In March 2016, the U.S. Department of Defense embarked on a Cybersecurity Discipline Implementation Plan to identify specific tasks its IT personnel must perform to reinforce basic cybersecurity requirements in policies, directives, and orders.
The plan segments tasks into four key “lines of effort” to strengthen cybersecurity initiatives:
- Strong authentication
- Device hardening
- Reduce attack surface
- Align cybersecurity and computer network defense service providers
Let’s analyze the plan’s goals one at a time. “Strong authentication helps prevent unauthorized access, including wide-scale network compromise by [adversaries] impersonating privileged administrators,” reads a portion of the planning guidance. Tasks specifically focus on protecting web servers and applications through PKI user authentication.
The authentication effort helps ensure that an organization's list of privileged and non-privileged users is always current and that unused accounts are deactivated or deleted. Each account is tied to a named individual and is granted only the level of access that the user's role requires. Privileged accounts in particular are tied to specific users and have privileged access only to the network segments and applications needed for their assigned tasks.
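The account-hygiene checks described above can be expressed as a small audit script. The following is an added example, not code from the article or from the DoD plan; the inactivity limit, the role-to-scope table and the account records are constructed assumptions used only to make the checks concrete.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Assumed policy parameters (illustrative; the plan itself sets no values here)
INACTIVITY_LIMIT_DAYS = 35
ROLE_SCOPE = {  # network segments / applications each role may administer
    "db-admin": {"db-segment"},
    "web-admin": {"dmz-web", "web-app"},
    "user": set(),
}

@dataclass
class Account:
    name: str
    owner: Optional[str]      # named individual responsible; None = shared/generic
    privileged: bool
    auth_method: str          # "pki" (certificate) or "password"
    role: str
    last_login: Optional[date]
    scopes: set = field(default_factory=set)   # segments/apps the account can reach

def audit_accounts(accounts, today):
    """Return (account, code, message) tuples for every policy violation."""
    findings = []
    for a in accounts:
        # Current user list: never-used or long-idle accounts must go
        if a.last_login is None or (today - a.last_login).days > INACTIVITY_LIMIT_DAYS:
            findings.append((a.name, "INACTIVE", "deactivate or delete"))
        if a.privileged:
            # Privileged access must be attributable to one named person
            if a.owner is None:
                findings.append((a.name, "NO_OWNER", "privileged account not tied to a named individual"))
            # Strong authentication: privileged accounts use PKI, not passwords
            if a.auth_method != "pki":
                findings.append((a.name, "NO_PKI", "privileged account not using PKI authentication"))
            # Least privilege: scope must not exceed what the role requires
            extra = a.scopes - ROLE_SCOPE.get(a.role, set())
            if extra:
                findings.append((a.name, "SCOPE_EXCEEDS", f"scope beyond role: {sorted(extra)}"))
    return findings

def reasons_for(findings, name):
    """Sorted violation codes for one account (helper for reporting/tests)."""
    return sorted(code for acct, code, _ in findings if acct == name)

# Constructed sample data
AUDIT_DATE = date(2016, 3, 31)
SAMPLE_ACCOUNTS = [
    Account("alice.adm", "Alice", True, "pki", "web-admin",
            AUDIT_DATE - timedelta(days=3), {"dmz-web"}),
    Account("admin", None, True, "password", "db-admin",
            AUDIT_DATE - timedelta(days=2), {"db-segment", "dmz-web"}),
    Account("bob", "Bob", False, "password", "user",
            AUDIT_DATE - timedelta(days=60)),
    Account("svc_report", "Carol", False, "pki", "user", None),
]

if __name__ == "__main__":
    for acct, code, msg in audit_accounts(SAMPLE_ACCOUNTS, AUDIT_DATE):
        print(f"{acct:12} {code:14} {msg}")
```

Run against the sample data, the shared `admin` account trips all three privileged-account rules, while `alice.adm` passes because she is a named owner, authenticates with a certificate and administers only a segment her role allows.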
“Ensuring devices are properly hardened increases the cost of, and complexity required for, successful exploitation attempts by the adversary,” the document states.
One of the first steps is to verify that each device on the network is mapped to a secure baseline configuration and that the information assurance (IA) team performs routine configuration validation scans. Coupled with vulnerability assessment scans, this confirms that patches are applied promptly and that only permitted ports, protocols and services are running.
Every finding must be tracked in a plan of action and milestones, with a mitigation plan, a remediation deadline and a severity rating recorded for each one.
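The two steps above, comparing a device against its baseline and turning each deviation into a tracked finding, fit together in one routine. The following is an added example, not code from the article or the DoD plan; the baseline, the severity-to-deadline mapping and the scan result are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumed remediation windows per severity (illustrative, not from the plan)
DUE_DAYS = {"high": 7, "medium": 30, "low": 90}

# Constructed secure baseline for one device class
BASELINE = {
    "web-server": {
        "allowed_pps": {("tcp", 443, "https"), ("tcp", 22, "ssh")},
        "settings": {"ssh.PermitRootLogin": "no",
                     "ssh.PasswordAuthentication": "no"},
        "max_patch_age_days": 21,
    }
}

@dataclass
class ScanResult:
    host: str
    device_class: str
    open_pps: set                        # {(proto, port, service)} seen listening
    settings: dict                       # observed configuration values
    oldest_missing_patch: Optional[date] # release date of oldest unapplied patch

@dataclass
class Finding:
    host: str
    severity: str
    description: str
    mitigation: str
    due: date            # milestone derived from severity

def evaluate(scan, scan_date):
    """Compare a scan against the device-class baseline; return POA&M findings."""
    base = BASELINE[scan.device_class]
    findings = []

    def add(sev, desc, mit):
        findings.append(Finding(scan.host, sev, desc, mit,
                                scan_date + timedelta(days=DUE_DAYS[sev])))

    # Ports/protocols/services outside the approved set
    for proto, port, svc in sorted(scan.open_pps - base["allowed_pps"]):
        add("high", f"unauthorized {svc} listening on {proto}/{port}",
            f"disable {svc} and block {proto}/{port} at the host firewall")

    # Configuration drift from the baseline settings
    for key, want in base["settings"].items():
        got = scan.settings.get(key)
        if got != want:
            add("medium", f"{key}={got!r}, baseline requires {want!r}",
                f"set {key} to {want} and re-run the validation scan")

    # Patch currency: overdue is high, pending-but-in-window is low
    if scan.oldest_missing_patch is not None:
        age = (scan_date - scan.oldest_missing_patch).days
        if age > base["max_patch_age_days"]:
            add("high", f"patch outstanding for {age} days",
                "apply pending patches immediately")
        else:
            add("low", f"patch pending for {age} days",
                "apply in next maintenance window")
    return findings

# Constructed scan of one host
SCAN_DATE = date(2016, 4, 1)
SAMPLE_SCAN = ScanResult(
    host="web01", device_class="web-server",
    open_pps={("tcp", 443, "https"), ("tcp", 22, "ssh"), ("tcp", 23, "telnet")},
    settings={"ssh.PermitRootLogin": "yes", "ssh.PasswordAuthentication": "no"},
    oldest_missing_patch=SCAN_DATE - timedelta(days=30),
)

if __name__ == "__main__":
    for f in evaluate(SAMPLE_SCAN, SCAN_DATE):
        print(f"{f.host} [{f.severity}] due {f.due}: {f.description} -> {f.mitigation}")
```

For the sample host this yields three findings: an unauthorized telnet listener and an overdue patch, both high severity with a seven-day milestone, and root SSH login enabled against the baseline, medium severity with a thirty-day milestone. Each entry carries the severity, mitigation and deadline the plan asks managers to record.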
IT managers must seek to reduce the attack surface, eliminating internet-facing servers from the core of the Department of Defense Information Network (DODIN), while ensuring that only authorized devices can access the infrastructure.
Managers who expose applications or systems to users over the commercial internet should have a migration plan to move them off the DODIN core and into a computing environment that does not require core-level protection.
“Monitoring activity at the perimeter, on the DODIN and on all DOD information networks, ensures rapid identification and response to potential intrusions,” the document states. For the IT professional, this means making sure you know exactly what’s happening on the network at all times.
A SIEM solution anchors this effort, providing log and event management among other benefits. Add a network traffic analyzer, particularly one that supports traffic forensics, and server monitoring to understand interdependencies inside and outside the network.
The DOD effort seeks a “persistent state of high enterprise cybersecurity readiness across the DOD environment,” the document states. This is the first phase of the department's security plan. With more to come, each step likely will focus on different DOD infrastructure areas. Our job? Be prepared.
Find the full article on Signal.