Cyberthreats are constantly evolving. New attackers, new vulnerabilities, and new security risks arise every day. Threat actors have rapidly increased their sophistication, adopting techniques that make them harder to spot and that threaten even the savviest targets. Criminal groups are also targeting businesses that have moved their infrastructure to the cloud, where they can hide among legitimate services. Attackers have developed new ways to scour the internet for systems vulnerable to ransomware.
Federal officials examined best practices to improve their security measures and enhance their overall cyber ‘hygiene’ on GovExec’s Cyber Hygiene webinar.
Gerald J. Caron III, CIO and assistant inspector general of IT at the U.S. Department of Health and Human Services (HHS), said this all comes down to an organization’s cyber ‘hygiene.’
An agency’s cyber ‘hygiene’ is its overall cybersecurity program and the way that program is implemented. Basic cyber hygiene means ensuring that your systems’ capabilities are locked down.
Still, agencies must go beyond that, said Victor Troyan, assistant division chief for Cybersecurity Operations at the Office of Information Security, U.S. Census Bureau. By using penetration testing teams, agencies can test which settings are effective in meeting their security needs. This creates a more proactive and functional security relationship.
“We have an intel team that’s constantly looking to find out what new exploits are out there. Our team can quickly go and identify what exploit is being used against us,” Troyan said at the webinar.
Additionally, when considering their cyber ‘hygiene’ programs, many agencies focus on compliance needs. Caron explained that over the years, government agencies had measured their security based on compliance. But compliance alone isn’t an effective mode of protection.
“We’ve got to push to a more effective method. And I think methods like zero-trust are the way to go because we’ve seen that to be compliant and change a password does not equal effectiveness,” said Caron.
But a critical aspect of cyber ‘hygiene’ is education. According to Troyan, terms and solutions can be suggested as appropriate security methods, but more education is needed. Zero trust, for example, is a term that is tossed around and redefined to meet the needs of individual agencies, because conditions and needs change from one agency to the next.
“Therefore, each agency must do their homework and see where and if these solutions fit in their framework before implementing any solutions,” Troyan said.