Federal Insecurity

Months after the devastating Office of Personnel Management (OPM) hack came to light — in which 21.5 million personnel records were stolen — the Government Accountability Office (GAO) has issued a report on the extent that US Federal Government is experiencing breaches. The report revealed that the number of security incidents impacting Federal agencies has grown from 5,503 in 2006 to 67,168 in 2014 — a massive 12x increase in 8 years — and that the US government is looking to hire 10,000 cyber professionals in the next year. In this blog post I will go over some of the highlights of the report and some of the short-term fixes being implemented.

So what are the threats facing the US Government? The Feds list out bot-network operators, criminal groups, hackers and hacktivists, malicious insiders, other nations and terrorists. In other words, not a trivial list of adversaries.

And what techniques or exploits are the bad guys using? You name it, they are facing it: cross-site scripting, denial of service attacks, malware, phishing, passive wiretapping, spamming, spoofing, SQL injection, war driving and zero-day exploits. Basically everything is being thrown at our government systems.

The net result is a 1121% increase in 8 years in security incidents that government knows about.

[Chart: Incidents reported]

The GAO has quantified the five challenges that Federal agencies must address:

  1. limiting, preventing, and detecting inappropriate access to computer resources;
  2. managing the configuration of software and hardware;
  3. segregating duties to ensure that a single individual does not have control over all key aspects of a computer-related operation;
  4. planning for continuity of operations in the event of a disaster or disruption;
  5. implementing agency-wide security management programs that are critical to identifying control deficiencies, resolving problems, and managing risks on an ongoing basis.

And those challenges were fairly consistent across the 24 agencies of the US Government:

[Chart: Infosec weaknesses]

Some of the examples of weaknesses included:

  1. granting users access permissions that exceed the level required to perform their legitimate job-related functions;
  2. not ensuring that only authorized users can access an agency’s systems;
  3. not using encryption to protect sensitive data from being intercepted and compromised;
  4. not updating software with the current versions and latest security patches to protect against known vulnerabilities;
  5. not ensuring employees were trained commensurate with their responsibilities.

Look at the top two weaknesses and the picture is clear: the US Government has a problem with privilege. Too many users have too much privilege, and there is insufficient auditing of who holds it and how it is used. So it is no surprise that the OPM hack was made possible by a compromised privileged account:

“The breach did not happen because of a vulnerability at the DOI data center. It happened because of compromised credentials of a privileged user on the OPM side who then moved into DOI’s environment through a trusted connection,” Burns said.

[Addressing this problem with privilege is exactly what our privileged account management solutions focus on, but I digress.]

So what are the short-term initiatives that the US Federal Government and its CIO Tony Scott are trying to implement to address the deluge of cyber threats? His cyber “sprint” initiative mandates two-factor authentication, with all employees required to use Personal Identity Verification (PIV) smart cards when accessing government networks.

Centrify offers MFA for application and system access and is the only solution on the market to enable PIV smart card support for Mac and Linux. So we have been in this market for a while, but it was interesting to read these stats about PIV usage:

In February 2015, OMB reported that, as of the end of fiscal year 2014, only 41 percent of agency user accounts at the 23 civilian CFO Act agencies required PIV cards for accessing agency systems.

And then the killer quote:

“At OPM, only 1 percent of user accounts required PIV cards for such access.”

Ouch.
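The two findings above are measurable, and the GAO's first two weaknesses (excess permissions, unverified access) and OMB's "percent of accounts requiring PIV" statistic can be checked against any account inventory. The script below is an added example written for this post, not code from the GAO report or from Centrify's products. It audits a constructed inventory of five hypothetical accounts against hypothetical role baselines, flags accounts whose permissions exceed their role, flags privileged accounts that do not require PIV, and computes PIV coverage both for all accounts and for privileged accounts only. The role names, permission names and account records are all made up for illustration.

```python
"""Least-privilege and PIV-coverage audit over a constructed account inventory.

Added example (not from the GAO report or any vendor product). All roles,
permissions and accounts below are hypothetical sample data.
"""
from dataclasses import dataclass

# Hypothetical role baselines: the permissions each job function actually needs.
ROLE_BASELINE = {
    "analyst": {"read_records"},
    "hr_admin": {"read_records", "update_records"},
    "sysadmin": {"read_records", "update_records", "manage_hosts"},
}

# Hypothetical set of permissions we consider privileged: holding any of these
# should require strong (PIV/MFA) authentication.
PRIVILEGED_PERMISSIONS = {"manage_hosts", "manage_accounts", "export_all_records"}


@dataclass(frozen=True)
class Account:
    name: str
    role: str
    permissions: frozenset  # permissions actually granted in the directory
    piv_required: bool      # whether login to this account enforces a PIV card


def excess_permissions(account):
    """Permissions granted beyond what the account's role baseline requires."""
    baseline = ROLE_BASELINE.get(account.role, set())
    return frozenset(account.permissions - baseline)


def audit(accounts):
    """Return (account, finding_type, detail) tuples for every weakness found."""
    findings = []
    for a in accounts:
        extra = excess_permissions(a)
        if extra:
            findings.append((a.name, "excess_permissions", sorted(extra)))
        privileged = a.permissions & PRIVILEGED_PERMISSIONS
        if privileged and not a.piv_required:
            findings.append((a.name, "privileged_without_piv", sorted(privileged)))
        if a.role not in ROLE_BASELINE:
            # An unknown role has no baseline, so nothing bounds its access.
            findings.append((a.name, "unknown_role", a.role))
    return findings


def piv_coverage(accounts):
    """Percent of all accounts that require PIV (the OMB-style statistic)."""
    if not accounts:
        return 0.0
    return 100.0 * sum(a.piv_required for a in accounts) / len(accounts)


def privileged_piv_coverage(accounts):
    """Percent of privileged accounts that require PIV; the number that matters most."""
    privileged = [a for a in accounts if a.permissions & PRIVILEGED_PERMISSIONS]
    if not privileged:
        return 0.0
    return 100.0 * sum(a.piv_required for a in privileged) / len(privileged)


# Constructed sample inventory (hypothetical names and grants).
SAMPLE_ACCOUNTS = [
    Account("alice", "analyst", frozenset({"read_records"}), True),
    Account("bob", "hr_admin",
            frozenset({"read_records", "update_records", "export_all_records"}), False),
    Account("carol", "sysadmin",
            frozenset({"read_records", "update_records", "manage_hosts"}), True),
    Account("dave", "contractor", frozenset({"read_records", "manage_accounts"}), False),
    Account("erin", "analyst", frozenset({"read_records"}), False),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_ACCOUNTS):
        print(finding)
    print(f"PIV coverage, all accounts: {piv_coverage(SAMPLE_ACCOUNTS):.1f}%")
    print(f"PIV coverage, privileged accounts: {privileged_piv_coverage(SAMPLE_ACCOUNTS):.1f}%")
```

On the sample data, bob and dave are flagged (bob for an export grant his role does not need and no PIV on a privileged account; dave for an unknown role, excess grants and no PIV), while overall PIV coverage is 40 percent but only a third of privileged accounts enforce it. Reporting the privileged-only figure alongside the headline number is the point: a high overall percentage can still hide exactly the kind of account that was abused at OPM.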

Federal CIO Tony Scott definitely has his hands full. He was appointed in late February of this year, and immediately inherited the response to the OPM hack. Besides focusing on MFA and PIV cards, he is also looking to hire an estimated 10,000 cyber professionals. So, a great time to be a security professional.

Longer term, it appears Scott will try to overhaul IT within the US Government by getting agencies to share services, on the theory that consolidation will make it easier to secure all the systems. This may be a boon to cloud service providers and SaaS vendors who can help with that consolidation of distinct and separate email systems, networks, etc.

At the end of a recent speech Scott said:

“We just don’t have available to use the number of cyber resources that are required to do a really good job.”

I believe him, but solving their privilege management problem and implementing multi-factor authentication via PIV smart cards will be a big step forward.