UPDATE (Jan. 25): Recent news reports state a deal has been reached to re-open the federal government through Feb 15. The issues outlined in this blog continue to apply to public and private sector organizations.
As many of you may have read in the news recently, the government shutdown has had a negative impact on both federal and enterprise security. Krebs on Security has reported possible consequences of the government shutdown on the talent pool, such as federal employees actively being recruited by the private sector, as well as delays on security clearances. Duo Security’s news arm, Decipher, has also done a great job laying out potential government shutdown impacts on enterprise security, including delays on NIST guidelines and standards, and closure of FIPS validation sites.
What is clear is that when more than 800,000 federal workers are furloughed or working without pay, malicious actors will be more incentivized to speed up malicious operations. In fact, the Department of Homeland Security (DHS) issued an emergency directive on Tuesday, giving organizations a four-step plan to protect against DNS hijacking campaigns affecting federal agencies during the shutdown. Enterprises that depend on federal organizations like NIST for guidance and threat intelligence will no doubt be affected by the lack of service during the shutdown. In addition, many correlated security challenges (such as outdated federal website certificates and exposed federal passwords) can cause headaches for private organizations during this extraordinary time. Let’s break down three ways organizations can respond to some of these challenges.
1. Deal with outdated website certificates
According to Netcraft, more than 130 TLS certificates that are used by the U.S. government have expired without being renewed. Some of these websites are completely inaccessible because leading browsers, e.g. Google Chrome, discourage users from visiting sites that have expired security certificates. Organizations that need key government documents or information for daily operations from websites like manufacturing.gov (now restored) will be impacted. TechCrunch has listed the expired websites and all the websites set to expire as a result of the shutdown.
Essentially, what these website certificates do is allow for the encrypted exchange of information between the requesting party and the website, in order to protect sensitive details like bank account information, login credentials, or credit card information over the web. Website certificates exist to instill trust in the legitimacy of that website and to let you know that attacks like man-in-the-middle (MITM) are less likely to happen. When a website’s certificate has expired, the browser can no longer vouch for the site’s identity, which simply means that you can no longer trust that website. With the shortage of federal staff to maintain these websites, there is a greater chance that an attacker could leverage this gap to stage a MITM attack through these sites and, in turn, steal credentials.
What you can do: rather than just blocking all websites whose certificates are untrusted, consider web isolation products like Symantec’s Web Gateway, which let users access these websites through an isolated container. This method prevents your machine from downloading malware, and websites can be rendered in read-only mode to protect against the harvesting of credentials. In addition to web isolation products, organizations need to monitor user access traffic to ensure that if a credential was compromised, it is not being used maliciously in their organization. Just as websites need to verify their legitimacy and establish trust with a web certificate, users should be prompted with multi-factor authentication to verify their identity, ensuring their credentials are not being used inappropriately.
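A practical complement to the Netcraft count is to check the certificates of the government sites your own operations depend on, rather than waiting for a browser warning. The following Python script is an added example (not from the original post and not Preempt’s code): it classifies a certificate by its validity window and, for a live host, maps an expired-chain verification failure onto the same status. The sample certificate dict and the hostname in it are constructed.

```python
import socket
import ssl
import time

# Constructed sample in the dict shape ssl.SSLSocket.getpeercert() returns;
# not a real certificate from any .gov site.
SAMPLE_CERT = {
    "subject": ((("commonName", "docs.example.gov"),),),
    "notBefore": "Feb 10 00:00:00 2018 GMT",
    "notAfter": "Jan 10 23:59:59 2019 GMT",
}
DAY = 86400


def cert_status(cert, now, warn_days=14):
    """Classify a getpeercert()-style dict at Unix time `now`.

    Returns 'not_yet_valid', 'expired', 'expiring' (less than warn_days
    left) or 'valid'. ssl.cert_time_to_seconds parses the GMT date strings
    the ssl module reports.
    """
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if now < not_before:
        return "not_yet_valid"
    if now >= not_after:
        return "expired"
    if not_after - now < warn_days * DAY:
        return "expiring"
    return "valid"


def check_host(host, port=443, warn_days=14):
    """Report the status of a live host's certificate.

    An expired chain fails the default context's verification before
    getpeercert() yields anything, so the error is inspected instead:
    OpenSSL verify code 10 is X509_V_ERR_CERT_HAS_EXPIRED. Other trust
    failures (wrong hostname, unknown CA, ...) are reported with the reason.
    """
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=5) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return cert_status(tls.getpeercert(), time.time(), warn_days)
    except ssl.SSLCertVerificationError as err:
        return "expired" if err.verify_code == 10 else "untrusted: " + err.verify_message
    except OSError as err:
        return "unreachable: " + str(err)
```

Run check_host over the list of domains you rely on and alert on anything other than 'valid'; the 'expiring' state gives you time to find an alternate source before the site goes dark.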
2. Know that NIST standards aren't being updated
Anyone going onto the NIST website will be greeted with a message that most of the site isn’t being updated until further notice because of a lack of government funding. The NIST documentation on cybersecurity is critical for any organization’s security professionals, as it offers a framework for how to architect a sound security program. A dirty secret in the security industry is the unnecessary vendor noise on how organizations should achieve good security posture. NIST helps CISOs and their information security teams cut through this noise by following the NIST framework, giving organizations an actionable, objective path forward that isn’t driven by vendor interest.
Although updates to NIST guidelines and standards will be delayed for now, organizations can still find NIST’s cybersecurity framework, which remains accessible on their site. And while work on NIST’s Risk Assessment Framework (RMF) will be delayed, the National Vulnerability Database and the National Cybersecurity Center of Excellence (NCCoE) will be available for security professionals during this time. Here are some other security resources that will be available during the shutdown:
The National Cybersecurity and Communications Integration Center (NCCIC) will keep their service desk open to accept calls.
The National Technical Information Service (NTIS) will remain open.
The Small Business Administration (SBA) will continue to offer recommendations and guidance through their website.
Even though the shutdown presents considerable challenges, organizations looking for threat mitigation strategies must continue to understand where their most sensitive applications and systems are and who is accessing them. Just as NIST recommends a risk-based approach, organizations must prioritize threats both on-premises and in the cloud based on risk. A good strategy at the moment is to understand where your risk is at all times and to prioritize the user access behavior that puts your most sensitive information at risk of breach. Preempt’s risk identification features can help security-minded organizations navigate the challenges brought on by the shutdown.
3. Protect against DNS hijacking campaigns
So far, 6 federal agencies have been affected by the DNS hijacking campaigns, which according to FireEye started two years ago and have affected organizations around the world. These attacks tend to start with a credential compromise, usually in the form of a phishing attack, that gives the malicious actors access to an organization’s DNS records.
The Domain Name System (DNS) translates a domain name to an IP address, sending a user to the website they are trying to reach. The attacker modifies the DNS records so that the organization’s legitimate address is replaced with a malicious one, and unsuspecting users are redirected there. Beyond the redirection, the attackers also obtain TLS certificates for the website’s domain names so that they can read the sensitive data directed to their malicious websites.
With furloughs causing a government staff shortage, it will be more difficult for federal agencies to abide by the four directives laid out by the Cybersecurity and Infrastructure Security Agency (CISA), an arm of the Department of Homeland Security:
Audit DNS records for all .gov and agency-managed domains
Change DNS account passwords for all accounts on systems that can make changes to agency DNS records
Implement Multi-Factor Authentication (MFA) to all accounts on systems that can make changes to agency DNS records
Monitor certificate transparency (CT) logs for certificates issued and report unauthorized certificates
While the emergency directive is issued to all federal agencies to complete no later than Feb. 5, all organizations can benefit from following components of the four-step plan: auditing certificates, requiring DNS account password changes, and implementing MFA. Enterprises can leverage Facebook’s open framework to help log, audit, and monitor publicly-trusted TLS certificates on the Internet.
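Steps 1 and 4 of the plan lend themselves to scripting. The following Python is an added example (not from the post, from CISA, or from Preempt): it diffs the DNS records an organization intends to publish against what the zone currently serves, and flags CT log entries whose issuer is not a CA the organization actually uses. The baseline, the observed records and the CT entries are all constructed; in practice the observed set comes from querying the zone and the entries from a CT monitor such as the Facebook tool mentioned above.

```python
# Constructed baseline: records the organization intends to publish,
# keyed by (owner name, record type). Not real .gov data.
BASELINE = {
    ("www.example.gov", "A"): {"203.0.113.10"},
    ("example.gov", "MX"): {"10 mx1.example.gov."},
    ("example.gov", "NS"): {"ns1.example.gov.", "ns2.example.gov."},
}

# Constructed snapshot of what the zone currently serves: the web host's
# A record now points elsewhere and an unknown host has appeared.
OBSERVED = {
    ("www.example.gov", "A"): {"198.51.100.77"},
    ("example.gov", "MX"): {"10 mx1.example.gov."},
    ("example.gov", "NS"): {"ns1.example.gov.", "ns2.example.gov."},
    ("vpn.example.gov", "A"): {"198.51.100.78"},
}

# Constructed CT log entries in the shape a monitor would hand back.
CT_ENTRIES = [
    {"domain": "www.example.gov", "issuer": "Trusted Public CA", "logged": "2018-11-02"},
    {"domain": "www.example.gov", "issuer": "Some Other CA", "logged": "2019-01-21"},
    {"domain": "example.gov", "issuer": "Trusted Public CA", "logged": "2018-06-14"},
]
APPROVED_ISSUERS = {"Trusted Public CA"}  # CAs the organization really buys from


def audit_dns(baseline, observed):
    """Return (name, type, finding, detail) tuples for every discrepancy."""
    findings = []
    for key in sorted(set(baseline) | set(observed)):
        want = baseline.get(key)
        have = observed.get(key)
        if want is None:
            findings.append(key + ("unexpected", sorted(have)))
        elif have is None:
            findings.append(key + ("missing", sorted(want)))
        elif want != have:
            findings.append(key + ("changed", (sorted(want), sorted(have))))
    return findings


def unauthorized_certs(entries, approved):
    """Return CT entries whose issuer is not a CA the organization uses."""
    return [e for e in entries if e["issuer"] not in approved]


if __name__ == "__main__":
    for finding in audit_dns(BASELINE, OBSERVED):
        print("DNS", *finding)
    for entry in unauthorized_certs(CT_ENTRIES, APPROVED_ISSUERS):
        print("CT ", entry["domain"], "issued by", entry["issuer"], "on", entry["logged"])
```

A changed A record together with a certificate from an unfamiliar CA for the same name is exactly the combination the campaign described above produces, so both findings are worth paging on.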
Preempt Any App can help organizations ensure that administrators who are logging into DNS servers are verified by MFA, without any changes to the login sequence of the DNS servers or any other modification to network infrastructure. Preempt does this by acting as an LDAP or Kerberos proxy, holding the authentication request to the domain controller until the user is verified by a second factor, and verifying login credentials with the Active Directory domain controller. In addition, Preempt audits passwords being used by accounts accessing DNS servers and can enforce a password reset. For government departments that need to quickly respond to the directive, this is an effective approach. Otherwise, code modifications or shims need to be added to the login sequences, which add complexity and time, as well as being prone to errors. Take the necessary steps to limit the impact on your security organization during the shutdown, and feel free to contact us at email@example.com for strategies and tips on mitigating risks.