In helping the in-laws clear out some junk from their house, I discovered a door through the basement to the back yard. For some reason, I never realized the house even had that door. The yard backs up to woods that are pitch dark at night. The door itself is half-window, and the wooden frame into which it is set was badly rotted.
What a security vulnerability this door is, I thought. I’d be creeped out at night knowing that hidden door was down there, easily pushed in with one good kick. I advised the ‘rents to hire a carpenter to rebuild the frame and replace the door with a solid steel one equipped with a good deadbolt lock. One less way for a burglar to get in.
Federal agencies have thousands of such doors, metaphorically speaking, providing easy access for hackers into their networks.
CIOs in and out of government refer to the cybersecurity guidelines published abundantly by the National Institute of Standards and Technology. NIST says one way to reduce your vulnerability is to reduce what it calls your attack surface. Find this advice somewhere in publication 800 something-or-other, probably 53. Read it — it’s about the average length of Hillary Clinton’s memoirs and Donald Trump’s Art of the Deal.
Tech staffs have a number of ways to reduce the attack surfaces of their networks. Automatic logoffs, for instance, button up machines when careless users go home and leave their machines running. Another: Make sure you include copiers, which are connected to the network and have hard drives with lots of document information, in your continuous monitoring plans. Blocking access to malware-rich websites also helps.
But lots of potential for reducing the attack surfaces lies in getting rid of forgotten and unknown devices that remain connected. That’s if you can find them. You can, but it takes work. Devices have a way of moving in and never moving out.
Case in point: The Transportation Department. At a briefing earlier this week, CIO Richard McKinney told the story of hiring a services contractor to discover everything connected to DOT’s multiple networks. He described it as mapping the infrastructure. McKinney said the exercise revealed hundreds of mobile and fixed-location devices of which the IT staff was totally unaware. Each one represented a potential path for intrusion or unauthorized access.
McKinney said this of the discovery: “It was so sobering.” Probably as sobering as my investigation of my father-in-law’s house: Seven hammers, nine identical pairs of scissors, six suitcases gone moldy, two broken coffee makers packed neatly in their original packaging. That junk was at least inert. Not so real live electronics with Ethernet ports or WiFi.
For DOT, the results of the survey presented an easy way to reduce the attack surface: Disconnect and get rid of the devices. In round two, McKinney said he’ll hire another contractor to discover all of the active and unused applications lurking on the network.