Significant parts of the US government still remain exposed to hackers after the completion of the 30-day Cybersecurity Sprint launched last month following the major OPM data breach.
Last Friday, US government CIO Tony Scott revealed some of the results of the Sprint initiative, which was designed to: patch critical flaws immediately; tighten policies and practices for privileged users; accelerate two factor authentication (2FA) for those users; and improve scanning for threat actor Techniques, Tactics and Procedures.
Some progress has obviously been made. For example, Scott claimed that agencies are reducing the number of privileged users, and working with the Department for Homeland Security (DHS) to scan regularly for critical vulnerabilities, as well as training employees to recognize and report phishing attempts.
There have also been major steps taken by some agencies to mandate the use of “a hardware-based Personal Identity Verification (PIV) card or an alternative form of strong authentication” when logging into networks.
Specifically, federal civilian agencies increased their use of 2FA for both privileged and unprivileged users from 42% to 72%—a 30% increase since before the 30-day sprint.
When it comes to privileged users alone, the figures for agencies using 2FA have risen even further, from 33% to 75%.
However, these stats mean that around a quarter of US government agencies are still exposed to attack because users are forced to remember and use passwords to log-in to networks.
Scott added:
“Thirteen agencies, or more than half of the largest agencies—including the Departments of Transportation, Veterans Affairs, and the Interior—have implemented the same level of strong authentication for nearly 95% of their privileged users.”
However, there are question marks over the state of play at the remaining agencies.
“The 30-day sprint is undoubtedly a step in the right direction, but the results show that trying to patch up federal cybersecurity vulnerabilities in 30 days is like trying to heal a bullet wound with a band aid,” argued Richard Parris, CEO of ID management firm, Intercede.
“While the fundamentals of America’s cybersecurity infrastructure are in place, there is still a long way to go before federal agencies are effectively protected against cyber-criminals.”
Lancope CTO, TK Keanini, told Infosecurity that it’s difficult for security managers to deduce their overall security posture from just one aspect of their defense.
“Credential abuse is the attackers’ favorite method, and not only should authentication be improved but proper monitoring for misuse also deployed,” he added. “With almost certainty you can assume that one or more accounts are compromised on a weekly basis these days, if you disagree it is just because you have not found it yet.”