Since 2003, with the sponsorship of the U.S. Department of Homeland Security (DHS), October has been recognized as National Cyber Security Awareness Month.  As with other important issues that have “designated months,” like Bullying Prevention Month and Domestic Violence Awareness Month (both also recognized in October), these are issues that deserve year-round attention, not limited to 31 days in October. As a result, this seems like a good time to revisit some critical aspects of cybersecurity about which Federal, State, and local agencies need to remain particularly vigilant. 

After 18 months of this worldwide pandemic, I think we all realize that we will continue to support either a fully remote or, at best, a hybrid workforce for the foreseeable future. Our employees and contractors continue to work from everywhere. The almost overnight transition to nearly 100% telework in March of 2020 presented challenges for connectivity, VPN capacity and routing, and expanded the agency’s threat surface significantly. Add to that, for many agencies the timing of this move to remote work coincided almost perfectly with their migration to Office 365 and cloud-based productivity apps. This further exacerbated the strain on IT and network administrators charged with patching and protecting their networks, applications, and data.

Two of the most critical threats facing agencies today are phishing attacks and weaponized vulnerability attacks. DHS recently said that, as agencies improve their cybersecurity protections and access controls, nation-state threat actors and cyber attackers are focusing even more attention on “spear phishing”: targeting specific individuals within an organization to gain an initial foothold. DHS went on to say that these spear phishing attacks are not necessarily focused on high-profile or senior executives; rather, they target individuals about whom the attacker has enough information to craft an individualized and enticing phishing email. The bottom line: spear phishing is not necessarily targeting the biggest fish, just the easiest to catch!

At the same time, the speed of vulnerability weaponization continues to increase. As threat actors mature their tactics and weaponize vulnerabilities, especially those allowing remote code execution, organizations are struggling to discover their attack surface, understand the risk, and implement ways to accelerate patch and remediation actions. If we think back to 2017, which seems like an eon ago in cybersecurity years, we recall the “WannaCry” ransomware attacks. This exploit and the resulting ransomware encrypted hundreds of thousands of computers around the globe. The more important thing to recall from this attack is that the vulnerability that was exploited, and the patch to address it, were known for months in advance of the attack. And even now, four years later, more than 60% of companies still have not implemented the necessary patch and remain vulnerable to this attack. In the first quarter of 2021, there was a 53% increase in the number of organizations newly infected with WannaCry ransomware.

So, what do agencies do to protect against ransomware?

1. Employee Training – Training alone is only marginally effective: a recent study showed that 97% of users could not recognize targeted phishing attacks. Still, frequent and recurring education helps keep this attack top of mind for our users.

2. Backup your Data – Back up everything: system snapshots, configurations, applications, data, and even log files, and store the backups offline and off site.

3. Update and patch your systems – Patching covers operating systems, applications, third-party software, and firmware. This is where a vulnerability-based patch management system can return a rapid time to value, by helping to prioritize and automate patching of those vulnerabilities that are actively being exploited “in the wild”. Today, it is nearly impossible to remain fully current with all of the patching required for most heterogeneous environments.

Ivanti recently released the results of a survey in which more than 70% of IT and security professionals indicated that patching is too complex and time consuming. The survey indicates that most agencies do not have the bandwidth or resources to map active threats, such as those tied to ransomware, to the vulnerabilities they exploit, and struggle to keep up with deploying patches and validating that they were successfully implemented.
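To make the prioritization in point 3 concrete, here is an added example (not Ivanti’s code or any product feature) of the core logic. It takes a constructed vulnerability scan export and a constructed feed of vulnerabilities seen exploited in the wild, orders open findings so that actively exploited ones come first regardless of raw CVSS score, and then re-checks against a post-patch scan so that a deployment that silently failed is not assumed fixed. The host names, placeholder CVE identifiers and version numbers are all invented for the illustration.

```python
"""Prioritize open vulnerabilities by active exploitation, then verify remediation.

Added example, not Ivanti's code or product. The scan export and the
"actively exploited" feed below are constructed; the CVE identifiers are
placeholders, not real advisories. A real feed would be something like a
known-exploited-vulnerabilities catalogue or a vendor threat feed.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Finding:
    host: str
    cve: str                # placeholder identifier
    cvss: float
    remote_code_exec: bool
    fixed_version: str      # first version that carries the patch
    installed_version: str  # what the scanner saw on the host


# Constructed scan export (one row per host/vulnerability pair).
SCAN = [
    Finding("fileserver-01", "CVE-0000-0001", 9.8, True,  "4.2.1", "4.1.0"),
    Finding("hr-laptop-17",  "CVE-0000-0002", 5.3, False, "2.0.5", "2.0.4"),
    Finding("vpn-gw-02",     "CVE-0000-0003", 8.1, True,  "7.1.3", "7.0.9"),
    Finding("dev-box-03",    "CVE-0000-0004", 7.5, False, "1.9.0", "1.8.2"),
    Finding("fileserver-01", "CVE-0000-0005", 6.5, False, "4.2.1", "4.2.1"),
]

# Constructed feed of vulnerabilities seen exploited in the wild (e.g. tied
# to ransomware campaigns). Membership here outranks raw severity.
ACTIVELY_EXPLOITED = {"CVE-0000-0003", "CVE-0000-0002"}


def _version(v: str) -> tuple:
    """'4.2.1' -> (4, 2, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in v.split("."))


def is_remediated(f: Finding) -> bool:
    return _version(f.installed_version) >= _version(f.fixed_version)


def priority_key(f: Finding, exploited: set) -> tuple:
    """Higher tuple = patch sooner: exploited in the wild, then RCE, then CVSS."""
    return (f.cve in exploited, f.remote_code_exec, f.cvss)


def patch_queue(findings, exploited=ACTIVELY_EXPLOITED):
    """Open findings ordered by how urgently they should be patched."""
    open_findings = [f for f in findings if not is_remediated(f)]
    return sorted(open_findings, key=lambda f: priority_key(f, exploited), reverse=True)


def validate(findings, rescan_versions, exploited=ACTIVELY_EXPLOITED):
    """Re-evaluate after deployment.

    rescan_versions maps (host, cve) -> installed version reported by the
    post-patch scan. Anything still below fixed_version is returned, so a
    deployment that silently failed shows up instead of being assumed done.
    """
    rescanned = [
        replace(f, installed_version=rescan_versions.get((f.host, f.cve), f.installed_version))
        for f in findings
    ]
    return patch_queue(rescanned, exploited)


if __name__ == "__main__":
    for f in patch_queue(SCAN):
        flag = "EXPLOITED" if f.cve in ACTIVELY_EXPLOITED else "         "
        print(f"{flag} {f.host:14} {f.cve} cvss={f.cvss} rce={f.remote_code_exec}")
    # Constructed post-patch scan: the VPN gateway took the patch, the laptop did not.
    still_open = validate(SCAN, {("vpn-gw-02", "CVE-0000-0003"): "7.1.3",
                                 ("hr-laptop-17", "CVE-0000-0002"): "2.0.4"})
    print("still open after deployment:", [f.host for f in still_open])
```

Notice that the 5.3-rated laptop finding outranks the 9.8 remote code execution finding on the file server because it is in the exploited feed; that is the difference between severity-based and threat-based prioritization described above. The `validate` step covers the other half of the survey finding: confirming that a patch actually landed rather than trusting the deployment job.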

4. Segment your networks – Implement a zero-trust architecture with network segmentation, even micro-segmentation, and continuously authenticate and authorize users, devices, and transactions so that only authorized transactions reach data and resources. Separate your business networks from your operations/manufacturing/production networks, and of course separate your dev, test, and QA networks. Then further segment your network with access control checks to prevent lateral movement within the network by non-authorized users or bots.
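The segmentation and per-transaction authorization in point 4 can be expressed as a deny-by-default policy and checked against flow records. The following is an added example, not code from the original post: the zones, the policy table, the user-to-role mapping and the flow log are all constructed (in practice zone membership would come from IPAM/CMDB data and the flows from firewall or NetFlow exports). Any flow that is not on an explicitly allowed path, including traffic between two hosts inside the same zone, or whose user lacks a role for that path, is reported as a candidate lateral-movement event.

```python
"""Deny-by-default segmentation and per-flow authorization check.

Added example, not from the original post. The zones, the policy table, the
user-to-role mapping and the flow log are all constructed; in practice zone
membership would come from IPAM/CMDB data and flows from firewall or
NetFlow exports.
"""
import ipaddress
from dataclasses import dataclass

ZONES = {
    "business": ipaddress.ip_network("10.10.0.0/16"),
    "ops":      ipaddress.ip_network("10.20.0.0/16"),
    "dev":      ipaddress.ip_network("10.30.0.0/16"),
    "qa":       ipaddress.ip_network("10.40.0.0/16"),
    "backup":   ipaddress.ip_network("10.50.0.0/24"),
}

# Explicitly allowed paths: (source zone, destination zone, port) -> roles
# permitted to use them. Anything not listed is denied, including traffic
# between hosts inside the same zone (micro-segmentation).
POLICY = {
    ("business", "ops", 443): {"ops-engineer"},
    ("dev", "qa", 8443):      {"developer", "qa"},
    ("ops", "backup", 22):    {"backup-admin"},
}

USER_ROLES = {
    "alice": {"ops-engineer"},
    "bob":   {"developer"},
    "carol": {"backup-admin"},
    "svc-scan": set(),          # service account with no interactive role
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    port: int
    user: str


def zone_of(ip: str):
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None   # outside every defined zone


def evaluate(flow: Flow):
    """Return ("allow"|"deny", reason). Network position alone never suffices;
    the user on the flow must also hold a role the path permits."""
    s, d = zone_of(flow.src), zone_of(flow.dst)
    if s is None or d is None:
        return "deny", "address outside every defined zone"
    roles = POLICY.get((s, d, flow.port))
    if roles is None:
        return "deny", f"no policy for {s}->{d}:{flow.port}"
    if not USER_ROLES.get(flow.user, set()) & roles:
        return "deny", f"user {flow.user} not authorized for {s}->{d}:{flow.port}"
    return "allow", f"{s}->{d}:{flow.port} permitted for {flow.user}"


# Constructed flow log: "src dst port user", one record per line.
FLOW_LOG = """\
10.10.1.5 10.20.0.10 443 alice
10.10.1.5 10.10.1.9 445 alice
10.30.2.2 10.40.0.7 8443 bob
10.10.1.5 10.20.0.10 3389 alice
10.20.0.10 10.50.0.3 22 carol
10.20.0.10 10.50.0.3 22 svc-scan
192.0.2.44 10.10.1.5 445 alice
"""


def parse(log: str):
    flows = []
    for line in log.splitlines():
        if not line.strip():
            continue
        src, dst, port, user = line.split()
        flows.append(Flow(src, dst, int(port), user))
    return flows


def denied(log: str):
    """Flows the policy rejects, with the reason: the lateral-movement alert list."""
    out = []
    for flow in parse(log):
        decision, reason = evaluate(flow)
        if decision == "deny":
            out.append((flow, reason))
    return out


if __name__ == "__main__":
    for flow, reason in denied(FLOW_LOG):
        print(f"DENY {flow.src} -> {flow.dst}:{flow.port} ({flow.user}): {reason}")
```

Run on the constructed log, four of the seven flows are denied: workstation-to-workstation SMB inside the business zone, RDP from business to ops on a port with no policy, an SSH session to the backup zone from a service account that holds no permitted role, and a connection from an address outside every defined zone. The policy table doubles as documentation of which cross-zone paths are supposed to exist, which is what an incident responder needs when deciding whether a flow is legitimate.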

5. Regularly test your incident response plans – Test that you can recover from your backups, and test your system recovery and continuity of operations plans to make sure they work, are documented, and your teams know what to do and what not to do. Include crisis communications in your plans, and rehearse and practice every contingency.

The top risk that most agencies face today is ransomware, and the top attack vectors are phishing attacks and weaponized vulnerability attacks against unpatched systems and applications. In many cases, a successful phishing attack has as its payload the launch of a weaponized vulnerability attack from inside the network’s perimeter defenses. As threat actors continue to refine their attacks, these vulnerabilities, especially those with remote code execution capabilities