Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Tenable Blog

Subscribe
  • Twitter
  • Facebook
  • LinkedIn

Securing Classified Telework: 3 Principles for Protecting Sensitive Data

Securing Classified Telework: 3 Principles for Protecting Sensitive Data

As pandemic restrictions linger, federal agencies are preparing for a rise in classified telework. Here’s why a continued focus on cybersecurity fundamentals is imperative.

The COVID-19 pandemic accelerated the move to remote work beyond all prior expectations. While there were many exceptions to the rule in the early days of the pandemic response, we are seeing those exceptions decrease as the remote work environment matures. The sudden need for secure remote work drove innovation and flexibility as necessary attributes of a successful transition. Leaders at the Defense Information Systems Agency (DISA), for example, commented that this demand, and the resultant security upgrades, were a sort of "silver lining" within the pandemic “cloud.”

The pandemic has restricted all organizations from working in their traditional ways, and the Pentagon is no exception. Approximately one million personnel are now working remotely as a result of the Department of Defense (DoD) expanding its telework capabilities. Currently, the majority of remote work done by DoD employees is low-risk and unclassified. But as the pandemic lingers, the Pentagon and its agencies are being pushed to do more classified telework. For example, former DoD chief information officer Dana Deasy signaled that the Pentagon aimed to support sensitive, classified telework for its employees by the end of 2020. Classified work – which is defined as handling secret or top-secret designated data – has historically been completed by DoD personnel in physical facilities. These sensitive compartmented information facilities (SCIFs) safeguard classified data with physical barriers.

As the DoD looks ahead, enhancing secure telework capabilities is at the top of its “to do” list.

The quick transition to remote work across organizations has bad actors ready to take advantage, and the increase in sensitive – even classified – information being accessed remotely will frame the Pentagon and its employees as a larger target, making it even more important for the DoD to secure its cyber infrastructure.

As always, regardless of how many security measures are built into a network, continued focus on the fundamentals is necessary to maintain security. Below are three critical elements of a successful and secure remote work program that should continue to be priorities for DoD as the move to classified telework accelerates.

1. Maintain good cyber hygiene

Getting the basics right – maintaining good cyber hygiene – is essential to a successful cybersecurity program. An increased attack surface due to more telework means that before any new programs can be implemented or classified documents can be viewed remotely, the Pentagon must have a clear image of its whole environment, where it’s exposed and how those vulnerabilities could impact the organization. Good cybersecurity requires basic cyber hygiene, something that requires discipline – a foundational DoD strength – but is not unreasonably difficult to achieve. If the DoD can get the basics right, they can prevent most breaches and attacks on their systems.

Shiny new cyber tools don’t improve cybersecurity if organizations aren’t maintaining that critical focus on the fundamentals. One great resource for cyber basics is the Cybersecurity and Infrastructure Security Agency’s (CISA) Cyber Essentials Toolkits, which outline the steps IT and executive leaders need to work toward to fully implement basic cybersecurity. Maintaining good cyber hygiene must be a top priority for both the DoD and other organizations doing more telework during this time. 

2. Outline vulnerability management procedures

The vast majority of breaches occur as a result of known but unpatched vulnerabilities. According to one recent study, 60% of security breaches were linked to a vulnerability for which a patch was available but not applied. Additionally, Tenable Research has found that 26% of vulnerabilities are never fixed. These exposures pose a significant threat to organizations, and better prioritization methods are needed to focus remediation efforts on the risks that matter most . 

Risk-based vulnerability management may seem complicated at first, but it can be relatively easy to implement if organizations know what to expect and plan accordingly. This includes building good authentication and identity management practices, establishing strong cyber hygiene and having unified visibility across your attack surface, including dynamic environments such as cloud instances or web applications.

Pentagon leadership must have strong management to identify and fix vulnerabilities. This will help agencies proactively manage their cyber risk, instead of making retroactive efforts in times of emergency.

3. Establish streamlined network visibility  

Breaking down silos is another critical step for organizations to achieve network visibility. Too many organizations see their cybersecurity and other critical initiatives go in opposite directions because security and executive leaders are not communicating effectively or understanding each other.

According to our recently commissioned study of more than 800 business and cybersecurity leaders, conducted by Forrester Consulting on behalf of Tenable, when security and business leaders are aligned, they deliver demonstrable results in their ability to assess and manage critical cyber risks. Aligning overall organization and cybersecurity objectives not only improves security posture, but it also advances agency goals and benefits the entire organization. 

There will be challenges in breaking down these silos and establishing better network visibility for the DoD, just as there are for private industry. But the benefits for personnel and the organization as a whole are significant, and agencies should work to make it a top priority. Without alignment, security teams risk chasing down issues that may pose little risk, while leaving their most critical assets and systems exposed. 

Conclusion

As the DoD moves to increase the number of employees doing sensitive, classified telework at home instead of in SCIFs, it is critical for DoD leadership to reinforce secure remote work practices. Good cyber hygiene, strong vulnerability management and central network visibility must remain top of mind for the DoD as they continue to move toward more classified telework.

The recent SolarWinds breach added an exclamation point to the importance of network visibility, as noted recently by CISA’s acting director, Brandon Wales. Mr. Wales cited insufficient visibility into agency networks and cloud deployments as “blind spots” that prevented early detection and needed to be eliminated to prevent similar breaches in the future. With increased telework expanding the enterprise network, the risk of more blind spots becomes even greater, heightening the importance of this essential step in the process.

Related Articles

Are You Vulnerable to the Latest Exploits?

Enter your email to receive the latest cyber exposure alerts in your inbox.

Try for Free Buy Now

Try Tenable.io

FREE FOR 30 DAYS

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Sign up now.

Buy Tenable.io

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

65 assets

Choose Your Subscription Option:

Buy Now
Try for Free Buy Now

Try Nessus Professional Free

FREE FOR 7 DAYS

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy Nessus Professional

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy a multi-year license and save. Add Advanced Support for access to phone, community and chat support 24 hours a day, 365 days a year. Full details here.

Try for Free Buy Now

Try Tenable.io Web Application Scanning

FREE FOR 30 DAYS

Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable.io platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. Sign up now.

Buy Tenable.io Web Application Scanning

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

5 FQDNs

$3,578

Buy Now

Try for Free Contact Sales

Try Tenable.io Container Security

FREE FOR 30 DAYS

Enjoy full access to the only container security offering integrated into a vulnerability management platform. Monitor container images for vulnerabilities, malware and policy violations. Integrate with continuous integration and continuous deployment (CI/CD) systems to support DevOps practices, strengthen security and support enterprise policy compliance.

Buy Tenable.io Container Security

Tenable.io Container Security seamlessly and securely enables DevOps processes by providing visibility into the security of container images – including vulnerabilities, malware and policy violations – through integration with the build process.

Get a Demo

Get a Demo of Tenable.sc

Please fill out the form below with your contact information and a sales representative will contact you shortly to schedule a demo. You may also include a short comment (limited to 255 characters). Please note that fields with asterisks (*) are mandatory.

Try for Free Contact Sales

Try Tenable Lumin

FREE FOR 30 DAYS

Visualize and explore your Cyber Exposure, track risk reduction over time and benchmark against your peers with Tenable Lumin.

Buy Tenable Lumin

Contact a Sales Representative to see how Lumin can help you gain insight across your entire organization and manage cyber risk.

Request a Demo

Request a demo of Tenable.ot

Get the Operational Technology Security You Need.
Reduce the Risk You Don’t.

Request a Demo

Tenable.ad

Continuously detect and respond to Active Directory attacks. No agents. No privileges. On-prem and in the cloud.