Vijay Basani is co-founder and chief executive officer of EiQ Networks, a pioneer in simplified security and compliance solutions. He has built successful businesses delivering enterprise-class solutions that transform how organizations identify threats, mitigate risks and enable compliance.
The indictment of foreign generals by a U.S. grand jury highlights the scale and severity of cyber-espionage and attacks on critical industrial and governmental entities. Organizations should theoretically already be in compliance with fundamental security standards outlined in DISA’s Security Technical Implementation Guides (STIGs), NIST Special Publication 800-53, 8500.2, and AR25.2.
However, in their struggle to protect their assets and satisfy government regulations, enterprises and government agencies can easily lose focus. In spite of the continuous monitoring requirements coming into place from DHS, DISA and DoD initiatives, the rollout of solutions has been slow, funding insufficient, and the guidance lacking clarity. To compound matters, there is much hype about new technologies that promise to plug every potential security gap.
While the threat environment remains at a high, continually evolving level, there is no true mandate that requires agencies to implement continuous solutions in a timely fashion. The lack of strict enforcement and timelines means that progress is made mostly on a best-effort basis.
Until government agencies get serious about implementing solutions, they make appealing targets and their critical assets remain at risk. The Verizon Data Breach Investigations Report highlights this sobering truth: almost 90 percent of the attacks could have been prevented if simple security controls had been implemented. Given that government agencies are still dealing with limited resources and budgets are being pulled in a million directions, it is imperative to prioritize. If efforts can be focused, more progress will be made. The common-sense approach would be to prioritize the core infrastructure over the network boundary. Firewalls, IPS and anti-malware systems encircle your core, but cannot provide total protection. If the core is weak, critical assets are at risk.
In light of the increased pressure created by espionage and breaches, agencies might be tempted to invest in “cutting-edge” security technologies that work on the perimeter. A more common-sense approach to mitigate risks more effectively would be for agencies to focus efforts and resources on protecting the core infrastructure where critical data resides. From there, implement common-sense yet stringent controls around access, user rights, user management, system configuration, and data encryption. Inline network technologies are separate from fundamental security controls. Security controls monitor and analyze event data (log and activity data) and state data (configuration and vulnerability state). Security control enforcement should include continuous examination of system settings to ensure they are aligned with the best practices defined by DISA, NIST, CSIS, SANS, etc.
■ Make sure any system that touches the data is properly configured and aligned, in real time, with the right security controls as defined by standards and mandates such as DISA STIGs. Have a mechanism to continuously assess those controls against the standard, find deviations, raise notifications, and take remedial action to correct them. This applies to applications as well as network devices. Continuously automating security control assessment would help government agencies detect weak links in their environment before they are exploited by the bad guys.
■ Make sure the data (e.g., intellectual property) being collected and stored is properly handled and encrypted. User access privileges should be continuously managed.
■ Extend protection to the network layer, where anti-malware, IPS, firewalls and other technologies help protect your network and try to keep the bad guys from creating havoc.
■ Finally, build security into organizational culture. Everyone who connects to your network, from the C-suite to entry-level staff to partners, must truly subscribe to and be aware of security and proper user behavior. Educate them about the potential consequences of, for example, clicking a link that carries a hidden trojan, which is how phishing attacks are usually spread.
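The continuous assessment loop described in the first point above (assess settings against a baseline, find deviations, notify, remediate), as an added illustration that is not part of the original article or any EiQ product: the baseline entries, severity labels and captured snapshot are constructed for the example and are not actual DISA STIG content.

```python
"""Continuous configuration assessment: compare a captured host config against
a hardening baseline and report each deviation with severity and remediation.
Added example; the baseline is constructed, not actual DISA STIG content."""
from collections import namedtuple
from typing import Dict, List

# expected: predicate over the observed value; severity: illustrative label.
Control = namedtuple("Control", "setting expected severity remediation")
# observed is "<missing>" when the setting is absent from the config.
Finding = namedtuple("Finding", "setting observed severity remediation")
# Constructed sshd_config-style baseline (illustrative values only).
BASELINE = [
    Control("PermitRootLogin", lambda v: v == "no", "high",
            "set PermitRootLogin no and reload sshd"),
    Control("PasswordAuthentication", lambda v: v == "no", "medium",
            "set PasswordAuthentication no; require key-based auth"),
    Control("MaxAuthTries", lambda v: v.isdigit() and int(v) <= 4, "medium",
            "set MaxAuthTries 4"),
    Control("LogLevel", lambda v: v in ("INFO", "VERBOSE"), "low",
            "set LogLevel VERBOSE so auth events reach the log collector"),
]

def parse_config(text: str) -> Dict[str, str]:
    """Parse 'Key value' lines, skipping blanks and comments. The first
    occurrence wins, matching how sshd resolves duplicate keywords."""
    settings: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(" ")
            settings.setdefault(key, value.strip())
    return settings

def assess(config: Dict[str, str], baseline: List[Control] = BASELINE) -> List[Finding]:
    """One Finding per control whose observed value deviates. A missing
    setting is a deviation: the compiled-in default may not comply."""
    return [Finding(c.setting, config.get(c.setting, "<missing>"), c.severity, c.remediation)
            for c in baseline
            if c.setting not in config or not c.expected(config[c.setting])]

# Constructed snapshot standing in for a config pulled from a monitored host.
SNAPSHOT = ("# captured sshd_config (constructed)\nPermitRootLogin yes\n"
            "PasswordAuthentication no\nMaxAuthTries 6\n")

def run_once(snapshot: str = SNAPSHOT) -> List[Finding]:
    """One assessment cycle; a scheduler would invoke this continuously."""
    findings = assess(parse_config(snapshot))
    for f in findings:  # notification step: in practice, forward to the SIEM
        print(f"[{f.severity}] {f.setting}={f.observed} -> {f.remediation}")
    return findings
```

Scheduling `run_once` against fresh snapshots and tracking which findings persist across cycles is what turns a one-off audit into the continuous monitoring the standards call for.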
Emphasize creating the right security-conscious environment, have the right policies in place, and measure, analyze, remediate and enforce those policies on a continuous (24-7) basis.