How the U.S. Can Begin Securing Its Technology Infrastructure

I just read this article (https://www.linkedin.com/news/story/cyber-jobs-go-begging-in-us-5189868/) and it got me thinking.

From the article:

About 600,000 cyber security jobs are open across the U.S., a Commerce Department database shows, testifying to a severe talent drought. Open positions are numerous in government agencies, such as Homeland Security, where 1,500 vacancies are hampering efforts to deflect a “deluge” of ransomware attacks against public and private entities. To fill in the gaps, employers have adopted non-traditional hiring approaches, including:

  • Training veterans leaving the military for cybersecurity careers
  • Considering candidates’ technical skills instead of educational background or experience

This is a complicated and broad-reaching problem to solve and will take an immense amount of strategic effort and manpower to actually resolve. Simply throwing bodies at the issue will not solve the root cause.

I am not saying these professionals won't be needed, but I am saying that they won't magically make the problem go away without wholesale, organization-wide changes in how these systems are dealt with and secured in the first place.

In my opinion, wherever possible, use open-source tools to perform the scans described below.

Also, this is not an exhaustive list/plan. This is just what I can think of in short order.

Step 1: Understand the attack surface

External: Enumerate all public IPs and DNS endpoints and add them to a database. Keep this updated. Begin scanning external-facing endpoints the way an attacker would, with tools like OWASP ZAP, Detectify, Burp Suite, Nmap, Nessus, Qualys, and others. Rely on several tools and aggregate their results; no single scanner sees everything.

Internal: Do the same for the internal network with self-hostable tools, possibly more aggressive ones. Attackers don't only come from the outside. Assume the perimeter has already been breached and that they are inside your network looking to pivot and gain access to additional systems.
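The "rely on several tools and aggregate the results" part of Step 1 is where most inventories go wrong: every scanner has its own output format, and disagreements between tools are exactly the findings worth a second look. The following is an added example, not code from the original post or from AlphaBravo. It parses a constructed Nmap XML fragment (Nmap's real output schema) and a constructed JSON document in an invented format standing in for "any other scanner", normalizes both into one record shape, merges them by host and port, and flags ports that only one tool reported.

```python
"""Aggregate external scan results from several tools into one inventory.

Added example (not from the original post). Inputs are constructed inline:
NMAP_XML follows Nmap's real XML schema; OTHER_SCANNER_JSON is an invented
format standing in for a second scanner, not any real product's output.
"""
import json
import xml.etree.ElementTree as ET

NMAP_XML = """<nmaprun scanner="nmap">
  <host><status state="up"/>
    <address addr="203.0.113.10" addrtype="ipv4"/>
    <hostnames><hostname name="www.example.com" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="443"><state state="open"/>
        <service name="https" product="nginx" version="1.18.0"/></port>
      <port protocol="tcp" portid="22"><state state="open"/>
        <service name="ssh" product="OpenSSH" version="8.2p1"/></port>
      <port protocol="tcp" portid="80"><state state="closed"/></port>
    </ports>
  </host>
</nmaprun>"""

OTHER_SCANNER_JSON = json.dumps({  # constructed, invented format
    "findings": [
        {"host": "203.0.113.10", "port": 443, "service": "https", "product": "nginx", "version": "1.18.0"},
        {"host": "203.0.113.10", "port": 8443, "service": "https", "product": "tomcat", "version": "9.0.50"},
        {"host": "203.0.113.11", "port": 25, "service": "smtp", "product": "postfix", "version": None},
    ]
})


def parse_nmap(xml_text):
    """Yield one normalized record per open TCP/UDP port in Nmap XML output."""
    root = ET.fromstring(xml_text)
    for host in root.findall("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed/filtered ports are not exposure
            svc = port.find("service")
            yield {
                "host": addr.get("addr"),
                "port": int(port.get("portid")),
                "service": svc.get("name") if svc is not None else None,
                "product": svc.get("product") if svc is not None else None,
                "version": svc.get("version") if svc is not None else None,
                "source": "nmap",
            }


def parse_other(json_text):
    """Normalize the second (invented-format) scanner's findings."""
    for f in json.loads(json_text)["findings"]:
        yield {"host": f["host"], "port": f["port"], "service": f.get("service"),
               "product": f.get("product"), "version": f.get("version"),
               "source": "other-scanner"}


def aggregate(records):
    """Merge records by (host, port). Each entry keeps the set of tools that
    saw it and the first non-empty product/version, so gaps are visible."""
    inventory = {}
    for r in records:
        key = (r["host"], r["port"])
        entry = inventory.setdefault(key, {
            "host": r["host"], "port": r["port"], "service": r["service"],
            "product": None, "version": None, "sources": set(),
        })
        entry["sources"].add(r["source"])
        entry["product"] = entry["product"] or r["product"]
        entry["version"] = entry["version"] or r["version"]
    return inventory


def build_inventory():
    records = list(parse_nmap(NMAP_XML)) + list(parse_other(OTHER_SCANNER_JSON))
    return aggregate(records)


def single_source_findings(inventory):
    """Ports only one tool reported: candidates to confirm with a second scan."""
    return sorted(k for k, e in inventory.items() if len(e["sources"]) == 1)


if __name__ == "__main__":
    inv = build_inventory()
    for (host, port), e in sorted(inv.items()):
        print(f"{host}:{port} {e['service']} {e['product']} {e['version']} seen by {sorted(e['sources'])}")
    print("needs confirmation:", single_source_findings(inv))
```

Feeding real scanner output into this is a matter of adding one `parse_*` function per tool; the merge step stays the same, and the `sources` set is what lets you spot a service one tool missed.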

Step 2: Understand The Components and Supply Chain

Once you understand what is running in the network, begin breaking down areas of concern. Some high-level areas to start with:

  • Hardware: Firewalls, servers, etc.
  • OS: Windows, Linux, Unix
  • Cloud Accounts: AWS, Azure, GCP, OpenStack, or other "Hosting Environments"
  • Software: Individual components of the complex systems that make up a "customer-facing" platform. This includes natively installed binaries or systems running in containerized environments.
  • Source Code: Gain an understanding of the Software Bill of Materials (SBOM) that goes into all the source code in your environment. Often, code and packages are pulled from external sources, and they need to be verified as secure as well.
  • Access Controls: Who even has access to your systems and what access do they have?

Step 3: Change The Way You Deploy and Actively Scan

This one will take Herculean effort. You will need to integrate with a plethora of segmented systems. These scanning tools will need to live as close as the keyboard of the person writing the software and as far away as outer space, as hacking and other threats in space are now a real thing.

Scan:

  • Endpoints
  • Operating System configuration
  • Cloud account configuration
  • Source Code Repositories
  • Container Images / Registries
  • Actively running processes and containers in all environments
  • Application Configuration

Implement:

  • End-to-End Testing
  • Infrastructure, Configuration, and Security as Code
  • SBOM Attestation
  • Scanning FROM THE BEGINNING of product development and implementation. Don't wait for it to get to production.

ABScan: Shameless plug

We here at AlphaBravo (https://alphabravo.io) are working on a tool called #ABScan that will simplify scanning of the containers, container images, git repositories, operating systems, Kubernetes environments, and more and output aggregated, easy to read, and actionable data to begin remediating the issues.

Feel free to reach out to us to hear more about how AlphaBravo and the ABScan tool can help your organization.

Step 4: Educate and Actively Remediate

Put together resources around security best practices and share them broadly. Get people talking about security (not just the security professionals) and start introducing them to concepts around approaching and hardening the systems in their specific areas. Educate the entire organization, as security is everyone's job.

Begin putting together remediation plans, exact courses of action, and aggregated areas that can be attacked at once. Let's say the initial scans identify a vulnerable version of a web server that is used on thousands of scanned endpoints. Maybe simply updating to the next patch version (1.0.0 to 1.0.1) solves the issue everywhere.

Come up with clear remediation steps and contact the owners/operators of these systems aggressively, not with a message of "You have a problem." but with a message of "We have a solution that is easy to implement and will make you more secure".

As I noted earlier, don't just fix these issues and call it good. Make sure you implement these scans and remediations into every part of the technology lifecycle to catch these issues early in the process.
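The "aggregated areas that can be attacked at once" idea above is a ranking problem: group findings by product and version, count hosts, and the single upgrade that fixes the most systems rises to the top; then cut the same data by owner so each team receives concrete actions rather than "you have a problem". The following is an added example, not code from the original post or from AlphaBravo. Findings, owners, product names and fix versions are all constructed (the products are placeholders, not real software).

```python
"""Turn per-host findings into a ranked remediation plan and per-owner actions.

Added example, not from the original post. FINDINGS and FIXES are
constructed: placeholder products, versions, hosts and owners.
"""
from collections import defaultdict

FINDINGS = [
    {"host": "web-01", "product": "examplehttpd", "version": "1.0.0", "owner": "team-a"},
    {"host": "web-02", "product": "examplehttpd", "version": "1.0.0", "owner": "team-a"},
    {"host": "web-03", "product": "examplehttpd", "version": "1.0.0", "owner": "team-b"},
    {"host": "web-04", "product": "examplehttpd", "version": "1.1.0", "owner": "team-c"},
    {"host": "api-01", "product": "examplesshd", "version": "8.2", "owner": "team-b"},
    {"host": "db-01", "product": "exampledb", "version": "12.1", "owner": "team-c"},
    {"host": "web-01", "product": "examplesshd", "version": "8.2", "owner": "team-a"},
]

# Constructed: vulnerable (product, version) -> version that resolves the finding.
FIXES = {
    ("examplehttpd", "1.0.0"): "1.0.1",
    ("examplehttpd", "1.1.0"): "1.1.1",
    ("examplesshd", "8.2"): "8.3",
}


def campaigns(findings, fixes):
    """Group findings by (product, version) and rank by how many hosts one
    upgrade would fix. A (product, version) with no known fix gets fix=None
    so it is not silently dropped from the plan."""
    hosts = defaultdict(set)
    for f in findings:
        hosts[(f["product"], f["version"])].add(f["host"])
    plan = [{"product": product, "version": version,
             "fix": fixes.get((product, version)), "hosts": len(hs)}
            for (product, version), hs in hosts.items()]
    plan.sort(key=lambda c: (-c["hosts"], c["product"], c["version"]))
    return plan


def owner_plans(findings, fixes):
    """Per owner: concrete 'upgrade X on host Y to Z' actions, deduplicated,
    with an explicit note when no fixed version is known yet."""
    actions = defaultdict(list)
    for f in sorted(findings, key=lambda f: (f["owner"], f["host"], f["product"])):
        fix = fixes.get((f["product"], f["version"]))
        if fix:
            step = f"{f['host']}: upgrade {f['product']} {f['version']} -> {fix}"
        else:
            step = f"{f['host']}: {f['product']} {f['version']} has no published fix; isolate or mitigate"
        if step not in actions[f["owner"]]:
            actions[f["owner"]].append(step)
    return dict(actions)


if __name__ == "__main__":
    for c in campaigns(FINDINGS, FIXES):
        print(f"{c['hosts']:>3} hosts  {c['product']} {c['version']} -> {c['fix']}")
    for owner, steps in owner_plans(FINDINGS, FIXES).items():
        print(owner)
        for s in steps:
            print("   ", s)
```

The campaign view answers "what do we fix first?"; the owner view is the message you actually send, and because both come from the same findings table, re-running the scans after the upgrade shows the campaign shrinking.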

Closing

Thanks for taking a couple of minutes to read my ramblings. Would love to hear more from everyone on what tools you are using to solve this today and what other things you think are important to consider when trying to solve these complex problems.

Looking forward to the opportunity to be a part of solving these issues and making our Nation more secure. 🇺🇸

Mike 'MJ' Johnson

Leonid Suvorov

North America Identity and Access Strategist at Tata Consultancy Services, Ph.D.

2y

Well, even the best-designed security will fall if it is used by uneducated users ...
