“Trying to stay ahead of this curve keeps me up at night,” says Steven Hernandez, CISO of the Office of the Inspector General in the Health and Human Services Department.

The Race Is On to Protect Feds' Laptops and Mobile Devices

Endpoint protection is a priority for security professionals who need to lock down agencies' devices.

Staff who secure laptops and mobile devices never have the luxury of a good night’s sleep. But today’s environment provides more reasons than ever for IT professionals to toss and turn.

New threats — from infected email attachments to vulnerabilities in operating systems — target several types of endpoints at once. In addition, the choice of potential endpoint targets has never been greater; that now includes smartwatches, office lighting systems and connected refrigerators.

The situation has created a never-ending chase to secure agency devices and laptops.

As more smart devices connect to federal networks, more endpoints are vulnerable to attacks. A November 2015 study from Palo Alto Networks shows as many as 44 percent of endpoints are left unprotected.

“Digital innovation is occurring more rapidly than our ability to monitor the security of these environments,” says Steven Hernandez, CISO for the Office of the Inspector General at the Health and Human Services Department. “Trying to stay ahead of this curve keeps me up at night.”

Fortunately, as endpoint threats become more sophisticated, so do resources for defending against them. Security veterans say advances in technologies for identifying and blocking attacks, combined with updated strategies, can give agencies the weapons they need to fight international hackers.

SIGN UP: Get more news from the FedTech newsletter in your inbox every two weeks!

Fully Use Existing Cybersecurity Tools 

Vincent Sritapan, program manager in the Department of Homeland Security’s science and technology directorate, says IT staffs face urgent issues on several fronts, from regulations to cyber sprints. Along with security, “they’re trying to maintain legacy IT and manage IT modernizations,” he says.

But to get the most out of their work, tech professionals should focus on security areas that can have the biggest impact, he says. This means starting with the basics, such as ensuring that anti-virus software is up to date and that IT teams activated all the key security features.

“Organizations often aren’t doing either of these things,” says Jon Oltsik, senior principal analyst with the Enterprise Strategy Group. “They’re ready to move on to new technology when they haven’t fully taken advantage of everything they already own.”

Staff should also regularly review who qualifies for administrative rights. The more users are granted privileges for accessing internal system controls, the more opportunities hackers have to illicitly obtain the information.

“In truth, very few users need those rights to do their jobs, but for historical or political reasons, too many users are given administrator access,” Oltsik says.

For years, encryption has been a go-to strategy for protecting endpoints, but security professionals caution that agencies could be vulnerable if they don’t fully implement the technology. For example, to minimize the number of user passwords, some IT teams limit encryption to specific containers or folders. But this creates a risk.

If hackers install a key logger, they can capture the sign-in information that would give them access to secure containers. In Hernandez’s view, this leaves agencies with one viable option. “The default position should be to encrypt the entire device,” he says.

To avoid password fatigue, the staff at HHS programmed the encryption platform with personal information verification card systems. “With single sign-on, there’s one less thing for end users to worry about,” Hernandez says. “The easiest path for end users to follow is also the most secure one.”

Agencies also want to use the latest mobile device management services from vendors such as IBM, Microsoft, Mobile Iron, Sophos and VMware to lock down mobile endpoints. These applications offer more control in limiting which systems endpoints can access. Many of these services also consider the hardware’s physical location or the sensitivity of the data in their operations.

Virtualization, Whitelisting Help Secure Endpoints 

The advent of bring-your-own-device policies and the wide variety of devices has also overwhelmed security professionals. This makes virtualized desktops an attractive option for enhancing security and easing management challenges.

“With a virtual mobile infrastructure, agencies can create and centrally manage end-user environments from the data center,” Sritapan says. “Also, no data stays resident on the devices.” IT staff can boost security with application whitelisting, which details specific programs that are safe to run on individual endpoints.

Whitelisting provides a proactive approach to securing our endpoints,” says Diane Phan, endpoint division chief at the Defense Information Systems Agency. This technique, offered by McAfee, Microsoft and Symantec, is part of a portfolio of endpoint security resources that has helped the agency reduce the risk of zero-day exploits and threats, she adds.

For help in creating a list of approved applications, Sritapan advises agencies to consult the National Information Assurance Partnership’s Common Criteria Evaluation and Validation Scheme. This public/private sector partnership tests commercial off-the-shelf products against national security standards and publishes its results.

Test Security Risks of New Technologies Iteratively 

Security professionals say an approach influenced by agile development methods offers another solution in an era of rapid innovation. When a new technology arrives, evaluate its security impact in an iterative process.

“Take a series of small steps with tests that use information that can safely be made public if any unexpected gaps exist,” Hernandez says. “Then, when appropriate, agencies can push the risk envelope with increasingly sensitive information, and eventually even critical data. At every step of the way, evaluate what risks the organization would have to accept when using the new technology, and then let the people who would suffer the consequences make informed choices.”

Ryan Donnell
Nov 02 2017