COMMENTARY | From ransomware to exfiltration, cybersecurity attacks are targeting sensitive government data. Here’s a reliable approach to protecting mission-critical information.
Government organizations are storing, accessing and sharing more of their data in the cloud. Cloud-computing contracts were expected to grow by $500 million year over year to reach $6.6 billion in fiscal 2020, and then increase to $8.5 billion by fiscal 2023, according to Bloomberg Government. The cloud gives agencies the flexibility, for example, to allow employees to work remotely.
At the same time, cybersecurity attacks against government organizations and critical infrastructure are proliferating. Ransomware attacks, like the recent Kaseya and Colonial Pipeline breaches, have been dominating the media headlines. But breaches that could result in data exfiltration—such as the exposure of data on 191 million voters in 2015, the Office of Personnel Management hack, or the breach of the Department of Energy in 2020—are the bigger and longer-standing problem. While a ransomware attack can net tens of millions of dollars for cybercriminals, theft of personally identifiable information or government research data could potentially be worth hundreds of millions or even billions of dollars.
Organizations repel literally millions of attempted digital intrusions every month, and there’s always a danger some attacks will succeed. But to minimize their cybersecurity risk, organizations should take these practical, achievable steps:
1. Embrace a zero-trust mindset.
President Joe Biden’s May 12 Executive Order on Improving the Nation’s Cybersecurity states that the federal government must “adopt security best practices” and “advance toward Zero Trust Architecture.” Zero trust replaces implicit assumptions about who is trusted with explicit decisions made every time a user or system attempts to access data.
Zero trust starts with the concept of “least privilege”: Permit entities to access only the data they need. It then applies multifactor authentication to ensure that only authenticated and authorized entities can access data. MFA requires two or more factors to establish identity, combining something users know, like a password, and something they have, like a smartphone app, or something they are, like a fingerprint. In fact, MFA can potentially block up to 99.9% of account hacks.
2. Identify and segment your most sensitive data.
Next, analyze all your data to identify which information is most vulnerable. Data repositories might be considered sensitive because they contain PII or high-value research and development data, or because they need to be accessed or shared regularly by a wide range of employees, contractors or other organizations.
Then consider whether you can segment sensitive repositories from less mission-critical stores. The Department of Defense and the intelligence community have been highly effective at segmenting “low,” non-classified networks from “high,” classified networks. Other organizations should consider a similar approach. Such separation can prevent ransomware, for instance, from spreading from low-value repositories to your most sensitive data troves.
3. Adopt the latest cross-domain safeguards.
Organizations routinely deploy antivirus and firewall protections. They’re clearly necessary—but not wholly sufficient. What’s needed are cross-domain solutions (CDS) that provide a higher level of data protection—especially in collaborative environments where data needs to move between networks of different sensitivity levels.
CDS act as zero-trust gateways between segmented networks. They can automate the safe movement of data between networks to remove human error and prevent data spillover from one network to another. They differ from firewalls since they can perform deep data inspection and validation. Only authorized data that complies with the data transfer policies can be passed. They can be combined with data diodes to ensure one-way data flow in situations where you want to restrict the movement of data to only one direction.
4. Leverage content-threat removal to filter out hidden malware.
Organizations access, store and share digital content such as Microsoft Word documents, Adobe Acrobat PDF files and JPEG images in their daily operations. Cybercriminals can conceal malicious code within these files, bypassing traditional detection-based defenses such as antivirus and firewalls. The embedded malware can then take actions such as launching ransomware attacks.
Content Disarm and Reconstruction or threat removal technology can remove malicious code to make your content files 100% malware-free. It works by extracting the valid business content from the original document and using it to create a new file. It then discards the original document and transmits the new, clean file—all at speed, so it doesn’t slow productivity. In short, content threat removal extends the zero-trust approach to documents and files. This technology is also used within CDS gateways to provide a comprehensive zero-trust gateway.
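As an added illustration of steps 3 and 4 together (example code written for this page, not the article's or Forcepoint's own), a simplified cross-domain transfer gate in Python: it applies a transfer policy between a "low" and a "high" network, then rebuilds the document from its validated business content only, so macros and embedded objects never cross. The document format, network levels, classification labels and file-type allowlist are constructed assumptions.

```python
# Added example, not from the article: a simplified cross-domain transfer gate that
# applies a transfer policy, then rebuilds the document from validated business
# content only (the content threat removal idea). Format and policy are constructed.
from dataclasses import dataclass
from typing import Optional

LEVELS = {"low": 0, "high": 1}            # constructed network sensitivity levels
ALLOWED_TYPES = {"docx", "pdf", "jpeg"}   # constructed file-type allowlist

@dataclass
class Verdict:
    allowed: bool
    reason: str
    rebuilt: Optional[dict] = None        # the new clean document, when allowed

def _clean_text(text: str) -> str:
    """Keep printable text (plus newline/tab); control characters are dropped."""
    return "".join(ch for ch in text if ch.isprintable() or ch in "\n\t")

def rebuild(doc: dict) -> dict:
    """Build a brand-new document from the known business fields; nothing else is copied."""
    new = {"paragraphs": [_clean_text(p) for p in doc.get("paragraphs", []) if isinstance(p, str)]}
    if isinstance(doc.get("title"), str):
        new["title"] = _clean_text(doc["title"])
    return new

def transfer(doc: dict, src: str, dst: str) -> Verdict:
    """Decide whether `doc` may move from network `src` to network `dst`."""
    if src not in LEVELS or dst not in LEVELS or src == dst:
        return Verdict(False, "unknown or identical networks")
    if LEVELS[dst] < LEVELS[src] and doc.get("classification") != "unclassified":
        return Verdict(False, "high-to-low transfer requires unclassified content")
    if doc.get("filetype") not in ALLOWED_TYPES:
        return Verdict(False, f"file type not permitted: {doc.get('filetype')!r}")
    clean = rebuild(doc)
    if not clean["paragraphs"]:
        return Verdict(False, "no valid business content to carry across")
    return Verdict(True, "rebuilt from validated content", clean)

# Constructed sample: business text plus a macro and an embedded binary that must not cross.
SAMPLE = {"filetype": "docx", "classification": "unclassified", "title": "Quarterly report",
          "paragraphs": ["Budget summary\x07", "Staffing plan", 42],
          "macros": ["AutoOpen"], "embedded_objects": [b"\x4d\x5a\x90\x00"]}
```

The gate never forwards the original object; a real CDS would also validate the rebuilt file against its format specification before release.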
5. Apply behavioral analytics to establish user risk scores for continuous monitoring.
Finally, consider implementing continuous user activity monitoring technology to understand, on an ongoing basis, how entities are accessing your data. You can then assign each user a risk score based on their usual behaviors. If a user’s risk score is typically 35 and suddenly jumps to 50, you know the user is accessing more sensitive data or behaving in a riskier manner, and there could be a problem.
By establishing a baseline of normal behavior, you can instantly and automatically recognize anomalous activities that could indicate a threat. For example, if someone stole your credentials, they would likely use those credentials in ways that differ from your usual practices, and behavioral analytics would recognize that—in real time. Or if an external supplier suddenly started accessing your HR systems, you could detect and block the activity—again, at the moment the risk emerges. This is no different from what credit card companies do to prevent credit card misuse or fraud.
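To make the baseline-and-jump idea concrete, here is an added Python example (not from the article) that learns each user's normal systems and hours from a training window of constructed access-log lines, scores new events, and raises an alert when a score jumps well above that user's baseline, including the supplier-into-HR case above. The log format, sensitivity weights and penalty values are constructed assumptions.

```python
# Added example, not from the article: learn each user's normal access pattern from
# constructed log lines, then flag events whose risk score jumps above the user's baseline.
import re
from collections import defaultdict
from statistics import mean
SENSITIVITY = {"wiki": 5, "ticketing": 10, "finance": 30, "hr": 40, "research": 50}  # constructed
LINE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) system=(?P<system>\S+)$")

def parse(lines):
    """Yield (user, role, hour, system) from lines in the constructed format; skip malformed ones."""
    for m in filter(None, (LINE.match(ln.strip()) for ln in lines)):
        yield m["user"], m["role"], int(m["ts"][11:13]), m["system"]

def build_baseline(events):
    """Per user: systems normally used, usual hours, and mean per-event risk."""
    seen = defaultdict(lambda: {"systems": set(), "hours": set(), "scores": []})
    for user, _, hour, system in events:
        seen[user]["systems"].add(system)
        seen[user]["hours"].add(hour)
        seen[user]["scores"].append(SENSITIVITY.get(system, 20))
    return {u: {**b, "mean": mean(b["scores"])} for u, b in seen.items()}

def score_event(baseline, user, role, hour, system):
    """Risk = sensitivity of the system touched plus penalties for deviating from baseline."""
    score, base = SENSITIVITY.get(system, 20), baseline.get(user)
    if base is None:
        return score + 20                     # unknown user: no baseline to rely on
    if system not in base["systems"]:
        score += 15                           # first time this user touches this system
    if hour not in base["hours"]:
        score += 10                           # outside the user's usual hours
    if role == "supplier" and system == "hr":
        score += 30                           # external supplier reaching into HR data
    return score

def detect(baseline, events, jump=15):
    """Return (user, system, score, baseline_mean) for events scoring `jump` above the user's mean."""
    alerts = []
    for user, role, hour, system in events:
        s = score_event(baseline, user, role, hour, system)
        b = baseline.get(user, {"mean": 0})["mean"]
        if s - b >= jump:
            alerts.append((user, system, s, round(b, 1)))
    return alerts

TRAINING = ["2021-06-01T09:12:00 user=alice role=staff system=wiki",          # constructed logs
            "2021-06-01T10:05:00 user=alice role=staff system=ticketing",
            "2021-06-02T14:00:00 user=vendor1 role=supplier system=ticketing"]
TODAY = ["2021-06-03T09:50:00 user=alice role=staff system=wiki",             # normal
         "2021-06-03T02:10:00 user=alice role=staff system=research",         # off-hours, new system
         "2021-06-03T14:20:00 user=vendor1 role=supplier system=hr"]          # supplier into HR
ALERTS = detect(build_baseline(parse(TRAINING)), parse(TODAY))
```

The normal wiki access scores below alice's baseline and stays silent, while the off-hours research access and the supplier's HR access both exceed the jump threshold.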
Government organizations will continue to move data repositories to the cloud. Cybercriminals will continue their efforts to tamper with that data. But by following these five steps, agencies can make tangible progress in reducing vulnerabilities and hardening defenses. Ultimately, they can more effectively protect sensitive information while allowing their people to use those resources to advance agency missions.
George Kamis is chief technology officer of Global Governments and Critical Infrastructure at Forcepoint.