Rather than getting to the point of no return, agencies should manage cybersecurity through preventative action, technological excellence, hygiene and training.
It's no secret that all organizations must be on high alert for cyberthreats. But attacks on government agencies have been particularly relentless, with 99 reported government and military data breaches in 2018 in the U.S. alone. In May, Baltimore was hit by ransomware from unknown actors: city email was taken offline, online payment processing ground to a halt and real-estate transactions could not be recorded. The attackers demanded 13 bitcoins, an estimated $100,000.
Government agencies, especially on the local, municipal and state level, have limited resources. Cybersecurity functions are underfunded and understaffed, with staffing at one-sixth the level of similar-sized financial service organizations. For this reason and others, these entities are perceived as easy targets that offer a wealth of sensitive and private data that malicious actors can sell or hold for ransom.
How should government agencies respond to a cyberattack?
So, when hit by ransomware, should agencies hand over the money, or fight to re-establish control of what is rightfully theirs?
Unfortunately, there is no right answer, and government organizations often receive conflicting advice. Law enforcement officials maintain that ransoms generally shouldn't be paid, since payment encourages me-too attacks. Security consultants, charged with helping clients reclaim control of their systems and data, often recommend payment as the fastest, least expensive way to get systems back up and running.
Even if victims opt to pay, there is no guarantee that agencies will get back all of the data taken hostage. NotPetya, for example, presented itself as ransomware, but its encryption was not built to be reversed and the email address victims were told to contact was quickly shut down; those who paid got nothing back, a lose-lose outcome. Even when attackers do hand over a working decryption key, affected systems should still be rebuilt from known-good images rather than simply decrypted in place: the intruders typically held administrative access before deploying the ransomware and may have left persistence mechanisms, backdoors or stolen credentials behind.
In order to minimize damage and downtime, and perhaps avoid having to pay a ransom at all, agencies should identify what is at stake if an attacker succeeds. An inventory of all assets the organization owns (systems, data, accounts and the dependencies between them) lets agencies determine quickly what has been affected and makes recovery and restoration easier. Full access should never be granted to anyone who doesn't need it: identify the minimum set of resources each user or role actually requires, grant only those permissions, and review them periodically, because privileges tend to accumulate over time. When individuals leave or are terminated, their access, including any shared credentials and tokens they knew, should be revoked immediately.
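As an added example (not code from the original article), the following script reconciles a directory account export against an HR roster to catch the three failures the paragraph above warns about: accounts that outlived their owner's employment, enabled accounts nobody in HR can vouch for, and group memberships beyond what a role needs. The role-to-group mapping, usernames and group names are all constructed for the example.

```python
"""Added example: least-privilege and deprovisioning review of user accounts.
All role names, group names and sample users are constructed (hypothetical)."""
from dataclasses import dataclass

# Constructed role model: the groups each job role is expected to hold.
ROLE_GROUPS = {
    "clerk":    {"domain-users", "records-readonly"},
    "assessor": {"domain-users", "records-readonly", "records-write"},
    "sysadmin": {"domain-users", "records-readonly", "server-admins"},
}


@dataclass
class Account:
    """One row of a directory export (e.g. an AD or LDAP dump)."""
    username: str
    enabled: bool
    groups: set


@dataclass
class Employee:
    """One row of the HR roster; active becomes False when HR records a departure."""
    username: str
    role: str
    active: bool


def review_access(accounts, roster):
    """Return (username, finding) tuples, in export order, for every account that
    should have been disabled or that holds groups beyond its owner's role."""
    by_user = {e.username: e for e in roster}
    findings = []
    for acct in accounts:
        emp = by_user.get(acct.username)
        if emp is None:
            # Nobody in HR owns this identity: orphaned user or forgotten service account.
            if acct.enabled:
                findings.append((acct.username, "enabled account with no HR record"))
            continue
        if not emp.active:
            # Departure processed by HR but the account was never revoked.
            if acct.enabled:
                findings.append((acct.username, "departed employee still enabled"))
            continue
        extra = acct.groups - ROLE_GROUPS.get(emp.role, set())
        if extra:
            findings.append((acct.username,
                             "groups beyond role %s: %s" % (emp.role, ", ".join(sorted(extra)))))
    return findings


# Constructed sample data.
SAMPLE_ACCOUNTS = [
    Account("jdoe",    True,  {"domain-users", "records-readonly"}),
    Account("asmith",  True,  {"domain-users", "records-readonly", "records-write", "server-admins"}),
    Account("bjones",  True,  {"domain-users", "records-readonly"}),
    Account("svc-old", True,  {"domain-users", "server-admins"}),
    Account("mlee",    True,  {"domain-users", "records-readonly", "server-admins"}),
    Account("cwu",     False, {"domain-users"}),
]
SAMPLE_ROSTER = [
    Employee("jdoe", "clerk", True),
    Employee("asmith", "assessor", True),
    Employee("bjones", "clerk", False),
    Employee("mlee", "sysadmin", True),
    Employee("cwu", "clerk", False),
]

if __name__ == "__main__":
    for user, finding in review_access(SAMPLE_ACCOUNTS, SAMPLE_ROSTER):
        print("%-8s %s" % (user, finding))
```

Run against a real export, the same logic flags `asmith` (an assessor who picked up server-admins), `bjones` (left the agency, still enabled) and `svc-old` (no owner on record); `cwu` produces nothing because the account was actually disabled. Running it on a schedule, not only at termination time, is what catches the privileges that quietly accumulate.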
Furthermore, frequent, complete and tested backups ensure that data can be restored and that recovery, should it be needed, is as seamless as possible. Backup frequency should be driven by how much data the agency can afford to lose (its recovery point objective), not just by available resources, and at least one copy should be kept offline or in immutable storage, since ransomware operators routinely seek out and encrypt or delete every backup they can reach before triggering encryption. Many organizations opt for a cloud backup solution for its automation and versioning; an external drive that stays attached to the network is just another target, and one that is carried around is more likely to be damaged, lost or stolen. A backup that has never been restored is an assumption rather than a plan, so restore tests belong in the routine.
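The restore test the paragraph above calls for can be made mechanical. The added example below (not code from the original article) writes a SHA-256 manifest of a backup set, protects the manifest with an HMAC whose key is assumed to live with the offline copy, and then checks a restored tree against it, reporting files that are missing, modified or unexpected. The file names, contents and the simulated ransomware damage in `demo()` are all constructed.

```python
"""Added example: manifest-based verification of a restored backup.
Paths, file contents and the HMAC key are constructed for illustration."""
import hashlib
import hmac
import json
import os
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root, '/'-separated) to its SHA-256 digest."""
    return {str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def sign_manifest(manifest: dict, key: bytes) -> str:
    """HMAC over the canonical JSON form of the manifest. The key (and ideally the
    signed manifest itself) is assumed to be stored with the offline copy, so an
    attacker who can rewrite the backup volume cannot also rewrite the record of
    what it should contain."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def manifest_is_authentic(manifest: dict, tag: str, key: bytes) -> bool:
    return hmac.compare_digest(sign_manifest(manifest, key), tag)


def verify_restore(restored: Path, manifest: dict) -> dict:
    """Compare a restored tree against the manifest. All three lists empty means
    the restore matches exactly what was backed up."""
    actual = build_manifest(restored)
    return {
        "missing":    sorted(set(manifest) - set(actual)),
        "modified":   sorted(k for k in manifest if k in actual and actual[k] != manifest[k]),
        "unexpected": sorted(set(actual) - set(manifest)),
    }


def demo() -> dict:
    """Constructed scenario: back up two files, then simulate a restore source that
    ransomware reached: one file encrypted, one deleted, a ransom note dropped."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp, "records"), Path(tmp, "restore")
        (src / "deeds").mkdir(parents=True)
        (src / "deeds" / "2019-001.txt").write_text("parcel 12 transferred\n")
        (src / "payments.csv").write_text("id,amount\n1,40.00\n")
        manifest = build_manifest(src)

        shutil.copytree(src, dst)
        (dst / "payments.csv").write_bytes(os.urandom(64))        # "encrypted"
        (dst / "README_DECRYPT.txt").write_text("pay 13 BTC\n")   # ransom note
        (dst / "deeds" / "2019-001.txt").unlink()                 # destroyed
        return verify_restore(dst, manifest)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice the manifest is produced at backup time, signed, and copied to the offline location alongside the data; at restore time the tag is checked first (`manifest_is_authentic`) and only then is the restored tree compared, so a tampered manifest cannot vouch for tampered data.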
Prevention trumps response
Rather than waiting for the point of no return, agencies should manage cyber risk proactively through preventative action, sound technology and training of both IT professionals and users. Dedicated information security staff must take the lead in identifying and remediating weaknesses, weighing a range of options for strengthening defenses against breaches, data theft and extortion.
Educating staff should be a priority. Defending against attackers is no easy task, and small errors can be the start of major problems. Awareness training identifies and strengthens weak links from within. Teaching users to recognize suspicious emails and links before clicking reduces successful phishing, spear phishing and business email compromise, but it will not eliminate them: some users will always click, so training has to be backed by technical controls that limit what a single click or a stolen password can do.
Many states are implementing their own cybersecurity programs. In 2015, New Jersey founded the New Jersey Cybersecurity and Communications Integration Cell (NJCCIC), also known as the New Jersey Office of Homeland Security and Preparedness' Division of Cybersecurity. It describes itself as the first state-level information sharing and analysis organization in the United States, exchanging cyber threat intelligence and conducting incident response for governments, businesses and citizens in New Jersey.
Other states have since followed suit with their own cybersecurity-focused projects, such as Michigan's Cyber Disruption Response Plan and California's Cybersecurity Task Force. These programs help local governments understand recent incidents, increase awareness of the threat landscape in their area and share that information with the public and local businesses.
Last, and certainly not least, infosec staff must continuously educate themselves about cybersecurity developments and best practices, such as internet isolation and zero-trust browsing. For instance, a zero-trust approach to browsing enables government organizations to protect their systems and data from the most common threats while allowing users to freely browse the sites that they need to get work done -- hassle free.
What is zero-trust security for cyber protection?
The zero-trust concept, usually summarized as "never trust, always verify," reshapes cybersecurity strategy. Government entities can avoid many threats if they assume that no user, device or network segment can be trusted automatically. No traffic, whether internal or external, should be deemed safe simply because of where it comes from; every request is authenticated and authorized on its own merits, and organizations stop trusting and start verifying, always.
Unfortunately, the internet itself cannot be trusted. One zero-trust response is to allowlist approved sites and block everything else, but this frustrates users and hobbles productivity. Every time a user needs a site that isn't on the list, they must ask IT for access, IT must drop what it is doing to assess the site and grant (or refuse) it, and both sides lose time to waiting and context switching.
Secure zero-trust browsing
Secure browsing solutions are available that operate on the principle that nothing on the internet is to be trusted. Remote browser isolation (RBI), in particular, executes all browsing remotely, on virtual browsers in a disposable container located in the cloud, so no website content (scripts, plugins, downloads) ever executes on organizational endpoints.
Through RBI, users interact naturally with all websites and applications in real time via a rendering stream (pixels or a sanitized page representation) sent from the remote browser to the endpoint browser of their choice. When the user is finished browsing, the container and all its contents are destroyed. Users may interact freely with the sites they need, with no helpdesk access requests or assistance. The isolation boundary is only as strong as the container and the sanitization of what is streamed back, and RBI on its own does nothing to stop a user from typing a password into a live form, which is why phishing needs separate handling.
To prevent users from falling victim to phishing, which attackers have found highly effective against government agencies, robust RBI solutions offer the option of opening suspicious or uncategorized sites in read-only mode, so that a page renders but form fields accept no input and an unsuspecting user cannot hand over credentials. Known phishing sites can be blocked entirely or opened with a warning.
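The block/read-only/full decision described above is a policy that can be expressed in a few dozen lines. The added example below (not code from the original article or from any RBI vendor) blocks known-bad hosts, renders allowlisted agency and partner hosts fully, and opens everything else read-only; it goes a step beyond the paragraph by also folding common homoglyph and digit substitutions so that lookalikes of the agency's own domains are reported as such. All hostnames, the allow and block lists and the confusable tables are constructed for the example.

```python
"""Added example: choose how an isolated browser should open a URL.
Hostnames, lists and confusable tables are constructed (hypothetical)."""
import unicodedata
from urllib.parse import urlsplit

# Constructed lists. PROTECTED are the agency's own credential-bearing domains.
PROTECTED = {"cityhall.example.gov", "payroll.example.gov"}
ALLOW = PROTECTED | {"portal.example.gov", "vendor-example.com"}
BLOCK = {"cityhall-example-gov.com"}          # hypothetical known phishing host

# Small confusable tables: Cyrillic letters that render like Latin ones, and
# digits commonly swapped for letters in lookalike registrations.
CYRILLIC = {"а": "a", "е": "e", "о": "o", "р": "p", "с": "c", "у": "y", "х": "x"}
DIGITS = {"0": "o", "1": "l", "3": "e", "5": "s"}


def normalise(host: str) -> str:
    """Fold a hostname into the form a human reads it as, so homoglyph and
    digit-substitution lookalikes compare equal to the brand they imitate."""
    host = host.lower().rstrip(".")
    try:                                   # punycode labels back to Unicode
        host = host.encode("ascii").decode("idna")
    except UnicodeError:
        pass                               # already Unicode, or not valid IDNA
    host = unicodedata.normalize("NFKC", host)
    host = "".join(CYRILLIC.get(c, DIGITS.get(c, c)) for c in host)
    return host.replace("rn", "m").replace("vv", "w")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch single-typo lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def under(host: str, zone: str) -> bool:
    return host == zone or host.endswith("." + zone)


def browse_mode(url: str):
    """Return (mode, reason); mode is 'block', 'full' or 'read-only'."""
    host = (urlsplit(url).hostname or "").lower()
    if not host:
        return "block", "no hostname"
    if any(under(host, b) for b in BLOCK):
        return "block", "known phishing host"
    # The allowlist is matched on the raw hostname only: a folded lookalike
    # must never be mistaken for the real site.
    if any(under(host, a) for a in ALLOW):
        return "full", "allowlisted"
    folded = normalise(host)
    for brand in sorted(PROTECTED):
        fb = normalise(brand)
        if fb in folded or edit_distance(folded, fb) <= 2:
            return "read-only", "lookalike of " + brand
    return "read-only", "uncategorised site"


if __name__ == "__main__":
    for u in ("https://portal.example.gov/login",
              "https://cityhall-example-gov.com/",
              "https://payroll.examp1e.gov.example-login.com/",
              "https://\u0441ityhall.example.gov/",      # Cyrillic 's' as first letter
              "https://news.example.com/story"):
        print(u, "->", browse_mode(u))
```

Two design points matter more than the tables. The allowlist is checked against the raw hostname before any folding, otherwise a homoglyph domain would normalise into the real one and be granted full access; and the default for anything unknown is read-only rather than block, which is what keeps users out of the helpdesk queue while still denying a credential harvester its input.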
The best solutions are browser-agnostic, work with all devices and operating systems and are clientless, making roll-out and updating simple.
The future of cybersecurity in government organizations
Taking control of a situation before it becomes a problem must be the approach of all government infosec departments. We don't know what the future holds, but as hackers get more creative and more aggressive, we must be prepared. For government IT departments, this means rethinking current approaches and best practices and staying abreast of effective new solutions that protect their agencies without adding burdensome overhead for understaffed departments.