Jun 15 2021

Penetration Testing May Reveal Critical Vulnerabilities for Agencies to Prioritize

State and local governments seeking resources can turn to the U.S. Department of Homeland Security for assistance.

State governments are an attractive target for cyberattacks. Recent estimates show that state governments are attacked 300 million times a day. States confront ransomware attacks, phishing, misuse of compromised credentials and advanced persistent attacks on a daily basis.

In the face of such a large volume of threats, it’s more important than ever to practice good cybersecurity and to find and patch vulnerabilities. However, the sheer number of vulnerabilities that could affect applications and systems is overwhelming. Finding and patching the vulnerabilities that matter is difficult, especially in the face of budget shortfalls and a lack of skilled personnel. Still, there is hope: A federal program may help state and local governments assess and harden their critical systems.

Finding Vulnerabilities in Critical Systems

One of the biggest problems facing state and local governments is that systems, applications and networks have weaknesses that can be exploited by attackers to gain unauthorized access, run code, install malware, or reach and exfiltrate sensitive data.

Some vulnerabilities are difficult to exploit or are found in information systems that have low value to an agency, meaning that they pose little risk. Conversely, vulnerabilities that are easy to exploit and sit in high-value systems cause risk to grow exponentially.

State and local governments confront challenges in finding and prioritizing the most important vulnerabilities. Which critical systems have known vulnerabilities, and of those, which ones pose the greatest risk? Which systems should be patched first? How should patching efforts be prioritized and scheduled? It takes time and effort to go through the many lists of known vulnerabilities and map them to critical government systems.

Enter penetration testing, also known as pen testing. This is the discipline of testing systems, networks and applications to tease out vulnerabilities a hacker could exploit. In essence, pen testing attempts to breach the systems themselves to find the weak spots. The process involves gathering information about the target system or application, identifying possible vulnerabilities and attempting to exploit them.

Best Practices for Penetration Testing 

Pen testing is often called ethical hacking or white hat hacking because it represents an ethical attempt to identify weak spots in an organization’s security posture and show how easily they could be exploited — before bad actors have a chance to do so. The results of pen testing are aggregated and reported to IT and network system managers; based on this information, they can prioritize efforts at remediation.

It is recommended that pen testing be performed at least once a year, and more frequently if an IT organization adds new applications, upgrades infrastructure or applies security patches.

In the best of times, state and local governments are hard-pressed to carry out all the activities required for good cyber hygiene. Today, the task is even more difficult than usual.

280 days: the average number of days required to identify a breach. Source: IBM Security, “Cost of a Data Breach Report 2020,” July 2020

Unemployment, plummeting tax revenue and the impact of the coronavirus pandemic all conspire to create budget shortfalls. If they are to embark on pen testing, government organizations need to select the proper tools, learn how to use them and spend time defining the scope and goals of the exercise. Then they need to gather information on all the systems to be tested, run the scans, find vulnerabilities and perform the overall analysis. This requires time, effort, budget and expertise — all of which are often in short supply.

Partnering with CISA on Penetration Testing 

Fortunately, a program at the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency helps governments at all levels improve the cybersecurity of their systems. CISA provides hundreds of services each year to state, local and tribal government entities and private sector companies. One of the primary objectives of its Cybersecurity Assessments program is to conduct penetration testing.

The team simulates a cyberattack to expose gaps in security, identifying and analyzing vulnerabilities. It can also perform the overall analysis: What vulnerabilities were found and exploited during pen testing, and what types of sensitive data were accessed?

One key factor in the team’s pen testing is the ability to determine how long the tester was able to remain in the system without being detected. This is crucial information, since attackers can stay hidden inside networks and systems for a long time before being detected. In 2020, the average length of time it took for organizations to discover an intruder was 280 days, according to an IBM study. Armed with this valuable information, the organization can take steps to patch the riskiest known vulnerabilities quickly. Best of all, the penetration testing can be done remotely.

With the accelerating rate of new cyberthreats, it only makes sense to get ahead of the curve. Thanks to the Cybersecurity Assessments program at CISA, state and local governments can start their pen testing programs immediately. They will be able to see what would happen if a real-world adversary were to find and exploit vulnerabilities, so they can quickly prioritize and patch them.
