Elevate your security posture and readiness for 2021

Featured eBooks
Changes in State and Local Government Workforces
NASCIO Special Report 2024
A New Era of Social Media Regulation
Insights & Reports
Unlocking digital potential: Strategies for modernizing government services
Presented By Adobe
Download Now
Unlocking public sector potential
Presented By NTT DATA
Download Now
By Ari Vidali
 

Connecting state and local government leaders

By Ari Vidali

|

Until the full ramifications of the SolarWinds breach is known, agencies must reconsider their security posture and organizational readiness.

For some agencies, the SolarWinds attack was simply a wake-up call. For untold thousands of others, it was a tangible threat to digital assets with the potential for real-world consequences. While only 50 such organizations are thought to be “genuinely impacted” by the breach -- and the ramifications may be years or decades from full discovery -- it is clear that agencies must strongly reconsider their security posture and organizational readiness in light of the attack.

What does that mean for government IT personnel and related stakeholders? As the people keeping vital information systems safe, the best thing agencies and staff can do is find ways to apply these lessons in day-to-day operations.

The software supply chain matters more than ever

The potential for supply chain attacks and breaches from are “far from a new concept,” one ComplianceWeek piece noted, but recent examples remind us that attackers can leverage third-party code to directly compromise agency systems. Software supply chain attacks are up more than 400%, pointing to an increasingly attractive avenue of attack.

Also of concern is the practice of using free or open-source tools. While it is tempting to use free solutions, the risk of breach is quite high. By nature, open-source supply chain software is even more vulnerable to compromise by nefarious nation-state-sponsored hackers intent on breaching U.S. homeland defense and public safety organizations.

Organizations prioritizing security should evaluate open-source software carefully, and those using prepackaged programming interfaces and other third-party components must make a stronger commitment to testing, verifying and securing code integrated from outside sources. An initial breach in one system can allow attackers to gain increasing control over time, leapfrog to other systems and ultimately infect those outside the agency via a compromised update.

Agencies must likewise verify the safety of any third-party systems that integrate or use core agency computing or infrastructure systems -- such as a vendor’s schedule program sending automated update emails over the network -- and confirm the security of the vendors used by their third-party partners as much as possible.

Even within local government, every agency’s digital topography will consist of dozens or even hundreds of third-party products, themselves comprised of hundreds more underlying third-party components.

Using guidance from the Federal Risk and Authorization Management Program and Federal Information Security Modernization Act, agencies can conduct a thorough audit of their third-party contractors by asking these questions:

  • How do they nominally do their jobs?
  • What would a possible security breach using their components look like?
  • How do the people providing the service plan negate the chance of a successful attack?
  • What are their protocols for when malicious traffic does get through?

Knowing these answers can make life much easier both during normal operations and in the event of a breach. Strong organizational readiness requires deep knowledge into the systems, processes and organizations with which agencies work.

Move from blacklisting to a whitelisting strategy

Think of blacklisting -- banning malicious or untrustworthy activity -- as a reactive approach to security. In contrast, whitelisting is a proactive strategy that assigns trust to reliable sources instead of revoking trust when things go wrong.

How do things look when an agency approaches security from a trust-giving perspective instead of a trust-taking one? Agencies can model the idea over any number of digital activities, from web traffic to application data to inbound network requests from presumably trustworthy sources.

Embrace the zero-trust model

In a technology environment with so many moving parts, it can be difficult to monitor all suspicious activity. Instead of trying to identify all potentially nefarious actors, consider a zero-trust security model -- a system of governance aligned to the trust-giving perspective. Having caught the IT world by storm, the idea as described by one expert in a CSO piece is quite simple: “Cut off all access until the network knows who you are. Don’t allow access to IP addresses, machines, etc. until you know who that user is and whether they’re authorized.”

In a public-safety context, for example, the concept of inside vs. outside is key. While older “castle-and-moat” governance styles give a large degree of freedom to devices and users once they’ve been permitted past the initial moat, zero trust regards interior users with a consistent level of wariness.

With a castle-and-moat model, hackers can leverage the trust allocated to vendors to compromise agency system more easily -- executing remote commands, sniffing passwords and more. A system that instead requires components to be identified, justified and authenticated at all points is one that can more easily catch compromises and prevent further access. This makes a zero-trust model a serious consideration for IT managers trying to keep operations secure with minimal manual intervention.

Check weak points before it’s too late

Knowing about potential (or even confirmed) breaches has obvious value and is also a boon for an agency’s overall security posture -- understanding weaknesses and points of entry means they can be addressed.

For agencies developing their own code in some capacity, static code analysis -- considered a staple of secure development -- allows developers to test code between development and full deployment. In terms of breach prevention, developers can find and correct changes at the baseline before they become larger concerns in production. Agencies concerned about source code security in the wake of the SolarWinds breach, meanwhile, may find help in products that scan binary code, allowing a level of verification over the source code of third-party products, even when that source code is not available, which is usually the case.

As for active-production measures, an agency’s ability to detect malicious or unwanted network traffic is essential. A Dark Reading piece on the topic includes several helpful tips for keeping a closer eye:

  • Paying special attention to packets that deviate from normal sizes.
  • Monitoring unusual bandwidth usage to spot the source of the aberration.
  • Watching for desktops and laptops that attempt to connect to one another.
  • Looking for outbound connections from printers and internet-of-things devices.

Of course, the topic of network forensics goes as deep as one cares to explore. Agencies more deeply concerned about security posture could look further into trapping, inspecting and acting upon the discovery of suspect activity.

Refactor two-factor authentication

Two-factor authentication (2FA) is rightly hailed as a strong security measure for organizations wishing to add another layer of user verification -- a concern that should be front-of-mind for any agency considering its readiness.

That said, not all 2FA approaches are equally effective, and the most popular method is arguably the least effective: the phone-based calls and messages commonly used by many applications. As Tom’s Guide says, it’s key to note that phone-based systems are tied to numbers, not people, and the calls and texts themselves are subject to interception and other trickery that can defeat the whole purpose of a verification system.

Agencies that still use phone-based apps or SMS systems for 2FA should consider instead the advantages of a dedicated authentication hardware token. The popular YubiKey, for example, is a device registered on a qualified online service and physically plugged in (or gets close to, if the technology utilizes near field communication) to gain access to the system in question. These devices do create some day-to-day hassle in the average IT staffer’s life -- replacing and re-registering lost keys, for instance. However, their ability to boost an agency’s security posture and overall readiness are unquestionable -- making 2FA one of the fastest and easiest weak points to shore up, compared to the legacy systems agencies may be using now.

Staying secure and ready

SolarWinds was a multifaceted, highly sophisticated attack, and its full ramifications will likely not be known for some time. In the interim, all organizations can learn something from the breach in terms of their security posture and readiness when nominal operations go askew.

Both the attack and the potential reactions come down to a few overarching concepts, namely trust and verification. That applies to the third-party vendors providing critical services, naturally, but the examination shouldn’t stop there. Using the SolarWinds breach as a framework, it’s clear that internal processes (including those usually given a high degree of trust, such as software updates) also need a greater focus.

Whatever that discovery looks like, agencies should not miss this opportunity for positive change, because waiting for the attack to happen is never the best response.

This article was changed Jan. 26 to clarify the author's points about open source software. 

NEXT STORY: One-to-one unemployment insurance fraud investigations are over. Here’s what’s next.

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.