This interview is an excerpt from GovLoop’s recent research guide, The Current State of Government’s Cybersecurity.
It’s no secret that agencies continue to struggle with combatting insider threats. At the federal level of government, initiatives like the Cybersecurity Strategy and Implementation Plan (CSIP) and the Continuous Diagnostics and Mitigation (CDM) program are being deployed to better secure our information systems and critical infrastructure against potential misuse. These programs focus on endpoints and the networks to which they are tied, with the goal of upgrading and modernizing the underlying IT infrastructure of the U.S. government to one that can be better maintained, patched, and monitored.
But according to Scott Carlson of BeyondTrust, a privileged access management and vulnerability management solutions provider, these federal initiatives fall short of truly protecting government IT from credential misuse.
“Although these programs significantly improve infrastructure and monitoring, they offer very limited guidance regarding the access that employees and authorized individuals should have to government systems and data, as well as the actions that these users can take once they access systems in an authorized manner,” said Carlson in a recent interview with GovLoop. “Solving infrastructure pain points can definitively thwart external attackers and remove a large attack surface, but user-based risks are mostly still present.”
Credential theft continues to be a major challenge to government cybersecurity. Failing to rotate enterprise passwords, not enforcing a password management policy, and not maintaining accountability and control over who can use credentials (e.g., sharing passwords) are the biggest culprits behind this type of theft. Yet many organizations stop at password management and don’t look deeper into insider access trends.
To address that shortfall, Carlson recommended implementing policies and processes to better manage access privileges and credentials. “Remove credentials from people who do not need them to begin with,” he said. “If you can reduce the quantity of users who have access to privileged systems or applications, it reduces the attack surface.”
Additionally, administrators should correlate data from multiple users and behaviors in order to identify potential risk scenarios. “Combining multiple data elements like machine use, access over time, and executed commands can help distinguish patterns of events that should never happen, from those that are expected – or at least are legitimate under certain approved circumstances,” explained Carlson.
Building use cases that include these elements is a foundational step in countering insider threats. Once baselines for normal and threat behavior have been established, Carlson suggested backing those use cases with technical automation.
Implement automated solutions that establish baselines for normal behavior, observe deviations from them, and isolate and flag anomalies that may indicate a threat. Those findings can then trigger automated responses that control and contain the activity as it happens, rather than relying on a purely reactive posture.
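The two paragraphs above describe the correlation Carlson recommends: combine machine use, access over time and executed commands, separate events that should never happen from deviations against a user's own baseline, and automate the check. The following is an added example of that logic written for this page; it is not BeyondTrust code and not a PowerBroker rule set. The log format, the `NEVER_ALLOWED` patterns, the severity labels and every log line are constructed assumptions for the demonstration.

```python
"""Added example: correlate privileged-session events (user, host, time,
command) against a per-user baseline plus a short list of use cases that
should never happen. Not vendor code; all records below are constructed."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed training window: "<ISO timestamp> <user> <host> <command>"
BASELINE_LOG = """\
2016-03-01T09:12:03 alice db-01 sudo systemctl status postgresql
2016-03-01T10:40:11 alice db-01 sudo tail -n 200 /var/log/postgresql/postgresql.log
2016-03-02T09:05:44 alice db-01 sudo systemctl restart postgresql
2016-03-02T14:22:09 alice db-02 sudo systemctl status postgresql
2016-03-03T11:30:27 alice db-02 sudo tail -n 200 /var/log/postgresql/postgresql.log
2016-03-01T08:50:00 bob web-01 sudo systemctl reload nginx
2016-03-02T17:15:31 bob web-01 sudo tail -f /var/log/nginx/error.log
"""

# Constructed events to evaluate against that baseline
NEW_EVENTS = """\
2016-03-04T10:02:15 alice db-01 sudo systemctl status postgresql
2016-03-04T02:47:52 alice web-01 sudo cat /etc/shadow
2016-03-04T09:15:00 bob web-01 sudo systemctl reload nginx
2016-03-04T16:05:10 bob web-01 sudo useradd -m -G sudo svc_backup
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (.+)$")

# "Should never happen" use cases, checked before any baseline comparison.
# Illustrative assumptions only; a real deployment would maintain its own list.
NEVER_ALLOWED = [
    ("credential-store read", re.compile(r"\b(cat|less|cp|scp)\b.*/etc/shadow\b")),
    ("privileged account creation", re.compile(r"\b(useradd|usermod)\b.*\bsudo\b")),
]


def parse(text):
    """Parse log lines into dicts; silently skip lines that do not match."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, user, host, cmd = m.groups()
        tokens = cmd.split()
        events.append({
            "time": datetime.fromisoformat(ts),
            "user": user,
            "host": host,
            "cmd": cmd,
            # The program actually run is what we baseline (strip a leading sudo)
            "verb": tokens[1] if tokens[0] == "sudo" and len(tokens) > 1 else tokens[0],
        })
    return events


def build_baseline(events):
    """Per user: hosts used, programs run and hours of day observed."""
    base = defaultdict(lambda: {"hosts": set(), "verbs": set(), "hours": set()})
    for e in events:
        b = base[e["user"]]
        b["hosts"].add(e["host"])
        b["verbs"].add(e["verb"])
        b["hours"].add(e["time"].hour)
    return base


def hour_distance(a, b):
    """Distance between two hours of day, wrapping around midnight."""
    d = abs(a - b)
    return min(d, 24 - d)


def score_event(e, baseline):
    """Findings for one event: hard 'never' hits first, then deviations from
    the user's own baseline. An empty list means the event looks expected."""
    findings = [("critical", label) for label, pat in NEVER_ALLOWED if pat.search(e["cmd"])]
    b = baseline.get(e["user"])
    if b is None:
        findings.append(("high", "no baseline for user " + e["user"]))
        return findings
    if e["host"] not in b["hosts"]:
        findings.append(("medium", "new host " + e["host"]))
    if e["verb"] not in b["verbs"]:
        findings.append(("medium", "new command " + e["verb"]))
    # Tolerate one hour either side of any observed hour so a slightly late
    # session is not flagged; anything further out is unusual for this user.
    if not any(hour_distance(e["time"].hour, h) <= 1 for h in b["hours"]):
        findings.append(("low", "unusual hour %02d:00" % e["time"].hour))
    return findings


def analyze(baseline_text, new_text):
    """Return one findings list per new event, in input order."""
    baseline = build_baseline(parse(baseline_text))
    return [score_event(e, baseline) for e in parse(new_text)]


if __name__ == "__main__":
    for e, findings in zip(parse(NEW_EVENTS), analyze(BASELINE_LOG, NEW_EVENTS)):
        print(e["time"].isoformat(), e["user"], e["host"], findings or "expected")
```

The ordering matters: the hard "never" list runs before the baseline so that a forbidden action from a user's usual host at a usual hour is still critical, while the baseline deviations only add context (new host, new program, odd hour) that an analyst or an automated response rule can weigh. In the constructed data, alice's `/etc/shadow` read at 02:47 from a host she never uses collects a critical finding plus three baseline deviations, whereas bob's routine nginx reload at 09:15 is within an hour of his observed window and produces nothing.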
“You can also introduce software that stores, maintains, and automates the periodic change of passwords. Attackers often guess and exploit default passwords to gain access to systems. Deploying a solution to manage passwords will reduce the possibility of damage from a compromised account and shorten the window of opportunity where a password is useful against the system,” said Carlson.
Finally, Carlson suggested using a solution that securely provides privileged users with access to critical infrastructure. Software, such as the BeyondTrust PowerBroker Privileged Access Management Platform, can monitor an entire system to ensure it’s accessed from an expected location, automatically provide the password when needed, and record what users do. It’s an integrated solution that offers control and visibility over all privileged accounts and users. Ultimately, by uniting capabilities that many alternative providers offer as disjointed tools, the PowerBroker platform simplifies deployments, reduces costs, improves system security and reduces privilege risks.
Reducing the chance of an insider threat breach isn’t the only benefit of these solutions. “Agencies can also expect to gain better control over their users’ endpoints, because those users will be unable to change systems outside of what you have given them rights to change,” Carlson concluded. “They will also gain better visibility into user account and system activity, enabling them to proactively identify and mitigate threats from insiders – as well as from external attackers seeking to become insiders.”
To learn more about the current state of government cybersecurity, be sure to check out GovLoop’s latest guide, The Current State of Government’s Cybersecurity.