New Year’s Resolutions Federal Employees and Their Agencies Can Actually Keep


Don't worry: Losing weight isn't one of them.

This time of year everyone is probably thinking about their upcoming New Year’s resolutions. Or they might be tactfully forgetting the ones that they made last year, which have probably long since been broken. We all tend to make these impossible promises to ourselves as the year draws to a close. We are going to spend less money on stuff we don’t need, lose weight, take more time to enjoy life, eat healthier, get more organized, go back to school, help people, be nicer to our families or change the world.

We make those promises with the best of intentions. I suppose if they last for a couple weeks or months before going down in flames, then at least we attempted some better behaviors for a little while. I can’t really do anything to encourage you to keep your gym memberships up, but I may be able to help with some technical resolutions that can, and probably should, be followed all year long. And I am not just talking about individual feds. Some of these resolutions can be implemented agencywide. 

While not all of them are quick fixes, once implemented they should be easy enough to maintain. Mix a few of these in with your anti-chocolate New Year promises and you can at least make sure that a few resolutions survive until 2021.

1. I promise to add multi-factor authentication to my networks and devices.

For individuals, turning on multi-factor authentication is relatively easy on most modern devices. If you own a current Windows laptop, for example, it comes with Windows Hello, which lets the webcam recognize enrolled users and only logs someone in after it has verified who they are. Lots of those same devices have fingerprint scanners, which can serve as a second check. One caveat: face and fingerprint are both the same kind of factor, something you are, so stacking them does not by itself add a factor category. The real gain comes from pairing a biometric with something you have (the laptop itself, since Hello ties its credential to that machine) and something you know, which is where the aging password or PIN still earns its keep. Passwords are problematic, sure. You would not want a password to be the only gatekeeper these days. But as one factor behind stronger ones, it will do just fine.

For agencies, two-factor authentication has been the norm for a while now. But don’t forget that this resolution calls for multi-factor authentication, which formally means two or more factors; the point here is going beyond two. For the most part, agencies have achieved two-factor authentication by requiring users to log in with something they have, a PIV smart card or similar token (the badge), plus something they know, a PIN or password. That works at the login prompt, but highly skilled attackers, especially those well-funded by nation-states, can sometimes find ways around that level of security. For example, rather than trying to beat the login, they can phish an active, already authenticated user: trick that user into taking an action inside their session, or steal the session cookie or token the login produced, and never touch the second factor at all. It’s no wonder that some agencies are thinking about moving past two-factor authentication.

Unfortunately for agencies, simply stacking up more front-end authentication methods probably won’t work. For one, it can bog down users just trying to log in and do their jobs. For another, it might not even be effective. In the phishing example above, the attack lands after the user is already in, so it wouldn’t matter how many hoops they had to jump through at the login prompt.

For agencies, the answer might be continuous authentication, a process whereby user behavior keeps being checked while they work. It’s invisible to users, so it won’t get in the way, but it keeps watching the session after login. This can be as simple as geofencing, ensuring that users are reaching assets from a specific office or at least from within the United States (with the caveat that a source address is easy to route through a VPN, so geofencing should be one signal rather than the only one). Or it can be behavior-based. If a user who logs in to check email every day and not much else suddenly starts downloading critical files or querying a restricted database, there is a good chance that the account has been hijacked, and the session can be challenged with a fresh second-factor prompt or cut off outright.

This pairs well with zero-trust networking, in which no request is trusted just because of where it comes from on the network: every access is authenticated and authorized, and users are granted only the least privilege needed to do their jobs. In any case, adding more protections is a fine resolution that is both achievable and sustainable.
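To make the continuous-authentication idea concrete, here is an added example (not code from the column or from any agency product) of a small scorer that learns what a user normally touches and then watches a session after login. Everything in it is hypothetical: the event fields, the geofence of approved offices and countries, the list of restricted stores, the download-burst threshold, and the sample sessions, which are constructed for the demonstration.

```python
"""Toy continuous-authentication scorer run over constructed access events.

Added example, not code from the original column.  All names and thresholds
are hypothetical.  The idea is the one the column describes: learn what a
user normally touches, then watch the session after login and react when it
drifts, without bothering the user while things look normal.
"""
from collections import Counter, defaultdict

ALLOWED_COUNTRIES = {"US"}           # coarse geofence: at least inside the US
KNOWN_OFFICES = {"HQ", "REGION-3"}   # finer geofence: approved sites
RESTRICTED = {"personnel-db", "case-files"}
DOWNLOAD_BURST = 3                   # downloads in one session before we react


def ev(resource, action="read", country="US", office="HQ", user="alice"):
    """Build one constructed access event (a plain dict)."""
    return {"user": user, "country": country, "office": office,
            "resource": resource, "action": action}


def build_baseline(history):
    """Map each user to the resources they normally use.

    A resource counts as normal only if it appears more than once, so one
    stray access in the history does not teach the model that it is routine.
    """
    seen = defaultdict(Counter)
    for e in history:
        seen[e["user"]][e["resource"]] += 1
    return {u: {r for r, n in c.items() if n > 1} for u, c in seen.items()}


def score_session(user, events, baseline):
    """Return the sorted list of flags raised by one user's post-login events.

    geofence        - outside the approved country or offices
    new_resource    - something this user never touches
    restricted      - a named sensitive store
    download_burst  - DOWNLOAD_BURST or more downloads in the session
    """
    flags = set()
    normal = baseline.get(user, set())
    downloads = 0
    for e in events:
        if e["country"] not in ALLOWED_COUNTRIES or e["office"] not in KNOWN_OFFICES:
            flags.add("geofence")
        if e["resource"] not in normal:
            flags.add("new_resource")
        if e["resource"] in RESTRICTED:
            flags.add("restricted")
        if e["action"] == "download":
            downloads += 1
            if downloads >= DOWNLOAD_BURST:
                flags.add("download_burst")
    return sorted(flags)


def decide(flags):
    """Turn flags into an action the session layer can take silently:
    allow, step-up (re-prompt the second factor) or terminate."""
    if not flags:
        return "allow"
    if "restricted" in flags or "geofence" in flags:
        return "terminate"
    return "step-up"


# Constructed history: alice reads mail and her calendar, plus one stray wiki hit.
HISTORY = [ev("mail")] * 20 + [ev("calendar")] * 3 + [ev("wiki")]

# Constructed sessions: one that looks like alice, one that looks hijacked,
# and one that comes from outside the geofence.
NORMAL_SESSION = [ev("mail"), ev("calendar"), ev("mail", "send")]
HIJACKED_SESSION = [ev("mail")] + [ev("case-files", "download")] * 3
OFFSITE_SESSION = [ev("mail", country="RO", office="UNKNOWN")]

if __name__ == "__main__":
    base = build_baseline(HISTORY)
    for name, sess in [("normal", NORMAL_SESSION), ("hijacked", HIJACKED_SESSION),
                       ("offsite", OFFSITE_SESSION)]:
        flags = score_session("alice", sess, base)
        print(f"{name}: {flags} -> {decide(flags)}")
```

Two design points matter more than the thresholds. First, the response to a mild anomaly is a step-up prompt rather than a lockout, which is what keeps the control invisible to users who are just doing their jobs and stops a noisy baseline from bogging them down. Second, the geofence is one signal among several, because a source address alone is cheap to spoof through a VPN; the behavior signals are what catch the phished-but-authenticated session the column describes.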

2. I resolve to practice better email hygiene.

While at first this resolution might seem tailored just to users, in truth, many agency employees could probably use a little help achieving this one. By now almost everyone knows that Nigerian princes are not going to deposit gold bullion in their bank accounts. But phishers have moved on from those scattergun types of attacks to crafting more targeted, intelligent strikes that can sometimes snare even advanced users in their net.

For users, the biggest thing they can do is to exercise caution when browsing their email or other communications platforms like direct messaging. The key is to take a beat and study the mail before zipping off a reply, and especially before taking an action like clicking on a link or providing a password. Ask yourself why the CIO of your agency is emailing you from a Gmail account, or why your system administrator needs to make an urgent plea for your password (a real administrator never needs it). Most phishing scams, even very good ones, don’t hold up to scrutiny, which is exactly why so many of them come with time-sensitive requests: the urgency is there to stop you from looking closely.

On the agency side, users must be seen as their first line of defense against those kinds of attacks. It’s important to have cybersecurity programs monitoring for suspicious activity, but if users reject attacks, then most hackers won’t even get a shot, at least when phishing. The key to helping foster a good human firewall is effective email training. 
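The checks the previous two paragraphs describe can also run at the mail gateway, where the monitoring the agency side needs lives. The following is an added example, not code from the column or from any vendor’s product: it parses a raw message with Python’s standard email module and raises the same indicators a careful user would notice. The agency domain, the executive directory, the free-mail list, the phrase patterns and both sample messages are hypothetical and constructed for the demonstration.

```python
"""Toy phishing triage over constructed e-mail messages.

Added example, not code from the original column.  It automates the checks
the column tells a reader to do by hand: an executive's name on a free-mail
address, a Reply-To that sends answers somewhere else, and a rushed request
for a password.  Every domain, name and pattern here is hypothetical.
"""
import email
import re
from email.utils import parseaddr

AGENCY_DOMAINS = {"agency.example.gov"}
FREEMAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
EXECUTIVES = {"jane doe", "robert roe"}  # hypothetical directory of names worth borrowing
URGENCY = re.compile(
    r"\b(urgent|immediately|right away|asap|within (the )?(next )?\d+ (minutes|hours))\b", re.I)
CREDENTIAL_ASK = re.compile(
    r"\b(password|passcode|one[- ]time code|verification code|pin)\b", re.I)


def _domain(addr):
    """Lower-cased domain part of an address, or '' if it has none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def triage(raw):
    """Return the sorted list of phishing indicators found in a raw message."""
    msg = email.message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = _domain(addr)
    flags = set()

    # Why is the CIO e-mailing from a free-mail account?
    if any(exec_name in name.lower() for exec_name in EXECUTIVES) and from_dom not in AGENCY_DOMAINS:
        flags.add("exec_impersonation")
    if from_dom in FREEMAIL_DOMAINS:
        flags.add("freemail_sender")

    # Replies silently routed to a different domain than the one displayed.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and _domain(reply) != from_dom:
        flags.add("replyto_mismatch")

    # Time pressure plus a request for a secret: the combination that is
    # meant to stop the reader from taking a beat and studying the mail.
    text = msg.get("Subject", "") + "\n" + "\n".join(
        part.get_payload(decode=True).decode("utf-8", "replace")
        for part in msg.walk() if part.get_content_type() == "text/plain")
    if URGENCY.search(text):
        flags.add("urgency")
    if CREDENTIAL_ASK.search(text):
        flags.add("credential_request")
    return sorted(flags)


def verdict(flags):
    """Gateway action: deliver, warn (banner the mail) or quarantine."""
    if len(flags) >= 3:
        return "quarantine"
    return "warn" if flags else "deliver"


# Constructed messages, not real mail.
PHISH = """\
From: Jane Doe <jane.doe.cio@gmail.com>
Reply-To: helpdesk@agency-support-portal.example.net
To: sam@agency.example.gov
Subject: Account verification

Sam, reply with your network password immediately so IT can finish the
migration before the audit. This must be done within the next 30 minutes.
"""

LEGIT = """\
From: Jane Doe <jane.doe@agency.example.gov>
To: sam@agency.example.gov
Subject: Town hall slides

Sam, the slides from Tuesday are on the shared drive. No action needed.
"""

if __name__ == "__main__":
    for label, raw in [("phish", PHISH), ("legit", LEGIT)]:
        f = triage(raw)
        print(f"{label}: {f} -> {verdict(f)}")
```

The point of scoring several weak indicators instead of blocking on any one is that each alone is common in legitimate mail (executives do occasionally write from personal accounts; real deadlines exist), while the combination of a borrowed name, an off-domain reply path and an urgent ask for a secret is rarely innocent. A gateway that warns on one or two and quarantines on three or more gives the human firewall a banner to read rather than a blanket block to work around.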

Traditionally, that kind of training has been pretty heavy-handed and inefficient. But it, like phishing attacks, is also evolving. I’ve reviewed quite a few really good enterprise-level email hygiene training programs over the past year. They are not only unobtrusive these days, but use automation to ensure continuous improvement, and many are even self-auditing. You will actually see your users becoming more effective frontline fighters in the war against phishing.

3. I promise to practice protected powering. 

This last one is mostly for the users, although I could see it being a boon for agencies. One of my predictions for next year is the rise of a specific kind of attack known as “juice jacking.” Right now this attack has been demonstrated as possible, but no cases of it have been found out there in the real world. But it’s a problem waiting to happen.

If you look around almost anywhere, you will find public USB charging stations. They are in airports, hotel lobbies, coffee shops, buses, shopping malls and plenty of other places. And they are really useful. If you are down to a 10% charge, ducking into a coffee shop to fuel yourself and your device can be a real lifesaver. 

However, USB charging cables carry data lines as well as power. The hack comes if someone has compromised a public port by hiding a small computer behind it that acts as the USB host: when you plug in, it can try to pull data off the phone or push spyware or malware onto it. Again, this has not happened yet, but it's possible, and probably tempting given how many of these chargers are popping up everywhere.

The other danger runs the opposite direction: someone with an infected phone might plug it into an agency workstation to get a charge, and the phone, presenting itself as a storage device or even a keyboard, could infect that machine and from there the network. Agencies can blunt this with device-control policies that allow only approved USB device classes on their endpoints. I have seen that happen at a private company before. 

Apple and Android phone makers have taken steps to stop this kind of attack: by default the port charges only, and the phone asks before it will exchange data with whatever it is plugged into (the “Trust This Computer?” prompt on iOS, the USB-mode selection on Android). That could be helpful, but I could see malware figuring out how to override it, or even some clever social engineering ploy to get users to approve the transfer. 

Instead, everyone should consider investing in a USB condom, sold more politely as a USB data blocker. Yes, it sounds kind of silly, but these little devices, most of which sell for about $10, are pretty ingenious. You plug your device into the blocker and then into the public or agency asset you want to charge from. The blocker simply leaves out the data conductors (the D+ and D- wires), passing only power and ground, so no data path exists to be attacked. One practical note: with the data lines severed the phone cannot negotiate faster charging over them, so many blockers tie the data pins together on the phone side to make the phone treat the port as a dedicated charger and draw full current; check the product description if charging speed matters to you. And just like that, you get safe charging with no risk of data leakage or being impregnated by malware.

And with that amusing image, I am going to wrap up my column for another year. I hope you all enjoyed my sometimes unusual insights about government technology, and I look forward to many more good times in 2020. 

Happy New Year everyone!

John Breeden II is an award-winning journalist and reviewer with over 20 years of experience covering technology. He is the CEO of the Tech Writers Bureau, a group that creates technological thought leadership content for organizations of all sizes. Twitter: @LabGuys
