The government is a big target for threat actors who level their campaigns at federal websites and official apps every day to steal credentials from workers and exploit ordinary people who think they are interacting with real agencies.
If you think about it, the fact that the government is targeted so often isn’t surprising—agencies are mandated to do more with less, so they constantly turn to the cloud and digital channels to help them meet their goals. And with ever-changing administrations and initiatives, those in control of projects for today’s agencies aren’t necessarily the people who started them. The result is a digital debris field of assets—websites, third-party components, mobile apps, social media profiles, etc.—that security teams aren’t aware they own and therefore can’t reasonably defend.
Unfortunately, not enough resources are being spent on securing this modern digital attack surface. The cybersecurity executive order that was recently issued by President Donald Trump is a nice first step in updating the U.S.’s digital infrastructure and protecting against more modern threats, but it doesn’t quite cover enough.
Many major threats no longer need to traverse the traditional computing environments that they control. For example, even the hardest, most robust network defenses couldn’t have stopped the relatively simple phishing campaign targeting former Chairman of the Democratic National Committee John Podesta, which resulted in the outing of private communication that shook the political foundation of the U.S.
In fact, phishing remains one of the most efficient ways for threat actors to compromise legitimate credentials and gain access to sensitive information, financial details and critical systems—RiskIQ detected 158,904 phishing incidents a day in 2016—but there’s a whole laundry list of threats that do not directly target corporate networks.
How many dot-gov websites employ compromised third-party components like content delivery networks (CDNs) in their digital supply chain? How many are asking for personal identifiable information (PII) but don’t have a current secure sockets layer (SSL) certificate? How many were registered outside of compliance?
Given this new threat landscape, government organizations need to keep digital channels in mind while revamping their cybersecurity tools to comply with the order. Every day, global adversaries—nation-states, hacktivists, and cybercriminals—are leveraging the same technologies used by the government across digital channels to perform reconnaissance, propagate malware, fool users into giving up credentials and other sensitive information. To protect government networks, they must be able to discover and monitor assets across all channels, including all mobile apps, portals, social media properties, DNS changes and Web content.
Allegations that Russian hackers influenced the 2016 election cycle have caused a lack of trust in the government’s ability to defend its attack surfaces.
This dilemma doesn’t affect agencies only, and the private sector will also be expected to revamp its security tools and processes to comply with the executive order. According to the 2017 Verizon Data Breach Investigations Report, more than 75 percent of the incidents that lead to data breaches originate externally, almost half of which target unknown—and thus unmanaged—digital assets. And according to a recent SANS survey, 70 percent of organizations lack the tools and means to reduce their attack surface.
Security teams lack visibility into all of the ways that they can be attacked externally, and struggle to answer the question, “Where are the weaknesses in the armor?”
The answer lies in understanding what belongs to your organization, how it’s connected to the rest of your asset inventory and what potential vulnerabilities are exposed to compromise.
Before, defenders had to manually perform reconnaissance on their own organization, spending hours collecting and analyzing Internet data, scanning ports, looking for externally accessible assets that are vulnerable to compromise. However, platforms that leverage virtual users that crawl the internet and interact with organizations’ digital assets make this manual discovery and analysis work automatic.
While most cybersecurity focuses on core assets, this technology can instead look at areas outside of an agency’s direct control to find threats or vulnerabilities. This can be suppliers working with unpatched or vulnerable equipment, or outright criminals trying to impersonate government agencies, designed to find all of them, wherever they may be hiding on the internet.
Jason Zann is vice president and head of platform for RiskIQ, a digital threat management firm.