By Heman Mehta, Director of Product Management, Faronics Corporation
The Office of Personnel Management (OPM) breach of 21.5 million-plus records was perhaps the most notorious hack of a government agency, but it was far from the only one, or even the largest.
A hack of the U.S. voter database affected 191 million records and a breach at the Georgia Secretary of State office impacted 6.2 million records.
These breaches all occurred in 2015 alone!
(More than 21 million Americans had personal data stolen from files held by the Office of Personnel Management. Anyone who went through background checks to apply for a government position since 2000 has been affected, according to the OPM. That makes the data breach six times larger than was originally disclosed. Courtesy of PBS NewsHour and YouTube. Posted on Jul 9, 2015)
Most government agencies have deployed a sophisticated information security infrastructure that includes a “layered defense” – generally a combination of prevention technologies, such as firewalls, antivirus, secure gateways, and some type of intrusion detection solution.
One piece of this security infrastructure that is sometimes overlooked is an application whitelisting solution that adds a more proactive security layer to prevent increasingly sophisticated and frequent cyber attacks.
Application whitelisting solutions allow a file to execute only if it matches an approved hash value, digital signature or publisher, and block everything else.
The most advanced solutions accelerate recovery of the network after a breach with an instant restore function that eradicates all malicious changes with a simple restart.
As government IT and security teams research application whitelisting solutions, they should demand three critical performance capabilities, including:
Proactive Security Barrier
- The solution should only allow approved programs through, stopping threats like targeted attacks, zero-day threats and mutated viruses.
- Anti-ransomware measures should include the ability to block processes that attempt to rename files to extensions known to be used by ransomware.
Active Antivirus Protection
- The solution should provide advanced antivirus to stop all known malware, like viruses, worms, and Trojans, if they somehow breach the prevention barrier.
- The antivirus should also include advanced firewall protection.
Restorative Remediation Measures
- The solution should provide a powerful reset mechanism.
- Just rebooting systems should destroy any malware and restore systems to normal instantly.
Additional key features of application whitelisting solutions that government IT teams should look for:
- Machine learning-assisted whitelist for “dirty environments,” that is, existing environments with applications already installed on computers.
- A multi-phase deployment approach gives IT and security teams the ability to deploy the solution in an “audit” mode and build a custom control list.
- This enables teams to effectively deploy into active environments without requiring IT teams to re-image computers.
- Teams can build a control list configuration from a “template” computer: they set up a single system containing all the files to allow, then apply that list to other systems so that any other file is prevented from running.
- Algorithms can suggest when teams should switch deployment modes from low to high without affecting day-to-day operations.
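As an added example (not Faronics' code, and not the product's own algorithm), the following Python sketch shows the hash-based control list described earlier and the “template computer” and “audit mode” workflow from the list above: hashes of every controlled file type on a template machine become the allowlist, an endpoint is then checked in audit mode (log only) and in enforce mode (block), and a simple readiness check suggests moving to enforce once audit mode stops seeing unknown files. Signature and publisher matching are left out; the file contents, paths and the monitored-extension set are constructed for the example.

```python
"""Minimal application allowlist: template-derived control list, audit vs. enforce.
Added example; paths, file contents and extension set are constructed here."""
import hashlib
import tempfile
from pathlib import Path

# File types the article says should be controlled (.exe/.scr/.jar/.bat/.com
# plus DLLs, VBScript and PowerShell). Assumption: suffix match, case-insensitive.
CONTROLLED_SUFFIXES = {".exe", ".scr", ".jar", ".bat", ".com", ".dll", ".vbs", ".ps1"}


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large binaries do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def is_controlled(path: Path) -> bool:
    return path.suffix.lower() in CONTROLLED_SUFFIXES


def build_control_list(template_root: Path) -> dict:
    """Walk a template computer and record the hash of every controlled file.
    Keyed by content hash, not by path, so a renamed or relocated copy of an
    approved binary is still approved and a modified one is not."""
    control = {}
    for p in sorted(template_root.rglob("*")):
        if p.is_file() and is_controlled(p):
            control[sha256_of(p)] = str(p.relative_to(template_root))
    return control


class Allowlist:
    """mode="audit": log unknown executables but allow them (deployment phase).
    mode="enforce": block anything whose hash is not in the control list."""

    def __init__(self, control: dict, mode: str = "audit"):
        self.control = control
        self.mode = mode
        self.events = []  # (mode, file name, hash) for every unknown controlled file

    def check_execution(self, path: Path) -> bool:
        """Return True if execution should proceed."""
        if not is_controlled(path):
            return True  # not a controlled type (e.g. a .txt), outside the policy
        digest = sha256_of(path)
        if digest in self.control:
            return True
        self.events.append((self.mode, path.name, digest))
        return self.mode == "audit"

    def suggest_enforce(self) -> bool:
        """Readiness heuristic (constructed): switch to enforce only once audit
        mode has recorded no unknown executables."""
        return self.mode == "audit" and not self.events


def demo() -> dict:
    """Constructed scenario: one approved binary on the template; an endpoint
    with that binary (different path, same content), an unknown binary, an
    unknown PowerShell script and a plain text file."""
    with tempfile.TemporaryDirectory() as tmp:
        template = Path(tmp) / "template"
        endpoint = Path(tmp) / "endpoint"
        (template / "bin").mkdir(parents=True)
        endpoint.mkdir()
        (template / "bin" / "approved.exe").write_bytes(b"MZ-approved-binary")
        (template / "notes.txt").write_bytes(b"not executable")
        control = build_control_list(template)

        (endpoint / "approved.exe").write_bytes(b"MZ-approved-binary")
        (endpoint / "dropper.exe").write_bytes(b"MZ-unknown-binary")
        (endpoint / "stage.ps1").write_bytes(b"Write-Host hi")
        (endpoint / "readme.txt").write_bytes(b"harmless")

        audit = Allowlist(control, mode="audit")
        enforce = Allowlist(control, mode="enforce")
        result = {"control_size": len(control)}
        for name in ("approved.exe", "dropper.exe", "stage.ps1", "readme.txt"):
            result[f"audit:{name}"] = audit.check_execution(endpoint / name)
            result[f"enforce:{name}"] = enforce.check_execution(endpoint / name)
        result["audit_events"] = len(audit.events)
        result["suggest_enforce"] = audit.suggest_enforce()
        return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Keying the control list by content hash is what lets a team build the list on one template machine and apply it to many: the approved binary at a different path on the endpoint is still allowed, while the unknown binary and script are logged in audit mode and blocked in enforce mode. The two audit events are also why the readiness check says not to switch modes yet.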
Advanced Granular Control
- In addition to .exe, .scr, .jar, .bat, and .com extensions, IT teams should be able to monitor files such as DLLs, VBScripts and PowerShell scripts.
- Ransomware protection settings, which make it easy to apply restrictions on an endpoint, help protect against threat vectors that fall outside of malicious applications, for example by forcing pop-up blockers, disabling Windows Scripting Host, or disabling VBScript.
- Active alerting should enable IT teams to define behaviors and thresholds that proactively notify the team if malicious or unwanted activity is taking place within the environment.
- The ability to have alerts sent via push notification to the mobile app as well as through email and central console can be a plus.
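The following is an added example (not Faronics' code) of the behaviour-and-threshold alerting described above, applied to the anti-ransomware rename rule from the first capability list: file rename events are attributed to a process, a process that renames files to suspect extensions more than a set number of times raises one alert, and its further renames are denied. The event records, the process names and the extension list are all constructed for the example.

```python
"""Threshold-based rename alerting. Added example; the events, process names
and suspect-extension list are constructed, not taken from the article."""
from collections import defaultdict

# Assumption: extensions the team has chosen to treat as ransomware indicators.
SUSPECT_SUFFIXES = {".locked", ".encrypted", ".crypt"}

# Alert (and start denying) once a single process has done this many suspect renames.
RENAME_THRESHOLD = 3


def suffix_of(name: str) -> str:
    dot = name.rfind(".")
    return name[dot:].lower() if dot != -1 else ""


def is_suspect_rename(old_name: str, new_name: str) -> bool:
    """True when a file gains a suspect extension it did not have before."""
    return suffix_of(new_name) in SUSPECT_SUFFIXES and suffix_of(old_name) not in SUSPECT_SUFFIXES


def evaluate_renames(events):
    """events: iterable of (pid, process_name, old_name, new_name), in time order.
    Returns (alerts, denied): alerts holds one (pid, process_name) per process
    that crossed the threshold; denied holds every rename event at or past it."""
    counts = defaultdict(int)
    alerts, denied = [], []
    for pid, proc, old, new in events:
        if not is_suspect_rename(old, new):
            continue
        counts[pid] += 1
        if counts[pid] >= RENAME_THRESHOLD:
            denied.append((pid, proc, old, new))
            if counts[pid] == RENAME_THRESHOLD:
                alerts.append((pid, proc))
    return alerts, denied


# Constructed sample: one process mass-renaming documents, one benign rename,
# and one benign rename by the same suspicious process.
SAMPLE_EVENTS = [
    (4120, "svc.exe", "budget.xlsx", "budget.xlsx.locked"),
    (880, "explorer.exe", "draft.docx", "final.docx"),
    (4120, "svc.exe", "q1.docx", "q1.docx.locked"),
    (4120, "svc.exe", "plan.pptx", "plan.pptx.locked"),
    (4120, "svc.exe", "old.log", "old.bak"),
    (4120, "svc.exe", "notes.txt", "notes.txt.locked"),
]


def demo():
    return evaluate_renames(SAMPLE_EVENTS)


if __name__ == "__main__":
    alerts, denied = demo()
    print("alerts:", alerts)
    print("denied:", denied)
```

Attributing the counter to the process rather than to the file is the point: a user renaming one document to an odd extension never trips the rule, while a single process working through many documents does, and the first two renames that happened before the threshold remain visible in the event stream for later forensic review.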
Cloud Administration and Dashboarding
- This feature offers granular control of policies applied.
- IT teams can retrieve and manipulate a local control list from the cloud.
- A dashboard of widgets that provides visual information at a glance, shows trends and helps teams make small adjustments easily.
Cyber attacks on government institutions are not going away.
Hackers know that many government agencies are still modernizing their cyber defenses and that their data may be vulnerable.
Government agencies that rely on information assets to operate would do well to be extra vigilant.