It’s no exaggeration to say that cybersecurity has never been a higher priority for federal agencies.
Threats such as ransomware and threat actors such as adversarial nation states have agencies concerned about their data privacy and business continuity. New executive orders and increased public scrutiny further raise the stakes of hardening systems, networks and data repositories.
But while the threat of the day may change, the fundamentals of cybersecurity do not. Implementing and maintaining basic security hygiene can go a long way in protecting information assets, regardless of attack or attacker.
How do you overcome cybersecurity anxiety and lean into a plan? Here are five steps you can take to protect your agency for today and tomorrow:
1. Recognize real threats.
The news media tends to promote the latest threat. This can divert attention from real security priorities. For example, ever since ransomware forced the Colonial Pipeline to shut down in May 2021, agencies have been concerned about this type of attack. But ransomware is just a payload. The same tools and best practices that protect against a wide range of threats also protect against ransomware. With the right armor, ransomware is just another arrow to deflect.
Similarly, some cybersecurity vendors have created undue fear around zero-day vulnerabilities. A zero-day is a newly discovered vulnerability for which no patch is yet available. While zero-day threats continually emerge, they are not as common as many believe. Reports suggesting that a large number of breaches result from zero-day exploits, for example, typically include malware variants that antivirus software doesn’t yet recognize. But that’s not the same as a zero-day vulnerability.
The solution is to keep apps and protections up to date. Patch the software as soon as updates are available, and the risk of succumbing to a zero-day exploit will be reduced.
2. Control what you can.
You cannot prevent cybercriminals from developing and using new weapons. But you can control cybersecurity more than you think.
Many attacks succeed largely because victims fail to effectively lock the doors to their digital buildings. Defense-in-depth basics like user training, access management, encryption, and patch management offer excellent value for money and thwart the majority of attacks.
The Cybersecurity and Infrastructure Security Agency (CISA) analyzed thousands of security vulnerabilities and found that many resulted from poor cloud configurations, unmanaged ports, and lax policies. In response, it published a Cloud Security Reference Architecture with recommendations for protecting data in the cloud.
The takeaway? The greatest risk does not lie in a new vulnerability or a zero-day attack, but in a lack of basic precautions regarding patches, layered security and appropriate configurations.
3. Pick the low-hanging fruit.
Practice good security hygiene. For example, develop and maintain robust security policies. Apply strict rules regarding removable media. Train users to avoid phishing scams. Take advantage of multi-factor authentication. Monitor network traffic flows. Quickly implement security patches across all apps and devices. Too many organizations leave gaps in one or more of these areas.
Plus, deploy threat monitoring for a real-time view of your environment. Cybersecurity vendors offer threat monitoring as a service at a reasonable cost. CISA also provides timely alerts on security issues as well as automated cyber threat indicators. Most computer systems have event logging capabilities that indicate potentially suspicious system activity. Make sure event logging is enabled. Just as important, make sure you have a process for acting on the threat intelligence you capture.
Finally, your agency should move towards a zero-trust security approach. With zero trust, users and devices are not trusted by default. Instead, every user or device is verified each time it attempts to access a system or data. The National Institute of Standards and Technology has published guidelines on achieving a zero-trust architecture.
4. Understand your operating environment.
Make sure your IT team fully understands your environment. The team should know where your defenses are strongest, and it must continually monitor and test for weak points. This will give you a clear advantage over attackers.
It’s hard for attackers to get the information about your systems that your IT team already has. They must probe systems or find an entry point and move laterally. Either way, your security professionals can track this activity. And the better they know your operating environment, the more they will have the upper hand.
Similarly, you need to understand your digital supply chain. Hardware, cloud environments, cloud-based services, and commercial software all involve things that originate or exist outside of your organization.
Enterprise open source solutions can also build trust in your digital supply chain because they combine the innovation of the open source community with the robust quality assurance of established IT vendors.
5. Think like an attacker.
Finally, to effectively thwart attacks, you need to think like an attacker. This requires a change of mentality.
When your team designs a system or develops an application, it aims for a specific result: to optimize an internal process or provide a new service. Cybercriminals have a very different goal. They try to break your system or access data they are not authorized to see.
Thinking like an attacker can help you uncover hidden weak points. For example, when your development team builds an application, they consider the typical inputs that will lead to the desired output. But for strong security, it’s also worth imagining improper inputs: all the ways a cybercriminal might try to gain access, move around your network, and steal data.
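As an added illustration of what "imagining improper inputs" looks like in a development team's own tests (this is example code, not from the article or its author), the Python snippet below contrasts a happy-path file-name handler with a hardened one and runs both against a short list of constructed attacker-style inputs. The upload directory, the length limit and every input value are assumptions chosen for the example.

```python
"""Happy-path tests versus attacker-style inputs for a file-name handler.

Constructed scenario: an application stores uploaded files under
UPLOAD_ROOT using the name the client supplies. The happy-path list holds
the inputs a developer normally thinks of; the attacker list holds the
kind of improper inputs worth imagining before the code ships.
All names and paths below are assumptions for this example.
"""
import posixpath
from typing import Optional

UPLOAD_ROOT = "/srv/uploads"   # assumed upload directory
MAX_NAME_LEN = 64              # assumed policy limit on file-name length

# Inputs the development team would typically test with (constructed).
HAPPY_PATH_INPUTS = ["report.pdf", "q3-budget_v2.xlsx"]

# Improper inputs an attacker might try (constructed, illustrative only):
# path traversal, absolute path, embedded NUL, dot entries, hidden files,
# over-long names, backslash separators and an empty name.
ATTACKER_INPUTS = [
    "../../etc/passwd",
    "/etc/shadow",
    "report.txt\x00.jpg",
    "..",
    ".ssh",
    "a" * (MAX_NAME_LEN + 1),
    "evil\\name.txt",
    "",
]


def naive_target(name: str) -> str:
    """Happy-path logic: trust the client-supplied name as-is."""
    return posixpath.join(UPLOAD_ROOT, name)


def safe_target(name: str) -> Optional[str]:
    """Hardened logic: accept only a plain, bounded file name.

    Returns the full target path, or None when the name is rejected.
    """
    if not name or len(name) > MAX_NAME_LEN:
        return None
    if "\x00" in name or "/" in name or "\\" in name:
        return None
    if name in (".", "..") or name.startswith("."):
        return None
    if not all(ch.isalnum() or ch in "-_." for ch in name):
        return None
    return posixpath.join(UPLOAD_ROOT, name)


def escapes_root(target: str) -> bool:
    """True if the normalized target lies outside UPLOAD_ROOT."""
    resolved = posixpath.normpath(target)
    return not (resolved == UPLOAD_ROOT or resolved.startswith(UPLOAD_ROOT + "/"))


def audit(names):
    """For each name, report whether the naive handler escapes the upload
    root and whether the hardened handler accepts it."""
    return [(n, escapes_root(naive_target(n)), safe_target(n) is not None) for n in names]


if __name__ == "__main__":
    for name, naive_escapes, safe_accepts in audit(HAPPY_PATH_INPUTS + ATTACKER_INPUTS):
        print(f"{name!r:28} naive_escapes_root={naive_escapes!s:5} safe_accepts={safe_accepts}")
```

The point is the second input list: the happy-path cases pass both handlers, but only the traversal and absolute-path cases make the naive handler write outside the upload directory, and the hardened handler rejects every entry in the attacker list. Keeping such a list in the test suite makes "think like an attacker" a repeatable check rather than a one-time review.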
Some agencies hire experts specifically for this task. A “red team” can identify potential attack vectors before a system is designed, rather than adding protections after weak points are integrated. This is a key goal of DevSecOps, an approach to application design and development culture that embeds security as a responsibility throughout the IT lifecycle.
Cyberattacks won’t go away, but they’re not the boogeyman they often appear to be. With robust security hygiene and a zero-trust mindset, you can effectively protect your information and prevent more of those sleepless nights.
Michael Epley is Chief Architect and Security Strategist, North American Public Sector, for Red Hat.