3 keys to managing cyber risk in state, county and city agencies
- By David Egts
- Nov 09, 2020
The systemic stresses of COVID-19 have made state and local organizations an easy target for industrious hackers. Earlier this year, city governments urged Congress to provide additional cybersecurity funds in the wake of rising threats. More recently, the Treasury Department issued a warning for businesses and schools to be wary of potential ransomware attacks as risks continued to rise.
These attacks raise a serious question: How can agencies uphold an effective and proactive security posture while balancing all of the other priorities and challenges they’re facing? From remote working to staff shortages, agencies must stay on top of escalating threat levels while making do with less.
Here are three key strategies agencies can employ to navigate through these security challenges and protect the organization.
1. Know what you have
Maintaining an accurate inventory of all applications is the first step in developing a solid security posture. After all, agencies can’t protect what they don’t know they have.
Taking an inventory of approved purchases is relatively straightforward, but the tricky part is identifying software that people have downloaded without going through traditional purchase orders.
While IT managers are likely aware of the dangers posed by shadow IT, they also can’t afford to ignore the potential risk that comes from developers pulling in code from random source code repositories. Even the most sophisticated developers can be tricked by scams like typosquatting, where a bad actor copies a popular library, renames it with a slight misspelling that the developer is unlikely to notice, and adds a backdoor that allows the hacker to install malicious software, including ransomware, cryptocurrency mining tools and a host of other malware.
Relying on trusted library repositories and container registries from commercial vendors can be a safer play. By using curated repositories, such as container health indices, security teams can offer a safer toolset for innovation with components confirmed to be valid and actively developed. This balances security governance with developer productivity by giving developers a vetted toolset they can use to create innovative applications.
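One way to put the "know what you have" advice into practice against the typosquatting scenario described above is to audit a dependency manifest against a curated allowlist and flag names that are only a character or two away from an approved package. The following is an added example, not code from the article or from Red Hat; the allowlist, the package names and the sample manifest are constructed for illustration, and the edit-distance threshold of 2 is an assumption you would tune for your own repository.

```python
"""Audit a requirements-style manifest against a curated package allowlist.

Added example (not from the article). Every dependency name is normalized
and compared with an allowlist standing in for a curated internal
repository: exact matches are "approved", names within a small edit
distance of an approved name are "suspect" (possible typosquat, needs
review), everything else is "unapproved". All names are constructed.
"""
from __future__ import annotations

import re

# Constructed allowlist: the packages the security team has vetted.
APPROVED = {"requests", "urllib3", "cryptography", "pyyaml", "numpy"}

# Constructed manifest with one legitimate-but-unvetted package and two
# typosquat-style near misses mixed in with approved names.
SAMPLE_MANIFEST = """
requests==2.31.0
reqeusts==2.31.0        # transposed letters
urllib3>=1.26
cryptography
python-dateutil         # legitimate, just not on the allowlist yet
nunpy                   # one-character substitution
PyYAML                  # differs from the allowlist only by case
--index-url https://internal.example/simple   # option line, skipped
"""

_NAME_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)")


def normalize(name: str) -> str:
    """PEP 503 style normalization: case-fold and collapse runs of -, _ and . to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insertions, deletions, substitutions)."""
    if len(a) < len(b):
        a, b = b, a
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def parse_manifest(text: str) -> list[str]:
    """Extract bare package names; drop comments, blank lines and option lines."""
    names = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        match = _NAME_RE.match(line)
        if match:
            names.append(match.group(1))
    return names


def classify(name: str, approved=APPROVED, max_distance: int = 2) -> tuple[str, str | None]:
    """Return (verdict, closest approved name or None).

    max_distance=2 is an assumed threshold: it catches single typos and
    adjacent-letter swaps (which count as two edits here) without flagging
    every unrelated short name.
    """
    norm_approved = {normalize(a): a for a in approved}
    n = normalize(name)
    if n in norm_approved:
        return "approved", norm_approved[n]
    closest = min(norm_approved, key=lambda a: levenshtein(n, a))
    if levenshtein(n, closest) <= max_distance:
        return "suspect", norm_approved[closest]
    return "unapproved", None


def audit(text: str) -> list[tuple[str, str, str | None]]:
    """Classify every dependency in a manifest."""
    return [(name, *classify(name)) for name in parse_manifest(text)]


if __name__ == "__main__":
    for name, verdict, near in audit(SAMPLE_MANIFEST):
        hint = f" (close to approved '{near}')" if verdict == "suspect" else ""
        print(f"{verdict:<10} {name}{hint}")
```

Run against a real manifest, "suspect" entries are the ones worth a human look before a build pulls them in, and "unapproved" entries are the backlog for getting legitimate packages into the curated repository.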
2. Use what you have
In addition to not knowing about all of the software being used within their organization, IT managers may not be aware of the security functionality available in the software that they do know about. Software may already include built-in tools for identity management and application allow-listing, which can automatically control which applications are permitted to run on the network. Agencies can create security policies to immediately flag or block non-sanctioned applications.
There are also online capabilities that developers may not have given much thought to pre-pandemic. For instance, instead of needing to requisition a powerful workstation for home office use, which could take a long time given supply chain constraints, developers can instead use a traditional laptop and web browser to write code, just as they would use a browser to compose and send emails. With open source projects like Eclipse Che, all of the heavy lifting of builds and code management is done server-side, which can eliminate the need for a powerful workstation and keep sensitive agency code and data in the government data center.
In short, when taking inventory of the overall software stack, IT managers should be sure to take a close look at all the available features and services. There’s a good chance that much of the technology to protect the agency network is already available in existing tools.
3. Automate what you have
Most cybersecurity incidents are the result of human error. Hackers understand that people are the weakest links in cybersecurity chains, and they will leverage that advantage, particularly during times of high stress and crisis.
Automating security can help minimize the potential for accidents by taking human beings out of the loop. Through processes like infrastructure-as-code and DevSecOps, developers can shift security left so it's an inherent part of their development processes, rather than something tacked on later. Shifting left gives a nod to security being everyone’s responsibility, including DevOps team members. Automating security throughout development can also minimize how long it takes to validate security, which can accelerate getting applications into production.
After applications are deployed, agencies can arrange for systems to scan for anomalies that could present problems -- for example, a misconfigured or unpatched system -- and have those issues automatically remediated. In the event of an intrusion, the system can be quarantined for forensic analysis, and IT staff can quickly provision a fresh, new system to take its place. The new system will already be locked down to spec and ready for production.
Automation is especially powerful today when working in a remote and scaled-back environment. Not only can it help protect networked devices, it can help agencies gain greater efficiencies and cover the security bases so they can spend more time focused on more pressing or strategic initiatives.
It’s very likely local governments and businesses will always be under threat from cyberattacks. The wealth of citizen and customer information they house makes them too tempting a target to financially driven hackers. Agencies should take steps now to protect that information and create a solid security posture that can help fortify the organization for years to come.
David Egts is chief technologist, North America Public Sector, Red Hat.