Thursday, November 25, 2021

3 Things The U.S. Federal Government Needs To Do For Cybersecurity

 


Well, first and foremost to everybody out there, have a wonderful Thanksgiving! May you enjoy the holiday with family and friends. Despite what the year has brought us, there is still a lot to be grateful for, especially that we, the United States, have survived yet another year of the COVID-19 pandemic.

As for me, with a day off, I was bored, so I thought I would write an article anyway. Apart from all of the technojargon that has come and gone, as well as all of the vendors, there is a newer trend happening in our world today: the mushrooming of frameworks, policies, templates, etc. by the Federal Government, brought on especially by NIST.

One of the main catalysts for this has been the CMMC, which is a mandate that all contractors/subcontractors in the Defense Industrial Base have to achieve some sort of certification by the DoD before they will be allowed to bid on future contracts or even to continue on existing contracts.

There also have been other things that have come out to help businesses establish the right balance of controls for data privacy compliance, etc.

But the problem, as we all know, is that by the time the Federal Government has established new guidelines for Cybersecurity, the threat landscape has changed and, as a result, these policies need to be updated again. Very often, the Federal Government is blamed for this, for being too far behind the curve in keeping up with what is happening out there.

It’s like Biden’s recent Cybersecurity Executive Order. It’s great that it has been signed, but how long will it take before it really has an impact? My best guess at this point would be probably a few years, at the very least.

So, what can the Federal Government do to make sure that whatever new frameworks, policies, etc. that they come up with will still have some bearing for the future?

The key is to look at what the trends are now, and see which ones will still carry on for at least the next few years down the road. It is also very important to keep in mind that the emergence of the near 99% Remote Workforce has played a huge part in dictating this picture.

So, what should the areas of emphasis be when creating these new pieces of documentation?  Here is a sampling:

1) The Cloud:

Although Corporate America started to realize the benefits long before COVID-19 hit, it is the pandemic which has fueled this growth to a much more permanent level. For example, many businesses are now migrating their On Prem Infrastructures entirely into a Private Cloud(s) platform such as AWS or Microsoft Azure. Although in theory the same controls should still take effect, there could be some differences. The adoption of the Cloud is only going to grow into the future, as the thought of the “Metaverse” is now starting to get embraced by companies as well. This is where avatars are used 100% to represent ourselves in the real world. Also, data privacy is a whole new ball game here as well, as leakages are more prevalent in the Cloud than ever before.

2) Address the issue of Endpoint Security:

Before the near 99% Remote Workforce took hold, many companies simply relied upon the traditional VPN in order to secure the lines of network communications from the point of origination to the point of destination, and vice versa. But with everybody WFH now, the VPNs have reached their breaking points, and protecting these Endpoints has become a forgotten issue. Because of both of these factors, the Cyberattacker now has new ways of getting in, and of staying in for much longer periods of time, going unnoticed. As a result, organizations in Corporate America have started to realize this and have started to do something about it, albeit too late, IMHO. Therefore, any new frameworks or guidelines that come out of the Federal Government have to address these two issues, and even provide checklists to make sure that not only is newer technology being used to keep up with the sheer explosion of people WFH, but that the right tools are also in place to help fortify these Endpoints, as they will only grow more into the future as well.

3) Wireless Access:

Even more so than the VPN, this kind of access will proliferate into the future as well, probably even more so than anything else. Once again, it is COVID-19 that has really brought this on. For example, when everybody was in the office, this was barely an issue. But once again, with everybody WFH, the meshing of the home and corporate networks became a problem. For example, many remote workers still continue to use their home networks in order to access the corporate networks. While this may be secure in one sense, how on earth do the IT Security teams apply software patches/upgrades to the wireless devices without first getting access to the home network? Nobody will allow this to happen, because of the privacy issues that are involved. People would much sooner quit than give access to some stranger they do not even know. Compounding this problem is when people choose to work in public venues, such as the local Starbucks, and choose to totally ignore all of the employer’s security policies.

My Take On This

Well, there you have it, some of the top Cyber issues that the Federal Government has to take into consideration when creating their new frameworks and guidelines. But the reality is that it will literally take forever for the government to respond to this, as mentioned before. So what is one to do? Well, just make sure that you are keeping up to snuff on what is happening now.

In terms of compliance, this means keeping up with the tenets of the GDPR and the CCPA so that you do not get fined or audited.  But more than anything else, whatever good security practices you have on hand right now, make sure you keep up with that, and more!!!
