Last month, the worldwide IT community recognized and celebrated Cybersecurity Awareness Month, a time where cyber professionals from around the globe reflected on the cybersecurity landscape from the past year and explored how to make online ecosystems more safe and secure for all who use them.
From the SolarWinds, Kaseya, and Colonial Pipeline attacks, to President Biden’s landmark Executive Order on securing our nation’s cybersecurity infrastructures, this year was full to the brim with lessons to unpack and learn from as we enter 2022.
To examine the past year’s cybersecurity challenges, what lies ahead in 2022, and how federal agencies can best prepare their organizations’ IT infrastructures against rising threats (old and new), the GovCyberHub sat down with Quest’s Federal Technology Director, Chris Roberts.
Here is what he had to say:
GovCyberHub: How has the threat landscape changed and evolved since the last Cybersecurity Awareness Month, one year ago? Are government agencies and private enterprises facing higher cyber risk this year than last year? What has changed?
Chris Roberts: Something that’s changed is the mode of operations that most of us live under. We used to be primarily in what we called “control perimeter zones.” That is, the majority of us worked in offices, so it was very easy to protect those perimeters because we had extensive firewalls, extensive security scanning procedures, badged access, etc. It was a very controlled environment, so there was a well-defined physical perimeter.
“Every time your phone pings to see exactly what Wi-Fi spots are available… it can enter a database where you can go search and see exactly which devices are connected where across the entire landscape. That is very frightening.” – Chris Roberts
Today, the perimeter has changed for most organizations because of remote work. People now work at home, in their cars, at local coffee shops, or wherever they happen to be. And most of us now use devices that are not controlled within the firewalled perimeters of our organizations. That means that we now have a threat landscape that doesn’t just include my device, but every network I attach to.
So fun fact: every time you walk into a public place with a Wi-Fi-enabled connection and your phone is on, your phone pings to see exactly what Wi-Fi spots are available. That means it also potentially records your MAC address, which means it’s in a database somewhere. As a matter of fact, there are databases where you can go search and see exactly which devices are connected where across the entire landscape. That is very frightening.
“We now have to think of the perimeter beyond the typical physical environment of a corporate network, where the network now extends to basically wherever your employee or resource actually happens to be.” – Chris Roberts
So, think of a threat actor. They now have this wealth of knowledge about devices like where they are and how they’ve connected in the past. And that’s one of the dangers of actually having unused Wi-Fi connections on a mobile device, whether it be a laptop, a phone, tablet, etc. Because now they can actually impersonate those networks and gain access to a corporate network, for instance. That’s why you see a lot of organizations now moving to not just VPNs, but containers also. So, your phone, in general, connects. But then on your phone, there’s a container that only has the corporate applications that you’re going to use to access networks.
That’s the biggest change I’ve seen. We now have to think of the perimeter beyond the typical physical environment of a corporate network, where the network now extends to basically wherever your employee or resource actually happens to be.
GovCyberHub: The past year has seen what appears to be an increase in cyberattacks against government agencies and U.S. critical infrastructure. What are the most predominant cybersecurity threats facing federal agencies? What are the motivations of these attackers? And why does it seem like attacks have been more commonplace or more successful against these organizations in the past year?
Chris Roberts: Commonplace is an interesting word. These attacks have been happening since we’ve had networks. I remember when we first designed the internet. On the DARPA, the first communication networks, there was no security on those networks. Those IP addresses were shared by institutions that shared common goals. They were usually educational institutions or military research facilities. There was no need for security because everyone was on the same network.
The minute it became public, where IP addresses, mail servers, and all these things were hosted by ISPs, managed service providers, and now cloud providers like Amazon and Microsoft, security became even more important.
“What threat actors do now is they simply keep databases, whether it be on the dark web or on the open Internet, to see exactly what devices have which vulnerabilities.” – Chris Roberts
“Commonplace” happens simply because of the sheer number of devices that are interconnected. And everything has to have security. Consider the devices in your home, like your Nest thermostat, your smart water sprinkler control system, or your smart TV. Not just the devices you can see, but a lot of things you cannot see have an IP address. They’re commonplace. And attacks are complex because you have all these threat vectors and access points that you can ping and see exactly what the vulnerabilities are.
