It’s not an exaggeration to say that cybersecurity has never been more top of mind for federal agencies.
Threats such as ransomware and threat actors such as adversarial nation states have agencies worried about the confidentiality of their data and the continuity of their operations. New executive orders and heightened public scrutiny further raise the stakes on hardening systems, networks and data repositories.
But while the threat du jour might change, the fundamentals of cybersecurity do not. Implementing and maintaining basic security hygiene can go a long way in protecting information assets, regardless of attack or attacker.
How do you overcome cybersecurity anxiety and lean into a plan? Here are five steps to take in order to protect your agency for today and tomorrow:
1. Don't let the hype set your priorities.
The news media tends to hype the latest threat, and that can distract from real security priorities. For example, ever since ransomware forced a shutdown of the Colonial Pipeline in May 2021, agencies have been uneasy about this kind of attack. But ransomware is merely a payload. It still has to get in through phishing, exposed remote access, unpatched software or stolen credentials, and the same tools and practices that protect against those entry points protect against ransomware. With the right armor, ransomware is just another arrow to deflect.
In a similar way, some cybersecurity vendors have created undue fear around zero-day vulnerabilities. A zero-day is a vulnerability for which no vendor fix is yet available. Zero-days do keep emerging, but they are less common than many people assume. Reports suggesting that a large share of breaches result from zero-day exploits typically count malware samples that antivirus software doesn't yet recognize. That is "zero-day malware," not a zero-day vulnerability: the sample is new, but it often still arrives through a known, patchable weakness.
The solution is to keep applications and protections up to date. A zero-day stops being one the moment the vendor ships a fix, so patching promptly closes the window in which a disclosed flaw can be exploited; the layered controls described below cover the interval before a fix exists.
2. Control what you can.
You can’t stop cybercriminals from developing and using new weapons. But you can control more about cybersecurity than you might think.
Many attacks succeed largely because victims fail to effectively lock the doors to their digital buildings. Layered, defense-in-depth basics like user training, access management, encryption and patch management deliver a lot of bang for the buck and thwart the majority of attacks.
The Cybersecurity and Infrastructure Security Agency (CISA) has analyzed thousands of security breaches and found that many resulted from cloud misconfigurations, unmanaged ports and lax policies. In response, it has issued the Cloud Security Technical Reference Architecture, with recommendations for protecting data in the cloud.
The takeaway? The greater risk lies not in a novel vulnerability or a zero-day attack, but in a lack of basic precautions around patching, layered security and proper configurations.
3. Pick the low-hanging fruit.
Practice sound security hygiene. For instance, develop and maintain robust security policies. Enforce strict rules around removable media. Train users to recognize phishing. Require multifactor authentication. Monitor network traffic flows. Promptly apply security patches across all applications and endpoints. Too many agencies leave gaps in one or more of these areas.
In addition, deploy threat monitoring for a real-time view across your environment. Cybersecurity providers offer threat monitoring as a service at a reasonable cost. CISA also publishes timely alerts on security issues and shares automated cyber-threat indicators. Most IT systems come with event-logging capabilities that record potentially suspicious activity. Make sure event logging is turned on and that the logs are forwarded somewhere they will actually be reviewed. Just as important, make sure you have a process for acting on the threat intelligence you capture: an indicator that matches your logs is only useful if someone blocks, isolates or investigates in response.
Finally, your agency should be moving toward a zero-trust approach to security. With zero trust, users and devices aren't assumed to be trustworthy because of where they sit on the network. Instead, every user or device is verified every time it attempts to access a system or data. The National Institute of Standards and Technology has issued guidelines on achieving a zero-trust architecture in NIST Special Publication 800-207.
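Two of the practices above deserve a concrete illustration. The first is the "process for acting on threat intelligence": taking indicators from a feed such as CISA's and matching them against the event logs you already collect, with a predefined action for each kind of match. The second is the zero-trust idea that every request is evaluated on identity and device posture, never on network location. The following is an added example written for this page, not code from the article or from Red Hat; the indicator values, log lines, resource names and playbook actions are all constructed for illustration (the IP addresses are from reserved documentation ranges).

```python
"""Added example: (1) match constructed event logs against a small indicator
set and attach a response action; (2) compare a perimeter-trust decision with
a zero-trust per-request decision. All data below is constructed."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# --- Part 1: act on threat intelligence -------------------------------------

# Hypothetical indicator set in the shape of a shared feed (constructed values).
INDICATORS = {
    "ipv4": {"203.0.113.45", "198.51.100.7"},
    "domain": {"update-check.example.net"},
    "sha256": {"0123456789abcdef" * 4},
}

# Hypothetical playbook: the action the SOC takes for each indicator type.
PLAYBOOK = {
    "ipv4": "block at boundary firewall; check auth logs for successful logins",
    "domain": "sinkhole in resolver; list every client that resolved it",
    "sha256": "isolate host; collect triage image",
}

# Constructed sample log lines (auth, proxy and endpoint-agent formats).
SAMPLE_LOGS = [
    "2024-03-01T08:12:03Z sshd[2201]: Accepted publickey for svc_backup from 10.0.4.12 port 51234",
    "2024-03-01T08:12:41Z sshd[2207]: Failed password for root from 203.0.113.45 port 40022",
    "2024-03-01T08:13:10Z proxy: user=jdoe dst=update-check.example.net:443 bytes=48211",
    "2024-03-01T08:13:55Z edr: host=WS-118 file=C:\\Users\\jdoe\\r.exe sha256=" + "0123456789abcdef" * 4,
    "2024-03-01T08:14:02Z proxy: user=asmith dst=intranet.agency.example:443 bytes=1024",
]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b")
DST_RE = re.compile(r"\bdst=([A-Za-z0-9.-]+)(?::\d+)?")


@dataclass(frozen=True)
class Alert:
    line_no: int
    kind: str
    value: str
    action: str


def extract_observables(line):
    """Pull candidate IPv4 addresses, proxy destinations and SHA-256 hashes from one log line."""
    found = set()
    for ip in IPV4_RE.findall(line):
        found.add(("ipv4", ip))
    for digest in SHA256_RE.findall(line):
        found.add(("sha256", digest))
    match = DST_RE.search(line)
    if match:
        found.add(("domain", match.group(1).lower()))
    return found


def match_indicators(lines, indicators=INDICATORS):
    """Return one Alert per (line, indicator) hit, already paired with its playbook action."""
    alerts = []
    for line_no, line in enumerate(lines, 1):
        for kind, value in sorted(extract_observables(line)):
            if value in indicators.get(kind, ()):
                alerts.append(Alert(line_no, kind, value, PLAYBOOK[kind]))
    return alerts


# --- Part 2: zero trust versus perimeter trust ------------------------------

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # hypothetical "trusted" LAN

# Hypothetical per-resource policy: allowed roles, MFA and device-compliance requirements.
RESOURCE_POLICY = {
    "hr-records": {"roles": {"hr-analyst"}, "mfa": True, "compliant_device": True},
    "public-wiki": {"roles": {"hr-analyst", "engineer", "contractor"}, "mfa": False, "compliant_device": False},
}


@dataclass(frozen=True)
class AccessRequest:
    user: Optional[str]        # None means no verified identity
    role: Optional[str]
    mfa_verified: bool
    device_compliant: bool
    source_ip: str
    resource: str


def perimeter_decision(req):
    """Location-based trust: anything from the internal range is allowed."""
    return ipaddress.ip_address(req.source_ip) in INTERNAL_NET


def zero_trust_decision(req):
    """Evaluate identity, device posture and resource policy on every request; source IP is ignored."""
    policy = RESOURCE_POLICY.get(req.resource)
    if policy is None:
        return False, "unknown resource: default deny"
    if req.user is None or req.role is None:
        return False, "no verified identity"
    if req.role not in policy["roles"]:
        return False, "role not authorized for resource"
    if policy["mfa"] and not req.mfa_verified:
        return False, "MFA required"
    if policy["compliant_device"] and not req.device_compliant:
        return False, "device not compliant"
    return True, "allowed"


if __name__ == "__main__":
    for alert in match_indicators(SAMPLE_LOGS):
        print(f"line {alert.line_no}: {alert.kind} {alert.value} -> {alert.action}")
    inside_unverified = AccessRequest(None, None, False, False, "10.0.4.12", "hr-records")
    remote_verified = AccessRequest("jdoe", "hr-analyst", True, True, "198.51.100.20", "hr-records")
    print("perimeter:", perimeter_decision(inside_unverified), perimeter_decision(remote_verified))
    print("zero trust:", zero_trust_decision(inside_unverified), zero_trust_decision(remote_verified))
```

The two halves share a theme: the perimeter model allows the unverified laptop on the LAN and blocks the fully verified analyst working remotely, while the zero-trust check reaches the opposite conclusions for the right reasons. The indicator matcher likewise only pays off because each hit is bound to an action someone is accountable for carrying out.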
4. Understand your operating environment.
Make sure your IT team understands your environment inside and out. It should know where your defenses are strongest. And it should continually monitor and test any weak points. That will give you a distinct advantage over attackers.
It's difficult for attackers to gain the insight into your systems that your IT team already has. They have to probe systems or find an entry point and move laterally. In either case, that activity leaves traces your security team can detect, provided the logging and monitoring described above are in place. The better they know your operating environment, the more they'll have the upper hand.
In a similar way, you need to understand your digital supply chain. Hardware, cloud environments, cloud-based services and commercial software all involve elements that originate or exist outside your organization, so you need to know what those elements are, where they come from and who is responsible for fixing them.
Enterprise open source solutions can also promote confidence in your digital supply chain as they combine the innovation of the open source community with the robust quality assurance of established IT providers.
5. Think like an attacker.
Finally, to effectively thwart attacks, you need to think like an attacker. That requires a change in mindset.
When your team designs a system or develops an application, it aims for a specific outcome: optimizing an internal process or delivering a new service. Cybercriminals have a very different goal. They’re trying to break your system or access data they’re not authorized to see.
Thinking like an attacker can help you uncover hidden weak points. For instance, when your development team creates an application, it considers the typical inputs that will lead to the desired output. For stronger security, it should also imagine improper inputs: all the ways a cybercriminal might abuse a parameter to gain access, move through your network and steal data. Those abuse cases belong in the test suite alongside the happy-path tests.
Some agencies hire experts specifically for this task. Threat modeling during design identifies likely attack vectors before weak points are built in, and a "red team" then tests the finished system the way a real adversary would, rather than protections being bolted on after the fact. Building security in this early is a key goal of DevSecOps, an approach to application design and development culture that integrates security as a shared responsibility throughout the IT lifecycle.
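To make the "improper inputs" point concrete, here is an added example written for this page (not code from the article or from any real agency application). It shows a hypothetical report-download helper written for the happy path beside a hardened version, and runs both against a small set of constructed adversarial inputs of the kind a red team would try. The `/srv/reports` directory and the `.pdf` naming rule are assumptions; the code computes paths only and touches no files.

```python
"""Added example: a path-handling function written for expected input versus one
that anticipates hostile input. Directory and naming rule are hypothetical."""
import posixpath
import re

REPORT_DIR = "/srv/reports"  # hypothetical document root
# Allowlist: short, single-segment names ending in .pdf; no separators, dots or control bytes.
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}\.pdf")


def naive_report_path(name):
    """Written for the happy path: callers are expected to send names like 'q1.pdf'.
    posixpath.join discards REPORT_DIR when name is absolute, and normpath
    resolves '..' segments, so hostile names escape the report directory."""
    return posixpath.normpath(posixpath.join(REPORT_DIR, name))


def safe_report_path(name):
    """Hardened version: reject anything outside the allowlist, then verify the
    normalized result still sits under REPORT_DIR as defense in depth."""
    if not SAFE_NAME.fullmatch(name):
        raise ValueError(f"rejected name: {name!r}")
    path = posixpath.normpath(posixpath.join(REPORT_DIR, name))
    if posixpath.commonpath([REPORT_DIR, path]) != REPORT_DIR:
        raise ValueError(f"path escapes report directory: {path!r}")
    return path


def is_rejected(name):
    """True when the hardened function refuses the input."""
    try:
        safe_report_path(name)
    except ValueError:
        return True
    return False


# Constructed adversarial inputs: traversal, absolute path, NUL truncation,
# double-encoded traversal, traversal hidden behind a valid-looking prefix, empty.
ADVERSARIAL_INPUTS = [
    "../../etc/passwd",
    "/etc/passwd",
    "q1.pdf\x00.txt",
    "....//....//etc/passwd",
    "q1.pdf/../../../etc/shadow",
    "",
]


def compare(inputs=ADVERSARIAL_INPUTS):
    """For each input, report where the naive function would read and whether the safe one refuses."""
    return {name: (naive_report_path(name), is_rejected(name)) for name in inputs}


if __name__ == "__main__":
    for name, (naive, rejected) in compare().items():
        print(f"{name!r:32} naive -> {naive:28} hardened rejects: {rejected}")
```

Every adversarial case here is stopped by the allowlist alone; the `commonpath` check is kept so that a future loosening of the regex (say, to permit subdirectories) does not silently reopen the traversal.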
Cyberattacks won’t go away, but they’re not the boogeyman they often seem to be. With robust security hygiene and a zero-trust mindset, you can effectively protect your information assets, and avoid more of those sleepless nights.
Michael Epley is chief architect and security strategist, North America Public Sector, for Red Hat.