The past several years have seen an explosion in the number of endpoints as more and more Internet-enabled devices are connecting to federal networks. However, federal agencies are not taking the necessary steps to secure their endpoints, according to a recent survey by MeriTalk, a public-private partnership focused on improving the outcomes of government IT.
The study, Endpoint Epidemic, underwritten by Palo Alto Networks, is based on an online survey of 100 US federal IT managers and 100 federal employees. The respondents were asked to discuss current endpoint security strategies and efforts across the federal government.
The report revealed that 44 percent of endpoints across the federal government are unknown or unprotected, leaving agencies vulnerable to a number of threats, including advanced persistent threats (APTs) — a particularly insidious category of threat in which an unauthorized party gains access to a network and remains there undetected for a long period of time.
In fact, one-third of those surveyed said they have experienced a breach due to an APT or zero-day attack. Moreover, they estimate that 30 percent of their network-connected devices have been infected with some type of malware.
“Endpoints are an increasingly important vector to secure in the cyberattack life cycle,” said Pamela Warren, director, government and industry initiatives at Palo Alto Networks. “Unfortunately, these study results indicate that trust and visibility are much too often absent on this frontier. Applying the ‘Zero Trust’ model from the network to the endpoint with a natively integrated and automated next-generation security platform can dramatically improve visibility and prevent threats to government networks.”
With the increasing number of endpoints, the definition of an endpoint has evolved to encompass not only traditional endpoints — such as laptops, servers, and desktops — but also new endpoint types, such as ATMs, medical devices and military sensors.
However, federal IT managers said their agencies have not updated their formal definition of an endpoint in the past 10 years. Before agencies can defend their endpoints, they need to define them.
The report defined an endpoint as, “Any Internet-capable hardware device that can connect to a network, from servers to mobile devices (laptops, smartphones, etc.) to customer interface devices (POS, ATMs, Kiosks, etc.) to Machine-to-Machine devices (ICS/SCADA, connected medical devices, building automation, security systems, etc.) and other sensors.”
The respondents believe agencies are missing opportunities to improve endpoint security. Eighty percent of those surveyed said they don’t micro-segment or virtually segment endpoints; 59 percent don’t employ real-time patching for high-priority vulnerability disclosures; and 44 percent don’t scan for infected endpoints.
Respondents indicated that the National Institute of Standards and Technology (NIST) Cybersecurity Framework and Continuous Diagnostics and Mitigation (CDM) efforts can also play an important role in improving endpoint security.
Just over half of federal IT managers said their current policies and standards are effective for securing their endpoints, but 89 percent admitted their agency’s policies need improvement. To build an effective, practical and enforceable endpoint strategy, agencies need to incorporate endpoint security policies and standards into their broader cybersecurity strategy.
Bring your own device (BYOD) policies pose a particularly difficult hurdle to endpoint security. Not even half of federal employees who use personal devices for work have reviewed their BYOD policy or even know their agency has one. In agencies that do have a BYOD policy, 61 percent do not apply their network security policies to mobile devices; 60 percent do not require device encryption; 52 percent do not enroll devices with the IT department; 50 percent do not ban public Wi-Fi; and 47 percent do not require anti-malware or anti-virus software.
Despite this risky behavior, federal employees recognize the need for stricter consequences for violating BYOD policies. Seventy-nine percent would be willing to have their device inspected for malware, and 78 percent suggest removing telework privileges from employees who do not comply.
“Telework is terrific – and the Internet of Things promises to change the world as we know it,” said Steve O’Keeffe, founder of MeriTalk. “To stay secure, we need to recognize the importance of automation and preventative medicine in cyber security measures — to ensure the health of our government — and the body politic.”