Addressing Federal Cybersecurity Shortcomings

Nowadays, the biggest stories about cybersecurity breaches tend to concern major companies like Facebook, Marriott, and Capital One. But what you may not realize is that now more than ever, government agencies are a popular target for crippling cyber attacks.

According to the U.S. Conference of Mayors, more than 170 government systems have suffered the effects of ransomware attacks since 2013. An additional report by the Senate’s Permanent Subcommittee on Investigations showed that out of eight federal agencies investigated, five could not produce a complete list of IT assets, six could not keep systems patched with security updates, and seven had vulnerabilities that put personal information at risk.

These findings may be alarming, but the agencies in question still have ample opportunity to make a change. Improving your cybersecurity standing can be a complex process, but it never hurts to start simple—and these three steps alone will make all the difference.

Listen to the Experts

The world of cybersecurity evolves so rapidly that most well-intentioned policies fall short simply because they are outdated by the time they take effect. The Internet of Things Cybersecurity Improvement Act, proposed in 2017, required vendors to certify that their connected devices had “no vulnerabilities” before going to market. But with attack vectors changing every day, that promise verged on the impossible.

Instead of attempting to pass regulatory policies without understanding the scope of their impact, agencies need to involve individuals with technical and government expertise in the policymaking process. These experts will be able to assist in drafting effective, impactful language.

Out With the Old

As it turned out, all eight of the investigated agencies relied on legacy systems so outdated that they no longer received patches for known vulnerabilities. Modern cybersecurity measures can only be applied to systems that are still supported, so to minimize exposure, agencies must upgrade their technology and prioritize modern solutions during the next budget cycle.

Interaction is Key

Of the many advanced attack strategies facing government agencies, the phishing email—one of the most commonly utilized methods—still poses a serious threat, according to the U.K. government’s 2019 Cyber Security Breaches Survey.

To address these threats, agencies need to make use of training that can both reduce the number of malicious emails employees receive and help them to spot those that slip through the cracks. Examples of real phishing emails can assist in picking out red flags. And making the training hands-on, like sending out test emails to provide employees with real-world practice, will increase their overall awareness.

For an expansive, interactive experience, our Red Team Assessment will put your security controls and employee awareness to the test. We use multiple attack methods to evaluate the effectiveness of your system’s defenses in a realistic simulation:

  • Penetration Testing (internal and external)
  • Social Engineering/Phishing Attacks (by phone, email, and in-person; we take this to the next level by attempting an actual breach of your network)
  • Physical Access (perimeter sweep, building access, secure interior room access)
  • Black Box (planting rogue remote-access devices in the production network)
  • Secure Document Disposal (secure/common waste disposal, dumpster inspection)
  • Wireless (forged authentication, encryption testing, device spoofing)

Contact us today to stay up to date and ahead of the game.
