Wednesday, 15 July 2015

The Federal Government Needs a Cybersecurity Marathon, Not a Sprint

Over the past 16 years, Scott has served as chief information officer (CIO) of both Microsoft and Walt Disney, and from 1999 to 2005 he was chief technology officer of information systems and services at General Motors Corporation. He was recruited in February to become the CIO of the United States and stop the nation's cyber-bleeding, specifically at federal agencies like the Office of Personnel Management, which suffered a monumental breach whose full ramifications are still unknown.

In an interview with Federal Times, Scott described our nation’s antiquated data security practices in stark terms.

“Most of the systems, most of the technology you and I use every day was designed and architected in the 1970s or 1990s,” he said, noting even newer systems are built on the same framework. “It’s kind of like trying to put airbags on a ’65 Mustang — it just wasn’t designed for security, wasn’t designed for safety.”

In an effort to jump-start a thorough review of federal systems, and to get people thinking, working and, most importantly, taking the actions needed to close loopholes, Scott called for a "30-Day Cybersecurity Sprint," which started on June 12. Federal agencies have to report how they did on Monday, and according to Scott, not every agency will pass muster. "Some will get there, and some won't," he told Reuters.

The list of tasks Scott set for the federal agencies he oversees was impressive:

  • Immediately deploy indicators provided by the Department of Homeland Security regarding priority threat-actor techniques, tactics and procedures to scan systems and check logs. Agencies shall inform DHS immediately of any signs of malicious cyber activity.
  • Patch critical vulnerabilities without delay. The vast majority of cyber intrusions exploit well known vulnerabilities that are easy to identify and correct. Agencies must take immediate action on the DHS Vulnerability Scan Reports they receive each week and report to the Office of Management and Budget and DHS on progress and challenges within 30 days.
  • Tighten policies and practices for privileged users. To the greatest extent possible, agencies should: minimize the number of privileged users; limit functions that can be performed when using privileged accounts; limit the duration that privileged users can be logged in; limit the privileged functions that can be performed using remote access; and ensure that privileged user activities are logged and that such logs are reviewed regularly. Agencies must report to OMB and DHS on progress and challenges within 30 days.
  • Dramatically accelerate implementation of multi-factor authentication, especially for privileged users. Intruders can easily steal or guess usernames/passwords and use them to gain access to Federal networks, systems and data. Requiring the utilization of a Personal Identity Verification (PIV) card or alternative form of multi-factor authentication can significantly reduce the risk of adversaries penetrating Federal networks and systems. Agencies must report to OMB and DHS on progress and challenges within 30 days.
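The first sprint item, scanning systems and logs against DHS-provided indicators, is the one that reduces directly to code. What follows is an added example, not code from the original article, from DHS or from OMB: a small indicator-matching pass over log lines that handles the three indicator kinds such feeds typically carry (IP addresses or CIDR ranges, domains, file hashes). The indicator list and the log lines are constructed for illustration, using documentation IP ranges, made-up domains and the MD5 of the empty file as a stand-in hash; none of it is real threat data.

```python
"""Indicator matching over log lines (added example; constructed data).

Indicator kinds: IP addresses or CIDR ranges, domains (a listed domain also
covers its subdomains) and file hashes (MD5/SHA-1/SHA-256, case-insensitive).
The indicators and log lines below are made up for illustration; they are not
DHS-provided data.
"""
import ipaddress
import re
from dataclasses import dataclass

# Token extractors. IPv4 only; IPv6 and URL-encoded forms are out of scope here.
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)
HASH_RE = re.compile(r"\b(?:[0-9a-f]{64}|[0-9a-f]{40}|[0-9a-f]{32})\b", re.IGNORECASE)


@dataclass(frozen=True)
class Hit:
    line_no: int    # 1-based index of the matching log line
    kind: str       # "ip", "domain" or "hash"
    indicator: str  # the listed indicator that matched (normalized form)
    observed: str   # the token as it appeared in the log line


class IndicatorSet:
    """Normalized indicator list with one matcher per indicator kind."""

    def __init__(self, ips, domains, hashes):
        # Single addresses become /32 networks, so one code path handles both.
        self.networks = [ipaddress.ip_network(x, strict=False) for x in ips]
        self.domains = {d.lower().rstrip(".") for d in domains}
        self.hashes = {h.lower() for h in hashes}

    def match_ip(self, token):
        try:
            addr = ipaddress.ip_address(token)
        except ValueError:  # e.g. 999.1.1.1 passes the regex but is not an address
            return None
        return next((str(net) for net in self.networks if addr in net), None)

    def match_domain(self, token):
        # Walk up the label chain so "cdn.evil.example" matches a listed
        # "evil.example", while the look-alike "notevil.example" does not.
        labels = token.lower().rstrip(".").split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in self.domains:
                return candidate
        return None

    def match_hash(self, token):
        h = token.lower()
        return h if h in self.hashes else None


def scan_logs(indicators, lines):
    """Return every indicator hit across the given log lines, in line order."""
    hits = []
    for n, line in enumerate(lines, start=1):
        for regex, kind, matcher in (
            (IPV4_RE, "ip", indicators.match_ip),
            (DOMAIN_RE, "domain", indicators.match_domain),
            (HASH_RE, "hash", indicators.match_hash),
        ):
            for token in regex.findall(line):
                matched = matcher(token)
                if matched is not None:
                    hits.append(Hit(n, kind, matched, token))
    return hits


# Constructed sample data: documentation IP ranges, made-up domains, and the
# MD5 of the empty file standing in for a malware hash.
SAMPLE_INDICATORS = IndicatorSet(
    ips=["203.0.113.0/24", "198.51.100.77"],
    domains=["evil.example", "c2.test"],
    hashes=["d41d8cd98f00b204e9800998ecf8427e"],
)
SAMPLE_LOGS = [
    "2015-06-12T10:01:02Z proxy src=10.1.2.3 dst=203.0.113.45 host=update.evil.example",
    "2015-06-12T10:01:05Z proxy src=10.1.2.4 dst=93.184.216.34 host=www.example.com",
    "2015-06-12T10:02:11Z av file=payload.exe md5=D41D8CD98F00B204E9800998ECF8427E",
    "2015-06-12T10:03:00Z dns query=notevil.example answer=198.51.100.78",
]

if __name__ == "__main__":
    for hit in scan_logs(SAMPLE_INDICATORS, SAMPLE_LOGS):
        print(f"line {hit.line_no}: {hit.kind} {hit.observed} matched {hit.indicator}")
```

Two design points matter in practice: indicators are normalized once at load time (lower-cased hashes and domains, single IPs widened to /32 networks) so the per-line work is a plain set or network lookup, and domain matching walks up the label chain so a listed apex domain catches its subdomains without also catching unrelated look-alike names. On the constructed input, the pass reports the proxy line twice (destination IP in the listed range, and a subdomain of the listed domain) and the antivirus line once (hash, despite the upper-case spelling), and nothing for the look-alike domain or the neighbouring address.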

How Did It Come to This?

It would be an understatement to say that we need to get a better handle on the state of federal cybersecurity in the wake of the mother of all data breaches, whose depth and breadth continue to unfold at the Office of Personnel Management. For instance, the agency just revealed that 1.1 million fingerprint records were among the purloined files, in addition to the sensitive personal, financial and medical records already reported.

“The government may need to invest in tools that go beyond trying to prevent hacks, and more quickly detect and contain threats, and repair any damage,” Scott also told Reuters.

You think? If my tone seems a little arch, consider the millions of unnecessarily compromised records that got us to this important milestone in the evolution of data security and privacy best practices. It's simply dumbfounding. There are well over a billion records "out there." Scott's proposed protocols are welcome rain, but we are nonetheless lost in the desert of a very real and very pitched crisis, and nothing will ever un-compromise the records that have already been stolen.

Our agencies have been fending off tens of thousands of persistent attacks for more than a decade, and we have seen intrusions at many federal agencies. Yet it took this long to initiate a 30-Day Cybersecurity Sprint to do what everyone in the data and privacy business has been screaming for since 2005.

View the original content and more from this author here: http://ift.tt/1JgF9Md



from cyber security caucus http://ift.tt/1HLhDpQ