Yesterday I was fortunate enough to attend the CNP panel, "Preventing another USIS: Cyber Hygiene and Securing Government Data." The panel brought together security and policy experts from various government agencies as well as the private sector for a discussion around data protection at government agencies.

Panelists included Ann Barron-DiCamillo, Director of US-CERT; Ken Levine, President and CEO at Digital Guardian; Bob Stasio, Truman Project Fellow and formerly at NSA’s Cyber Center, U.S. Cyber Command, and U.S. Army’s Signals Intelligence Corps. The discussion was moderated by John Reed, Managing Editor at Just Security. After the panel there were also talks from Tony Sager, Chief Technologist at Council on Cybersecurity and Chris Cummiskey, Acting Undersecretary for Management at the Department of Homeland Security.

The whole event was a great experience, with lots of important takeaways that should be top of mind for those in information security and/or governments. I decided to share a few of my personal favorites from each panelist.

Ann Barron-DiCarmello preached that basic security hygiene would address 80-85% of known security vulnerabilities. She feels that we're currently not making it tough enough for our adversaries and that more monitoring needs to be done. Specifically, Ann spoke about the need for having the ability to detect anomalous activity MUCH earlier in the kill chain, along with the ability to quarantine systems upon the detection. These issues were talked about on multiple occasions throughout the panel. Ann also called attention to the fact that most compromises take place long before any damage is done. She advised that detecting attacks earlier in the kill chain improves chances of preventing or limiting any damage.

The last point from Ann's discussion that stood out to me was around encryption. Ann recommended encryption as a necessary data protection method, but drew attention to issues that can persist once a system is compromised. Malware's ability to control a system or impersonate an authorized user means that many encryption models are rendered useless once compromised. One solution for this issue is applying encryption alongside other data protection techniques (access control, egress control, etc) based on the context of the activity and the sensitivity of the data involved. By following this approach, organizations can ensure that sensitive data doesn't leave their environment, even if systems or users have been compromised.

Ken Levine agreed with Ann's hygiene statements, but also talked about how more emphasis needs to be placed on securing data through policy enforcement. It's not always easy, but effective policy enforcement requires the ability to apply controls from the endpoint - at the kernel layer to really be sure. He brought up the fact that a large government agency was using real-time security awareness at the endpoint, which provided a considerable reduction in risky behavior. Ken also talked about how "checking boxes" for compliance sake tends to provide a false sense of security.

Tony Sager talked about the SANS list of top 20 controls, emphasizing that they were developed as a security starting point. As a 35 year veteran of the NSA, Tony was on the team that originally drafted these controls and continues to own them through his involvement with the Counsel on Cyber Security, a non-profit organization. He said he uses the threat summaries of the annual Verizon DBIR report along with reports from other major security players to continually double-check and update these controls. As of today, they are as follows:

SANS Critical Security Controls - Version 5

1. Inventory of Authorized and Unauthorized Devices
2. Inventory of Authorized and Unauthorized Software
3. Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
4. Continuous Vulnerability Assessment and Remediation
5. Malware Defenses
6. Application Software Security
7. Wireless Access Control
8. Data Recovery Capability
9. Security Skills Assessment and Appropriate Training to Fill Gaps
10. Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
11. Limitation and Control of Network Ports, Protocols, and Services
12. Controlled Use of Administrative Privileges
13. Boundary Defense
14. Maintenance, Monitoring, and Analysis of Audit Logs
15. Controlled Access Based on the Need to Know
16. Account Monitoring and Control
17. Data Protection
18. Incident Response and Management
19. Secure Network Engineering
20. Penetration Tests and Red Team Exercises

There were some common threads from each panelist's points as well. Insider threat was discussed, with a consensus was that there was more damage caused by benign employee errors or malware impersonating legitimate users than actual malicious insider activity. Finally, there was a rallying call for actionable intelligence as a key component to more effective security efforts.

That covers my main takeaways, but for more from Thursday's panel, check out the video of the event: