New Report Reveals U.S. Federal Government Exposed to Significant Cybersecurity Risks Due to Exploitable Network Misconfigurations
Research shows an average of 51 network device misconfigurations were discovered in the last two years with 4% deemed to be critical vulnerabilities that could take down the network
WORCESTER, UK and ARLINGTON, VA, November 1 2022 – Titania, specialists in accurate network security and compliance assessments and risk remediation software, launched a new independent research report that uncovers the impact of exploitable misconfigurations on the security of networks in the U.S. federal government.
The study, The impact of exploitable misconfigurations on the security of agencies’ networks and current approaches to mitigating risks in the U.S. Federal Government, finds that network professionals report that they are meeting their security and compliance practices, but data suggest that risk remains elevated. A result which, according to the findings from the report, is likely to be costing billions of dollars each year.
Notably, the research disclosed that federal government respondents were the only sector representatives to say that they exclusively assessed the configurations of their firewalls. Switches and routers were not included in their network checks. So, in effect, the agencies are sampling the security of their fleets of network devices. According to Zero Trust best practice, continuous assessment of all devices is essential when it comes to preventing intrusion and inhibiting lateral movement across networks. Sampling is an inherently risky approach to configuration security that leaves agencies open to the threat of configuration drift taking down networks.
In addition, the survey found most federal government respondents cite the inability to prioritize risk (81%) and inaccurate automation (44%) as their top two challenges in meeting their enterprise security and external compliance requirements. Federal respondents also indicated that financial resources allocated to mitigating network configuration risks, which currently stands at around 3.4% of the total IT budget, are a limiting factor in configuration management.
Specifically, the study, which surveyed senior cybersecurity decision-makers across the U.S. federal government, revealed:
- Confidence in compliance and practices. Every respondent from the federal government sector is confident that they meet their enterprise security and external compliance requirements. More than 88% agreed that their agency relies on compliance to deliver security. However, based on other findings, this reveals a disconnect between network security perception and reality.
- Expansive networks, infrequent assessments. Federal agencies reported a vast number of devices within their networks – over 1,000 on average. This is approximately 160 more than other industries, such as banking and financial services. More than half (59%) of the respondents assess the configuration of network devices on an annual basis, 12% on a bi-monthly cycle, and 0% more frequently. Respondents felt these practices are sufficient to meet their security and compliance requirements.
- Risk and remediation prioritization is a challenge. Almost three-quarters (71%) reported that their network security tools meant that they could effectively categorize and prioritize compliance risks. This is at odds with the fact that 81% said an inability to prioritize remediation based on risk is a top challenge.
- Frequent configuration issues identified. Respondents reported they had detected an average of 51 misconfigurations in the previous year; 4% of which were deemed “critical,” and could have led to a severe security breach that could take the network down. As many as 83% reported having detected at least one critical configuration issue in the last two years.
- Routers and switches overlooked. When validating network device configuration settings, all (100%) federal organizations only assess firewalls, not switches or routers.
- Low confidence in compliance in the supply chain. Only 18% of respondents were confident that other players in their organization’s supply chains take a rigorous and robust approach to network configuration security. The federal government also made up the highest percentage (71%) of respondents that reported relying on suppliers’ external accreditations from CMMC, DISA, NIST, FISMA and ISO to gain assurances regarding supply chain risk management.
“A determined attacker will try every way to access a network until they gain entry,” said Matt Malarkey, VP, Strategic Alliances, Titania. “A known vulnerability or misconfiguration is an easy way in. As our report uncovers, the U.S. federal government is not immune. Government agencies need to adopt a Zero Trust approach to cybersecurity – hardening networks from the inside-out to make it significantly harder for intruders to gain entry and move laterally.”
“Other proactive security practices, like attack surface management, encourage organizations to show continuous vigilance. So, it’s important that government agencies adopt them, especially since the recent joint Cybersecurity Advisory from the NSA, CISA and FBI pointed to enemies altering network device configurations to enable and scale attacks,” added Malarkey. “Increasing the frequency of risk assessments and remediation of all network devices is the first step to preventing configuration drift from taking down U.S. government networks and allowing intruders to gain access to sensitive systems and data.”
To continue helping the public sector close the gap on cybersecurity weaknesses related to misconfigurations, Titania has partnered with Merlin Cyber, a company focused on innovation, technical expertise and go-to-market acceleration that enables the U.S. Government to solve critical cybersecurity challenges with best-in-class and emerging solutions.
“Government networks are changing every single day as agencies embrace digital transformation and shift to the cloud,” said Dean Webb, cybersecurity engineer at Merlin Cyber. “However, if federal agencies are not continuously monitoring their network device configurations, they are in essence inherently trusting the operation of those devices. This practice is not only counter to Zero Trust principles, but it also is proving to be a very soft target for bad actors to exploit and to gain a foothold into sensitive government systems and data.”
About the Research
Titania commissioned an independent B2B research specialist, Coleman Parkes, to conduct the study. The firm surveyed 160 CIOs, Heads of Networks, Network Architects, and other experts across the U.S. federal government and other U.S. critical national infrastructure sectors (military, oil & gas, telecoms, and financial services), for comparison purposes. The survey asked how organizations currently detect and mitigate vulnerabilities in the specified part of the network. And how confident they are that devices always maintain a secure configuration. The full report can be downloaded here: https://info.titania.com/impact-of-exploitable-misconfigurations-federal.
Merlin is a powerful ecosystem of cybersecurity investment, innovation, technical expertise, and go-to-market acceleration with 25 years of experience working with the U.S. Public Sector. Through Merlin, federal civilian, defense, state, local and education customers access innovative cybersecurity solutions that have been strategically curated due to their ability to effectively meet public sector requirements and mission priorities. Merlin does this by selectively partnering with best-in-class cybersecurity brands, investing in visionary emerging technologies and accelerating growth and value creation for its partners. This enables the U.S. Public Sector to successfully keep ahead of today’s critical threats, accelerate modernization initiatives, and defend our nation. Learn more at merlincyber.com.
Based in the UK and Arlington, VA, Titania delivers essential cybersecurity automation software to thousands of organizations, including 30+ federal agencies within the US government, global telcos, multinational financial institutions, and the world’s largest oil and gas companies. Specializing in the accurate security and compliance risk assessment and remediation for networking devices – firewalls, switches, and routers – Titania helps organizations defend their networks from preventable attacks by identifying configuration drift and prioritizing the remediation of their most critical risks first. The company is best known for its award-winning solution, Nipper, which also overlays its security risk findings onto RMF assessments to assure compliance for CDM, DISA RMF, NIST, CMMC, and PCI DSS. To meet the growing market need for continuous accurate risk and remediation prioritized assessments, Titania is now focusing on scaling Nipper for enterprises to support their zero trust security strategies. Visit Titania at www.titania.com
For more information, please contact:
CCgroup for Titania
Beth Fichtel/Cassandra Hegarty
T: +1 914.588.2695
E: [email protected]