No time off for cybersecurity officials in 2023

More of the same. Only more so. That might be the best way to characterize the cybersecurity trends for 2023.


To hear more about what to expect on this crucial front in 2023, the Federal Drive with Tom Temin spoke with the director of emerging security trends at the SANS Institute, John Pescatore.

Interview transcript:

Tom Temin
And you have been observing cybersecurity or practicing cybersecurity in one way or another for a very long time, at quite a few influential places. What can we expect in 2023? And I want to begin with the war in Ukraine now dragging on to close to a year. And we’ve heard a lot of possible fallout from that. What do you see on that front?

John Pescatore
I think there’s two major areas, one that we highlighted was attacks on what I’ll call dual-use technology, technology that the government, specifically the military, uses, but also private industry uses. So one example is certainly the GPS systems, the locating systems we all depend on for maps and many companies for routing their trucks and so on. I mean, that’s an obvious military target. But the one that happened more recently here was an attack on satellite communication systems that the Ukrainians are using. Russia attacked them, brought them down. And then I believe Elon Musk, the CEO of who knows how many companies these days, but one of them is Starlink, which is another satellite communications company, he sent Ukraine a bunch of terminals to use, and the Russians promptly attacked the Starlink system. So that’s one issue, particularly GPS and any satellite communications, any other technologies you might be using, for instance, cloud service providers that are on FedRAMP and others, they tend to have their own data centers to serve FedRAMP. But if a government agency is using commercial cloud service providers that aren’t going through, aren’t dedicated government data centers, those are things to look out for attacks, that you’re not the target. But you’ll be impacted.

Tom Temin
What’s the vector by which they get to communication systems?

John Pescatore
You would think it’s kind of hard to attack a satellite. But all satellites have to talk to a ground station, all ground stations have computers. So that’s the vector. You know, the unfortunate thing is, everywhere we go today, the two most vulnerable things are always there, people and software.

Tom Temin
Interesting. Wow. So we have actually then seen evidence of this, this has actually happened. It’s not just a potential, already in 2022. Attacks on satellites.

John Pescatore
Yes, that’s on Starlink. And the other, I forget the name of it, but the other satellite comm system that was in use.

Tom Temin
Yeah, so that domain that the military has said is becoming a contested domain, that’s really come about. Good, good insight to bring us here. You also mentioned this year, from the SANS standpoint, that rise of data backup ransomware attacks, and I think the key word is backup.

John Pescatore
Yeah, what we were pointing out there, Johannes Ullrich of SANS was pointing out, I think it’s a very good thing to think about, because we’ve already seen those attacks. Basically, two things happened. One, when COVID happened, everybody rushed to let employees work from home and then started to worry about backing up data. So there were a lot of new backup capabilities added to support hybrid work. The second thing is ransomware attacks themselves pointed out, if you didn’t back up your data, when they stole your executables and encrypted them, you were stuck. So we saw a lot more backup systems put out to prevent ransomware attacks from succeeding. However, the bad guys found out that a lot of those backup systems were rushed out, weren’t configured securely, or were placed on top of other backup systems. So they began attacking the backup capabilities. So either encrypting the backup capabilities or finding out, look at that, they did not protect their backups, we can steal their data from the backup systems. So really is sort of if you did rush out or deploy backup capabilities recently, whether it was due to the hybrid work and COVID, or whether it was due to reviews after ransomware attacks, make sure you’ve done that securely. Because once an attacker is in your backup system, not only can they steal your most important data, that’s why you’re backing it up. But also they’re on the inside of your network.

Tom Temin
The initial advice when ransomware first became a widespread phenomenon, the advice was, well, if you back everything up, you’re gonna be OK. But I guess the concomitant piece of advice is back it up in a way that’s offline, or that is encrypted and offline, maybe all of the above.

John Pescatore
Yeah, definitely all of the above, but also making sure you know how many backup systems you have out there and where the data is being stored. It’s kind of like, you know, when they cut down a tree, they can look at the tree rings and see back hundreds of years. If you look at the backup systems, you’ll find layers of them. Now there might be mainframe-based ones still in use from the early days of dumb terminals, then PC software client-server backup systems. Now with people working at home, cloud-based backup systems. So quite often the data is backed up and it’s very nice to have backup data, but if you have five copies and you don’t even know about four of them, then the data is at risk.

