At the moment, mobile malware is winning. That’s because existing networks have not been architected with malware in mind, and the mobile environment is particularly vulnerable. Adversaries are using persistent and innovative approaches to get access to networks, and the only way agencies can tackle this is to secure the entire enterprise, including the device itself.
You need a strong device security architecture, encryption for both data at rest and in motion, and identity management and authentication solutions to secure mobile users. Two-factor authentication is the classic approach, but there are also biometrics and other ways you can approach identity management. The same way you determine who gets access to certain types of data in a corporate environment, you want to have a similar process in place for a mobile environment.
Mobile malware is best managed with non-signature based detection technology. Putting that technology at the network gateway allows you to isolate data and applications that are potentially suspect. We recommend that agencies develop end-to-end trusted mobility solutions that go beyond the gateway approach to include on-device malware detection and identity management. At Northrop Grumman, we’re developing innovative security solutions in the mobile data environment, leveraging ideas from our university consortium and developing them through our own technology investments to help advance technology quickly.
We’ve barely seen the tip of the iceberg with mobile malware. This will become a very lucrative area for attackers, because so many organizations are behind the curve when it comes to getting their infrastructure in place to deal with mobile attacks. The problem is that personal devices are coming onto their networks whether they allow them or not. If employees aren’t issued mobile devices, they will use their own.
Agencies need to start implementing policies to govern this mobile environment – to spell out which apps can use government data, which are banned outright for government use, and so on. And then they need to put the infrastructure in place to enforce those policies. For example, they want to review apps to see if they are carrying malicious payloads, doing unnecessary calls back to the Internet or linking to malicious sites.
The good news is that with today’s technology, agencies can build an infrastructure to address all of these issues.
In our business, we manage mission critical systems for our customers. As we see it, risk management is the ability to balance key elements of risk tolerance: the cost to implement security with the ability to effectively execute the mission. This is a delicate balance that can only be achieved by partnering with the customer to develop a deep understanding of their mission.
We’ve been doing this for more than 30 years, and it’s this approach that helps enable a meaningful enterprise risk assessment. To help customers and our security practitioners develop this understanding, we created the Fan™, a layered cyber defense approach that assesses risk at each level of the IT enterprise – the perimeter, network, applications, data and client. The Fan™ allows us to be agnostic to platform and architecture. Each agency has different IT architectures and missions, and they think about risk differently. This approach allows us to leverage a common view of the enterprise and to identify where risk exists in each customer’s architecture.
Understanding your complete risk posture is essential. It is the difference between being proactive and in a good defensive position, versus reactive.
Ultimately, risk management is about data. You need to identify your critical data, and you need to understand what the impact would be if that data were compromised.
Impact is a critical distinction. An organization might have a security solution that catches x number of attacks a day. But most of those attacks will be the type of malware that is being broadcast across the Internet. On the other hand, there is the hacker targeting a procurement officer in charge of a major contract award – perhaps hoping to gain a competitive edge by reviewing the bids submitted by other companies. If successful, that one attack could have a much bigger impact than the other 9,000 combined.
This is a primary reason why agencies need to adjust their thinking. Yes, it is critical to provide the security infrastructure to protect the enterprise. But they cannot protect everything – and they will in fact be compromised at some point — so they need to understand the risks associated with their different datasets and manage them accordingly.
The relationship is good, and it’s a critical one. This partnership is constantly improving through programs like the Defense Industrial Base cyber pilot. The cyber threat is still a new phenomenon to most, and the ability for agencies to implement even basic cybersecurity practices differs a lot. As we work collectively to get in front of the threat, building cybersecurity early in the acquisition lifecycle is imperative. Creating core cybersecurity criteria for evaluation will be important to establish within future acquisition documents. One area that still needs improvement is securing the supply chain. Government and industry need to work together to find better ways to leverage COTS in secure environments without compromising security.
The NIST cyber framework is a great step forward and very useful for communicating how to manage risk by establishing a detection baseline and aggregating and correlating the event data.
