Protectors of Critical Networks Look Within For Vulnerabilities
In the rush to defend critical public and private networks, organizations are seeking to give cybersecurity professionals the tools they need to track and defeat a multitude of threats on a daily basis, including those that come from inside an agency.
Organizations must keep an eye on those who misbehave on internal networks, intentionally or not. The problem of “the insider” can’t be overlooked, said Steven Chabinsky, deputy assistant director of the FBI’s Cyber Division.
“The insider is a phenomenal issue,” he said. “We’ve got insiders that are purposely sent to companies to do espionage . . . And then you have well-meaning employees who simply by opening up an email or doing something else” can compromise network security.
Hackers have been successful against firms with solid security frameworks by analyzing their employees and going after them with cleverly worded emails, also known as “spear-phishing.” Companies have begun training all employees on cybersecurity fundamentals. No amount of technology can prevent attacks if employees are not educated, said executives at the Air Force Association’s “CyberFutures” conference.
SAIC uses a game — which has now been given to the Defense Department — that teaches employees that they all have crosshairs on their backs when it comes to network security. Northrop Grumman sends workers through an internal Cyber Academy and requires everyone on its staff to have a basic understanding of network security issues. Company officials say that the nation needs a “broadly-based” work force with a certain amount of digital literacy across the board and specialists in the right spots.
But more challenges arise as technology advances.
The government’s increasing use of wireless technologies can create vulnerabilities for hackers and makes the problem even trickier to solve. While these devices can make life easier for the government worker, they also can make it more difficult to defend against intrusions.
The Government Accountability Office first took a look at wireless networks at six federal agencies back in 2005. It found unauthorized activity and broadband signals being broadcast beyond the perimeter of certain buildings, which increased susceptibility to an attack. At one agency, more than 90 laptops were being used to connect wirelessly to the Internet while they were physically wired to internal networks. This is a continuing problem that allows outsiders to gain access to sensitive data, said Naba Barkakati, chief technologist at GAO.
The office recently turned its attention to wireless gadgets again, this time studying their use by 24 federal agencies. It found that 14 had blue-tooth devices, 17 used cellular cards to connect to the Internet and all of them issued smartphones.
While agencies have taken steps to secure their wireless networks since the 2005 investigation, more needs to be done to reduce the risk of intrusions, Barkakati said.
Many organizations began using encryption and incorporated mobile device security into employee training sessions. Others strengthened access controls and continuously monitored their wireless networks for rogue entry points and clients.
However, of the 23 agencies studied that required encryption, seven were using outdated or unsecure forms, GAO officials concluded.
The problem of dual-connected laptops also has continued. Turning off the wireless capability on a laptop while it is connected to a hard-wired network mitigates the risk of providing unauthorized access to internal data. But eight of 24 agencies reviewed by the GAO did not have policies in place requiring this step to be taken. In addition, only half of the agencies had policies in place for safeguarding mobile devices used during international travel.
The Office of Management and Budget and the Department of Homeland Security must develop an effective means for oversight of federal efforts to secure wireless networks, the GAO report states. Until they do, the extent to which networks are vulnerable to attacks will remain unknown, officials said.
The Defense Department also must keep closer tabs on IT personnel and take steps to punish those who compromise the security of military networks, said Air Force Maj. Gen. Ronnie D. Hawkins Jr., the vice director of the Defense Information Systems Agency.
Improvements in cybersecurity across the Defense Department will require tighter internal controls, Hawkins said at the CyberFutures conference. “We need to look at individual actors, and that’s you and I,” he told an audience of service members and industry representatives.
Every network user must be educated and trained about Internet security, Hawkins said. Part of the problem today is that those who make laws and regulations may not fully understand the nuance of cybersecurity. He suggested online training and official certification for everyone — from senior leaders down to the rank and file.
The Pentagon should have a disciplinary structure comparable to an accident review board for matters involving networks. If someone were found to have done something wrong, they could lose their certification, Hawkins said.