Even though Cybersecurity Awareness Month has ended, it’s important to keep the discussion about securing government networks going year-round.
While the need for cybersecurity has not necessarily changed, the ways cybercriminals operate have become far more sophisticated than ever before. With the ongoing COVID pandemic and the upcoming holiday season likely to keep Federal employees working from home, the attack surface for malicious actors is massive, and the need to secure government networks and data is more important than ever.
To understand more about the threats and challenges facing government agencies and what they can do about them, GovCyberHub reached out to Don Maclean, Chief Cyber Security Technologist at DLT, A Tech Data Company.
A frequent contributor to the GovCyberHub, Don is responsible for formulating and executing DLT’s cybersecurity portfolio strategy and often shares his perspective on government cybersecurity risks and priorities.
Here is what he told us:
GovCyberHub (GCH): Don, we just came out of October and out of Cybersecurity Awareness Month. It goes without saying that cybersecurity is an issue year-round, but looking at the state of the industry at present, what are some of the biggest risks facing the government today?
Don Maclean: The current trend is supply-chain risks. The SolarWinds attack has made that very clear. Those attackers were able to penetrate the supply chain and pollute, or infect, the software that many organizations downloaded as a patch, which meant it was installed on many machines, each of which played a role in extending the hacker’s reach.
This really turned the whole concept of frequent patching on its head. We previously operated under the assumption that keeping your system updated was one of the easiest ways to prevent intrusions. Now we need to have a conversation about what other steps to take.
Another big risk is ransomware, which can really take on many different forms. Sometimes malicious actors simply encrypt their victim’s data; other times they steal data and threaten to release it, which is a gift that keeps on giving since they can just continually threaten to release the data.
There is also the pervasive risk of attacks on the ability of a system to operate. DDoS attacks are particularly egregious when they are brought to bear on healthcare systems, especially now during COVID. Finally, there’s always the perennial phishing attack that works to exploit the weak chain in cybersecurity.
The biggest risks I see are supply chain attacks, but there are still tremendous risks associated with the cyberattacks we have seen many times before. Ransomware, DDoS, all of those can just as easily infect a network through a vector like a phishing attack.
GCH: Would you say that is the order of potential risk? Supply chain first followed by ransomware, DDoS, followed by phishing?
Don Maclean: Yes, though that is more for the government. Ransomware is having a bigger effect on private industry and the general public. But, in the government, by nature of its size, supply chain attacks provide a larger risk.
GCH: Looking out over the last year and a half to two years, we’ve seen many high-profile attacks on both government and industry. Focusing on the public sector, would you say that the government is more vulnerable than it was this time last year? Does the ongoing remote workplace migration explain this in part or in whole?
Don Maclean: Work from home has complicated the cybersecurity picture, and the hybrid model of work looks like it is here to stay at least for the foreseeable future. However, the mandate to start implementing Zero Trust architecture will go a long way to mitigating large numbers of those attacks.
In the hybrid work model, we are removing the physical barrier that is used to help physically separate a network from potential intrusion. In the old “moat-and-castle” approach it was “outside bad, inside good,” which is not how a good cybersecurity plan is implemented anymore. That model was on the way out long before COVID but work from home obviously accelerated that process.
However, that loss of control has opened agencies and organizations up to new potential attack vectors. Something as simple as leaving your computer on can create a vulnerability if an employee’s child comes in and accidentally clicks on a suspicious link. Also, the increasingly sophisticated attack methods that are out there can get into a home network far easier than an office network.
I would say that COVID and the move to remote work have made life very difficult, and cybersecurity is no exception, but the model was already undergoing significant disruption before the pandemic.
GCH: Are there any new or unique attack vectors that Federal agencies or organizations should be aware of?
Don Maclean: We are not seeing anything unique per se, more just exploitation of the situation. We see scams based around COVID, we see increased phishing attempts, ransomware software finding weak spots in home networks, and DDoS attacks on hospitals.
