A Government Accountability Office (GAO) report in late June noted findings from a security survey of “high impact systems” holding sensitive information “the loss of which could cause individuals, the government or the nation catastrophic harm.”
It noted that the 24 agencies governed by the Chief Financial Officers Act have 912 high-impact systems – amounting to nearly 10 percent of their systems overall – with 18 of those agencies reporting 2,267 security incidents that targeted high impact systems.
And while the attack vectors varied, it was the web and email based phishing attempts (risky clicks) the led to the most breaches. Combating these risky clicks typically involves frequent patching during off hours that still leaves an organization exposed during operations.
The report noted that it also took a closer look at NASA, the Office of Personnel Management (OPM) the Department of Veteran Affairs and the Nuclear Regulatory Commission. Of these, the report found that authorization and boundary protection were weak in every system and warned the OPM specifically that without comprehensive security control assessments, OPM was at increased risk that it may not be able to detect vulnerabilities in its system.
The report concluded that federal agencies are not fulfilling their responsibilities under the law to secure federal information systems.
It should be noted, and security professionals will agree, that for the last 15 years, the security industry has followed the notion that if you 1) continually patched and fixed your vulnerabilities, 2) performed good configuration management of your systems, 3) knew your hardware inventory, and 4) knew your software inventory, that you would eliminate 80% of your attack surface. In reality, those four things have proven too difficult to manage and are now getting harder, leading us to the situation we are in and needing a different approach.
The solution lies in implementing connection-based architectures such as web application gateways and software defined perimeters that automatically verify every connection during run time allowing access only to authorized users. Software defined perimeters are proven to be 100% impenetrable and far more scalable.
Watch this blog for more info and check out this white paper on Software Defined Perimeters.