In today’s digital age, technology is rapidly advancing—making it easier for federal government agencies to better serve their constituents and assist their internal workforces in streamlining and facilitating agency workflows and processes.
However, these technological leaps have created a massive amount of agency data, which is unfortunately creating new attack vectors for malicious cyber actors to breach critical data and information that sit within federal networks and databases.
Since the COVID-19 pandemic shifted a majority of federal employees to remote work, agencies have adopted and implemented various kinds of cybersecurity solutions to protect their sensitive data.
To have a secure environment, agencies must think about how to detect potential cyber threats, create a plan of action to automate a response during cyber attacks, and work out how to properly and efficiently implement these security solutions so they can maximize the cyber posture of their agencies’ networks.
The importance of a cyber crisis management plan
When thinking about the sensitive data that’s held within federal agency databases and networks, it is important to think about the risks that are posed if that data were compromised or lost. Federal agency databases typically hold years’, and sometimes decades’, worth of sensitive data. This can pose a huge threat to federal agencies if that data is accessed by individuals outside of the agency.
When agencies rely on only one form of security protection, it leaves them vulnerable to exploitation by hackers. There are various forms of cybersecurity breaches, but the most common forms include phishing, malware, password attacks, man-in-the-middle attacks, and denial-of-service attacks.
Because of the wide-ranging methods a hacker can implement to access agency data, it is crucial for agencies to develop a cyber crisis management plan. The purpose of this plan is to establish the strategic framework in order to prepare for, respond to, and begin to coordinate recovery from a cyber breach.
The most successful way to protect agency data is to look at the data and account access from both a hacker’s and an agency employee’s point of view. Once the hacker accesses the accounts through phishing, for example, they then become a network user. In order to cover both of these points of view, agencies can perform what is called a penetration test.
A penetration test, also known as a pentest, is where an agency performs an authorized simulated cyberattack on a computer system to evaluate its cybersecurity posture. Agencies are able to check every attack path a cybercriminal may be able to exploit to gain access from within the network.
One thing to remember for any agency, however, is that effective cyber defense is a long game that requires continuous strategic investment.
Six priorities to keep agency data protected from new risks
When implementing a cyber crisis management plan, it’s important to look at the following six key factors in order to keep agency data protected from a cyber attack. These six forms of protection work together as a unified form of defense.
1.) Having a well-configured firewall
When developing a well-configured firewall, agencies must think about what programs are running, the processes that are executed within the system, and how these are communicating with the network.
When looking at a phishing attack for example, the phishing message is sent to the user’s computer and the user clicks on the message—causing this phishing attack to be executed within their system. Now there is something within the user’s system that starts to relay sensitive information back to the hacker.
In this case, the hacker can easily gain all of the user’s information with a simple click. This is why it is imperative to create access blocks to agency programs within the firewall and check that the firewall is not misconfigured.
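The check described above, as an added example that is not part of the original article: a PowerShell script for Windows Defender Firewall that reports the misconfigurations an administrator most often finds (a disabled profile, a default inbound action other than Block, no logging of blocked connections) and adds an outbound block rule for a specific program so it cannot relay data out. It assumes an elevated session with the NetSecurity module; the program path is a placeholder.

```powershell
# Added example (not from the article). Requires an elevated PowerShell session on Windows.

function Test-FirewallProfiles {
    # Walk the Domain, Private and Public profiles and collect human-readable findings.
    $findings = @()
    foreach ($p in Get-NetFirewallProfile) {
        if ("$($p.Enabled)" -ne 'True') {
            $findings += "Profile '$($p.Name)' is disabled"
        }
        if ("$($p.DefaultInboundAction)" -ne 'Block') {
            $findings += "Profile '$($p.Name)' default inbound action is '$($p.DefaultInboundAction)' (expected Block)"
        }
        if ("$($p.LogBlocked)" -ne 'True') {
            $findings += "Profile '$($p.Name)' does not log blocked connections"
        }
    }
    return $findings
}

function Block-ProgramOutbound {
    # Create an outbound Block rule for one executable, unless a rule with that name already exists.
    param([string]$DisplayName, [string]$ProgramPath)
    if (-not (Get-NetFirewallRule -DisplayName $DisplayName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $DisplayName -Direction Outbound -Program $ProgramPath `
            -Action Block -Profile Any | Out-Null
    }
}

$issues = Test-FirewallProfiles
if ($issues) { $issues | ForEach-Object { Write-Warning $_ } }
else { Write-Host 'Firewall profiles are enabled, block inbound by default, and log blocked traffic.' }

# Placeholder path: substitute the program the agency wants kept off the network.
Block-ProgramOutbound -DisplayName 'Block LegacyTool outbound' -ProgramPath 'C:\Program Files\LegacyTool\tool.exe'
```

On domain-joined hosts the profile settings are usually pushed by Group Policy, so a finding here may mean the policy itself needs correcting rather than the host.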
2.) MFA and conditional access
Multi-factor authentication (MFA) is a widely used form of protection that federal agencies use to secure their data. This requires the user to have a two-step form of identification to access an account, computer, or mobile device.
The misconception with this form of user security is that MFA is a failproof way of protecting data. However, this is not the case. If a hacker has access to an agency workstation, for example, they have the ability to access password information that is either stored within the browser or the cookies within that computer—allowing them to bypass the MFA and gain access.
To prevent this kind of access, agencies can implement conditional access policies. These allow agencies to create fine-grained controls over how MFA is applied during authentication to Microsoft services such as Microsoft 365 and Azure.
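As an added example (not from the article), a conditional access policy created with the Microsoft Graph PowerShell SDK that requires MFA plus a compliant device and limits how long a browser session stays valid, so a password or cookie lifted from a workstation is not enough on its own. It assumes the Microsoft.Graph modules are installed and the caller holds the Policy.ReadWrite.ConditionalAccess permission; the excluded break-glass group id is a placeholder, and the policy starts in report-only mode so its impact can be observed before enforcement.

```powershell
# Added example (not from the article). Needs the Microsoft.Graph PowerShell SDK.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess'

$policy = @{
    displayName = 'Require MFA and compliant device for all cloud apps'
    # Report-only first: sign-in logs show what would have been blocked without blocking anyone.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users          = @{
            includeUsers  = @('All')
            # Placeholder: object id of the emergency-access (break-glass) group, always excluded.
            excludeGroups = @('<break-glass-group-object-id>')
        }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    grantControls = @{
        operator        = 'AND'                       # both controls must be satisfied
        builtInControls = @('mfa', 'compliantDevice') # MFA alone is not enough; device must be managed
    }
    sessionControls = @{
        # Re-authenticate every 8 hours and never keep a persistent browser session,
        # which bounds how long a stolen cookie remains usable.
        signInFrequency   = @{ value = 8; type = 'hours'; isEnabled = $true }
        persistentBrowser = @{ mode = 'never'; isEnabled = $true }
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Host "Created policy $($created.Id) in state $($created.State)"
```

After reviewing the report-only results, change `state` to `enabled` to enforce the policy.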
3.) Network segmentation and SMB signing
Network segmentation is a security technique that divides a network into multiple segments, also known as subnets, and each subnet acts as its own small network.
Network segmentation allows greater control over who is allowed to access certain programs, allows the user to set rules within the infrastructure to limit traffic to the network, and reduces security incidents by segmenting one network into multiple networks, making it harder for the hacker to access the entire network.
Creating subnets is a great way of securing data, but it unfortunately still has gaps where hackers can find a way to access data. Network segmentation coupled with server message block signing (SMB signing) is a more successful way of providing data protection.
SMB signing is a feature within Windows that provides authentication and message integrity protection for transmissions using SMB. This provides protection from man-in-the-middle and message relay attacks.
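An added example (not from the article) of verifying and enforcing SMB signing on a Windows host with the built-in SmbShare cmdlets. The distinction it checks is the one that matters against relay attacks: signing must be required, not merely enabled, because an "enabled" endpoint still negotiates unsigned sessions with peers that do not sign. It assumes an elevated session.

```powershell
# Added example (not from the article). Requires an elevated PowerShell session on Windows 8 / Server 2012 or later.

function Get-SmbSigningStatus {
    # Report the signing settings of both roles; a host is usually both a client and a server.
    $server = Get-SmbServerConfiguration
    $client = Get-SmbClientConfiguration
    [pscustomobject]@{
        ServerRequiresSigning = $server.RequireSecuritySignature
        ServerEnablesSigning  = $server.EnableSecuritySignature
        ClientRequiresSigning = $client.RequireSecuritySignature
        ClientEnablesSigning  = $client.EnableSecuritySignature
    }
}

function Enable-SmbSigning {
    # Require signing on both roles so unsigned sessions are refused outright.
    Set-SmbServerConfiguration -EnableSecuritySignature $true -RequireSecuritySignature $true -Force
    Set-SmbClientConfiguration -EnableSecuritySignature $true -RequireSecuritySignature $true -Force
}

$status = Get-SmbSigningStatus
if (-not ($status.ServerRequiresSigning -and $status.ClientRequiresSigning)) {
    Write-Warning 'SMB signing is not required on this host; enforcing it now.'
    Enable-SmbSigning
    Get-SmbSigningStatus | Format-List
} else {
    Write-Host 'SMB signing is already required for both the SMB server and client.'
}
```

In a domain these settings are normally deployed through the "Microsoft network server/client: Digitally sign communications (always)" policies; this per-host check confirms the policy actually landed.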
4.) Whitelisting
A whitelist is a cybersecurity strategy where the user creates a list of email addresses, IP addresses, domain names, and applications that are allowed access to the network while denying all others.
The user is able to deny and block unusual code extensions, MFA bypassing, subnet access, and much more by creating a specific list of who and what is allowed to access their network and data.
5.) Configuration Audit
Much like a pentest, a configuration audit is the process of checking every facet of the network for vulnerabilities that hackers can exploit to gain access to sensitive data.
When performing a configuration audit, it is important for agencies to look at it from a hacker’s viewpoint and identify where they can penetrate and access agency networks and data. Through this viewpoint, agencies should practice shortening the time a hacker is able to stay within the network.
Agencies should also assess and review their old protocols and default settings within the network to see if there are any anomalies. These protocols and default settings could be years old and may be leaving a wide-open gap within the agency’s user security protection.
The more frequently an agency is able to perform audits, the better its chances are of responding to cyber-attacks through its monitoring capability.
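A small configuration audit of the kind described above, as an added example that is not from the article: it reports legacy protocols and insecure defaults that commonly survive for years on Windows hosts (SMBv1, LM/NTLMv1 responses, WDigest plaintext credential caching, LLMNR) and only reports, leaving remediation to the administrator. It assumes a Windows host and read access to the listed registry keys.

```powershell
# Added example (not from the article). Read-only audit; run in an elevated session for complete results.

function Get-LegacySettingFindings {
    $findings = @()

    # SMBv1: obsolete dialect lacking the integrity protections of SMB2/3.
    $smb = Get-SmbServerConfiguration
    if ($smb.EnableSMB1Protocol) { $findings += 'SMBv1 is enabled on the SMB server' }

    # LmCompatibilityLevel below 5 lets the host send LM/NTLMv1 responses, which are weak to cracking and relay.
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
    $lm  = $lsa.LmCompatibilityLevel
    if ($null -eq $lm -or $lm -lt 5) {
        $findings += "LmCompatibilityLevel is '$lm' (not set or below 5; expected 5 = NTLMv2 only)"
    }

    # WDigest with UseLogonCredential = 1 keeps plaintext credentials in LSASS memory.
    $wd = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' -ErrorAction SilentlyContinue
    if ($wd -and $wd.UseLogonCredential -eq 1) {
        $findings += 'WDigest UseLogonCredential=1 caches plaintext credentials in memory'
    }

    # LLMNR: multicast name resolution that can be answered by any host on the local segment.
    $dns = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient' -ErrorAction SilentlyContinue
    if ($null -eq $dns -or $dns.EnableMulticast -ne 0) {
        $findings += 'LLMNR is not disabled (DNSClient\EnableMulticast is not 0)'
    }

    return $findings
}

$findings = Get-LegacySettingFindings
if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Host 'No legacy protocol or insecure default findings on this host.' }
```

Running it on a schedule and diffing the output against the previous run turns a one-off audit into the continuous monitoring the article recommends.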
6.) Monitoring privileged accounts and identity misuse
When looking at service accounts or other accounts that have access to the agency’s network, it is imperative to look at what they are used for. There may be identities within the network infrastructure that have been overused or misused—leaving a window open for hackers to access that data.
Service accounts within the network have access to resources both online and offline. Some of these accounts are known as privileged users and have administrative access to critical information. These users sometimes have more access than an agency realizes, making it critical to know if these user accounts have been used more than they should have.
Agencies should be frequently monitoring their user account activity to make sure there are no anomalies within these accounts, and ultimately, protect themselves against any incidents that could occur from the misuse of these accounts’ credentials.
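An added example (not from the article) of the monitoring described above: it compares service and admin account logons against a baseline of where and how each account is expected to log on, and flags logons from unexpected hosts, unexpected logon types (for example a service account used over RDP) and accounts used more often than their baseline allows. The records are constructed stand-ins for the fields of Security event 4624; in production they would come from Get-WinEvent, and the baseline is an assumption the operator maintains.

```powershell
# Added example (not from the article). Sample events and baseline are constructed, not real data.

# Baseline: hosts each account may log on to, permitted logon types (5 = service, 2 = interactive,
# 10 = remote interactive), and how many logons per day are normal.
$baseline = @{
    'svc_backup' = @{ Hosts = @('BKP01');         LogonTypes = @(5);     MaxPerDay = 4  }
    'svc_sql'    = @{ Hosts = @('SQL01','SQL02'); LogonTypes = @(5);     MaxPerDay = 50 }
    'adm_jdoe'   = @{ Hosts = @('PAW01');         LogonTypes = @(2, 10); MaxPerDay = 1  }
}

# Constructed records mirroring event 4624 fields (TargetUserName, LogonType, WorkstationName).
$events = @(
    [pscustomobject]@{ Time='2024-01-10T02:00'; Account='svc_backup'; LogonType=5;  Host='BKP01'    },
    [pscustomobject]@{ Time='2024-01-10T11:15'; Account='svc_backup'; LogonType=10; Host='WS-HR-07' },  # service account over RDP
    [pscustomobject]@{ Time='2024-01-10T09:05'; Account='svc_sql';    LogonType=5;  Host='SQL01'    },
    [pscustomobject]@{ Time='2024-01-10T09:06'; Account='svc_sql';    LogonType=3;  Host='FS01'     },  # network logon to a file server
    [pscustomobject]@{ Time='2024-01-10T08:30'; Account='adm_jdoe';   LogonType=2;  Host='PAW01'    },
    [pscustomobject]@{ Time='2024-01-10T23:40'; Account='adm_jdoe';   LogonType=10; Host='WS-HR-07' }   # admin from an ordinary workstation
)

function Find-IdentityMisuse {
    param($Baseline, $Events)
    foreach ($e in $Events) {
        $expected = $Baseline[$e.Account]
        if (-not $expected) { continue }   # accounts with no baseline are a separate finding
        $reasons = @()
        if ($expected.Hosts -notcontains $e.Host)           { $reasons += "unexpected host $($e.Host)" }
        if ($expected.LogonTypes -notcontains $e.LogonType) { $reasons += "unexpected logon type $($e.LogonType)" }
        if ($reasons) {
            [pscustomobject]@{ Time = $e.Time; Account = $e.Account; Reason = ($reasons -join '; ') }
        }
    }
    # Volume check: an account used more than its baseline allows is worth a look even if every logon looked normal.
    $Events | Group-Object Account | ForEach-Object {
        $exp = $Baseline[$_.Name]
        if ($exp -and $_.Count -gt $exp.MaxPerDay) {
            [pscustomobject]@{ Time = '(window)'; Account = $_.Name; Reason = "$($_.Count) logons exceeds baseline of $($exp.MaxPerDay)" }
        }
    }
}

Find-IdentityMisuse -Baseline $baseline -Events $events | Format-Table -AutoSize
```

With the sample data this reports the RDP logon by svc_backup, the file-server logon by svc_sql, the admin logon from WS-HR-07, and adm_jdoe exceeding its one-logon-per-day baseline.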