The relationship between government and industry has improved dramatically in the last five years. NIST and DHS have done a great job of reaching out to industry when developing security policies and guidelines. These exchanges of information, which are happening in multiple programs, are helping to solve some important challenges.
Still, the collaboration needs to improve. In particular, we need a quicker and more automated approach to sharing information on possible security incidents. Creating such a system isn’t an easy undertaking, especially with the high-level of sensitivity when it comes to the confidential nature of this information. And, we need to get it done before we end up with a major compromise of an agency network or a critical infrastructure, such as a power grid or water system.
The demand for cybersecurity experts far exceeds the availability of this critical talent. That’s why we have focused so much effort and investment into enhancing today’s workforce and in developing tomorrow’s talent. We created our own training program called Cyber Academy, a cyber education continuum for both internal and external customers. We also know the importance of reaching down to the middle and high school levels to get students excited about a career in STEM and cybersecurity. To that end, we’re entering our fourth year as presenting sponsor of the Air Force Association’s CyberPatriot program, the national youth cyber defense competition. We also partner with universities across the country to develop the cyber workforce. This includes funding the nation’s first cybersecurity honors program, the Advanced Cybersecurity Experience for Students at the University of Maryland, and the Cyber Scholars program and the Cync incubator at the University of Maryland, Baltimore County. We also created the Cybersecurity Research Consortium, which includes Carnegie Mellon, Massachusetts Institute of Technology, Purdue and the University of Southern California, and opened a cyber lab at Cal Poly San Luis Obispo.
We see our customers extending their training programs in cyber, and the workforce is growing. We also see the military academies offering cyber degrees. In total, there is much to do but I see the ranks of cyber-educated professionals increasing and ready to take on this critically important mission.
The state of the cyber workforce is a universal problem, not just in government. Recently, DHS, NSA (National Security Agency) and other government organizations have made some significant strides. For example, they have worked with schools to offer scholarships to students pursuing degrees in cybersecurity in return for a commitment to working in civil service.
We need to find other ways to get people to consider a career in cybersecurity. Young people go into police work because they are interested in solving crimes — why can’t we showcase some of the innovative things that are happening in cybersecurity and spark their interest in the field? Neither government nor industry has done well with that so far.
We also need to push similar kinds of initiatives further down the education stack, even in lower grades. To build the right workforce for the long term, we must get more students interested in cyber technology.
Commercial managed security services are not always suitable for a government application. We see a wide range of adversaries attacking government IT enterprises, and a managed security service may not have the robustness to address the range of threats targeted at a government agency. If such a service is used, you’ve potentially introduced a gap or vulnerability.
That said, as IT infrastructure becomes more centralized through cloud computing, managed security services play a natural role. Some areas of the Department of Defense are migrating to shared IT infrastructure models and will likely expand their internal managed service models, including managed security services. Again, risk management is key. We encourage them to think about the risk tradeoffs, and at the same time to expand their internal managed security models with a higher level of security.
We already see managed services playing a role in smaller agencies outside of the military or intelligence side of the government. But this is something that other agencies should start embracing, as they look to deal with an increasing volume of network anomalies and attacks.
Managed services can provide a much more effective and scalable response capability than what most agencies can build. In part, it’s because even an agency with good processes and a well-trained staff will only be able to see the small-scale attacks aimed at their organization. A managed security services provider, on the other hand, will be tracking threats and attacks across multiple agencies, giving them a much broader perspective of the cyber threat landscape. For many agencies, such expertise will be critical to helping them keep attackers out of the networks and systems.
8609 Westwood Center Drive, Suite 500, Vienna, VA 22182-2215 703-876-5100 © 1996-2013 1105 Media, Inc. All Rights Reserved.
8609 Westwood Center Drive, Suite 500
Vienna, VA 22182-2215703-876-5100 © 1996-2016 1105 Media, Inc. All Rights Reserved.