
Three Ways the Department of Defense Can Plug Security Holes

Omar Rafik, SolarWinds Senior Manager, Federal Sales Engineering

Here’s an interesting article by my colleague Brandon Shopp with ideas for improving security at the DoD by finding vulnerabilities and continuously monitoring agency infrastructure.

An early 2019 report from the Defense Department Office of Inspector General revealed how difficult it’s been for federal agencies to stem the tide of cybersecurity threats. Although the DoD has made significant progress toward bolstering its security posture, 266 cybersecurity vulnerabilities still existed. Most vulnerabilities have only been discovered within the past year—a sure sign of rising risk levels.

The report cited several areas for improvement, including continuous monitoring and detection processes, security training, and more. Here are three strategies the DoD can use to tackle those remaining 200-plus vulnerabilities.

1. Identify Existing Threats and Vulnerabilities

Identifying and addressing vulnerabilities will become more difficult as the number of devices and cloud-based applications on defense networks proliferates. Although government IT managers have gotten a handle on bring-your-own-device issues, undetected devices are still used on DoD networks.

Scanning for applications and devices outside the control of IT is the first step toward plugging potential security holes. Apps like Dropbox and Google Drive may be great for productivity, but they could also expose the agency to risk if they’re not security hardened.

The next step is to scan for hard-to-find vulnerabilities. The OIG report called out the need to improve “information protection processes and procedures.” Most vulnerabilities occur when configuration changes aren’t properly managed. Automatically scanning for configuration changes and regularly testing for vulnerabilities can help ensure employees follow the proper protocols and increase the department’s security posture.
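The two checks this section describes, discovering devices that IT does not know about and catching unmanaged configuration changes, can both be reduced to a comparison against an approved baseline. The script below is an added illustration written for this post; it is not code from the article, from Brandon Shopp, or from any SolarWinds product. Every MAC address, hostname and configuration line in it is constructed sample data, and the ARP-style listing stands in for whatever discovery source an agency actually uses (switch MAC tables, DHCP leases, NAC logs).

```python
"""Added example: reconcile observed devices against an approved asset
inventory, and report configuration drift against a hashed baseline.
All inventory entries, addresses and config contents are constructed."""
import difflib
import hashlib

# Constructed sample: approved asset inventory keyed by MAC address.
APPROVED_INVENTORY = {
    "00:1a:2b:3c:4d:01": "fileserver-01",
    "00:1a:2b:3c:4d:02": "workstation-17",
    "00:1a:2b:3c:4d:03": "printer-lobby",
}

# Constructed sample in the style of an `arp -a` listing; the third
# device is not in the inventory and should be flagged.
ARP_TABLE = """\
? (10.0.5.10) at 00:1a:2b:3c:4d:01 on eth0
? (10.0.5.22) at 00:1a:2b:3c:4d:02 on eth0
? (10.0.5.40) at 08:00:27:aa:bb:cc on eth0
? (10.0.5.41) at 00:1a:2b:3c:4d:03 on eth0
"""


def parse_arp(text):
    """Return (ip, mac) pairs from lines shaped like the sample above."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[2] == "at":
            entries.append((parts[1].strip("()"), parts[3].lower()))
    return entries


def find_unknown_devices(arp_text, inventory):
    """Devices seen on the wire whose MAC is absent from the inventory."""
    return [(ip, mac) for ip, mac in parse_arp(arp_text) if mac not in inventory]


# Constructed sample: the approved content of one configuration file.
BASELINE_CONFIGS = {
    "sshd_config": "PermitRootLogin no\nPasswordAuthentication no\n",
}


def digest(text):
    """SHA-256 of a config body; only the hash needs to be stored long term."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


BASELINE_HASHES = {name: digest(body) for name, body in BASELINE_CONFIGS.items()}


def check_drift(current_configs, baseline_configs):
    """Compare each current config against its baseline.

    Returns {file name: list of changed lines} for files that differ.
    A missing file is reported too, since a deleted hardening file is
    itself a change that should be reviewed."""
    drifted = {}
    for name, baseline in baseline_configs.items():
        current = current_configs.get(name)
        if current is None:
            drifted[name] = ["(file missing)"]
            continue
        # Cheap hash comparison first; only diff when the hash moved.
        if digest(current) == BASELINE_HASHES[name]:
            continue
        diff = difflib.unified_diff(
            baseline.splitlines(), current.splitlines(),
            fromfile="baseline", tofile="current", lineterm="",
        )
        drifted[name] = [
            line for line in diff
            if line.startswith(("+", "-")) and not line.startswith(("---", "+++"))
        ]
    return drifted


if __name__ == "__main__":
    for ip, mac in find_unknown_devices(ARP_TABLE, APPROVED_INVENTORY):
        print(f"unknown device {ip} ({mac}) is not in the approved inventory")
    # Constructed "current" state where root login was re-enabled.
    observed = {"sshd_config": "PermitRootLogin yes\nPasswordAuthentication no\n"}
    for name, changes in check_drift(observed, BASELINE_CONFIGS).items():
        print(f"config drift in {name}: {changes}")
```

In a real deployment the inventory would come from the agency's asset database and the config snapshots from a configuration-management pull, but the logic is the same: anything not in the approved set, and any file whose hash has moved, is a finding for someone to review before it becomes one of the OIG's counted vulnerabilities.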

2. Implement Continuous Monitoring, Both On-Premises and in the Cloud

While the OIG report specifically stated the DoD must continue to proactively monitor its networks, those networks are becoming increasingly dispersed. It’s no longer only about keeping an eye on in-house applications; it’s equally as important to be able to spot potential vulnerabilities in the cloud.

DoD IT managers should go beyond traditional network monitoring and look more deeply into the cloud services they use. The ability to see the entire network, including destinations in the cloud, is critically important, especially as the DoD becomes more reliant on hosted service providers.

3. Establish Ongoing User Training and Education Programs

A well-trained user can be the best protection against vulnerabilities, making it important for the DoD to implement a regular training cadence for its employees.

Training shouldn’t be relegated to the IT team alone. A recent study indicates insider threats pose some of the greatest risks to government networks. As such, all employees should be trained on the agency’s policies and procedures and encouraged to follow best practices to mitigate potential threats. The National Institute of Standards and Technology provides an excellent guide on how to implement an effective security training program.

When it comes to cybersecurity, the DoD has made a great deal of progress, but there’s still room for improvement. By implementing these three best practices, the DoD can build off what it’s already accomplished and focus on improvements.

Find the full article on Government Computer News.

13 Comments
Level 13

Thanks for the article!

MVP

Thanks for the article.

MVP

This applies to the private sector as well.

Level 13

Thanks for the article.

Level 12

Patching is always a good idea but DOD requirements seem to greatly delay the implementation of patches.

Level 13

This is truly the never ending battle. One of the most difficult things is finding / detecting vulnerabilities that you don't know about yet.

Level 12

I hope the DoD is doing these three things already!

Level 12

I wonder how long it will take the DOD to approve installing the CVE-2020-0601 patches. Weeks or months?

And I'm probably showing some ignorance here, but wouldn't effective use of 802.1x significantly reduce, if not eliminate, insecure BYOD usage?

Level 13

Interesting article. Thanks.

Level 9

This applies to all sectors of business; the cyber threats are not only for the big companies.

Thank you for the article.

Level 12

Thanks, very interesting!

MVP

Monitoring and training are keys to any business entity. Both tend to get ignored way too much. Monitoring is often built in a reactive way - Oops, why didn't we see that, better add it to the monitoring. It takes time to properly build a monitoring system and insight into what and why you might need information in the future.

Training tends to be "on the job," i.e. you'll figure it out. That doesn't work so well with security because, well, it's pretty obvious. Yet still most businesses don't invest in proper security training. The upfront cost of materials, trainers, time away from their regular jobs: it all seems expensive. I see training as both a need and an opportunity. Well done training not only provides information but also builds loyalty and friendships among the staff (again, that's proper training, not the boring, monotone, let's all just get through this so-called "training").

MVP

Everything we need to know!!! Thanks orafik. Believe it or don't... the Government, Department of Homeland Security... is doing a really good job assisting other government agencies... FOR FREE!!!