Last week, the Administration released an Executive Order (EO) on “Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure.”
The order contains important elements that address two of the most common attack vectors: lost, stolen or weak credentials, and software vulnerabilities.
Within the EO, Federal Agencies will be immediately required to use the NIST Framework for Improving Critical Infrastructure Cybersecurity. The Framework provides guidance to agencies and organizations for reducing cybersecurity risks. The guidance touches many areas of IT and operations, including emphasis on stronger identity and access management (IAM) and authentication, which helps address attacks targeted at compromised credentials.
Here are a few reasons why IAM should be a focus for agencies (and businesses):
- The 2017 Verizon Data Breach Investigations Report found that 80 percent of hacking-related breaches leveraged stolen and/or weak or guessable passwords. That makes IAM, an area where CA has deep roots and expertise, a critical focus for any cybersecurity initiative.
- One specific area of IAM involves privileged access. Analysts have estimated that 80 percent of security breaches involve privileged credentials. Once privileged access is compromised, an organization's most sensitive data is at risk. We have seen the damage this kind of infiltration and privilege escalation can do in the OPM, Sony and Target breaches, where outsiders appeared as insiders because they held compromised credentials.
- Today, identity is not just who you are, it is also what you do. We need smarter tools to keep pace with bad actors and mitigate risk. Behavioral analytics, machine learning and automation make security smarter. CA is committed to adding those capabilities across its entire Security portfolio and has already integrated them into several of its IAM products, including CA Threat Analytics, which brings behavior assessment and machine learning to CA Privileged Access Manager customers.
- CA has also recommended that NIST include a new subcategory in version 1.1 of the Framework on the use of authentication, including both multi-factor and risk-based authentication where appropriate. Stronger authentication bolsters any IAM program by further verifying that a user is who he or she claims to be.
Building in security from the start
The EO also cites a second common attack vector, software vulnerabilities, as being among the highest cybersecurity risks faced by executive departments and agencies. Whether they are known vulnerabilities that simply go unpatched, as in the recent ransomware attack, or weaknesses exploited by zero-day attacks, the software at the heart of our critical infrastructure is a favorite target.
The best way to combat this is a fundamental change in how software is developed. Historically, security has often been an afterthought for developers, who are primarily focused on delivering features and functionality, and it was bolted on after the application was deployed. Web application security is a perfect example: applications were put into production first, and security controls and access control were added only afterward.
Security shifts left
Security needs to be built into the development process and baked into every aspect of application architecture, design, development and deployment.
With an estimated 90 percent of security incidents resulting from exploits against defects in software, addressing this issue could have a significant impact on cybersecurity and on our critical infrastructure. CA has entered the application security market with its recent acquisition of Veracode, a leader in securing the world's software.
The only way to minimize attacks on application vulnerabilities is to fully integrate application security into the software development lifecycle. Modern paradigms such as DevSecOps shift security left, bringing it into the development process sooner, so that defects are found and fixed before code reaches production.
The executive order is a solid step towards improving cybersecurity for both the federal government and critical infrastructure. CA looks forward to working with both government and private sector entities in adopting the best practices outlined in the Framework, and in addressing known and unknown vulnerabilities in code.