Security “sampling” puts US federal agencies at risk
Titania launched an independent research report that uncovers the impact of exploitable misconfigurations on the security of networks in the US federal government.
The study, “The impact of exploitable misconfigurations on the security of agencies’ networks and current approaches to mitigating risks in the US Federal Government“, finds that network professionals report that they are meeting their security and compliance practices, but data suggest that risk remains elevated. A result which, according to the findings from the report, is likely to be costing billions of dollars each year.
Notably, the research disclosed that federal government respondents were the only sector representatives to say that they exclusively assessed the configurations of their firewalls. Switches and routers were not included in their network checks. So, in effect, the agencies are sampling the security of their fleets of network devices. According to zero trust best practice, continuous assessment of all devices is essential when it comes to preventing intrusion and inhibiting lateral movement across networks. Sampling is an inherently risky approach to configuration security that leaves agencies open to the threat of configuration drift taking down networks.
In addition, the survey found most federal government respondents cite the inability to prioritize risk (81%) and inaccurate automation (44%) as their top two challenges in meeting their enterprise security and external compliance requirements. Federal respondents also indicated that financial resources allocated to mitigating network configuration risks, which currently stands at around 3.4% of the total IT budget, are a limiting factor in configuration management.
Specifically, the study, which surveyed senior cybersecurity decision-makers across the US federal government, revealed:
- Confidence in compliance and practices. Every respondent from the federal government sector is confident that they meet their enterprise security and external compliance requirements. More than 88% agreed that their agency relies on compliance to deliver security. However, based on other findings, this reveals a disconnect between network security perception and reality.
- Expansive networks, infrequent assessments. Federal agencies reported a vast number of devices within their networks – over 1,000 on average. This is approximately 160 more than other industries, such as banking and financial services. 59% of the respondents assess the configuration of network devices on an annual basis, 12% on a bi-monthly cycle, and 0% more frequently. Respondents felt these practices are sufficient to meet their security and compliance requirements.
- Risk and remediation prioritization is a challenge. 71% reported that their network security tools meant that they could effectively categorize and prioritize compliance risks. This is at odds with the fact that 81% said an inability to prioritize remediation based on risk is a top challenge.
- Frequent configuration issues identified. Respondents reported they had detected an average of 51 misconfigurations in the previous year; 4% of which were deemed “critical,” and could have led to a severe security breach that could take the network down. As many as 83% reported having detected at least one critical configuration issue in the last two years.
- Routers and switches overlooked. When validating network device configuration settings, 100% federal organizations only assess firewalls, not switches or routers.
- Low confidence in compliance in the supply chain. Only 18% of respondents were confident that other players in their organization’s supply chains take a rigorous and robust approach to network configuration security. The federal government also made up the highest percentage (71%) of respondents that reported relying on suppliers’ external accreditations from CMMC, DISA, NIST, FISMA and ISO to gain assurances regarding supply chain risk management.
“A determined attacker will try every way to access a network until they gain entry,” said Matt Malarkey, VP, Strategic Alliances, Titania. “A known vulnerability or misconfiguration is an easy way in. As our report uncovers, the US federal government is not immune. Government agencies need to adopt a zero trust approach to cybersecurity – hardening networks from the inside-out to make it significantly harder for intruders to gain entry and move laterally.”
“Other proactive security practices, like attack surface management, encourage organizations to show continuous vigilance. So, it’s important that government agencies adopt them, especially since the recent joint Cybersecurity Advisory from the NSA, CISA and FBI pointed to enemies altering network device configurations to enable and scale attacks,” added Malarkey. “Increasing the frequency of risk assessments and remediation of all network devices is the first step to preventing configuration drift from taking down US government networks and allowing intruders to gain access to sensitive systems and data.”
“Government networks are changing every single day as agencies embrace digital transformation and shift to the cloud,” said Dean Webb, cybersecurity engineer at Merlin Cyber. “However, if federal agencies are not continuously monitoring their network device configurations, they are in essence inherently trusting the operation of those devices. This practice is not only counter to zero trust principles, but it also is proving to be a very soft target for bad actors to exploit and to gain a foothold into sensitive government systems and data.”