By Abel Morales, security engineer and CISSP, Exabeam
While cybersecurity ahead of the 2020 Presidential election is top of mind in the United States, Q1 2020 alone has shed light on the fact that government security issues are of global concern, not just national. This year has already seen a steep rise in leaked government records across the world, according to a recent study. These breaches are a stark reminder that government organizations in every country need to focus significant resources on security best practices while simultaneously physically protecting their nations.
Government cybersecurity breaches are becoming the norm. There is a danger that society will become increasingly desensitized to government security failures. A snapshot of recently discovered international breaches reveals these risks are increasing.
As recently as April 23, news broke that the US Small Business Administration (SBA), an agency distributing emergency Covid-19 government loans, had suffered a data breach affecting up to 8,000 applicants. Last month, the Dutch government admitted it lost two external hard drives containing the personal data of nearly 7 million organ donors. Even though they were placed in a secure vault for storage several years ago, authorities recently discovered the hard drives were missing and have yet to be recovered.
And in February, it was reported that data breaches across various government agencies in Canada had exposed the personal information of around 144,000 citizens. The incident is attributed to an alleged human error. At around the same time in Israel, it was revealed that a security flaw in a mobile app exposed the personal data of every eligible voter – that’s nearly 6.5 million people. It was described by the developer who discovered it as being a flaw so simple that “to call it a hack is an insult to professional hackers.”
Examples like these not only highlight the chronic nature of the problem facing government agencies worldwide; they also show that the reasons behind them are diverse and require an increasingly sophisticated response. What is also clear is that in many cases governments are unable to implement a comprehensive defense-in-depth strategy that covers the many attack vectors adversaries leverage to steal data.
Implementing multiple layers of control that involve people, process, and technology should apply across all aspects of government security. Government agencies need an operational methodology that promotes continuous monitoring of current and new systems within the environment — for example, if the physical security department introduces IoT systems such as security cameras and sensors.
The cybersecurity teams for state and local governments need the ability to monitor the tactics, techniques, and procedures (TTPs) that adversaries use to exploit systems, in order to protect their data from external attackers and insider threats. Unfortunately, some state and local governments are using technology developed in the early 2000s to detect modern threats. Newer technology provides cybersecurity teams with a user- and entity-centered view that helps identify risky patterns of behavior that may lead to the exfiltration of sensitive data.
This newer technology is known as user and entity behavior analytics (UEBA). The approach models and identifies normal and anomalous behavior of users and machines within a network. UEBA solutions are intended to work in conjunction with rule- or signature-based approaches, such as security information and event management (SIEM), and they are very effective at processing large datasets in order to identify potential threats. UEBA solutions model behavior in order to create a baseline, which is then used to assess potential risk. This risk-based approach allows cybersecurity teams to focus on the highest-scoring threats, which comprise multiple anomalous activities across a single session rather than one isolated event.
Traditionally, analysts become desensitized to the alerts generated by SIEMs because of the large number of false positives produced. The goal of UEBA is to leverage behavioral modeling to identify the anomalous behavior. By using the two tools in conjunction, organizations become capable of defending against threats much more effectively.
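As an added illustration, and not Exabeam's product logic or code from this article, here is a minimal UEBA-style scorer in Python: it builds a per-user baseline (hosts, working hours, byte volume) from constructed sample events and then totals anomaly points across a session, so a single oddity stays below the alert threshold while several stacked anomalies surface. All user names, hosts, point values and the threshold are assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed baseline events: (user, hour_of_day, host, bytes_out). Hypothetical data.
BASELINE = [
    ("alice", 9, "fs01", 2_000), ("alice", 10, "fs01", 2_500), ("alice", 14, "fs02", 1_800),
    ("alice", 11, "fs01", 2_200), ("alice", 15, "fs02", 2_100), ("alice", 9, "fs01", 1_900),
    ("bob", 8, "db01", 500), ("bob", 9, "db01", 700), ("bob", 17, "db01", 600),
    ("bob", 13, "db02", 550), ("bob", 10, "db01", 650), ("bob", 16, "db02", 600),
]

def build_baseline(events):
    """Per-user profile: hosts seen, hours seen, and byte-volume mean/stddev."""
    hosts, hours, volumes = defaultdict(set), defaultdict(set), defaultdict(list)
    for user, hour, host, nbytes in events:
        hosts[user].add(host)
        hours[user].add(hour)
        volumes[user].append(nbytes)
    return {u: {"hosts": hosts[u], "hours": hours[u],
                "mean": mean(volumes[u]), "std": pstdev(volumes[u])} for u in hosts}

def score_session(profile, session):
    """Add points for every anomalous fact in a session; return (score, reasons)."""
    score, reasons = 0, []
    for user, hour, host, nbytes in session:
        p = profile.get(user)
        if p is None:  # identity never seen during the baseline period
            score += 30; reasons.append(f"{user}: no baseline (new identity)")
            continue
        if host not in p["hosts"]:  # first access to a host for this user
            score += 20; reasons.append(f"{user}: first access to {host}")
        if not any(abs(hour - h) <= 1 for h in p["hours"]):  # outside usual hours
            score += 15; reasons.append(f"{user}: unusual hour {hour:02d}:00")
        if nbytes > p["mean"] + 3 * p["std"]:  # volume far above the user's norm
            score += 25; reasons.append(f"{user}: volume {nbytes} far above baseline")
    return score, reasons

RISK_THRESHOLD = 40  # a session only surfaces once several anomalies stack up

def triage(profile, session):
    """Session-level verdict: the score, whether it crosses the threshold, and why."""
    score, reasons = score_session(profile, session)
    return {"score": score, "alert": score >= RISK_THRESHOLD, "reasons": reasons}
```

One new host on its own scores 20 and stays quiet; the same user hitting a new host at 03:00 and then pushing out thirty times their usual volume scores 95 and is surfaced with all three reasons listed.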
At a time when government agencies are under huge pressure dealing with the COVID-19 pandemic, the integrity of public sector services and cybersecurity is arguably even more important than usual. In the context of the current crisis, further security breaches are likely to erode public trust in systems that are in place to protect the population and provide invaluable support.