Government institutions were clobbered by data breaches in 2018. The Identity Theft and Resource Center reports that 99 breaches occurred in the sector, revealing more than 18.2 million records of personally identifiable information (PII). This represents a 25.3 percent increase in the number of breaches that occurred in 2017, and a massive 202.4 percent increase in the number of records exposed.
The sensitivity of citizens’ PII housed by government agencies makes them a high-value target for cyber criminals. Information like names, addresses, Social Security numbers, payment card information, dates of birth and more are stored by the government for taxation and providing healthcare, emergency services and critical infrastructure services to the public. In fact, almost half of all government data breaches in 2018 exposed Social Security numbers. If this data were to fall into the wrong hands, a hacker could quickly sell it on the dark web or use it to open new lines of credit, take out loans, intercept tax refunds, cover medical treatment, steal airline miles, open utility accounts and more.
Government institutions continue to suffer breaches due to a variety of reasons. U.S. Customs and Border Protection, the City of Tallahassee and the Federal Emergency Management Agency (FEMA) are just three examples of agencies that have suffered cyberattacks in 2019. However, one attack vector that continues to plague this sector is misconfigured servers. Hackers can easily find databases that are publicly accessible and left without a password with tools such as the Shodan search engine. The OWASP Top 10 Most Critical Web Application Security Risks list even mentions misconfigurations as the sixth-highest threat facing all organizations today. Government organizations that have suffered data breaches due to misconfigured servers include:
- Oklahoma Department of Securities. The department exposed millions of files of FBI investigations information from cases dating back to 1986 and up to 2016.
- Maryland Department of Labor. Hackers were able to access PII for 78,000 users of the state’s unemployment insurance services and Literacy Works Information System without any authorization.
Due to the sensitive data stored by government agencies and the repercussions that exposure can have toward citizens, one may wonder why breaches due to misconfigurations continue to occur. Just like public and private companies, the government has also been rapidly migrating its assets to the cloud in order to deploy applications and services faster, and to better serve citizens. Unfortunately, as these agencies are eager to take advantage of the speed and agility of the cloud, appropriate security processes and protocols are often bypassed in the name of innovation. Often, these agencies aren’t prepared for the rapid rate of change that occurs in cloud environments, making it easy to overlook misconfigurations. Additionally, developers and engineers who have self-service access to cloud services may not be fully educated on the critical security steps that must be followed when creating new services or making changes in cloud environments.
Also, government organizations still rely on manual configurations to security and compliance issues by humans and, unfortunately, people are prone to error. While manual configurations may have been effective in a traditional data center, the dynamic nature and ever-evolving rate of change boasted by software-defined infrastructure has outstripped human capacity. Government agencies need to be able to deal with misconfigurations and other vulnerabilities in real time.
Fortunately, there is a solution for preventing misconfigurations and resulting data leaks of citizens’ PII. Automated cloud security solutions give government entities, and other organizations alike, the ability to detect misconfigurations and either alert the appropriate personnel to correct the issue or trigger automated remediation in real time. Automation also grants the ability to enforce policy, provide governance, impose compliance and provide a framework for the processes everyone in a government agency should follow on a continuous and consistent basis. The right automated solution will ensure the security of the public’s data with which local government organizations are entrusted, and it will allow those agencies to maintain the integrity of their technology stack, apply the policies necessary to continue business operations and enable developers to remain agile and innovative without compromising security.
Automated cloud security solutions would have been able to detect server misconfigurations at the Oklahoma Department of Securities and Maryland Department of Labor in real time, allowing for the errors to be remediated before bad actors had the chance to exploit the weakness and extract citizens’ PII. Even though local government agencies may be strapped for IT resources, they should still be able to leverage the benefits of the cloud while ensuring the security of the public’s sensitive information.
The views expressed here are the writer’s and are not necessarily endorsed by Homeland Security Today, which welcomes a broad range of viewpoints in support of securing our homeland. To submit a piece for consideration, email HSTodayMag@gtscoalition.com. Our editorial guidelines can be found here.