The U.S. Senate released a 99-page report last week accusing eight critical agencies of failing to apply basic defenses against cyber attacks, putting public safety and personal data at high risk.

The report claims eight critical agencies, including the Department of Homeland Security, the State Department, and the Social Security Administration, have several basic security failures, including: 

- Relying on outdated systems - one being nearly 50 years old 

- Failing to keep track of hardware and software (CIS Control 1 & 2) 

- Failing to apply mandatory security patches (CIS Control 3)

- Ignoring well-known security threats and weaknesses, in extreme cases for more than a decade

In 2006, federal agencies reported 5,500 cyber incidents. That number exploded in 2015, as federal agencies reported more than 77,000 cyber incidents. Reported incidents dropped by 56% in 2017, but many believe this decrease was a result of rules being changed to allow agencies to report fewer kinds of attacks, like hostile network scans and probes. 

The report revealed that all kinds of sensitive data have been at risk for years, including financial data of students and parents applying for student loans, payroll and banking data of individuals looking to qualify for home loans, and U.S. citizens' travel records. 

All eight agencies were found to be using incredibly outdated systems, including the Department of Homeland Security, which still uses Windows XP and Windows Server 2003 on many of its critical systems. Support for Windows XP ended in 2014 and in 2015 for Server 2003. The Transportation Department was found to be storing hazardous materials data on a system that was over 48 years old until just last month. And the Social Security Administration stores retirement and disability information on a system written in a programming language from the 1950s. Most people who know how to use this kind of system have either retired or are about to.

At the Education Department, systems have been unable to prevent unauthorized outside devices from easily connecting to the department's networks since 2011. 

The report recommended several changes to the government's cybersecurity programs, including new budget procedures to ensure critical threats are addressed and remediated, consolidating security processes to speed reaction time, and prioritizing cybersecurity expertise in hiring.

A great place to start would be implementing the CIS Controls, specifically the Basic Security Controls. These represent the first six CIS Controls and have been found to prevent up to 90% of pervasive and dangerous cyber attacks.

CIS Control 1: Inventory of Authorized and Unauthorized Devices, requires identifying all devices, documenting the inventory, and keeping the inventory current. CIS Control 2: Inventory of Authorized and Unauthorized Software, requires identifying and documenting all software, developing a whitelist of approved software, and managing the software on the system through regular scanning and updates.
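The reconciliation that CIS Controls 1 and 2 describe can be sketched as follows. This is an added example, not part of the Senate report or any CIS or NNT tooling: it compares discovered hosts against an authorized device list and an approved software list, and also flags the two unsupported operating systems named above. All hosts, MAC addresses and package names are constructed sample data.

```python
from datetime import date

# End-of-support dates for the two operating systems named in the report.
END_OF_SUPPORT = {
    "Windows XP": date(2014, 4, 8),
    "Windows Server 2003": date(2015, 7, 14),
}

# Constructed sample data (hypothetical hosts, not taken from the report).
AUTHORIZED_DEVICES = {"00:1a:2b:00:00:01", "00:1a:2b:00:00:02"}
APPROVED_SOFTWARE = {"openssh-server", "postgresql", "nginx"}
DISCOVERED = [
    {"mac": "00:1A:2B:00:00:01", "host": "hr-db01", "os": "Windows Server 2003",
     "software": ["postgresql"]},
    {"mac": "00:1a:2b:00:00:02", "host": "web01", "os": "Ubuntu 22.04",
     "software": ["nginx", "openssh-server", "remote-admin-tool"]},
    {"mac": "de:ad:be:ef:00:99", "host": "unknown-laptop", "os": "Windows XP",
     "software": []},
]


def audit(discovered, authorized, approved, today):
    """Return sorted (host, finding) tuples for every inventory gap."""
    authorized = {m.lower() for m in authorized}
    findings = []
    for dev in discovered:
        host = dev["host"]
        # Control 1: device seen on the network but absent from the inventory.
        if dev["mac"].lower() not in authorized:
            findings.append((host, "unauthorized device"))
        # Control 2: installed software that is not on the approved list.
        for pkg in dev["software"]:
            if pkg.lower() not in approved:
                findings.append((host, f"unapproved software: {pkg}"))
        # An OS past vendor support no longer receives security patches.
        eos = END_OF_SUPPORT.get(dev["os"])
        if eos is not None and today > eos:
            findings.append((host, f"unsupported OS: {dev['os']} (ended {eos})"))
    return sorted(findings)


if __name__ == "__main__":
    for host, finding in audit(DISCOVERED, AUTHORIZED_DEVICES,
                               APPROVED_SOFTWARE, date.today()):
        print(f"{host}: {finding}")
```

In practice the discovered list would come from network discovery and endpoint agents rather than a literal, and the audit would run on a schedule so the inventory stays current.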

CIS Control 3: Continuous Vulnerability Management, includes guidelines around conducting vulnerability scans, highlights the importance of monitoring and correlating logs, discusses how to stay on top of new and emerging vulnerabilities and remediation steps, and covers developing a process to assign risk ratings to vulnerabilities.

CIS Control 4: Controlled Use of Administrative Privileges, highlights the importance of tracking, controlling, preventing, and correcting the use, assignment, and configuration of administrative privileges on computers, networks, and applications. 

CIS Control 5, Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers, focuses on the need to establish, implement, and manage the security configurations of laptops, servers, and workstations using Configuration Management and Change Control processes to prevent attackers from exploiting vulnerable services and settings.

To learn more about CIS Control 5, watch our webinar What can we learn about cybersecurity from the Death Star: CIS Control 5 Explained in 30 Minutes where NNT CTO Mark Kedgley and SVP and Chief Evangelist of the Center for Internet Security Tony Sager discuss CIS Control 5 and explore the requirements of an effective SecureOps strategy. 

The last basic control, CIS Control 6, Maintenance, Monitoring, and Analysis of Audit Logs, emphasizes the need to collect, manage, and analyze event logs to detect suspicious activity, investigate possible security incidents, and recover from an attack.

To learn more about the Basic CIS Controls, read our blog post Understanding the Basic CIS Controls. 

 
