[BreachExchange] Network security demands better procurement processes

Audrey McNeil audrey at riskbasedsecurity.com
Tue Mar 7 19:41:23 EST 2017


http://www.cso.com.au/article/615426/network-security-demands-better-procurement-processes/

In 2015, two cybersecurity breaches at the Office of Personnel Management
prompted the federal government to take steps to ensure that personal
information will not be compromised in the future.

Most of that work, however, was basically closing the barn door after the
horse had run off. The General Services Administration (GSA) moved quickly
to award government-wide Federal Supply Schedule Blanket Purchase
Agreements (BPA) for identity monitoring, and data breach response and
protection services. According to the GSA, the BPAs have an estimated value
of $500 million.

So we are spending $500 million to deal with the aftermath of the breaches
(and possible future breaches), but somehow we never have enough money to
prevent these breaches from the start. That raises the question of where
that money was before the problem occurred.

Well, of course, that’s a line item that is difficult to get through the
federal budgeting process. In these austere days, Congress isn’t likely to
provide “mission to the moon” funding to pre-empt possible problems.

And yet possible problems, as we have already seen, are increasingly likely
as we rely more on IT infrastructures that may not be up to the challenge
of increased use. The hard truth is that many IT systems in both the public
and private sector were designed in the storybook days before cybersecurity
became an issue. Federal programs that depend on IT infrastructure also
tend to have complex supply chains, which can make systems vulnerable to
things like clandestine listening, pattern analysis and distributed denial
of service (DDoS) attacks.

Down the road, better coordination between technology vendors and buyers
before the acquisition process will be able to stem some of the cyber tide
(more on that later). That’s great for future purchases, but what do we do
in the meantime with what we have now?

Defense in depth – a moat to defend the castle

The right approach to security in IT infrastructure begins by accepting
that stopping every cyber attack is an impossible strategy. Similarly,
static security certifications and “set-and-forget” IT systems are a thing
of the past; we need to continually rethink access controls and
vulnerability patching.

While technology vendors continue working on making their products and
components less susceptible to attack, a practical approach to security now
means looking at “defense in depth” solutions.

Defense in depth looks to manage risk with a broad range of defensive
strategies. That way, if one layer of defense fails, bad agents still need
to get through another layer – and another. This strategy is already used
in some private sector networks. Financial services firms, for example,
typically have numerous security measures in place. Bad actors have to get
past barricades and cross the moat before they can get into the castle.

When it is harder for adversaries to access your system, they may choose
easier targets. Without a defense in depth strategy, it is easy to be
overwhelmed by even unsophisticated tactics like DDoS attacks.

The need for better procurement processes

Ultimately, however, security for the federal government (and private
sector enterprises) is going to need help from industry. Technology
companies are going to need to treat security as a fundamental feature in
their products from day one. That means putting security up front in
product development, with a sound plan and security features designed into
products from the start.

At the same time, the purchasing authorities need to bring their security
needs front and center. Some necessary steps:

1. Build IT security into your contracts, and develop standards for what
   secure computing must look like. Your Chief Information Security Officer
   needs to be actively involved in this process, and your contractors must
   be responsible for maintaining whichever system you settle on.

2. Stop trying to reinvent the wheel, and start seriously leveraging
   existing industry standards. Similarly, make sure that the certifications
   and standards industry is already using are adequate to the level the
   government needs.

3. Get out of hardware procurements, and start buying infrastructure as a
   service (IaaS). Be clear on what your particular industry needs (and keep
   in mind that federal cloud offerings are months behind the commercial
   cloud in terms of offerings).

This last point deserves elaboration. Does your preferred provider offer
orchestration tools for deleting and building apps? You want apps to be
able to scale up or down easily; this elasticity ensures the long-term
viability of your network.

Likewise, make sure that your provider offers Identity and Access
Management (IAM) tools for life-cycle management. You need to be able to
extend on-premises IAM tools to the off-premises cloud data center
environment.

As we’ve seen, stopping attacks and unauthorized access of network
platforms demands a coordinated enterprise approach to mission assurance
and cyber defense. A strong defense alone will not mitigate risk.