IT modernization is the foundation upon which government security rests. The need for updated and properly integrated systems drives funding requests and agency spending. However, these initiatives may also introduce vulnerabilities by expanding network footprints and creating integration challenges among vendors and services. The advent of the Internet of Things, cloud storage and other external services result in an increasingly blurred network perimeter, making it difficult to apply traditional perimeter-based security controls.
As government agencies increase their digital transformation and modernization efforts, they must choose multilayered security solutions that not only provide an effective defense against modern threats but also keep an eye toward the future. Agencies adopting a defense-in-depth approach to cybersecurity will find themselves well-positioned to combat these future threats.
For example, an agency may wish to harden its endpoints against external intruders while making sure that routine patch management activities close security weaknesses within the network. At the same time, agency cybersecurity teams should monitor user behavior and other patterns of activity on the network, watching for anomalies and outliers that may indicate insider misuse or external attackers.
Here is a rundown of the essential infrastructure elements that agencies can use to create an adaptive cybersecurity strategy.
The Basics Feds Need to Guard Against Sophisticated Threats
Malware protection: As many security threats arrive via malware vectors, agency cybersecurity teams should ensure that they are taking proactive, detective and reactive steps to protect systems against malware-borne threats. These controls should include deploying frequently updated anti-virus protection on servers, endpoints and network gateways. Agencies should also consider the use of advanced botnet and malware detection tools that incorporate threat intelligence information and provide a robust defense against evolving threats.
User training: Cybersecurity starts and finishes with the user. No matter how robust an agency’s cybersecurity controls, a single mistake by an end user can undermine those efforts, providing attackers with access to sensitive information or granting them a foothold on internal agency networks. Combating these efforts requires regular security awareness training that helps users understand the threats facing the agency and their individual role in protecting the confidentiality, integrity and availability of government information and systems. These efforts should include a particular focus on phishing and spoofing attacks.
Network monitoring: Network activity is one of the most important sources of information for cybersecurity teams seeking to maintain situational awareness and identify active threats. Network monitoring activities fit into two major categories: passive and active. Passive network monitoring simply captures network traffic as it travels from point to point and monitors it for unusual activity. Active network monitoring actually manipulates network traffic by injecting test activity onto the network and observing its performance. This also plays an important role in network troubleshooting and performance monitoring.
Network access control: In addition to regularly monitoring network activity, agencies should consider the implementation of network access control technology that regulates devices allowed to connect to the network. NAC technology permits agencies to require user and/or device authentication prior to granting access to wired and wireless networks as well as VPN connections. NAC solutions also provide posture-checking capability, which verifies that a device is configured in compliance with the agency’s security policy before it is allowed on the network.
Feds Can Restrict Access to Agency Networks
Once the basic steps have been implemented, agencies must move to a second layer of security:
Endpoint protection: Once a device is permitted on the network, agency IT teams should ensure that it remains secure over time. Endpoint protection technologies extend beyond traditional anti-virus software to provide additional security tools, including automated patch management and application control. Patch management ensures that the operating systems and applications installed on devices receive current security patches; application control technology limits the software that may run on a device by either blocking prohibited software or only allowing preapproved software.
Next-generation firewalls: Agencies already use network firewalls to build perimeters between networks of differing security levels — in particular, separating an internal network from the public internet. Firewalls operate based on rules that allow administrators to define authorized traffic and block anything that doesn’t match those rules.
Next-generation firewalls (NGFWs) enhance traditional firewall technology by providing administrators with additional flexibility. While traditional firewalls are limited to rules based on network characteristics, such as IP addresses and ports, NGFWs provide additional context, allowing administrators to create rules based upon the identity of the user, the nature of the application, the content of traffic and other characteristics.
Secure web gateways: Malicious websites are a significant source of security incidents. Users are tricked into visiting a malicious link and then either fall victim to password phishing attacks or have malware installed on their systems. Secure web gateways offer a solution to this problem by providing administrators with an opportunity to control the websites visited by network users. They act as a proxy, making requests to web servers on behalf of end users and perform filtering to remove malicious traffic and block access to known malicious sites, preventing users from accidentally harming agency security.
Data loss prevention: Agencies can restrict the flow of sensitive information outside of controlled environments through data loss prevention systems. These systems may reside as a hardware appliance that monitors network traffic, a software solution that resides on endpoints and monitors user activity or a cloud-based solution that filters email and web traffic. DLP technology identifies sensitive information using two primary techniques. The first, pattern recognition, understands the formatting of sensitive data elements such as Social Security or credit card numbers and watches for data matching those patterns. The second approach, watermarking, applies digital tags to sensitive files and then watches for those tags leaving the secure network in an unauthorized fashion.
Internet of Things security: Modern networks are becoming increasingly complex as agencies deploy Internet of Things solutions in support of smart office programs, smart city initiatives and public safety programs. These IoT solutions use a broad network of sensors that require the same monitoring and maintenance as any other networked device. They often contain embedded operating systems that require security patches; left unmaintained, these may serve as access points for intruders. Before deploying any IoT solution, agencies should ensure that they have appropriate security controls in place to segment IoT from other networked devices, controlling access and maintaining a secure operating environment.
Analytics Tools Can Reveal Risks for Agencies
Today’s networks are growing complex enough that even the toughest defenses need backup:
Security analytics: The security infrastructures deployed by government agencies generate massive amounts of information. From anti-virus alerts on endpoints to intrusion alerts on the network, cybersecurity analysts must handle a deluge of information. Security information and event management solutions help manage this problem by receiving and aggregating information from a wide variety of security tools. They also use artificial intelligence and machine learning algorithms to correlate information received from different tools, watching for signs of compromise that might otherwise go unnoticed.
Security assessments and penetration testing: Even the most well-designed security infrastructure experiences issues. From accidentally created firewall rules to undetected software vulnerabilities, unexpected events can create sudden and significant cybersecurity risks. Agency cybersecurity teams should complement existing security controls with a set of security assessment tools designed to continuously evaluate the security of their infrastructure. Vulnerability management systems scan networked devices, searching for signs of vulnerabilities and tracking remediation efforts. Software testing tools watch for critical flaws in production code.
Penetration tests are the ultimate security assessment. During these tests, skilled cybersecurity professionals take on the role of an attacker and seek to break into a network using common hacking tools and techniques. If they gain access, they report back the vulnerabilities that they exploited, allowing agency cybersecurity teams to correct them and lower the risk of an actual attack.
Learn how federal agencies can address the growing threats they face in the CDW white paper, “Managing Cyber Risks in a Public Sector Environment.”