Governmental agencies shouldn’t just rely on installing the latest software and hardware – they should take clear steps in training, process and practice to ensure they’re protected from cyber attacks. Although there is no such thing as one solution fits all when it comes to cyber defence, there are certain steps that every government agency must employ to create a solid foundation on which they can start building their cyber defences.
Government agencies remain in the cross hairs of cyber attackers as hostile nation-states, terrorists, hackers for profit and campaigning organisations (hacktivism) focus on breaching their systems. Government cyber security professionals should always take a holistic approach to managing their defences and response procedures, but there are some key steps which are the building blocks of a strong defence.
Edward Snowden’s data leakage and the WikiLeaks scandal have highlighted the danger of malicious disclosure, but more often than not the threat comes not from deliberate employee sabotage, but rather from ignorance or careless practice. Threats from hostile governments or sophisticated criminal organisations – dubbed ‘Advanced Threats’ by the industry – often use an initial employee mistake to embed themselves in a targeted department, gaining persistent access to a system and becoming increasingly difficult to detect.
So employee mistakes can have implications far beyond the immediate incident. It is therefore vital that all employees, whatever their seniority level, should be given continuous cyber-security awareness and counter-intelligence training, to avoid poor practice and minimise the possibility of a security breach. Employees are the most important part of the information system of an agency, but also its weakest link when it comes to cyber security and defence.
Likewise, public knowledge of software and hardware used in a department’s network should be limited to a few trusted and vetted employees who have a real “need to know”. If hostile actors understand a system’s make-up in advance (as part of their pre-attack recognisance), then they can tailor their attacks to known vulnerabilities, giving them a headstart before they begin probing the system’s defences directly.
This is why it’s also vital to do a constant security vetting, and re-vetting, of outside vendors with access to the system, even if their role is relatively limited. Many times breaches of the vendor’s networks or software and hardware products, lead to breaches of their customer networks and to data exfiltration, and many a time goes undetected by the customer.
Just as knowledge should be compartmented and firewalled, so should software. Patches, updates and fixes can often prove a ‘Trojan horse’ allowing malware to enter the system either causing direct damage, or creating an opening for future exploitation. They should therefore always be deployed in a ‘sandbox’, a virtual space, discrete from the main system which allows new software to be run isolated without risk of contamination of the main network.
Once vetted from the security, compatibility and functionality point of view, the patches or updates should be deployed to the main network in a staged upgrade push that would minimise the possibility of the entire network being down. To avoid unwitting disclosure of information all communications should be end-to-end encrypted – that means not just voice, but texts and files as well, both in transit and at rest.
Crucially, encryption systems should also sit on hardened hardware, the best algorithm in the world won’t preserve your privacy if it’s hosted on an insecure computer, cloud or mobile handset.
Lastly, but certainly not least, government cyber security professionals should constantly test the security of their systems through penetration testing. Knowing your network from the outside will provide invaluable information about the vulnerabilities (and sometimes even zero day exploits) of your systems. This is an ideal role for outside vendors who can bring in some of the best hacking expertise in the world, at far lesser expense than keeping it in-house.
External contractors also have the great advantage of being unbiased by the system; they won’t overlook that crucial vulnerability because that’s how the department has held its data for years, or because it’s due to be resolved in next year’s round of IT upgrades. They bring an honest perspective on how your system works from the outside.
Testing has to be a constant and iterative process: test, analyse, remediate (both through processes and upgrades), then test again.
There’s never a magic bullet to defeating cyber threats, this is a constant battle, but through a combination of training, processes and judicious use of outside expertise government security professionals can help ensure their department doesn’t become the subject of the next cyber attack newspaper headline.
The writer is Senior Vice-President – Technology and Research, DarkMatter.
