The Cybersecurity and Infrastructure Security Agency is continuing to centralize federal network resiliency efforts with the release of its first capacity enhancement guides.
The seven CEGs released in November advise agencies on how to expand their abilities to counter phishing; guard against malvertising; authenticate users; remotely patch vulnerabilities; protect remote printing; and secure mobile devices.
Rather than mandate that agencies buy specific technologies — as they implement zero-trust security architectures, per the May cybersecurity executive order — the evolving documents encourage a culture shift in building the right cyber stack.
“Anytime that somebody is talking about cyber in this realm, at this level, it’s beneficial, and agencies are going to take notice,” Tony D’Angelo, vice president of public sector at Lookout, told FedScoop. “Depending on where you are as an agency, [the CEGs] will either be a checklist, an affirmation of where you are, or a pretty strong recipe for getting where you need to be.”
The CEGs offer “pretty comprehensive” guidance, and agencies looking for a place to start should consider the counter-phishing recommendations, D’Angelo added.
Phishing and ransomware pose the two biggest threats to agencies, with the former on the rise on mobile devices via text messages as a way to harvest federal credentials. CISA’s CEG on phishing recommends technical capabilities for hardening email systems, web browsing and mobile endpoints against such attacks.
“If you focus on that threat specifically, you’re going to pick solutions in your security stack that address a lot of the things we’ve been talking about — whether it’s a cloud-based [secure access service edge] solution or down to the endpoint,” D’Angelo said.
The inclusion of mobile device security checklists for organizations and consumers is refreshing because that aspect of cybersecurity went largely unaddressed prior to the rise of remote work during the pandemic, he added.
Bring-your-own-approved-device (BYOAD) initiatives are on the rise, both at civilian agencies and the Department of Defense. But whether an employee is using government-furnished equipment (GFE) or their personal mobile device, management is needed — in the form of a mobile device management (MDM) or mobile application manager (MAM) solution — as is mobile threat defense.
Between 65% and 75% of GFE and personal mobile devices on federal networks lack mobile threat defense, which can ride on top of either an unmanaged device or an MDM or MAM solution, D’Angelo said.
The CEGs do a good job of introducing such concepts, although the harder part is getting employee buy-in for BYOAD initiatives.
“That’s always one of the biggest challenges in a BYOAD scenario, is convincing that end user that you’re not spying on them — that you’re only there to protect the device,” D’Angelo said. “And that comes in a couple of different flavors whether it’s phishing; maybe app vulnerability; app scanning; the actual vulnerabilities of the [operating system] itself, whether it’s iOS or Android; and then things like network-based attacks; or free Wi-Fi in coffee shops, airports, things like that.”