Over the past few years, several critical cybersecurity frameworks have been introduced to help agency IT professionals detect and deter stealthy intruders. These include the Cyber Threat Framework (CTF), the Federal Risk and Authorization Management Program (FedRAMP), and the Continuous Diagnostics and Mitigation (CDM) Program. Let’s take a look at each of these and identify strategies you can employ to support and strengthen these frameworks.
CTF Strategies: Assessment and Intelligence
The CTF gives defenders a common vocabulary for describing adversary activity, so applying it means learning attackers' patterns and trends. Administrators should strive to gain as much information as possible about their own networks and about the known and unknown threats putting their systems and data at risk.
Begin by establishing a baseline inventory of the systems, devices, and applications on the network. That baseline defines "normal" network behavior and patterns, so deviations such as an unauthorized user or an unlisted device stand out and can be flagged.
Take time to understand the breadth and depth of the techniques malicious actors are using against unsuspecting users. Online security forums and websites are a good starting point.
FedRAMP Strategies: Patching and Education
FedRAMP is as vital today as when it was introduced nearly a decade ago. It provides guidance on many controls, but one of the most important is frequent patching: cloud service providers must patch their systems on a routine basis and report those actions to keep their FedRAMP authorizations.
Beyond patching, FedRAMP also drives continuous monitoring and, with it, continuing education. Administrators of FedRAMP-authorized systems must run monthly vulnerability scans and undergo annual assessments, reviewing system changes and updates along the way. Stay informed about threats and about the latest techniques and technologies for combating them.
CDM Strategies: Monitoring Activity and Devices
The CDM program asks you to continuously monitor what is on the network and what is happening on it: devices, users and their behaviors, and data at rest and in transit. You must be able to see who is connected, when, and to what, and to discern deviations from the norm. That requires mechanisms that detect odd usage and irregular behaviors and raise an alert when an unknown or unauthorized device appears, along with the ability to respond quickly to such incidents or to remediate them automatically.
Ideally, administrators should also go beyond simple device monitoring to an in-depth analysis of device behavior. A networked printer, for example, can be abused as a staging point for sharing or moving data; administrators must be able to detect when a device is being used in a way its role does not explain.
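The baseline-and-deviation idea behind both the CTF assessment advice above and the CDM device monitoring is simple enough to show end to end. The following Python is an added example written for this page, not code from GovLoop, CISA, or any CDM tool: it holds a constructed inventory of three hosts, reads constructed connection records in a made-up "timestamp mac src_ip dst_ip dst_port bytes" format, and reports two kinds of finding: a device whose MAC is not in the inventory, and a known device that behaves outside its role (here, a printer initiating an outbound HTTPS session). All host names, addresses, and the per-role port policy are assumptions chosen for illustration.

```python
"""Baseline inventory check plus per-role behavioral check (added example)."""
from dataclasses import dataclass
from typing import Dict, List

# Constructed baseline inventory: hypothetical hosts, not real data.
# In practice this comes from the asset database / CMDB the CTF assessment produces.
BASELINE: Dict[str, Dict[str, str]] = {
    "aa:bb:cc:00:00:01": {"name": "fileserver-01", "role": "server", "ip": "10.0.1.10"},
    "aa:bb:cc:00:00:02": {"name": "printer-3f", "role": "printer", "ip": "10.0.1.50"},
    "aa:bb:cc:00:00:03": {"name": "ws-jdoe", "role": "workstation", "ip": "10.0.1.101"},
}

# Constructed policy: destination ports each role is expected to initiate sessions to.
# A printer accepts jobs; it should not be opening outbound sessions at all.
ROLE_ALLOWED_PORTS: Dict[str, set] = {
    "printer": set(),
    "server": {53, 123, 443},
    "workstation": {53, 80, 123, 443, 445, 631, 9100},  # 631/9100 = sending print jobs
}

# Constructed connection records (assumed format): ts mac src_ip dst_ip dst_port bytes
SAMPLE_LOG = """\
2020-03-02T09:00:01 aa:bb:cc:00:00:03 10.0.1.101 10.0.1.50 9100 20480
2020-03-02T09:00:05 aa:bb:cc:00:00:01 10.0.1.10 10.0.0.2 53 120
2020-03-02T09:01:10 aa:bb:cc:00:00:99 10.0.1.77 10.0.1.10 445 4096
2020-03-02T09:02:00 aa:bb:cc:00:00:02 10.0.1.50 203.0.113.9 443 52428800
2020-03-02T09:03:00 aa:bb:cc:00:00:03 10.0.1.101 10.0.1.10 445 8192
"""


@dataclass
class Finding:
    kind: str    # "unknown_device" or "unusual_behavior"
    mac: str
    detail: str


def parse_log(text: str) -> List[Dict]:
    """Parse the assumed whitespace-separated record format into dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, mac, src_ip, dst_ip, port, nbytes = line.split()
        events.append({"ts": ts, "mac": mac.lower(), "src_ip": src_ip,
                       "dst_ip": dst_ip, "port": int(port), "bytes": int(nbytes)})
    return events


def check_events(events: List[Dict], baseline=BASELINE,
                 allowed=ROLE_ALLOWED_PORTS) -> List[Finding]:
    """Compare each record against the inventory and the role policy."""
    findings: List[Finding] = []
    for ev in events:
        host = baseline.get(ev["mac"])
        if host is None:
            # CDM's first question, "what is on the network", answered per record.
            findings.append(Finding(
                "unknown_device", ev["mac"],
                f"{ev['ts']} unlisted MAC at {ev['src_ip']} connected to "
                f"{ev['dst_ip']}:{ev['port']}"))
            continue
        if host["ip"] != ev["src_ip"]:
            # Known device at an address the baseline does not expect.
            findings.append(Finding(
                "unusual_behavior", ev["mac"],
                f"{ev['ts']} {host['name']} seen at {ev['src_ip']}, "
                f"baseline says {host['ip']}"))
        if ev["port"] not in allowed.get(host["role"], set()):
            # Known device doing something its role does not explain.
            findings.append(Finding(
                "unusual_behavior", ev["mac"],
                f"{ev['ts']} {host['name']} ({host['role']}) initiated "
                f"{ev['dst_ip']}:{ev['port']} ({ev['bytes']} bytes)"))
    return findings


def run(text: str = SAMPLE_LOG) -> List[Finding]:
    return check_events(parse_log(text))


if __name__ == "__main__":
    for f in run():
        print(f.kind, f.mac, f.detail)
```

Run against the constructed log, this flags the unlisted MAC aa:bb:cc:00:00:99 and the printer pushing roughly 50 MB to an external address over 443, while the workstation's print job and SMB session pass as normal. Two caveats a practitioner would add: the baseline must be refreshed as hosts are added and retired, or every legitimate new device becomes an alert, and a MAC address is an identifier an attacker can spoof, so this check belongs alongside network access control rather than in place of it.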
Each framework approaches cybersecurity from a slightly different direction, but they all have one thing in common: the need for constant vigilance and complete awareness. Administrators must do whatever it takes to gain complete visibility into their network operations using all the tools at their disposal to shine a light on those areas and keep intruders out.
Find the full article on GovLoop.