MeriTalk recently connected with Infoblox’s Ralph Havens, President, Federal, and Chris Usserman, Principal Security Architect, on the current government-wide shift to telework during the COVID-19 pandemic. Havens’ expertise lies in DDI, DNS security, and network automation solutions, while Usserman is proficient in cyber and intelligence operations, offering a vast background to discuss the common cybersecurity challenges and solutions happening daily during this time.
MeriTalk: The Office of Management and Budget has released a number of memos encouraging Federal agency employees, both inside and outside the Beltway, to maximize telework during the current COVID-19 pandemic. Can you talk about some of the inherent risks of working at home during this unprecedented time?
Ralph: To start with, there’s an increase in vulnerability to phishing scams and malware attacks. We’ve heard from customers that there’s a lack of training and experience from the workforce in teleworking. How do I use my home desktop that I now share with my spouse or significant other who also works from home? Not leaving work interfaces up on your computer when you go to get something to eat and your kid jumps on the computer and goes to the wrong website is important. Regardless, your network is always only as good as your least common denominator, whether it be your infrastructure or software security. This working from home scenario just extends that problem, because of how many different types of networks and access points are open between the enterprise and that user’s home desktop.
Chris: Federal agencies have made substantial investments in enterprise-grade security to protect the enterprise that traditionally has been centered within a “brick and mortar” facility. But now, they’re relying upon just the user’s SOHO router or the ISP’s router, and that’s the only protection users have against the actors trying to gain access to their systems. That’s the problem, as well as the rest of the devices on the home network, for example, your kid’s Nintendo Switch, or the Xbox, or the refrigerator. Each of those devices may be used as a launch point for local attacks against the user’s work computer.
MeriTalk: The OMB guidance has since extended to Federal contractors as well. I’m curious how contractors like Infoblox are working to safeguard Federal networks in this time. Maybe put some of the government readers here at ease…
Ralph: One is just recognition – in the last couple of weeks it’s been encouraging to see our ecosystem of contractors and technology alliance partners working together to solve this problem. The first thing that Infoblox has done is to offer free trials of our BloxOne Threat Defense, which enables customers to block malicious DNS requests, DNS exfiltration, and better manage and monitor their workers to have purer visibility. Basically, extending enterprise security permissions to those remote users in real time.
Chris: We in the private sector have been at home for about a month now due to this pandemic. We have all these people that aren’t used to working from home and outside the enterprise security boundary on a regular basis, and it may be another month, or more, before their IT resource comes back on the enterprise network. We can’t wait that long to know what’s going on with that device before it comes back on the network. As a security company, we’re obviously taking advantage of our own products to best defend our own resources – those same resources we use to communicate with our government customers.
In Infoblox’s case, we’re pushing Federal agencies to maximize their security posture by taking advantage of several initiatives: what we’re doing, through an enterprise license agreement, is providing all our threat intelligence to eligible Federal civilian departments and agencies, at no cost. Second, we’re providing free full-featured 90-day licenses to our BloxOne Threat Defense-Cloud product, which is essentially a configurable cloud-based DNS resolver with built-in firewall and DNS exfiltration prevention. Federal civilian agencies use these together or independently to help protect, defend, and mitigate threats at the DNS layer and inform other components of the security ecosystem.
MeriTalk: What kind of attacks and exploits are becoming more common during this period, and how can agencies guard against them?
Ralph: Attackers always seem to be two steps ahead. And the biggest, most widely talked about attack is bogus COVID-19 information shared on the web. So, it’s important to educate the working from home individual on how to recognize phishing attacks. Being able to break down how they’re written, targeted, and to be able to understand what could be a bogus website – for example, if it’s a .kom instead of .com – knowing the language is huge. One thing I recently read about is the proliferation of attacks on Zoom. We all use it now every day. And bad actors have figured out how to “Zoom bomb”, which simply means hijacking Zoom sessions. I’m on half a dozen Zoom meetings before lunch, so if I see a meeting request, I’m most likely going to accept it and that may open my network to malware.
