Posted on Mar 20, 2017
A look at recent data breaches and how the government is reacting.
It seems like the US government is falling prey to hackers more and more often, whether the attackers are nation-sponsored organizations or independent groups. Two government data breaches made Network World’s list of ‘Biggest data breaches of 2015’: an IRS data breach and the massive US Office of Personnel Management data breach.
This year, the attacks haven’t let up, with four major national government organizations falling victim to data breaches.
In this blog post, we’ll be reviewing some of the biggest hacks of recent memory and detailing how the government is aiming to improve cybersecurity.
The biggest US government data breach of 2015 was the Office of Personnel Management (OPM) data breach, which was the result of a longstanding hack that started in March 2014 (though as more data is revealed, there are estimates that the breach occurred even before March). The government announced the data breach in June 2015, and estimates of stolen records increased from an initial number of 4 million to 21.5 million. The breach led to the resignation of Katherine Archuleta, director of the Personnel Agency.
The complicated breach was a result of social engineering, which led to hackers obtaining the credentials of a third-party contractor. A malware package was deployed, creating a backdoor which allowed access to the OPM network. The fallout from the breach is still ongoing, with The Atlantic reporting in September 2015 that the fingerprints of 5.6 million people were compromised, 5 times more than originally reported.
In February, a seemingly rogue hacker targeted the FBI and DHS, publishing contact information for 20k and 9k employees, respectively, on Twitter. The hacker compromised the email of a DoJ employee, which gave him access to the information.
One of NASA’s drones was allegedly hacked by the known hacktivist group Anonsec, and data on over 2,400 employees, along with flight logs and aircraft videos, was released. A 300-page zine was released, detailing the information and security failings of NASA. The hack was executed by brute-forcing an administrator’s SSH password, which had been left at its default, and this led to root access to three network-attached storage devices.
Lastly, the IRS was hacked in February and an estimated 700,000 social security numbers and other sensitive information were stolen, just months after its most recent hack in May of 2015 (not counting compromised information resulting from a lost flash drive in August 2015). The attack, which took advantage of the ‘Get Transcript’ program that lets taxpayers check their tax history, severely increased the risk of identity theft for all victims who had data compromised.
The government is already reacting, knowing that no data breach is acceptable and that cyber attacks are poised to get worse. However, the government can’t only address the risks and vulnerabilities that led to its most recent hacks. It must also evolve to combat the new security risks each new year brings. McAfee Labs’ 2016 Threats Prediction Report warns that nation-state attackers could target physical infrastructures through digital means, that government-targeting ransomware will be on the upswing, and that employees will continue to be a mainstay target for attackers.
However, it does have a positive outlook given the fact that government organizations and private companies are working closer together to improve security.
The most recent budget proposal put forth by President Obama includes a $19 billion cybersecurity budget, 35% more than current spending, signaling a shift in priority. This coincided with the release of the Cybersecurity National Action Plan, a detailed proposal that takes a short- and long-term approach towards improving cybersecurity. Recently, the government announced the first Bug Bounty program to start in April, which would reward vetted hackers for testing and finding vulnerabilities in the government’s network.
These programs are common among enterprises and have been essential for finding and fixing vulnerabilities. While criticism has been leveled at the government for its restrictions in the program, these movements are a step in the right direction towards improving cybersecurity.
However, the effects of these plans won’t be felt immediately, and the new budget allotted for cybersecurity is still in flux as the proposal has not been approved yet. We decided to take a closer look into the state of the government’s cybersecurity posture.
We compiled our research and findings into the 2016 Government Cybersecurity Research report, which measures over 600 government organizations across local, state, and national levels and ranks the top 10 most secure government organizations and 10 least secure organizations accordingly.
We also take a deeper dive into the FBI, NASA, and IRS security postures, analyzing their SecurityScorecard and detailing the vulnerabilities they have yet to solve.