How to Secure Your Agency’s Website

This interview is an excerpt from GovLoop's recent guide, The Workforce Behind State and Local Government. Download the full guide here.

Many agencies’ websites have shifted from stagnant pages to interactive platforms. However, moving to these new platforms to better engage employees and citizens also makes government organizations more vulnerable to cyberattacks.

To gain more insight into how the public sector workforce can protect their websites from cyberattacks, GovLoop sat down with Tony Lauro, Lead Senior Enterprise Security Architect at Akamai, a content delivery network that provides media and software delivery and cloud security solutions.

According to Lauro, we are currently living and working in a cyber world. This means we have to take a new approach to handling cybersecurity. “In the past years, cyber has been seen as this shadow world but that is no longer the case. Cyber and the internet are all around us now,” Lauro explained. With this evolution comes new threats.

“We are seeing a move from basic disruptive types of hacktivism to threat actors strategically trying to accomplish nefarious goals,” Lauro explained. These actors know how to disrupt networks and are doing so to achieve their goals, which can include anything from starting a riot to gathering data.

To counter these nefarious actors, agencies must be mindful of the methods they employ to infiltrate networks. Recently, attackers have been hacking networks through government websites and the applications on these websites. For example, in a Distributed Denial of Service (DDoS) attack, too much information comes into a small entry point, making it difficult to stop attack points. As a result, attackers can slip into the network undetected. “Think of a moat around a castle. When you drop the drawbridge while you are under attack to let the good traffic in, you are not going to be able to effectively stop the attack because the good traffic still has to pass through,” Lauro clarified.

Another example of infiltration is an application layer attack. This type of attack has become prevalent as government websites have shifted towards having employees log into the agency website to access their portal. While this process is more interactive and improves efficiency, it inherently means that all of the users’ data is stored in a back-end database. “Application layer attacks bypass security mechanisms to access applications across the site,” Lauro explained. He continued, “This kind of attack largely occurs because there is a shortage in the security market of trained web application security experts. This has led to the development of website applications that are not securely coded.” Consequently, attackers are able to take advantage of the security lapse in applications to access larger networks and the data that resides behind them.

However, there are steps that organizations can take to invest in cybersecurity solutions and prevent attacks. According to Lauro, “as a state or local agency you have to ask if security and cyber resiliency are part of your core business competencies. If they’re not, they need to be and you’re going to have to find the right people to train and make sure that you build up that competency within your own organizations.”

Akamai offers solutions to help state and local agencies integrate security into their core competencies. In website attacks, nefarious actors can gather information through incoming requests that infiltrate the network and through information leaks in outbound requests. For inbound requests, Akamai inspects each one before it is passed on to the data center, intercepting any nefarious request before it can damage the network. When an outbound attack tries to infiltrate a network through malware, Akamai sends out alerts to make users aware that this malware has been sent out.

These solutions allow state and local employees to do their jobs better by providing tools to identify threats and attacks to their network in the midst of normal user traffic. Establishing a resiliency framework that achieves this allows agencies to promote innovation without worrying about creating new vulnerabilities in the face of advancement.