Chris: Phishing attacks and infected websites centered around COVID-19, be it masquerading/look-alike sites, fake medical “cure” or prevention sites, etc. In any event, it’s all about visibility, containment, and mitigation. Agencies must have the infrastructure and visibility to know what’s happening at any given point in time, the threat intelligence to be able to put it to action, and the technologies to be able to put it in play in a way that’s proactively defending their network. As agencies become more advanced, there is less they’re having to react to. One of the big challenges is that there is a need for connectedness between individuals at this time, so we are in a race to adopt new technologies that facilitate that – like Zoom. Even though some of us have used Zoom for a long time, it’s new to many organizations, school districts, and Federal agencies alike and they don’t know what the implications are in their particular environment. So, we’re saying, use them if it meets the requirements but manage your risk, understand what the implications are, and adjust as needed.
MeriTalk: Within the $2 trillion stimulus bill that was just signed, telework and cybersecurity enhancements factor in notably. How should the agencies prioritize the additional funding they will receive?
Ralph: Across the board big projects are being delayed. The common focus is on securing remote users. What I would like to see is agency synergy. Bring in your trusted partners, contractors, and vendors to work together collaboratively. The problem is not that terribly unique from agency to agency. Solving 80% of the problem is the basis for every agency, then you can tweak it from there.
Chris: I agree with Ralph. All too often we see endless chasing from contractors following the budget. I think there’s a strong opportunity for cross-sector collaboration. In the cybersecurity sector, the focus needs to be on finding the best solution for the customer and their needs.
MeriTalk: On the technical side of the house in government, things are looking a little grim. NIST released a bulletin that suggested it’s best to assume networks will be compromised during this extended telework period. Are there any specific resources agencies can use to help mitigate?
Chris: I think NIST has it only partially right. It would be best to assume that networks are compromised. The biggest issue is that organizations have already had challenges with understanding what’s happening in their environment and having good visibility, and it’s further exacerbated by security operations having to work remote, as well as the rest of the workforce, where visibility is even further reduced. Agencies will be most successful adopting the methodology of, and eventually rolling out, an architecture that follows Zero Trust.
Ralph: From an Infoblox perspective, our BloxOne Threat Defense, and our threat intelligence platform, are great resources. We can provide this service to eligible Federal agencies, to help them improve securing their remote offices for remote users.
MeriTalk: NIST also suggested agencies develop and enforce a telework security policy with tiered levels of remote access. What else should agencies consider in telework security policies?
Chris: Always monitor VPN activity. Do telework users use GFE [government furnished equipment]? How do you protect the organization from the user? There are many potential impacts of a general telework policy that will have cyber implications you’ll need to address. It’s not just about protecting the organization from cyber attackers but also protecting the enterprise from a federated workforce operating beyond the brick-and-mortar, and protecting the individuals from themselves.
MeriTalk: What advice would you share with agency leaders who are maybe now preparing for a situation they’ve never dealt with before?
Ralph: A quote I heard recently is that this is the new norm. Agency leaders must re-envision and re-employ telework policies. While the current policies are a great framework, there are still things that are poorly represented, or things that aren’t represented at all. There’s a very humbling dialogue with respect to understanding. We have that framework, but it needs to change to fit this type of landscape.
Chris: As Ralph often says, we don’t know what we don’t know. All too often, these policies are there to facilitate a very minor use case of personnel. The challenge here is how do we update our policies to reflect these current changes and still be as efficient and secure as possible? You have to assume that the future enterprise is going to be physically further separated. Gone are the days where “going to work” only meant leaving your residence. Now, telework is often part of the talent acquisition process – so regardless of the reason – organizations’ IT plans must include capacity and security controls inclusive of a decentralized workforce and decentralized assets.
MeriTalk: Any other advice or closing thoughts?
Chris: What’s good for one organization is not necessarily a carbon copy solution for another. There’s a lot of things that go into determining whether or not a proposed security policy will work for an organization. Invite not just us, invite your trusted vendors in, and we can work together to help organizations reach their goals.
Ralph: I’ve seen across a lot of agencies a humble tone. I haven’t seen anybody step up and say, “I’ve got this.” To varying degrees, everybody has stood up and it’s not a panic-stricken thing, but it’s admitting we have weaknesses and vulnerabilities, things that we need to shore up. Nobody has stood up and said, “we’re good”. That’s gratifying just as a citizen to see that we’re not taking it for granted.