Security Advice for Government Agencies in the Age of COVID-19

As COVID-19 drives many government agencies to quickly migrate from a centralized to remote workforce, new cybersecurity questions arise. Here are steps government agencies can take to manage these new cyber risks. 

Formerly office-bound employees are using personal devices in today’s necessity-driven remote work environment, introducing new BYOD challenges. This immediate expansion of the attack surface introduces new uncertainties and increased risk, raising important questions:

• How can we manage and secure these new assets?
• How can we make sure cybersecurity gaps don’t emerge in such an uncertain environment? 
• How can our security team keep up with the explosion of assets and vulnerabilities?

These types of questions must be addressed promptly and directly to prevent the potentially catastrophic consequences of cyberattacks. Here are some steps government agencies can take right now to manage these new cyber risks. 

#1. Take stock of newly connected remote assets, including personal devices 

Knowing where your organization is potentially exposed means knowing all your assets. With so many employees teleworking, it’s imperative to understand which new devices are now connecting to the network, even if intermittently. This is especially important given the sudden increase in virtual meetings. One immediate step Tenable customers can take is to use Nessus Agents to expand their visibility into the expanded attack surface and quickly assess new, unprotected assets, including personal laptops, phones and more, which are likely not part of the company’s security or vulnerability management program.

Nessus Agents are lightweight scanners you install locally on hosts to supplement traditional network-based scanning or to provide visibility into assets missed by traditional scanning. They collect vulnerability, compliance and system data and send that information back to a manager for analysis. You can scan hosts without using credentials and run large-scale concurrent agent scans with little network impact.

Although Nessus Agents provide a subset of the coverage in a traditional network scan, they can be useful if you need to:

• Scan transient endpoints that are not always connected to the local network. With schedule-based traditional network scanning, these devices are often missed, causing gaps in visibility. Nessus Agents allow for reliable compliance audits and local vulnerability checks to be performed on these devices, providing some visibility where there previously was none.
• Scan assets for which you do not have credentials or could not easily obtain credentials. When installed on the local system, Nessus Agents can run the local checks.
• Improve overall scan performance. Since agents operate in parallel using local resources to perform local checks, the network scan can be reduced to just remote network checks, speeding scan completion time.

#2. Focus on cyber hygiene fundamentals

As change accelerates and new challenges emerge daily, it is beneficial to stop and review the basics. We revisited past Tenable advisories regarding the importance of maintaining sound cyber hygiene in state, local, tribal and territorial governments, and found these important and still relevant top five priorities that provide another way to look at the challenges of the current situation:

1. Count: Know what’s connected to – and running on – your network (as discussed in #1 above, this is the primary and most important step)
2. Configure: Implement key security settings to help protect your systems 
3. Control: Limit and manage those who have admin privileges for security settings 
4. Patch: Regularly update all apps, software and operating systems 
5. Repeat: Regularly revisit these top priorities and your organization’s security policy to form a solid foundation of cybersecurity 

Now, more than ever, sharpening the focus on these basic cybersecurity fundamentals is the most essential action a government agency can take to protect its network environment.

#3. Focus first on what matters most

Even in the best of times, patching every vulnerability in every network device is an impossible dream. In the current environment, with networks expanding and resources being strained to the breaking point, many vulnerabilities are likely to remain unpatched for prolonged periods of time. But, here’s the good news: You don’t have to patch every vulnerability to effectively reduce your risk. You just need to patch the vulnerabilities that matter. Predictive Prioritization can help you become more secure by guiding you to the vulnerabilities that matter most.

Predictive Prioritization is a data science-based process that goes beyond CVSS and re-prioritizes each vulnerability based on the likelihood it will be leveraged in a cyberattack. Predictive Prioritization assigns a Vulnerability Priority Rating (VPR) for every disclosed vulnerability, including vulnerabilities that have yet to be published in the U.S. National Vulnerability Database (NVD). Now, here’s even better news: If you are a current Tenable.sc or Tenable.io customer, you already have this capability. To learn more about it, and for help in getting the most out of what you already have, please ask your Tenable customer success manager or join our office hours. 

More information to help secure government telework

Working to adapt your vulnerability management efforts to effectively secure growing telework environments? Here are resources to help you:

• Join Tenable security engineers for biweekly discussions about vulnerability management best practices for securing remote employees and operations
• Watch the on-demand webinar, "Understand and Address the Cybersecurity Impacts of COVID-19"
• Read the how-to blog post on getting started with Nessus Agents
• Review telework guidance from the U.S. National Institute of Standards and Technology (NIST) 

For Tenable.io and Tenable.sc customers

For more information on securing your remote workforce, read the blog post, “We’re Here to Help: Securing Your Remote Workforce”