The U.S. Senate released a 99-page report last week accusing eight critical agencies of failing to apply basic defenses against cyber attacks, putting public safety and personal data at high risk.

The report claims eight critical agencies, including the Department of Homeland Security, the State Department, and the Social Security Administration, have several basic security failures, including: 

- Relying on outdated systems - one being nearly 50 years old 

- Failing to keep track of hardware and software (CIS Controls 1 & 2)

- Failing to apply mandatory security patches (CIS Control 3)

- Ignoring well-known security threats and weaknesses, in extreme cases for more than a decade

In 2006, federal agencies reported 5,500 cyber incidents. That number exploded in 2015, as federal agencies reported more than 77,000 cyber incidents. Reported incidents dropped by 56% in 2017, but many believe this decrease was a result of rules being changed to allow agencies to report fewer kinds of attacks, like hostile network scans and probes. 

The report revealed that all kinds of sensitive data have been at risk for years, including financial data of students and parents applying for student loans, payroll and banking data of individuals looking to qualify for home loans, and U.S. citizens' travel records. 

All eight agencies were found to be using incredibly outdated systems, including the Department of Homeland Security, which still uses Windows XP and Windows Server 2003 on many of its critical systems. Support for Windows XP ended in 2014 and in 2015 for Server 2003. The Transportation Department was found to be storing hazardous materials data on a system that was over 48 years old until just last month. And the Social Security Administration uses a system to store retirement and disability information that uses a programming language from the 1950s. Most people who know how to use this kind of system have either retired or are about to.

At the Education Department, systems have been unable to prevent unauthorized outside devices from easily connecting to the department's networks since 2011. 

The report recommended several changes to the government's cybersecurity programs, including new budget procedures to ensure critical threats are addressed and remediated, consolidating security processes to speed reaction time, and prioritizing cybersecurity expertise in hiring.

A great place to start would be implementing the CIS Controls, specifically the Basic Security Controls. These represent the first six CIS Controls and have been found to prevent up to 90% of pervasive and dangerous cyber attacks.

CIS Control 1, Inventory of Authorized and Unauthorized Devices, requires identifying all devices, documenting the inventory, and keeping the inventory current. CIS Control 2, Inventory of Authorized and Unauthorized Software, requires identifying and documenting all software, developing a whitelist of approved software, and managing the software on the system through regular scanning and updates.
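The reconciliation that Controls 1 and 2 describe can be sketched as follows. This is an added example, not NNT's or CIS's code: the host names, software names and allowlist are constructed sample data, and the end-of-support dates are Microsoft's published dates for Windows XP and Windows Server 2003.

```python
from datetime import date

# End-of-support dates for the two operating systems named in the article.
END_OF_SUPPORT = {
    "Windows XP": date(2014, 4, 8),
    "Windows Server 2003": date(2015, 7, 14),
}

# Constructed sample data: the documented device inventory (Control 1)
# and the approved-software list (Control 2).
AUTHORIZED_DEVICES = {"hr-ws-01", "fin-srv-02", "ops-srv-03"}
APPROVED_SOFTWARE = {"openssh", "postgresql", "libreoffice"}

# Constructed sample of what a network or agent scan reported.
DISCOVERED = [
    {"host": "hr-ws-01", "os": "Windows 10", "software": ["libreoffice"]},
    {"host": "fin-srv-02", "os": "Windows Server 2003",
     "software": ["postgresql", "telnetd"]},
    {"host": "unknown-laptop", "os": "Windows XP", "software": ["openssh"]},
]


def reconcile(discovered, authorized, approved, today):
    """Compare scan results with the inventory and return (host, issue) findings."""
    findings = []
    seen = set()
    for asset in discovered:
        host = asset["host"]
        seen.add(host)
        if host not in authorized:
            findings.append((host, "unauthorized-device"))
        eos = END_OF_SUPPORT.get(asset["os"])
        if eos is not None and eos <= today:
            findings.append((host, f"unsupported-os:{asset['os']}"))
        for pkg in sorted(set(asset["software"]) - approved):
            findings.append((host, f"unapproved-software:{pkg}"))
    # Inventory entries that no scan saw mean the inventory is stale.
    for host in sorted(authorized - seen):
        findings.append((host, "not-seen-in-scan"))
    return findings


if __name__ == "__main__":
    for host, issue in reconcile(DISCOVERED, AUTHORIZED_DEVICES,
                                 APPROVED_SOFTWARE, date.today()):
        print(f"{host}: {issue}")
```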

CIS Control 3, Continuous Vulnerability Management, includes guidelines around conducting vulnerability scans, highlights the importance of monitoring and correlating logs, discusses how to stay on top of new and emerging vulnerabilities and remediation steps, and covers developing a process to assign risk ratings to vulnerabilities.

CIS Control 4, Controlled Use of Administrative Privileges, highlights the importance of tracking, controlling, preventing, and correcting the use, assignment, and configuration of administrative privileges on computers, networks, and applications.

CIS Control 5, Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers, focuses on the need to establish, implement, and manage the security configurations of laptops, servers, and workstations using Configuration Management and Change Control processes to prevent attackers from exploiting vulnerable services and settings.

To learn more about CIS Control 5, register for our upcoming webinar "What can we learn about cybersecurity from the Death Star: CIS Control 5 Explained in 30 Minutes", where NNT CTO Mark Kedgley and SVP and Chief Evangelist of the Center for Internet Security Tony Sager discuss CIS Control 5 and explore the requirements of an effective SecureOps strategy.

The last basic control, CIS Control 6, Maintenance, Monitoring, and Analysis of Audit Logs, emphasizes the need to collect, manage, and analyze event logs to detect suspicious activity, investigate possible security incidents, and recover from an attack.

To learn more about the Basic CIS Controls, read our blog post "Understanding the Basic CIS Controls".

 

Copyright 2019, New Net Technologies LLC. All rights reserved. 