BeyondTrust was a proud sponsor of several great federally focused events over the last few months, including the AFCEA DC Cyber Summit and the AFCEA Bethesda Health IT Summit. These events are important platforms that bring government and industry together to explore ways to carry out the business of the country more efficiently and effectively.
These events all featured impressive keynotes and panel discussions. A few interesting remarks stuck with me.
The DC Cyber Summit featured a keynote by Retired Brigadier General Gregory Touhill, the new Federal CISO. He shared his vision and outlined five lines of effort in his strategy to improve federal cybersecurity: strengthening the workforce, treating information as an asset, doing the right things the right way, continuing innovation, and making informed cyber risk decisions. Touhill pointed out that “best practices achieve compliance, compliance does not always achieve best practices.” So, from the highest levels of federal cybersecurity strategy, the focus is back to basics: people, processes, and then technology.
At the Bethesda Health IT Day, the discussion centered on protecting the PII and privacy of patients. Medical devices as an attack vector dominated the cybersecurity panel discussion, where it became clear that once again the device was not the target but rather a pathway to move laterally through an environment and compromise elevated privileges. The goal is capturing high-value data, like the vast collection of chest x-rays stolen recently by exploiting an open pathway through a medical imaging device. Who would have thought that would be a target?
Thwarting the Adversary
A frequently used method for breaching federal information systems has been to enter the information system through a known software vulnerability and ultimately capture and exploit privileged credentials. Even with this well-documented threat, the Department of the Interior Inspector General recently reported that the DOI is struggling to manage thousands of software vulnerabilities, leaving its systems at extreme risk. It is time for agencies to take a hard look at their Privileged Access Management and Vulnerability Management capabilities as part of a layered cyber strategy. With all we know about the widespread exploitation of privileged credentials and software vulnerabilities, it makes no sense not to. This is a back-to-basics building block in line with General Touhill’s lines of effort. That said, we also know it is not so simple in the complex federal IT environment. So what can federal IT professionals do?
Explore a Solution with the Experts
In the recent webinar, Defense in Depth: Implementing a Layered Privileged Password Security Strategy, Nick Cavalancia, Founder/Chief of Techvangelist, explores one of the greatest challenges faced today by federal IT professionals: “How are you supposed to know which security measures are appropriate for a given privileged account without trampling on a user’s productivity?” Check out this on-demand program.
I think you’ll find it a valuable tool on the path to assessing and assigning appropriate risk values to the various accounts in your government information systems. Not everything should be treated equally.
When your agency is ready to explore options to mitigate federal data breach risks, contact us for a strategy session. BeyondTrust has the experience and solutions to help.