It happened again.
One week after the Internal Revenue Service (IRS) revealed hackers had accessed approximately 100,000 tax accounts, another government agency was attacked.
Some four million current and former government employees may have had their personal information compromised due to a cyberattack on the U.S. Office of Personnel Management (OPM). Exploiting a “zero day” security hole, the perpetrators sneaked past the government’s multimillion-dollar Einstein 3 anti-hacking system.
With all the resources available to the U.S. government, how could this happen — and what does it mean for private sector companies trying to ensure data security?
It’s a complex situation with no easy answers.
What Went Wrong
There’s a tendency to think that government networks are — or at least should be — better protected than those of private businesses. The fact is that the government is like many large corporations. It’s a massive organization made up of numerous entities, each with its own priorities, budgets and processes.
Not surprisingly, the government’s highly touted Einstein 3 system has been the victim of red tape and inter-agency fights over privacy, control and other issues. Different iterations of the system exist, each with varying functionality. It is unclear which agencies have which version, if any, on their networks.
All of this also slows the adoption and implementation of newer data security technologies. The Einstein 3 system’s perimeter-based approach is outdated. With the growing sophistication and frequency of cybercrime, the evolution of the Internet of Things (IoT), and the rapid adoption of mobile and other disruptive technologies, it’s clear that perimeter-based defenses alone cannot prevent cyberattacks.
Many within the security industry have moved on to a “defense in depth” approach. It addresses both internal and external threats by using multiple layers of security — physical, network, computer, application, device, people acting as human firewalls — and applying appropriate controls to address the risks that might arise in each.
Trust No One
Others advocate a “zero trust” strategy that assumes the perimeter, including all “defense-in-depth” security layers, will be breached. By establishing zero trust boundaries that compartmentalize different segments of the network, critical data can be protected from unauthorized users and applications. There is no default trust for any entity, including users, devices, applications or packets.
There is also the adaptive perimeter approach, which re-defines and re-configures the perimeter around new attack surfaces such as mobile devices and cloud infrastructure. An example is application wrapping, which enables an administrator to apply security policies to an application or group of applications. This could include requiring user authentication for an app or prohibiting the use of certain APIs such as “copy and paste.”
Time for a Change
It is doubtful that any of the aforementioned security approaches, alone, can completely stop cyberattacks. A new data security approach is needed — one that is adaptable and multi-faceted to protect at the perimeter and anywhere else. It must enable disruptive technologies without increasing the risk of data loss. And it’s something we can’t wait for the government to address.
Here are a few tips for developing a more multi-faceted security strategy:
- Employ security basics and best practices. Tap the expertise of security specialists if needed.
- Stay on top of new security technologies and approaches, as well as emerging threats.
- Restrict data access to only those who need it, and always screen personnel that have access.
- Train all employees to protect data.
- Keep anti-virus software up to date, and operating systems and applications patched.
- Encrypt sensitive data.
- Work with data center and cloud services providers that undergo independent assessments to ensure they meet the stringent security requirements of HIPAA, PCI DSS and other regulations and industry standards.
- Undergo third-party intrusion tests.
- Always expect the unexpected.