What threat actors do now is they simply keep databases, whether it be on the dark web or on the open Internet, to see exactly what devices have which vulnerabilities. That’s why we upgrade and update our routers at home. Hint hint, a lot of people don’t do this! But if you don’t upgrade your router and update its firmware, those vulnerabilities have been well published. So long before you realize something needs patching, the threat actors have already used, commercialized, or monetized that.
“That’s why performing even more diligent security practices across your organization becomes even more important. It is no longer just “set it and forget it”… Those methods are no longer just enough.” – Chris Roberts
The real reason that we started to see threats in the public sector and the commercial landscape is not just because of things like ransomware. That’s almost passe at this point. It is now data exfiltration. Hackers don’t just want to get into your network. They want to extract sensitive and important data and use that as leverage to make sure you either pay the ransomware or they use it to gain some commercial, competitive, or strategic advantage over your organization or nation-state.
There’s a lot of financial and geopolitical incentives to contain these types of attacks. That’s why performing even more diligent security practices across your organization becomes even more important. It is no longer just “set it and forget it.” I just can’t install a firewall or call up a vendor or say, “Well, I have two-factor authentication.” Those methods are no longer just enough. It is a combination of an entire zero trust architecture, from endpoint to servers to applications, that protects your endpoint and your entire network across the entire enterprise.
GovCyberHub: It is no secret that federal government agencies and their employees have undergone a mass migration to WFH and remote work settings. Has this exponential spike in remote work created new threat vectors for malicious cyber actors to exploit? And if so, how can agencies protect their IT infrastructures from hackers gaining access to these vulnerable pathways?
Chris Roberts: Let’s say, for instance, you’re a typical knowledge worker working in a remote environment. You’re working on email and documents and typical fare. That’s a significant threat.
The real threat comes now that you have operators and administrators who also work remotely. Think of the Kaseya hack, for instance, where administrative controls were overrun. That means that someone actually wants access to what we call “keys to the kingdom.” Anytime somebody wants to get “God Mode,” they’re going after administrators.
Like I said earlier, the perimeter has changed. Previously, my administrators were behind a firewall and on a physical network or controlled wireless infrastructure where I knew every exact endpoint that was connected. I need the threat vectors of those endpoints. When my administrators go remote, I now have the potential threat where I have to figure out exactly how I am going to do privileged access management, access controls, or privileged session management, that is, to only provide an administrator credential when and if it’s needed. So, like just-in-time credentials to perform a specific task.
“Now that our administrators are also mobile, that’s the real threat to a lot of organizations… how are you going to do privileged access management, and how are you going to do session management for those super user credentials?” – Chris Roberts
And even when they’re doing that specific task, I need to have privileged session management. So only that particular administrator credential and only that particular session can execute the actual actions that need to happen. Whether it’s modifying a group policy in Active Directory or changing ports on a firewall, those types of things are very privileged actions. And then what applications can use those sessions.
So, if I’m just sending an email, that’s a typical SMTP port on a mail server. But what if an application now wants to use that same port to send malicious information or a malicious email, or, worse, malware? That means that I have to manage and control that session, or even in some cases, record the session and monitor the behavioral analytics that are going across the wire.
So, it does change things, and it makes it more complicated. But now that our administrators are also mobile, that’s the real threat to a lot of organizations because they really haven’t thought through not just the simple things like two-factor multi-factor, but also how are you going to do privileged access management, and how are you going to do session management as well for those super user credentials in the organization?
GovCyberHub: There has been a lot of discussion around implementing zero trust frameworks across federal agencies’ IT infrastructures. In fact, zero trust was a predominant theme that came out of President Biden’s cybersecurity EO. How does zero trust differ from other cybersecurity frameworks that the federal government has implemented in the past? Why is zero trust important? And how much progress have federal agencies made in implementing zero trust frameworks?
