The steady stream of news in 2014 about companies disclosing that their computer networks were breached by hackers or nation-states stems, in many cases, from a failure to follow best practices or maintain good cyber hygiene, a Department of Homeland Security (DHS) official said on March 17.
Even when companies and other organizations implement network security best practices, they often fail to do the necessary monitoring, Ann Barron-DiCamillo, director of the United States Computer Emergency Readiness Team (US-CERT) at DHS, said at the Security Through Innovation Summit sponsored by Intel’s [INTC] Intel Security division. She called 2014 the Year of Breaches, which is the “new normal” in terms of cyber attacks.
And all too often the malware and other viruses used in successful cyber attacks are well known, yet defenses that should have been put in place haven’t been, DiCamillo said. The best practices that are often lacking include things like application whitelisting, patching, and network segmentation, she said.
US-CERT, which does cyber incident response and accounts for more than half the manpower of the DHS National Cybersecurity and Communications Integration Center (NCCIC), “preaches” about the use of best practices because it would rather leverage its resources on bigger events and not have to deal with incidents where it’s a matter of hygiene and best practices that are lacking, DiCamillo said.
Common vulnerabilities are often not being patched or fixed, she said.
The NCCIC is a key conduit between the private sector and federal government for the sharing of cyber threat indicators. This information sharing is seen as a critical component in helping the government and industry better manage network security and cope with cyber attacks.
DiCamillo said that the federal government is increasingly doing a better job at sharing threat data with the private sector, in some cases cutting from several weeks to less than an hour the time it takes to share actionable information that the intelligence community has gathered. The sharing also includes analytics, not just threat indicators, she said.