The seemingly endless network security battle rages on, but for agencies to properly defend themselves, IT leaders must change tactics and adjust key tools to make progress against external attackers.
Rather than protect weak spots, agencies should remove them. Here are three tips federal IT leaders can follow to reduce their attack surface:
Most agencies already require two-factor authentication. Any agency yet to take that step needs to do so immediately, as simple passwords do not provide adequate protection. Why? The easiest thing for an attacker to steal is a password, allowing them to use lateral movement and privilege escalation to turn a low-level account with no privileges into a domain administrator.
Agency IT leaders can select from a wide range of two-factor systems, but the focus should be on complete coverage of every account rather than on which system is the most secure.
While some experts still debate the overall security two-factor authentication provides, even the least secure two-factor system is miles ahead of the longest password. The reason is simple: Passwords are easy to steal; two-factor authentication isn’t.
But even with two-factor authentication, attacks still happen, including pass-through and theft of soft tokens.
Some IT managers have focused two-factor authentication on high-priority users: executives, privileged IT staff and application managers. With the increasing number of privilege escalation attacks, that’s not good enough. To reduce the attack surface in a meaningful way, agencies must ensure no passwords can ever be used to access the network.
IT managers with Windows systems should also remove local (nondomain) administrator accounts and run periodic password guessing attacks against their own networks. Remember: It takes only a single unprivileged user within a Windows network to compromise everything.
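The local-administrator cleanup above is easier to enforce when it is audited regularly. The following PowerShell script is an added example, not from the article: it assumes WinRM is enabled on the target workstations, the constructed host names are placeholders, and the caller holds local admin rights there. It reports local (non-domain) members of the built-in Administrators group and flags the built-in Administrator account (RID 500) when it is still enabled.

```powershell
# Added example: audit local (non-domain) administrators across Windows hosts.
# Assumes WinRM is reachable and the caller is a local admin on each target.
param(
    # Constructed sample names; replace with real hosts or an AD computer query.
    [string[]]$ComputerName = @('WS-CONSTRUCTED-01', 'WS-CONSTRUCTED-02')
)

$audit = {
    $hostName = $env:COMPUTERNAME

    # PrincipalSource tells local SAM accounts ('Local') apart from domain
    # principals ('ActiveDirectory'); only the former are findings here.
    $localAdmins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
        Where-Object { $_.PrincipalSource -eq 'Local' }

    # The built-in Administrator keeps RID 500 even if it has been renamed.
    $builtin = Get-LocalUser | Where-Object { $_.SID.Value -like '*-500' }

    foreach ($m in $localAdmins) {
        [pscustomobject]@{
            Computer = $hostName
            Account  = $m.Name
            Finding  = 'Local account is a member of Administrators'
        }
    }
    if ($builtin -and $builtin.Enabled) {
        [pscustomobject]@{
            Computer = $hostName
            Account  = $builtin.Name
            Finding  = 'Built-in Administrator (RID 500) is enabled'
        }
    }
}

# Run the audit on every host in parallel; unreachable hosts are reported but do not stop the run.
$results = Invoke-Command -ComputerName $ComputerName -ScriptBlock $audit -ErrorAction Continue

$results |
    Select-Object Computer, Account, Finding |
    Sort-Object Computer, Account |
    Format-Table -AutoSize
```

An empty result set is the desired end state; any row is an account to remove or disable before an attacker can use it as a foothold.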
Core applications, such as enterprise resource planning systems, support both the business and the customer while attracting the majority of attention from IT.
That said, collaboration tools such as file shares, instant messaging, electronic mail and conferencing systems have an amorphous but omnipresent role in every agency and should receive attention as well.
These tools aren’t tied to a line of business or specific task but often serve as great repositories of sensitive information. Because they are not typically monitored carefully by security teams, the tools often fall behind with security updates, making them attractive to hackers.
Large file shares within collaboration tools are particularly attractive to hackers employing ransomware. Agencies should closely monitor any collaboration tool that includes file shares, including both Windows tools and external tools such as Box or Dropbox. The same is true of email and conferencing systems, instant messaging tools and video and audio teleconferencing products. IT managers should look for encryption, strong security models and authentication integrated with enterprise directory systems.
Changing these tools can be challenging — but better control will help reduce social engineering attacks, prevent scavenging by intruders (and malicious insiders), help with regulatory compliance initiatives and improve knowledge management.
Agencies that have already migrated to Microsoft’s Office 365 suite should leverage the platform’s built-in capabilities as much as possible, even if this means giving up some special features. The enterprise focus, integrated unified security model, and modern encryption and auditing all add up to a more secure environment.
Microsoft’s Windows networking has served as a foundation for organizational networks for years. Easing administration with tools such as group policies, an autoconfiguring distributed authentication system, and integrated single sign-on, Windows and the Microsoft domain system have been great enablers for IT.
Those systems also have become enablers for attackers, creating security vulnerabilities. IT managers can reduce the problem, starting with proper configuration and internal firewalls.
Many Windows security vulnerabilities stem from older versions of Windows networking protocols, or from insecure practices tied to those protocols (such as single-part host names). To maintain compatibility, Microsoft leaves these older protocols enabled.
IT managers should follow Microsoft’s own recommendations for secure configuration and root out and eliminate older Windows server and client systems.
Enforcing isolation of critical Windows components and tightly controlling communications flows in data centers with internal firewalls is another way to stem current — and future — bug exploits. Data center firewalls don’t have to be complicated and advanced; they simply have to be fast and reliable.
Critical infrastructure systems in the data center should be behind individual firewall ports, whether virtual or physical, so that all flows in and out are controlled. This applies to domain controllers, name servers, authentication stores, and log servers. It’s true that the organizational crown jewels might be stored in a database server, but if the infrastructure that makes the database work is compromised, then everything is lost.
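One way to put a domain controller behind its own controlled firewall port is to use the host firewall itself. The following PowerShell is an added example, not from the article: the subnets are placeholders, it assumes the rules are applied locally or pushed by Group Policy, and it allows only the standard AD DS service ports from client networks while restricting remote administration to an admin subnet.

```powershell
# Added example: default-deny inbound on a domain controller with explicit allows.
# Placeholder ranges; replace with the real client and admin networks.
$ClientSubnets = @('10.10.0.0/16')   # where domain-joined clients live
$AdminSubnets  = @('10.99.1.0/24')   # jump hosts / privileged admin workstations

# Block everything inbound by default; the rules below are the only openings.
# Built-in allow rules that ship with Windows still apply and should be reviewed.
Set-NetFirewallProfile -Profile Domain, Private, Public `
    -DefaultInboundAction Block -DefaultOutboundAction Allow

# Standard AD DS ports clients need: DNS, Kerberos, RPC endpoint mapper, LDAP,
# SMB, kpasswd, LDAPS, Global Catalog, and the RPC dynamic range.
$adTcp = @('53', '88', '135', '389', '445', '464', '636', '3268', '3269', '49152-65535')
$adUdp = @('53', '88', '123', '389', '464')   # 123 = NTP for Kerberos clock sync

New-NetFirewallRule -DisplayName 'AD DS from client subnets (TCP)' -Direction Inbound `
    -Protocol TCP -LocalPort $adTcp -RemoteAddress $ClientSubnets -Action Allow -Profile Any
New-NetFirewallRule -DisplayName 'AD DS from client subnets (UDP)' -Direction Inbound `
    -Protocol UDP -LocalPort $adUdp -RemoteAddress $ClientSubnets -Action Allow -Profile Any

# Remote administration (RDP, WinRM HTTP/HTTPS) only from the admin subnets.
New-NetFirewallRule -DisplayName 'Admin access (RDP/WinRM) from admin subnets' -Direction Inbound `
    -Protocol TCP -LocalPort 3389, 5985, 5986 -RemoteAddress $AdminSubnets -Action Allow -Profile Any

# Log dropped inbound connections so blocked flows are visible to the SOC.
Set-NetFirewallProfile -Profile Domain, Private, Public -LogBlocked True `
    -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log'
```

Other domain controllers (replication partners) need their own allow rule keyed to their addresses, and the dropped-connection log is where unexpected flows toward the DC show up first.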
Attackers will start with common elements — things found in most organizations, such as Windows domain controllers — long before they start to delve into application servers and database engines. Remove the option for an initial foothold, and the security of everything on top improves.
While agencies may not be able to follow all of these steps, they serve as a guide for rethinking cybersecurity. While much progress has been made in security, government must never stop improving.