US Cybersecurity Strategy In The Trump Era

Uploaded on 2016-11-30 in FREE TO VIEW, GOVERNMENT-National, NEWS-Cybersecurity News

In a few months there will be a new Trump Administration in Washington with an opportunity to update  US national security policies.  So it’s good time to reflect on what  might might be done  differently for cybersecurity.

A quick search on the Internet will reveal many national cybersecurity initiatives. However, given the recent data theft of DNC emails and DDoS attack on Dyn it’s evident that current initiatives aren’t working. The question to ask is why?  The quick answer is that we don’t have a national cybersecurity strategy that everyone can implement.

Click on any cybersecurity initiative you desire and you’ll find comprehensive strategies developed by smart security experts.  While well intentioned the writers make the common mistake of laying out cybersecurity strategies that are too complex for most organizations.  Apart from the top 0.1% of US organizations (financial institutions and intelligence agencies), the 99.9% simply don’t have the resources to implement anything complex.

A workable national cybersecurity strategy needs to be built using simple tasks the 99.9% can implement to mitigate the most common cyber-attacks. For those organisations have a higher threat profile, a cybersecurity strategy should also offer a clear path that steps-up their security posture, when called for. Thus we need a basic requirement that everyone can implement (without exception) plus a step-up path when necessary.

Another challenge in developing a national cybersecurity strategy that uniquely American is that we are an open society where the bulk of IT tasks are outsourced.  Thus cyber attackers know exactly what we’re doing.  A national cybersecurity strategy must be based on verifiable tasks (not secret activities) that reduce cyber risk.

So here’s three things the nation can do to make it less vulnerable to cyber-attacks:

1/ Implement 2-Factor Authentication

Basic: Implementing two-factor authentication is the simplest mitigation against credential theft.  The great thing about 2-factor is there are so many free or low cost solutions out there from mobile phone texts messages to soft client tokens to email verification. So there’s really no excuse not to do this!

Step-up: For those organisations desiring to, step-up from 2-factor, there are new attribute-based access control solutions like software defined perimeter (SDP) that verify device and user identity as well as check for software tampering.

2/ Encrypt Data Stores  

Basic: Application data stores, email servers and collaboration applications should all have their data encrypted.  Ideally the private key must be on a different physical server from the storage unit and should only be assessable with 2-factor authentication.

Step-up: The next step up from encrypting data on servers is keeping it encrypted on user’s devices.  This requires a bit more work, such as issuing and managing device certificates, but makes it more difficult for cyber attackers to get to data even if they compromise the user’s device.

3/ Lockdown Servers

Basic: Scanning for open server ports is a favorite technique of cyber attackers to gain entry to an organization.  Thus closing un-used interfaces is one of the easiest mitigation techniques. This can be done by configuring the internal Firewall on Internet facing application servers.

Step-up: Implement the OWASP Top 10 controls to further insure your Internet facing servers are not vulnerable to front door attacks.  Additionally, locking down internal servers with host-based Firewalls or software defined network (SDN) is also recommended for those organisations with higher risk profiles.

Looking the short “short-list”, you’ll find the recommended tasks have been around for decades.  While not fancy they’re proven to be effective.  More important, there’s no excuse for everyone not being able to implement them!  One can only speculate that if the DNC had encrypted their email storage system and implemented 2-factor how history would be different? Or if stronger authentication would have lessened the DDoS attack on Dyn?

A national cybersecurity strategy is well within our reach. We just need to align available security tools and techniques against the most common threats. There is no reason why this cannot be done.

CTO Vision:    

Donald Trump Has A Plan for CyberWar:      US Has A Strategy To Defend Against Another Massive IoT Attack:

 

 

« AI Needed To Prevent Cyber-Attacks On Healthcare
Artificial Intelligence: AI Fact & Fiction »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

ZenGRC

ZenGRC

ZenGRC (formerly Reciprocity) is a leader in the GRC SaaS landscape, offering robust and intuitive products designed to make compliance straightforward and efficient.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

Help Net Security

Help Net Security

Help Net Security has been a prime resource for information security news and insight since 1998.

NUS-Singtel Cyber Security R&D Lab

NUS-Singtel Cyber Security R&D Lab

NUS-Singtel Cyber Security R&D Lab conducts research into predictive security analytics.

IoT Security Foundation (IoTSF)

IoT Security Foundation (IoTSF)

IoTSF is a collaborative, non-profit organisation with a mission to raise the quality and drive pervasive security in the Internet of Things.

Trust Guard

Trust Guard

Trust Guard services provide complete security for your website.

Zymr

Zymr

Zymr specialize in cloud computing solutions including Cloud Security, Cloud Mobility, Cloud Apps, Cloud Infrastructure and Cloud Orchestration.

Aiuken Cybersecurity

Aiuken Cybersecurity

Aiuken is an international IT Security company, focused on communications and IT technologies, specialised in Security and Cloud Services solutions with high added value.

SIS Certifications (SIS CERT)

SIS Certifications (SIS CERT)

SIS Certifications is an ISO certification body serving more than 10,000 clients in over 15 countries worldwide.

Britive

Britive

The Britive Platform is a cloud-native security solution built for the most demanding cloud-forward enterprises.

Agile Underwriting

Agile Underwriting

Agile, an underwriting agency, insurtech and Coverholder at Lloyd's, provides niche insurance products across Aviation, Marine & Cargo, Cyber and Financial Lines.

AdEPT Technology Group

AdEPT Technology Group

AdEPT are a managed services and telecommunications provider offering award-winning, proven and uncomplicated technical solutions for over 12,000 organisations across the UK.

TXOne Networks

TXOne Networks

TXOne Networks offer cybersecurity solutions to protect your industrial control systems to ensure their reliability and safety from cyberattacks.

eaziSecurity

eaziSecurity

eaziSecurity has built an eco-system of technology and services that bring enterprise scale security solutions to the SME marketplace.

ATSG

ATSG

ATSG is a global leader in transformational technology solutions for today’s digital enterprise. Cybersecurity ranging from Advisory & Assessment to Fully Managed Detection and Response Services.

Kivera

Kivera

Kivera enforces your organisation governance and security policies across cloud deployments preventing misconfigurations turning into attack vectors.

SecuCenter

SecuCenter

Secucenter is a trusted partner for SOC services, offering security expertise in a cost-effective way.

UFS Technology

UFS Technology

UFS, the bank technology outfitter for community banks, provides purpose-built, bank-exclusive technology services and solutions including cybersecurity.