Rick Holloway | September 23, 2015
The Federal Government’s 30-day Cybersecurity Sprint ended earlier this summer, but the real work continues. Government agencies and equipment manufacturers are awaiting the results of the ongoing cybersecurity review and the release of the Federal Civilian Cybersecurity Strategy – expected soon – but the preliminary principles of the strategy are intriguing on their own.
One thing that’s clear – and not at all surprising – is the government believes the approach to the increasing cybersecurity challenge is both behavioral and equipment-focused. There is no magic bullet piece of hardware or software that will provide adequate protection against all of today’s security threats, but a combination of threat awareness, adherence to best practices and deploying and properly using today’s hardened technologies can reduce risks.
There are eight key principles that will form the foundation of the Federal Civilian Cybersecurity Strategy. They are:
1. Protecting Data: Better protect data at rest and in transit.
2. Improving Situational Awareness: Improve indication and warning.
3. Increasing Cybersecurity Proficiency: Ensure a robust capacity to recruit and retain cybersecurity personnel.
4. Increase Awareness: Improve overall risk awareness by all users.
5. Standardizing and Automating Processes: Decrease time needed to manage configurations and patch vulnerabilities.
6. Controlling, Containing, and Recovering from Incidents: Contain malware proliferation, privilege escalation, and lateral movement. Quickly identify and resolve events and incidents.
7. Strengthening Systems Lifecycle Security: Increase inherent security of platforms by buying more secure systems and retiring legacy systems in a timely manner.
8. Reducing Attack Surfaces: Decrease complexity and number of things defenders need to protect.
I doubt anyone would disagree with those points. But what can we infer if we take a closer look?
It’s not called out specifically, but a consistent theme is access awareness and control. We live in a time when everything is connected—and needs to be, to ensure our data, our networks, our lives move at the speed the world demands. But every connection is an access point, and every access point is a potential vulnerability. Understanding where those access points are and securing them through both technology and best practices is a significant first step in securing a network. This can be as simple as proper credential and password controls.
The point about replacing less secure legacy systems with more secure, modern technologies is important. While there are limits to the effectiveness of software updates and patches, equipment replacement can be costly. Organizations that value security will put plans in place to upgrade equipment over time—and the sooner they start, the better.
One of the more interesting and encouraging points in the preliminary list is the bullet about recruiting and training cybersecurity personnel. This reflects a necessary awareness of the nature of these threats. They aren’t static; hackers are evolving and devising new attacks and tactics every day. It’s critical that our IT personnel maintain the same vigilance and dedication to security and threat education.
Of course, these are simply preliminary indications of the government’s thinking. We’ll know more when the Federal CIO releases the final Federal Civilian Cybersecurity Strategy, and we’ll take a closer look at that strategy and what it means at that time.
For More Blogs and News from Emerson Network Power Click Here