Computer security

INDUSTRY INSIGHT

Elevate your security posture and readiness for 2021

For some agencies, the SolarWinds attack was simply a wake-up call. For untold thousands of others, it was a tangible threat to digital assets with the potential for real-world consequences. While only 50 such organizations are thought to be “genuinely impacted” by the breach -- and the ramifications may be years or decades from full discovery -- it is clear that agencies must strongly reconsider their security posture and organizational readiness in light of the attack.

What does that mean for government IT personnel and related stakeholders? As the people keeping vital information systems safe, the best thing agencies and staff can do is find ways to apply these lessons in day-to-day operations.

The software supply chain matters more than ever

The potential for supply chain attacks and breaches is “far from a new concept,” one ComplianceWeek piece noted, but recent examples remind us that attackers can leverage third-party code to directly compromise agency systems. Software supply chain attacks are up more than 400%, pointing to an increasingly attractive avenue of attack.


Also of concern is the practice of using free or open-source tools. While it is tempting to use free solutions, the risk of breach is quite high. By nature, open-source supply chain software is even more vulnerable to compromise by nefarious nation-state-sponsored hackers intent on breaching U.S. homeland defense and public safety organizations.

Organizations prioritizing security should avoid open-source software altogether, and those using prepackaged application programming interfaces and other third-party components must make a stronger commitment to testing, verifying and securing code integrated from outside sources. An initial breach in one system can allow attackers to gain increasing control over time, leapfrog to other systems and ultimately infect those outside the agency via a compromised update.

Agencies must likewise verify the safety of any third-party systems that integrate with or use core agency computing or infrastructure systems -- such as a vendor’s scheduling program sending automated update emails over the network -- and confirm the security of the vendors used by their third-party partners as much as possible.

Even within local government, every agency’s digital topography will consist of dozens or even hundreds of third-party products, themselves composed of hundreds more underlying third-party components.

Using guidance from the Federal Risk and Authorization Management Program and Federal Information Security Modernization Act, agencies can conduct a thorough audit of their third-party contractors by asking these questions:

  • How do they nominally do their jobs?
  • What would a possible security breach using their components look like?
  • How do the people providing the service plan to negate the chance of a successful attack?
  • What are their protocols for when malicious traffic does get through?

Knowing these answers can make life much easier both during normal operations and in the event of a breach. Strong organizational readiness requires deep knowledge of the systems, processes and organizations with which agencies work.

Move from blacklisting to a whitelisting strategy

Think of blacklisting -- banning malicious or untrustworthy activity -- as a reactive approach to security. In contrast, whitelisting is a proactive strategy that assigns trust to reliable sources instead of revoking trust when things go wrong.

How do things look when an agency approaches security from a trust-giving perspective instead of a trust-taking one? Agencies can model the idea over any number of digital activities, from web traffic to application data to inbound network requests from presumably trustworthy sources.

Embrace the zero-trust model

In a technology environment with so many moving parts, it can be difficult to monitor all suspicious activity. Instead of trying to identify all potentially nefarious actors, consider a zero-trust security model -- a system of governance aligned to the trust-giving perspective. Having caught the IT world by storm, the idea as described by one expert in a CSO piece is quite simple: “Cut off all access until the network knows who you are. Don’t allow access to IP addresses, machines, etc. until you know who that user is and whether they’re authorized.”

In a public-safety context, for example, the concept of inside vs. outside is key. While older “castle-and-moat” governance styles give a large degree of freedom to devices and users once they’ve been permitted past the initial moat, zero trust regards interior users with a consistent level of wariness.

With a castle-and-moat model, hackers can leverage the trust allocated to vendors to compromise agency systems more easily -- executing remote commands, sniffing passwords and more. A system that instead requires components to be identified, justified and authenticated at all points is one that can more easily catch compromises and prevent further access. This makes a zero-trust model a serious consideration for IT managers trying to keep operations secure with minimal manual intervention.
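As an added illustration that is not part of the article, the following Python puts the four postures discussed above (reactive blacklisting, proactive whitelisting, the castle-and-moat perimeter, and zero trust) side by side over the same constructed requests; the addresses, identities and resource names are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Dict, Optional

@dataclass(frozen=True)
class Request:
    src_ip: str              # where the request came from
    inside: bool             # True if it originated inside the agency network
    identity: Optional[str]  # identity the caller proved; None = unauthenticated
    resource: str            # what it is trying to reach

# Constructed policy data for the illustration (not from the article).
KNOWN_BAD_IPS = {"203.0.113.7"}   # blacklist: sources already caught misbehaving
TRUSTED_IPS = {"198.51.100.10"}   # whitelist: sources deliberately granted trust
AUTHZ = {"dispatcher@agency": {"cad"}, "vendor-scheduler": {"calendar"}}  # identity -> allowed resources

def blacklist_allows(req: Request) -> bool:
    """Reactive: everything passes unless its source was banned earlier."""
    return req.src_ip not in KNOWN_BAD_IPS

def whitelist_allows(req: Request) -> bool:
    """Proactive: nothing passes unless its source was explicitly trusted."""
    return req.src_ip in TRUSTED_IPS

def castle_and_moat_allows(req: Request) -> bool:
    """Perimeter model: anything already inside the moat is trusted."""
    return req.inside or whitelist_allows(req)

def zero_trust_allows(req: Request) -> bool:
    """Identity first, then authorization, on every access; network location is irrelevant."""
    return req.identity is not None and req.resource in AUTHZ.get(req.identity, set())

POLICIES = {"blacklist": blacklist_allows, "whitelist": whitelist_allows,
            "castle_and_moat": castle_and_moat_allows, "zero_trust": zero_trust_allows}

# Constructed sample traffic (documentation-range and private addresses).
SAMPLE = [
    Request("192.0.2.55", False, None, "cad"),                    # never-seen external source
    Request("10.20.0.8", True, None, "cad"),                      # internal vendor box, unauthenticated
    Request("10.20.0.9", True, "vendor-scheduler", "cad"),        # authenticated, but not authorized for cad
    Request("198.51.100.10", False, "dispatcher@agency", "cad"),  # trusted source, authorized user
]

def evaluate(reqs=SAMPLE) -> Dict[str, Dict[str, bool]]:
    """Decision of every policy for every request, keyed by source address."""
    return {r.src_ip: {name: allow(r) for name, allow in POLICIES.items()} for r in reqs}
```

The never-seen external source and the unauthenticated internal box sail through the blacklist and the moat respectively; only the identity-plus-authorization check refuses both while still admitting the authorized dispatcher.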

Check weak points before it’s too late

Knowing about potential (or even confirmed) breaches has obvious value and is also a boon for an agency’s overall security posture -- understanding weaknesses and points of entry means they can be addressed.
