Creating a cyber fortress to defend the nation
09 Jul 2016
Governmental agencies and departments shouldn’t just rely on installing the latest software and hardware; they should take clear steps in training, process and practice to ensure they’re protected from cyber attacks. Although there is no such thing as a one-size-fits-all solution when it comes to cyber defence, there are certain steps that every government agency must employ in order to create a solid foundation on which it can start building its cyber defences.
Government agencies remain in the cross hairs of cyber attackers as hostile nation states, terrorists, hackers for profit and campaigning organisations (hacktivists) focus on breaching their systems. Government cyber security professionals should always take a holistic approach to managing their defences and response procedures, but there are some key steps which are the building blocks of a strong defence.
Edward Snowden’s data leakage and the WikiLeaks scandal have highlighted the danger of malicious disclosure, but more often than not the threat comes not from deliberate employee sabotage but from ignorance or careless practice. Threats from hostile governments or sophisticated criminal organisations, dubbed “Advanced Threats” by the industry, often use an initial employee mistake to embed themselves in a targeted department, gaining persistent access to a system and becoming increasingly difficult to detect. Employee mistakes can therefore have implications far beyond the immediate incident. It’s vital that all employees, whatever their level of seniority, are given continuous cyber-security awareness and counter-intelligence training, to avoid poor practice and minimise the possibility of a security breach. Employees are the most important part of an agency’s information system, but also its weakest link when it comes to cyber security and defence.
Likewise, knowledge of the software and hardware used in a department’s network should be limited to a few trusted and vetted employees who have a real “need to know”. If hostile actors understand a system’s make-up in advance (as part of their pre-attack reconnaissance) then they can tailor their attacks to known vulnerabilities, giving them a head start before they begin probing the system’s defences directly. This is why it’s also vital to carry out constant security vetting, and re-vetting, of outside vendors with access to the system, even if their role is relatively limited. Breaches of a vendor’s networks, or of its software and hardware products, often lead to breaches of its customers’ networks and to data exfiltration, and these frequently go undetected by the customer.
Just as knowledge should be compartmented and firewalled, so should software. Patches, updates and fixes can often prove a “Trojan horse”, allowing malware to enter the system and either cause direct damage or create an opening for future exploitation. They should therefore always be deployed first in a “sandbox”: a virtual space, discrete from the main system, which allows new software to be run in isolation without risk of contaminating the main network. Once vetted from the security, compatibility and functionality points of view, the patches or updates should be deployed to the main network in a staged upgrade push that minimises the possibility of the entire network being down.

To avoid unwitting disclosure of information, all communications should be end-to-end encrypted. That means not just voice, but texts and files as well, both in transit and at rest. Crucially, encryption systems should also sit on hardened hardware: the best algorithm in the world won’t preserve your privacy if it’s hosted on an insecure computer, cloud or mobile handset. In a future blog we will discuss the building blocks of end-to-end encryption, the difference between link encryption and end-to-end encryption, the use of perfect and future forward secrecy for encryption of data and communication in transit and at rest, geo-fencing of data, and the use of ephemerality to help control where and when classified communication and data can be accessed.
Lastly, but certainly not least, government cyber security professionals should constantly test the security of their systems through penetration testing. Knowing your network from the outside will provide invaluable information about the vulnerabilities (and sometimes even zero-day exploits) of your systems. This is an ideal role for outside vendors, who can bring in some of the best hacking expertise in the world at far less expense than keeping it in-house. External contractors also have the great advantage of being unbiased by the system; they won’t overlook that crucial vulnerability because that’s how the department has held its data for years, or because it’s due to be resolved in next year’s round of IT upgrades. They bring an honest perspective on how your system works from the outside. Testing has to be a constant and iterative process: test, analyse, remediate (both through processes and upgrades), then test again.

Next time we will continue the discussion of recommended steps for government agencies in setting up proper cyber defence mechanisms and procedures, working towards cyber immunity from attacks. We will tackle multi-factor authentication, a defence-in-depth approach and best-of-breed cyber-defence systems.
There’s never a magic bullet for defeating cyber threats; this is a constant battle. But through a combination of training, processes and judicious use of outside expertise, government security professionals can help ensure their department doesn’t become the subject of the next cyber attack newspaper headline.