Experts anticipate that cybersecurity will be just as large of a challenge and a priority for government networks in 2022 as it was last year. Ultimately, as government agencies have embraced digital transformation initiatives that have fundamentally altered how they operate, malicious actors have adopted more sophisticated attack methods and leveraged the increasingly digital nature of government operations to execute more successful and impactful cyberattacks.
With both experience and opportunity, malicious actors have launched several high-profile attacks against critical supply chain infrastructure and shown that every organization should expect to be targeted.
To better understand the state of government networks in 2022, GovCyberHub recently spoke with Chris Roberts, Senior Manager for Sales Engineering and Federal Technology Director at Quest Software.
During our discussion, Roberts, whose career has been dedicated to helping the government safeguard its network security, noted that there are two main threats facing government networks in 2022: fatigue and apathy. “Those two have always been the enemy in any secure environment,” Roberts explained. “Whether it’s a forward base in a war, the literal walls and moat of a castle, or a modern cybersecurity policy for a federal agency.”
This fatigue and apathy are likely to become even more prevalent since cybersecurity professionals are unlikely to have any reprieve from the near-constant threat of cyberattacks. According to Roberts, “Barring any significant breakthrough treaty negotiation with our overseas adversaries, they will continue to barrage us with attacks, whether directly or through their proxies against critical infrastructure.”
So, what can organizations do to build robust government networks in 2022? Thankfully, Roberts has devised four tenets that organizations can adopt when looking towards their future. Each tenet is designed to address the modern challenges and threats facing government IT, and to help revitalize a beleaguered IT industry looking for new ways to combat an ever-present threat.
Thou shall know your data
The first revolves around understanding exactly what data is in your network, and who has the permissions to access it. Government agencies are unique from many other organizations in that they handle, on average, much more sensitive information than others.
This data is often the target of malicious actors, and they have developed ways to gain access by taking advantage of a hybrid work system. “Threat actors today are now keenly aware of what I call the trust factor or getting a potential soft spot to trust their access request,” Roberts told GCH. “That soft spot could be a user or a device or an API, that can be tricked into trusting their fraudulent request for access.”
As a result, phishing attempts against organizations and employees have increased and become more sophisticated: “they’re more intense with their use of social engineering, compromised credentials, and false certificates than ever before.” Roberts noted that even traditional methods of quickly verifying the trustworthiness of websites are no longer satisfactory: “Ironically, anyone can host a ‘secure’ HTTPS site, that lock at the beginning of a URL doesn’t mean it is safe.”
All this means that identity verification will remain one of the most important factors if used properly. It can prevent unauthorized access and reveal suspicious activity when it occurs. “Identity is a core part of any solid perimeter for an organization as users, devices, machines, and APIs all depend on it,” and using Multi-Factor Authentication to validate all network activities and data access requests provides that extra layer of security. “Know your data, if you know where your data is, what it is, and who wants to access it, your organization is that much better,” said Roberts.
Thou shall know your nodes
Tenet two is all about nodes, specifically about understanding how they represent potential threats to the security of the entire system. In a year that was defined by several high-profile attacks, it should be noted that most of them were caused by intrusions from outlying nodes. “Attacks like the Colonial Pipeline breach, the Saudi Aramco breach, and the Stuxnet breach reveal that threat actors can move from a virtual incursion into the physical supply chain, and each had elements of ransomware, data exfiltration, and, most importantly, device compromises,” Roberts said.
These attacks highlighted that cyberattacks can now have broad and far-reaching impacts on the real world, and that government networks in 2022 must address the vulnerabilities that hybrid work presents. “Organizations need to be more offensive when testing their defenses, they need to ping, scan, punch their networks and approach these drills as if you were in a sub under the ocean’s surface and running silent and deep is the difference between life and death.”
Tests like these, according to Roberts, help organizations get an idea about where their nodes are and what they must defend against attacks. Hardening nodes that are likely to be the victim of a phishing attempt or a forced intrusion can mean the difference between a single compromised device and an entire supply chain shut down.
“Some organizations don’t understand which devices are connected to their networks,” Roberts noted, and in such cases “those organizations won’t be able to secure those devices.” However, if they know their nodes, organizations approach their security much more effectively: “with that knowledge, organizations can apply the wisdom of good InfoSec practices and protect what matters most in those environments.”
Thou shall know your APIs
A key part of cloud-native architecture is the use of APIs for data access, identity verification, and network management, and this is good. The use of APIs increases the ability of cloud environments to enable employees to work across the hybrid environment, but it also increases the surface that can be pinged, scanned, and punched by malicious actors. “Using APIs means that organizations need to know not just their device footprints, but also all the interconnections that access the service layers or control planes,” Roberts told GCH.
To understand how far-reaching an organization’s APIs are, Roberts poses these questions as an excellent starting point: “What are you running in AWS? VMs? What is in your Azure environment? What are your partners using and what APIs do they have?” Those questions are especially relevant today as the ramifications of the Log4j vulnerability continue to pose a potential security threat for a wide array of users. “While Log4j was not an intentional hack, it is an example of a vulnerability that can introduce cascading security threats from the entry point of a major network access point on secure servers,” Roberts noted.
All this is to say that APIs are not just useful pieces of software, but highly important parts of modern IT. They are crucial, but they also present an easy threat vector; as such, Roberts notes that security teams need to know what APIs are interacting with their networks. “APIs are hooked into your networks and your critical services depend on them; they must be approached as part of the potential attack surface.”
Thou shall know your users
Finally, users represent one of the few completely uncontrollable variables in a secure system. Roberts notes that many organizations are working to harden their networks, and this has resulted in threat actors looking for other avenues to exploit to gain fraudulent entry. “As penetrating known systems and networks becomes more of a challenge, threat actors will start to expand exponentially to less hardened devices in the IoT space. Simply putting a device behind a firewall without having the means to protect its APIs and access will not be an acceptable InfoSec practice in 2022,” warned Roberts.
Instead, organizations should understand how social engineering efforts have evolved to target users. Often these efforts look for soft spots that allow them to gain even the most tenuous foothold and then explore how to exploit it. Roberts notes that this has already begun to weaken some Multi-Factor Authentication solutions: “in the hybrid environment, mobile numbers are becoming more common meaning that MFAs based on SMS networks have the potential to be compromised.”
To Roberts, government networks in 2022 need to embrace the ongoing push for the zero trust approach to protecting data, nodes, APIs, and even users. “We might be playing whack-a-mole forever,” Roberts said, “but we can put into place more resilient forms of network armor to protect what matters most.” Ensuring that an organization knows its users, and more importantly finds ways to continuously verify their identity, provides that armor.