(Washington, DC) Despite vulnerabilities such as Heartbleed grabbing headlines, the best methods for ensuring adequate system security are often the most basic forms of cyber hygiene, such as patching systems and ensuring strong passwords, a group of government cybersecurity experts agreed today. Speaking at the GovSec conference here, Ron Layton, Deputy Chief Information Officer, U.S. Secret Service said "what's the best investment for our resource dollar? Patch your system. The vast majority of successful breaches use very low-level techniques."
"We are still at the precipice of one of the most disruptive forces in our society [b]ut just do a strong password and you're good," he added.
"You don't necessarily need to worry about the most recent APT [advanced persistent threat] if you have 20% of your computers that are unpatched that can be had by a hacker with no skill whatsoever," Patrick Morrissey, Former Director of Investigations and Protective Operations, Blackberry, and Former CISO, U.S. Secret Service, said. "That is where the bad guys are going to come in. The sophisticated hacker is not going to waste his technique on you. Don't worry so much about being exploited by the latest and greatest. Just stay up to date on your patches."
The best method for ensuring adequate cybersecurity within the federal government is information sharing and collaboration, something that is bolstered by trust but hampered when no crisis is pressing on the nation. "Trust and relationships is what it’s all about," Dave Pekoske, Chairman of the FBI-private sector partnership InfraGard National, said.
However, "the agencies are not going to be giving up the keys to the kingdom" to other agencies, Morrissey said, particularly if a truly collaborative relationship is absent. "People are going to be reluctant to share information with those agencies if they don't believe the agencies are going to protect them as they should."
Information sharing among government agencies is problematic for a number of reasons, not the least of which are the varying definitions of security clearance and "need to know" statuses across agencies. But agencies do collaborate better in the midst of a crisis. "The government does work well in crises but the farther we get away from 9/11 it becomes a problem," Morrissey said.
Another perennial problem that hampers work across agencies is the lack of qualified cybersecurity personnel, who tend to steer clear of the government or bolt for the higher paid private sector after relatively short stints. "It's a huge challenge for us right now," Eric Strom, Unit Chief, Cyber Initiative and Resource Fusion, NCFTA, FBI, said. "It's hard to take an investigator and teach them cyber skills."