Tom Temin
All right, we’re speaking with John Pescatore, director of emerging security trends at the SANS Institute. And multi-factor authentication. Again, advice everybody’s getting: go away from passwords and use all these different tokens. Phishing resistance, we hear, coming into the lexicon. But you think that the MFA bypass attacks will explode? Tell us what you mean there.

John Pescatore
Yeah, there’s another thing about sort of rushing out to do things. So first off, on the federal side, the Biden administration did a good thing. As soon as they came in, by the rush things like the IRS on to facial recognition and other very secure, what can be very secure techniques. But they had to back off very quickly, when they found out lots of issues had to be dealt with first. So the key thing is multi-factor authentication is the single best security move we can make. To replace reusable passwords with something else is the single best way we can avoid attacks, if we do it right. So for example, prior to some of the more modern approaches to multi-factor authentication, there when you get a cell phone message, and you have to enter that, and that’s pretty secure, if it’s done right. The attackers took advantage of in last year of Microsoft, who had some holes in their system. So one key thing is multi-factor authentication done right means what happens if the cell phone’s broken, or if the authentication token is broken? What’s your fallback procedure? If it’s fall back to I call the help desk and tell them and they ask me a few questions and let me in, we’re back to phishing attacks can succeed, because that’s asking people what they know. And they’re very willing to give what they know away. We know that from phishing attacks. The more modern technologies that Google, just today, Google announced they’re shipping support for this technology, and previously, Microsoft and Apple, called FIDO2, that has features built in to fight phishing. That’s the phishing resistant you mentioned. So we’re looking forward to, in 2023, lots of well-thought-out rollouts of multi-factor authentication using these new standards, hopefully in the government as well, that will not fall prey to these bypass attacks.

Tom Temin
Phishing then, is that a way of saying man in the middle can’t happen in phishing resistance?

John Pescatore
Yeah, and generally the way man in the you’re right, and definitely the way man in the middle happens is by tricking a user into giving away their password, or their, my dog’s maiden name is so and so. So they can fake out the security questions and get in the middle. These newer technologies don’t use what you know, they use what you have your cell phone, a token, your piece of hardware, something like that, that if the bad guy has your cell phone, and you haven’t told anybody, you’re still at risk, but it’s so much safer than if they’ve just tricked you into giving away a password or a security question answer.

Tom Temin
And these hardware tokens, the YubiKeys, and there’s quite a number of them. Are they manufactured in the United States? Or do we have the issue that they’re made in China, like so much other cheap hardware?

John Pescatore
Yeah, you definitely have a mix. There are some being made in the U.S. And hopefully, that will increase with all the efforts to increase U.S. manufacturing. But there certainly are many others made in other countries. But I have to point out, we’re in a global world, we cannot say we’re only going to buy things from onshore. You know, for example, over 10 years ago, the British government reviewed the big telecoms contract that was won by Huawei to upgrade the entire digital infrastructure of England. That was Huawei. And they didn’t say no, we can’t do Huawei. They required Huawei to fund the testing center that the U.K. mans to test all the Huawei software to make sure it hasn’t been corrupted. So there’s other approaches beyond just banning things from other countries that I think are going to have to happen long term.

Tom Temin
Well, even if something’s assembled here, you don’t really know necessarily where the chip came from. And that’s what matters, not the plastic shell and the connector.

John Pescatore
Yeah. And plus, you know, a lot of times we’re finding strange things in the food we eat in restaurants that was bought here and farmed here. So things can go wrong at any point in the chain. And testing is the only way we can be sure things are safe.

Tom Temin
And finally, what’s your sense of, especially federal agencies, but organizations in general, are they gaining in the skills that they need in house to keep themselves cyber secure?

John Pescatore
SANS is obviously in the training business. And we’ve certainly seen the federal government doing some very cool things to increase the skills in its employees, funding training, funding efforts to get more people into security, so that we can solve the hiring gap as well. But I also think there’s some really key things that FedRAMP is a great example of; FedRAMP is sort of the government was way out ahead in making secure cloud services available. But then you do need to upskill your people on the risks of cloud and how to do cloud computing securely. So I think there are some newer areas, and certainly around multi-factor authentication, training to make sure it’s done right. I think there are some newer areas I’d like to see the government take some steps forward in.
