With ever-increasing information security and privacy risks, we must make our systems and processes more robust. Several federal agencies and well-established institutions have legacy systems built on an architecture that was deemed vigorous 40 years ago but stands no chance when exposed to the modern security threats and real-time interactions of today. Our mission-essential functions run in a legacy mainframe environment, and protecting the high-value assets and customer data in it from increasing cyber threats is costly and extremely resource heavy. This concern is compounded by our aging workforce and the scant number of individuals with these legacy skills in the job market today. Cybersecurity is not a one-time activity, but rather a continuous effort requiring vigilance at all times. We can close 1,000 windows, but the bad guys will get in through the one window we missed. To improve their security posture, federal agencies continue to make progress towards a compliant information security program.
Federal agencies are mandated to manage risk in critical infrastructure, whether it is in asset management, identity management, remote access, or network protection. We have made it a top priority to strengthen Identity, Credential, and Access Management (ICAM), better manage user permissions, prevent data loss, secure remote access, and address insider threats.
Asset Management – Agencies must mitigate the risk of unauthorized hardware and software in their environment. An automated hardware and software inventory is essential to properly account for all assets, including their purpose for being on the network and who owns them. Our participation in the Department of Homeland Security (DHS) Continuous Diagnostics and Mitigation (CDM) program ensures that we address these cybersecurity risks. We have also started the incremental and iterative process of transforming our legacy mainframe software systems. By adopting central management of hard drive encryption through Microsoft BitLocker Administration and Monitoring (MBAM), we are ensuring that all agency laptops and mobile devices have the necessary data encryption by default.
Identity Management – We ensure that all federal and contractor staff establish their identity using the PIV card. We have also built a partnership with Login.gov for identity proofing and identity management solutions for all our external customers from the railroad community. Currently we are transitioning our external self-service digital solutions to use identity proofing and Multi-Factor Authentication (MFA) via Login.gov. This is planned for all public-centric services implemented on our external website and customer portal. Just like online banking services, these self-service solutions are built using secure communications with strong MFA and identity management. With the recent data breach at a major credit bureau, and assuming that personal financial information and credit histories may have been compromised, we are working with Login.gov to use alternate proofing solutions.
Remote Access – Having deployed managed services for hardware encryption along with upgraded network firewalls, the agency has strengthened the information security controls for VPN remote access. We enforce MFA, and all users log in using the PIV card. At any time during an average work day, about 85-90 percent of our users, in our Chicago headquarters or at remote work-at-home locations, are logged in this way. Our target is to achieve 98-100 percent. Beyond the compliance factor, our agency is better protected using MFA. With the support of our senior leadership, we continue to take significant steps to further enhance the security of our remote access solution. We have also made new mandatory “always on” VPN profiles for all remote connections. From the outside, when an agency employee connects to the Internet using an agency-issued workstation, such as a laptop or mobile device, the VPN connection is established automatically, thereby greatly enhancing the security of both the workstation and the agency network. As an added layer of security, this standard VPN profile also requires the use of the employee’s government-issued PIV card to connect to the VPN.
Network Protection – As part of the Information Security Continuous Monitoring (ISCM) strategy, we perform routine activities such as scanning our internal network for published Indicators of Compromise (IOCs); patching all known critical vulnerabilities; reducing the number of privileged system accounts; accelerating enforcement of multi-factor authentication using the PIV card; and performing an inventory of high-value assets. Our defense-in-depth configuration is based on the Intrusion Prevention System (IPS), Network Admission Control (NAC), and Security Information and Event Management (SIEM). We have deployed the essential Data Loss Prevention (DLP) solution to encrypt all external email messages that contain PII. Last year we expanded our DLP solution to scan for PII in the subject line of all emails. This enhancement has reduced the number of false-positive incidents to fewer than 7 per month. Without proper encryption controls, these emails would have resulted in significant privacy risks.
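As an added illustration of the subject-line scan described above (example code written for this page, not the agency's DLP product), the check below scans both the subject and the body of an outbound message for SSN-shaped values, discards values the SSA never issues as one way to cut false positives, and flags mail leaving the agency for encryption. The mail domain and the sample messages are constructed.

```python
import re
from dataclasses import dataclass

# Constructed stand-in for the agency's mail domain (not named on the page).
INTERNAL_DOMAIN = "agency.example"

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")

def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject number blocks the SSA never issues: area 000, 666 or 9xx,
    group 00, serial 0000. Cheap filter that removes many false positives."""
    if area in ("000", "666") or area.startswith("9"):
        return False
    return group != "00" and serial != "0000"

def find_pii(text: str) -> list:
    """Return the plausible SSNs found in a piece of text."""
    return [m.group(0) for m in SSN_RE.finditer(text)
            if is_plausible_ssn(*m.groups())]

@dataclass
class Message:
    sender: str
    recipients: list
    subject: str
    body: str

def dlp_decision(msg: Message) -> str:
    """'encrypt' if the mail leaves the agency and carries PII, else 'allow'.
    The subject line is scanned as well as the body."""
    leaves_agency = any(not r.lower().endswith("@" + INTERNAL_DOMAIN)
                        for r in msg.recipients)
    if not leaves_agency:
        return "allow"                 # internal mail stays inside the boundary
    hits = find_pii(msg.subject) + find_pii(msg.body)
    return "encrypt" if hits else "allow"

# Constructed sample messages: PII in the subject only, look-alike numbers
# that cannot be SSNs, and real PII that never leaves the agency.
SAMPLES = [
    Message("clerk@agency.example", ["claimant@mail.example"],
            "Re: claim for SSN 123-45-6789", "See attached."),
    Message("clerk@agency.example", ["vendor@mail.example"],
            "Order 666-12-3456", "Tracking ref 987-65-4321, ticket 123-00-4567."),
    Message("clerk@agency.example", ["analyst@agency.example"],
            "Internal review", "Claimant SSN 123-45-6789."),
]

def run_samples() -> list:
    return [dlp_decision(m) for m in SAMPLES]

if __name__ == "__main__":
    print(run_samples())
```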
Security Operations Center (SOC) - Our SOC is equipped with robust infrastructure to support real-time monitoring and Network Admission Control (NAC). Our authentication and authorization process is threefold: first, the device must have a trusted certificate; second, the user must have a trusted identity in the network; and third, Active Directory and NAC check for a trusted user-device combination. Leveraging the Certificate Authority (CA) server, we generate agency-tailored certificates for all of our devices. In general, all agency staff have federal PIV cards. In the limited scenarios where a PIV card is not available, such as a privileged login or a new employee, the agency issues smart cards with certificates from the CA server. Our goal is to improve cybersecurity performance by focusing on the data and information entering and exiting our network, knowing what components are on this network and when their status changes, and knowing who is logged on to our systems. We continue to manage the risk to the critical infrastructure and improve our response times to critical status alerts. Our SOC has large-screen dashboards with multiple feeds related to InfoSec monitoring, along with real-time notifications sent to the mobile devices of the Incident Handler staff.
Senior Leadership Support - With the establishment of the Senior Agency Official (SAO) for Risk Management, the agency’s leadership is actively involved in risk-based decisions. CISOs today are implementing risk scoring systems that assist decision-making and encourage involvement from the system owners through data transparency and information sharing. Our risk management aim is to prevent material impact from high risks, and to establish a potent threat prevention, detection, and eradication program. Building partnerships with DHS/CDM, we embrace cybersecurity intelligence collection and ubiquitous sharing.
Cybersecurity and privacy have been in the news on several fronts this past year, and our objective is to proactively identify cyber-attacks or intrusions. My mantra for staying ahead of cyber-attacks is to act as if we are already breached. Continuous monitoring is the new firewall. With the DHS partnership, our SOC is elevated to use threat intelligence, advanced analytics, and automation. Our systems engineers are trained to purposely segment the network, using different domain controller accounts for routine network maintenance, thereby limiting an intruder's ability to traverse the network with compromised credentials. Users are often the weakest link, and besides raising awareness through continuous education, we are implementing Advanced Threat Analytics (ATA) as an on-premises Windows defender to protect links in email messages and on the Internet. With limited SOC resources we cannot fix everything, and the best risk management approach is to automate with current technology such as enhanced DLP with user- and entity-based behavior analytics. Last, but not least, my cybersecurity team is our greatest asset: we influence, develop, retain, and expand the cybersecurity skill set by investing in staff training and certifications in rapidly evolving technologies.