Cybersecurity continues to be a persistent problem for government agencies, including those operating in the public safety and justice sectors. These entities must be constantly vigilant in their efforts to prevent breaches, a task made incredibly difficult given the ingenuity of cyberattackers, the fact that the number of attacks continues to increase at a dizzying pace, and the reality that attack vectors evolve seemingly by the hour. Nevertheless, while fighting the battle isn’t easy, it is essential.
This is the time of year when most of us resolve to make positive changes. In that spirit, the rest of this blog is devoted to cybersecurity resolutions that every government, public safety and justice agency should embrace for 2021.
- Enhance passcode complexity—This is low-hanging fruit for every agency. It doesn’t cost anything, and it doesn’t require much in the way of information technology (IT) acumen. Simple passcodes are easy to guess, and passcode-cracking tools are becoming increasingly sophisticated, so the more complex your passcodes are, the better. Passcodes should be at least 12 characters in length and should contain at least one of each of the following: an upper-case letter, a lower-case letter, a number and a special character; the more numbers and special characters, the better. Regarding numbers, avoid strings that align with easily guessed milestones or special events, e.g., birthdays and anniversaries.
Also give thought to where in the passcode the numbers and special characters appear. Typically, when people are asked to add complexity to their passcodes, they put all of the complexity at the end of the string. Once a passcode-cracking tool has recovered the word portion—which takes only seconds when the passcode is a single word—it takes little additional time or effort to work out the numbers and special characters tacked onto the end. The much better approach is to insert them throughout the passcode.
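The rules above can be turned into a policy check that an agency runs before accepting a new passcode. The following Python is an added example written for this post, not a tool from MCP or from the original article; the 12-character minimum, the four character classes, the year-like digit check (as a stand-in for birthdays and anniversaries) and the "complexity clustered at one end" test are all taken from the paragraphs above, and the sample passcodes are constructed for illustration. It goes slightly beyond the text by also flagging complexity that is clustered at the start of the string, since the same reasoning applies there.

```python
import re
import string

MIN_LENGTH = 12  # minimum length recommended in the post


def character_classes(passcode):
    """Report which of the four recommended character classes are present."""
    return {
        "upper": any(c.isupper() for c in passcode),
        "lower": any(c.islower() for c in passcode),
        "digit": any(c.isdigit() for c in passcode),
        "special": any(c in string.punctuation for c in passcode),
    }


def contains_year_like_run(passcode):
    """Flag four-digit runs that read as a 20th/21st-century year, the kind of
    birthday or anniversary fragment the post says to avoid."""
    return re.search(r"(?:19|20)\d{2}", passcode) is not None


def complexity_is_spread_out(passcode):
    """True when digits and special characters are interleaved with letters
    rather than forming one contiguous run at the start or end of the string."""
    non_letters = [i for i, c in enumerate(passcode) if not c.isalpha()]
    if not non_letters:
        return False
    contiguous = non_letters == list(range(non_letters[0], non_letters[-1] + 1))
    at_edge = non_letters[0] == 0 or non_letters[-1] == len(passcode) - 1
    return not (contiguous and at_edge)


def evaluate_passcode(passcode):
    """Return a list of policy problems; an empty list means the passcode passes."""
    problems = []
    if len(passcode) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = character_classes(passcode)
    for name, present in classes.items():
        if not present:
            problems.append(f"missing {name}")
    if classes["digit"] and contains_year_like_run(passcode):
        problems.append("contains a year-like digit run")
    if (classes["digit"] or classes["special"]) and not complexity_is_spread_out(passcode):
        problems.append("digits/specials clustered at one end")
    return problems


if __name__ == "__main__":
    # Constructed sample passcodes, not real credentials.
    for candidate in ["Horsebattery12!", "Ho7rse!bAtte9ry", "Summer2021!!", "short1!"]:
        print(candidate, "->", evaluate_passcode(candidate) or "OK")
```

The interleaving test is the part most policy checkers omit: "Horsebattery12!" satisfies every character-class rule yet is rejected because all of its complexity sits in a suffix, exactly the pattern the post warns against.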
- Implement multifactor authentication—While passcode complexity is important, no matter how complex a passcode is, sooner or later a cyberattacker using a passcode-cracking tool will break it. Consequently, implementing multifactor authentication is an excellent idea. Ideally, this would involve retinal and/or fingerprint scans, but those can be complicated and costly to implement. For that reason, many organizations opt for challenge questions—i.e., what was the make and model of your first car, what was the name of your first pet, in what hospital were you born? This is an inexpensive, easy to implement, and very effective approach to multifactor authentication.
- Conduct network and system assessments on a regular basis—Myriad ways exist for cyberattackers to infiltrate networks and systems. In the case of the recent SolarWinds Orion breach, the cyberattackers were very clever in that they designed the malware to look like Orion software files carrying a signed certificate. When users deployed what they thought was a legitimate software update, the malware was distributed. The traffic looked exactly like Orion traffic, so there were no red flags; consequently, the breach was easy to overlook, which is why it spread so widely. But most cyberattacks are far less sophisticated—for example, cyberattacks often occur because a staff member opened a link or attachment contained in a phishing email, or a vendor left a port open after conducting routine maintenance. MCP’s NetInform Secure service, which leverages our Model for Advancing Public Safety™ (MAPS®) framework, would identify network and system vulnerabilities and determine whether breaches have occurred. MAPS is a proprietary assessment methodology that combines the collective body of knowledge gained from MCP’s 100-plus specialized public safety subject matter experts with a variety of mature, broadly accepted public safety and information technology (IT) standards, formalized accreditation programs, and industry best practices.
- Review guideline compliance—It is always a good idea to compare the agency’s cybersecurity posture with any state-level guidelines that have been issued, as well as the National Institute of Standards and Technology (NIST) Cybersecurity Framework.
- Conduct user training—It is vitally important that network and system users are well-trained on the agency’s cybersecurity policies and procedures, because users represent the first line of defense regarding cybersecurity.
- Monitor the dark web—Areas exist on the internet that are masked from the general public; these areas are known as the “dark web.” Denizens of the dark web generally are bad actors engaged in all sorts of nefarious activities, usually with profit as the motive. Sometimes files that contain personally identifiable information (PII) end up on the dark web. Most often PII is thought of in terms of social security numbers, mailing and email addresses, and phone numbers—a cyberattacker who buys this information on the dark web could launch a series of identity theft campaigns.
But lately, the scope of PII has expanded to include Internet Protocol (IP) addresses, login credentials and passcodes. This is bad news for government, public safety and justice agencies because this sort of information can be used to infiltrate their networks and systems. Consider the aforementioned example of a system port that has inadvertently been left open and is then discovered by a cyberattacker. Once inside, the cyberattacker can navigate laterally—often undetected—in search of vulnerabilities that can be exploited. Eventually the cyberattacker discovers a database containing PII that was not adequately protected—and now has something that could be sold to the highest bidder on the dark web.
A dark web-monitoring service will search continuously for any sensitive information tied to the agency and then provide an alert when something is discovered, which enables the agency to take mitigation actions—when it comes to cybersecurity, what you don’t know really can hurt you.
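The core of such a monitoring service is a matcher: every exposure record the service collects is compared against the identifiers that belong to the agency, and a hit becomes an alert ranked by how dangerous the exposed data is. The Python below is an added illustration of that matching step and is not MCP's service or code from this post. The agency domain, the IP range (a reserved documentation range), the feed record format and the severity ranking are all assumptions constructed for the example; note that an exposed passcode is never echoed into the alert, so the alert itself does not become a second place the secret lives.

```python
import ipaddress

# Constructed agency identifiers (hypothetical domain and a reserved test range).
AGENCY = {
    "domains": {"example-psap.gov"},
    "networks": [ipaddress.ip_network("203.0.113.0/24")],
}

# Constructed exposure records in a hypothetical feed format.
SAMPLE_RECORDS = [
    {"source": "paste-dump-0142", "type": "credential", "value": "jdoe@example-psap.gov:Winter2020!"},
    {"source": "forum-listing-77", "type": "ip", "value": "203.0.113.45"},
    {"source": "combo-list-9", "type": "credential", "value": "someone@othercity.org:hunter2"},
    {"source": "forum-listing-78", "type": "email", "value": "dispatch@example-psap.gov"},
    {"source": "scan-offer-3", "type": "ip", "value": "198.51.100.7"},
]

# Exposed credentials are the most urgent; a listed IP address next; a bare email last.
SEVERITY = {"credential": "high", "ip": "medium", "email": "low"}
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}


def matches_agency(record):
    """True when the record's value belongs to one of the agency's identifiers."""
    kind, value = record["type"], record["value"]
    if kind in ("credential", "email"):
        account = value.split(":", 1)[0]          # drop any trailing passcode
        domain = account.rsplit("@", 1)[-1].lower()
        return domain in AGENCY["domains"]
    if kind == "ip":
        try:
            addr = ipaddress.ip_address(value)
        except ValueError:
            return False
        return any(addr in net for net in AGENCY["networks"])
    return False


def redact(record):
    """Keep the account name for triage but never carry the passcode into the alert."""
    if record["type"] == "credential":
        account, _, _secret = record["value"].partition(":")
        return account + ":<redacted>"
    return record["value"]


def scan(records):
    """Return alerts for records tied to the agency, most severe first."""
    alerts = [
        {
            "severity": SEVERITY.get(r["type"], "low"),
            "type": r["type"],
            "source": r["source"],
            "indicator": redact(r),
        }
        for r in records
        if matches_agency(r)
    ]
    alerts.sort(key=lambda a: SEVERITY_ORDER[a["severity"]])
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_RECORDS):
        print(f"[{alert['severity']}] {alert['type']} from {alert['source']}: {alert['indicator']}")
```

A real service would feed these alerts into a ticketing or SIEM workflow; the mitigation step the post mentions starts with the high-severity credential hits (force a reset) and works down the list.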
- Simulate phishing attacks—The first step involves creating a fake phishing email that looks very real. The next step is to send the email to everyone in the organization. A report is then generated that indicates who opened the email and whether they clicked on anything within it. A corollary aspect of the simulation is creation of a fake website that looks exactly like the website of the entity that purportedly sent the phishing email. This enables the agency to discover who might have submitted sensitive information; for example, the phishing email might have instructed the recipient to go to the sender’s website to reset login information, i.e., usernames and passcodes.
If this actually occurred, it could pose a grave cybersecurity threat to the agency, because many people use the same usernames and passcodes across multiple applications, in both their professional and private lives. Because multiple types of phishing attacks exist, multiple simulations could be created. Regardless of the path chosen, a phishing simulation would alert the agency regarding which personnel require remedial training on its cybersecurity policies and procedures, and identify the type(s) of attacks to which they are most susceptible—information that would better inform the training regimen.
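The reporting half of a simulation is where the training value comes from: the tracker records, per person and per campaign, how far each recipient went (delivered, opened, clicked, submitted), and the report rolls that up into who needs remedial training and which lure style worked best. The Python below is an added example of that roll-up, not MCP's tooling or code from the post. The event log format, the two campaign names and the three users are constructed for illustration; the "reported" event (a user forwarding the email to IT) is an assumption added so the report can also credit good behaviour.

```python
from collections import defaultdict

# Constructed tracker events (hypothetical format: timestamp, then key=value fields).
SAMPLE_EVENTS = [
    "2021-01-11T09:02:14Z campaign=password-reset user=asmith event=delivered",
    "2021-01-11T09:05:41Z campaign=password-reset user=asmith event=opened",
    "2021-01-11T09:06:03Z campaign=password-reset user=asmith event=clicked",
    "2021-01-11T09:06:30Z campaign=password-reset user=asmith event=submitted",
    "2021-01-11T09:02:15Z campaign=password-reset user=bjones event=delivered",
    "2021-01-11T09:10:00Z campaign=password-reset user=bjones event=opened",
    "2021-01-11T09:02:16Z campaign=password-reset user=clee event=delivered",
    "2021-01-12T13:00:00Z campaign=vendor-invoice user=asmith event=delivered",
    "2021-01-12T13:01:00Z campaign=vendor-invoice user=asmith event=opened",
    "2021-01-12T13:00:01Z campaign=vendor-invoice user=bjones event=delivered",
    "2021-01-12T13:04:00Z campaign=vendor-invoice user=bjones event=opened",
    "2021-01-12T13:04:20Z campaign=vendor-invoice user=bjones event=clicked",
    "2021-01-12T13:00:02Z campaign=vendor-invoice user=clee event=delivered",
    "2021-01-12T13:20:00Z campaign=vendor-invoice user=clee event=reported",
]

# How far a recipient got; higher is worse. "reported" is tracked separately.
STAGE_RANK = {"delivered": 0, "opened": 1, "clicked": 2, "submitted": 3}


def parse_event(line):
    """Split one tracker line into a dict of its fields."""
    timestamp, *fields = line.split()
    event = dict(field.split("=", 1) for field in fields)
    event["ts"] = timestamp
    return event


def build_report(lines, remedial_threshold="clicked"):
    """Roll events up into per-user training needs and per-campaign statistics."""
    furthest = {}          # (campaign, user) -> furthest stage reached
    reported = set()       # (campaign, user) pairs who reported the email
    for event in map(parse_event, lines):
        key = (event["campaign"], event["user"])
        if event["event"] == "reported":
            reported.add(key)
            continue
        current = furthest.get(key, "delivered")
        if STAGE_RANK[event["event"]] >= STAGE_RANK[current]:
            furthest[key] = event["event"]

    needs_training = defaultdict(list)
    per_campaign = defaultdict(
        lambda: {"delivered": 0, "clicked_or_worse": 0, "submitted": 0, "reported": 0}
    )
    for (campaign, user), stage in furthest.items():
        stats = per_campaign[campaign]
        stats["delivered"] += 1
        if STAGE_RANK[stage] >= STAGE_RANK["clicked"]:
            stats["clicked_or_worse"] += 1
        if stage == "submitted":
            stats["submitted"] += 1
        if STAGE_RANK[stage] >= STAGE_RANK[remedial_threshold]:
            needs_training[user].append(campaign)   # which lure type they fell for
    for campaign, _user in reported:
        per_campaign[campaign]["reported"] += 1
    for stats in per_campaign.values():
        stats["click_rate"] = (
            round(stats["clicked_or_worse"] / stats["delivered"], 2) if stats["delivered"] else 0.0
        )
    return {"needs_training": dict(needs_training), "per_campaign": dict(per_campaign)}


if __name__ == "__main__":
    report = build_report(SAMPLE_EVENTS)
    for user, campaigns in report["needs_training"].items():
        print(f"{user}: remedial training on {', '.join(campaigns)}")
    for campaign, stats in report["per_campaign"].items():
        print(campaign, stats)
```

The `remedial_threshold` argument lets the agency decide whether opening a link or only submitting credentials triggers retraining; the per-campaign `click_rate` and `reported` counts show which lure style the staff is most susceptible to and whether reporting behaviour is improving between rounds.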
Many cybersecurity threats exist in the public safety and justice communities, but the risks can be reduced significantly by taking the actions described in this blog. Better still, reach out to us—MCP has numerous subject-matter experts who would value the opportunity to help you enhance your cybersecurity posture.
Mike Beagles is MCP’s platform and service product manager and a certified Cisco CyberOps associate. He has more than 13 years of IT and cybersecurity experience. Mike can be emailed at MikeBeagles@MissionCriticalPartners.com.