CDE14 WHITE PAPER Laserfiche



A WHITE PAPER FROM

Sustainable Security

How public sector organizations can make strategic investments to safeguard against today’s advanced cyber threats

- Government cybersecurity investments are not keeping pace with targeted and sophisticated threats.

- Budgets and insufficient funding remain the leading barriers to battling cyber threats.

- Cybersecurity should be a top priority, but agencies need help identifying the most appropriate strategies and tools.

This white paper explains what agency officials should consider when scouting next-generation cybersecurity and information protection technologies, and why a focus on high-risk attack vectors, such as email systems and social media, is critical.

Cybersecurity Upgrades Lag Behind Modern Threats

While most government budgets are stabilizing and even increasing, cybersecurity capabilities in state and local agencies often lag behind what’s needed to thwart today’s threats. According to the National Association of State Budget Officers (NASBO), 86 percent of states enacted higher general fund spending levels in fiscal year 2015 compared to fiscal year 2014.[1] However, the National Association of State Chief Information Officers (NASCIO) reports almost half of chief information security officers (CISOs) say they’re seeing only incremental increases to cybersecurity budgets, and insufficient funding remains the leading barrier to battling cyber threats.[2] This is troubling as security threats become more targeted and difficult to defend against. In the NASCIO study, approximately 60 percent of CISOs say the sophistication of threats is increasing, up from approximately 50 percent in a previous survey.[3] No public sector organization understands this better than the U.S. Office of Personnel Management (OPM), which was recently under fire after hackers stole the personal data of more than 22 million federal employees, contractors, family members and job applicants.[4] The disclosures came shortly after an Inspector General’s audit in late 2014 warned of potential security breaches due to inadequate safeguards.[5] OPM Director Katherine Archuleta stepped down in the wake of the data breaches, saying she had been aware of shortcomings in legacy security systems but hadn’t been able to make the necessary updates in time.[6] The message is clear: Cybersecurity investments need to be a top priority for government leaders. Developing a strategy and choosing technologies and solutions that deliver the most value and provide the highest level of protection is the hard part.
This Center for Digital Government (CDG) white paper explains what agency officials should consider when scouting next-generation cybersecurity and information protection technologies, and why they should focus on high-risk attack vectors such as email systems and social media. It also explains how public sector CISOs and other senior leaders can develop a comprehensive security plan to reduce their attack surface. By using the latest in encryption, data discovery and modern archiving solutions, governments can keep sensitive and classified information secure.

Public Sector Security Breaches

- More than 50,000 public sector security incidents occurred in 2014, with more than 300 incidents of confirmed data losses
- 60% of public sector CISOs say the sophistication of threats is increasing
- Public sector security breaches significantly outpace other industries

Why Hackers Are Targeting the Public Sector

The story goes that when William Francis “Slick Willie” Sutton, Jr., was asked why he robbed banks, his response was, “because that’s where the money is.”[7] Similarly, cyber thieves and nation state attackers see public sector systems as high-value targets. These international black hats understand government agencies offer a rich trove of data they can exploit for financial or political gain. Not surprisingly, according to the Verizon 2015 Data Breach Investigations Report, the public sector is once again the industry most affected by cyber attacks, with more than 50,000 security incidents in 2014 and more than 300 cases of confirmed data losses.[8] These numbers far outpace those for information and financial services, the two industries with the next highest incidence numbers. But the volume of attacks is only part of the story. During the Great Recession and subsequent budgetary restraints, many governments couldn’t make sufficient investments in IT security policies and technologies to stay current — leaving them even more vulnerable. According to NASBO, state spending is projected to rise a modest 3.1 percent overall in 2015.[9] This relatively small uptick will likely leave state and local CIOs and CISOs still struggling to defend against threats. Because of this, advanced threats remain a top risk.

These sophisticated and often targeted attacks, typically launched by nation states or organized cybercriminals, regularly use spear-phishing techniques and infected email messages to deliver links and attachments that send victims to malicious websites or trick them into downloading dangerous files. These tactics are often successful. According to the Verizon report, in a phishing campaign of just 10 emails there is a 90 percent chance at least one person will fall prey to the attacker. Other risk vectors include sensitive and unencrypted data that’s captured as it’s being communicated over breached networks, stored in the cloud, or held in improperly accessible file shares and other repositories. Government security safeguards have to advance to keep pace with the ingenuity and resources of hackers. How can agencies make targeted investments in data security? The three strategies below can help agencies get the most value out of their security investment.

3 Strategies to Maximize Security Investments

1. DETECT AND BLOCK ADVANCED KNOWN THREATS. Although security managers rightfully focus on the specter of increasingly sophisticated hackers unveiling ingenious threats, the reality is many organizations are breached by incursions already known to the threat intelligence community. Agencies can increase security by adopting technologies that block known threats before they reach users, regardless of whether they are targeted via email, social media or other channels. In addition, despite all the hype around zero-day attacks and advanced malware, many hacking attempts start with credential phishing, which does not employ malware.[10]

2. MITIGATE UNKNOWN THREATS. Stopping known threats is important, but it is not the entire answer to security. Targeted threats — involving new or polymorphic malware that surfaces before antivirus tools can be updated to defend against it — require advanced detection technologies and processes to prevent agencies from getting infected or leaking sensitive information.

3. IMPLEMENT PRACTICAL THREAT RESPONSE PLANS. The amount of information security personnel receive regarding new security alerts, unusual traffic, suspicious emails and a host of other potential problems can be overwhelming. To avoid playing a risky game of security whack-a-mole, agencies need intelligent tools and orchestrated processes to effectively prioritize their actions. A practical response plan can employ centralized management to bring the entire security framework within a single management console. Centralizing essential information helps security officials quickly identify and prioritize alerts and anomalous activities, so they can act on the biggest threats before hackers gain a foothold. Dashboards can summarize top threats and the status of open incidents, and can automatically update the importance of existing threats as new information becomes available. Workflow tools within threat response platforms can assign new incidents to appropriate staff members and streamline their activities, including confirming compromises and taking action to quarantine or otherwise contain infected users and devices. Reporting tools provide further insight into malware threats, areas where infections may have been uncovered and the steps being taken to mitigate the problems.


Focus Security Efforts on Email for the Greatest Benefit

Security managers should identify specific areas within their operations that require close attention. At the top of the list is a threat vector that’s all too familiar to experienced security managers — namely, email systems and the ways in which government staff members use them. Email has long been the weakest and most popular link for hackers to exploit, and email-based breaches still occur at alarming rates despite ongoing employee training regarding safe email practices. Verizon’s 2013 Data Breach Investigations Report concluded email systems are the most vulnerable to targeted attacks, enabling both direct and indirect malware infections.[11] The report also noted more than 95 percent of state-sponsored espionage attacks relied on email-based phishing tactics. One way to proactively protect against email-based attacks is by filtering email messages before they arrive in user inboxes. Secure email gateways, or SEGs, do not rely on gateway antivirus solutions — they safeguard agencies by leveraging advanced threat detection techniques such as attachment and URL sandboxing, often augmented by correlation-based approaches that identify attackers based on the myriad tools they use. These protection systems are designed to do far more than spot spam and help prevent advanced attacks.

Advanced SEGs Close Today’s Biggest Security Gap

SEGs are not new; however, it’s important that agencies consider them as a sophisticated solution to thwart evolving threats. Security officials should evaluate options carefully to ensure they’re taking advantage of the latest innovations. The following list identifies some of the most important capabilities of SEGs.

One way to proactively protect against email-based attacks is with secure email gateways, which leverage advanced threat detection and correlation-based techniques.


7 Advantages of Advanced Security Investments

Combining advanced secure email gateways with related security solutions and best practices scores big benefits:

1. Faster response times to unfolding threats and direct attacks on the agency
2. More effective investment of limited cybersecurity funds
3. A framework for successfully allocating staff to address and remediate threats
4. Less time wasted responding to false security threats
5. Reduced impact from incursion attempts and data losses
6. Reduction in help desk inquiries resulting from high volumes of spam
7. Relief from legal risks caused by offensive materials in agency inboxes

Big data analytics and effective sandboxing. Advanced SEGs now employ big data analytics as a weapon against known and unknown threats. These analysis capabilities can help agencies quickly identify dangers, including highly targeted attacks and malicious URLs, by matching incoming emails against content previously identified as dangerous and rating the likely threat level. When a suspicious email is detected, leading SEGs can “sandbox” problem URLs and attachments, which means they’re automatically analyzed in a protected area and quarantined from end users. Security managers can then view forensics on the messages to assess the risk and characteristics of the software. Predictive and “time-of-click” sandboxing can quarantine problems before end users have a chance to download malware. Proactive or predictive capabilities lessen the chance of infections compared to traditional time-of-delivery tools, which work as the content enters the organization and therefore cannot block it, even if it is found to be malicious.

Phishing and spam filters. Advanced SEG solutions excel in addressing spam and phishing attacks. They do this by offering a wide variety of content filters that perform detailed inspections of the routing instructions, content and attachments associated with each email message. These filters can quickly detect whether a suspicious message is pornography, a malicious URL, credential phish or other problem. The detailed filters in advanced SEGs can help defend against the multiple types of threats agencies face each day. CIOs and CISOs should look for SEGs that allow for custom filters so agencies can address unique security and compliance policies.

Email data defense. Closely analyzing incoming messages isn’t the only requirement for keeping agencies safe. SEGs can monitor messages as they’re leaving the enterprise, ensuring sensitive information of any type does not leave the organization via email, either unintentionally or maliciously. Policies related to securing confidential data should be integrated with encryption capabilities to control the action dependent on content and email recipient.

Data encryption. Data encryption is another important differentiator for the best SEGs. Making information unreadable to anyone other than an authorized recipient, especially if the email contains sensitive information, reduces the consequences of data leaks and files being intercepted as they’re traveling over the network. SEGs that offer the ability to control encrypted emails through revocation of encryption keys further extend the control of the agency if sensitive data is accidentally sent to an incorrect recipient, for example.

Alignment with industry standards. SEG solutions should support industry standards, including DomainKeys Identified Mail (DKIM), Domain-based Message Authentication, Reporting and Conformance (DMARC), and Sender Policy Framework (SPF). Each of these standards helps agencies guard against spoofing, a hacking technique that makes URLs and content appear to come from legitimate sources.

Platform options. Finally, choosing advanced security systems isn’t only a matter of finding the best features for cyber safety. Agencies must have a variety of options to access desired features. Choices range from using traditional, on-premises appliances or virtual machines running on agency servers to cloud solutions or a hybrid approach that mixes these alternatives. Agencies should ensure their strategy and solution is flexible and can adapt to changing security needs. Relying on a mix of on-premises and cloud deployments can strengthen business continuity by reducing the chances that a disaster or security breach that impacts the physical operations leaves the agency defenseless.

Related Solutions Round Out Cyber Safety

Closely managing email systems is a cornerstone of a comprehensive security strategy. But agencies should also look to complementary safeguards that address risks outside the email flow, including next-generation firewalls (NGFs). Traditional firewalls inspect traffic associated with only a small portion of the entire network protocol stack. NGFs provide a more complete picture of all applications and data coming into the network from outside sources. In addition, NGFs can use security policies programmed by security managers to warn organizations about suspicious traffic. Agencies must also continue to bolster mobile and endpoint security systems with the same results they expect from SEGs: block the biggest threats — including malicious attachments, URLs and credential phishing — before they cause damage to agency assets. Effective data archiving will strengthen public sector security and compliance strategies. Some SEG vendors offer archiving solutions that make it easy to expand and update policies to address changes in internal requirements or regulations, leaving scarce IT security resources available to fight advanced threats. The best archiving options also provide flexible policy management tools, including utilities for automating policy enforcement and disposal activities. This ensures prevailing policies are applied to data as it’s being archived to reduce time-consuming manual tasks and human error. Also important is the ability to collect a full history of policy changes and audit trails that document actions taken by authorized officers. In addition, agencies will benefit from successfully leveraging world-class intelligence about the latest security threats and responses. For example, third-party data sources, including reputation data, malware samples and even attacker reconnaissance made available by security solution vendors, can be merged with an agency’s internal information. The breadth of this security intelligence can help identify threats seen on communications such as social media. This creates an accurate picture of the threat landscape, which helps officials determine where to deploy security resources.
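The “Alignment with industry standards” capability above names SPF, DKIM and DMARC without showing what a gateway actually does with them. The following is an added illustration, not code from this white paper or from any SEG product: it parses constructed SPF and DMARC TXT records for a hypothetical domain agency.example, then applies DMARC’s identifier-alignment rule to constructed authentication outcomes to decide whether a message passes or receives the domain’s quarantine policy. The DNS lookup and the SPF/DKIM verification themselves are assumed to have already happened upstream, and the organizational-domain shortcut (last two labels) is an assumption as well; real implementations use the Public Suffix List.

```python
"""Policy checks an inbound mail gateway performs under SPF, DKIM and DMARC.

Added example, not code from the white paper or any vendor. Every input is
constructed: hypothetical TXT records for agency.example and the SPF/DKIM
outcomes an upstream verifier would already have produced.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed DNS TXT records for the hypothetical domain agency.example.
SPF_RECORD = "v=spf1 ip4:203.0.113.0/24 include:_spf.mailhost.example -all"
DMARC_RECORD = ("v=DMARC1; p=quarantine; sp=reject; adkim=s; aspf=r; "
                "rua=mailto:dmarc@agency.example")


def parse_spf(record: str) -> dict:
    """Split an SPF record into mechanisms and grade its catch-all.
    '-all' fails unlisted senders, '~all' only softfails them, and '?all'
    (or no 'all' at all) lets unlisted senders through."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    mechanisms = terms[1:]
    catch_all = next((t for t in mechanisms
                      if t.lower().lstrip("+-~?") == "all"), None)
    qualifier = catch_all[0] if catch_all and catch_all[0] in "+-~?" else "+"
    return {
        "mechanisms": mechanisms,
        "catch_all": qualifier if catch_all else None,
        "enforcing": catch_all is not None and qualifier == "-",
    }


def parse_dmarc(record: str) -> dict:
    """Parse the tag=value pairs of a DMARC record, applying the RFC 7489
    defaults: relaxed alignment and subdomain policy equal to 'p'."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    return {
        "policy": tags["p"].lower(),
        "subdomain_policy": tags.get("sp", tags["p"]).lower(),
        "adkim": tags.get("adkim", "r").lower(),
        "aspf": tags.get("aspf", "r").lower(),
        "reports_to": tags.get("rua"),
    }


def org_domain(domain: str) -> str:
    """Assumed shortcut: organizational domain = last two labels.
    Production code should consult the Public Suffix List instead."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """DMARC identifier alignment: strict ('s') needs an exact match,
    relaxed ('r') accepts any domain sharing the organizational domain."""
    a, b = from_domain.lower(), auth_domain.lower()
    return a == b if mode == "s" else org_domain(a) == org_domain(b)


@dataclass
class AuthResults:
    from_domain: str                  # RFC5322.From domain the user sees
    spf_pass_domain: Optional[str]    # MAIL FROM domain SPF passed for, if any
    dkim_pass_domain: Optional[str]   # d= of a DKIM signature that verified, if any


def dmarc_disposition(results: AuthResults, dmarc: dict) -> str:
    """A message passes DMARC when SPF or DKIM passed AND that identifier
    aligns with the From domain; otherwise the published policy applies.
    Note the spoofing case: SPF can pass for the attacker's own envelope
    domain yet fail alignment, which is exactly what DMARC catches."""
    spf_ok = results.spf_pass_domain is not None and aligned(
        results.from_domain, results.spf_pass_domain, dmarc["aspf"])
    dkim_ok = results.dkim_pass_domain is not None and aligned(
        results.from_domain, results.dkim_pass_domain, dmarc["adkim"])
    if spf_ok or dkim_ok:
        return "pass"
    return dmarc["policy"]  # 'none', 'quarantine' or 'reject'


if __name__ == "__main__":
    policy = parse_dmarc(DMARC_RECORD)
    print("SPF:", parse_spf(SPF_RECORD))
    print("DMARC:", policy)
    # Constructed outcomes: a legitimate bounce subdomain, a look-alike
    # spoof with its own passing SPF, and a DKIM d= that fails strict alignment.
    for case in (AuthResults("agency.example", "bounce.agency.example", None),
                 AuthResults("agency.example", "attacker.example", None),
                 AuthResults("agency.example", None, "mail.agency.example")):
        print(case, "->", dmarc_disposition(case, policy))
```

The second constructed case is the one worth studying: SPF genuinely passes, because the attacker controls the envelope domain, yet the message is still quarantined because that domain does not align with the From domain the user sees. The third shows why adkim=s is a deliberate choice: a signature from a legitimate subdomain no longer counts, so strict mode should only be published once every sending system signs with the exact From domain.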


Secure Email Gateway Feature Checklist

Some important features of SEG technology include:

- Big data and analytics for sandboxing
- Advanced phishing and spam filters
- Monitoring of incoming and outgoing email
- The ability to control encrypted emails through revocation of encryption keys
- Alignment with industry standards
- A variety of platform options such as on-premises, cloud or hybrid

According to Gartner, many enterprises are looking closely at software-as-a-service (SaaS) SEG solutions. It reports that revenue from SaaS solutions accounts for a little less than 40 percent of the SEG market, while approximately 80 percent of its clients express an interest in migrating to SaaS or cloud-based delivery services.[12] Money alone won’t make agencies more secure or stop the leak of sensitive information. Decision-makers must combine the skills they’ve been honing to make smarter investments with the latest security technologies. When that happens, state and local agencies have an opportunity to shore up their vulnerabilities and become more secure than ever before.

Endnotes

1. www.nasbo.org/sites/default/files/Fall%202014%20Fiscal%20Survey%20of%20States%20Summary.pdf
2. www.nascio.org/publications/documents/Deloitte-NASCIOCybersecurityStudy_2014.pdf
3. Ibid.
4. www.washingtonpost.com/blogs/federal-eye/wp/2015/07/09/new-opm-data-breach-numbers-leave-federal-employeesanguished-outraged/
5. www.opm.gov/our-inspector-general/reports/2014/federal-information-security-management-act-audit-fy-2014-4a-ci-00-14-016.pdf
6. www.rt.com/usa/267673-house-hearing-opm-security-breaches/
7. William Francis Sutton, Jr., was a bank robber who stole approximately $2 million over the course of his 40-year career. Although the quote is frequently attributed to him, Sutton later said a reporter fabricated it.
8. www.verizonenterprise.com/DBIR/2015/
9. www.nasbo.org/sites/default/files/Fall%202014%20Fiscal%20Survey%20of%20States%20Summary.pdf
10. www.reuters.com/article/2015/04/14/usa-cybersecurity-idUSL2N0XB01K20150414
11. www.verizonenterprise.com/resources/reports/rp_data-breach-investigations-report-2013_en_xg.pdf
12. www.proofpoint.com/us/id/Gartner-MQ-Secure-Email-Gateways-32

The Center for Digital Government, a division of e.Republic, is a national research and advisory institute on information technology policies and best practices in state and local government. Through its diverse and dynamic programs and services, the Center provides public and private sector leaders with decision support, knowledge and opportunities to help them effectively incorporate new technologies in the 21st century. www.centerdigitalgov.com

Underwritten by:

Proofpoint Inc. (NASDAQ:PFPT), a next-generation cybersecurity company, enables organizations to protect the way their people work today from advanced threats and compliance risks. Proofpoint helps cybersecurity professionals protect their users from the advanced attacks that target them (via email, mobile apps, and social media), protect the critical information people create, and equip their teams with the right intelligence and tools to respond quickly when things go wrong. Leading organizations of all sizes, including over 50% of the Fortune 100, rely on Proofpoint solutions, which are built for today’s mobile and social enabled IT environment and leverage both the power of the cloud and a big data-driven analytics platform to combat modern advanced threats. More information is available at www.proofpoint.com.


© 2015 e.Republic. All rights reserved.