Expert Q&A: Using good hygiene for cybersecurity

Paul Christman, vice president for public sector at Dell Software, discusses the need for good cybersecurity hygiene.

Presented by Dell Software

Cybersecurity. Think of it like brushing twice a day or visiting the gym a few times each week. Good cybersecurity hygiene matters, and goes a long way towards protecting a government agency’s health — especially when it comes to safeguarding critical information and data.

“It’s like saying we could all do better by wearing our seat belts. We can reduce data breaches by doing our part,” said Paul Christman, vice president for public sector at Dell Software.

In many ways the government is a cybersecurity leader for the public and private sectors, thanks in part to a federal framework that provides specific cybersecurity recommendations applicable to all levels of government as well as private sector businesses.

But for government to continue to be a leader, agencies must constantly evaluate their security practices. When it comes right down to it, internal breaches are some of the biggest threats an agency will face, Christman said. Having critical pieces of security — like two-factor authentication, endpoint encryption, identity and access management, and security training for the end user — will go a long way towards protecting government and citizen data.

In an interview, Christman explains what government can do when it comes to good hygiene for cybersecurity.

What are the steps agencies need to take to implement a good foundation for security?

There are three things an agency can do without reinventing their entire identity and credentialing system.

We talk about two-factor authentication. Passwords are horrendous when it comes to creating a secure environment. The litany of things that could go wrong with a password is enormous. I talk to people who are integrating with Personal Identification Verification [PIV] cards, and they’re jumping up and down. It’s two-password authentication that’s real and actionable. For organizations that aren’t using PIV cards or where security isn’t as tight, there are soft solutions for mobile devices. You can enter in a code from a mobile device. It’s the easiest option to do, and you can do it in the public and private sector.

Issue number two is endpoint encryption. Just do it. It’s part of endpoint management to be able to understand what’s going on with your devices. And, the third is privileged user access. People like systems administrators should be tracked. They have the keys to the kingdom.

What about protecting internal vs. external threats? Identity and access management (IAM) is integrated within the federal government’s NIST Cybersecurity Framework. How important is IAM in this framework?

There’s no way to achieve cybersecurity without understanding identity because everything is driven off of who you are. Very few organizations, at least public sector-wise, run an unregulated pipe where the end user is anonymous. Identity is sort of a foundation for all security. Once you look at it that way, all the identity management has to be right and tight. It has to be instances of knowing your users, granting them proper privileges, tracking those privileges, and allowing for those privileges to change over time as the person’s role changes. These are basic functions to identity and access management. It’s more a question of if you don’t do it, then it’s creating an enormous security risk.

You’ve talked about the hardware, software, and security related services. But what about the people working inside the organization?

A majority of breach incidents are caused by internal errors according to a recent Verizon Data Breach Survey… I can sympathize with the people who lose their laptop or phone, but I think of breaches as an insider problem too. Encryption is a very easy solution. It doesn’t make any sense for someone not to use it. It’s negligence on the part of IT not to enforce a policy of endpoint protection with encryption. I’ve been hearing the excuses for why it’s not done. But, they’re simply not true any more. Encryption is a very important security measure.

How does this play into the growth of the Internet of Things? Government is using the Internet of Things, but what sort of risk does it put them at?

I think this is a little bit of hysteria right now. I don’t think the issue really is in the device. What hackers really want is access through it. So this idea that you have to protect the device that’s the “thing” of the Internet of Things is, I think, a bit of a fallacy. What you have to do is a better job of protecting and controlling the information that transits the network that may be generated by or consumed by the Internet of Things. We have to focus on network protection, and if we look at it that way, then it becomes more about monitoring internet traffic. We just have to monitor with better firewalls and network monitoring. You don’t have to protect every device. You have to protect the point in your network that the device is accessing.

Let’s talk about continuous diagnostics and mitigation (CDM). How much interest are you seeing in this from a federal standpoint?

There’s large interest in CDM as a technique for becoming more secure. Large interest in going into what is called active defense rather than passive defense: things like antivirus, firewalls. It’s all good, but you need to control cybersecurity with active defense. This is continuous inspection of network and user behavior. You’re looking at activity on the network rather than controlling access to the network. CDM is continuous and near-real time. So as assets move around in the network, you can determine if it’s a security risk or if it’s just normal behavior. Now, the funding issue is still a big part of the challenge. Quite a few end-user agencies don’t really understand CDM as a funding and procurement vehicle.

What else do agencies not understand when it comes to network security?

We talk about the need for user training too. End-user awareness, end-user management, and training will solve most of the problems. We did a survey of federal employees, and it was the highest rated item that leaders thought could improve cybersecurity. It was right up there with risk management. It’s cybersecurity literacy training. It’s the human element that really is what we all need to address. There are a lot of people with internet access, and they can download whatever they want. We really need to train people and sign them up for a social contract. By reassessing our responsibilities as a data owner, we become more secure and smarter in our work. People really are part of the solution, especially with federal employees that look at sensitive data daily.

About Dell Software

Paul Christman is the vice president for public sector at Dell Software.

Dell Software helps government agencies unlock greater potential through the power of technology — delivering scalable, affordable and simple-to-use solutions that simplify IT and mitigate risk. Dell Software solutions for security, information management and systems management enhance your on-premises, remote, cloud-based, and mobile infrastructure and endpoints. This software, when combined with Dell hardware and services, drives unmatched efficiency and productivity to accelerate results. www.dellsoftware.com.

This content is made possible by Dell Software; it is not written by and does not necessarily reflect the views of Nextgov's editorial staff.