The ongoing war Russia forced upon Ukraine has added to the sense of urgency federal cybersecurity officials feel. It might be difficult to attribute the daily string of attack attempts to that region, federal practitioners have noted the use of cyber warfare by Russia.

Rather than focus about attribution, agencies are refreshing efforts to understand their range of vulnerabilities, their attack surfaces. And they’re updating policies and procedures to ensure protection extends not only to devices accessing their networks, but also to the applications and services enabling users to access.

On a panel discussion hosted by Federal News Networks, Robert Wood, the chief information security officer (CISO) at the Centers for Medicare and Medicaid Services (CMS), emphasized the need to take an expansive view of what constitutes the agency’s attack surface.

“The second you start putting all your focus on the asset discussion, specifically, things can get really complicated quickly,” he said. Hardware includes government-furnished and user-owned equipment of nearly every description. Users include employees, contractors, subcontractors, and the vast network of health care providers that interact with CMS systems.

Wood said that in another way to view the attack surface “you could take a very services-centric approach and say, with everything that’s connecting to your single sign-on, you build your security controls there.”

He added, “I’m in favor of stacking more control and more security closer to the thing that I want to protect. And then to the extent possible, identifying things that are connecting into the environments.”

At the Export-Import Bank of the United States, CIO Howard Spira takes a similar approach. He said the issue came up in Ex-Im’s preparations for its Federal Information Security Management Act (FISMA) audit.

“I noticed a substantial amount of revisions to policies and procedures to move beyond the notion of an asset as an additional physical asset,” Spira said, “to a notion of an asset to be a number of services that we provide, that are not anchored in a physical device.”

Ex-Im is 25% of the way through a transition to a virtual desktop infrastructure, heightening the importance of a hardware-software view of the attack surface.

Tool deduplication

Sam Kinch, the director of technical account management at Tanium, noted that the more variated elements in the attack surface become, the greater the tendency for agencies to accumulate specific tools to deal with vulnerabilities.

“We look at assets as being a cross between network and IT network devices,” Kinch said. “It can be endpoints, it can be cloud based assets, virtual desktop infrastructure assets, mobile internet-of-things.”

He added, “There’s a plethora of devices that you could roll up under that asset category. I don’t think there’s any product out there that you would want to put all in one basket and go, ‘I’m going to protect all my assets with this.’”

Which brings up the issue of multiple tools, which can be expensive and difficult to manage. Kinch said, “We see a lot of problems from lack of de-confliction or coordinating between cybersecurity solutions.” For example, having both malware detection and anti-virus software on a given device can cause the two products to compete because the malware product may see the anti-virus as a threat. Operators must take care, Kinch said, to configure the products to avoid conflict.

At Ex-Im, Spira said, an effort to automate patching and otherwise updating its software, whether on the network or on end points, “takes a lot of risk off of the table.” That effort couples to “a very clear, unambiguous set of hygiene scorecards, that are put in front of all of the directorates on no less than a weekly basis.” A related initiative, he added, is a reduction in the number of cybersecurity tools. Spira said his shop is moving towards a smaller, best-of-breed tool set while developing deep expertise in the tools that do make the cut.

Wood said CMS has a similar program.

“I’m personally a big fan of the cyber defense matrix,” Wood said, “finding overlapping solutions  and … basically slashing away things to the bare minimum. That just makes things more efficient.

Kinch said such deduplication should be an important part of any cybersecurity program, especially if done in a risk management context.

“One of the things that we focus on a lot is trying to evaluate risk across the enterprise,” Kinch said. “And understand for the customer, what does risk do in terms of providing a number or a capability to make it easier for leadership to make decisions on what approach to take, where to prioritize their efforts, who’s the most vulnerable.”

He said this analysis is where the importance of end point protection comes in. Specifically, agencies need to know which end points are most vulnerable. Hackers can use weak endpoints to launch a so-called pivot attack, gaining entrance then switching directions within the network.