Cybersecurity is everywhere. Major attacks dominate the media, agencies shape their strategies around security, and almost all new employees have to learn about computer safety tips when they start a new job. But despite this apparent pervasive quality of cybersecurity, many agencies still struggle to develop a clear to-do list.
Christopher Dorobek sat down with cybersecurity experts to create such a list for this month’s DorobekINSIDER Live, Taking Bold Action To Defend The Digital World. Ralph Pisani, a Fellow at the Institute for Critical Infrastructure Technology and Executive Vice President of Field Operations at Exabeam; Stacey Wright, an Intel Manager at the Multi-State Information Sharing and Analysis Center; Alan Paller, President of SANS Technology Institute and Director of Research at the SANS Institute; and Hannah Moss, Senior Editor and Project Manager at GovLoop offered suggestions for the cybersecurity to-do list.
Knowledge is essential for any strategy, and Moss, Pisani, and Paller all included it on their list. Moss noted that while the news often covers cyberattacks, these stories rarely cover details about the attacks. This vagueness makes it difficult to actually understand what agencies are going through as well as making it more difficult to create an effective solution.
Pisani added to this, emphasizing the importance of knowing what strategies cyberattackers are using in order to understand how to combat them. One example is phishing attacks, where attackers steal credentials and then “legitimately” enter other secured accounts with the stolen information. Because the attackers are entering through the front door, it can be difficult to separate instances of fraud from legitimate uses.
Knowledge also means understanding how to respond to cyberattacks, and that’s where the Center for Internet Security’s Critical Security Controls come in. They are derived from common identified attack patterns and constitute a consensus of leading government and industry experts on the question of how to stop known attacks. Paller described the underlying philosophy as fixing known issues before attempting to tackle everything else and argued that a strength of the controls is the consensus behind them.
Wright drew heavily on the controls in her support for security patches. Several of the controls rely on patches, and the fourth control in particular—continuous vulnerability assessment and remediation—requires regular patching. Wright said that the majority of security incidents she sees could have been prevented if the affected organization had had the proper patches in place.
However, despite the importance of patches, they are not being applied as widely as they should be. Wright said this is because of a lack of awareness of the wide variety of security patches available, as well as the difficulty of deploying and maintaining them. Updates can arrive several times a day, and system owners need to know everything in their networks in order to apply the patches where they matter most.
Another struggle agencies face in successfully using patches is a lack of staffing, and Wright, Stacey, and Paller all touched on it as one of the items on the to-do list. Without sufficient trained staff, it can be difficult to identify which areas in the network need to be updated and when. Paller said that the increased length of attacks—the time that attackers are in a network—means that they have more time to move from unit to unit unless the organization has the workforce to move quickly and deeply against the invaders.
Recruiting this workforce can be challenging but is essential. Pisani said there is a major skills gap in government, and people move through jobs quickly without making the long-term investments needed for a strong security team. Similarly, Wright and Paller both noted that even when agencies can recruit new employees, the new staff require extensive training.
Training followed the workforce as the next item on the to-do list. While most employees get some cybersecurity training when they are onboarded at a new job, it is often forgotten in the shuffle of new job tasks. Pisani recommended that security training become more practical, giving users a thorough understanding of what to look for and what to do or not do.
Wright built on Pisani’s point, championing audience-based training. Computer users don’t need the same training as IT staff or developers, and the C-suite needs a different understanding of security. By tailoring security training to its audience, each part of the team will have a better understanding of its role in cybersecurity.
The experts in Wednesday’s DorobekINSIDER Live covered knowledge, patches, workforce, and training as four key items on any cybersecurity to-do list, but they also provided tips on how to get ahead of the security issue in the future. For these tips as well as more information on things your agency should consider, check out the full webinar here.