Lesson learned from the US Marshals Service cyber incident: we’re all targets – and the stakes are high


The cyber incident at the United States Marshals Service (USMS) last month made it abundantly clear that all organizations are at risk today.

USMS performs critical duties related to federal law enforcement, such as hunting down fugitives, prisoner transport, and protecting federal judges and court personnel. It also operates the federal witness protection program. The thought of that inside information being compromised made hearts in the law enforcement community skip a beat.

Fortunately, there was good news, and it came from past good decisions: the ransomware and data exfiltration attack affected a single stand-alone system, which was promptly disconnected from the larger federal network, says Drew Wade, chief of the public affairs office at USMS. The information in the witness protection program, the agency's most sensitive data, was unaffected, potentially saving lives.

But as we in the cybersecurity industry know, an event like this will likely happen again.

I'm not pointing a finger at the USMS, because it did many things right. Consider it another example of a "not if, but when" scenario for the rest of us. Despite decades of focus and investment, cyber threats aren't letting up, and the ramifications are huge. The average cost of a data breach in the U.S. is $9.4 million, according to IBM.

Every week seems to reveal a new data breach or attack. According to our research, 98% of organizations experienced a cyberattack in the last year, and 52% of those organizations had to deal with a data breach.

The consequences are potentially devastating. The report reveals that 98% of IT and security leaders are concerned they won't be able to maintain business continuity after a cyberattack. And 33% say their board and C-suite leadership have little or no confidence in the organization's ability to recover critical data and business applications in the event of a cyberattack.

There are a lot of cybersecurity challenges, and we have to prioritize where to place our efforts. Now, more than ever, we need to focus on resiliency and think about solving problems before the intrusion: do the risk reduction before the response, and learn from the experiences of others. That should become part of a collaborative, cross-industry learning process, and the USMS breach offers several important lessons.

Those who focus on the fundamentals will be well prepared for a range of attacks. The fundamentals are often boring, but they matter in crunch time. The USMS event highlights several recurring lessons:

  • Have a cybersecurity strategy. Sounds basic, but it's not always the case at many organizations. Sometimes the data security maturity model comes into play. It divides organizations into two categories: those that can implement essential cybersecurity measures and those that can't. It's often used when discussing budgets, security architectures, and institutional capabilities. What can the company afford? And ask another question: what can the company afford to lose? So have a resiliency plan. That's the only way an organization will come out ahead against these damaging intrusions.
  • Segment all data. Every IT professional knows the value of network segmentation, and it's no different for data. Prioritize data by sensitivity so the organization can make smarter decisions on how to secure it and how to respond when it's attacked. This reduces the risk if an intrusion occurs, but it comes with challenges: it's costly and requires deep research into an organization's operations. It's essential nonetheless, because the sensitivity of data varies by type. The USMS, for instance, kept the critical witness protection material in a different location from the system impacted by the breach, rendering it a non-issue in this serious event. As unsettling as this attack was, it could have been much worse. Also make this segmenting approach part of a zero-trust security framework, in which every request to access a resource is authenticated and authorized before it is allowed, rather than trusted because of where it originates. With these controls, organizations can limit the potential damage caused by a breach and reduce the risk of data theft or other cyberattacks.
  • Don't set it and forget it. Many of us hold the misconception that once a cybersecurity solution gets deployed, there's no need for ongoing maintenance or updates. After years of intrusions, we know this isn't true. Just as with network segmentation, every IT professional understands environment creep: data grows, moves, and shifts. Verify that the data is protected the way the organization needs it, both for today and for tomorrow, because the data load increases daily. Think about how much data the company protected last year. The company will have more today and even more tomorrow. Meanwhile, cybersecurity threats and attack methods evolve. Organizations need to regularly assess and update their security measures to stay protected. Once the USMS segmented the data, they kept an eye on it. They didn't wait for an attack to go back and see if everything was all right. That paid off.
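The two lessons above, segmenting data by sensitivity with zero-trust access checks and then auditing that the segmentation still holds, are easiest to see in code. The following is an added example written for this page; it is not code from the column, from the USMS, or from Rubrik. Every segment, zone, tier, object and principal name in it is hypothetical and constructed for illustration. It shows a per-request access decision that requires an authenticated identity, an allowed network path, and an explicit grant, and a placement audit that catches "environment creep": a copy of critical data that has drifted into a less protected segment and silently widened the blast radius of a compromised account.

```python
"""Added example, not from the original column: zero-trust style access
checks over classified data segments, plus a drift audit.

All segment, zone, tier and object names below are hypothetical.
"""
from dataclasses import dataclass, field
from enum import IntEnum


class Tier(IntEnum):
    PUBLIC = 0
    INTERNAL = 1
    RESTRICTED = 2
    CRITICAL = 3  # e.g. witness-protection class data (hypothetical label)


# Highest tier each (hypothetical) segment is approved to hold.
SEGMENT_TIER = {
    "dmz": Tier.PUBLIC,
    "corp-lan": Tier.INTERNAL,
    "case-net": Tier.RESTRICTED,
    "witsec-enclave": Tier.CRITICAL,
}

# Network zones allowed to reach each segment; nothing but the enclave's
# own zone can reach the enclave.
ZONE_ALLOWED = {
    "dmz": {"internet", "corp", "case", "witsec"},
    "corp-lan": {"corp", "case", "witsec"},
    "case-net": {"case", "witsec"},
    "witsec-enclave": {"witsec"},
}


@dataclass(frozen=True)
class DataObject:
    name: str
    tier: Tier
    segment: str


@dataclass
class Principal:
    identity: str
    zone: str
    authenticated: bool
    grants: set = field(default_factory=set)  # object names explicitly granted


def authorize(p: Principal, obj: DataObject) -> tuple:
    """Zero-trust decision: identity, network path and explicit grant are
    all required; a request is never allowed just because of where it
    comes from. Returns (allowed, reason)."""
    if not p.authenticated:
        return False, "unauthenticated"
    if p.zone not in ZONE_ALLOWED.get(obj.segment, set()):
        return False, f"zone {p.zone} cannot reach {obj.segment}"
    if obj.name not in p.grants:
        return False, "no explicit grant"
    return True, "allowed"


def audit_placement(catalogue) -> list:
    """'Don't set it and forget it': report data whose classification is
    higher than the approved tier of the segment it currently sits in."""
    findings = []
    for obj in catalogue:
        approved = SEGMENT_TIER.get(obj.segment)
        if approved is None:
            findings.append(f"{obj.name}: unknown segment {obj.segment}")
        elif obj.tier > approved:
            findings.append(
                f"{obj.name}: {obj.tier.name} data in {obj.segment} "
                f"(approved up to {approved.name})"
            )
    return findings


def blast_radius(p: Principal, catalogue) -> list:
    """Objects a compromised principal could actually read: the set the
    segmentation is meant to keep small."""
    return sorted(o.name for o in catalogue if authorize(p, o)[0])


# Constructed catalogue. The last entry is the drift case: a critical
# export copied "temporarily" into the case network.
CATALOGUE = [
    DataObject("press-releases", Tier.PUBLIC, "dmz"),
    DataObject("hr-directory", Tier.INTERNAL, "corp-lan"),
    DataObject("fugitive-cases", Tier.RESTRICTED, "case-net"),
    DataObject("witsec-roster", Tier.CRITICAL, "witsec-enclave"),
    DataObject("witsec-roster-export.csv", Tier.CRITICAL, "case-net"),
]

# A compromised service account on the case network. Even with a grant
# to the roster, the zone check keeps it out of the enclave; the drifted
# export is what actually leaks.
COMPROMISED = Principal(
    "svc-caseintake", "case", True,
    {"fugitive-cases", "witsec-roster", "witsec-roster-export.csv"},
)

if __name__ == "__main__":
    print("reachable:", blast_radius(COMPROMISED, CATALOGUE))
    for finding in audit_placement(CATALOGUE):
        print("audit:", finding)
```

Run stand-alone, the script shows that the compromised account cannot reach the enclave copy of the roster, but does reach the drifted export, and that the placement audit flags exactly that export. The point is the pairing: segmentation decides the blast radius, and only a recurring audit keeps the decision true as data moves.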

That's just the beginning. Cyberattacks like the USMS incursion remind us that there's no replacement for getting the fundamentals of good cybersecurity right. Make preparation the organization's secret weapon. Lives may depend on it.

Steve Stone, head, Rubrik Zero Labs.
