By now CIOs across the federal government have seen Emergency Directive 19-1, issued by the Department of Homeland Security in response to cyberattacks on DNS infrastructure for several executive branch agency domains. In these attacks, outsiders compromised user accounts that were authorized to change or manipulate DNS records. The attackers were able to alter those records and direct user traffic to their own infrastructure for manipulation. As the DNS changes originated from a known good account with proper credentials, the attacks did not trigger any alerts. They also were not visible to the end user.

Once upon a time, all it took to keep your agency protected against these types of attacks was to build a really good perimeter that stood between everything in your enterprise and anything that didn’t belong. Threats had to break through the firewall to gain access to your information. Now, as these recent attacks expose, they can come through the front door undetected. And this certainly isn’t the first example. A 2017 Verizon Breach Investigative Report found that 80% of hacking-related breaches leveraged weak, default, or stolen passwords. The State of Cybersecurity Report 2018 notes that 29% of breaches used personally identifiable information combined with user credentials. The headlines are full of data losses that originate from inside of well-built perimeters.

What does this mean for CIOs? We are back to security basics. Attackers will often search for the weakest link in the agency’s security posture. With the ever-growing sprawl of user accounts, critical resources, and touch points into the network, focusing on the perimeter is completely inadequate. Even the best perimeter can’t protect you from inside threats, which occur not only because of rogue employees, but because of theft of employee personal information and passwords that grant attackers access to the inside of your perimeter. Passwords are vulnerable to hackers because they are often created using personal information – which in today’s world is no longer “secret” knowledge. Biographical and geographical data is just as accessible to hackers as it is to the owners of the data themselves.

NIST agrees. In 2017, NIST published Digital Identity Guidelines, which require government agencies and contractors who process, store, and transmit data to implement strong authentication controls. The Levels of Assurance measures are gone, and have been replaced with more rigorous security measures for the authentication process, segmented into three Authenticator Assurance Levels as determined by the sensitivity of the information.

These recent attacks should serve as a wake-up call for technology professionals to re-examine the policies and methodologies of cyber threat hunting. Federal agencies need to tighten security via identity proofing and strict authenticators on the inside so that the perimeter isn’t the only thing keeping would-be attackers from accessing your precious information.

Security at the Application Level, Not the User Level

Both multi-factor and zero-trust authentication offer a security model that shifts the point of access conversation from traditional, perimeter-based security where anyone with the credentials can access everything inside from any device to individual application security. Application-based security utilizes user identity, the trustworthiness of the device, and established security policies to grant access to that one application. It is a more scalable approach to security that protects every attack surface by validating every point of access.

The latest trends in authentication don’t rely on privacy-protected personal information. They use biometric information that is unique to that individual user – and is hard to compromise. Authentication can occur through applications specifically designed for that purpose, offering another level of secured user verification.

Meeting the Directive and Achieving Mission Success

Looking back to the directive, federal agencies have been charged with some clear remediation steps for this latest attack:

  • Audit DNS records for change
  • Change passwords of all accounts with access to manipulate DNS records
  • Layer multi-factor authentication (MFA) onto all accounts with such access
  • Monitor certificate logs
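
The first and last steps above (auditing DNS records for change and monitoring certificate logs) lend themselves to a baseline comparison. The following is an added example, not code from the directive, DHS or Force 3; the record sets, certificate-log entries, issuer names and the `agency.example` zone are constructed sample data, and the function names are hypothetical.

```python
BASELINE = {  # known-good record sets, e.g. exported from change control
    ("agency.example", "NS"): {"ns1.agency.example", "ns2.agency.example"},
    ("mail.agency.example", "A"): {"192.0.2.10"},
    ("www.agency.example", "A"): {"192.0.2.20"},
}
OBSERVED = {  # answers collected from the authoritative servers today
    ("agency.example", "NS"): {"ns1.agency.example", "ns2.agency.example"},
    ("mail.agency.example", "A"): {"203.0.113.66"},
    ("www.agency.example", "A"): {"192.0.2.20"},
    ("vpn.agency.example", "A"): {"198.51.100.7"},
}
CT_ENTRIES = [  # (subject name, issuer) pairs as seen in certificate logs
    ("www.agency.example", "Example Agency CA"),
    ("mail.agency.example", "Unrecognized Public CA"),
    ("portal.other.example", "Unrecognized Public CA"),
]
APPROVED_ISSUERS = {"Example Agency CA"}


def diff_records(baseline, observed):
    """Return (name, rtype, removed, added) for every record set that differs."""
    findings = []
    for key in sorted(set(baseline) | set(observed)):
        old, new = baseline.get(key, set()), observed.get(key, set())
        if old != new:
            findings.append((key[0], key[1], sorted(old - new), sorted(new - old)))
    return findings


def unexpected_certs(entries, zone, approved):
    """Certificates logged for names in our zone by issuers we did not approve."""
    suffix = "." + zone
    return [(name, issuer) for name, issuer in entries
            if (name == zone or name.endswith(suffix)) and issuer not in approved]


def priority_names(findings, certs):
    """Names with both a DNS change and an unapproved certificate: review first."""
    return sorted({f[0] for f in findings} & {c[0] for c in certs})


if __name__ == "__main__":
    changes = diff_records(BASELINE, OBSERVED)
    certs = unexpected_certs(CT_ENTRIES, "agency.example", APPROVED_ISSUERS)
    for finding in changes + certs:
        print("FINDING", finding)
    print("Review first:", priority_names(changes, certs))
```

In practice the observed set would come from querying the authoritative servers and the certificate entries from a Certificate Transparency monitor.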

Given the possible breadth of the data compromise and the severity of the directive, facilitating a reasonable method to quickly add MFA or the stronger zero-trust authentication to all accounts is imperative. To achieve mission success, agencies should take a close look at Duo Security, which was recently acquired by Cisco. Duo offers an impressively easy way to layer on MFA with minimal disruption to the user while incorporating the latest methods of authentication. Through its authentication application, Duo sits between your points of access and your network. Authentication operates via Universal 2nd Factor (U2F), a more secure means of authentication that facilitates push notifications, in contrast to less secure SMS (text) based methods. Duo works with PIV/CAC and meets common federal technology requirements, including NIST 800-63-3 and 53/63/171 authentication. Duo can also provide an additional layer of control by limiting accounts' exposure to known methods of attack – blocking access based on the location of the request or the use of anonymous networks. These capabilities will protect agencies from the types of attacks that caused this recent directive.

Zero-Trust Authentication in the Cloud

Adopting MFA will meet the immediate DHS directive. The ultimate goal should be zero-trust authentication. As agencies develop and implement plans to move their applications to the cloud to meet federal mandates, this is the perfect time to get the tightest security offered by zero-trust authentication because applications are already being reviewed to ensure they are cloud ready. This review should include a full security analysis, with an eye on the best way to keep that application safe against threats both inside and outside of your perimeter. Adopting a zero-trust authentication solution is a good way to ensure that only the people who are authorized to access your information are doing so.  

Force 3 is the Network Security company and a Cisco Gold Partner. We have a wealth of knowledge and experience with building, integrating, and launching security measures across agencies. We can help protect your agency and meet the requirements of the DHS directive – and achieve your mission.


Co-authored by Force 3’s Eric Stuhl, Director, Security and Enterprise Networking, and JR Silverthorne, Business Development Engineer. Contact us for more information.
