New Year’s Resolutions Federal Employees and Their Agencies Can Actually Keep

This time of year everyone is probably thinking about their upcoming New Year’s resolutions. Or they might be tactfully forgetting the ones that they made last year, which have probably long since been broken. We all tend to make these impossible promises to ourselves as the year draws to a close. We are going to spend less money on stuff we don’t need, lose weight, take more time to enjoy life, eat healthier, get more organized, go back to school, help people, be nicer to our families or change the world.

We make those promises with the best of intentions. I suppose if they last for a couple weeks or months before going down in flames, then at least we attempted some better behaviors for a little while. I can’t really do anything to encourage you to keep your gym memberships up, but I may be able to help with some technical resolutions that can, and probably should, be followed all year long. And I am not just talking about individual feds. Some of these resolutions can be implemented agencywide. 

While not all of them are quick fixes, once implemented they should be easy enough to maintain. Mix a few of these in with your anti-chocolate New Year promises and you can at least make sure that a few resolutions survive until 2021.

1. I promise to add multi-factor authentication to my networks and devices.

For individuals, adding multi-factor authentication is relatively easy for most devices. For example, if you own a modern Windows laptop, it comes with Windows Hello, which can be used as a biometric-based password. The webcam can be trained to recognize valid users, only letting someone log in after it verifies who they are. Lots of those same devices have fingerprint scanners, which can be a second verification method. And finally, the aging password can be used to add a third factor. Passwords are problematic, sure. You would not want a password to be the only gatekeeper these days. But as a third authentication factor behind two other stronger methods, it will do just fine.

For agencies, two-factor authentication has been the norm for a while now. But don’t forget that this resolution calls for multi-factor authentication, which in this case is more than two elements. For the most part, agencies have been achieving two-factor authentication by requiring users to log in using both a password and some type of token, like a badge ID. That can work, but highly skilled hackers these days, especially those well-funded by nation-states, can sometimes find ways around that level of security. For example, they can launch a phishing attack against an active and already authenticated user. It’s no wonder that some agencies are thinking about moving past two-factor authentication.

Unfortunately for agencies, simply stacking up more front-end authentication methods probably won’t work. For one, it can bog down users just trying to log in and do their jobs. For another, it might not even be effective. In the above example of a user getting compromised through a phishing attack, it wouldn’t matter how many hoops they had to jump through before getting hacked.

For agencies, the solution might be continuing authentication, which is a process whereby user behavior is profiled while they work. It’s invisible to users, so it won’t get in the way but keeps the network safe even after they have logged in. This can be as simple as geofencing, ensuring that users are accessing assets from a specific office or at least from within the United States. Or it can be behavior-based. If a user who logs in to check their email every day and not much else suddenly starts downloading critical files or accessing a restricted database, there is a good chance that their identity has been hijacked. 

This pairs well with zero-trust networking, whereby users are assigned the least privilege needed to do their jobs on a network. In any case, adding more protections is a fine resolution that is both achievable and sustainable.
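The two post-login checks described above (a geofence and a per-user behavior baseline) can be sketched as follows. This is an added example, not code from the column or from any product it mentions; the event fields, thresholds, user names and response policy are assumptions, and the sample data is constructed.

```python
from collections import Counter, defaultdict

ALLOWED_COUNTRIES = {"US"}  # geofence from the text; country lookup is assumed done upstream
MIN_HISTORY = 5             # assumption: events required before a baseline is trusted
RARE_SHARE = 0.05           # assumption: below 5% of past activity counts as unusual

def build_baseline(history):
    """Map each user to a Counter of resources touched in past sessions."""
    baseline = defaultdict(Counter)
    for ev in history:
        baseline[ev["user"]][ev["resource"]] += 1
    return baseline

def evaluate(event, baseline):
    """Return the reasons a post-login event deviates from policy or habit."""
    reasons = []
    if event["country"] not in ALLOWED_COUNTRIES:
        reasons.append("outside_geofence")
    seen = baseline.get(event["user"], Counter())
    total = sum(seen.values())
    if total < MIN_HISTORY:
        reasons.append("no_baseline")
    elif seen[event["resource"]] / total < RARE_SHARE:
        reasons.append("unusual_resource")
    return reasons

def decide(event, baseline):
    """Hypothetical response policy: allow, re-authenticate, or suspend."""
    reasons = evaluate(event, baseline)
    if not reasons:
        return "allow"
    if event.get("sensitive") and "unusual_resource" in reasons:
        return "suspend_session"
    return "step_up_auth"

# Constructed sample data: one user who only ever reads email.
HISTORY = [{"user": "jdoe", "resource": "email", "country": "US"}] * 20
BASELINE = build_baseline(HISTORY)

if __name__ == "__main__":
    events = [
        {"user": "jdoe", "resource": "email", "country": "US"},
        {"user": "jdoe", "resource": "restricted_db", "country": "US", "sensitive": True},
        {"user": "jdoe", "resource": "email", "country": "CA"},
    ]
    for ev in events:
        print(ev["resource"], ev["country"], decide(ev, BASELINE), evaluate(ev, BASELINE))
```

Only the deviating events interrupt the user, which is what keeps the check invisible during normal work.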

2. I resolve to practice better email hygiene.

While at first this resolution might seem tailored just to users, in truth, many agency employees could probably use a little help achieving this one. By now almost everyone knows that Nigerian princes are not going to deposit gold bullion in their bank accounts. But phishers have moved on from those scattergun types of attacks to crafting more targeted, intelligent strikes that can sometimes snare even advanced users in their net.

For users, the biggest thing they can do is to exercise caution when browsing their email or other communications platforms like direct messaging. The key is to take a beat and study the mail before zipping off a reply, and especially before taking an action like clicking on a link or providing a password. Ask yourself why the CIO of your agency is emailing you from a Gmail account, or why your system administrator needs to make an urgent plea to get your password. Most phishing scams, even very good ones, don’t hold up to scrutiny, which is why many of them come with time-sensitive requests.

On the agency side, users must be seen as the first line of defense against those kinds of attacks. It’s important to have cybersecurity programs monitoring for suspicious activity, but if users reject attacks, then most hackers won’t even get a shot, at least when phishing. The key to helping foster a good human firewall is effective email training.

Traditionally, that kind of training has been pretty heavy-handed and inefficient. But it, like phishing attacks, is also evolving. I’ve reviewed quite a few really good enterprise-level email hygiene training programs over the past year. They are not only unobtrusive these days, but use automation to ensure continuous improvement, and many are even self-auditing. You will actually see your users becoming more effective frontline fighters in the war against phishing.

3. I promise to practice protected powering. 

This last one is mostly for the users, although I could see it being a boon for agencies. One of my predictions for next year is the rise of a specific kind of attack known as “juice jacking.” Right now this attack has been demonstrated as possible, but no cases of it have been found out there in the real world. But it’s a problem waiting to happen.

If you look around almost anywhere, you will find public USB charging stations. They are in airports, hotel lobbies, coffee shops, buses, shopping malls and plenty of other places. And they are really useful. If you are down to a 10% charge, ducking into a coffee shop to fuel yourself and your device can be a real lifesaver. 

However, charging cords can carry power as well as data. The hack comes if someone has compromised a public port by adding some type of storage device to distribute spyware or malware. Again, this has not happened yet, but it's possible, and probably tempting given how many of these chargers are popping up everywhere.

The other danger is that someone with an infected phone might plug it into an agency asset to get a charge and accidentally infect the network. I have seen that happen at a private company before. 

Apple and Android phone makers have taken steps to stop this kind of attack by disabling the data transfer capabilities of the charger port by default. Instead, users will be asked if they want to transfer data before the sharing process begins. That could be helpful, but I could see malware figuring out how to override it, or even some clever social engineering ploy to get users to approve the transfer. 

Instead, everyone should consider investing in a USB condom. Yes, it sounds kind of silly, but these little devices (most sell for about $10) are pretty ingenious. You plug your device into the condom and then into the public or agency asset you want to charge from. The condom blocks off the data wires in the cable, while allowing the power wires to connect normally. And just like that, you get safe charging with no risk of data leakage or being impregnated by malware.

And with that amusing image, I am going to wrap up my column for another year. I hope you all enjoyed my sometimes unusual insights about government technology, and I look forward to many more good times in 2020. 

Happy New Year everyone!

John Breeden II is an award-winning journalist and reviewer with over 20 years of experience covering technology. He is the CEO of the Tech Writers Bureau, a group that creates technological thought leadership content for organizations of all sizes. Twitter: @LabGuys