An Updated Look at the Security Posture of the U.S. Government in Response to Trump’s Statement
On January 11th, 2017, the President-Elect Donald Trump held his first press conference since the November election. During the press conference, he noted that, regarding cybersecurity, the government was dead last among 17 industries.
Regarding the state of the US cybersecurity posture, CNN marked the President-Elect’s statement as true and found that the citation originated from SecurityScorecard’s 2016 Government Cybersecurity Research.
Since our research has been pushed to the forefront of the national conversation surrounding cybersecurity, we decided to run an updated analysis of our data, and rate how the US government fared in cybersecurity for the entire year of 2016 and in December 2016.
For a more recent and comprehensive analysis, we analyzed the security posture of the U.S. government during the month of December 2016. The data points consist of an analysis of 10 security risk factors tracked by the SecurityScorecard platform and provide insight into how the government currently stands with regard to its externally identifiable information security posture.
Below, you can see our original 2016 graph that informed the President-Elect’s statement during the 2017 press conference.
The U.S. Government Struggles With Network Security and Leaked Passwords.
We looked at the month of December 2016 to understand the current state of the U.S. government’s cybersecurity posture. This time, we decided to focus on the distinct issue types plaguing a majority of the organizations making up the U.S. government at the local, state, and federal level.
While the U.S. government fared decently in Network Security and Information Leak compared to other industries, we still found a number of issues within those factors.
Network Security assesses a wide range of an organization’s vulnerabilities, including open access ports (the kind that have been exploited in IoT devices), insecure SSL certificate configurations, and weak TLS configurations, among other things. Major vulnerabilities such as DROWN, Heartbleed, and Shellshock all take advantage of network-facing software that has not been updated with security patches. Specific vulnerabilities, and whether an organization has patched them, are measured in the Patching Cadence security factor, where the government ranked 10th, an improvement from its 15th place for the year.
When we looked at the number of U.S. government organizations that suffered from Network Security issues for the month of December, we found that over 54% had exposed ports, and over 45% had weak SSH encryption, which, if exploited, can lead to a hacker infiltrating a network.
Information Leak measures the amount of sensitive information that is publicly available in various databases and on hacker forums. We’ve seen the consequences of major data breaches such as the LinkedIn, Dropbox, and Yahoo mega breaches. We’re at the point where hackers can lurk on underground sites and purchase sensitive information to reuse it for other nefarious purposes and on other services and accounts. With these mega breaches offering more than 2 billion password and account combinations, knowing whether an organization’s sensitive information has leaked is more important than ever.
In our analysis, we found that over 11 percent of U.S. government organizations had leaked passwords lurking around the internet. If these organizations aren’t aware that the information has been leaked, or haven’t had employees change their passwords, they are at high risk of a hacker causing even more damage.
Security areas the U.S. government needs to focus on for 2017
The government has consistently scored high in Social Engineering and DNS Health, which suggests that they have strong employee security awareness training and have set up their domain and email servers to prevent spoofing, which can lead to impersonation attacks.
Despite these strengths and improvements, the government as a whole still has poor marks for Endpoint Security and IP Reputation, ranking 17th and 16th, respectively, for the year, and 18th and 15th, respectively, for the month of December.
Endpoint Security looks at outdated software usage among employees, which is a risky practice, as discussed in our End of Life article. Updates to software and products are often linked to discovered vulnerabilities and are necessary to keep individuals and organizations secure. While hackers are always developing new attack techniques, they can also make use of old vulnerabilities found in software and target organizations that are still using these outdated products.
We found that over 51% of U.S. government organizations were still using out-of-date browsers, which can be targeted by attackers who exploit known vulnerabilities. 45% of U.S. government organizations seemed to lack a standardized browser policy as well. This means that employees are using multiple browsers within an organization, making it more difficult to secure an environment given that there are multiple browsers to account for. Even worse, 23% of U.S. government organizations were found to also be using an outdated operating system. Updates to Mac OS or Windows are essential, as they include security patches for discovered vulnerabilities. Even if just one employee has not updated their operating system, they’re putting the entire organization at risk.
This coincides with a Patching Cadence issue type that we found plagued most of the organizations tracked here. Patching Cadence measures how quickly an organization applies an update that patches a security vulnerability. We found that 76% of U.S. organizations have a slow patching cadence for medium severity CVEs (Common Vulnerabilities and Exposures) and 72% have a slow patching cadence for high severity CVEs. CVEDetails, a CVE database site, aggregated a total of 517 CVEs that were published during the month of December alone. With such a slow patching cadence, it’s easy to imagine that these unpatched CVEs are putting these organizations at risk.
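As an added illustration of how a patching-cadence metric like the one described above can be computed (this is example code, not SecurityScorecard’s own methodology), the following Python takes a constructed set of findings, buckets them by CVSS severity, and reports the median days-to-patch per bucket; the CVSS bands, the "slow" thresholds, and the CVE identifiers and dates are all assumptions made for the example.

```python
"""Patching-cadence measurement over a constructed inventory (added example)."""
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Optional

# Assumed CVSS v3 severity bands; the "slow" thresholds are illustrative
# assumptions for this example, not the scoring platform's real cut-offs.
SEVERITY_BANDS = {"low": (0.1, 3.9), "medium": (4.0, 6.9),
                  "high": (7.0, 8.9), "critical": (9.0, 10.0)}
SLOW_AFTER_DAYS = {"medium": 60, "high": 30}

@dataclass
class Finding:
    cve: str
    cvss: float
    published: date              # date the CVE was published
    remediated: Optional[date]   # date the vulnerable version was last seen gone; None = still exposed

def severity(cvss: float) -> str:
    for name, (lo, hi) in SEVERITY_BANDS.items():
        if lo <= cvss <= hi:
            return name
    raise ValueError(f"CVSS score out of range: {cvss}")

def days_to_patch(f: Finding, as_of: date) -> int:
    end = f.remediated or as_of  # open findings keep counting up to the observation date
    return (end - f.published).days

def cadence_report(findings, as_of: date) -> dict:
    buckets = {}
    for f in findings:
        buckets.setdefault(severity(f.cvss), []).append(days_to_patch(f, as_of))
    report = {}
    for sev, days in buckets.items():
        med = median(days)
        limit = SLOW_AFTER_DAYS.get(sev)
        report[sev] = {"count": len(days), "median_days": med,
                       "slow": limit is not None and med > limit}
    return report

# Constructed sample: the CVE identifiers and dates are placeholders, not real findings.
SAMPLE = [
    Finding("CVE-0000-0001", 5.3, date(2016, 11, 1), date(2016, 12, 20)),  # medium, patched in 49 days
    Finding("CVE-0000-0002", 6.5, date(2016, 10, 10), None),               # medium, still open
    Finding("CVE-0000-0003", 7.5, date(2016, 12, 1), date(2016, 12, 15)),  # high, patched in 14 days
    Finding("CVE-0000-0004", 8.1, date(2016, 11, 15), None),               # high, still open
]
AS_OF = date(2016, 12, 31)

if __name__ == "__main__":
    for sev, row in cadence_report(SAMPLE, AS_OF).items():
        print(sev, row)
```

Open findings are counted up to the observation date, so an unpatched CVE keeps dragging the bucket's median upward the longer it stays exposed.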
IP Reputation detects malware presence in a network, blacklisted IPs, and potentially dangerous traffic emanating from an IP stemming from the Tor network or P2P file-sharing services. The assessment takes into consideration how sections of an organization’s network may be flagged as malicious, indicating that they have already been infected by malware or that their communication to the internet has been severely impacted due to its blacklisted nature.
We found that over 80% of U.S. government organizations had malware emanating from their network over the past year, and as many as 36% of those organizations were still suffering from the issue over the past month.
These security issues are fairly representative of a large, slow-moving organization, so it’s easy to see why the government is struggling the most with these factors. Because bureaucracy slows an organization down heavily, many government agencies at the local, state, and federal level are slow to update legacy software products, which leaves their systems vulnerable to low-hanging fruit such as malware infections.
If the government hopes to improve its overall security posture, it should focus on moving more quickly and on being able to adapt to new threats and vulnerabilities as they are identified. While it is doing well at preventing phishing attacks that may target employees, from a wider threat perspective it is still vulnerable to attacks that take advantage of long-standing vulnerabilities.
With cybersecurity as one of the major political talking points post-election, we have to adopt a wait-and-see approach to how the new administration will tackle information security at the local, state, and federal level. Our new analysis shows that the government continued to trail behind all industries throughout 2016.
Whoever ends up being tasked by the new administration and its appointees with the actual labor of implementing fixes and solutions for US government networks will face a monumental task. The US government’s network spans the entire globe and was essentially the original Internet, originating with the development of SIPRNET/ARPANET/DARPANET. Furthermore, the US government is always rapidly expanding its networks and adopting new technologies, while still fulfilling critical needs with existing legacy systems. The combination of old, potentially forgotten and vulnerable systems with new, cutting-edge, potentially vulnerable systems means that information security incidents are going to be a consistent and unfortunate reality in the near future.
Therefore, the focus needs to be on exposure reduction, rapid response, and mitigation of vulnerabilities and threats as they are identified and, ideally, before they surface.
Rapid patching of vulnerable systems, timely breach notification and mitigation procedures, comprehensive digital asset tracking, and continuous vulnerability exposure monitoring will assist in these efforts.