Nation-state backed cyber attacks are an ever-present risk for the public sector. But in a year in which over 50 countries are heading into high-profile elections, it is more important than ever that democratic nations shore up their defenses against malicious actors. With a recent and urgent warning from GCHQ highlighting the severity of modern geopolitical cyber risk, bolstering cyber resilience should be a top public sector priority. The security and operational success of government organizations is increasingly coming under the public spotlight. As a result, threat actors know that the national and reputational damage potential of a successful attack is high, giving ample ammunition for extortion. But while financial gain may appeal to ransomware groups, nation state attackers will see an opportunity to cause devastating disruptions and undermine our national security. It may sound like stating the obvious, but all critical national infrastructure providers should have a clear understanding of the threat.
Technical Evangelist for EMEA at Gigamon.
Worryingly, there is a common misconception that threat actors must use very complex hacking methods to break into networks, and yet simple blind spots persist. The weakest point of an organizations' defenses is almost always its own people. Bad actors will often secure their initial foothold in a corporate network through social engineering tactics, tricking members of the organization into exposing their companies to malware or releasing their credentials to a fake login page. This problem is further exacerbated by hybrid cloud environments that have users accessing corporate and cloud based networks through personal devices or on unsecured networks while out of the office. With nation state actors’ ample supply of resources and time to find critical vulnerability gaps, proactively shoring up defenses is crucial.
There are 4 steps that government and public sector organizations can implement to energize their cyber resilience:
1. Reduce inherent trust
With people being the main entry point to networks, the first step in any security strategy should be to reduce inherent trust wherever possible. This puts organizations on track for implementing Zero Trust, helping them to mitigate risk by identifying suspicious access, and preventing the escalation of privileges.
It is crucial that organizations identify their crown jewels before implementing any changes to their security strategy. Whether they’re operationally critical servers or sensitive data, or both, access should be limited to only the specific individuals that need those assets. All government organizations should also be implementing strict multi-factor authentication (MFA) controls, adding a much-needed extra layer of defense at their entry point. The recent breach of Change Healthcare in the USA, which exploited credentials for an account without MFA, should mark a turning point in making multi-factor authentication a non-negotiable for today’s companies.
2. Practice defense-in-depth
Securing the endpoints is not enough, especially for government organizations. Taking a layered approach to security is key in ensuring that if one security barrier fails, threat actors don’t flood the gates and roam freely on the network. A true Zero Trust strategy practices ‘defense-in-depth' by implementing multiple policies, tools, and processes that go beyond the perimeter and endpoint detection tools. Micro-segmentation is a critical part of this, splitting up the network into multiple sections with access controls at each segment's entry point to help security teams see and control any movement within the network. This is the first step towards achieving improved visibility into lateral traffic and, when coupled with MFA protocols at entry points, creates a fortress from the inside out.
Building an IT environment with Zero Trust at its core not only creates a safety net, but it also improves security teams’ ability to analyse and learn from each attempted breach. Threat detection and response is critical to any security posture, but for the public sector, being able to neutralize and analyze threats with minimal disruption should be a number one priority.
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
3. Address blind spots and leverage real-time network intelligence
Achieving complete network security goes beyond access control – it must be secure from the inside out. Organizations should be actively looking for and addressing blinds spots, and working towards achieving complete visibility into every corner of their networks. With the increased proliferation of public and private cloud environments, blind spots are most commonly found in East-West (lateral), and encrypted traffic, so it is imperative that security leaders in government organizations implement tools that not only provide network-level intelligence, but also full visibility into all the data and activity on their networks. Achieving this level of deep observability allows security teams to eliminate crucial blind spots, shining a light on every dark corner of their networks, and exposing threats being hidden in encrypted traffic.
4. Reduce tool sprawl
Tool sprawl should be a concern at the front of every security leader’s mind, but consolidating to one vendor is not always the best way forward. Instead, security teams should focus on making sure their tools are working efficiently and fit their organization's specific needs – shifting the focus from consolidation to optimization. It’s not about having all the tools, it’s about having the best tools that together cover all assets and data. This once again goes back to having full visibility into network traffic, be it lateral or encrypted. Security teams must look to refine the data that is being fed into their tools, as not all network traffic needs to be decrypted, nor sent to every single tool.
Organizations can employ tactics such as application filtering and deduplication to effectively manage and direct their traffic to tools, whilst simultaneously maintaining adequate visibility. Application filtering entails separating traffic into high and low risk by distinguishing ‘trusted’ traffic signatures, ensuring only high-risk traffic is decrypted. While deduplication ensures that every new packet of data is only decrypted once before it is trusted to flow through the network. Both tactics can significantly increase tool efficiency and while maintaining the visibility needed to keep the network secure.
Conclusion
The evolving cyber landscape and growing threat from nation-state attackers creates a complex environment for government organizations to navigate. Securing operations against attack is not a simple task, but it is critical, and must be informed by real-time, network-derived intelligence to ensure all blind spots are addressed, before they can become critical incidents.
We've featured the best encryption software.
This article was produced as part of TechRadarPro's Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro
Mark Jow is Technical Evangelist for EMEA at Gigamon.