Threat identification, continuous monitoring and security training will help the Defense Department mitigate its cybersecurity vulnerabilities.
An early 2019 report from the Defense Department Office of Inspector General revealed just how difficult it’s been for federal agencies to stem the tide of cybersecurity threats. Auditors found that although DOD has made significant progress toward bolstering its security posture, 266 cybersecurity vulnerabilities still existed. While some of these vulnerabilities are decades old, the majority have only been discovered within the past year -- a sure sign of rising risk levels.
The report cited several areas for improvement, including continuous monitoring and detection processes, security training and more. If the Pentagon is to successfully patch its vulnerabilities and get ahead of escalating threats, it must take action in each of these areas.
Here are three strategies DOD can use to tackle those remaining 200+ vulnerabilities.
1. Identify existing threats and vulnerabilities
The OIG said DOD had been able to implement corrective action on previously identified weaknesses, indicating it has been able to identify and address vulnerabilities that once plagued its networks.
Being able to do so effectively will become more difficult, however, as the number of devices and cloud-based applications on defense networks continues to proliferate. DOD is just as susceptible to shadow IT -- users downloading and using unsanctioned applications -- as any enterprise. And although government IT managers have gotten a handle on bring-your-own-device issues, a large number of undetected devices are still used on DOD networks. For example, the OIG report cited some armed services organizations that were unable to completely account for all the digital devices on their networks.
Scanning for applications and devices outside the control of IT is the first step toward plugging potential security holes. Apps like Dropbox and Google Drive may be great for productivity, but they could also expose the agency to risk if they’re not security-hardened. The IT team must be aware of their presence on the network so they can be properly scanned and monitored.
The next step is to scan for hard-to-find vulnerabilities. The OIG report called out the need to improve “information protection processes and procedures.” This includes keeping track of changes made to the system and making sure those changes are properly implemented. Most vulnerabilities occur when configuration changes aren’t properly managed. Automatically scanning for configuration changes and regularly testing for vulnerabilities can help ensure employees follow the proper protocols and increase the department's security posture.
2. Implement continuous monitoring, both on-premises and in the cloud
Once these baseline processes are established, DOD should continuously monitor its IT systems. While the OIG report specifically stated that DOD must continue to proactively monitor its networks, those networks are becoming increasingly dispersed. It’s no longer just about keeping an eye on in-house applications; it’s equally important to be able to spot potential vulnerabilities in the cloud.
DOD IT managers should go beyond traditional network monitoring -- checking for anomalies and potential red flags on their own networks -- and look more deeply into the cloud services they use. The ability to see the entire network, including destinations in the cloud, is critically important, especially as DOD becomes more reliant on hosted service providers. This expanded monitoring will help ensure data remains secure while in flight and at rest.
3. Establish ongoing user training and education programs
Finally, a well-trained user can be the best protection against vulnerabilities, making it important that DOD implement a regular training cadence for its employees.
Certainly, this strategy pertains to IT professionals at the security frontlines. For them, the training might mean a weekly scrum to discuss the latest security threats uncovered and network activity or changes. More formal quarterly trainings could inform teams of new security protocols and processes.
But training shouldn’t be relegated to just the IT team. A recent study indicates insider threats pose some of the greatest risk to government networks. As such, all employees should be trained on the agency's policies and procedures and encouraged to follow best practices to mitigate potential threats. The National Institute of Standards and Technology provides an excellent guide on how to implement an effective security training program.
When it comes to cybersecurity, DOD has made a great deal of progress, but there’s still room for improvement. By implementing these three best practices, DOD can build on what it has already accomplished and focus on improvements.