While data breaches and ransomware attacks have become regular occurrences, the ransomware attack on Colonial Pipeline garnered national attention—including the attention of those on Capitol Hill.
In 2020 alone, cybercrime losses topped $1 trillion, yet many politicians called this attack, which left much of the Southeast in a short-term panic over fuel shortages, a “wake-up call.”
Attacks on municipalities and on publicly and privately owned critical infrastructure are becoming more common as hackers take advantage of weak cybersecurity controls. Plus, the pressure to pay the ransom to restore systems in these scenarios is much higher, since unavailable critical infrastructure can quickly cause a panic in our economy.
As a result, on May 12, 2021, the Biden administration issued an executive order on improving the nation’s cybersecurity. The administration has outlined some ambitious steps aimed at ensuring the security and privacy of the networks of both public and private sector organizations.
While the steps are geared toward federal information systems, many of the criteria are considered good industry best practices for securing any organization.
Below is an outline and summary of the goals presented in the executive order, plus how they can inform the cybersecurity decisions you make in your own organization:
1. Remove Barriers to Threat Information Sharing Between Government and the Private Sector
While many public/private information sharing partnerships are in place—such as InfraGard, a partnership between the FBI and the private sector—this goal in the executive order is to ensure those relationships remain intact. This is especially important as it relates to third-party IT providers that deliver services to a governmental or private entity.
The executive order acknowledges that parties may be hesitant to share information about incidents and breaches due to the sensitive nature of that information, and it seeks to remove barriers to communication by redefining contractual language that may prevent it.
We’re all in this battle together, and the timeliness of information sharing regarding an incident or breach can be crucial to preventing an attack.
2. Modernize and Implement Strong Cybersecurity Standards in the Federal Government
This item specifically outlines improvements to an organization’s controls, such as securing cloud services and adopting a zero-trust architecture, which should be built on principles such as least privilege.
Employing this principle, along with periodic logical access reviews, helps to ensure that access granted to the network or applications gives the user only the bare minimum needed to perform his or her job duties.
Additionally, the executive order stresses the importance of multi-factor authentication and of protecting sensitive data with appropriate encryption both at rest and in transit.
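One way to turn a periodic logical access review into a repeatable check: compare each account’s actual grants against a least-privilege baseline for its role and flag excess entitlements, accounts with no defined role, and dormant accounts. This is an added example, not code from the executive order or the article; the role baseline, account snapshot and review date are constructed sample data, and a real review would pull them from the organization’s IAM system.

```python
"""Periodic logical access review against a least-privilege role baseline.

Added example, not from the executive order or the article. The baseline,
the account snapshot and the review date are constructed sample data.
"""
from datetime import date

# Hypothetical baseline: the minimum entitlements each job role needs.
ROLE_BASELINE = {
    "accountant": {"erp.read", "erp.post_journal"},
    "helpdesk": {"ad.reset_password", "ticketing.write"},
    "dba": {"db.read", "db.write", "db.admin"},
}

# Constructed account snapshot: role, granted entitlements, last login.
ACCOUNTS = [
    {"user": "alice", "role": "accountant",
     "grants": {"erp.read", "erp.post_journal"}, "last_login": date(2021, 6, 1)},
    {"user": "bob", "role": "helpdesk",
     "grants": {"ad.reset_password", "ticketing.write", "db.admin"}, "last_login": date(2021, 6, 3)},
    {"user": "carol", "role": "dba",
     "grants": {"db.read", "db.write", "db.admin"}, "last_login": date(2020, 11, 15)},
    {"user": "svc_legacy", "role": "unknown",
     "grants": {"erp.read"}, "last_login": date(2021, 5, 30)},
]

REVIEW_DATE = date(2021, 6, 7)  # constructed "as of" date for the review


def review_access(accounts, baseline, as_of, dormant_days=90):
    """Return review findings as (user, finding_type, detail) tuples."""
    findings = []
    for acct in accounts:
        expected = baseline.get(acct["role"])
        if expected is None:
            # No baseline for this role: no grant can be justified by the role.
            findings.append((acct["user"], "no_role_baseline", acct["role"]))
        else:
            excess = acct["grants"] - expected
            if excess:
                findings.append((acct["user"], "excess_privilege", sorted(excess)))
        # Dormant accounts are a standing risk regardless of their grants.
        if (as_of - acct["last_login"]).days > dormant_days:
            findings.append((acct["user"], "dormant_account", acct["last_login"].isoformat()))
    return findings


if __name__ == "__main__":
    for finding in review_access(ACCOUNTS, ROLE_BASELINE, REVIEW_DATE):
        print(finding)
```

Each finding is something a reviewer must either remediate (revoke the grant, disable the account) or document a justification for before the review is closed.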
3. Improve Software Supply Chain Security
It should be no surprise that software and applications are often not developed with security top of mind. Instead, the end user experience and convenience are usually the priorities.
This item in the executive order is primarily aimed at ensuring that software developed and sold to governmental and private entities is developed securely, measured against a baseline security standard.
Additionally, a pilot program will be developed to label “securely developed software,” similar to the Energy Star label on products on the market today. A set of standards for third parties will help to standardize a security baseline for product/service evaluation. As end users of software or services, however, we must always remember that while we may choose to outsource a service or purchase a product, we cannot outsource the responsibility.
Ensuring that we practice good vendor due diligence prior to engaging a vendor, as well as throughout the life of the vendor relationship, is crucial.
4. Establish a Cybersecurity Safety Review Board
This item follows the same principle as item 1 above, recognizing that post-incident analysis, and sharing those lessons learned with others and with your peer groups, is crucial.
Therefore, the order establishes a Cybersecurity Safety Review Board, similar to the National Transportation Safety Board, which investigates aircraft accidents. The Board will analyze cyber incidents, response procedures and lessons learned to help improve processes and procedures.
Post-incident analysis is key to understanding what went wrong and to help identify control gaps and failures.
5. Create a Standard Playbook for Responding to Cyber Incidents
Organizations commonly rely on preventive controls to stop a cyber attack. However, the controls used to detect and respond to an attack arguably deserve a higher level of attention.
Annual statistics tell us that on average it takes approximately seven months for an organization to detect a cyber attack and another two months to contain it. Under this item, the executive order calls for a standardized set of procedures for responding to a cyber incident.
While incident response plans are critical, organizations should also ensure those plans are tested at least annually to measure and improve cyber response readiness.
6. Improve Detection of Cybersecurity Incidents on Federal Government Networks and Improve Investigative and Remediation Capabilities
Detection is key.
Network monitoring systems collect large amounts of data in the form of logs that must be analyzed and used to continually improve your systems’ ability to detect future attacks.
Log aggregation tools, such as security information and event management (SIEM) systems, are great products to help make sense of the large amounts of data collected. Additionally, many endpoint protection products and firewalls use artificial intelligence (AI) to help analyze web traffic, detect network spikes or unusual trends, and alert on or block intrusion attempts as they happen.
Early detection can help to stop an attack quickly before systems are completely compromised.
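The kind of “unusual trend” a SIEM correlation rule catches can be as simple as a burst of failed logins from one source inside a short window. The following is an added example, not code from the article or any SIEM product; the log lines are constructed in a syslog-like format, and the threshold and window size are hypothetical rule parameters.

```python
"""Sliding-window correlation rule over authentication log lines.

Added example, not from the article. The log format, the sample lines and
the rule parameters (threshold, window) are constructed for illustration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed line format: "<ISO timestamp> auth: <FAIL|OK> user=<u> src=<ip>"
LINE_RE = re.compile(r"^(\S+) auth: (FAIL|OK) user=(\S+) src=(\S+)$")

# Constructed sample: one source bursting failures, plus ordinary noise.
SAMPLE_LOG = """\
2021-06-07T09:00:01 auth: OK user=alice src=10.1.1.5
2021-06-07T09:00:05 auth: FAIL user=admin src=203.0.113.9
2021-06-07T09:00:07 auth: FAIL user=root src=203.0.113.9
2021-06-07T09:00:09 auth: FAIL user=admin src=203.0.113.9
2021-06-07T09:00:12 auth: FAIL user=bob src=10.1.1.7
2021-06-07T09:00:14 auth: FAIL user=test src=203.0.113.9
2021-06-07T09:00:15 auth: FAIL user=guest src=203.0.113.9
2021-06-07T09:05:00 auth: FAIL user=bob src=10.1.1.7
2021-06-07T09:05:02 auth: OK user=bob src=10.1.1.7
"""


def detect_bursts(log_text, threshold=5, window_seconds=60):
    """Alert once per source when its failures inside the window reach threshold.

    Returns a list of (source, timestamp_of_alert) tuples in log order.
    """
    recent = defaultdict(deque)  # src -> timestamps of failures still in window
    alerted = set()
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable lines are skipped rather than aborting the rule
        ts_str, result, _user, src = m.groups()
        if result != "FAIL":
            continue
        ts = datetime.fromisoformat(ts_str)
        window = recent[src]
        window.append(ts)
        # Expire failures that fell out of the sliding window.
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) >= threshold and src not in alerted:
            alerted.add(src)  # one alert per source, not one per extra failure
            alerts.append((src, ts_str))
    return alerts
```

The same loop structure, fed by a live log stream instead of a string, is the core of a real-time alerting rule; tuning the threshold and window against your own baseline is what keeps it from drowning analysts in noise.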
Learn More about Protecting Your Organization from a Cyber Attack
While these items are certainly not meant to be an exhaustive list of the cybersecurity controls an organization should consider, and some debate may take place about what was or wasn’t included, education and adoption in these areas are key.
We must remain vigilant and ensure sound technology controls are in place and working effectively to protect our organizations from cyber attacks.
For information about how your specific organization should move forward to establish secure controls and guard against attacks, ask an advisor in Warren Averett’s Security, Risk and Controls Group to reach out to you.