6 steps to secure systems for sequester
- By William Jackson
- Apr 16, 2013
The details of how the budget sequestration will be implemented and who will be sent home from work and for how long still are being worked out, but it is likely that everyone — including IT administrators and cybersecurity professionals — will share in the pain.
“We do not see any immediate impact” on cybersecurity, said Jody Brazil, president and CTO of FireMon, an enterprise security management company. “In [the Defense Department] we see no impact whatsoever; cybersecurity is still a priority. In the other agencies it is less certain.”
Attorney David Z. Bodenheimer, who heads up the homeland security practice at the D.C. law firm Crowell & Moring, called cybersecurity “one of the last safe harbors from sequestration.” While most other areas are subject to hiring freezes and furloughs, it is one area where hiring is still going on. “But it doesn’t mean cybersecurity will be unscathed,” he said.
Even if IT departments do not take the full brunt of the budget cuts, risk profiles will change as personnel leave, accounts sit unused and workflows shift. Mobile devices in (or out of) the hands of furloughed workers will have to be dealt with, and insider threats from overworked or unhappy employees could increase.
Industry experts offer some advice on how to prepare for the impact.
1. Update systems now
Managing change, configuration and patching on IT systems is always a challenge and is not going to get any easier when furloughs begin.
“These things are not automated to the point where they can withstand the impact” of a reduced workforce, Brazil said.
“These activities will be almost centrally delayed, if not cut from the budget,” Bodenheimer said. “If you don’t have a full team to continue patching, upgrading and monitoring the systems, security is going to be degraded.”
On the positive side, Brazil said the federal government’s focus on cybersecurity has improved over the last two years. But holes in network defenses will continue to be holes. Paying attention to patching and updating now will not necessarily prevent future problems, but it could help make dealing with them less demanding.
2. Establish remote access policies for furloughed workers
Strictly speaking, furloughed employees probably should not be accessing agency networks and accounts. But nobody wants to come back to the office to thousands of unanswered e-mails or to face unprepared some new crisis that has been brewing. “It’s human nature,” said John Bordwine, Symantec’s public sector CTO.
“I would anticipate that even with empty desks, they will continue to check the network from time to time,” Bodenheimer said.
So make it explicit just what is expected of furloughed workers, what is allowed in the way of remote access while off the job and how information will be given to workers during their furloughs. Then put access rules in place to enforce these policies. This should make it easier to keep tabs on who should be and who is accessing resources.
3. Put idle accounts into a protected state
It probably does not make sense to shut down or de-provision accounts that are temporarily idle, but unused accounts can increase risks if not monitored. “Put the accounts in a protective mode,” in a separate domain or router environment so that they can be monitored and managed separately, Bordwine said.
Router and firewall rules can help segregate these accounts, and that segregation can make improper traffic easier to spot when fewer people are around to monitor it. And don’t forget to keep an eye on outgoing traffic as well as incoming, especially for data that is leaving the network. “That should be a red flag,” Bodenheimer said.
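Steps 2 and 3 together amount to two concrete checks: know which accounts belong to furloughed workers so they can be moved into the separately monitored group, and notice when one of those accounts signs in during its furlough window. The script below is an added illustration, not code from the article or from any of the vendors quoted in it. The furlough roster, the log format (timestamp, account, result, source) and the log lines themselves are all constructed for the example; a real deployment would read the roster from HR data and the events from the agency's own VPN, webmail and directory logs.

```python
"""Flag furloughed accounts that are still signing in (added example).

Given a constructed furlough roster and constructed sign-in log lines,
this (a) lists the accounts that should be placed in the protected,
separately monitored group and (b) flags every sign-in attempt by a
furloughed account that falls inside that account's furlough window.
Whether such a sign-in is a policy violation is decided by the remote
access policy from step 2; this code only surfaces the events.
"""
from datetime import date, datetime

# Constructed roster: account -> (first furlough day, last furlough day), inclusive.
FURLOUGH_ROSTER = {
    "jdoe": (date(2013, 4, 22), date(2013, 4, 26)),
    "asmith": (date(2013, 4, 29), date(2013, 5, 3)),
}

# Constructed log lines in an assumed "timestamp account result source" format.
SAMPLE_LOG = """\
2013-04-22T09:14:03 jdoe success vpn
2013-04-23T22:41:55 jdoe failure vpn
2013-04-24T08:02:11 bjones success workstation
2013-04-29T19:30:00 asmith success webmail
2013-05-06T08:00:00 asmith success workstation
"""


def parse_line(line):
    """Split one log line into a dict; the format is an assumption of this example."""
    ts, user, result, source = line.split()
    return {"time": datetime.fromisoformat(ts), "user": user,
            "result": result, "source": source}


def is_furloughed(user, when, roster=FURLOUGH_ROSTER):
    """True if the account is on furlough on the calendar day of `when`."""
    window = roster.get(user)
    if window is None:
        return False
    start, end = window
    return start <= when.date() <= end


def accounts_to_protect(roster=FURLOUGH_ROSTER):
    """Accounts to move into the protected / separately monitored group."""
    return sorted(roster)


def flag_furlough_logins(log_text, roster=FURLOUGH_ROSTER):
    """Return every sign-in event (success or failure) by a furloughed account
    that occurred inside that account's furlough window."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_line(line)
        if is_furloughed(event["user"], event["time"], roster):
            hits.append(event)
    return hits


def summarize(hits):
    """Per-account count of flagged events, for a quick daily review."""
    counts = {}
    for event in hits:
        counts[event["user"]] = counts.get(event["user"], 0) + 1
    return counts


if __name__ == "__main__":
    print("Accounts to place in protected mode:", accounts_to_protect())
    flagged = flag_furlough_logins(SAMPLE_LOG)
    for event in flagged:
        print(f"{event['time'].isoformat()} {event['user']:8} "
              f"{event['result']:8} via {event['source']} (on furlough)")
    print("Summary:", summarize(flagged))
```

Failed attempts are kept in the output on purpose: a furloughed worker repeatedly failing VPN authentication is as worth a follow-up as a successful sign-in, since it may mean a shared credential, a stale device or a locked-out colleague trying to cover the work. The roster-driven window check is also what keeps the report quiet once the employee returns, as the asmith workstation sign-in on the first day back shows.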
4. Adjust workflows
Many jobs are automated, with paperwork and approvals being forwarded digitally to the proper people at each stage of a task. When links of this chain are missing, workflow can be interrupted unless additional workers are given access to others’ accounts, which can create risks. Use temporary delegations in apps to ensure that work keeps flowing without changing permissions for all of the people who are out of the office, said EMC chief security officer Dave Martin.
5. Consider mobile devices
After you determine policies for remote access while off the job, consider what you are going to do about the mobile devices used for this access.
If the agency issues the device, these might be sequestered as well — taken away as the employee leaves for a furlough. That can prevent improper use, but don’t forget that patches and software updates need to be current before the devices reconnect to the network, if this is not done automatically upon connection.
BYOD is a different issue. It’s hard to take away personal devices, so decide whether access will be blocked and what should be done with agency data already on the devices. Wiping and restoring this data could be impractical and time-consuming, but whatever solution is chosen, the burden of managing these devices during furloughs could increase.
6. Remember the insider threat
Threat profiles will change as the work environment changes, and with the increased pressures of forced furloughs the insider threat can increase, through either malicious activity or carelessness.
Unhappy workers assigned additional tasks because of the furloughs can “become somewhat cavalier” in their jobs, increasing the risk of mistakes, warned Tom DeSot, CIO of Digital Defense. Workers dissatisfied with their unpaid leave might also be tempted to take out their frustration by blocking access to resources, changing or deleting information or even stealing data.
In addition to monitoring the perimeter for improper access, administrators will have to remain vigilant for improper behavior inside the enterprise as well, said Martin.
William Jackson is a freelance writer and the author of the CyberEye blog.