What do Swiss cheese and cybersecurity have in common?
You’ve got to overlap the holes if you want complete coverage.
“Everything’s a layer of Swiss cheese when it comes to defending networks,” said John Forte, deputy executive for the Homeland Protection Mission Area at Johns Hopkins University Applied Physics Laboratory, during a March 28 Akamai government forum in Washington, D.C. “A hacker is going to find that hole and figure out how to get in. Think like a hacker as you defend; and all of the ways that you could be looking to defend your network should be taken that next step further to say how do I make that adversary’s time on all of my attack vectors really complex.”
An organization’s or agency’s adversary is going to be reading the same cookbook for infrastructure defense, Forte said, so when it comes to keeping them out, it’s all about “how do you mix it up a bit, how do you make the adversary pay?”
“Figure out ways to inject those into your infrastructure for sound cyber hygiene,” Forte said, “and to use everything that that brings to offer, to better inform on how you’re going to defend the infrastructure.”
Awareness of your architecture
Roger Barranco, director of global security operations at Akamai Technologies, said knowing your infrastructure is key to basic cybersecurity.
“If you don’t know your infrastructure, you can’t protect it,” said Barranco, who joined Forte during a panel on surviving a cyber hack. “Talk to your security professionals, say ‘what are you seeing out there, am I protected from that.’”
Rod Turk, deputy CIO and CISO at the Commerce Department, also touched on the importance of knowing your system’s architecture, but added that “basic blocking and tackling” can do a lot of good toward protecting your system.
Turk said federal agencies have lagged behind the ongoing march of technology. Fortunately, many cyber attacks are launched with malware that’s not all that sophisticated and that exploits vulnerabilities for which patches are already available.
“You’ve got to load those patches, you’ve got to make sure your operating systems are up to date,” Turk said. “The major companies involved in operating systems do not want to tell you there’s a flaw in their software. That’s like a recall for an automobile. When they come out and they put a patch in place and they tell you there’s a vulnerability, that’s a foot stomper.”
That’s not to say Commerce immediately loads a patch each and every time, Turk said. The various components and functionalities under the department require extra time to make sure they’re compatible; however, “you need to be able to load those patches as quickly as possible.”
“Get the vulnerability remediated, because I would tell you you could probably prevent north of 90 percent of those exfiltrations if you just take care of those things,” Turk said.
Planning ahead is important, Turk said, using the example of a farmer sharpening his scythe. Prepping the harvesting tool isn’t a waste of time, Turk said, because while the farmer might not be cutting hay at that moment, the basic maintenance will make it easier once he sets to work.
At the Federal Emergency Management Agency, it’s the end users who can often be the biggest vulnerabilities.
Wade Witmer, deputy director for FEMA’s Integrated Public Alert and Warning System Division, said his biggest challenge is training the user base, since his division is largely dependent on the information systems and infrastructure at other agencies and organizations.
Emergency operations centers often are staffed neither by government employees nor by cyber practitioners, Witmer said. They’re local emergency center operators, who rotate shifts on a 24-hour schedule, and who will find workarounds if a security feature is blocking their jobs.
“Security that doesn’t allow them to do their mission is a big problem, and they quickly will go around whatever it is,” Witmer said. “Making it easier for them, making them more aware of that is a big deal. In the short term, it’s more education, outreach and watching what industry and federal partners are doing. In the long term, I want to get completely out of the infrastructure business. The only thing that matters for public alert warning is credibility of the message, a guarantee that who sent that is somebody that’s recognized and who they know, and that that message didn’t change while it got there.”
So while it might be better to sharpen a scythe ahead of a harvest, priming your cyber tools at any point in your defense is better than never.
“After you’ve started, then it is wasting time,” Witmer said, “but at least you’ve got it a little sharper for the next one.”