At GovLoop’s latest live event on cybersecurity, a panel of experts gathered to discuss the myriad challenges that the government and organizations face when it comes to being prepared for cyberattacks. But it wasn’t all doom and gloom — each participant also offered up concrete tips on what you can do today to start creating better protection against hackers and other security threats that your organization may face.
Our panel included:
- Ann Barron-DiCamillo, Manager and Chief of Operations, United States Computer Emergency Readiness Team, Office of Cybersecurity and Communications, Department of Homeland Security
- Larry Clinton, President, Internet Security Alliance
- Thomas Kellermann, Instructor, School of International Service, American University and CSO at Trend Micro
- Greg Wilshusen, Director of Information Security Issues, Government Accountability Office
Ann Barron-DiCamillo noted that one of the top trending challenges in cybersecurity affecting government is the Internet of Things. She explained that the Internet of Things — where data can be automatically transferred over a network without requiring human-to-human or human-to-computer interaction — might be particularly hard for the government to deal with, especially as more IP-enabled devices enter the market and are used by government employees in both their personal and professional lives.
“All of these devices have a capability to connect to the internet, but a lot of times these devices are never managed,” she explained. Because of this, government is exposed to more risk, as those wishing to compromise government information have more entry points.
As more devices become web-enabled, an already complex cyber landscape becomes even harder for agencies to manage, and its risks harder to mitigate.
“The very dynamic nature of security threats that keep you bobbing in highly dynamic complex environments. Agencies need to implement appropriate and effective property practices procedures,” said Greg Wilshusen.
He said that progress is being made, however. “I think we’re moving and agencies are improving in several aspects of their programs. In our audits we find that we have to dig deeper to find basic security vulnerabilities. But we still have issues with agencies still not performing basic security maintenance — for example, implementing patches across the agency in a consistent manner.”
Larry Clinton said his biggest cybersecurity challenge was a basic one: “We simply don’t know what we’re talking about.”
Explaining further, he added, “I go to a lot of these conferences and we have a bunch of IT and security people talking about, well, IT and security. But the biggest issue by and large isn’t technical – it’s economic. It’s resources. It sounds really easy – just monitor your suppliers more! But it’s not that easy. We have to fundamentally reorient how we are thinking about this problem. It is not an IT issue. It is an enterprise-wide risk management issue. The single biggest vulnerability is not the technology – it’s the people. It’s always the people.”
Thomas Kellermann said that he’s worried about cybersecurity and the cloud. “We have a highly problematic situation as we consolidate data and migrate to the cloud. We are not cognizant of the fact that the maturity of cloud systems is not there yet for technology protection purposes.”
From the Experts: 4 Mitigation Techniques
So what should we all be doing to make sure we’re safe? The panel, luckily, had concrete advice.
Barron-DiCamillo said we should be following the Australian government’s Top 4 Strategies to Mitigate Targeted Cyber Intrusions:
- Mitigation 1: application whitelisting
- Mitigation 2: patch applications
- Mitigation 3: patch the operating system
- Mitigation 4: minimise administrative privileges
Wilshusen’s number one recommendation: implement CDM monitoring and mitigation.
Clinton explained that he would focus on people, and work diligently to educate the workforce on cyber risks. “At my company, we are developing a set of best practices on cybersecurity for corporate boards of directors. We need to get these people to understand things much better. Focus on the human resources element of this problem. Make sure that when IT people leave, their access is turned off; that you’re putting the appropriate incentives for people to practice good cybersecurity. If you don’t get the people involved, nothing else matters.”
The one step Kellermann said everybody needs to take is to deploy file integrity modeling. “Use advanced threat detection capabilities,” he added. “And then procedurally, I recommend using penetration testing. Lastly — use egress filtering, not just when you experience an event. You should always be looking for IP addresses that should not exist in your cache.”
Said Wilshusen: “We can’t eliminate risk. But we can manage it.”