4 ways government agencies can improve their cybersecurity fundamentals

July 6, 2016 Monzy Merza

Bloomberg Government regularly publishes insights, opinion and best practices from our community of senior leaders and decision-makers. This column is written by Monzy Merza, Director of Cyber Research and Chief Security Evangelist at Splunk. 

Just over a year ago the Office of Personnel Management revealed it had suffered two breaches that compromised the personnel records and security clearance information for approximately 22 million people, a group that not only included federal employees and contractors but their family and friends as well. Since then, sensitivity to cybersecurity incidents has been substantially higher across the federal landscape, with agencies looking to avoid enduring the loud and public criticism OPM still faces today.

Responding to the OPM breaches, Federal CIO Tony Scott initiated a month-long Cybersecurity Sprint calling on all agencies to evaluate and address security problems. This program yielded some positive results, including immediate improvements in authentication practices. Federal civilian agencies increased their use of strong authentication practices for privileged and unprivileged users by 30 percent during the sprint.

OPM has taken positive steps over the past year by improving its authentication practices, deploying new cyber tools to protect networks from malware and viruses, and increasing cyber awareness training for staff to combat phishing and other attacks. However, one point that is not discussed enough is the need for agencies to step back and refocus on sound fundamental practices.

Technology Fundamentals

The OPM incident made headlines last year. But every government security breach, big or small, is a reminder that agencies need to continually enhance their efforts toward building a stronger security foundation. In other words, regardless of whether a breach has occurred, all government agencies would benefit from focusing on some fundamental security practices.

There are four basic practices:

1. Multi-factor authentication – Authentication was rightly identified as a focus area following the OPM breaches. Passwords can be cracked or guessed, so single-factor authentication isn’t effective for protecting against today’s threats. Multi-factor authentication typically involves both knowing something (like a password or PIN) and physically having something, like an ATM card or the kind of fob many people use to access their office or apartment building.

2. Configuration management and patching – One of the most common causes of security incidents is the failure of agencies to patch known vulnerabilities in their systems. Many times, vendors will acknowledge that a vulnerability was discovered and release a patch so customers can ensure their systems are protected. However, agencies often aren’t efficient in moving to address the vulnerabilities, leaving them open to potential threats. Additionally, agencies should have a solution in place to regularly monitor systems and ensure they are running the most up-to-date versions of applications.

3. Up-to-date security instrumentation – Another fundamental step agencies can take is ensuring the cybersecurity tools in place are implemented and updated properly. A government agency may have the right solutions in place, but feature updates for improved performance or added coverage must be applied frequently to ensure full operation. In some cases, the tools are deployed correctly but they are not using the most recent detection signatures. For example, technologies like network intrusion detection systems, anti-virus, next generation firewalls and threat intelligence services are frequently updated by the vendors – sometimes daily. It is important to stay up to date to detect the latest threats.

4. Visibility across departments – Breaches are blindsiding: when they happen, immediate attempts by the target organization to validate or verify the information often fail due to a lack of visibility into the networks, applications and data sources. Agencies can often see what’s happening within their individual departments, but many lack the broader, enterprise-level visibility necessary to effectively deal with today’s threats. Agency departments undoubtedly have visibility gaps within their smaller silos too. As such, they need to invest in technologies that provide holistic visibility, allowing them to better communicate with each other when sharing potential threat information.

Cybersecurity Process Improvement

On top of the cyber basics, government agencies also need to focus on processes to enhance their approach to security. For instance, many agencies still lack a comprehensive incident response plan. The National Institute of Standards and Technology (NIST) has released a number of framework documents to help guide agencies with their strategy and approach to security.

One of these documents is the Computer Security Incident Handling Guide, which offers NIST recommendations on how agencies can establish reliable processes for improving cyber operations with a plan that outlines steps for identification, detection, response and remediation of threats. This guide explains how effective incident response requires creating response policies, developing specific procedures for incident handling and reporting, setting up a structured team of people and establishing clear rules and lines of communication for the incident response team to communicate with each other and with the rest of the organization.

Further, government agencies need to start viewing compliance as a starting point for security rather than the end goal. Compliance requirements and regulations are meant to be the minimum standards, but organizations should strive to build on compliance initiatives to enhance protections for networks and systems.

Lastly, security professionals must understand that every resource and piece of data intelligence could be valuable to security. With that in mind, improving security isn’t just about evaluating your own systems; it’s also about establishing a procedure for gathering and using information from outside resources as well. This is especially important today as public and private sector organizations face similar security challenges. There is an opportunity for each side to learn from each other.

The Path Ahead

The threat landscape continues to evolve, and government organizations will continue to be the target of future attacks. All government agencies, federal, state and local, should regularly evaluate and seek new ways to strengthen their security practices. However, adding new security tools for the sake of doing so isn’t going to work. There needs to be a larger, more strategic approach taken to guide security decisions across organizations. As agencies create enterprise-wide plans for approaching cybersecurity, strong security technology fundamentals are the best start to building a resilient cybersecurity posture.

The opinions presented in this column are those of the author and do not necessarily reflect the opinions of Bloomberg Government or Bloomberg LP.