Chris Roberts: Zero trust is, first and foremost, not a product. You can’t call Quest, Microsoft, Google, or Amazon and say, “Hey, I want that zero trust SKU to deploy my architecture in my network.” That doesn’t exist.
What zero trust does is provide an architecture framework. NIST has been working on this for quite some time. And even before we had zero trust, we had the least privileged access. And before that, we had access control on fixed things like file systems within network servers.
What zero trust does now is extend the model to not just access or control for a specific file. It gives us the ability to say, “Who has access to the network? Who is the person? What is their role? And exactly what privileges should they have based on their role, based on geography, where they are actually physically or virtually located. And what specific functions do they do in the organization?” For some, they are administrators with read/write access to files. Or some are administrators for the payroll application, or they’re administrators within the healthcare network of an organization.
“Zero trust provides security for my identity for endpoints, such as the devices that host that network, whether it’s a mobile phone, a server, a workstation, laptop, tablet, or an IoT device.” – Chris Roberts
So, depending on who I am, I have varying degrees of access to types of data, which plays into something called governance. Governance is, “How do I ensure who has access to what? When did they access it? And what did they access?”
So, zero trust provides security for my identity for endpoints, such as the devices that host that network, whether it’s a mobile phone, a server, a workstation, laptop, tablet, or an IoT device, as well as the data flowing across that network through those devices and moving to the applications themselves, the infrastructure, in general, and the entire network.
Zero trust provides security architecture for everything that will either touch data or manipulate data, and determines exactly when and how someone should access data across the network. It’s a complete architecture. It’s not a product, but a series of solutions from multiple vendors that can provide you with a great zero trust architecture.
GovCyberHub: As 2022 approaches, what cybersecurity challenges do you foresee the federal government facing in the coming year? What should their cybersecurity priorities focus on in 2022?
Chris Roberts: The cybersecurity executive orders have given so much visibility to the issue, and also honestly, the executive orders typically follow the market. When we had SolarWinds, Kaseya, the Colonial Pipeline attack, and the list could go on and on… All of these things brought to the forefront that there are literal threats to not just our society, but things like our supply chain.
“There’s going to be a lot more attention to not just providing basic security but blowing out that zero trust architecture in earnest and making it a requirement across all federal agencies.” – Chris Roberts
When Maersk went down, that was shipping containers. When the Colonial Pipeline shut down, gas lines went around the block on the East Coast in the U.S. And Kaseya impacted networks. So, as we move forward into not just 2022, we must ask what the threat vectors are going to look like in the next one-, five-, and 10-year horizons. Because the stakes are going to get higher and higher.
You have to ask yourself, “How do our competitors actually know how to build products just like we do?” And the competitors can be either other commercial organizations or other nation-states. And then ask yourself, “How did they advance technology the way they do?” And a lot of it has to do with espionage and exfiltration of data.
There’s going to be a lot more attention to not just providing basic security but blowing out that zero trust architecture in earnest and making it a requirement across all federal agencies. It’s now not just the internal networks and the administrators and the professionals. It’s now the awareness of what is your threat to you personally, what is the threat to the organization you work for? And what is the threat to those you love, not just in your family but also in your community?
“Government plays a part, but I believe individuals, smaller institutions, small businesses, and large businesses have to do our part. So, I think the push for the next year and the years beyond is complete cybersecurity awareness for everyone.” – Chris Roberts
Security means enabling people to sleep at night. That means we all have to do our part. And it’s not just government. It’s not just the IT vendor community. It’s the citizens as well. So, we have zero trust for a technical architecture that needs to be some sort of citizen architecture or citizen call to action to make sure everyone understands what the risks are. And every time there’s a breach, every time I get one of those free credit report offers from some vendor because there was a breach, it reminds me that we still have a long way to go.
And yes, government plays a part, but I believe individuals, smaller institutions, small businesses, and large businesses, whether it’s Walmart or Microsoft all the way down to the Kwik-E-Mart, have to do our part. So, I think the push for the next year and the years beyond is complete cybersecurity awareness for everyone who touches a network device or expects data to be available when and if they need it within their societies.