Duration: 1 hour
Cost: No Fee

If any single thing is true of cybersecurity, it’s that whatever you know today will need updating tomorrow. Cyber threats, attack vectors and prevention and mitigation strategies – organizations much constantly review them because the attackers constantly renew their own strategies for getting past defenses.

In the most recent two years, an expansion in remote work, coupled with a rise in the number and variety of remote access end points, has altered the cybersecurity scene for federal agencies across the board. Recent guidance from the Cybersecurity and Infrastructure Security Agency (CISA) aimed to help agencies implement NIST guidelines for protecting infrastructure by strengthening asset inventories, unauthorized access prevention, and network segmentation.

For the latest thinking going into 2023, Federal News Network asked a panel of cybersecurity practitioners for their strategies. The consensus: Continued cloud computing adoption and work towards zero trust architectures will stay at the heart of modernizing IT infrastructures for greater security.

Alan Hill, the chief information officer at the Federal Communications Commission, said his efforts would concentrate along two lines. One, updating network configurations pursuant to finer-grained segmentation to limit attacks. Two, dealing with IT technical debt, which requires inventories that cover older assets that lurk as vulnerabilities.

“You need to secure all the way through the entire stack,” Hill said, “from layer one all the way up to the application level layer seven.” He said that effort must include older code you might not realize is operating and, to the extent possible, move it to a secure cloud environment. Seeing and understanding all code, and its services and data interdependencies, has become a baseline need for rooting out potential vulnerabilities.

For Army Col. Joseph Hoffert, chief of the solution delivery and risk management executive divisions at the Defense Health Agency, cyber threats come double-barreled. Both DoD and healthcare networks are particularly attractive to malicious hackers. Of particular concern to the agency are networked medical devices. They often use older, unpatched operating systems that yield access to IT infrastructures.

“The attack interest and of adversaries gets exponentially greater when you put those two together,” Hoffert said of DoD and healthcare networks. His challenge is balancing the need to protect sensitive personal health data with accessibility to legitimate users such as the Veterans Affairs Department and the private sector health care providers that operate on behalf of the DHA.

Between critical infrastructure targeting and phishing-powered ransomware campaigns, potential attack surfaces have multiplied.

“The concept of the attack surface management is really critical,” said Bill Harrod, federal chief technology officer at Ivanti. It’s crucial to have a complete picture, he said, one that includes all user devices, internet-of-things sensors, and specialized items like medical devices. Securing all of this in a way that provides a good experience for authorized users, Harrod said, is equally critical.

Micro segmentation, Harrod added, can enable the organization to let people do their work easily yet provide strong authentication and access controls down to the transaction level.

Visibility directive

So important is attack surface visibility that CISA, late in 2022, issued a Binding Operation Directive, number 2301.

Aastha Verma, a CISA division branch chief, said, “This BOD is specifically about improving asset visibility and vulnerability detection on federal networks.” While CISA BOD’s typically apply to civilian departments and agencies, Verma said she’s optimistic that Defense agencies will also implement them.

The directive “takes the next step by establishing baseline requirements for [agencies] to identify assets and vulnerabilities on their networks. This is one way of gaining visibility to their exact asset inventory and by doing so, developing a plan to help them remediate where the risks are on their networks,” Verma said.

Whether civilian or military, the imperative for organizations to understand and mitigate risks to their IT infrastructure grows as their infrastructures become more hybrid and accessed by more remote users.

With multiple clouds, its own data center, and larger numbers of employees routinely remote, The Defense Health Agency had to meet the challenge of virtual private network (VPN) limitations, Hoffert said. He said the DHA established multiple pathways for traffic among these entities – and to and from the various other agencies it deals with – to avoid overloading its VPN.

He added, “We use comply-to-connect solutions that allow us to see each and every thing that as it connects to our network, and identify that and verify whether or not that is allowed to connect.”

Beyond control of connections in complex environments, said the FCC’s Hill, “it’s extremely important to know where your data flows occur.” That also why micro segmentation is so important, “to where we see the actual transaction of the workloads occur, and where they’re at, and apply the security on those workloads.”

Hill added, it requires care to move firewalls from the network to the application layers. “You have to be very deliberate in that process, making sure you understand your data flows, so you don’t break the mission.”

Solutions for security and reliable application delivery in hybrid, micro-segmented environments themselves need to be hybrid. Harrod said Ivanti officers both on-premise solutions not connected to the cloud as well as cloud-hosted security solutions that also run on mobile devices. Such a flexible approach helps minimize “hair-pinning” of traffic among devices, data centers and clouds, which adds cost and latency as well as a stretched out attack surface of data in transit.

Organizations must “be able to change the way we understand security,” Harrod said. “The perimeter has become so porous, with mobile devices and edge compute, that we really do come back to the application, even down to the transaction level, and being able to provide conditional access controls.”

Learning objectives:

• The current threat situation
• The hybrid environment
• Strategies for mitigating cyber threats

Please register using the form on this page or call (202) 895-5023.