NSA, NOAA and Other Agencies Rethink How They Tackle Endpoint Security

Cybersecurity breaches often share a common trait: Hackers gain access through an unsecured endpoint.

Although many think of endpoints strictly as mobile devices, end-user behavior also fits into that category. With so many endpoints on federal networks, federal IT managers face a wide array of attacks and challenges.

“Endpoints are a critical piece of the security puzzle,” says Larry Reed, cybersecurity director for the National Oceanic and Atmospheric Administration. “The successful attacks against government typically start with a phishing message aimed at an end user and grow from there.”

Nearly nine out of 10 federal leaders say endpoint security policies must improve, according to a recent MeriTalk survey. The same survey revealed that 44 percent of government endpoint devices are unknown or unprotected.

As concerns about endpoint security grow, agencies are rethinking their approach to them. That includes new governmentwide programs and policies, along with addressing end-user vulnerabilities.

Percentage of IT managers who believe negligent or careless employees are the biggest threat to endpoint security

NSA Embraces Defense-In-Depth 

“The endpoint security story is the same across all types of organizations,” says Kevin Beaver, founder of Principle Logic, an IT security consulting firm. “But challenges become more complex in larger organizations like federal agencies.”

The National Security Agency approaches security with a holistic view that incorporates a layered defense strategy, from the network to the endpoint, says Curtis Dukes, the NSA’s information assurance director. This strategy differs from one the agency used a few years ago.

NSA’s defense-in-depth strategy features four mitigation goals: device integrity at the endpoint; application management, such as white listing and configuration; damage containment; and secure data transport.

In the past, the agency tended to install anti-virus software on endpoint devices and sometimes also relied on host-based security systems. The agency also didn’t encrypt data that remained on most devices, so hackers who gained access were rewarded for their efforts.

Those measures provided some, but not enough, security, Dukes says.

In hindsight, he says, NSA now realizes it should have better managed user profiles. Not so long ago, Dukes says, many users operated as admins. When an adversary hacked into a device, they could then establish administrator privileges and launch wide-scale attacks.

“After the attacks of the past 18 months, everyone in government needs to pay better attention to cyber and network hygiene,” Dukes says. “It makes a difference.”

What does that look like? For the NSA, it includes updating patches and configuring endpoints, along with implementing continuous monitoring solutions.

Keeping Track of Threats 

The NSA situation is not unique — in or outside government, says Jon Oltsik, a senior analyst with the Enterprise Strategy Group. He lauds the NSA’s approach and says agencies often fail to treat endpoints differently, a strategy that leaves critical data and systems vulnerable.

“Agencies must determine how endpoints are used and make decisions based on that,” Oltsik says. “They cannot all be treated as one and the same.”

The security teams in government also must remain aggressive with education, for both technology staff and end users, he recommends. Threats continue to grow in complexity, and while IT staff might remain informed on the latest threats, end users likely are not as well educated.

Reed sees the same issues at NOAA. The quality of phishing attacks has rapidly increased, he says. “The adversaries learn and up their game accordingly.”

Working Together on Cyberdefense

As cyberthreats grow, agencies are partnering more to share threat information.

In 2013, the Homeland Security Department and the General Services Administration launched the Continuous Diagnostics and Mitigation (CDM) program, a four-year initiative that provides federal network administrators with tools and capabilities to monitor networks.

CDM provides commercial off-the-shelf tools that provide administrators with updated threat information, such as a dashboard to produce customized reports and alerts on vulnerable systems.

Although CDM focuses on security as a whole, it substantially helps endpoint security, Reed says. A task force will study the early results from the initiative and provide guidance that will bring more resources and best practices.

Reed says that CDM also serves as the endpoint management component of the White House’s cybersecurity recommendations following last summer’s security breach at the Office of Personnel Management, in which more than 19 million records of past and present federal employees were exposed.

As more agencies begin to allow bring-your-own-device programs, CDM and other governmentwide policies grow in importance. Mobile containerization and virtualization can add further security at the endpoint.

A Long Fight Ahead

“If malware is on a device, a container can limit the damage to both the host and, more important, the whole network,” Reed says.

Simple policies, like those the White House mandated following the OPM breach, also can make a big difference, he adds.

Principle Logic’s Beaver, though, quickly points out that such policies and programs serve only as a starting point.

“We’ve known for years — in some instances, decades — what needs to be done to protect networks, computers and information,” he says. “The challenge is to do it.”