Page 61 - Cyber Defense Magazine for August 2020

The reality is that many organizations were already struggling with basic cyber hygiene before the telework surge – and most of the security tools implemented were designed for local enterprises. With a distributed workforce, this means increased cyber risk, as the security tools in place become even less effective.


In this new environment, federal IT teams should focus on risk prioritization and remediation – identifying and addressing the vulnerabilities that pose the highest risk and could have the biggest negative impact on the agency and its mission.

Performing Risk Prioritization and Remediation

Almost half of federal agencies say the new distributed workforce has affected the execution of projects, and over one-quarter feel planning for the next fiscal year has been delayed. April and May were months of change, and June is predicted to be a catch-up month. Demand and expectations for real-time information and IT support from customers are up, so agencies must be prepared.

Risk prioritization can help IT teams evaluate the infrastructure beyond data vulnerabilities, determine which vulnerabilities to patch, and assess an endpoint's security level – which can dramatically change the risk level. By prioritizing risks, security teams can more effectively allocate their already limited resources to focus on mission-critical tasks.


However, IT teams now have to consider the degrees of separation between each endpoint in context. In addition to the connectivity to the enterprise network, there's often connectivity to other endpoints, the applications and users authenticated to each, and the rights and privileges conveyed through such mechanisms as AD group membership. Even if one endpoint is completely secure, a user profile on another more vulnerable endpoint could provide an access point for lateral movement into the entire network. Given that these factors and variables can change by the second in a large enterprise, a quarterly, monthly or even weekly risk assessment is insufficient.
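The degrees-of-separation idea above can be sketched as a small scoring model. This is an added example, not from the article or any vendor: the hostnames, accounts, scores and the halve-per-hop decay are constructed assumptions, and in practice the links would be rebuilt continuously from session and AD group data.

```python
from collections import deque

# Constructed sample inventory (assumption, not from the article): worst CVSS
# base score per endpoint, and the accounts with a profile on each endpoint.
CVSS = {"hr-laptop": 9.8, "dev-ws": 4.3, "file-srv": 0.0, "dc01": 0.0}
PROFILES = {
    "hr-laptop": {"alice"},
    "dev-ws": {"alice", "bob"},
    "file-srv": {"bob", "svc-backup"},
    "dc01": {"svc-backup"},
}

def build_graph(profiles):
    """Link two endpoints when at least one account has a profile on both."""
    graph = {host: set() for host in profiles}
    hosts = list(profiles)
    for i, a in enumerate(hosts):
        for b in hosts[i + 1:]:
            if profiles[a] & profiles[b]:
                graph[a].add(b)
                graph[b].add(a)
    return graph

def hops_from(graph, start):
    """Breadth-first search: degrees of separation from start to each reachable endpoint."""
    dist = {start: 0}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for nxt in graph.get(node, ()):
            if nxt not in dist:
                dist[nxt] = dist[node] + 1
                queue.append(nxt)
    return dist

def contextual_risk(cvss, profiles, decay=0.5):
    """Per endpoint: the highest reachable score, discounted by decay for every hop away.
    The decay factor is an illustrative assumption, not a standard."""
    graph = build_graph(profiles)
    risk = {}
    for host in cvss:
        dist = hops_from(graph, host)
        risk[host] = max(cvss.get(other, 0.0) * decay ** d for other, d in dist.items())
    return risk

if __name__ == "__main__":
    ranked = sorted(contextual_risk(CVSS, PROFILES).items(), key=lambda kv: -kv[1])
    for host, score in ranked:
        print(f"{host:10} own={CVSS[host]:<4} contextual={score:.2f}")
```

The fully patched `dc01` ends up with a non-zero score because it sits three shared-account hops from the vulnerable `hr-laptop`; removing a shared account changes the graph and therefore the score.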


Often, the security problems that agencies are facing are oversimplified, and vendors can only provide partial solutions to help; they run a vulnerability assessment and receive a risk score from systems such as the industry standard Common Vulnerability Scoring System (CVSS), helping them assess and rank their vulnerability management processes. However, while risk scoring systems such as these combine several types of data in order to provide the vulnerability risk score, they aren't always based on real-time data, and the results are only as good as the data that's input.

Vendors have completed a piece of the puzzle by diagnosing vulnerabilities and identifying threats, but now have to take into consideration the millions of risk scores across millions of endpoints – some of which are unknown – trying to access the network, and the context of the relationship between these endpoints over time.

The lack of complete visibility into the network leaves many vulnerabilities unknown and makes risk assessments little more than guesswork for IT teams – increasing the likelihood of a breach. Risk scores are living, breathing things and, especially in the new teleworking environment, must be based on real-time data to protect the agency's environment and overall mission.






            Copyright © 2020, Cyber Defense Magazine.  All rights reserved worldwide.