Cyber Attacks Happen: Build Resilient Systems - InformationWeek

Rutrell Yasin

You can't stop all attacks or build the perfect defense system. The higher-level objective is resilience.

Read the rest of the story in the new issue of InformationWeek Government Tech Digest (free registration required).

Every week, billions of cyber-events batter government networks. Millions of these attacks hit at network speed, and thousands succeed, as reported by the Homeland Security Department's US Computer Emergency Readiness Team. The US Navy alone was attacked almost 1 billion times in 2012. Although security analysts strain to counter these breaches, mostly with manual processes, it's likely terabytes of data are stolen.

Given this dynamic landscape, you might think federal CIOs are getting more resources to defend against mounting cyberthreats. They're not. Money and security expertise are in short supply, meaning agencies need to innovate. First and foremost, they can no longer take a piecemeal approach to information security. A holistic strategy that incorporates real-time risk management and continuous monitoring is the only way to go.

To help agencies build these more-resilient systems, the National Institute of Standards and Technology, in collaboration with the Defense and Homeland Security departments and private sector intelligence communities, has come up with security controls that focus on mobile and cloud computing, application security, the insider threat, supply chain security, and advanced persistent threats. NIST lays out these controls in its Special Publication 800-53 Revision 4. Released earlier this year, Rev 4 represents the most comprehensive update to this publication since the document's inception in 2005.

Most federal employees understand the urgency. They see the fallout from attacks, such as the recent Department of Veterans Affairs breach that exposed thousands of veterans' personally identifiable information via a software glitch. They hear that Chinese hackers penetrated the databases of the federal government's Office of Personnel Management, which contains files on all federal employees, including those who have applied for top-secret clearances.

So it comes as no surprise that more than half of the respondents to InformationWeek's 2014 Federal Government IT Priorities Survey say cybersecurity/security is the top priority in their agencies. Seventy percent rate security as "extremely important," with another 16% viewing cyber-security/security as "very important."

Federal managers want to know "how to stop the bleeding," says Ronald Ross, project leader of NIST's FISMA Implementation Project and Joint Task Force Transformation Initiative. You can't stop all attacks or build the perfect defense system. The higher-level objective is resilience. "What does it mean to have an adequate degree of resilience in a modern information system that supports critical missions?" Ross asks, in a question that's neither rhetorical nor unique to federal agencies. State and local governments as well as private sector companies are struggling, too -- anyone with valuable information and using very complex high-end technology is subject to the same types of threats.

Resiliency means "becoming healthy after something bad happens," says Bret Hartman, VP and CTO of Cisco's security business group. "That is a good way to think of security because it's impossible to stay healthy all the time." Agencies should consider the attack continuum and which technologies they need in place before an attack occurs, during an attack, and after the attack to do systems remediation. This last area is still maturing and is where the biggest challenge lies today, Hartman says.

Time for better cyber "hygiene"

To address resiliency in federal government, NIST and its partner agencies are focusing on two tracks: improving "cyber hygiene," and designing IT system architectures that can bounce back from damage and contain attacks. A good way to view cyber-security, says Ross, is to have a way to address areas "above the water line," such as known patching and maintenance, and those below the water line -- problems you can't see that could cause trouble and inflict serious damage without warning.

Cyber hygiene focuses on tasks that security administrators deal with daily, such as promptly updating operating systems and applications with the latest security patches or making sure all operating systems and network devices are configured properly to close down attack vectors that could be exploited. IT must also assemble and maintain a complete inventory of everything on the agency's network and the information it has to protect.

With NIST 800-53 R4, the government is starting to address security below the water level, too. Specifically, we're talking about contingency-planning types of controls, which allow agencies to define alternate processing capabilities, storage sites, and communications plans in case of a natural disaster, like a hurricane, or a cyber-attack. "We have contingency plans in place and run those exercises as frequently as we need to, so when the event happens, we can move smoothly into that backup scenario," Ross says.

Rutrell Yasin has more than 30 years of experience writing about the application of information technology in business and government. He has witnessed all of the major transformations in computing over the last three decades, covering the rise, death, and resurrection of the ...

User Rank: Strategist
7/30/2014 | 8:14:10 PM
Re: Practical thoughts on cyber security.. Kudos!!
@[email protected]: there's probably not a single source of blame for the cyber security challenges we're facing, although I'd agree that lapses and negligence as well as the point that @DMRomano makes about companies simply not understanding the value of cybersecurity all play into it.

Can you tell us more about what your company is doing to overcome administrative lapses and negligence within its own security practices? Any examples of how you've addressed these issues would be helpful to all of us who are concerned about security in our own organizations.
User Rank: Strategist
7/30/2014 | 8:04:36 PM
Re: Practical thoughts on cyber security.. Kudos!!
@Zaious: complacency is indeed the biggest mistake a company (or government organization) can make when it comes to cyber security. I'm not sure what scares me more: the risk of personal data being compromised, or the risk of compromise to the SCADA systems that support our electric grid, water supply and natural gas pipelines. The former costs lots and lots of money if breached; the latter could cost lives.