In early June, the US Federal Government announced they would be undertaking a 30-day Cybersecurity Sprint. The goals of the program included:
- scanning systems for indications of malicious activity
- patching critical vulnerabilities without delay
- reviewing and improving policies regarding privileged users
- accelerating multi-factor authentication implementation, especially for privileged users.
For anyone who's working in cybersecurity for any length of time, these 4 items seem like baby steps. They are activities that a/ should have been implemented a long time ago and b/ take time, money and commitment to carry out. I suspect the problem in the past as been item b - there has been no commitment by top decision makers and, thus, there has been no money to make it happen. That is why this sprint has been such good news (once I ignore the fact that it's 2015 and it's only now happening...I started in this field in 1999 and had rather hoped we'd be in better shape by now). So yay, US Federal Government.
Preliminary results have been discussed stating that:
The fact sheet also notes that there are several activities that remain ongoing, as we would expect. Cybersecurity is not an end-point, it is a process of continual improvement.
- Federal civilian agencies have increased multi factor authentication use for privileged users by 20 percent within the first 10 days of the Sprint. Several agencies have increased multi factor authentication use for privileged users to 100 percent.
- DHS has scanned over 40,000 systems for critical vulnerabilities and it is increasing those numbers every day. Federal agencies are patching vulnerabilities as they are identified.
Now, here's the skeptic in me commenting.
- "...increased multi-factor authentication...by 20 percent..." So, if 10 privileged users used to have multi-factor authentication, a 20% increase means that there are now 12 privileged users. If you want me to applaud you, you're going to have to tell me what that increase represents as a percentage of all the privileged users. And if some agencies have increased to 100%, great for them, but where did they start from? Did they just remove privileged users (which could be OK; maybe they had too many privileged accounts to begin with).
- "...scanned over 40,000 systems..." And that represents what percentage of systems? Are we talking end-nodes (user workstations and PCs) only? What about telecommunications equipment, servers, smartphones, etc.? I suspect they still have a *very* long way to go.
As government agencies continue to look closely at their systems, we can expect them to find evidence of additional leaks or breaches - that means we're going to hear more about lost data and it's going to make everyone angry, especially those who learn they had personally identifiable information exposed. I'm really sorry, but at the same time, I think it's a good thing. We need to be honest about the scope of the problem before we can start fixing things. And that means that those of you in industry need to be honest about the scope of the problem in your organization(s), too.
So, what is your organization doing to improve its cybersecurity processes? Did you take the opportunity to run your own Cybersecurity Sprint? I would suggest that the activity would be helpful in any organization, regardless of how well you believe you are managing this aspect of your business. For those with strong processes and procedures in place, it's a chance to measure their effectiveness. And for those with little cybersecurity infrastructure, it's a chance to learn from the federal initiative and get yoru house in order, hopefully before you have a significant breach.
No comments:
Post a Comment