With a number of high-profilesecurity hacks involving widely used software, government agencies are retraining their focus on their organization's security measures and those of the vendors and service providers that work with them. This shift in focus was actually on the rise before the recent hacks in anticipation of cyberattacks just like the ones we've recently seen.
In January of 2020, the Defense Department implemented the Cybersecurity Maturity Model Certification (CMMC), a unified standard for implementing cybersecurity across the defense industrial base (DIB), which includes over 300,000 companies in the supply chain. Contractors have always been held responsible for implementing and documenting their IT systems' security that touch sensitive government data. Under CMMC, this continues, but adds the need for a third party to assess the contractor's compliance.
In October, ghosts and goblins come to life as decorations on front lawns and as candy-seeking children knocking on our doors. But stepping away from the frivolity of Halloween, October has also become a time for us to reflect on the real threats we face year-round when it comes to our data, identity privacy and online security.
National Cybersecurity Awareness Month (NCSAM), spearheaded by the Department of Homeland Security (DHS), is a "collaborative effort between government and industry to raise awareness about the importance of cybersecurity and to ensure that all Americans have the resources they need to be safer and more secure online." This year's theme is Own IT. Secure IT. Protect IT. Programs around the country will address topics including citizen privacy, securing consumer devices, and eCommerce security.
More than IT professionals talking to one another, NCSAM aims to reach out to the public to emphasize personal accountability and educate people about the importance of taking proactive steps to enhance cybersecurity at home and in the workplace. The NCSAM website has some handy guides that can be shared to educate people on these actionable steps.
Insider Threat has been a recognized attack and vulnerability vector for some time. In fact, one survey found that government IT professionals report that insider threats are at an all-time high. One source of this increase may be the rise in the use of mobile devices to access government systems. The main challenge in securing mobile access is ensuring that the person who owns the device is the one actually using it and the apps that reside on it. The portability and ease with which devices are lost and misplaced complicate security authentication efforts. But there are ways to mitigate this risk.
Agencies have looked to multi-factor identification to confirm the person accessing the system is who they say they are. This process includes combining two or more credentials. Typically this is something a person knows (a password), and something they have (an access card or a fingerprint). A practice growing in popularity as part of multi-factor identification is behavioral analytics (BA). This looks at how users typically interact with an application or device analyzing things like browsing habits, message syntax, even how they hold the device. If the behavior is out of the realm of normal, the system can lock that user out until they prove their identity another way.
Implementing these types of identity tracking and management is, of course, not without issue. The Department of Homeland Security is being challenged to put more procedures and policies in place to ensure its insider threat program doesn't violate employees' Fourth Amendment rights (protection against unreasonable searches and seizure).
There are many events in the coming months that include a deep look at insider threat and identity management to help navigate these security challenges.