In cyber warfare, as in all warfare, there are two types of players: those on offense and those on defense. While offensive abilities are fairly ubiquitous, defense is another matter entirely. With six hacks since April 2013 targeting OPM and its contractors’ personal information, the need for robust defense strategies for big data protection is clear. It is up to agencies to develop strategies to mitigate vulnerabilities and catch security threats before they occur.
Here, Mav Turner, Director of Product Strategy for Security at SolarWinds, shares how agencies can take a back to basics approach for implementing policies around monitoring and network and application segmentation to improve defensive strategies and protect big data.
Tell us about today’s cyber security landscape and particularly the impact on federal agencies.
Today’s cybersecurity landscape continues to be stormy. The number of attacks continues to rise, but organizations are still lagging in their ability to defend against these attacks. Attacks leveraging known vulnerabilities are still the most successful way to breach an agency, and users are not getting the message. The impact on federal agencies is going to continue to be significant. Many federal agencies continue to underestimate the value of the data they have and that the costs to attackers are low, both in terms of real cost and the impact of deterrents.
It is important to point out, though, that law enforcement has made noticeable progress in prioritizing, identifying, and pursuing cyber criminals. Federal agencies have been ramping up their cybersecurity efforts for years, but I wouldn’t say that the tide has quite turned in favor of the good guys. The bottom line is that adversaries only need to find one way in, and agencies need to defend all entry points, limit and repair damage caused by breaches, and identify and remove any footholds established by the attackers.
Among the more significant attacks in the federal space were the cyber-attacks on OPM. What were the key takeaways from this incident?
There are several key takeaways from the OPM attacks. The first is that the breach originated through contractor systems, which emphasizes that federal networks and systems are only as secure as their weakest link. Agencies need to pay attention to their supplier chains and segment their networks to reduce access and risk. The second takeaway involves smart cards. It’s my understanding that the only OPM systems that weren’t compromised were the ones that implemented dual-factor authentication. This has led to stronger enforcement of prior mandates to utilize dual-factor authentication across the board for federal agencies.
Understanding the current landscape we are in today, what advice would you give to agencies that are developing their own cyber warfare defense strategies?
The first thing I’d say to this question is that federal agencies are not on their own here. NIST has been partnered with DOD, the Intelligence Community and the Joint Task Force for years to develop and provide significant guidance on how to secure their systems. Examples include Special Publication 800-53, which defines a process and a risk management framework to guide agencies to increase their security, and Special Publication 800-53A, which defines the controls in detail.
It comes down to three questions:
- What security controls are needed to mitigate the risk of using IT in the execution of your mission?
- Have these security controls been implemented?
- How confident are you that the controls were implemented effectively?
Agencies should have a clear plan encompassing: what to monitor and how; automated software patching; procedures that should be followed in case of a breach; a roadmap for capabilities you would like to add to your team; and more. The plan should address actions needed before, during and after a breach. It should be a “living document,” continually updated as necessary and shared with those who assume any sort of control or management of security protocols.
At SolarWinds, you advocate a “back to the basics” approach to defense strategy. Can you explain the components of a “back to the basics” strategy and give some tips on how agencies can begin implementing this type of strategy?
Agencies need to patch their systems to eliminate risk from known vulnerabilities. They need to continually educate their employees and track progress of employee engagement in preventing attacks. Agencies need to implement dual-factor authentication and eliminate shared passwords, especially for privileged accounts. They need to monitor their networks for threats and breaches and have an incident response plan to contain, eradicate and recover from attacks when they occur.
Anything else to add?
I think we all agree that the only way to completely eliminate vulnerabilities is for systems and networks not to be connected. And, since this isn’t feasible, the next best thing is to raise the barrier to entry high enough that the cost to attackers is so high that they go elsewhere. When an attack is successful, we have to be able to detect and respond before the damage is done. The best way to position your agency is to have the right mix of people, process, and technology.