5 Fundamental Strategies for Cybersecurity

Level 11

Here's an interesting article from my colleague Joe Kim, in which he offers suggestions to reduce vulnerabilities.

Agencies should focus on the basics to protect against attacks

The government’s effort to balance cybersecurity with continued innovation was underscored in late 2016 with the publication of the Commission on Enhancing National Cybersecurity’s Report on Securing and Growing the Digital Economy. The report included key recommendations for cybersecurity enhancements, while also serving as a sobering reminder that “many organizations and individuals still fail to do the basics” when it comes to security.

But in today’s environment, agencies must focus on some basic but highly effective fundamentals to protect against potential attackers. Some of these involve simple security hygiene; others require more of an investment, both in capital and human resources, and long-range thinking.

Let’s take a look at five fundamental strategies that can help agencies build an advanced and solid security posture.

Embrace network modernization

The report says, “The President and Congress should promote technology adoption and accelerate the pace at which technology is refreshed within the federal sector … the government needs to modernize and ensure that this modernization can be sustained at a faster pace.”

Modern network technologies are better equipped to handle cyberattacks, are often easier to manage, and are more efficient. Most can work in any environment and adapt to changing threat conditions. They can also automatically detect and respond to potential attacks without the need for human intervention, mitigating the threats before damage occurs.

Modernization often leads to standardization, which means fewer device types and configurations to manage. This reduces vulnerability, because configurations can be refined, deployed, and maintained more easily.

Implement continuous monitoring

The commission states that “a security team has to protect thousands of devices while a malicious actor needs to gain access to only one.” This makes automated continuous monitoring extremely important.

A proper continuous monitoring solution contains a variety of components working together to strengthen an agency’s defenses against many attack methods. Those solutions could include log and event management tools that track login failures and make it easier to spot potential security incidents; device tracking solutions that can detect unauthorized network devices; or network configuration management solutions that can improve network compliance and device security. All of these can be done without human intervention, and most can be easily updated.

Remember to patch

Keeping software current with the latest patches and updates is an important threat deterrent, and almost impossible to do manually, given the amount of software that powers federal networks.

Automated patch management tools can analyze various software programs and scan for known vulnerabilities and available updates. These updates can be automatically applied as they become available, keeping software up-to-date and well-fortified against the latest threats.

Implement strong encryption

In the words of Edward Snowden, “Properly implemented strong encryption systems are one of the few things that you can rely on.” However, ensuring the security of data at rest and in flight is not necessarily an easy task, considering the hybrid cloud and IT environments that many agencies have adopted.

Still, strong encryption protocols must remain in place regardless of where the data resides, and data that travels from a hosted site must receive the same level of encryption—or, perhaps, an even greater level of encryption—than data that exists on-premises. The slightest vulnerability in an unencrypted network can be a window for cyberattackers, while solid, end-to-end encryption remains extremely difficult to penetrate, regardless of where the data exists.

Adopt the Cybersecurity Framework

While many agencies have adopted the NIST Cybersecurity Framework, there’s room for more to get on board. There are signs that the government plans to increase use and is working to ensure the framework’s continued growth. In March, the House Committee on Science, Space, and Technology passed a bill designed to encourage adoption of the framework.

This shows how serious the government is about balancing proactive cybersecurity with innovative technology. Agencies can support this effort by combining a few basic strategies with some long-term investments that will ultimately pay big security dividends.

Find the full article on SIGNAL.

16 Comments

There's loads of history to back this all up.  And those who fail to study history are doomed to repeat it.

I don't know a better example and source to reference and study for security and its strong and weak points than Snowden.  Say what you will about the man, his work has bettered the I.T. environment.

Level 14

All good points but, here, we are only allowed a two hour window every week to patch and, with overtime banned, we lose one of those hours.  One hour per week to keep 1000+ servers patched.  No patching allowed outside this window.  Management don't seem capable of understanding the risks.

Level 16

Thanks for the article! The more security the better. A side benefit from collecting logs for security is being able to mine that data for other metrics.

Level 13

Good Article

That's a tough task they put on you. It seems impossible to accomplish proper patching in this timeframe. Whatever brings the money is valued most... maybe something needs to happen first before the awareness is there.

Sad but this is how it usually works.

Level 14

It's a University run by academics who know nothing about IT but don't listen to us mere mortals who only have Degrees in Computer Science. They have Doctorates and/or are Professors of really useful stuff like medieval studies, so know better than us.

MVP

Good article

Level 13

I concur

Level 20

One thing's for sure: we have a LOT of monitoring tools. Not just Orion either.

I would like to add to Embrace network modernization. Standardization should also be heavily mentioned. The ability of the support professionals to identify the resources in the organization without having to refer to charts, spreadsheets, or High-Level Techs will help make the modernization and communication succeed.

MVP

Good set of best practices to set the foundation.

When I took over security for my company I was overwhelmed by the attention required to just satisfy the "basics." Almost two years later and I am still tackling the basics so that we can establish a baseline.

No patching timeframe in academics? There should be enough time to do proper patching there. The university I went to had patching weekends and patching timeframes during the night. When there was no class or no exams they could even reboot the systems at any given time.

Level 14

I agree, but reality trumps everything else. Patching window is 07:00 to 09:00 Tuesday and, as they won't pay overtime for it and no one starts before 08:00, we only get 1 hour per week for patching. It doesn't matter how much we rant and rave at them, they won't listen. I don't care anymore. I just wait for things to break; then the system is already down, so I take my time and fix everything to do with that system.

Level 16

Need to address internal security and physical security with just as much attention as external and log EVERYTHING.

Level 21

All good points! It's always a good idea to start with a basic Block & Tackle approach and then work your way up from there and not get distracted with the new shiny technology. Patching, for example, is not new and the tools to do it successfully have been around for a long time, but it often gets overlooked in a security approach because it's not fun, exciting or new shiny technology; it's difficult, messy and nobody really wants to deal with it. Also, "begin with the end in mind"; in other words, set out with some clear objectives on what you are going to implement, what important data you are going to collect and what you are going to do with that data.

About the Author
Paul Parker is a 25-year information technology industry veteran and expert in government. He leads SolarWinds’ efforts to help public sector customers manage the security and performance of their systems by using technology. Parker most recently served as vice president of engineering at Infoblox’s federal division. Before that, he served in C-level or senior management positions at Ward Solutions, Eagle Alliance and Dynamics Research Corp.