The U.S. Senate released a 99-page report last week accusing eight critical agencies of failing to apply basic defenses against cyber attacks, putting public safety and personal data at high risk.
The report claims eight critical agencies, including the Department of Homeland Security, the State Department, and the Social Security Administration, have several basic security failures, including:
- Relying on outdated systems - one being nearly 50 years old
- Failing to keep track of hardware and software (CIS Control 1 & 2)
- Failing to apply mandatory security patches (CIS Control 3)
- Ignoring well-known security threats and weaknesses, in extreme cases for more than a decade
In 2006, federal agencies reported 5,500 cyber incidents. That number exploded in 2015, as federal agencies reported more than 77,000 cyber incidents. Reported incidents dropped by 56% in 2017, but many believe this decrease was a result of rules being changed to allow agencies to report fewer kinds of attacks, like hostile network scans and probes.
The report revealed that all kinds of sensitive data have been at risk for years, including financial data of students and parents applying for student loans, payroll and banking data of individuals looking to qualify for home loans, and U.S. citizens' travel records.
All eight agencies were found to be using incredibly outdated systems. The Department of Homeland Security still runs Windows XP and Windows Server 2003 on many of its critical systems, even though support for Windows XP ended in 2014 and support for Server 2003 ended in 2015. The Transportation Department was, until just last month, storing hazardous materials data on a system that was over 48 years old. And the Social Security Administration stores retirement and disability information on a system written in a programming language from the 1950s; most people who know how to work with that kind of system have either retired or are about to.
At the Education Department, systems have been unable to prevent unauthorized outside devices from easily connecting to the department's networks since 2011.
The report recommended several changes to government cybersecurity programs, including new budget procedures to ensure critical threats are addressed and remediated, consolidating security processes to speed reaction time, and prioritizing cybersecurity expertise in hiring.
A great place to start would be implementing the CIS Controls, specifically the Basic Security Controls. These represent the first six CIS Controls and have been found to prevent up to 90% of pervasive and dangerous cyber attacks.
CIS Control 1, Inventory of Authorized and Unauthorized Devices, requires identifying all devices, documenting the inventory, and keeping the inventory current. CIS Control 2, Inventory of Authorized and Unauthorized Software, requires identifying and documenting all software, developing a whitelist of approved software, and managing the software on the system through regular scanning and updating.
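The heart of Controls 1 and 2 is reconciliation: compare what is actually observed on the network and on hosts against the authorized inventory and software whitelist, and act on the differences (the Education Department finding above, unauthorized devices connecting to the network for years, is exactly the gap Control 1 is meant to close). The script below is an added example, not NNT's code or anything from the Senate report; all device addresses, hostnames, package names and versions are constructed sample data.

```python
"""Inventory reconciliation for CIS Controls 1 and 2 (added example).

Compares an observed device list and an installed-software list against the
authorized inventory and software allowlist, and reports the gaps. Every
input below is a constructed sample, not data from any real network.
"""

# Constructed sample: the authorized device inventory (CIS Control 1),
# keyed by normalized MAC address -> (hostname, owning team).
AUTHORIZED_DEVICES = {
    "aa:bb:cc:00:00:01": ("ws-finance-01", "finance"),
    "aa:bb:cc:00:00:02": ("srv-payroll-01", "it-ops"),
    "aa:bb:cc:00:00:03": ("printer-3f", "facilities"),
}

# Constructed sample: what a network scan or DHCP log actually observed.
# Note the mixed-case MAC; real exports are rarely consistent.
OBSERVED_DEVICES = [
    ("AA:BB:CC:00:00:01", "ws-finance-01"),
    ("aa:bb:cc:00:00:02", "srv-payroll-01"),
    ("de:ad:be:ef:00:99", "unknown-laptop"),   # not in the inventory at all
]


def normalize_mac(mac: str) -> str:
    """Normalize a MAC address so 'AA-BB-..' and 'aa:bb:..' compare equal."""
    return mac.strip().lower().replace("-", ":")


def reconcile_devices(observed, authorized):
    """Return (unauthorized, missing).

    unauthorized: MACs seen on the network but absent from the inventory
                  (investigate: rogue device or undocumented asset).
    missing:      inventoried MACs not seen in this scan (stale inventory
                  entry, or an asset that is offline and should be checked).
    """
    seen = {normalize_mac(mac) for mac, _ in observed}
    unauthorized = sorted(seen - set(authorized))
    missing = sorted(set(authorized) - seen)
    return unauthorized, missing


# Constructed sample allowlist (CIS Control 2): package -> approved versions.
SOFTWARE_ALLOWLIST = {
    "openssh-server": {"9.6p1", "9.7p1"},
    "curl": {"8.5.0"},
}

# Constructed sample: packages reported installed on one host.
INSTALLED = [
    ("openssh-server", "9.6p1"),
    ("curl", "7.68.0"),              # approved name, unapproved (older) version
    ("unapproved-utility", "1.0"),   # not on the allowlist at all
]


def reconcile_software(installed, allowlist):
    """Split installed packages into unlisted software and version mismatches.

    A version mismatch is reported with the approved versions so the ticket
    raised from it already says what the remediation target is.
    """
    unlisted, bad_version = [], []
    for name, version in installed:
        if name not in allowlist:
            unlisted.append((name, version))
        elif version not in allowlist[name]:
            bad_version.append((name, version, sorted(allowlist[name])))
    return unlisted, bad_version


if __name__ == "__main__":
    unauth, missing = reconcile_devices(OBSERVED_DEVICES, AUTHORIZED_DEVICES)
    print("Unauthorized devices on the network:", unauth)
    print("Inventoried devices not seen:", missing)
    unlisted, bad = reconcile_software(INSTALLED, SOFTWARE_ALLOWLIST)
    print("Software not on the allowlist:", unlisted)
    print("Approved software at an unapproved version:", bad)
```

Run regularly (after each scan) rather than once: both lists are only useful while they are current, which is why the control wording stresses keeping the inventory up to date. Feeding the same reconciliation from a second data source (switch MAC tables as well as DHCP leases, a package manager as well as an agent) catches devices and software that one source alone misses.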
CIS Control 3, Continuous Vulnerability Management, includes guidelines on conducting vulnerability scans, highlights the importance of monitoring and correlating logs, discusses how to stay on top of new and emerging vulnerabilities and their remediation steps, and describes how to develop a process for assigning risk ratings to vulnerabilities.
CIS Control 4: Controlled Use of Administrative Privileges, highlights the importance of tracking, controlling, preventing, and correcting the use, assignment, and configuration of administrative privileges on computers, networks, and applications.
CIS Control 5, Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers, focuses on the need to establish, implement, and manage the security configurations of laptops, servers, and workstations using Configuration Management and Change Control processes to prevent attackers from exploiting vulnerable services and settings.
To learn more about CIS Control 5, watch our webinar What can we learn about cybersecurity from the Death Star: CIS Control 5 Explained in 30 Minutes where NNT CTO Mark Kedgley and SVP and Chief Evangelist of the Center for Internet Security Tony Sager discuss CIS Control 5 and explore the requirements of an effective SecureOps strategy.
The last basic control, CIS Control 6, Maintenance, Monitoring, and Analysis of Audit Logs, emphasizes the need to collect, manage, and analyze event logs to detect suspicious activity, investigate possible security incidents, and recover from an attack.
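Collecting logs is the easy half of Control 6; the value comes from actually analyzing them for patterns that indicate suspicious activity. The script below is an added example, not NNT's code or anything from the report: it parses constructed syslog-style SSH authentication lines and surfaces two patterns a log review should flag, a burst of failed logins from one source and a successful login from a source that had just been failing repeatedly. The hostnames, addresses and timestamps are constructed sample data.

```python
"""Audit log analysis for CIS Control 6 (added example, not NNT's code).

Parses constructed syslog-style sshd authentication lines, then flags
(a) sources with a burst of failed logins inside a short window and
(b) an accepted login from a source that had just failed repeatedly,
the signature of a password-guessing run that eventually succeeded.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (syslog auth format; the year is omitted,
# as real syslog does, so parse() supplies it).
SAMPLE_LOG = """\
Jun 10 08:00:01 srv-payroll-01 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Jun 10 08:00:03 srv-payroll-01 sshd[2103]: Failed password for invalid user admin from 203.0.113.7 port 51124 ssh2
Jun 10 08:00:04 srv-payroll-01 sshd[2105]: Failed password for root from 203.0.113.7 port 51130 ssh2
Jun 10 08:00:06 srv-payroll-01 sshd[2107]: Failed password for root from 203.0.113.7 port 51131 ssh2
Jun 10 08:00:07 srv-payroll-01 sshd[2109]: Failed password for root from 203.0.113.7 port 51133 ssh2
Jun 10 08:00:09 srv-payroll-01 sshd[2111]: Accepted password for root from 203.0.113.7 port 51140 ssh2
Jun 10 08:15:00 srv-payroll-01 sshd[2200]: Failed password for jsmith from 198.51.100.4 port 40001 ssh2
Jun 10 09:30:00 srv-payroll-01 sshd[2300]: Accepted publickey for jsmith from 198.51.100.4 port 40010 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) \w+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def parse(log_text, year=2019):
    """Return (timestamp, host, result, user, src) tuples; unmatched lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["host"], m["result"], m["user"], m["src"]))
    return events


def find_failed_bursts(events, threshold=5, window=timedelta(minutes=1)):
    """Map source -> failure count for sources with >= threshold failures
    inside any sliding window of length `window`."""
    failures = defaultdict(list)
    for ts, _, result, _, src in events:
        if result == "Failed":
            failures[src].append(ts)
    flagged = {}
    for src, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1          # slide the window forward
            if end - start + 1 >= threshold:
                flagged[src] = end - start + 1
                break
    return flagged


def find_success_after_failures(events, min_failures=3, window=timedelta(minutes=5)):
    """Accepted logins preceded by >= min_failures failures from the same
    source within `window`. Returns (iso timestamp, host, user, src, failures)."""
    hits = []
    recent = defaultdict(list)
    for ts, host, result, user, src in sorted(events):
        recent[src] = [t for t in recent[src] if ts - t <= window]  # drop stale failures
        if result == "Failed":
            recent[src].append(ts)
        elif len(recent[src]) >= min_failures:
            hits.append((ts.isoformat(), host, user, src, len(recent[src])))
    return hits


if __name__ == "__main__":
    ev = parse(SAMPLE_LOG)
    print("Failed-login bursts:", find_failed_bursts(ev))
    for hit in find_success_after_failures(ev):
        print("Success after repeated failures:", hit)
```

In the sample, 203.0.113.7 trips both detections while jsmith's single typo at 08:15 followed by a key-based login over an hour later trips neither; the window parameters are what keep ordinary user mistakes out of the alert queue. The same two functions apply unchanged to any log source once parse() is adapted to its format, which is the point of the control: the analysis, not the collection, is what turns a log into a detection.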
To learn more about the Basic CIS Controls, read our blog post Understanding the Basic CIS Controls.