A series of high-profile network breaches illustrate the need for agencies to do the simple things consistently and well; you can't completely stop the breaches, but you can mitigate them, a DHS official says.
A continuing series of high-profile security breaches, capped by reports that the Google Gmail accounts of some government and industry officials have been compromised, illustrates the need for agencies to focus on the basics of cybersecurity, government security officials said June 2.
“Do the simple things well,” advised C. Ryan Brewer, chief information security officer of the Centers for Medicare and Medicaid Services. That includes understanding your network, monitoring it to provide near-real-time situational awareness, and enforcing configuration and patch policies that are prioritized based on vulnerabilities and risk.
The Homeland Security Department has been giving classified briefings on recent attacks to agency CISOs, said Matt Coose, director of the federal network security branch of DHS’ National Cybersecurity Division. He said the advice being given focuses on information security controls that already should be in place.
Coose, one of the speakers at a cybersecurity conference hosted by the Digital Government Institute, said DHS examines breaches to gain insights into new into new attacks and technologies.
“There aren’t very many of them,” he said. Most attacks use familiar exploits against well-known vulnerabilities. Although defenses against existing vulnerabilities and attacks never will be perfect, “you can improve,” he said. “It’s the best you can do.”
Advice offered at the conference focused on federal requirements for continuous monitoring of systems rather than periodic snapshot assessments of status. The problems of implementing continuous monitoring include discovering and identifying network components, and using the data being gathered to deal with risks and improve the enterprise security posture.
Despite the growing sophistication of attacks against high-value targets that have included RSA Security, Oak Ridge National Laboratory, Lockheed Martin, Google and several other government contractors that reportedly have been compromised, the vulnerabilities being exploited usually are well known and have patches available. In the recent spate of attacks, the attackers have evaded the first lines of defense by using phishing e-mail messages to get access to an end-user’s computer, and from there to a network.
Protecting a network against human vulnerabilities is difficult, officials agreed.
“Phishing e-mails are going to get through,” Coose said.
“People will click on them,” Brewer said. “But you can remove the low-hanging fruit and make it tougher for [the attackers] to move around” once inside the system by ensuring that systems are properly configured and patched.
Brewer said CMS had significantly improved its security posture with automated system monitoring, using the nCircle IP360 for vulnerability management.
“We’re scanning daily for almost 40,000 hosts now and we’re still rolling it out,” he said. Using a scorecard for administrators with A-to-F grading gives them incentive to improve patch status.
The Justice Department, which also is implementing enterprise-wide automated monitoring, is beta testing a security status dashboard for its 40 component agencies, said deputy CISO Holly Ridgeway. The dashboard would consolidate data gathered by the department’s security operations center on the software, configuration and connectivity of 20,000 end points on Justice networks.
Coose said that automated network monitoring still is in its first phase.
“Now we are heavily focused on vulnerabilities, and rightly so,” he said, because that is an area in which network administrators can make greater headway in fixing problems. He said that the second phase of monitoring also will look at threats and vectors for delivering attacks to produce a more complete picture of security status.