Security ‘sampling’ puts US federal agencies at risk

Titania has launched an independent research report that reveals the impact of exploitable configuration errors on network security in the US federal government.

The study, “The Impact of Exploitable Configuration Errors on Agency Network Security and Current Approaches to Mitigate Risk in the U.S. Federal Government,” finds that network professionals say they adhere to their security and compliance practices, but the data suggests that the risk remains high, a result which, according to the report’s conclusions, is expected to cost billions of dollars each year.

Notably, the research found that federal government respondents were the only industry representatives to say that they exclusively evaluate their firewall configurations; switches and routers were not included in their network checks. So, in effect, agencies are only sampling the security of their fleets of network devices. According to zero trust best practice, continuous assessment of all devices is essential when it comes to preventing intrusions and inhibiting lateral movement on networks. Sampling is an inherently risky approach to configuration security that exposes agencies to the threat of configuration drift that can bring down networks.

Additionally, the survey found that most federal government respondents cite the inability to prioritize risk (81%) and inaccurate automation (44%) as their top two challenges in meeting their organization’s internal and external security and compliance requirements. Federal respondents also indicated that the financial resources allocated to network configuration risk mitigation, which currently amount to approximately 3.4% of the total IT budget, are a limiting factor in configuration management.

Specifically, the study, which surveyed key U.S. federal government cybersecurity decision makers, found:

  • Confidence in compliance and practices. All federal government sector respondents are confident that they meet their corporate and external security and compliance requirements. More than 88% agreed that their agency relies on compliance to ensure security. However, based on other results, this reveals a mismatch between the perception of network security and reality.
  • Extensive networks, infrequent assessments. Federal agencies have reported a large number of devices within their networks – more than 1,000 on average. This is about 160 more than in other sectors, such as banking and financial services. 59% of respondents assess the configuration of network devices on an annual basis, 12% on a bi-monthly cycle and 0% more frequently. Respondents believe these practices are sufficient to meet their security and compliance requirements.
  • Prioritizing risks and corrective actions is a challenge. 71% said their network security tools allow them to effectively categorize and prioritize compliance risks. This contradicts the finding that 81% said the inability to prioritize corrective actions based on risk is a major challenge.
  • Common configuration issues identified. Respondents said they detected an average of 51 misconfigurations in the past year; 4% of them were deemed “critical” and could have led to a serious security breach that could put the network out of service. A whopping 83% said they had detected at least one critical configuration issue in the past two years.
  • Overlooked routers and switches. When validating network device configuration settings, 100% of federal organizations only evaluate firewalls, not switches or routers.
  • Low confidence in compliance in the supply chain. Only 18% of respondents were confident that other actors in their organization’s supply chains take a rigorous and robust approach to network configuration security. The federal government also accounted for the highest percentage (71%) of respondents who said they rely on external vendor accreditations from CMMC, DISA, NIST, FISMA, and ISO for assurances regarding supply chain risk management.

“A determined attacker will try every means to gain access to a network until he breaks into it,” said Matt Malarkey, Vice President, Strategic Alliances, Titania. “A known vulnerability or misconfiguration is an easy way to access it. As our report reveals, the US federal government is not immune. Government agencies must take a zero-trust approach to cybersecurity – harden networks from the inside out to make it much harder for intruders to enter and move laterally.

“Other proactive security practices, such as attack surface management, encourage organizations to be continuously vigilant. It is therefore important that government agencies adopt them, especially since the recent Joint Cybersecurity Advisory from the NSA, CISA and FBI highlighted that adversaries modify network device configurations to enable and intensify attacks,” Malarkey added. “Increasing the frequency of risk assessments and remediation of all network devices is the first step to preventing configuration drift from taking down US government networks and allowing intruders to access sensitive systems and data.”

“Government networks are changing every day as agencies embrace digital transformation and move to the cloud,” said Dean Webb, cybersecurity engineer at Merlin Cyber. “However, if federal agencies do not continuously monitor the configuration of their network devices, they are essentially trusting the operation of those devices. This practice is not only contrary to zero trust principles, but it also proves to be a very easy target for bad actors to exploit and gain a foothold in sensitive government systems and data.”