Recent large-scale attacks on enterprise and infrastructure security have led the federal government and private businesses to rethink the way they manage security.
Last month’s ransomware attack on the Colonial Pipeline shut down the main part of its network for five days, affecting fuel supplies across the United States.
Additionally, an attack on SolarWinds infrastructure last year compromised a number of federal agencies and businesses.
Dale Gardner, senior director and analyst at analysis firm Gartner, said lax security around infrastructure code is in large part to blame. Infrastructure code tends not to be locked down very tightly because that makes it much easier for developers to go in and make alterations, but on the flipside, it also makes it easier for attackers to gain access.
The International Association of IT Asset Managers (IAITAM) pointed to weak IT asset management within organizations as the cause of these attacks.
“This country is way behind where it needs to be in ensuring that every single device and piece of software associated with these infrastructure projects is accounted for, secure, and up to date. Old infrastructure is already under attack today because of a lack of rigorous IT Asset Management, and the prospect of the federal government adding billions of dollars to infrastructure without proper management will only add to the problem and open up more security loopholes. The government ratings on asset management are already low compared to private firms and we see that in GAO reports every year,” said Dr. Barbara Rembiesa, the president and CEO of IAITAM.
The distributed workforce brought on by the pandemic has increased the attack surface, since not all employees are operating behind a company’s firewall and monitoring access is much more difficult. Attackers need only find one person running a laptop in an insecure fashion to use as their point of entry.
Instead of leaving a wide attack surface for hacks, organizations need to make sure that they have an incident response plan that includes the stakeholders within the company with decision-making authority, according to Robert Cattanach, a partner at the international law firm Dorsey & Whitney.
Organizations also need to review their key contracts and see what obligations they have to their business partners and customers to ensure that the proper security measures were instituted, and to constantly communicate with industry groups and regulators to make sure that the organization doesn’t fall into commonly exploited patterns, Cattanach added.
Gartner has seen a growing trend toward adopting a cybersecurity mesh, a modern security approach that deploys controls where they are most needed, and identity-first security, which puts identity at the center of security design by taking a zero-trust approach.
President Biden’s administration responded to the increased attacks by enacting a cybersecurity executive order, in which the federal government will partner with the private sector to create a more secure cyberspace amid a continuously changing threat environment. It calls for updated recommendations on contracts, the removal of contractual barriers and increased sharing of information about threats.
In addition, the government aims to release a standard playbook for responding to cyber incidents by federal departments and agencies and to create a cybersecurity committee.
Gardner said that this executive order could propel the security industry through its far-reaching provisions and the fact that the mandates will be incorporated into the Federal Acquisition Regulation (FAR), which will force agencies to remove software that doesn’t meet the new requirements from a wide range of contracting and acquisition vehicles.
“Much will depend on the final form of the proposed regulations, but the prospect of the US federal government using its considerable ‘power of the purse’ to force improved software security practices will ripple through corporate and consumer markets,” Gardner said. “It looks very promising.”