Cyber hygiene needs to evolve, state cybersecurity officials say
Cybersecurity hygiene, the maintenance required to protect the health and security of users, devices, networks and data, needs to significantly evolve to compete with the increasing sophistication of cyber threats, security experts said at the Billington State and Local Cybersecurity Summit in Washington, D.C. on Wednesday.
“A system cannot be considered secure if it is not reliable, and it cannot be considered reliable if it is not secure,” said Colin Ahern, chief cyber officer for the state of New York, one of four such positions in the country.
“There were large, sophisticated nation states, who sought to gain strategic access to certain systems [with] low sophistication, intent-based attacks, and then there were cyber criminals. And they were after one thing, money,” he said of cybercriminals security experts used to fret over.
But today, nation-state actors are using hacking techniques to further more destructive goals, such as pre-positioning spy tactics against critical infrastructure.
“So the idea that the same threat posture, the same set of activities, you could undertake as an organization 10 years ago, when maybe these systems were bought, they were installed, the contracts were written, is obviously not a sustainable reality,” he said.
Bad cyber hygiene
“Cyber hygiene practices have to evolve with the threat cyber threat landscape and the regulatory requirements,” Wisconsin Chief Information Security Officer Troy Stairwalt told the conference.
Bad cybersecurity hygiene can have devastating consequences in the public sector. Last year, the Municipal Water Authority in Aliquippa, Pennsylvania, suffered a cyberattack on one of its water utility stations when an Iranian-backed hacking group disabled the monitor used to regulate water pressure. Plant managers continued operating the system manually, so service was not disrupted, nor was the quality of the drinking water impacted.
The Department of Homeland Security sent investigators to Aliquippa on Nov. 26, the day after the attack, and discovered a glaring oversight: The water authority was still using the software’s default ‘1111’ password at the time of the cyberattack.
“Bad cyber hygiene is taking something and not changing the configurations, like the administrative passwords, right from the start. Someone can do reconnaissance and find out that this is the making model and the defaults are still there,” said Stairwalt. “The fact that we’re still dealing with SQL injection, 20 years later, and one input validation could correct it. That’s poor cyber hygiene.”
The Cybersecurity and Infrastructure Security Agency considers the use of strong passwords, regular software updates and multi-factor authentication to be basic cyber hygiene.
Stairwalt said Wisconsin practices “fast attack, fast response” when it comes to cybersecurity preparedness, an essential part of good cyber hygiene.
“We’re constantly evaluating the cyber threat intelligence to see what the trends are in the industry and then evaluate our controls to determine how they’re going to be resilient or resistance to it,” Stairwalt said. “How do we limit the negative impact to our systems so that our organizations and entities can absorb the blow and maintain the operations and provide those services?”
Shared responsibility
Stairwalt said many state and local governments in the U.S. don’t use a shared-responsibility model for cloud management and he criticized the practice of blindly relying on cybersecurity and IT professionals without understanding the basic services they provide or how to implement them.
A better understanding of cybersecurity is one reason many state technology officials advocate for a whole-of-state approach to cybersecurity, a model in which all public sector entities throughout a state consolidate their resources and strengthen their defenses against ransomware, denial-of-service attacks and other cybersecurity threats.
“Cyber officers play a critical role in providing what I consider ‘translation services,’” Stairwalt said. “But we have to increase everybody’s cyber awareness and help everybody understand what their roles are from a cyber response and intelligent perspective.”
