FISMA 2016... The Best of Times, the Worst of Times

Depending on the news outlet you visit the 2016 FISMA report could signal the cyber apocalypse, with huge cybersecurity gaps and 16 major cyber incidents in the year. Or, it could be sunny skies with twice as many agencies meeting goals than in the year prior and considerable progress in increasing the cyber workforce. Whether optimistic or pessimistic in your view, the fact remains that nearly 50% of federal agencies reviewed didn’t make the grade; there were just short of 31,000 cyber incidents across thousands of aging IT systems. Federal IT is a complex risky environment that has some distance to go to be secure.

Privilege Abuse & Misuse was at the Center of Many Cyber Incidents

4,130 cyber incidents were the result of improper usage, the “violation of an organization’s acceptable usage policies by an authorized user”. Of the 16 major incidents, 11 involved employee improper usage and exfiltration of large amounts of highly sensitive data. We have two words for this problem... Least Privilege.

Called out in the Access Control Family of NIST SP800-53, and as part of the Protect functional area of the NIST Cybersecurity Framework, the principle of least privilege is based on mitigating risk from insider threats by limiting access to the lowest level user rights still allowing employees to do their jobs. This limits exposure of sensitive information or inappropriate access to privileges that would allow unauthorized changes within the information system.

Steps to Balancing Security and Productivity

Some are resistant to implementing least privilege for a variety of reasons, but often it is to avoid slowing down the business at hand, or to avoid overburdening an already stretched IT team. But, folks, if you were one of those agencies reporting the 16 major incidents, I’ll guarantee that’s far more inconvenient than an occasional call about user access. Here are a few steps to take to mitigate the majority of incidents described in the FISMA report:

• To support efficiencies, grant privileges to applications and tasks, not users. This means the user is never granted administrator credentials but has access to the applications needed.

• To gain a full picture of privilege activity, analyze privilege password, user and account behavior. This is the key to uncovering emerging privilege escalation threats, pinpointing and reporting on at risk systems, then actively removing the threat. Least privilege doesn’t just mitigate insider threats; it also prevents lateral movement within a system should a breach occur.

Don’t be one of the over 30,000 incidents reported in the next FISMA report. Check out these great resources to start on the path to locking down your agency privileges today.

[Blog] What Is Least Privilege & Why Do You Need It?

When your agency is ready to explore options to mitigate Federal data breach risks, contact us for a strategy session. BeyondTrust has the experience and solutions to help.