105 senior IT professionals working for federal agencies were asked about their computing infrastructure, security, breaches and IT modernization. A summary of the findings is included below.
Federal IT managers concerned about antiquated infrastructure.
An overwhelming majority of Federal IT managers (81 percent) say aging IT infrastructures have a somewhat to extremely large impact on their cyber-security risk. Further, three of five (61 percent) say aging infrastructure is a roadblock to achieving federal cyber-security mandate compliance.
We found ample examples of aging infrastructure in our survey. For example, a surprising 47 percent of Federal agencies still use Windows XP, driving a third of respondents (35 percent) to report that this kind of aging infrastructure had a somewhat to large impact on their ability to affect vulnerability patching.
The impacts of aging federal infrastructure don’t stop there …
· Three of four say aging infrastructure is a somewhat to extremely large risk to their ability to achieve their mission.
· The biggest impacts include inefficiency, increased cyber risk and problems with compliance.
· Specific to cyber-security, the top impacts of an aging infrastructure are difficulty with patching, password management and privileged account management (PAM).
· Respondents cite aging infrastructure as the top roadblock in the way of achieving federal cyber-security mandates
Aging Infrastructure Leads to Breaches
Aging infrastructure is not just a problem in theory; aging infrastructure makes federal systems more vulnerable to attack, which has led to an environment that could be rife for breaches.
· 42 percent have experienced a data breach within the past 6 months.
· A staggering one in eight has experienced a data breach within the past 30 days.
· Put another way, the typical federal IT system experiences one breach every 347 days.
· Respondents report that the typical data breach costs more than $91,000.
· The total cost due for data breaches is $637 million every year.
· The most frequently reported costs include loss of productivity, loss of reputation and pure monetary damages.
Privileged Account Management: Gap Between Theory and Practice
We asked respondents what tools were most important to them in terms of securing their information environment. Here they ranked privileged access management and vulnerability patching as most important. This is significant as these technologies restrict user privileges and close off security weaknesses in systems.
Yet, despite understanding the importance of such measures, most (56 percent) use alternate solutions to manage privileged passwords and nearly two-thirds (63 percent) report less than fully mature vulnerability remediation programs. In fact, 6 percent have NO remediation plan, and another 14 percent do only the bare minimum required by compliance mandates.
What IT Can Do Mitigate the Security Risk of Aging Federal Infrastructure
The BeyondTrust 2017 US federal government study points to four best practices that any agency can implement.
· Manage privileged credentials with greater discipline, eliminate administrator rights and enforce least privilege
Thirty percent of respondents believe that insider threats pose a significant threat and 35 percent believe their users have more privileges than are required. To mitigate insider threats and the exploitation of privileges, adopt a least privilege model by removing admin rights from users and storing all privileged credentials in a secure safe. Known escalation attacks have been around for years and are still being used. These attacks require local administrator rights. It’s not just about insiders. Enforcing least privilege prevents lateral movement within an organization if a breach does occur.
· Isolate Legacy Systems to reduce attack surfaces
Modernization of federal IT infrastructure is a priority for most survey respondents, but realistically this will not happen quickly. These aging systems have known risks. Reduce the attack surface by isolating legacy systems. Segment these systems to force all traffic through a proxy to reduce attack vectors. Deploy an automated password and session management solution that provides secure access control, auditing, alerting and recording for any privileged account. This will provide segmented access to critical systems, manage passwords, and monitor when tasks and operations are committed to a managed system.
· Improve the maturity of vulnerability management through automated patching
Even in today’s sophisticated threat landscape, the majority of attacks target known vulnerabilities that can be easily patched. Effective patch management goes a long way in reducing a network’s overall attack surface. To be truly effective, patch management requires intelligent prioritization and broad coverage for common business applications. To improve the efficiency and effectiveness of an agency patch process deploy a solution that provides integrated, automated patching. Implementing a solution that delivers analytics and trending across the threat lifecycle for multi-dimensional reports on assets, vulnerabilities, attacks and remediation allows prioritized patch management based or risk profile.
· Unite threat intelligence from multiple sources to better prioritize risks across the environment
Since the asset risk-to-user privilege risk pattern is a common attack vector, deploy solutions that correlate asset-based risk with user-based activity to gain a more complete picture of risks, gaining needed prioritization of the most impactful risks. For example, advanced persistent threats (APTs) can be analyzed against privileged password, user, and account activity, along with asset characteristics such as vulnerability count, vulnerability level, attacks detected, risk score, applications, services, software and ports. Consuming multiple data feeds from in-place solutions into a single console can help mitigate additional costs and reduce complexity.
“The federal government is moving to modernize its aging infrastructure,” said Kevin Hickey, President and CEO at BeyondTrust. “But that takes time, and in the meantime, federal systems face a real risk. These are simple steps IT can take today to help mitigate that risk.”
