By Lou Manousos, CEO, RiskIQ
After a series of high-profile cyberattacks and data breaches, the cybersecurity posture of the U.S. government has never been more prominent in the public consciousness.
Following President Trump's signing of Executive Order 13800, "Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure," on May 11, 2017, the tools and processes of government security teams will come under even more intense scrutiny.
There’s no doubt that lots of this focus will fall on the modernizing of internal networks including moving to shared IT services and the cloud—and rightly so.
But to comply fully with the order, agencies will still have to deal with a lingering blind spot: thousands of unknown and unmanaged internet-facing assets that are potential inroads for cyberattacks and data breaches.
With ever-changing administrations, projects, and initiatives, the people now responsible for an agency's systems and programs are often not the people who started them.
The result is a digital debris field of assets that security teams don't know they own, and which attackers can target to devastating effect.
This dilemma doesn't affect only agencies: according to the 2017 Verizon Data Breach Investigations Report, more than 75% of the incidents that lead to data breaches originate externally, and almost half of those target unknown, and thus unmanaged, digital assets.
Given this threat landscape, government organizations need to keep visibility outside the firewall in mind while revamping their cybersecurity tooling, because major threats no longer need to traverse the environments they control.
For example, even the hardest, most robust network defenses could not have stopped the very simple phishing email sent to John Podesta, chairman of Hillary Clinton's 2016 presidential campaign, which compromised his personal email account and led to the publication of private communications that shook the political foundation of the U.S.
Phishing remains one of the most efficient ways for threat actors to steal legitimate credentials and gain access to sensitive information, financial details, and critical systems (RiskIQ detected 158,904 phishing incidents a day in 2016), but there is a whole list of threats that never touch the agency's own network at all.
How many .gov websites load compromised third-party components, such as scripts served from a CDN, in their digital supply chain? How many collect PII over connections without a valid, current TLS certificate? How many domains were registered outside the agency's approved process?
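The first two of those questions can be turned into checks that run against a captured page and the certificate a server presents. The following is an added example written for this article, not RiskIQ code or tooling: it parses one HTML document, flags forms that collect PII fields but submit over plain HTTP, flags scripts loaded from hosts outside an allow-list without a Subresource Integrity attribute, and checks a certificate's validity window using the dictionary shape that Python's `ssl.SSLSocket.getpeercert()` returns. The hostnames (`apply.agency.example`, `cdn.example.net`), the sample page, the certificate dates, and the list of PII field names are all constructed assumptions.

```python
import ssl
import time
from html.parser import HTMLParser
from urllib.parse import urlparse

# Input names that usually mean a form collects PII. An assumed starting list;
# extend it with the agency's own data-classification rules.
PII_FIELDS = ("ssn", "social", "dob", "birth", "passw", "email", "phone", "address")


class PageAudit(HTMLParser):
    """Collect forms (with their input names) and <script src> tags from one HTML document."""

    def __init__(self):
        super().__init__()
        self.forms = []      # [{"action": str, "fields": [str, ...]}, ...]
        self.scripts = []    # [{"src": str, "integrity": str | None}, ...]
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._form = {"action": a.get("action") or "", "fields": []}
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None:
            self._form["fields"].append((a.get("name") or "").lower())
        elif tag == "script" and a.get("src"):
            self.scripts.append({"src": a["src"], "integrity": a.get("integrity")})

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None


def audit_page(page_url, html, first_party_hosts):
    """Return human-readable findings: PII forms that submit over plain HTTP, and
    third-party scripts loaded without Subresource Integrity."""
    parser = PageAudit()
    parser.feed(html)
    page = urlparse(page_url)
    findings = []
    for form in parser.forms:
        pii = sorted(f for f in form["fields"] if any(k in f for k in PII_FIELDS))
        if not pii:
            continue
        target = urlparse(form["action"]) if form["action"] else page
        scheme = target.scheme or page.scheme   # a relative action inherits the page's scheme
        if scheme != "https":
            findings.append(f"PII form ({', '.join(pii)}) submits over {scheme}: {form['action'] or page_url}")
    for script in parser.scripts:
        host = urlparse(script["src"]).hostname   # None for same-origin relative paths
        if host and host not in first_party_hosts and not script["integrity"]:
            findings.append(f"third-party script without SRI: {script['src']}")
    return findings


def cert_is_current(cert, now=None):
    """cert is the dict that ssl.SSLSocket.getpeercert() returns for a validated peer;
    only notBefore/notAfter are used. False for an expired or not-yet-valid certificate."""
    now = time.time() if now is None else now
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    return not_before <= now < not_after


# Constructed sample page for a hypothetical agency host (not a real .gov page).
SAMPLE_URL = "http://apply.agency.example/form"
SAMPLE_HTML = """<html><head>
<script src="https://cdn.example.net/jquery.min.js"></script>
<script src="https://cdn.example.net/ui.js" integrity="sha384-abc123" crossorigin="anonymous"></script>
<script src="/static/app.js"></script>
</head><body>
<form action="/submit" method="post">
  <input name="full_name"><input name="ssn"><input name="email"><input type="submit">
</form>
<form action="https://search.agency.example/q"><input name="q"></form>
</body></html>"""
FIRST_PARTY = {"apply.agency.example", "search.agency.example"}

if __name__ == "__main__":
    for line in audit_page(SAMPLE_URL, SAMPLE_HTML, FIRST_PARTY):
        print(line)
```

Against the sample page this reports the SSN/email form posting over HTTP and the jQuery copy pulled from the CDN with no integrity hash, while the script that does carry an `integrity` attribute and the same-origin script pass. In a live crawl the page and certificate come from the fetch itself; the constructed inputs here only stand in for that.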
Because many organizations lack this visibility outside the firewall, the allegations that Russian hackers influenced the 2016 election cycle have led many people to wonder whether federal agencies are prepared to defend their modern attack surfaces.
Because the stakes couldn't be higher, I commend the order's emphasis on agency leadership's responsibility for cybersecurity, which will help make it a top priority. After all, hackers potentially working on behalf of Russia are just some of the many adversaries attempting to disrupt the U.S. government.
As agencies expand their digital footprints across the web, social, and mobile channels, thousands of global adversaries—nation-states, hacktivists, and cybercriminals—do the same, leveraging the same technologies to propagate malware and fool users into giving up credentials and other sensitive information.
The order directs each agency head, effective immediately, to use the Framework for Improving Critical Infrastructure Cybersecurity developed by the National Institute of Standards and Technology (NIST), which organizes basic cybersecurity activities at the highest level into five core functions: Identify, Protect, Detect, Respond, and Recover.
Leaders responsible for these functions should be expected to consider security both on their networks and on the internet beyond their firewalls, enabling their teams to:
- Understand their digital attack surface
- Keep track of how it changes
- Monitor existing, new, and changing assets
- Stay in compliance
Having this kind of visibility requires internet-scale data and automation. What does that look like in practice?
For Security Defenders: In addition to monitoring and protecting the agency's network and perimeter, defenders must continually discover and rediscover the agency's digital footprint and monitor it for changes.
Such vigilance requires current, full internet intelligence across the web, social media platforms, and mobile apps.
Always in discovery mode, defenders should learn of new assets and properties as they appear and be able to assess them immediately for security threats and compliance with government regulations.
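The discover-and-rediscover loop described above comes down to diffing successive inventories of the external footprint and deciding which deltas need a human. The following is an added example written for this article, not RiskIQ's product or code: it compares two daily snapshots of hosts (A records, leaf-certificate fingerprint, CNAME) and raises findings for new hosts delegated to a third party, hosts that now resolve outside the address space the agency manages, changed certificates, and hosts that vanished. The agency zone `.agency.example`, the managed ranges (RFC 5737/3849 documentation prefixes), and both snapshots are constructed assumptions; real snapshots would come from DNS enumeration, certificate transparency logs, and passive DNS.

```python
import ipaddress

# Address space the agency actually manages (constructed; documentation ranges stand in for the real allocation).
MANAGED_NETS = [ipaddress.ip_network("192.0.2.0/24"), ipaddress.ip_network("2001:db8::/32")]
FIRST_PARTY_SUFFIX = ".agency.example"   # hypothetical agency zone

# Two daily snapshots of the externally visible footprint (constructed data).
# Each record keeps the A records, the leaf certificate fingerprint, and any CNAME observed.
DAY1 = {
    "www.agency.example":       {"a": {"192.0.2.10"}, "cert_fp": "fp-3f1a", "cname": None},
    "portal.agency.example":    {"a": {"192.0.2.20"}, "cert_fp": "fp-9b77", "cname": None},
    "old-forms.agency.example": {"a": {"192.0.2.30"}, "cert_fp": "fp-c0de", "cname": None},
}
DAY2 = {
    "www.agency.example":       {"a": {"192.0.2.10"}, "cert_fp": "fp-3f1a", "cname": None},
    "portal.agency.example":    {"a": {"198.51.100.7"}, "cert_fp": "fp-9b77", "cname": None},
    "survey.agency.example":    {"a": set(), "cert_fp": None, "cname": "app.saasvendor.example."},
}


def diff_footprint(old, new):
    """Raw delta between two snapshots: hosts added, hosts removed, and per-host attribute changes."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    changed = {}
    for host in sorted(set(old) & set(new)):
        deltas = [(k, old[host][k], new[host][k]) for k in old[host] if old[host][k] != new[host][k]]
        if deltas:
            changed[host] = deltas
    return {"added": added, "removed": removed, "changed": changed}


def is_managed(ip):
    """True when the address falls inside a range the agency controls (IPv4/IPv6 mismatch counts as outside)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in MANAGED_NETS)


def is_first_party(name):
    return name is not None and name.rstrip(".").endswith(FIRST_PARTY_SUFFIX)


def triage(old, new):
    """Turn the raw delta into findings a defender would act on, in a stable order:
    new hosts first, then changed hosts, then hosts that disappeared."""
    d = diff_footprint(old, new)
    findings = []
    for host in d["added"]:
        rec = new[host]
        if rec["cname"] and not is_first_party(rec["cname"]):
            findings.append(f"new host {host} delegates to third party {rec['cname']}; "
                            "confirm the target is provisioned (a dangling CNAME invites takeover)")
        outside = sorted(ip for ip in rec["a"] if not is_managed(ip))
        if outside:
            findings.append(f"new host {host} resolves outside managed space: {', '.join(outside)}")
    for host, deltas in d["changed"].items():
        for field, before, after in deltas:
            if field == "a":
                outside = sorted(ip for ip in after if not is_managed(ip))
                if outside:
                    findings.append(f"{host} moved outside managed space: {', '.join(outside)}")
            elif field == "cert_fp":
                findings.append(f"{host} certificate changed ({before} -> {after}); verify it was the agency's renewal")
            elif field == "cname" and not is_first_party(after):
                findings.append(f"{host} now delegates to third party {after}")
    for host in d["removed"]:
        findings.append(f"{host} no longer observed; confirm it was decommissioned and its DNS records removed")
    return findings


if __name__ == "__main__":
    for line in triage(DAY1, DAY2):
        print(line)
```

On the sample data the three findings are exactly the cases the text warns about: a survey site someone stood up on a SaaS vendor without telling security, a portal whose DNS now points at an address the agency does not own, and a retired forms host whose disappearance should be confirmed rather than assumed. Every new host also still needs the ordinary TLS and compliance review; this triage only decides which deltas get looked at first.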
For Security Threat Hunters: Threat hunters must be able to investigate and respond to incidents and suspicious events on their network that are linked to external threats.
Most hunters today are plagued by floods of false positives and must sift through the inconsequential to find meaningful threats.
Having an up-to-the-minute, comprehensive knowledge of external threats hastens investigations and the process of triaging incidents and events.
For the Security Operations Center (SOC): While threat hunters may be proactively tracking down clues about internal security issues, the SOC team needs to quickly respond to problems prompted by the SIEM or individual security components.
Again, a surfeit of false positives is a major obstacle, and distinguishing the significant from the insignificant is time-consuming and error-prone. SOC teams can assess only a fraction of their security alerts, and an important security event can easily hide among the alerts they never get to review.
The cybersecurity executive order is a great first step in shoring up the nation's digital infrastructure and protecting it against modern threats. But fulfilling its requirements goes beyond the firewall.
To protect government networks, agencies must be able to discover and monitor assets across all channels, including app stores and portals, social media properties, DNS changes, and web content and destinations.
About the Author
Elias (Lou) Manousos is a recognized expert in internet security and fraud prevention. He has been developing and delivering enterprise protection technologies for more than 15 years. As CEO of RiskIQ, he has spearheaded a new approach that helps internet, financial services, healthcare, media, and consumer packaged goods companies protect their brands from online fraud. He is also co-chair of the Online Trust Alliance (OTA) Anti-Malvertising Working Group and is responsible for Malvertisements.com, the first and only public database documenting malvertising incidents on a continuous basis. Prior to RiskIQ, Elias was VP of R&D at Securant Technologies (acquired by RSA), which pioneered identity and access management for web applications. At Securant, he was instrumental in creating now-commonplace technologies for single sign-on (SSO) security.