I’m not aware of anything unique now, but these are bad actors; they adjust to their circumstances, and they will exploit whatever they can to find a victim while trying to make some money. They’re criminals, and they will take advantage of any situation they can.
GCH: Looking ahead, what do you recommend that government agencies and organizations prioritize to improve their security stature in 2022?
Don Maclean: Zero Trust. We toss that phrase around a lot and for good reason. A Zero Trust approach assumes that you’re going to be attacked, or you are already under attack. Consequently, I would prioritize incident response knowing that ransomware is likely, a breach is likely, a supply chain attack is likely. Attacks are growing in sophistication and breadth, so being able and ready to respond is a major priority.
Part of that priority is to make sure that any response is effective. Do you have backups? Do they really work? Is there a failover system? I’ve implemented many failover systems in my previous lives that were supposed to work but when the time came and an emergency hit, they failed to perform as intended. Testing a system before needing it can and will save an agency from a large headache one day.
Also, make sure your crucial systems are properly backed up. Everything your agency needs to know and be aware of needs to be ready fast to respond to any inevitable incident. This is part of the short-term application of a Zero Trust approach, but that is more of a long-term strategic goal. An agency can’t just buy Zero Trust; it has to be baked in.
Agencies should prioritize a solid incident response plan and make sure that you can get back in business quickly both in theory and in practice. I encourage everyone to try and “gamify” their incident response in practice. Doing so can help make incident response training a bit more enjoyable for all participants and help them be prepared when the inevitable breach comes.
GCH: How does gamifying the incident response process help an agency prepare for a cyberattack?
Don Maclean: I can’t name the agency, but I worked with one that wanted to nail down their incident response plan. I made the entire rehearsal into a game that helped get people excited for the entire process.
In the past, rehearsal involved a person being sat down in a room and asked a question: “Do you know this number? What do you do in this case?” It was a good way to have people tick a box on a form to say, “Yeah, I was here and I paid attention,” before walking out of the room and forgetting everything they may have just been told.
When we turned it into a game, however, we had a lot more buy-in. We created a board game and we pitted two teams against each other. IT people, stakeholders, anyone who might play a role was invited to play, and we had them compete over who was the fastest to get back online. Everyone got very engaged, and they kept asking to play again and again because they were mad they lost. That’s like an entire building saying, “Can we run that fire drill again? We want to clear the floor faster this time.”
Gamification is a great way to get people engaged in the incident response plan. If an agency is serious about the Zero Trust mentality, if they are serious about having a robust and prepared workforce, if they are serious about their incident response, I’d recommend giving it a try.
GCH: Where can agencies and organizations learn more about what it takes to build a robust cybersecurity plan? Are there any resources that you’d point them towards?
Don Maclean: We’ve already spoken about it a lot, but the Zero Trust approach is significant. There is an executive order mandating its use that outlines all the expectations and deadlines an agency should know about.
Probably the most relevant document, and I’m a bit of a nerd so I know the exact document, is SP 800-207, from the National Institute of Standards and Technology (NIST). It describes how to implement the framework for a Zero Trust architecture. That is a good starting point, but I’d encourage agencies to go deeper.
There is also a Department of Defense document on Zero Trust that is very helpful. It is long and a bit dense, but it is worth reading. The National Security Agency has put out guidance on Zero Trust implementation. I don’t know if it’s still open for public comment at this time, but check that out. Outside the government, you can look at how Google implemented Zero Trust through BeyondCorp, which is a great, real-world application.
I recommend reading and digesting all these other documents and resources and then figuring out how they can all come together. For instance, the NIST document, while it is very good, clear, and straightforward, doesn’t discuss encrypting data in place, which is a critical element of Zero Trust. Take what is best and makes sense to you and find out what fits your security paradigm.
There are a lot of people and entities out there trying to target Federal agencies, but there are always resources, companies, and people like us at DLT that can help prepare them for anything. Reach out to anyone in the cybersecurity industry and they can help; that’s what we’re here to do.