The Privileged Access Problem: GAO Report Points to Vulnerabilities in Pentagon’s Advanced Weapon Systems
October 26, 2018 | Reports | Kevin Corbett
The Government Accountability Office (GAO) recently released a scathing report highlighting the critical vulnerabilities that malicious attackers could exploit to take complete control of Defense Department advanced weapon systems. Many of the findings point to poor privileged access security practices – a major underlying problem that has long existed throughout federal IT infrastructure.
The failure to secure privileged access is at the heart of the most damaging security breaches. It’s absolutely critical that agencies and the organizations they do business with lock down privileged access, which includes credentials and accounts.
I wrote a piece for GCN outlining three steps agencies should take to better protect their most sensitive credentials and strengthen their overall security posture. Following are some excerpts:
- Admit there’s a problem. In the last three years, the GAO has issued multiple reports that indicated an agency or system had pervasive problems with privileged access security. The Office of Management and Budget (OMB) issued its own report in April in partnership with the Department of Homeland Security (DHS), revealing that only 55 percent of agencies limit access based on user attributes and roles – and only 57 percent review and track administrative privileges at all. The first step to better security is understanding – and admitting – there’s a problem. Then take action.
- Change default passwords. Default passwords are the factory-set passwords for the administrative accounts of a system. They exist so that developers and administrators can easily set up a technology ‘out of the box,’ and they exist everywhere – on home routers, networked printers and even advanced weapon systems. The Pentagon used off-the-shelf and open-source software with default passwords, but never changed them. As the GAO testers found out, default passwords are typically easy to find through a simple internet search – which means that not changing them is a failure of basic security hygiene.
- Secure near-siders. While the Pentagon was able to prevent exploitation of the weapon system from remote users, it struggled to stop potential insiders and near-siders (contractors and third parties who function as insiders, with the same privileged access as someone inside the organization). Attackers seek out both insiders and near-siders to steal their access credentials and then escalate privileges until they’re able to take control of a system.
Establishing a strong security posture starts with ensuring good cyber hygiene, and securing these known vulnerabilities is a must. The privileged access problem is a clear and present threat, and the government simply can’t afford to wait for disaster to strike before addressing it.
Editor’s Note: Read the full GCN piece to delve deeper into the GAO report’s findings and explore ways agencies and government organizations can address the privileged access problem.