Insider Threat Goes Mobile

Insider Threat has been a recognized attack and vulnerability vector for some time. In fact, one survey found that government IT professionals report that insider threats are at an all-time high. One source of this increase may be the rise in the use of mobile devices to access government systems. The main challenge in securing mobile access is ensuring that the person who owns the device is the one actually using it and the apps that reside on it. The portability and ease with which devices are lost and misplaced complicate security authentication efforts. But there are ways to mitigate this risk.

Agencies have looked to multi-factor identification to confirm the person accessing the system is who they say they are. This process includes combining two or more credentials. Typically this is something a person knows (a password), and something they have (an access card or a fingerprint). A practice growing in popularity as part of multi-factor identification is behavioral analytics (BA). This looks at how users typically interact with an application or device analyzing things like browsing habits, message syntax, even how they hold the device. If the behavior is out of the realm of normal, the system can lock that user out until they prove their identity another way.

Implementing these types of identity tracking and management is, of course, not without issue. The Department of Homeland Security is being challenged to put more procedures and policies in place to ensure its insider threat program doesn't violate employees' Fourth Amendment rights (protection against unreasonable searches and seizure).

There are many events in the coming months that include a deep look at insider threat and identity management to help navigate these security challenges.

Continue reading

Is IoT a Superhero or Villain?

The Internet of Things (IoT) is made up of webcams, sensors, thermostats, microphones, speakers, cars, and even stuffed animals. All of these connected devices can help individuals and organizations stay connected across geographic distances, keeping tabs on and managing assets from miles away. The data they collect can be combined with other data sets to create actionable advice for better management and service.

This holds incredible promise for local governments and federal agencies charged with maintaining safe operating fleets and facilities. There's also the application for improving the routing of field technicians as well as traffic flow in general. But, as every superhero knows, with great power comes great responsibility.

As with any technology, IoT standards need to be developed for effective and safe use as well as to enable interoperability. NIST has been working on defining standards and recently released Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks, but no federal agency is currently claiming jurisdiction over IoT policy and rule-making. In this vacuum, the legislative branch is getting involved. This past November, the House passed the SMART IoT Act that tasks the Department of Commerce with studying the current U.S. IoT industry. A Senate bill was introduced to manage what types of IoT devices the government can purchase, ensuring that all IoT tech in government is patchable and has changeable passwords. Finally, states are even weighing in on the proper use of IoT in government. California passed the first IoT cybersecurity law, making device manufacturers ensure their devices have "reasonable" security features. Continue reading

Government Gets Social

Social media management platform, Hootsuite, recently released "The Social Government Benchmark Report 2018" that looked at how agencies are using and viewing social media use in connection with their mission. The report examined the value of social media for government organizations as well as explored best practices for enterprise-level social media management for government.

The survey of public sector employees found that about half of respondents rated their agency's use of social media as good or excellent. The top use cases for social media cited were:

  • Citizen engagement (77%) - social media allows for a better understanding of citizen needs and they've seen an increase in positive sentiment.
  • Customer care/service delivery (48%) - teams are able to have faster response times.
  • Critical response communications (47%) - agencies found that citizens are better informed about critical issues and rumors are quickly addressed via social channels.
  • Employer branding and recruitment (45%) - respondents say they are getting a higher volume of candidates as a result of social outreach.

Based on these successes, it's no surprise public servants want to do more with social. 87% of respondents said there is room for improvement. Luckily, there are several events in the coming months that can provide guidance on how public sector organizations can better use social media. Continue reading

CDM Hits Phase Three: Determining What is Happening on the Network

The Continuous Diagnostics and Mitigation (CDM) program, led by the Department of Homeland Security, was designed to fortify the cybersecurity of government networks and systems with capabilities and tools that identify risks on an ongoing basis, prioritize these risks based on potential impacts, and enable personnel to mitigate the most significant problems first. The program was rolled out in phases with phases one and two pretty much complete across government.

Now that agencies know what and who is on their network, they need to move onto phase three - what is happening on the network. This involves installing and managing the network and perimeter security measures. Given that the perimeter now includes mobile devices, securing those devices and the way they access the network is critical to meeting CDM goals. Currently,agencies are mapping out mobile connections at the agency level, and the networks with which agencies are regularly interacting.

Continue reading

So, You’ve Got an App for That. Now What?

A mobile app launches in the App Store, but no one downloads it. Does it make an impact? Unlike the philosophical exercise of the "if a tree falls in the forest" question, this similarly worded one has a definite answer -- if no one is using your mobile app, the work and resources you've put into it are wasted.

The ubiquity of mobile devices, the comfort with apps, and the options for no-code development all have made apps a real option for all types and sizes of events. With app adoption, event organizers can reduce paper, create more interactivity with the audience, and gather data on their experience before, during, and after the event. Today, we want to focus on making sure people are using event apps so that these benefits can be realized. Continue reading