Threat Intelligence

12/5/2018
02:30 PM
Gus Hunt
Gus Hunt
Commentary
Connect Directly
LinkedIn
RSS
50%
50%

A Shift from Cybersecurity to Cyber Resilience: 6 Steps

Getting to cyber resilience means federal agencies must think differently about how they build and implement their systems. Here's where to begin.

Since federal agencies have been connected to the Internet, government cyber activities have focused on protecting government information, operations, and assets against intrusions from cyber threats.

Although this security-driven focus has had beneficial effects, the cyber-threat landscape is moving at a far greater velocity, with a far larger threat landscape, and is growing more complex than federal agencies — or any other organization — can keep pace with. We must now admit that absolute cybersecurity is absolutely impossible. The issue is not whether our defenses will be breached but when they will be.

This is why we must shift from a reactive approach to a more proactive stance. We must place far more attention toward making federal systems and networks resilient — that is, being able to continuously deliver the intended outcome despite adverse cyber events.

There is some good news. Agencies have made progress in their cybersecurity preparedness, which they can continue to build upon. In Accenture's recent 2018 State of Cyber Resilience survey, federal cybersecurity professionals report that they can now stop 87% of cyberattacks aimed at our systems. In Accenture Federal's Nature of Effective Defense research, federal respondents also rated themselves as competent or highly competent in 21 out of 33 foundational cybersecurity capabilities that are defined as essential to cyber preparedness. The top five areas respondents feel most confident about are: risk analysis, cybersecurity architecture approach, cyber-incident escalation paths, peer monitoring, and cyber-incident recovery.

There has been legislative progress as well: Last year, President Trump issued an executive order to strengthen the cybersecurity of federal networks and critical infrastructure, and Congress passed into law the Modernizing Government Technology (MGT) Act, which will expand federal IT modernization efforts. In May, the Department of Homeland Security (DHS) released a new cybersecurity strategy that places greater emphasis on building resilience into federal networks. In July, DHS announced the new National Risk Management Center to better coordinate responses to attacks and remediate their impact. And this September, the White House unveiled a new National Cyber Strategy that aims to improve the resilience of federal and critical infrastructures.

While these are all welcome developments, far more progress must be made. In May, a report by the Office of Management and Budget and DHS found that 71 of 96 agencies (74%) have cybersecurity programs that are either at risk or high risk. A Government Accountability Office (GAO) report in September found that agencies have not implemented roughly a thousand recommendations it has made to improve federal cybersecurity. In addition, in the Accenture State of Cyber Resilience survey, federal respondents ranked themselves least competent in several key capabilities, such as: identifying high-value assets and business, designing for the protection of key assets to improve resilience readiness, and cybersecurity investments for key assets.

Getting to cyber resilience requires that agencies think differently about how they build and implement their systems, particularly as they modernize their IT infrastructures. The following six steps, when embedded in agencies' modernization efforts and done in conjunction with the business process improvements identified by the State of Cyber Resilience survey, will help federal agencies transition to a cyber-resilience posture:

  1. Be brilliant at the basics. That includes routine maintenance tasks, such as patches, updates, and access permissions.
  2. Embrace the cloud for security. With the cloud, agencies can take advantage of elastic workloads, multizone computing, and multicloud strategies that make it exponentially more difficult for adversaries to find and harm them
  3. Implement data-centric security. Techniques such as encryption, tokenization, segmentation, throttle access, marking, tagging, strong identity and access management, and automated access decisions help ensure data security is embedded in day-to-day operations.
  4. Demand application security by design. Adopt DevSecOps practices and use automated scanning and testing to continually identify potential vulnerabilities. Consider applying polymorphic coding techniques to constantly shape-shift the application attack surface to frustrate and raise the cost for the adversary.
  5. Leverage software-defined networking. Adversaries can't attack what they can't find. Software-defined networking enables agencies to constantly shape-shift their networks, sending adversaries on wild goose chases.
  6. Engage in proactive defense. Apply artificial intelligence and security automation and orchestration tools to detect and act at machine speed. Constantly probe and pressure test the IT environment to find vulnerabilities before attackers do. Fully leverage threat intelligence to better know the adversary and focus on the most important threats.

Knowing that federal agencies will continue to be under increasingly sophisticated attacks demands a shift in focus toward cyber resilience. It's also important to remember we got here one system, one application at a time, and that’s the same way we will get out of this problem. These six steps, adopted in any order, will help get us to a state of cyber resilience. 

Related Content:

 

Gus Hunt is Managing Director and Cyber Strategy Lead for Accenture Federal Services. He is responsible for developing differentiated approaches to dealing with the cyber threat environment and growing AFS's cyber practice. Before joining AFS, Hunt was chief architect and the ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
markgrogan
50%
50%
markgrogan,
User Rank: Apprentice
12/12/2018 | 12:37:00 AM
Hit it first
These 2 terms really create a huge contrast between having to salvage our situation or being able to prevent that very difficult situation from even happening. In business, the latter is usually a huge cost-saver and at some instances, a complete life-saver for the security team. If we can foresee that big risks are about to come our way, why not hit it before we get hit?
Higher Education: 15 Books to Help Cybersecurity Pros Be Better
Curtis Franklin Jr., Senior Editor at Dark Reading,  12/12/2018
Worst Password Blunders of 2018 Hit Organizations East and West
Curtis Franklin Jr., Senior Editor at Dark Reading,  12/12/2018
2019 Attacker Playbook
Ericka Chickowski, Contributing Writer, Dark Reading,  12/14/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
The Year in Security 2018
This Dark Reading Tech Digest explores the biggest news stories of 2018 that shaped the cybersecurity landscape.
Flash Poll
[Sponsored Content] The State of Encryption and How to Improve It
[Sponsored Content] The State of Encryption and How to Improve It
Encryption and access controls are considered to be the ultimate safeguards to ensure the security and confidentiality of data, which is why they're mandated in so many compliance and regulatory standards. While the cybersecurity market boasts a wide variety of encryption technologies, many data breaches reveal that sensitive and personal data has often been left unencrypted and, therefore, vulnerable.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-19790
PUBLISHED: 2018-12-18
An open redirect was discovered in Symfony 2.7.x before 2.7.50, 2.8.x before 2.8.49, 3.x before 3.4.20, 4.0.x before 4.0.15, 4.1.x before 4.1.9 and 4.2.x before 4.2.1. By using backslashes in the `_failure_path` input field of login forms, an attacker can work around the redirection target restricti...
CVE-2018-19829
PUBLISHED: 2018-12-18
Artica Integria IMS 5.0.83 has CSRF in godmode/usuarios/lista_usuarios, resulting in the ability to delete an arbitrary user when the ID number is known.
CVE-2018-16884
PUBLISHED: 2018-12-18
A flaw was found in the Linux kernel in the NFS41+ subsystem. NFS41+ shares mounted in different network namespaces at the same time can make bc_svc_process() use wrong back-channel id and cause a use-after-free. Thus a malicious container user can cause a host kernel memory corruption and a system ...
CVE-2018-17777
PUBLISHED: 2018-12-18
An issue was discovered on D-Link DVA-5592 A1_WI_20180823 devices. If the PIN of the page "/ui/cbpc/login" is the default Parental Control PIN (0000), it is possible to bypass the login form by editing the path of the cookie "sid" generated by the page. The attacker will have acc...
CVE-2018-18921
PUBLISHED: 2018-12-18
PHP Server Monitor before 3.3.2 has CSRF, as demonstrated by a Delete action.