With fewer resources than the private sector, yet faced with the same threats, the U.S. government is dealing with a complex dilemma. Both the public and government employees demand accountability for data breaches, but few understand the challenges that federal CIOs face – hiring and keeping specialized talent, paying for the hardware and software, and keeping pace with changing political agendas.

Attackers are well aware of these challenges too, making the government an increasingly vulnerable target, as the recent massive data breach at OPM showed.

Why the Government is So Vulnerable to Attack

One of the reasons for this vulnerability is that many government organizations have deployed flat network structures that are great for minimizing administrative overhead, but it’s a convenience that comes at the cost of security.

As SANS analyst and certified SANS instructor, Jacob Williams, explains in his new white paper “Practical Threat Management for Government Entities” (a collaboration with DLT partner, AlienVault): “Once an attacker compromises the first endpoint…the lack of segmentation in the network infrastructure means that the attacker has no roadblocks and can pivot mercilessly through the network.”

VLANs can help, says Williams, but adoption has been slow among government agencies. Other characteristics of government organizations that make them vulnerable to attack, include:

  • Lack of realization that they, specifically, are targets
  • Flat networks offering little segmentation
  • Poor inventories of IT resources and critical data
  • Missing patches and poor patch management in general
  • Inadequate funding and/or impacts of budget cuts
  • IT security (and IT in general) understaffed
  • New regulations that increase stress on IT staff, but usually do not come with increased headcount
  • Difficulty competing with private industry for best-of-breed infosec professionals

What a Breach Looks Like

With all or some of these vulnerabilities in place, what does the anatomy of a breach look like?

To help shed some light on how it happens, Williams presents a fictional scenario in which a vulnerable web application, written in Java and residing on a poorly maintained and inadequately patched JBOSS server, is hacked. Exploiting the unpatched vulnerabilities in JBOSS to upload a web shell to the server is a breeze. Here’s how the attack transpires:

Attack Steps

  1. Locate and compromise the web application because it is tied to an old (and vulnerable) JBOSS server.
  2. Install a backdoor web shell.
  3. Exploit users visiting the websites using drive-by downloads.
  4. Compromise the database server using credentials stored on the web server.
  5. Exploit the admin PC.
  6. Locate and compromise the jump server to the classified/sensitive network.
  7. Begin exfiltrating classified/sensitive data from the network.

The compromise is complete, and the attackers can exfiltrate sensitive and classified data in the agency’s custody.

How to Change the Outcome of an Attack

But protection on a human and cost budget is possible. Take a look at Williams’ whitepaper, Practical Threat Management for Government Entities, and learn about security controls that can change the outcome of an attack such as host-based intrusion detection systems (HIDS), software inventory and vulnerability scanning, threat intelligence, and more. Plus, how a careful consideration of TCO can ensure any security deployed isn’t wasted money.