In our last article on the GovCyberHub, we featured part one of our two-part Cybersecurity Awareness Month-focused conversation with Tina Thorstenson of CrowdStrike. Tina is acutely in tune with the cyberthreats facing public sector organizations, as she previously served as the Deputy CIO and CISO at Arizona State University.
In part one of our discussion, we talked about the threats that government organizations are facing today and if public sector organizations are safer this year than they were in October of last year.
In the second part of our conversation, we talk about some of the ways in which cyberthreats are leveraging the ongoing COVID pandemic and other world events to launch cyberattacks, and Tina shares five key steps that government organizations should be taking this Cybersecurity Awareness Month to protect themselves and their data.
Here is what she had to say:
GovCyberHub (GCH): In our last discussion, I asked if agencies were more secure this year, and you responded that it’s hard to tell because – while cyber postures are improving – cyber threats are evolving and leveraging some of the unique situations we’re facing today. What cybersecurity challenges are public sector organizations facing this Cybersecurity Awareness Month that may be new or unique?
Tina Thorstenson: We’re in uncharted territory. Adversaries are keenly attuned to our environments and they’re after one of a few different things – money, distraction, credentials, or intellectual property. The uncertainty, fear and confusion in today’s environment can be leveraged to get access to critical systems.
For example, as the COVID-19 pandemic moved across the globe, we could see the threat levels increasing and moving in lockstep with the progression of the pandemic. Another example is the ongoing presidential election, which offers more opportunity for attacks and misinformation and disinformation campaigns that cause distraction.
People are concerned about these things, and they’re looking for reassurance and information. This need for information can be leveraged by adversaries, who will stand up malicious sites or send malicious links to individuals looking for updates and guidance on these important health and societal issues.
To combat this, it’s increasingly important that every new technology we roll out includes security from the start. If you look at applications development, we’ve seen the evolution of DevOps to DevSecOps, and there’s a reason why security is in the middle. It’s essential to have that included in the process from the start and throughout.
It’s also essential for organizations to discuss what is happening to them and how it is happening so that internal teams and individuals have the much-needed context to combat the next threat. Additionally, we need to share externally so we can learn together as an industry and get better. It’s important that we’re sharing information in real-time.
GCH: Looking forward, what are some of the things that government organizations should be looking to change or implement in the coming year to help make them more secure? What should their security priorities be in 2020-2021?
Tina Thorstenson: There are five things organizations can focus on that I believe are paramount right now. First off, focus on IT health and visibility – or what some call hygiene. It’s a simple idea that involves knowing what your assets are and who is trying to access them. If you don’t know what all of your assets are, it’s impossible to take steps to secure them. It all starts with visibility.
Next, embrace two-factor authentication (2FA) for all user accounts across the organization. This simple point can get agencies out of a lot of trouble by mitigating potential attacks before they even start.
Third, look for ways in which to simplify technology architectures. There are emerging next-generation players in the technology and cybersecurity markets with solutions and technologies that can enable organizations to manage, secure and handle their infrastructures differently and more efficiently than was possible in the past.
These technologies allow them to secure their infrastructure with fewer solutions, which means less complexity and fewer things to integrate. In my role as CISO at ASU, I was overseeing 60+ different systems and applications, all with a security component requiring far more coordination than was optimal. Adopting an IT simplification initiative, which we did to help reduce complexity in solutions and vendors, is critical.
Fourth, train your people. These are not just technology issues; these are issues that require people to effectively mitigate. Tell stories of what worked and what didn’t so your team and everyone in your larger community can learn and adapt.
Finally, leverage frameworks. Pick your favorite, from the NIST frameworks to the CMMC (Cybersecurity Maturity Model Certification) framework. CMMC is not a net-new concept in terms of controls, but rather a new layer that aggregates many of the things many love about NIST or alternative frameworks, and then adds a third-party assessment to help organizations understand their current level of maturity.
GCH: Are those priorities universal across the entire government, or are they different based on the government sector? For example, how are those priorities similar or different between civilian federal agencies and, say, military organizations?
Tina Thorstenson: For the most part, these are universal priorities. Any adjustments to these across the government, and from organization to organization, really come down to their appetite for risk, which – in a perfect world – is proportionate to their maturity. Obviously, the agencies that have implemented 2FA have checked that box – they’re done. But these five priorities still stand true across all sectors of the government and across all organizations – public or private sector.
GCH: CrowdStrike recently released its 2020 Threat Hunting Report. What does this report include? Is there a particular takeaway or insight from the report that would be interesting to government agencies or other public sector organizations?
Tina Thorstenson: This is a particularly fascinating report from our OverWatch analysts. Our OverWatch analysts uncovered and reconstructed real-world adversary activities and motivations. This CrowdStrike team was able to help organizations prevent more than 41,000 potential breaches in the first half of 2020 alone.
I think that one of the key findings for this year is that “hands-on keyboard” intrusion activity exploded in the first half of 2020, surpassing activity seen in all of 2019.
The second key finding was that eCrime increased in volume and reach. The effects of the pandemic, which presented an expanded attack surface as organizations rapidly adopted a remote workforce model, created opportunities for adversaries to exploit the pandemic concerns through pandemic-themed social engineering strategies.
Finally, the report illustrates that intrusions are on the rise for many industries, including academia and healthcare – which should be of concern for organizations in those industries.
For additional information about the cyber threats facing public sector organizations, click HERE to download a complimentary copy of the 2020 Threat Hunting Report.
Five Steps to Take for Safer Government Networks This Cybersecurity Awareness Month
