM
Re: Practical thoughts on cyber security.. Kudos!!
@Zaious I agree with you there, as this war has no end. It is the same in that one side develops some measures, the other develops its countermeasures, and then counter-countermeasures are developed. I think we need to act proactively, but all the old bases also need to remain covered while still progressing further.
zaious,
User Rank: Ninja
7/27/2014 | 1:02:46 AM
Re: Practical thoughts on cyber security.. Kudos!!
The people who think, "We have a foolproof system, we are safe," they get breached. Rather, there are people who think, "We are good, but we need to keep evolving, as the attackers are" - they stay safe and they are cautious. Building a wall is not the only defence; we need to keep track of how tall the intruders are getting.
nomii,
User Rank: Ninja
7/26/2014 | 5:50:55 PM
Re: Practical thoughts on cyber security.. Kudos!!
@Ajr@m I believe that not all these attacks are due to administrative lapses; rather, they are made by highly professional people with advanced knowledge and resources. I feel that by making tough administrative restrictions we can only correct basic-level lapses, but major attacks cannot be controlled without advanced-level safety procedures.
nomii,
User Rank: Ninja
7/26/2014 | 5:45:39 PM
Re: Resilient Systems
@MDMConsult14 I agree with you. I simply fail to understand why these systems are made prone to interference and attacks. Why are these highly sensitive systems not made to operate in standalone mode, with transfers only through portable devices? This will definitely restrict their movement but also keep them safe from attacks as well.
Ajr@m,
User Rank: Strategist
7/25/2014 | 10:33:15 AM
Practical thoughts on cyber security.. Kudos!!
Great article, Rutrell, a very pragmatic view of the state of web security and cyber space. As you've mentioned, a holistic approach is what is required going forward; most of the breaches today are a result of basic administrative lapses and negligence, which can be corrected with minimal effort and technology. I work with McGladrey; readers of this article may find this whitepaper on web application security interesting: http://mcgladrey.com/content/mcgladrey/en_US/what-we-do/services/risk-advisory/risk-bulletin/two-common-web-application-attacks-illustrate-security-concerns.html?cmpid=030syn
MDMConsult14,
User Rank: Moderator
7/25/2014 | 8:49:23 AM
Resilient Systems
Absolutely. Planning ahead and building technologies that will prepare organizations to both compete and prevent security concerns is smart. The right systems are resilient and can weather the tough times and prevent attacks.