IT Seen As Vulnerable As Shutdown Ends
'Bad Guys Have Time to Hone Their Tools'
(This story has been modified from an earlier version to reflect the end of the shutdown)
IT systems shuttered during the partial government shutdown will be more vulnerable than usual to cyber-attacks as they're restored, security experts familiar with government IT systems say.
Hackers likely have used the weeks during the shutdown to plan ways to exploit vulnerabilities in systems when they're restored after the shutdown ends. "The bad guys have had time to hone their tools," says Alan Paller, research director of the SANS Institute, an information security education and certification organization.
Studies conducted by SANS have shown that an unpatched system going live on the Internet could be vulnerable to attacks within 21 minutes. "Twenty-one minutes is less than the time it takes to patch it," Paller says.
Since the shutdown began Oct. 1, the first day of fiscal year 2014, Adobe and Microsoft have revealed vulnerabilities in their software and offered patches to fix them (see Shutdown's Impact on Federal IT Security). But, Paller says, it could take agencies days - if not longer - to patch all their applications when systems are brought back up, giving attackers time to exploit systems.
Congress approved and President Obama signed a continuing resolution to fund government operations on Oct. 16, ending the partial shutdown.
As systems are restored, they could be less secure than normal because they had to be shuttered quickly.
"We're talking about people being told to leave on a Monday morning, and having four hours to clear out," says Bruce Brody, former chief information security officer at the Energy and Veterans Affairs departments. "I'm not sure the first thought on their mind was, 'Let's make sure all of the security settings are tweaked before we leave.'"
And it's not just patches that present security challenges. Systems brought back online could resort to their default settings that do not include security protections that were added over the years.
"Default configurations can be inherently non-secure, and I doubt configuration management is the first thing people think of when they bring their operations back online," says Brody, CISO at defense contractor DRS Technologies.
In addition, Brody points out that, in many cases, outside contractors have responsibility for the security of government IT systems, but some of these non-government workers have sought other jobs outside of government because their employers couldn't afford to pay them during the shutdown. "That could be significant if those are the individuals responsible for managing security configurations," he says.
Brody identifies other potential vulnerabilities that could cause problems as systems are restored. For example, when some employees leave government service, their user accounts remain active, making them vulnerable to exploits. In addition, passwords that are required to be reset after a specified time - say, 90 days - could remain active, which hackers could exploit.
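The two account-level gaps Brody describes, dormant accounts of departed staff and passwords whose reset window lapsed while systems were offline, are the kind of thing an agency can check before an application is put back on the network. The following audit script is an added example, not code from the article or from any agency; it assumes a 90-day reset window, a restoration date of Oct. 17, 2013, a constructed account export, and a constructed separation list.

```python
"""Post-restoration account hygiene audit (added, constructed example).

Flags two conditions the article describes: accounts of people who have
left but remain enabled, and passwords whose mandatory reset window
(assumed 90 days) expired while the systems were offline.
"""
from datetime import date, timedelta

# Assumed policy and dates: 90-day reset window; systems back on Oct. 17, 2013.
PASSWORD_MAX_AGE = timedelta(days=90)
RESTORE_DATE = date(2013, 10, 17)

# Constructed sample export, one record per account. In practice this would be
# pulled from the directory service; the field names here are assumptions.
ACCOUNTS = [
    {"user": "jdoe",   "enabled": True,  "pw_set": date(2013, 6, 1),  "admin": False},
    {"user": "rsmith", "enabled": True,  "pw_set": date(2013, 9, 20), "admin": True},
    {"user": "ctr01",  "enabled": True,  "pw_set": date(2013, 8, 15), "admin": True},
    {"user": "old42",  "enabled": False, "pw_set": date(2013, 1, 2),  "admin": False},
]
# Constructed separation list: staff or contractors who left during the shutdown.
SEPARATED = {"ctr01"}

SEVERITY_ORDER = ("CRITICAL", "HIGH", "MEDIUM")


def audit(accounts, separated, as_of=RESTORE_DATE, max_age=PASSWORD_MAX_AGE):
    """Return (user, finding) pairs, most urgent first."""
    findings = []
    for a in accounts:
        if not a["enabled"]:
            continue  # a disabled account is not a live attack surface
        if a["user"] in separated:
            # An enabled account with no owner is worst when it holds admin rights.
            sev = "CRITICAL" if a["admin"] else "HIGH"
            findings.append((a["user"], f"{sev}: account still enabled after separation"))
        age = as_of - a["pw_set"]
        if age > max_age:
            findings.append((a["user"],
                             f"MEDIUM: password {age.days} days old, past {max_age.days}-day reset window"))
    return sorted(findings, key=lambda f: SEVERITY_ORDER.index(f[1].split(":")[0]))


if __name__ == "__main__":
    for user, finding in audit(ACCOUNTS, SEPARATED):
        print(f"{user:8} {finding}")
```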
Paller says most of the vulnerabilities that agencies might face as they restore their systems could be avoided if the agencies used the Australian Signals Directorate's four top controls for mitigating information security risks:
- Patching applications and using the latest version of an application,
- Patching operating systems,
- Keeping administration rights under strict control, including restricting the use of administrative accounts for e-mail and web browsing, and
- Whitelisting applications.
Paller says whitelisting applications would prevent attackers from installing malicious apps because only applications previously approved could run on the system. "That's what stops this problem," he says.