August 6, 2015
The Department of Defense is implementing new security measures including multifactor authentication and biometrics to make it harder and more costly for adversaries to attack its resources, according to security experts cited in a report by C4ISR & Networks.
“The approach to cyber defense is expanding from its original roots, which was to defend the network technically at the point of entry from the public Internet using firewalls and malware signature recognition,” said Mark Testoni, president and CEO of SAP National Security Services. “Instead, cyber is now being understood as a warfare domain, much like the other domains of air, sea, land and space.”
Intel’s federal chief technologist Steve Orrin suggests that the DoD and other agencies consider multifactor authentication (MFA) to help decrease exposure caused by phishing campaigns and login compromise.
He also recommended that federal agencies consider altering MFA methods by adding contextual security controls such as location, device identity, device trust attestation and network access point.
“Adding these controls to existing or new MFA-based approaches will provide better security posture and allow for more granular controls and policy enforcement,” said Orrin.
The DoD has been meaning to expand the use of MFA for several years now, with plans to eventually adopt the system across the entire agency, said Adam Firestone, president and GM of Kaspersky Government Security Solutions.
Firestone added that the agency is slowly increasing its use of biometric authentication technologies throughout its operations.
“CERDEC also recognizes challenges in using biometrics at the tactical edge in the middle of active fighting,” said Bharat Doshi, CERDEC’s senior cybersecurity research scientist. “In this environment, soldiers may be required to operate in various levels of stress and mission-oriented protective postures, which hinder the use of biometrics.”
By combining strong MFA with attribute-based access control, the DoD would force attackers to devote significantly greater resources to penetrating and impacting lateral movement within a network, Firestone said.
“Encrypting everything reduces or eliminates the payoff for an attack,” said Firestone. “Continuous monitoring reduces the amount of time an adversary has to exploit a breach, and a trap, or honeypot, causes the attacker to expend resources on a useless and potentially dangerous — to them — target.”
As previously reported, the Department of Defense is currently re-assessing and updating its Identity and Access Management (IdAM) strategy to improve its overall network access security without making the authorization process more difficult for authorized users.