The clocks are ticking down and the masks have been gathered for Nov. 5, a day now unavoidably associated with the hacker group Anonymous and their momentary but memorable acts of civil disobedience.
Anonymous and its members are linked to multiple attacks on that date since the international network of hackers and activists was established in the early 2000s. The group’s targets have ranged from various industries, to religious denominations and government organizations. And as such, CIOs and security officers are on watch.
Jerry Irvine, CIO and IT and security expert at Prescient Solutions and a member of the National Cyber Security Task Force, has been focused on the attacks for years. He says they are part of a trend toward more sophisticated attacks.
“The distributed nature of cyberattacks today is really different than it’s been,” Irvine said. “They’re no longer being performed by individuals, or ‘script kiddies,’ but rather by organizations, city states and political groups like Anonymous.”
Just like Anonymous, Irvine is taking advantage of the day, but in an opposing direction to call attention to a few tips that agencies can use to protect their data and digital networks.
1. Nov. 5 Translates to a Double Check
For those brushing up on their cyberhistory, Nov. 5 commemorates Britain’s Gunpowder Plot of 1605, a.k.a. Guy Fawkes Day, when a band of revolutionaries nearly blew up the Houses of Parliament. Hackers now use the date as a vehicle for political mischievousness, and Irvine says this means it’s time for agencies to double check their information security measures.
Irvine recommends a review of current security measures, allocating some time to make sure the latest software updates are in place and functioning properly. But he cautions against knee-jerk reactions or hasty security add-ons.
“Cybersecurity must be baked into the platform, infrastructure and application environments at the time of concept and implemented throughout the entire development and implementation life cycle,” Irvine said.
He advises agencies to conduct detailed, periodic cybersecurity system tests throughout the year that are performed both by in-house and independent third-party specialists.
2. Collaboration Is Key
Cybersecurity is a moving target. There are no one-time fixes, one-time security plans or one-time software purchases that will permanently keep data safe and IT infrastructure protected. In today’s digital world, most people understand this. What many overlook, Irvine said, is the need to invest not just in software and hardware protection but in the cybersecurity community.
“Organizations should be involved within their community and industry’s cybersecurity collaboration organizations to be kept updated on current threats,” Irvine said.
As examples, Irvine listed to Infragard, the FBI’s support organization for businesses, and the nonprofit Multi-State Information Sharing and Analysis Center, which is dedicated to government collaboration against cyber threats.
He also suggested developing a familiarity with tips and tools provided on the DHS site us-cert.gov, or the United States Computer Emergency Readiness Team, and nist.gov, the National Institute of Standards and Technology, operated by the US Department of Commerce.
3. Identify and Limit Access
Security access isn’t just about deciding which user gets to see what, Irvine said. It’s also about how data is accessible to specific devices such as outside computers and mobile devices.
“End point devices (the electronic devices where data is finally delivered) should be limited in what they’re able to take away from sensitive data and information systems,” Irvine said.
The push to make many types of government data more accessible complicates access control, Irvine said, because it can require organizations to open their security firewalls. That can create vulnerabilities if agencies don't change their security approach.
“It’s like cutting holes in the fence,” Irvine said. “What has to happen is a completely different mindset of security, a move from perimeter-based solutions to data-centric solutions.”
Data-centric solutions focuses on protecting specific data types instead of safeguarding the entry points to where data is located, he said. Examples of data-centric protection techniques include virtual data environments and representations of data information versus complete access.
4. Classify Data
This technique is like teaching a new dog an old trick. For years, larger government entities have classified data and limited access based on need. But now Irvine says it’s smart and in some cases absolutely critical for smaller governments to begin the practice.
“To do this, smaller government entities need to classify access and degrees of sensitivity for each set of information and data,” Irvine said. “And it’s not just financial data but intellectual property too.”
Personal contact information and anything that personally identifies employees must be included in this list, he added.
5. Pick up the Pieces
In some cases, it may be too late to prevent an attack. If this happens, Irvine says it’s all about damage control and analysis. If an attack is detected, IT security teams must do whatever it takes to halt the breach and attempt to do as much forensic analysis as possible. This might mean isolating a system or even a full shutdown.
“As much forensic information as possible should be retained to enable systems professionals to define the source of the breach and potential opportunities to mitigate these from happening in the future,” Irvine said.
6. Create a Security Budget
As a final note, Irvine said it’s important to remember that information security rarely comes cheap. The growing need for greater security, Irvine said, requires funding as much as it does technical knowhow so organizations don’t find themselves beneath the cybersecurity poverty line.
“The bottom line is it isn’t a specific industry or a specific type of organization or size of organization that is at risk,” Irvine said, “It’s everybody.”