Unpacking Motifs in Federal Government Security
Recently, a few interesting federal government security stories have popped up in the news:
- The payment card and travel information of 30,000 Department of Defense (DoD) military and civil personnel was stolen from a third-party contractor (Reuters)
- New DoD computerized weapon systems can be easily hacked, according to a report from the U.S. Government Accountability Office (GAO) (ZDNet)
- Voter records from 19 U.S. states were found up for sale on a hacking forum - with the seller stating the records are being updated on a weekly basis (SCMagazine)
- A North Carolina water utility's computer systems were subjected to a ransomware attack, prompting the FBI and Department of Homeland Security to investigate (TheState)
This slew of rather grim news always comes with just a few lessons learned and many recurring motifs. Let me break it down:
Third-party vendors - Not a lot of information was made available due to pending investigation, but the DoD breach was due to single, unnamed commercial vendor of the executive branch department. It's well-known that attackers often target the lower-hanging fruit of small contractors that may have weaker or nonexistent security in place, granting attackers an easy proxy to larger organizations like the DoD.
In 2017, many security standards for federal contractors were made mandatory, as part of the final rule clarification of the Defense Federal Acquisition Regulation Supplement (DFARS). Among those controls include multi-factor authentication for local and network access, employing the principle of least privilege, retaining audit records and more - see an overview of those rules here.
Related resources on third-party vendors security:
Security Best Practices for Third-Parties: Protecting the Enterprise
Privileged access - In the GAO tests against the DoD weapons systems, test teams were able to easily move throughout a system and escalate their privileges until they'd taken over the system. One test indicated they were able to guess an administrator password in nine seconds. Other actions included copying, changing, deleting and scanning entire system data while disrupting and manipulating system operations.
Implementing the rule of least privilege - giving users access only to that which they need to complete their job function - can be done several ways. Controlling which users and user groups can access which applications, while granting access only after checking a combination of their verified identity and trusted device gives administrators the flexibility of an adaptive authentication solution.
Managing Risk With Adaptive Authentication
Data profiling for identity fraud - While state voter registration lists aren't strictly confidential, the usage of them is restricted. When this list of personally identifiable information (PII) is paired with other breached data lists of more sensitive information (like Social Security Numbers), malicious actors can create a target profile of the U.S. electorate for malicious means, as Anomali stated in a blog post on their findings.
The political repercussions could include identity fraud or fraudulent changes to online voter registrations - potentially rendering legitimate voters ineligible to cast ballots, or allowing attackers to delete voter registrations, request absentee ballots, etc.
This all highlights the need to keep access to sensitive data restricted with adaptive access policies that limit access to the users and devices that meet your organization's specific risk tolerance levels. With these, you can restrict access based on geolocation, user roles, network type and more.
Adaptive Authentication & Policy Enforcement
Credential-stealing (among other destructive behaviors) malware - In a media release from the targeted water utility company, Onslow Water and Sewer Authority (ONWASA), their CEO stated that their servers and personal computers had been experiencing persistent virus attacks from Emotet, a wormlike malware variant referred to as a modular banking Trojan by the U.S. Computer Emergency Readiness Team (US-CERT).
Emotet has a spambot module that enables itself to spread quickly, using email templates, attachments and email credentials downloaded from its host server. And yet another module steals credentials from web browsers and email clients, sending passwords to the host server to enable attackers to log in and spread spam emails, according to a Blueliv report.
While early detection and backups can somewhat help mitigate ransomware infections, backing up primary authentication with multi-factor authentication - a second factor in addition to passwords to verify users’ identities - can further block attackers from leveraging stolen credentials to log into email accounts and spread malware.
Critical vulnerabilities - Nearly all of the DoD computerized weapon systems were also found to be rife with vulnerabilities, according to the GAO report, rather aptly titled DOD Just Beginning to Grapple with Scale of Vulnerabilities(PDF).
Many of the vulnerabilities exploited by the test teams had already been identified in previous assessments - only one in 20 cyber vulnerabilities had been corrected since, and yet another test report indicated that the team exploited 10 total previously-identified vulnerabilities.
What does all of that mean? It means that for some reason, the DoD weapon systems weren’t updating or implementing solutions to close security gaps, making it trivial to exploit them to gain access or control of their systems. Many vulnerabilities exist in older versions of software, like operating systems, plugins and browsers. Knowing this, attackers are able to leverage out-of-date devices to compromise or install malware on them to steal data or gain entry to organizations' systems.
Getting visibility into all of the different endpoints accessing your environment - from managed to unmanaged; mobile to desktop; etc. - is essential to understanding which devices are out of date, and which require security remediation. Coupled with device access policies, admins can block and notify users to update their devices before granting access, protecting your apps and data from exposure.
Mobile Device Security Made Easy with Duo’s Security Checkup