The federal government faces a cybersecurity threat that is more capable and relentless than at any time in recent history. And yet, agencies responsible for operating high-security networks and data centers continue to struggle with passwords, physical security, access control and a host of other relatively basic security precautions.
Greg Wilshusen, director of Information Security Issues at the Government Accountability Office (GAO), the investigative arm of Congress, told a gathering of federal and industry security officials on Dec. 3 that the number of security incidents reported to the US Computer Emergency Readiness Team (US-CERT) is on course to surpass 48,000 in 2012 – a 782 percent increase since 2006.
And that could spell real trouble this year for federal network security, especially because of the basic security weaknesses identified by GAO during multiple agency audits last year. For example, Wilshusen, who spoke at the Government Technology Research Alliance (GTRA) forum on government security, said every one of the top 24 federal agencies had weaknesses in basic access controls.
“This is the area where we find most of the computer system vulnerabilities,” said Wilshusen. “These are controls that relate to protecting an organization’s boundaries, [and] also include those procedures that agencies have to identify and authenticate the identity of their users and the devices that connect to their systems, use of encryption and physical security to control physical access to the data facilities and information resources.”
In addition, GAO last year regularly uncovered significant problems with other basic security precautions, such as weak passwords, lax physical security controls and outdated user accounts that had not been deleted.
Passwords used by agency employees were often found to be “relatively easy to crack,” Wilshusen stressed. And, surprisingly, those employees found to have the least secure passwords were often the system administrators, he added. More troubling, however, was the large number of old user accounts and default accounts that remained accessible.
“Agencies also often do not change or delete vendor-supplied passwords and IDs,” Wilshusen said, referring to the default accounts that often ship with new computers and operating systems. Likewise, GAO investigators often found “hundreds and sometimes thousands” of instances where training accounts or accounts belonging to former employees had not been deleted.
But even the users who had legitimate access to systems often had too much access, said Wilshusen. Referring to the so-called “principle of least privilege,” where users are given only the access they require to do their jobs effectively, Wilshusen said GAO investigators “often find instances, particularly in databases, where users are given access to all of the data to either write, read or update the data when generally they don’t need that level of access.”
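As an added illustration (not from the article or from GAO), here is a small audit of the three hygiene failures Wilshusen describes: vendor default credentials left in place, orphaned or stale accounts, and database grants that exceed what a role needs. The account records, the default-account list and the role policy are constructed assumptions.

```python
# Added example: audits the account-hygiene failures GAO describes over constructed
# records: vendor default credentials, orphaned/stale accounts, excess DB grants.
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Set, Tuple

DEFAULT_ACCOUNTS = {"admin", "guest", "sa", "root"}  # hypothetical vendor defaults
ROLE_NEEDS = {  # hypothetical policy: the DB privileges each role actually needs
    "analyst": {"SELECT"},
    "clerk": {"SELECT", "INSERT"},
    "dba": {"SELECT", "INSERT", "UPDATE", "DELETE"},
}
@dataclass
class Account:
    name: str
    role: str
    enabled: bool
    last_login: Optional[date]  # None means never logged in
    employed: bool              # False once the person has left
    password_changed: bool      # False if still the vendor default
    db_grants: Set[str] = field(default_factory=set)

def audit(accounts: List[Account], today: date, stale_days: int = 90) -> List[Tuple[str, str]]:
    """Return (account, finding) pairs; disabled accounts are skipped."""
    findings = []
    for a in accounts:
        if not a.enabled:
            continue
        if a.name in DEFAULT_ACCOUNTS and not a.password_changed:
            findings.append((a.name, "default-credential"))
        if not a.employed:
            findings.append((a.name, "orphaned"))
        if a.last_login is None or (today - a.last_login).days > stale_days:
            findings.append((a.name, "stale"))
        excess = a.db_grants - ROLE_NEEDS.get(a.role, set())  # least privilege
        if excess:
            findings.append((a.name, "excess:" + ",".join(sorted(excess))))
    return findings

# Constructed sample: one problem of each kind plus one clean account.
SAMPLE = [
    Account("sa", "dba", True, date(2012, 11, 30), True, False,
            {"SELECT", "INSERT", "UPDATE", "DELETE"}),
    Account("jdoe", "analyst", True, date(2012, 12, 1), True, True, {"SELECT", "UPDATE"}),
    Account("msmith", "clerk", True, None, False, True, {"SELECT"}),
    Account("train01", "clerk", True, date(2011, 3, 1), True, True),
    Account("kl", "clerk", True, date(2012, 12, 2), True, True, {"SELECT"}),
]
def audit_sample():
    return audit(SAMPLE, date(2012, 12, 3))
```

Run against a real export of accounts and grants, the same checks give an auditor the "hundreds and sometimes thousands" count the article mentions, rather than a manual review.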
Other weaknesses in basic security procedures that GAO encountered regularly last year include:
- Insufficient access controls for firewalls, switches, and routers;
- Slow deployment of the infrastructure needed to support logical access control devices, such as Common Access Cards and the Personal Identity Verification (PIV) card;
- Monitoring of system configurations and of the assets on the network still not being done on a regular basis; and
- Inadequate physical security at highly secure data centers (e.g., doors propped open with chairs so employees could take smoke breaks, and guards who did not check credentials properly).
But Ron Ross, a senior computer scientist and fellow at the National Institute of Standards and Technology (NIST), pointed to other basic precautions and policies that have been stymied by a combination of cultural impediments and the vast, complex federal IT architecture.
“There’s a new saying that the offense should be informing the defense,” said Ross. “But yet we find out that a lot of our CISOs and CIOs don’t even have [top secret compartmented] security clearances. So, how can you be informed of what the threat can do if you can’t even get the information that allows you to understand what that threat looks like? It’s a very serious problem.”
In January, NIST will release revision 4 of its Special Publication 800-53, Recommended Security Controls for Federal Information Systems and Organizations. “And there’s going to be a lot of gnashing of teeth when you see the number of controls and enhancements being added,” said Ross. The new version adds about 250 new controls, moving the total number from 600 to 850.
One such new control that will be added is firmware integrity. “The adversary is down at the firmware level now and probably even the hardware in some cases,” warned Ross. “Firmware integrity is critical. The adversary has demonstrated the capability to get into that firmware.”
But while hackers have demonstrated the ability to attack federal networks in more complex and sophisticated ways, federal security professionals have been unable to keep up with the challenges posed by complexity, said Ross. Because of the complexity of federal network architectures, “we ask our CISOs and CIOs to defend systems that are largely indefensible,” he explained.
Complexity, he said, “is ground zero of our problems today.”