October is National Cybersecurity Awareness Month. It’s too bad that Congress didn’t get the memo – it might have been useful to consider prior to shutting down the government.
Regardless of where you stand on the political spectrum and your view on the shutdown, there’s one thing that is not open for debate – shutting down the federal government makes the US and its critical infrastructure less secure.
One of the biggest security concerns is found in how government agencies are managing and controlling access to privileged accounts. According to research from leading security firms such as Mandiant and CyberSheath, cyber-attackers immediately target privileged and administrative accounts once they breach the perimeter. This is because these accounts provide a gateway to an organization’s most sensitive data.
In the past two years, cyber-attackers have stolen and abused privileged credentials to perpetrate some of the biggest breaches government organizations have seen – including the South Carolina Department of Revenue, the NASA Jet Propulsion Library, and the Utah Department of Health, among others.
In addition, abuse of privileged accounts is one of the leading causes of insider breaches. One needs to look no further than the recent revelations around the NSA and how Edward Snowden was able to access, acquire and leak sensitive documents. As a systems administrator, Snowden had access and passwords to privileged accounts that, if abused, could provide almost unfettered access to everything across a targeted system. The results of that unmanaged access are self-evident.
These are issues that every single business faces – they are not unique to the government. Privileged accounts exist everywhere. Our own research shows that the number of privileged accounts is typically 3-4x the number of employees in an organization. This means that an agency with 1,000 people is likely to have 3,000-4,000 of these accounts.
Outside attackers and insiders target these accounts because they know they cannot achieve their goal of stealing data or causing damage without first stealing the privileged credentials of an authorized user.
So what does this have to do with the federal government shutdown? Understanding that these vulnerabilities exist, security organizations such as SANS strongly recommend that every privileged account be isolated, monitored and controlled so that any misuse is identified immediately. While automation exists, many agencies and businesses still do this through manual processes. In a government agency, this job traditionally falls to the IT staff. With the government shut down, it’s unknown whether this is still happening. If an outside attacker were to steal the privileged credentials of an authorized user, it could be days before this is realized – days in which the attacker is free to steal as much information as possible.
On the other end of the spectrum, we have the specter of employees with legitimate privileged access being sent home without pay. It only takes one person to become disgruntled and misuse this access to cause significant damage to any organization. As the Snowden incident demonstrates, the results can be devastating and far reaching.
Regardless of the current debate in Congress, one thing is clear – the government may be shut down, but cyber attackers are still open for business. And business is good. It’s a dereliction of duty to contribute to this.