By now CIOs across the federal government have seen Emergency Directive 19-1 issued by the Department of Homeland Security, which was issued in response to cyberattacks on DNS infrastructure for several executive branch agency domains. In these attacks, outsiders compromised user accounts that were authorized to change or manipulate DNS records. The attackers were able to alter those records and direct user traffic to their own infrastructure for manipulation. As the DNS changes originated from a known good account with proper credentials, the attacks did not trigger any alerts. They also were not visible to the end user.
Once upon a time, all it took to keep your agency protected against these types of attacks was to build a really good perimeter that stood between everything in your enterprise and anything that didn’t belong. Threats had to break through the firewall to gain access to your information. Now, as these recent attacks expose, they can come through the front door undetected. And this certainly isn’t the first example. A 2017 Verizon Breach Investigative Report found that 80% of hacking-related breaches leveraged weak, default, or stolen passwords. The State of Cybersecurity Report 2018 notes that 29% of breaches used personally identifiable information combined with user credentials. The headlines are full of data losses that originate from inside of well-built perimeters.
What does this mean for CIOs? We are back to security basics. Attackers will often search for the weakest link in the agency’s security posture. With the ever growing sprawl of user accounts, critical resources, and touch points into the network, focusing on the perimeter is completely inadequate. Even the best perimeter can’t protect you from inside threats, which occur not only because of rogue employees, but because of theft of employee personal information and passwords that grant attackers access to the inside of your perimeter. Passwords are vulnerable to hackers because they are often created using personal information – which in today’s world is no longer “secret” knowledge. Biographical and geographical data is just as accessible to hackers as it is to the owners of the data themselves.
NIST agrees. In 2017, NIST published Digital Identity Guidelines, which requires government agencies and contractors who process, store, and transmit data to implement strong authentication controls. The Levels of Assurance measures are gone, and have been replaced with more rigorous security measures for the authentication process segmented into three Authenticator Assurance levels as determined by the sensitivity of the information.
These recent attacks should serve as a wake-up call for technology professionals to re-examine the policies and methodologies of cyber threat hunting. Federal agencies need to tighten security via identity proofing and strict authenticators on the inside so that the perimeter isn’t the only thing keeping would be attackers from accessing your precious information.
Security at the Application Level, Not the User Level
Both multi-factor and zero-trust authentication offer a security model that shifts the point of access conversation from traditional, perimeter-based security where anyone with the credentials can access everything inside from any device to individual application security. Application-based security utilizes user identity, the trustworthiness of the device, and established security policies to grant access to that one application. It is a more scalable approach to security that protects every attack surface by validating every point of access.
The latest trends in authentication don’t rely on privacy-protected personal information. They use biometric information that is unique to that individual user – and is hard to compromise. Authentication can occur through applications specifically designed for that purpose, offering another level of secured user verification.
Meeting the Directive and Achieving Mission Success
Looking back to the directive, federal agencies have been charged with some clear remediation steps for this latest attack:
- Audit DNS records for change
- Change passwords of all accounts with access to manipulate DNS records
- Layer multi-factor authentication (MFA) onto all accounts with such access
- Monitor certificate logs
Given the possible breadth of the data compromise and the severity of the directive, facilitating a reasonable method to quickly add MFA or the stronger zero-factor authentication to all accounts is imperative. To achieve mission success, agencies should take a close look at DUO Security, which was recently acquired by Cisco. Duo offers an impressively easy way to layer on MFA with a minimal disruption to the user while incorporating the latest methods of authentication. Through its authentication application, DUO sits between your points of access and your network. Authentication operates via Universal 2nd Factor (U2F), a more secure means of authentication facilitating push notifications in comparison with less secure SMS (text) based methods. DUO works with PIV/CAC and meets common federal technology requirements, including NIST 800-63-3 and 53/63/171 authentication. DUO can also provide an additional layer of control by limiting account access to known methods of attacks – blocking access based on location of request or anonymous networks. These capabilities will protect agencies from the types of attacks that caused this recent directive.
