Ransomware Remains a Top Issue for Montana
Despite its pervasiveness and the attention it has received over the past several years, ransomware remains a key cybersecurity risk for Montana, Hanks says. That is why the state has implemented behavior-based anti-virus software on government endpoints and enhanced its logging and digital forensic capabilities.
State and local governments still remain top targets for ransomware attacks, Hanks says. In the past, conducting successful ransomware attacks took some level of technical skill, he notes, but now there are “products out there that don’t require a lot of technical skill to implement a ransomware attack.” Those are the kinds of Ransomware as a Service payloads that DarkSide provides to attackers for a price.
“I think that’s one of the differences in the pervasiveness of it, of the actual ransomware and its ability to probe across your network — it’s getting better and better each year,” he says. “Putting in controls to help identify that is very important.”
In 2018, Montana started deploying behavior-based anti-virus tools from SentinelOne, which, as StateTech has reported, use artificial intelligence and machine learning “to not only examine traffic and identify threats” but also “to automatically perform remediation, allowing the state to reallocate its staff time to other IT projects.” Behavior-based anti-virus tools scout for abnormal behavior in the systems themselves instead of looking for suspicious file types and attack signatures.
“We think some ransomware attacks could have been prevented if the target was running behavior-based anti-virus instead of signature-based anti-virus,” Hanks argues.
Montana Starts Moving to a Zero-Trust Architecture
Although there have been indications recently that state and local governments are interested in adopting a zero-trust approach to cybersecurity, it is much more widely discussed (and deployed) at the federal level right now.
Zero-trust cybersecurity departs from traditional network-centric security, in which users are trusted once they have gained access to an agency’s network. In a zero-trust architecture, which is based on data security, no user or endpoint is trusted, access controls are granular and users and devices are continuously required to authenticate themselves — enabling a motto of “never trust, always verify.”
Montana has been “slowly putting the people, processes and technology in place that will help us achieve zero trust or get as close to zero trust as you can,” Hanks says, over the next three to four years.
The state is exploring the different pillars of a zero trust, including users, devices, networks, applications, automation and analytics. Montana is considering adopting new governance and management practices to protect the data, including continuous authentication.
That boils down to authenticating every access request, Hanks says. “Just because somebody is authenticated to one data store doesn’t mean that they can automatically access another one,” he says.
With continuous authentication, organizations can look at consolidating their identity management and also at segmenting their access management, creating different trust zones. Users would need to reauthenticate to enter each zone each time they made requests, Hanks says. It also includes using multifactor authentication.
Hanks notes that zero-trust implementations will vary from state to state, since it is a concept and not a singular technology. “A lot of what organizations already have in place can be used for zero trust, but one of the things that most organizations are going need to add to is logging,” he says. “There’s a substantial amount of more logging required for zero trust. Then, the continuous authentication mechanisms are something else that is really important.”
The Role of Enterprise Governance, Risk and Compliance
Another key priority for Hanks this year is finishing the deployment of an enterprise governance, risk and compliance program for the state. In 2019, the state legislature allocated $6.3 million to enhance Montana’s cybersecurity posture.
One of the initiatives in that project was to implement an enterprise GRC approach. In state government, Hanks notes, each agency has its mission and business objectives and processes. They also have technology in place to support those objectives, and they need to secure that technology.
GRC, Hanks explains, allows Montana to “view a real-time, holistic risk posture at the agency level and at the state level.” For example, the CIO of a particular state agency can log in to the GRC solution and view his or her agency to see which vulnerabilities exist, Hanks says, as well as any compliance issues and residual risk.
The state CIO can also log in to the GRC tool and get a statewide view of all agencies. “The real value of this investment comes from being able to prioritize risk and prioritize risk management applications to address risk,” Hanks says. “Seeing what your current risk is and knowing if you can accept any more risk is a key feature of it as well.”
Montana is about 95 percent complete on its enterprise GRC implementation, Hanks says. Most, but not all, of the state’s systems are in the solution, and most of the dashboards have been created. “What it’s about is giving the agencies more control and visibility of the risk,” he says.