Combating Cybersecurity Challenges with Senior Leadership Support
By Ram Murthy, CIO, US Railroad Retirement Board
With ever-increasing information security and privacy risks, we must make our systems and processes more robust. Several federal agencies and well-established institutions have legacy systems built using an architecture that was deemed vigorous 40 years ago but stands no chance exposed to the modern security threats and real-time interactions of today. Our mission essential functions are performed in a legacy mainframe environment that is costly and extremely resource heavy in order to protect high-value assets and customer data from increasing cyber threats. This concern is compounded by our aging workforce and the scant number of individuals with these legacy skills in the job market today. By re-engineering our legacy systems, we reduce the inherent risks associated with a veteran staff of which 50 percent can retire today, many taking with them the institutional knowledge acquired over 40+ years. Working closely with my Chief Information Security Officer (CISO), my risk management and privacy strategy is to prevent and detect impending attacks through continuous monitoring. By modernizing our legacy systems, we ensure that our enterprise architecture is stable for years to come, is flexible enough to accommodate new innovations, and can enable the encryption and security aspects necessary to keep our high-value assets and data safe.
Cybersecurity is not a onetime activity, but rather a continuous effort requiring vigilance at all times. To improve their security posture, federal agencies continue to make progress toward a compliant information security program with the help of the Security Operations Center and senior leadership support.
Security Operations Center (SOC)
Our SOC is equipped with a robust infrastructure to support real-time monitoring and Network Admission Control (NAC). Our authentication and authorization process is three-fold—first the device must have a trusted certificate; second, the user must have a trusted identity in the network; and third, the Active Directory and NAC look for the trusted agreement of the user-device combination. Leveraging the Certificate Authority (CA) server, we generate agency tailored certificates for all of our devices. In general, all agency staff has federal PIV cards. In the limited scenarios where these PIV cards are not available, such as the case of a privileged login, or a new employee, the agency issues smart cards with certificates from the CA server. Our goal is to improve cybersecurity performance by focusing on the data and information entering and exiting our network, knowing what components are on this network and when their status changes, and who is logged on to our systems. We continue to manage the risk of the critical infrastructure and improve our response times to critical status alerts. Our SOC has large screen dashboards with multiple feeds related to InfoSec monitoring along with real-time notifications sent to the mobile devices of the Incident Handler staff. We have also enrolled in the DHS EINSTEIN-3 Accelerated (E3A) program that ensures all of the traffic from the Domain Name Servers (DNS) and Simple Mail Transfer Protocol (SMTP) is monitored by these services.
Senior Leadership Support
With the establishment of the Senior Agency Official (SAO) for Risk Management, the agency’s leadership is actively involved in risk-based decisions. CISOs today are implementing a risk scoring system that assists decision-making and encourages involvement from the system owners with data transparency and information sharing. Our risk management aim is to prevent high-risk material impact and to establish a potent threat prevention, detection, and threat eradication program. Building partnerships with DHS/CDM, we embrace cybersecurity intelligence collection and ubiquitous sharing.
We also still do our basic network hygiene, such as scanning the agency networks for IT assets to ensure that all information system components are known and thus are appropriately managed and patched from vulnerabilities. We stop the abnormal behavior at the end point sooner than being missed at the gateway controllers using Endpoint Detection and Response (EDR) software appliance. In addition, to minimize the use of administrative accounts across the network, we have deployed privileged account security software that sets up isolated space for administrators to perform privileged actions.
From an end user perspective, technology solutions are rapidly advancing. To mitigate the risk of the user accidentally clicking on a malicious link, there is the browser isolation concept, which is a remote browser from a managed virtual instance, thereby isolating the browsing function from the rest of the endpoint and agency network. From the reverse aspect, there are deception technologies to establish decoys, fake networks, and honeypots to lure the bad guys into a controlled section and monitor their behavior.
Web application attacks are more common and differ from DDOS volumetric attacks because they are not aimed at choking critical services with excess traffic. Instead, they target weaknesses in the servers and compromise online services. We have deployed Web Application and Database Firewalls (WAF / DBF) as an insurance policy to proactively detect common attacks such as SQL injection and Cross Site Scripting, which are often the result of sloppy coding practices. Our standard practice is to scan or analyze all software code through static code analyzers and remediate security defects prior to deploying code on production servers.
Cybersecurity and privacy have been in the news on several fronts this past year, and our objective is to proactively identify cyber-attacks or intrusions. My mantra to stay ahead of the cyber-attacks is to act like we are breached. Continuous monitoring is the new firewall. With the DHS partnership, our SOC is elevated to use threat intelligence, advanced analytics, and automation. Our systems engineers are educated to purposely segment the network using different domain controller accounts for routine network maintenance, thereby limiting the intruder traversing the network with compromised credentials. Users are often the weakest link, and besides raising awareness through continuous education, we are implementing Advanced Threat Analytics (ATA) as an on-premise Windows defender to protect links in email messages and on the Internet. With limited SOC resources, we cannot fix everything, and the best risk management approach is to automate with current technology such as enhanced DLP with User Entity-Based behavior. Last, but not least, my cybersecurity team is our greatest asset—we influence, develop, retain, and expand the cybersecurity skill set by investing in staff training and certifications in rapidly evolving technologies.