In a few months we’ll have a new Administration in Washington and a chance to update our national security policies. So it’s a good time to reflect on what we might want to do differently for cybersecurity.
A quick search on the Internet will reveal many national cybersecurity initiatives. However, given the recent theft of DNC emails and the DDoS attack on Dyn, it’s evident that current initiatives aren’t working. The question to ask is why? The quick answer is that we don’t have a national cybersecurity strategy that everyone can implement.
Click on any cybersecurity initiative you desire and you’ll find comprehensive strategies developed by smart security experts. While well intentioned, the writers make the common mistake of laying out cybersecurity strategies that are too complex for most organizations. Apart from the top 0.1% of US organizations (financial institutions and intelligence agencies), the 99.9% simply don’t have the resources to implement anything complex.
A workable national cybersecurity strategy needs to be built from simple tasks the 99.9% can implement to mitigate the most common cyber attacks. For those organizations that have a higher threat profile, the strategy should also offer a clear path to step up their security posture when called for. Thus we need a basic requirement that everyone can implement (without exception) plus a step-up path when necessary.
Another challenge in developing a national cybersecurity strategy that is uniquely American is that we are an open society where the bulk of IT tasks are outsourced. Thus cyber attackers know exactly what we’re doing. A national cybersecurity strategy must be based on verifiable tasks (not secret activities) that reduce cyber risk.
So here are three things the nation can do to make itself less vulnerable to cyber attacks:
1/ Implement 2-Factor Authentication
Basic: Implementing two-factor authentication is the simplest mitigation against credential theft. The great thing about 2-factor is that there are so many free or low-cost solutions out there, from mobile phone text messages to soft client tokens to email verification. So there’s really no excuse not to do this!
Step-up: For those organizations desiring to step up from 2-factor, there are new attribute-based access control solutions like software defined perimeter (SDP) that verify device and user identity as well as check for software tampering.
2/ Encrypt Data Stores
Basic: Application data stores, email servers and collaboration applications should all have their data encrypted. Ideally the private key should be kept on a different physical server from the storage unit and should only be accessible with 2-factor authentication.
Step-up: The next step up from encrypting data on servers is keeping it encrypted on users’ devices. This requires a bit more work, such as issuing and managing device certificates, but makes it more difficult for cyber attackers to get to data even if they compromise the user’s device.
3/ Lockdown Servers
Basic: Scanning for open server ports is a favorite technique of cyber attackers for gaining entry to an organization. Thus closing unused interfaces is one of the easiest mitigation techniques. This can be done by configuring the internal firewall on Internet-facing application servers.
Step-up: Implement the OWASP Top 10 controls to further ensure your Internet-facing servers are not vulnerable to front-door attacks. Additionally, locking down internal servers with host-based firewalls or software defined networking (SDN) is also recommended for those organizations with higher risk profiles.
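To make the basic step concrete, here is an added example (not from the original post) that audits a server’s listening TCP ports against an allow-list and emits the default-deny nftables ruleset that would close everything else. It assumes a Linux host with nftables; the listener snapshot and the allow-list of ports 22 and 443 are constructed sample data, not taken from any real server.

```shell
#!/bin/sh
# Constructed sample in the format of `ss -Hltn` output
# (columns: State Recv-Q Send-Q Local:Port Peer:Port). Not real data.
SAMPLE_LISTENERS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 511 0.0.0.0:443 0.0.0.0:*
LISTEN 0 80 127.0.0.1:3306 0.0.0.0:*
LISTEN 0 128 0.0.0.0:8080 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*'

# Ports this Internet-facing web server is meant to expose (assumption).
ALLOWED_PORTS="22 443"

# Read ss-style lines on stdin; print unique non-loopback listening ports.
# Loopback-only services (127.0.0.1 / [::1]) are not reachable from outside,
# so they are left out of the report.
listening_ports() {
  awk '$4 !~ /^127\./ && $4 !~ /^\[::1\]/ { n = split($4, a, ":"); print a[n] }' \
    | sort -un
}

# Print listening ports that are NOT on the allow-list: these are the
# "unused interfaces" to close (or services to stop) before exposing the host.
unexpected_ports() {
  for p in $(printf '%s\n' "$SAMPLE_LISTENERS" | listening_ports); do
    case " $ALLOWED_PORTS " in
      *" $p "*) ;;            # allowed, nothing to report
      *) echo "$p" ;;         # not on the allow-list
    esac
  done
}

# Emit a default-deny inbound ruleset that admits only ALLOWED_PORTS plus
# replies to established connections and loopback traffic.
nft_ruleset() {
  _ports=$(echo $ALLOWED_PORTS | tr ' ' ',')
  cat <<EOF
table inet lockdown {
  chain input {
    type filter hook input priority 0; policy drop;
    ct state established,related accept
    iif lo accept
    tcp dport { $_ports } ct state new accept
  }
}
EOF
}

# Read-only usage: report what would be closed, then print the ruleset.
# Review it, then load it with: nft -f <file>
unexpected_ports
nft_ruleset
```

Run the audit with live data by replacing the sample with `ss -Hltn | listening_ports`; the ruleset is only printed here so it can be reviewed before being applied.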
Looking at this short list, you’ll find the recommended tasks have been around for decades. While not fancy, they’re proven to be effective. More important, there’s no excuse for everyone not being able to implement them! One can only speculate how history might have been different if the DNC had encrypted its email storage system and implemented 2-factor, or whether stronger authentication would have lessened the DDoS attack on Dyn.
A national cybersecurity strategy is well within our reach. We just need to align available security tools and techniques against the most common threats. There is no reason why this cannot be done.