A Year of Old Foes, New Tactics, and Increased Cooperation
The abrupt shift to remote work in 2020 created a torrent of challenges for security professionals. Security systems and strategies designed primarily to support an on-premises workforce suddenly needed modification or enhancement. Recognizing an opportunity, adversaries aggressively upped their efforts to compromise systems and data in both the public and private sectors.
Bad actors also shifted tactics. Ransomware continued to be the primary threat, but the vector of attack and motives changed. Phishing emerged as the tool of choice. Adversaries tended to be less likely to stop at locking down computers for ransom. They made a deliberate shift to theft and sale (on the dark web) of critical data before executing ransomware attacks. Network defenders faced enormous pressure to improve detection capabilities and trim incident response times.
Supply chain security also demanded fuller attention over the past year. The much-publicized SolarWinds compromise impacted thousands of organizations and highlighted how an attack on commonly used tools potentially multiplies the damage across more victims.
What does it all mean for Georgia’s cybersecurity posture and the way forward?
Fortunately, and unfortunately, our experiences with ransomware didn’t begin in 2021. Defense and response plans built in the last couple years have paid big dividends for the state. Incidents continued to increase this year, but we were able to resolve them at a much lower severity level. That lowered the impact to operations and service delivery for affected agencies. It’s thanks to increased compliance, continued investment in monitoring, and increased collaboration across all agencies to address issues and gaps. That teamwork extends to our partners in the procurement community to address supply chain security for technology we rely on daily for network defense.
Achievements below from 2021 illustrate the great strides the state of Georgia is making in cyber defense. It’s enabled by a group of dedicated government professionals with a strong desire to serve our state and nation in cybersecurity.
Managed security services continue to make important capabilities available to state agencies.
SOC and SIEM offer centralized, 24/7 security monitoring and proactive response to any threats to help keep them from spreading. In 2021, we onboarded the AIsaac Cloud platform system. The Atos AIsaac platform is a cloud-native solution with hybrid and multi-cloud support. AIsaac combines award-winning artificial intelligence for cybersecurity, proven high-performance computing, and innovations in edge AI.
Improvements in security incident response—specifically in end-user-compute (EUC) protection and email protection—have led to fewer SEV1 or SEV2 security incidents and more resolution at the SEV3 level. This has been achieved even with increased security activity and attacks.
In 2021, a major integration took place by setting up imports into the Atos VMS System where AT&T data is imported daily into the Atos Tenable.SC system. Work orders for issues to be fixed are generated via this system and sent to the relevant service provider. Additionally, we migrated EUC devices to cloud agent handler offerings to limit risk to data.
AT&T physically installed new firewalls, switches, and load balancers as a first step in modernizing the state’s data center network. Security enhancements include a richer feature set for firewall services in the data center using DNS-based firewall policy construction (versus pure IP-based), malware inspection, and integrated IPS services.
NTT DATA improved the McAfee enterprise solution for endpoints. All agencies participating in the GETS program have implemented Threat Prevention, Exploit Prevention, ATP, Web Control, TIE, and MAR. NTT DATA also upgraded to MEM (Microsoft Endpoint Manger), improving automated delivery of operating system and Office patching, including delivery to internet-only-facing devices managed under GETS.
GTA’s Office of Information Security facilitated responses for state and local government agencies hit by ransomware attacks in 2020. Such incidents continue to result from spear-phishing emails and poor cyber hygiene in internet-facing systems. OIS, in cooperation with GEMA/HS and the GISAC, continues to facilitate evaluation of local reported incidents and provide recommendations for next steps. This successful partnership and process received significant support from the legislature and the Governor’s office with the passage of HB156, requiring incident reporting by government entities and managers of certain critical infrastructure. When appropriate, OIS facilitates a handoff to the Georgia National Guard Cyber Protection Team and partners with the DOD to improve incident response processes. OIS has developed its own incident response capability, enabling OIS to directly respond to incidents impacting executive branch agencies. This means significant cost savings for the state.
GTA’s OIS also coordinated the third annual Cyber Dawg exercise in cooperation with the Georgia Cyber Center and the Georgia National Guard. The five-day, multi-agency security training exercise aimed to sharpen cybersecurity skills across a multitude of tools agencies can use in their IT environments. This year’s event drew 60 participants from 20 organizations. State agencies participated, as did Argentina and the Eastern European country of Georgia via the Georgia National Guard’s State Partnership Program.
With new funding allocated in 2020, GTA OIS continued IT security assessments to determine the state’s overall cybersecurity risk posture. Assessments are part of ongoing operations, and findings are reviewed by the State Government Systems Cybersecurity Board, which sets statewide priority for addressing recommendations for closing gaps. Security assessments resumed in 2021 and will expand toward a goal of agencies being assessed every three years.
Continuous vulnerability management is the cornerstone of any information security program. In 2021, OIS completed rollout of the BitSight Technologies platform to all executive branch agencies at no cost to them. For the first time, the state has the capability to identify vulnerabilities in internet-facing infrastructure in real time. Already it has proved its worth by preventing attacks on our infrastructure or limiting their damage. Another aspect of this effort is the Vulnerability Disclosure Program, endorsed by the Cyber Board and approved by the GTA Board of Directors to allow internet researchers to test systems for vulnerabilities simple scanning cannot detect. Through the disclosure program, more than a dozen issues have been remediated – issues that otherwise would have been unknown, potentially resulting in a major incident.
The State Government Systems Cybersecurity Board reviews the cybersecurity of executive branch agencies to identify risks, promote best practices, and audit for cybersecurity training compliance. The board is chaired by the Governor’s Technology Advisor and includes the Adjutant General, the State Chief Information Security Officer from GTA, the Director of the Georgia Bureau of Investigation (GBI), the Director of the Georgia Emergency Management and Homeland Security Agency (GEMA/HS), and the Executive Director of the Georgia Cyber Center at Augusta University. In 2021 the board’s efforts included: 1) increased mock phishing campaigns for state personnel, 2) support for the adoption of MFA across the enterprise, 3) support of improvements in supply chain security, and 4) support of centralized vulnerability scanning across all agencies.
The Georgia Cyber Center at Augusta University is the nation’s single largest investment in a cybersecurity facility by a state government. The $100 million, state-owned facility is a unique public/private collaboration among academia, state and federal government, law enforcement, the U.S. Army, and the private sector. It is equipped to keep up with the changing face of cybersecurity and provides needed focus in key areas:
- Education and training for agencies, the military, and the private sector
- Incubation of new security ideas
- Research and development with an emphasis on cyber defense
- IT security information sharing among Georgia agencies, homeland security, and the private sector
- Public-private partnerships for cybersecurity innovations
- The Georgia Cyber Range helps strengthen the stability, security, and performance of cyber infrastructure. It is available to students, industry, and government professionals for education and training, product development, offensive activity and competition, detection and defensive competition, response and recovery, and evaluation and benchmarking. This capability is used in the annual Cyber Dawg exercise and is being positioned to support multiple annual events to train even more cyber professionals.
- The GBI Cyber Crime Unit allows law enforcement professionals throughout the state to take advantage of the GBI’s expertise in digital forensics.
The Cyber Center positions the Augusta community and the state of Georgia as the nation’s leader in the critically important field of cybersecurity.