Threat Intelligence

12/5/2018 02:30 PM
Gus Hunt
Commentary

A Shift from Cybersecurity to Cyber Resilience: 6 Steps

Getting to cyber resilience means federal agencies must think differently about how they build and implement their systems. Here's where to begin.

Since federal agencies have been connected to the Internet, government cyber activities have focused on protecting government information, operations, and assets against intrusions from cyber threats.

Although this security-driven focus has had beneficial effects, the threat landscape is expanding and changing faster, and growing more complex, than federal agencies (or any other organization) can keep pace with. We must now admit that absolute cybersecurity is impossible. The issue is not whether our defenses will be breached but when.

This is why we must shift from a reactive approach to a more proactive stance. We must place far more attention toward making federal systems and networks resilient — that is, being able to continuously deliver the intended outcome despite adverse cyber events.

There is some good news. Agencies have made progress in their cybersecurity preparedness, which they can continue to build upon. In Accenture's recent 2018 State of Cyber Resilience survey, federal cybersecurity professionals report that they can now stop 87% of cyberattacks aimed at our systems. In Accenture Federal's Nature of Effective Defense research, federal respondents also rated themselves as competent or highly competent in 21 out of 33 foundational cybersecurity capabilities that are defined as essential to cyber preparedness. The top five areas respondents feel most confident about are: risk analysis, cybersecurity architecture approach, cyber-incident escalation paths, peer monitoring, and cyber-incident recovery.

There has been policy and legislative progress as well: Last year, President Trump issued an executive order to strengthen the cybersecurity of federal networks and critical infrastructure, and Congress passed into law the Modernizing Government Technology (MGT) Act, which will expand federal IT modernization efforts. In May, the Department of Homeland Security (DHS) released a new cybersecurity strategy that places greater emphasis on building resilience into federal networks. In July, DHS announced the new National Risk Management Center to better coordinate responses to attacks and remediate their impact. And this September, the White House unveiled a new National Cyber Strategy that aims to improve the resilience of federal and critical infrastructures.

While these are all welcome developments, far more progress must be made. In May, a report by the Office of Management and Budget and DHS found that 71 of 96 agencies (74%) have cybersecurity programs that are either at risk or high risk. A Government Accountability Office (GAO) report in September found that agencies have not implemented roughly a thousand recommendations it has made to improve federal cybersecurity. In addition, in the Accenture State of Cyber Resilience survey, federal respondents ranked themselves least competent in several key capabilities, such as: identifying high-value assets and business, designing for the protection of key assets to improve resilience readiness, and cybersecurity investments for key assets.

Getting to cyber resilience requires that agencies think differently about how they build and implement their systems, particularly as they modernize their IT infrastructures. The following six steps, when embedded in agencies' modernization efforts and done in conjunction with the business process improvements identified by the State of Cyber Resilience survey, will help federal agencies transition to a cyber-resilience posture:

  1. Be brilliant at the basics. That includes routine hygiene tasks such as patching, updates, and regular review of access permissions.
  2. Embrace the cloud for security. With the cloud, agencies can take advantage of elastic workloads, multizone computing, and multicloud strategies that make it far more difficult for adversaries to find and harm them.
  3. Implement data-centric security. Techniques such as encryption, tokenization, segmentation, throttled access, marking, tagging, strong identity and access management, and automated access decisions help ensure data security is embedded in day-to-day operations.
  4. Demand application security by design. Adopt DevSecOps practices and use automated scanning and testing to continually identify potential vulnerabilities. Consider applying polymorphic coding techniques that continually change the application's attack surface, frustrating the adversary and raising their cost.
  5. Leverage software-defined networking. Adversaries can't attack what they can't find. Software-defined networking lets agencies reconfigure their networks continuously, so an adversary's reconnaissance goes stale and sends them on wild goose chases.
  6. Engage in proactive defense. Apply artificial intelligence and security automation and orchestration tools to detect and act at machine speed. Constantly probe and pressure-test the IT environment to find vulnerabilities before attackers do. Fully leverage threat intelligence to better know the adversary and focus on the most important threats.
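To make step 3 concrete, the following is an added example (not code from the article or from Accenture) showing how three of the techniques it names fit together: sensitive fields are tokenized at ingest so only a vault holds cleartext, every record carries a classification tag, and an automated policy decision compares the caller's attributes against that tag before any cleartext is released. The clearance ladder, tag vocabulary, field names, `privacy_officer` role and sample record are all assumptions made for the example.

```python
"""Added example: tokenization, classification tags and automated access decisions."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Hypothetical clearance ladder and tag vocabulary (assumed for this example).
CLEARANCE_RANK = {"public": 0, "internal": 1, "restricted": 2}
TAG_MIN_CLEARANCE = {"PUBLIC": "public", "INTERNAL": "internal", "PII": "restricted"}
SENSITIVE_FIELDS = {"ssn", "email"}  # fields that are tokenized at ingest (assumed)


@dataclass(frozen=True)
class Subject:
    user: str
    roles: frozenset
    clearance: str


def decide(subject, action, tag):
    """Policy decision point: returns (allowed, reason). Unknown tags are denied."""
    required = TAG_MIN_CLEARANCE.get(tag)
    if required is None:
        return False, f"unknown classification tag {tag!r}"
    if CLEARANCE_RANK[subject.clearance] < CLEARANCE_RANK[required]:
        return False, f"{subject.user}: clearance {subject.clearance} below {required} for {tag}"
    if action == "detokenize" and tag == "PII" and "privacy_officer" not in subject.roles:
        return False, f"{subject.user}: PII detokenization needs the privacy_officer role"
    return True, "ok"


class TokenVault:
    """Holds the only copy of sensitive cleartext; everything else sees tokens."""

    def __init__(self, key):
        self._key = key
        self._store = {}

    def tokenize(self, value):
        # Keyed HMAC: the same value always maps to the same token, so joins and
        # lookups keep working, but the mapping cannot be reproduced without the key.
        digest = hmac.new(self._key, value.encode(), hashlib.sha256).hexdigest()
        token = "tok_" + digest[:24]
        self._store[token] = value
        return token

    def detokenize(self, token, subject, tag):
        # Every release of cleartext goes through the policy decision.
        allowed, reason = decide(subject, "detokenize", tag)
        if not allowed:
            raise PermissionError(reason)
        return self._store[token]


def ingest(vault, tag, fields):
    """Tag the record and tokenize its sensitive fields before it is stored."""
    record = {"tag": tag}
    for name, value in fields.items():
        record[name] = vault.tokenize(value) if name in SENSITIVE_FIELDS else value
    return record


def view(vault, record, subject):
    """Return the record as this subject is allowed to see it."""
    allowed, reason = decide(subject, "read", record["tag"])
    if not allowed:
        raise PermissionError(reason)
    out = dict(record)
    for name in SENSITIVE_FIELDS & record.keys():
        try:
            out[name] = vault.detokenize(record[name], subject, record["tag"])
        except PermissionError:
            pass  # token stays in place: the application keeps working on masked data
    return out


if __name__ == "__main__":
    vault = TokenVault(secrets.token_bytes(32))  # in practice the key lives in an HSM or secrets manager
    rec = ingest(vault, "PII", {"name": "J. Doe", "ssn": "123-45-6789"})  # constructed sample record
    analyst = Subject("analyst", frozenset({"analyst"}), "restricted")
    officer = Subject("officer", frozenset({"privacy_officer"}), "restricted")
    print(view(vault, rec, analyst))  # ssn is still a token
    print(view(vault, rec, officer))  # ssn is cleartext
```

The resilience point is in `view`: a denied detokenization does not fail the request, it degrades it, so a compromised analyst account or a misconfigured downstream system yields tokens rather than Social Security numbers. The deterministic HMAC tokens are only as strong as the vault key; low-entropy values such as SSNs can be brute-forced if that key leaks, so the key, not the token table, is the asset to protect.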

Knowing that federal agencies will continue to face increasingly sophisticated attacks demands a shift in focus toward cyber resilience. It is also worth remembering that we got here one system, one application at a time, and that is the same way we will get out of this problem. These six steps, adopted in any order, will help get us to a state of cyber resilience.

Gus Hunt is Managing Director and Cyber Strategy Lead for Accenture Federal Services. He is responsible for developing differentiated approaches to dealing with the cyber threat environment and growing AFS's cyber practice. Before joining AFS, Hunt was chief architect and the ...