Even with the best technology and processes available, more needs to be done to educate U.S. senators and their staff on why they need to take cybersecurity seriously, according to the Senate’s IT security branch manager.
Linus Barloon II spoke Tuesday at a media breakfast where he outlined how he drives the security strategy for 100 elected officials, their staffers and state and committee offices, and the multiple devices they use to connect to the senate.gov network. He highlighted how his defenses have had to move from checklist configuration and patch monitoring to a nebulous perimeter that needs to be evaluated using a risk-based assessment.
“Cyber isn’t just something that you can sit back and say ‘ho-hum,’” Barloon said. “Cyber isn’t something where I just install a bunch of patches and install a set of configurations, and then when a breach happens we throw up our hands and say ‘how did that happen?’”
Yet even as Barloon moves toward providing context-based risk assessments, he has found that the Senate and their staffers have been slow to catch on to best practices.
“I’m not sure that we as cybersecurity professionals have educated the users on why [cybersecurity] is a big deal,” he said.
HIs office has tried over the course of the past few years, inviting people to seminars where experts from the National Security Administration, Virginia Tech and private sector firms have educated staffers on issues like SSL and multi-factor authentication. Yet even with those efforts, Barloon compared his office’s role to being in a state police force, with jurisdiction over only a certain part of the country — or chunk of the network.
“Our security to some degree stops at the doorstep of the member’s office,” Barloon said. “[Senators] have their system administrators that perform their own system administration. We control the pipes, but we have the challenge of advising that member and their staff that we offer that security procedure to them. Based on their operational model, it’s their option on what they implement.”
When it comes to a baseline security measure like SSL, the majority of Senate offices apparently believe there is little risk. FedScoop found that only 29 senators deploy SSL certificates on their senate.gov websites (and several of those use SHA-1 certificates, which are considered outdated), even as Barloon’s office offers certificates through Comodo.
Barloon said there is only so much they can do when it comes to each Senate office.
“We don’t have the authority to direct downward policy,” Barloon said. “We are there and we provide that security guidance, and we work with system administrators to do so.”
For the network that Barloon has control over, he’s moved to providing context via risk-based assessments, letting people know what vulnerabilities to prioritize and how it could affect a network that is used by approximately 20,000 people. He uses a mix of frameworks from NIST, ISACA, ISO 27000 and the Open FAIR Body of Knowledge and RedSeal’s network visualization to get a daily picture of where the gaps lie on the network.
“Do I truly know what the network looks like?” Barloon said, reeling off an example of what his daily assessment help him look for. “Do I truly know where my users have joined? Do I know where my data is? Do I know what the crown jewels are? Do I know what my mitigation strategies are?”
Being able to use these risk-based reports is what Barloon says gives him the ability to secure the network better than he ever could before.
“Many organizations, when they make a tech investment, they stop doing anything with the technology once they implement it past 20 percent of its capability,” he said. “They never really leverage that capability holistically. Now I can be continuous and iterative. I’m not doing [an assessment] once every three years. I’m doing it once every day.”