It’s Time to Start Getting Serious About Privileges
According to the Cybersecurity and Infrastructure Security Agency, the SolarWinds breach was one of historic proportions, posing massive risks to federal, state and local governments, in addition to private companies.
With the expertise to gain access to privileges over highly sensitive information, these hackers were sophisticated, patient and ultimately left unchecked.
Anybody who has been following cybersecurity for the past few years can put a few common threads together: First, a hacker gets access to your internal systems through a nonprivileged account. Then, they move from server to server looking for a privileged account to do something more nefarious.
Identity access, governance and privileged account access are a huge area involved in these breaches. Why wouldn’t you be auditing your systems for embedded passwords, like those used in the SolarWinds attack?
Multifactor authentication is one simple way to enforce better governance practices and protect the log-in process. One of the barriers to MFA adoption is ease of use, so be sure that the evidence beyond a password is something easy to remember or that the employee can access at all times, like a unique code sent to a user’s mobile device, rather than a physical token.
Oldsmar Hack Shows Network Visibility and Self-Auditing Are Crucial
Having open ports or the capability to allow open ports, as was the case at the Oldsmar water treatment plant, presents a big vulnerability to state-run IT systems. Investigators suspected that desktop sharing software was used to access the Oldsmar facility system, which was running on Windows 7.
According to Florida Agriculture Commissioner Nikki Fried, Florida comes in fourth when it comes to the number of local government cyberattacks it has faced relative to all states, with the median cost of cyber breaches as high as $1.8 million. This is simply not a sustainable cost.
At a federal level, we have red teams that attack and test the safety of our own systems. On a state, municipal, and even private sector level, that’s not happening as readily as it should be.
Penetration testing can help safeguard against these intrusions by assessing the risk exposure of servers and identifying other holes in a system before someone less desirable does. It’s crucial to maintain visibility into all of the systems and devices that make up a control system operating critical infrastructure.
Being aware of what devices are on your networks, how they are configured, who is making changes, and when, is vital to getting to the root causes of any issues and resolving them before worse activities occur.
We Need to Centralize Cybersecurity Efforts
A breach at Accellion, a collaboration technology and one of the Washington State Auditor’s software vendors, compromised millions of constituents who filed for unemployment benefits during the pandemic.
While the extent of the breach is not yet fully understood, having a decentralized IT security division rather than one cohesive entity is partly to blame. Washington hasn’t been the only state grappling with pandemic-related IT complications; the state of Nevada reported that its IT capabilities are six to eight years behind those of other states, according to its top technology official. Again, this is in part due to siloed IT protocols being used by different departments within the government.
As a response, many states have made serious strides in centralizing their IT departments, consolidating their IT under one single entity. With all corporate IT functions under the care of one agency, it’s arguably easier to control consistency, cost, vendor relationships and the customer experience.
While other states have opted for a federated hybrid model, it’s important that there’s collaboration among all departments — or an investment in software that can monitor activity across servers — to make sure everyone is working together and adhering to the same security practices and protocols. After all, if attackers find their way in, there’s no telling what else they’ll be able to gain access to.
Unfortunately, with the increasing sophistication of attackers and the pace of new technology, it’s not a matter of if, but rather when cyber criminals will strike. Whether for financial gain, espionage or to cause real harm to government infrastructure, breaches will persist and will likely become more severe in nature.
That said, we understand the threat landscape and already have tools in our arsenal to build better security practices and guidelines. The question is which states will actually implement them, and which will wait until it’s too late?