Segmenting networks represents a basic cyber security best practice. Firewall configurations that establish segmentation at desired boundaries can limit attack surfaces, stop threats, and prevent attacks from spreading.

An inquiry shows that the Department of Homeland Security’s top cyber security agency does not have any data around the number of federal agencies that are or aren’t segmenting networks. In fact, it looks like most may have skipped this step…

SolarWinds, preventative measures

As you’ll likely recall, the SolarWinds attack affected at least nine US federal agencies and over 100 private groups. More than 18,000 organizations unintentionally downloaded a malicious update delivered through the software supply chain.

Amidst a discussion concerning the SolarWinds incident, Senator Ron Wyden (D-Ore.) asked about why federal agencies lacked properly configured firewalls and corresponding segmentation. “Such a measure would have prevented hackers from implementing the second stage of the SolarWinds attack and using the backdoor they had planted.”

Experts determined that firewall configurations designed to block outgoing connections could have “neutralized the [SolarWinds] malware.”

Acting director of the Cyber Security and Infrastructure Security Agency (CISA), Brandon Wales, wrote in a statement “…this preventative measure…may [simply] not be feasible given operational requirements for some agencies.”

Segmenting with firewall configurations

“CISA has now confirmed that organizations with properly configured firewalls –a 1990’s technology- successfully neutralized Russia’s SolarWinds malware,” said Senator Wyden, in a statement.

In expounding upon the issue, Wyden expressed that the US government should not weaken privacy laws in order to promote surveillance projects. Rather, the government should mandate that all federal agencies take basic cyber security precautions.

Nonetheless, “…[CISA] does not have any immediate plans to direct individual agencies to use firewalls.” CISA contends that issuing a blanket requirement in this way would be “impractical” given the specific operational requirements of individual agencies.

More preventative measures

In a letter to CISA’s acting director, Brandon Wales, senator Wyden questioned how a major attack evaded federal detection. The National Cybersecurity Protection System, which includes a monitoring and early-warning intrusion alert system known as Einstein, appears to have failed.

CISA responded to Wyden’s concerns about the failures of its $6 billion dollar Einstein cyber defense system. The Einstein system will be shifted from the perimeter to deeper inside federal networks, broadly enhancing threat detection capabilities.

“It bears noting that commercial capabilities using non-signature-based detection techniques were similarly unable to detect the SolarWinds intrusions at government and private sector victims,” wrote Wales.

However, according to the Government Accountability Office, issues related to Einstein and its malware detection functions began to emerge in 2016. To improve Einstein’s functionalities, CISA intends to leverage $650 million acquired through the American Recovery Act. This will enable CISA to be “better situated to identify threat activity within federal networks in near-real-time,” wrote Brandon Wales.

In May, President Biden presented a 2022 budget blueprint allotting $750 million for the federal response to the SolarWinds incident. Other federal opportunities to upgrade cyber security infrastructure remain under continued evaluation.

For more on firewall configurations, CISA, SolarWinds, and new preventative measures, visit Cyberscoop.com.