Nearing the finish line: What to expect from the cybersecurity sprint
- By Mark Pomerleau
- Jul 07, 2015
In mid-June, in the midst of a number of public and private sector high-profile cyber breaches, U.S. CIO Tony Scott announced a 30-day cybersecurity sprint, instructing federal agencies to immediately address information security and strengthen federal networks.
Now, as the sprint winds up, some wonder whether it will be enough to make a difference. “The cybersecurity sprint … is a good call to action,” Paul Christman, VP of Public Sector for Dell Software, told GCN, but “some of these problems are very, very challenging.” Still, he said, concrete steps must be taken immediately to bolster security down the road.
A few things that are likely to change after the sprint will be greater use of the Einstein 3A tool to scan for signs of attacks. Additionally, Internet-facing systems and applications will be properly patched and updated, and procedures for privileged user access will be revamped, according to a by Andy Kicklighter with Vormetric. “The rest will have to be ‘best efforts,’ reporting and planning,” he wrote.
In addition to the sprint, Scott also announced a Cybersecurity Sprint Team, which will make a 30-review of federal cybersecurity policies, procedures and practices and then make recommendations for a “Federal Civilian Cyberscurity Strategy.”
Among the key principles of that strategy will be protecting data, improving situational awareness, increasing cybersecurity proficiency, increasing awareness, standardizing and automating processes, reducing attack surfaces, strengthening systems lifecycle security, and controlling, containing and recovering from incidents.
While acknowledging that these items are a good starting point, Kicklighter believes that the top priority must be protecting the data that is the target of these attacks. “A detailed discovery process needs to identify where [threatened or targeted data] is, lock down the access to it at both system levels (OS and file systems) and from within applications, and then accounts with data access need to be watched,” he wrote in his blog. “This combination – which is best done with encryption, access controls to encrypted data and then monitoring of access patterns for accounts and users that have this access – is the best first step to take to limit the damage from penetrations to the network that will happen and then stop the extraction of data.”
Another priority is accelerating the implementation of multi-factor authentication, especially for privileged users.
“If you look at every single breach, there’s almost always… a privileged account [that] was compromised,” said Sol Cates, CSO of Vormetric. For Cates, the issue is not necessarily more stringent controls on who the privileged user is but rather on what a privileged user can do. Controls should be designed to mitigate the risk to the information system by certain privileged users and account types – not just the people, Cates said.
And for government, the issues are not always with authenticating the user, but rather with the way the authentication is passed to the applications. Indeed, two-factor authentication is simple enough that it’s even creeping into people’s daily activities.
“If we can do it on gas pumps,” which ask for a ZIP code after insertion of a credit card, “why can’t we do it for massive mainframe databases that contain tens of millions of identities?” Christman asked rhetorically. “The fact of the matter is we can.”
The challenge really becomes passing the two-factor authenticated credentials back to the applications, he said. “It’s the connective tissue between the card and the card reader in a laptop and passing those credentials in a secure manner back to these ugly old applications. That’s the tough mile.”
Going forward, Cates explained that procurement will pose a great challenge, echoing a sentiment expressed by several others in industry. “The procurement vehicles that [agencies] have are still very, very slow to get solutions in or solve the problems.”
While our adversaries are very fast and constantly trying to get behind network defenses, industry is innovating technology to get ahead of adversaries. But government’s procurement processes move much more slowly. “So I think it’s one of the challenges actually has nothing to do with technology, it has to do with how [agencies] acquire technology,” Cates said.
Mark Pomerleau is a former editorial fellow with GCN and Defense Systems.