Security Clearance: Solution Providers Pinpoint 10 Steps The Government Needs To Take Post-Breach
Security Clearance
In response to one of the largest data breaches in history, which compromised the personal information of more than 4 million federal workers, the White House has ordered federal agencies to ramp up their security efforts. The U.S. Office of Personnel Management, where the breach occurred, told agencies to patch vulnerabilities, use antivirus software, adopt two-factor authentication and limit user access to critical information. In interviews with CRN, top federal solution providers said those are good first steps, but recommended further strategic action down the road to prevent or limit another megabreach. Take a look at some of their security suggestions.
10. Encryption
In the first wave of the breach, hackers gained access to the records for more than 4 million current and former federal employees, and a second related attack exposed security clearance information. Going forward, Jason Hicks, director in the Office of the CISO at FishNet Security, soon to merge with Accuvant and become Optiv Security, recommended the government encrypt critical personnel data, such as that obtained by the hackers. To gain the full level of protection from encryption, DLT Solutions Chief Cybersecurity Technologist Don Maclean said the government should encrypt data in transition, data at rest and make sure keys are protected.
9. Data Segmentation
Security experts agreed that data segmentation, especially of classified data, is a key practice that the federal government should adopt. Even with the best intentions and security practices, companies and the government have to be prepared for malware to get into the network, Unisys Vice President of Security Tom Patterson said. Segmentation is one way to do that.
"By segmenting off the crown jewels, you are able to withstand a breach by containing the loss. Today, segmenting is done easily and effectively with micro-segmentation tools, and they work in data centers as well as clouds," Patterson said.
8. Patch 'Obsessively'
While the White House ordered agencies to patch software vulnerabilities "without delay," Unisys' Patterson recommended taking that to the next level, making sure patches are updated quickly across all levels of infrastructure.
"Every single facet of the enterprise should be patched obsessively, despite it being a pain. Most false entry is still gained via well-known weaknesses in software and configurations, and patches are being created in real time to address them, but they don't do any good if they are not applied quickly," Patterson said.
7. Integrate Cyber And Physical Security
On top of information security additions in wake of the breach, Unisys' Patterson recommended the federal government integrate its physical security strategy with added information security steps. Without integration, Patterson said hackers can exploit the gap to successfully steal identities, live video and more. In particular, Patterson recommended the federal government evaluate integrating its event management solutions, such as SIEM, with its employee ID card systems.
"Enterprises are still too siloed in their approach to security, with logical [cyber] security separated from physical security," Patterson said. "Today’s attackers are exploiting that gap, which informs a new defensive strategy that unites the two towers."
6. User Training
DLT Solutions' Maclean recommended "doubling down" on user training, including making sure that users, technical staff and executive staff are getting comprehensive training on cybersecurity. Maclean said an attack such as one on the U.S. Office of Personnel Management, which he said likely began with a spearphishing attack, could have been prevented with a "truly savvy" workforce. To get that type of education, Maclean recommended not settling for "click-through" training, which he said "dissipates the effect of security training."
5. Extended Security
Building a strong security practice isn't as simple as protecting your own systems. As employees, suppliers and users bring their own systems and devices into the network, Unisys' Patterson said the federal government has to extend its security beyond the four walls of the agency or department. A large part of building that larger security strategy is to understand the system architecture and what pieces could be vulnerable, DLT Solutions' Maclean said.
"Cloud adoption and ubiquitous BYOD are making system boundaries much less tangible than they were just a few years ago," Maclean said. "Understand the impact of these new boundaries."
4. Secure Application
As the security clearance process moves to an online application system, FishNet Security's Hicks said the federal government should change to a one-way system, which would move the data to a holding location before brought to a classified network and deleted. By doing that, Hicks said the federal government could avoid storing the security clearance data on an unclassified network.
Look Beyond Compliance
Just because an organization is compliant doesn't mean it is secure, DLT Solutions' Maclean said. Maclean recommended tossing out audit and assessment results, and instead actively looking for obvious and hidden vulnerabilities.
"Just because your FISMA [Federal Information Security Management Act] score is 'in the green' doesn't mean your agency is safe from attack," Maclean said. "Any organization can suffer a breach."
Automated Incident Response
In the wake of the breach, DLT Solutions' Maclean recommended the federal government implement more automated tools for breach detection and response. By doing that, Maclean said the government can fill in the gaps in staffing and enhance security performance overall.
"Hackers work around the clock, but too often incident response personnel are not on duty when an intrusion hits," Maclean said. "Even if you have a 24/7 staff, these tools are much more reliable and effective than humans."
Multifactor Authentication
The White House's recommendations included starting to use multifactor authentication. FishNet Security's Hicks reinforced that as a best practice for accessing federal employee data. On top of that, for all security-clearance-related data, Hicks said the government should also use strong multifactor authentication as well as restricting access to the federal network for classified information.