Focusing on Data Security Controls Will Not Provide the Most Robust Protection Against Data Breaches
Since the U.S. government is recognized as a superpower when it comes to cyber warfare, many observers also believe these capabilities extend to the security posture of its agencies and IT infrastructures. Especially because the federal government has developed several innovative security frameworks that are used in many industries outside of the public sector. These include the Department of Homeland Security’s Continuous Diagnostic and Mitigation (CDM) Program, the National Institute of Standards and Technology (NIST) Cybersecurity Framework, and recently published draft version of a Cybersecurity Maturity Model by the Department of Defense.
Reality, however, paints a very different picture of the state of cyber security within the federal government. According to the 2019 Verizon Data Breach Investigations Report, the government sector has experienced more data breaches than all other industries. Considering the sensitivity of data that is being exfiltrated via cyber-espionage or by state-affiliated actors, these breaches pose a serious threat to economic and national security. Adding to these concerns are the recent findings in a report (PDF) by the Government Accountability Office that identified major shortcomings in IT infrastructure security and risk management practices across some 23 U.S. federal agencies. So why do federal agencies lack proper cyber hygiene despite the US government’s track record of innovation in cyber security best practices?
Given the bureaucratic environment within federal agencies it isn’t surprising to see that many are falling short of applying cyber security best practices in their day-to-day operations. Exposure to cyber risks is just one of many challenges that federal agencies must deal with. Lack of funding, and to a greater extent lack of cyber talent is contributing to slow adoption rates. Furthermore, many agencies are struggling to determine what security framework or best practices would offer the highest return on investment, as they’re simply overwhelmed when it comes to the regulations and programs they must comply with. The NIST Cybersecurity Framework alone includes a comprehensive collection of so-called Informative References, which encompass specific standards, guidelines, and practices for critical infrastructure sectors.
Think Like a Hacker
While many of the government frameworks provide a common nomenclature and methodology to help less advanced organizations assess and benchmark their level of security preparedness, they lack guidance on prioritizing security controls and best practices based on the current threatscape. Implementing an effective security strategy requires an understanding of hackers’ tactics, techniques, and procedures – often called TTPs. Thinking like a cyber-attacker allows security practitioners to focus on implementing security controls with a rate of return for preventing breaches.
According to the 2019 Verizon Data Breach Investigations Report, privileged access abuse is a major contributing factor to breaches within the government sector. This statistic also applies to most other verticals. In fact, Forrester Research estimates that 80 percent of all security breaches today involve weak, stolen, default, or otherwise compromised credentials.
Identity Comes First
Undeniably, identities and the trust placed in them, are being used against organizations. They have become the Achilles heel of cyber security practices. Therefore, government agencies should focus their efforts on implementing identity-related security controls recommended by the security frameworks they must comply with to counter the TTPs used by hackers to exfiltrate sensitive data.
Even though cyber-attackers are targeting government agency data, focusing on data security controls will not provide the most robust protection against data breaches.
That’s because identity, not data, is at the center of all transactions and represents an organization’s first line of defense against threats. For example, if an organization protects sensitive data with encryption, an authorized user would still have the authority and necessary entitlements to decrypt the files. With the right compromised user credentials a bad actor is easily able to exfiltrate, delete, or modify encrypted data without raising any red flags.
Until government agencies start implementing identity-centric security measures, account compromise attacks will continue to provide a perfect cover for data breaches. In fact, focusing on endpoint, firewall and network security provides no protection against identity and credential-based threats. A better approach for government agencies is to focus on access by verifying who is requesting access, the context of the request, and the risk associated with the asset. The “never trust, always verify, enforce least privilege” model, or Zero Trust, provides the greatest security return on investment regardless of the industry.