Latest Journal Article

Cyberdefense Guidelines For Agencies And Departments

By David Gewirtz

From a cyberdefense perspective, 2014 was a long year. Barely a day went by without reports of another breach, another hack attack, and another devastating security violation.

For agencies and departments tasked with their own missions, cybersecurity has often been an afterthought. But with so many disturbing reports in the news, administrators and directors have started to ask what they need to do to be prepared.

Although a full security policy is beyond the scope of this column, the following baker's dozen of security guidelines will give you a starting point as you make recommendations to your organizations.


1. Prepare to budget-up. You're going to war whether you want to or not.

Expect to spend on security software, systems, and consultants. This is a war and making sure you have the right defenses will cost money. The only thing that might make you feel slightly better is that it would cost you vastly more if you were attacked without any defenses.

2. The threat is asymmetrical. You have to defend against everything. All they have to do is find one weak entry point.

Enemy actors aren't just enemy actors. They are also organized crime organizations, activist hackers, and anyone trying to find information they can resell. As a result, you will need to defend against a wide variety of unknown attackers, and all they need to do is find one employee who has poor cybersecurity hygiene.

3. The damage can be catastrophic and can range from physical to security to ending careers.

We have all read about the costs to Target, Home Depot, Sony and many other popular brands when their networks were breached. But it's not just about information breaches. As more and more devices are connected to the Internet, expect physical threats ranging from gas station explosions to hijacked vehicle control and even damage to the electric grid.

Of course, there's one other aspect to a big breach and that's if you were in charge when it happened, the only office you're likely to be going to anytime soon is the unemployment office.

4. No matter how much more important other potential targets may be, everyone is a target.

You may not think your organization is as juicy a target as, say, the agency down the block. But most cyberbreaches (particularly those trolling for monetary gain) are about numbers, not quality. Anything that can be found (credit card information, login credentials, personal information) can often be resold or used as a way into other organizations. Bottom line: you are a target. Get used to it.

5. Don't worry about who might attack. Focus instead on how they might get in.

When you try to figure out who might want to attack you, you will undoubtedly miss some potential bad guys. The point in preparing is not to try to guess who the bad guys might be, but how they might try getting in. When planning your defense, look for vulnerabilities, not personalities. Look for weaknesses.

A recent breach occurred because all servers had been protected with multifactor authentication, except for one older machine, which still just used user names and passwords. Wouldn't you know it? The bad guys found that weak machine and used it to gain access to the network, then proceeded to wreak havoc.

6. Older tech is highly vulnerable, so it's time to let go of all those old Windows XP machines.

Back in the day, cybersecurity wasn't the first concern when designing systems software. Instead, it was getting enough performance out of the hardware. As a result, older systems weren't built with cyberdefense in mind and are often exceptionally vulnerable. Windows XP is no longer supported and is also very vulnerable.

If you are running systems more than two or three years old, it is time to consider moving on. When it comes to desktops, if you are running Windows older than Windows 7, you must upgrade. If you are running OS X older than "Mavericks," you must upgrade. Older Android devices are vulnerable as well.

Worse, older systems are no longer getting security upgrades, so guess what sorts of machines the bad guys will look for first?


About the Author

David Gewirtz is Director of the U.S. Strategic Perspective Institute, Distinguished Lecturer for CBS Interactive, Cyberwarfare Advisor for the International Association of Counterterrorism and Security Professionals, IT Advisor to the Florida Public Health Association and an instructor at the UC Berkeley extension.


 

This is only a partial version of the article published in the latest Journal of Counterterrorism & Homeland Security Int'l.
for the full version of the article and many others like this, please use our IACSP membership form to join the IACSP.

Get one year of magazines and newsletters for the low price of $65 Click Here!

IACSP Mailing List

NEW!

bullet Special Promotions
bullet Banner Ad Rates
bullet Promotional Graphics

Grab your subscription to the most read, well respected magazine on counterterrorism in the world.
Subscribe Now!