Commentary
9/3/2014
09:06 AM
Vijay Basani

Secure The Core: Advice For Agencies Under Attack

When facing state-sponsored attacks, perimeter security is never enough.

International espionage, Russian hacker mafias, Chinese generals moonlighting as cyber criminals, and a global plague of sophisticated, malicious intruders... sounds like a Clancy novel, doesn't it?

In fact, high-profile breaches by such nefarious actors are all too real. In just the last few months, the US Office of Personnel Management, the Government Printing Office, and the Government Accountability Office were breached by Chinese hackers, and records of background checks performed by US Investigations Services, a government contractor, were compromised in what looks like a state-sponsored attack.

State of urgency
The scope of the threats is massive and mutating; the US Director of National Intelligence has ranked cybercrime as a top national security threat. Given limited budgets and resources, prioritizing efforts and focusing on essential measures is paramount. In light of the multiple types and sources of attacks, cyber security teams are in a constant state of urgency. All of this can lead to a lack of focus. Panic-driven reactions, unclear compliance mandates, and lack of funding and expertise get in the way of effective cyber security implementation. High-visibility breaches prompt those responsible to make a big show of "fixing" the security lapses by investing in the "latest and greatest" technologies in an effort to provide reassurance to partners and clients.

This is rarely an effective response and isn't a prudent use of resources. Instead, there should be a return to basics, a common-sense approach that will effectively mitigate risks at a lower cost.

First, secure the core
Government agencies need to focus on the core of their infrastructure where the critical data actually reside. The top priority should be implementing stringent controls around access, user management, systems configuration, and data encryption. I believe that analysts often give insufficient guidance based on their bias for new and more "interesting" technology. It should be emphasized that inline network technologies are distinct from fundamental security controls, which should always come first.

The core infrastructure should be prioritized over the network boundary; if the core is weak, critical assets are at risk no matter how much money and time has been invested in fortifying the perimeter. In fact, Verizon's most recent Data Breach Investigations Report indicated that 90% of the cyber attacks surveyed could have been prevented if simple security controls had been implemented. PricewaterhouseCoopers' 2014 US State of Cybercrime survey similarly found that fewer than half the organizations surveyed took the necessary precautions.

Focus on data security
The PwC survey noted that among government services, unauthorized access to information, systems, or networks was reported by 24% of respondents. This alarming statistic, in conjunction with the recent breaches of sensitive info, highlights an urgent need for stronger data protections. Initiatives aimed at securing the core should also focus on system configuration, user management, and continuous monitoring of all of these factors. In the universe of cyber criminals, personal data is as prized and hoarded as money. Critical data (intellectual property, personnel and financial records, sensitive communications, etc.) being collected and stored must be properly handled and encrypted. It is important to note that data residing on outside contractors' systems are particularly vulnerable and should be included in security mandates.

Systems configuration is at the heart of security
Likewise, it is imperative to ensure that any system that touches critical data is properly configured and kept aligned -- on an ongoing basis -- with the appropriate set of security controls. The continuous monitoring requirement is straightforward: collect event data (logs and activity records) and state data (configuration and vulnerability state), and compare both against the best-practice baselines published by DISA, NIST, SANS, etc. Monitoring systems (including network devices, data storage, and applications) continuously, on a near real-time basis, lets organizations detect weak links in the core infrastructure where critical data reside. Implementations should include mechanisms to measure controls against the chosen standard, report the deviations, and take remedial action to correct them; a deviation that is found but never closed is not a control.
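The measure-deviate-remediate loop described above, worked through for one service as an added example (this is not code from the article or from EiQ Networks). It treats an sshd configuration as state data and an auth log as event data: the baseline values are assumptions chosen for illustration rather than a transcript of any DISA STIG or NIST control, and the config fragment and log lines are constructed sample input, not captured from a real host. The event check is there to show why both kinds of data matter: a successful root password login is evidence that a configuration deviation is not merely present but being exercised.

```python
"""Constructed example: measure sshd state against an assumed baseline, derive a
corrected config, and corroborate state deviations with event data."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Assumed baseline (illustrative, not an official benchmark): directive -> required value.
BASELINE = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "PermitEmptyPasswords": "no",
    "X11Forwarding": "no",
    "MaxAuthTries": "4",
}

# Constructed sshd_config fragment: two wrong values, one directive missing entirely.
SAMPLE_CONFIG = """\
# sshd_config (constructed sample)
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PermitEmptyPasswords no
X11Forwarding no
# MaxAuthTries intentionally absent: sshd's compiled-in default is 6
"""

# Constructed auth log lines (event data).
SAMPLE_LOG = """\
Sep  3 09:01:12 host1 sshd[2201]: Accepted publickey for ops from 10.0.0.5 port 50122 ssh2
Sep  3 09:02:40 host1 sshd[2210]: Accepted password for root from 203.0.113.7 port 41002 ssh2
Sep  3 09:02:58 host1 sshd[2214]: Failed password for root from 203.0.113.7 port 41010 ssh2
"""

_DIRECTIVE = re.compile(r"[\s=]+")  # sshd accepts "Key value" and "Key=value"


@dataclass(frozen=True)
class Deviation:
    directive: str
    expected: str
    observed: str | None  # None when the directive is absent and the daemon default applies


def parse_sshd_config(text: str) -> dict[str, str]:
    """Effective directive -> value map, keys lower-cased. sshd honours the first
    occurrence of a directive, so later duplicates are ignored here as well.
    (Match blocks are out of scope for this example.)"""
    settings: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = _DIRECTIVE.split(line, maxsplit=1)
        if len(parts) == 2:
            settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings


def find_deviations(config_text: str, baseline: dict[str, str] = BASELINE) -> list[Deviation]:
    """State check: every baseline directive that is absent or has the wrong value."""
    observed = parse_sshd_config(config_text)
    return [
        Deviation(name, want, observed.get(name.lower()))
        for name, want in baseline.items()
        if observed.get(name.lower(), "").lower() != want.lower()
    ]


def remediate(config_text: str, deviations: list[Deviation]) -> str:
    """Corrected config text: rewrite the first occurrence of each deviating
    directive, append directives that were absent. Writing the file and reloading
    sshd belong to the caller's change-management process, not to this function."""
    fixes = {d.directive.lower(): (d.directive, d.expected) for d in deviations}
    out: list[str] = []
    for raw in config_text.splitlines():
        stripped = raw.split("#", 1)[0].strip()
        parts = _DIRECTIVE.split(stripped, maxsplit=1) if stripped else []
        if len(parts) == 2 and parts[0].lower() in fixes:
            name, value = fixes.pop(parts[0].lower())
            out.append(f"{name} {value}")
        else:
            out.append(raw)
    out.extend(f"{name} {value}" for name, value in fixes.values())
    return "\n".join(out) + "\n"


_ROOT_PW_LOGIN = re.compile(r"sshd\[\d+\]: Accepted password for root from (\S+)")


def corroborate_with_events(log_text: str, deviations: list[Deviation]) -> list[str]:
    """Event check tied to the state check: if root or password login is permitted
    in violation of the baseline, report each successful root password login."""
    deviating = {d.directive for d in deviations}
    if not {"PermitRootLogin", "PasswordAuthentication"} & deviating:
        return []
    return [
        f"root password login from {m.group(1)}"
        for m in map(_ROOT_PW_LOGIN.search, log_text.splitlines())
        if m
    ]


if __name__ == "__main__":
    devs = find_deviations(SAMPLE_CONFIG)
    for d in devs:
        print(f"DEVIATION {d.directive}: expected {d.expected!r}, observed {d.observed!r}")
    for finding in corroborate_with_events(SAMPLE_LOG, devs):
        print(f"EVENT     {finding}")
    print(remediate(SAMPLE_CONFIG, devs))
```

Running the check again over the output of `remediate` and requiring an empty deviation list is the "near real-time" part of the loop: the remediated state is re-measured rather than assumed, and the same comparison runs on the next collection interval.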

Finally, after taking steps to secure and continuously monitor the data and systems at the core of your computing infrastructure, it is then appropriate to address the network layer, implementing antivirus and antimalware, intrusion prevention, firewall, and other technologies that help protect the network and keep the bad guys out.

Propagate a security culture
The human component of security should never be overlooked; user access privileges must be consistently and continuously managed, supported by clear policy and enforcement. Building cyber security into the organizational culture and mission is crucial. Everyone who touches critical data or connects to your network -- from executives to entry-level personnel, contractors to supply chain vendors -- must be under a mandate to practice and monitor proper user behavior. Thoroughly educating all users about the potential consequences (to the individual and the organization) of careless online behavior is an affordable and effective front-line defense strategy.

The recent and ongoing pile-up of government agency breaches shines a floodlight on the frightening vulnerability of online storage and networks. As governments increasingly conduct their operations in the cyber realm, building strong defenses at the heart of critical data and communications systems has become an urgent matter of national security. Hunker down and focus on the basics, continuously monitor and remediate, and train all the good guys to be cybersecurity guards.

Vijay Basani is CEO and President of EiQ Networks. He is a serial entrepreneur with a track record of building successful businesses delivering enterprise-class solutions. Before starting EiQ Networks, he founded AppIQ, an application storage resource management provider ...
Comments
GonzSTL
User Rank: Strategist
9/4/2014 | 12:23:51 PM
Re: Buying into the Security Culture
You are correct - the weakest link is usually the user community, and is also the most difficult challenge to overcome. The key is to engineer their behavior through awareness training, and transform the organization's culture to include secure practices. Security awareness training is such a difficult task because there are so many different personalities involved. However, measurable training effectiveness can be achieved by delivering a message that becomes personal to the individual, so relating secure practices at work to their personal activities definitely helps. When you think about it, secure practices at work are really not much different from secure practices in one's personal life. When I deliver awareness training, I start with its implications on personal activities - online banking, shopping, social media, etc. That gets their attention all the time, and always results in lively discussion. Then I introduce corporate secure practices and demonstrate how those are not very different from the same ones I advocate they use in their personal activities. I think this method allows for better retention and effectiveness. Having said that, organizations should definitely have strong user controls in place, and should anticipate that users will attempt to circumvent them. When coupled with effective awareness training, the combination goes a long way towards the goal of transforming the organization's culture to include secure practices.
Stratustician
User Rank: Ninja
9/4/2014 | 9:17:50 AM
Buying into the Security Culture
While I absolutely agree that one of the critical areas of security comes down to ensuring that everyone who has access to corporate resources understands their role in security, sadly this is still going to be the weak point of most organizations' perimeter defence. Let's face it, employees are tired of hearing about security and are looking for ways to get around basic security controls so that they have, what they feel, is a balance of convenience and access. The sad fact is that unless strong user controls are in place to dictate how data can be used and stored, and even ensuring that all the devices used to access the data (laptop, mobile, tablet) have the right security controls, this is still a huge gap for many organizations.