Risk Management

Perception vs. Reality in Federal Government Security Practices

Focusing on Data Security Controls Will Not Provide the Most Robust Protection Against Data Breaches

Since the U.S. government is recognized as a superpower when it comes to cyber warfare, many observers also believe these capabilities extend to the security posture of its agencies and IT infrastructures. This perception is reinforced by the fact that the federal government has developed several innovative security frameworks that are used in many industries outside of the public sector. These include the Department of Homeland Security’s Continuous Diagnostic and Mitigation (CDM) Program, the National Institute of Standards and Technology (NIST) Cybersecurity Framework, and the recently published draft version of a Cybersecurity Maturity Model by the Department of Defense.

Reality, however, paints a very different picture of the state of cyber security within the federal government. According to the 2019 Verizon Data Breach Investigations Report, the government sector has experienced more data breaches than all other industries. Considering the sensitivity of the data being exfiltrated via cyber-espionage or by state-affiliated actors, these breaches pose a serious threat to economic and national security. Adding to these concerns are the recent findings in a report (PDF) by the Government Accountability Office that identified major shortcomings in IT infrastructure security and risk management practices across some 23 U.S. federal agencies. So why do federal agencies lack proper cyber hygiene despite the U.S. government’s track record of innovation in cyber security best practices?

Given the bureaucratic environment within federal agencies, it isn’t surprising to see that many are falling short of applying cyber security best practices in their day-to-day operations. Exposure to cyber risks is just one of many challenges that federal agencies must deal with. A lack of funding and, to a greater extent, a lack of cyber talent are contributing to slow adoption rates. Furthermore, many agencies are struggling to determine which security framework or best practices would offer the highest return on investment, as they are simply overwhelmed by the regulations and programs they must comply with. The NIST Cybersecurity Framework alone includes a comprehensive collection of so-called Informative References, which encompass specific standards, guidelines, and practices for critical infrastructure sectors.

Think Like a Hacker

While many of the government frameworks provide a common nomenclature and methodology to help less advanced organizations assess and benchmark their level of security preparedness, they lack guidance on prioritizing security controls and best practices based on the current threatscape. Implementing an effective security strategy requires an understanding of hackers’ tactics, techniques, and procedures, often called TTPs. Thinking like a cyber-attacker allows security practitioners to focus on implementing the security controls that offer a return on investment in preventing breaches.

According to the 2019 Verizon Data Breach Investigations Report, privileged access abuse is a major contributing factor to breaches within the government sector. This statistic also applies to most other verticals. In fact, Forrester Research estimates that 80 percent of all security breaches today involve weak, stolen, default, or otherwise compromised credentials.

Identity Comes First

Undeniably, identities, and the trust placed in them, are being used against organizations. They have become the Achilles’ heel of cyber security practices. Therefore, government agencies should focus their efforts on implementing the identity-related security controls recommended by the security frameworks they must comply with, in order to counter the TTPs used by hackers to exfiltrate sensitive data.

Even though cyber-attackers are targeting government agency data, focusing on data security controls will not provide the most robust protection against data breaches.

That’s because identity, not data, is at the center of all transactions and represents an organization’s first line of defense against threats. For example, if an organization protects sensitive data with encryption, an authorized user would still have the authority and the necessary entitlements to decrypt the files. With the right compromised user credentials, a bad actor is easily able to exfiltrate, delete, or modify encrypted data without raising any red flags.

Until government agencies start implementing identity-centric security measures, account compromise attacks will continue to provide a perfect cover for data breaches. In fact, focusing on endpoint, firewall and network security provides no protection against identity and credential-based threats. A better approach for government agencies is to focus on access by verifying who is requesting access, the context of the request, and the risk associated with the asset. The “never trust, always verify, enforce least privilege” model, or Zero Trust, provides the greatest security return on investment regardless of the industry.
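To make the contrast between a credential-only check and the “verify who, the context, and the asset risk” model concrete, the following added example (not from the original article) models a simple policy decision point. The request fields, risk weights and sample requests are constructed assumptions, not any agency’s real policy; the stolen-credential case mirrors the encrypted-data scenario above, where a valid password alone would grant the decrypt action.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessRequest:
    """One access request as seen by the policy decision point (constructed)."""
    user: str
    password_ok: bool        # primary credential accepted
    mfa_ok: bool             # second factor verified for this session
    device_compliant: bool   # managed, patched, disk-encrypted device
    network: str             # "agency" (internal) or "internet"
    entitlements: frozenset  # actions this identity is actually granted
    action: str              # action requested, e.g. "decrypt"
    asset_sensitivity: int   # 1 = public ... 3 = sensitive


def credential_only_decision(req: AccessRequest) -> str:
    """Perimeter-era check: a valid password is the whole decision."""
    return "allow" if req.password_ok else "deny"


def zero_trust_decision(req: AccessRequest) -> str:
    """Verify who is asking, the context of the request and the risk of the
    asset, and grant only the actions the identity is entitled to."""
    if not req.password_ok:
        return "deny"
    if req.action not in req.entitlements:   # enforce least privilege
        return "deny"
    # Risk score: asset sensitivity plus penalties for a risky context
    # (weights are assumptions chosen for this example).
    risk = req.asset_sensitivity
    if not req.device_compliant:
        risk += 1
    if req.network != "agency":
        risk += 1
    if not req.mfa_ok:
        # Without a second factor, either demand one or refuse outright.
        return "step_up" if risk < 4 else "deny"
    return "allow" if risk < 5 else "deny"


# Constructed sample requests (not real accounts or systems).
FULL = frozenset({"read", "decrypt"})
ANALYST_ON_SITE = AccessRequest("analyst", True, True, True, "agency", FULL, "decrypt", 3)
ANALYST_REMOTE_NO_MFA = AccessRequest("analyst", True, False, True, "internet", FULL, "read", 2)
STOLEN_CREDS = AccessRequest("analyst", True, False, False, "internet", FULL, "decrypt", 3)
OVERREACH = AccessRequest("contractor", True, True, True, "agency", frozenset({"read"}), "decrypt", 1)

if __name__ == "__main__":
    for req in (ANALYST_ON_SITE, ANALYST_REMOTE_NO_MFA, STOLEN_CREDS, OVERREACH):
        print(f"{req.user:>10} {req.action:>8}  credential-only={credential_only_decision(req):<6}"
              f" zero-trust={zero_trust_decision(req)}")
```

The stolen-credential request passes the credential-only check but is denied once device, network and missing second factor are weighed against a sensitive asset, and the contractor is denied the decrypt action regardless of context because the identity was never entitled to it.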

Written By

Torsten George is a cybersecurity evangelist at Absolute Software, which helps organizations establish resilient security controls on endpoints. He also serves as strategic advisory board member at vulnerability risk management software vendor, NopSec. He is an internationally recognized IT security expert, author, and speaker. Torsten has been part of the global IT security community for more than 27 years and regularly provides commentary and publishes articles on data breaches, insider threats, compliance frameworks, and IT security best practices. He is also the co-author of the Zero Trust Privilege For Dummies book. Torsten has held executive level positions with Centrify, RiskSense, RiskVision (acquired by Resolver, Inc.), ActivIdentity (acquired by HID® Global, an ASSA ABLOY™ Group brand), Digital Link, and Everdream Corporation (acquired by Dell).
