Cyberdefense Guidelines For Agencies And Departments
By David Gewirtz
From a cyberdefense perspective, 2014 was a long year. Barely
a day went by without reports of another breach, another hack
attack, and another devastating security violation.
For agencies and departments tasked with their own missions,
cybersecurity has often been an afterthought. But with so many
disturbing reports in the news, administrators and directors have
started to ask what they need to do to be prepared.
Although a full security policy is beyond the scope of this column,
the following baker's dozen of security guidelines will give you
a starting point as you make recommendations to your organizations.
1. Prepare to budget-up. You're going to war whether you want
to or not.
Expect to spend on security software, systems, and consultants.
This is a war and making sure you have the right defenses will
cost money. The only thing that might make you feel slightly better
is that it would cost you vastly more if you were attacked without
2. The threat is asymmetrical. You have to defend against everything.
All they have to do is find one weak entry point.
Enemy actors aren't just enemy actors. They are also organized
crime organizations, activist hackers, and anyone trying to find
information they can resell. As a result, you will need to defend
against a wide variety of unknown attackers, and all they need
to do is find one employee who has poor cybersecurity hygiene.
3. The damage can be catastrophic and can range from physical
to security to ending careers.
We have all read about the costs to Target, Home Depot, Sony
and many other popular brands when their networks were breached.
But it's not just about information breaches. As more and more
devices are connected to the Internet, expect physical threats
ranging from gas station explosions to hijacked vehicle control
and even damage to the electric grid.
Of course, there's one other aspect to a big breach and that's
if you were in charge when it happened, the only office you're
likely to be going to anytime soon is the unemployment office.
4. No matter how much more important other potential targets
may be, everyone is a target.
You may not think your organization is as juicy a target as,
say, the agency down the block. But most cyberbreaches (particularly
those trolling for monetary gain) are about numbers, not quality.
Anything that can be found (credit card information, login credentials,
personal information) can often be resold or used as a way into
other organizations. Bottom line: you are a target. Get used to
5. Don't worry about who might attack. Focus instead on how they
might get in.
When you try to figure out who might want to attack you, you
will undoubtedly miss some potential bad guys. The point in preparing
is not to try to guess who the bad guys might be, but how they
might try getting in. When planning your defense, look for vulnerabilities,
not personalities. Look for weaknesses.
A recent breach occurred because all servers had been protected
with multifactor authentication, except for one older machine,
which still just used user names and passwords. Wouldn't you know
it? The bad guys found that weak machine and used it to gain access
to the network, then proceeded to wreak havoc.
6. Older tech is highly vulnerable, so it's time to let go of
all those old Windows XP machines.
Back in the day, cybersecurity wasn't the first concern when
designing systems software. Instead, it was getting enough performance
out of the hardware. As a result, older systems weren't built
with cyberdefense in mind and are often exceptionally vulnerable.
Windows XP is no longer supported and is also very vulnerable.
If you are running systems more than two or three years old,
it is time to consider moving on. When it comes to desktops, if
you are running Windows older than Windows 7, you must upgrade.
If you are running OS X older than "Mavericks," you
must upgrade. Older Android devices are vulnerable as well.
Worse, older systems are no longer getting security upgrades,
so guess what sorts of machines the bad guys will look for first?
About the Author
David Gewirtz is Director of the U.S. Strategic Perspective Institute,
Distinguished Lecturer for CBS Interactive, Cyberwarfare Advisor
for the International Association of Counterterrorism and Security
Professionals, IT Advisor to the Florida Public Health Association
and an instructor at the UC Berkeley extension.
This is only a partial version
of the article published in the latest Journal of Counterterrorism & Homeland
for the full version of the article and many others like this,
please use our IACSP membership form to join the IACSP.
Get one year of magazines and newsletters for the low price of
$65 Click Here!