When it comes to cyber security the public sector sure has taken the lead. Consistently being the innovator year over year. Through strong bipartisan commitment to security and investment to match political commitments there has been a surge of innovation to develop. This should come as no surprise as cyber security falls under the umbrella of national security which the United States has always had to be creative with. From bug bounty programs first developing from defense agencies to the formation of CERT to help organizations address insider threats, the public sector has truly been at the cutting edge for cyber security. However, this does not mean the government is without faults. According to Owl Cyber security’s Darknet Index the U.S. government has about five times the data leaked on the darknet as the average Fortune 500 company. While some areas of government are better than others, in aggregate the US government remains at risk despite leading cyber security innovation. This is consistent with the ongoing Government Accountability Office (GAO) and Inspector General (IG) reports that highlight major vulnerabilities in public sector agency cyber security practices.
One way to measure how successful an organization’s cyber security efforts are going is to determine their data’s footprint on the darknet. The U.S. government’s most vulnerable agencies all outscore global U.S. fortune 500 companies by fives times when it comes to sensitive data on the Darknet. The firms evaluated in the Darknet Index include: US Navy, US Army, Department of Defense, Department of Justice, Department of Homeland Security, US Marine Corps, NASA, IRS, Department of Veteran Affairs, and Department of State. The actual index includes 59 agencies of the US government. These agencies have all been victims of data breaches. While each agency faces different conditions, each has had to deal with their own set of insider threats. A sizable portion of the data on the darknet from the US government are credentials. Even if the insider themselves have no malicious intent, any malicious actor on the darknet can purchase the credentials to and use them to act as the insider.
With a darknet footprint larger than any private sector company, the U.S government is extremely vulnerable with ongoing security issues. These human and technical vulnerabilities are at the root of the data breaches the U.S government is facing across all of its departments
The key takeaways from the analysis of the Federal Government’s footprint on the darknet are:
Federal Government vs Private Sector
There is an age-old argument about which sector produces better outcomes. In this case, the private sector team would be happy. The U.S. government has a massive darknet footprint on the darknet by a factor of 5 in comparison to the private sector. However, much of the private sector’s security knowledge and practices have come from federal defense agencies.
US Military’s Cyber Security Is in Trouble
The federal agencies with the largest footprint happens to be none other than the U.S. Navy and the U.S. Army. The darknet footprint size is comparable to Amazon or Apple who both have more than four times the personnel that the U.S. Navy and U.S. Army have. There are many factors for why this has happened, but malicious and negligent insider threats are likely a part of the problem. Thankfully the U.S. military is working on this issue.
Darknet’s Most Wanted: Defense Agencies
When it comes to sensitive data no federal agency is targeted more than defense agencies. While it’s true there has been leaps of security innovation that came from these institutions, most of that innovation was out of necessity. These developments have helped other organizations avoid the same fate, but it does not erase the leaked data on the darknet. Some of the reasons that defense agencies are targeted the most tie back to state actors on the darknet and agents of state actors. For the common data peddler the information that defense agencies hold may not be worth as much as let’s say medical data. However, for a hacker or data peddler with a state actor for a client, that data is very valuable.
The data that was stolen from defense and cabinet agencies was primarily credentials and some intellectual property. The fact that most of the darknet footprint is comprised of credentials is a problem because anyone can purchase those and login to have access to a variety of state secrets and data that places lives at risk. This is an insider threat issue mainly because an insider may start demonstrating odd behavior while on the network and no one would be able to detect it from their account without the proper software. Meanwhile the person whose credentials have been compromised may have no idea what their own account is doing when their not at the computer.
In the GAO report released earlier this year, it would seem that of the 23 government departments audited there was an average of 9.2% of the IT budget spent on security. 20 years ago the GAO declared information security a high-risk area. Year after year the GAO has audited the security performance of government agencies and have issued several warnings to each agency. Unfortunately, these warnings are not taken as seriously as they need to be. Recently agencies, including the Federal Deposit Insurance Corporation (FDIC) and the Security Exchange Commission (SEC), were victims of multiple data breaches. The SEC is receiving criticism for not implementing past recommendations from the Inspector General (IG). While the SEC has been one of the most criticized agencies, they are not alone in poor cyber security practice.
For well over a decade now the GAO has stressed how critical cyber security is in federal agencies. However, year after year federal agencies fail to change much of anything. Just in the past few months the GAO released another report bluntly titled “Weaknesses Continue to Indicate Need for Effective Implementation of Policies and Practices” to Congress. The issues continue to be the same as well: access controls, configuration management, segregation of duties, contingency planning, and security management.
As threats have become far more advanced than they were a decade ago the urgency to implement stronger cyber security solutions have never been more pressing. However, as agencies are failing or ignoring the need to improve their cyber security practices they place the nation at greater risk.
The GAO has concluded that a discussion needs to be held if the cyber security maturity models developed for information security systems is enough to bring an agency beyond simply meeting compliance. However, for federal and other government agencies that would like to remedy their systems in the near future some points of discussion to bring up with managers and directors are the following:
User and Entity Behavior Analysis
Technology today already logs every event that happens on your network or on a single workstation. However many businesses simply do not access it or examine it. Without a reasonable way to read analyze these events that happen every second, valuable security data goes missing. By using the tool of user and entity behavior analysis organizations can easily detect insider threats and abnormal behavior Once a pattern of activity is established a behavior profile is developed and can be measured against deviations from “normal” behavior. By having a network behavior profile and an individual behavior profile, insider threat detection is now possible based on behavior.
Rule-Based Risk Analysis
Risk is at the core of everything for both the public sector and the private sector. The difference is that in the public sector risks revolve around protecting existing capital. In this case that existing capital is data. Rule-based Risk Analysis provides a snapshot of an agency and helps to identify which individuals demonstrate the most negligent or malicious threat behavior. Rules are developed for activities that happen on your network. This includes the use of personal email, accessing unauthorized websites, or even downloading unauthorized software. The technology allows administrators and agency directors to act on threats before they actually accomplish a compromise of sensitive information.
Data Loss Prevention Software (DLP)
DLP software detects and prevents data breaches and leaks by enforcing policies that monitor and filter content, control where information goes, encrypts data at rest and in motion, and helps identify very sensitive data. With a DLP solution, your agency will be able to enforce policies designed to prevent insiders from using information in unauthorized manners. It goes beyond detection and is a means of preventing insider breaches.
Data breaches are always terrible, but when the U.S. government has five times the amount of leaked data on the darknet than some of the largest private sector organizations, there is a crisis. Right now agencies can take preemptive steps to stop any further breaches. While it is good that at least there are attempts to meet compliance, it is not enough. The best places to start for federal agencies were outlined in the GAO reports. However to best prevent insider caused data breaches agencies will need to improve their technology and integrate security into all processes. Click below to learn more about Teramind.