Zero-Trust Authentication in the Cloud
Adopting MFA will meet the immediate DHS directive. The ultimate goal should be zero-trust authentication. As agencies develop and implement plans to move their applications to the cloud to meet federal mandates, this is the perfect time to get the tightest security offered by zero-trust authentication because applications are already being reviewed to ensure they are cloud ready. This review should include a full security analysis, with an eye on the best way to keep that application safe against threats both inside and outside of your perimeter. Adopting a zero-trust authentication solution is a good way to ensure that only the people who are authorized to access your information are doing so.
Sirius Federal is the Network Security company and a Cisco Gold Partner. We have a wealth of knowledge and experience with building, integrating, and launching security measures across agencies. We can help protect your agency and meet the requirements of the DHS directive – and achieve your mission.
Co-authored by Sirius Federal’s Eric Stuhl, Director, Security and Enterprise Networking, and JR Silverthorne, Business Development Engineer. Contact us for more information.
March 22, 2022
Zero-Trust: Cloud Security for the Federal Government
As federal agencies modernize and move into the future with new initiatives such as AI, cloud, analytics, new infrastructure, capabilities and programs, they will need to consider how their security solutions must advance and modernize to keep pace.
April 27, 2021
How Zero-Trust Authentication Impacts Your Agency’s Modernization Plans
There was a time when all it took to keep your agency protected against data breaches and cybersecurity threats was a robust perimeter that stood between everything in your enterprise and everything outside. Threats had to break through security controls…
April 1, 2020
Network Security in a Remote World
Five Tips to Help Federal Technology Teams Keep Their Networks Secure with a Remote Workforce With the Office of Management and Budget’s (OMB) mandate for federal agencies to implement policies and procedures to slow the spread of the COVID-19 virus,…
March 16, 2020
Protecting Federal Agencies from Phishing and Ransomware Attacks
As we spend an increasingly large percentage of our time online, we’ve become aware of the malicious tactics used to trick us into downloading malware or betraying our credentials. However, when we’re not paying attention, serious trouble can take us…
February 26, 2020
Using the CDM Program to Keep Up with Compliance in the Digital Age
As the Homeland Security Department’s Continuous Diagnostics and Mitigation program enters its seventh year, its positive impact on federal agencies' cybersecurity is clear. Since implementation, Homeland Security has been able to field and navigate over 35,000 security incidents, and fiscal…
October 29, 2019
4 Security Lessons Federal IT Pros Can Teach the Private Sector
Whether in the private or federal space, there's one thing all IT security teams must deal with: making the most of limited resources to protect sensitive information. And while budgets are slow to increase, threats develop fast. Anyone with an…
May 29, 2019
NextGov: Security Doesn’t Have to Be a Sticking Point in Cloud Migration
Despite the innovations and efficiencies that come with cloud migration, only about 20 percent of federal agencies have migrated their applications and data to the cloud. Why such a low adoption rate? One reason is the challenge of securing data.…
April 11, 2019
Fifth Domain: How Agencies Can Protect Legacy IT As They Modernize
Cybersecurity threats grow more sophisticated every year. And while the federal government has pushed forward with efforts to modernize IT, some legacy systems pose unique challenges. Often, these systems remain static even as the landscape around them continues to change.…
January 29, 2019
What You Need to Know about Data Privacy
Data privacy is the crossroads of confidentiality and integrity. When data is shared, either voluntarily or involuntarily, there’s an expectation that the collected information will be kept confidential. In general, data privacy is really about identity—social security numbers, credit card…
January 2, 2019
NextGov: The Boldest Predictions for Federal Technology in 2019
Everyone is talking about artificial intelligence right now—it’s the buzz of the industry. But not many people fully understand what AI and machine learning can do. Jason Parry, our VP of Client Solutions, shares his prediction on the impact artificial…
December 6, 2018
Keeping Your Agency Secure in the Cloud
Like it or not, no government is permanently safe from cyberthreats. The agencies that protect their citizen data the longest are the ones that best assess the risks facing them daily. It’s a situation that doesn’t change after organizations adopt…
November 28, 2018
GCN: Securing Data in the Cloud Requires Planning, Constant Vigilance
Government agencies know -- and have largely accepted the fact -- that moving to the cloud is inevitable. Where many start struggling is with the “how.” How do they move legacy systems to the cloud? How do they choose the…
October 26, 2018
NextGov: It’s Time to Tackle the Problem of Unapproved Cloud Apps to Keep your Agency Secure
It’s a problem seen across all federal agencies: Employees are using cloud-based applications that aren’t approved or protected by IT teams. These apps range from sharing tools, such as cloud storage platforms, to social media sites or personal email accounts…
October 10, 2018
GCN: Why Blockchain Belongs in Government
Anyone with a finger on the pulse of the latest cybersecurity trends has probably noticed an increasing number of contributions to the blockchain conversation. The dialogue around blockchain, while loud, clear and growing, has been largely undirected for the past…
September 28, 2018
Federal Times: Can Industry Bridge the Government Cyber Skills Gap?
Federal agencies have until April 2019 to identify critical work roles and skill shortages in IT and cybersecurity as part of the Federal Cybersecurity Workforce Assessment Act. While this is a first step in determining a holistic approach to address…
September 12, 2018
CSO: Getting the Most out of Your Security Budget
There may be no more pressing need in today’s online world than quality cybersecurity, making it a top-line item for just about everyone. But even as the need builds, the salaries rise, and the expectations heighten, resources remain scarce. Security…
September 11, 2018
NextGov: The Time to Automate Security is Now
Cybersecurity threats are constantly evolving. Unfortunately, federal IT teams often find themselves low on resources, which means being proactive to combat them is a pipe dream. So how can leadership focus on strengthening their agency’s security posture when they spend…
August 13, 2018
CSO: Ways to Improve Your Security Team’s Response Time
When it comes to incident response, every second counts. The severity of breaches varies, but since damage done directly correlates to the time a malicious actor has access to your systems, it’s paramount that all threats are discovered and remediated…
August 2, 2018
3 Ways to Unleash the Power of Your Next-Generation Firewall
We more or less abandoned pagers more than 15 years ago. Fax machines have gone from ubiquity to near obsolescence. And floppy disks? Many of the most recent generation of tech users have never even held—let alone inserted—one. And yet,…
June 22, 2018
Cisco Live 2018: Vendor Opens Management Console to Partners
In this article for TechTarget, Sirius Federal's VP of Client Solutions Jason Parry weighs in on the new opportunities arising from Cisco DNA Center. In Cisco's latest nod to software, the company has opened its Cisco DNA Center to developers,…
June 15, 2018
NextGov: How to Integrate TIC Security with the Federal Cloud-First Mandate
When the Trusted Internet Connections (TIC) initiative was first introduced more than a decade ago, the goal was to improve security in government IT systems by limiting the number of individual external network connections to the internet. Before implementing TIC security…
April 26, 2018
Anomaly Detection: Stop Threats Before They Hit Your Network
In today’s IT environment, endpoint monitoring is fairly standard procedure. Most organizations have at least some sort of system in place allowing them to collect network monitor firewalls and collect network usage data to for network anomaly detection. But, by…
April 25, 2018
5 Reasons Why Vulnerability Management Is No Longer Optional
For agencies determined to create the most effective network security strategy possible, vulnerability management is no longer optional—it’s a necessity. If there’s anything we’ve learned in recent years, it’s that cyber threats just keep coming. Thwart one and a new…
February 15, 2018
Dark Reading: 3 Tips to Keep Cybersecurity Front & Center
In today’s environment, a focus on cybersecurity isn’t a luxury. It’s a necessity, and making sure that focus is achieved starts with the company’s culture. For IT departments — especially in large organizations — daily operations are complex, multifaceted, and…
