Whether it’s hacktivists, organised crime perpetrators, script-kiddies or terrorists, governments across the world are facing a significant cyber threat. Given the sheer quantity and sensitive nature of much of the information it holds, it is indisputable that public-sector data is of significant value to cyber criminals.
The full magnitude of this threat was recently demonstrated by the mega-breach of the US Office of Personnel Management, in which sensitive information on over 21 million federal employees and their cohabitants was stolen.
Whilst much of the post-breach discussion centred on attributing the attack to particular culprits, there needs to be a serious discussion on how governing bodies should respond to this threat.
Governments across the globe are walking a tightrope between innovation and security. In the UK, the government’s investment in its Digital by Default agenda is a clear priority and offers significant opportunities to optimise the array of different services that it provides. However, digitisation massively increases the risk of breaches and information exfiltration.
The digitisation of healthcare is a clear example of where great initiatives are facing the challenges of information security. The government’s Care.data programme, which aims to digitise all patient records, is still struggling to fully demonstrate it can ensure the security and privacy of sensitive patient data.
Not a matter of quick fixes
Companies have had their arms bent backwards into accepting a duty of care over their stakeholders’ data. And those companies that have grievously neglected their security responsibilities are largely hung out to dry in the media after suffering a breach, with countless executives falling on their swords. In fact, the Cebr report into the economic consequences of inadequate cyber security found that 57% of British CEOs hold themselves accountable for major cyber security breaches.
It is perhaps for that reason that many industries have well and truly overtaken the government in its cyber security spending. Even though the 2014 Information Security Breaches Survey shows that 77% of the total cost of cybercrime in the UK is related to security breaches in the government, the British government remains only the fifth largest spender on cyber security across all industries.
But it is not only when compared to other industries that the government’s cyber security investment is called into question. Current cyber security spending figures show that investment is below what was previously predicted: for instance, the PSN Protected services market (the services that protect sensitive information in government) is at only one seventh of the government’s own earlier forecast, and this in the face of a growing cyber threat.
But it’s not just about spending money to fix the problem. Whilst investing in the best firewalls, Domain Name System (DNS) defences and best-practice training for employees will help any organisation reduce its cyber risk, organisations must also look at their own programmes and web applications to ensure they are secure by default.
Web application attacks remain one of the most frequent patterns in confirmed breaches and account for up to 35% of breaches in some industries, according to the 2015 Verizon Data Breach Investigations Report. And yet many organisations are only assessing a small number of their total applications, leaving the back door open to data exfiltration or malware injection.
Veracode’s recent State of Software Security report found that, globally, government organisations fare poorly compared to their private industry peers. Of those assessed, only 24% of government organisations’ web applications were compliant with the OWASP Top 10 Policy on First Risk Assessment.
The OWASP Top 10 is a list of the most critical vulnerability categories in web applications, including SQL Injection and Cross-Site Scripting (XSS), compiled through community consensus by the security practitioners of the Open Web Application Security Project (OWASP).
The research also found that only 27% of identified vulnerabilities in government applications get remediated, the lowest rate of any industry sector. Government applications also have the highest prevalence of SQL Injection and cryptographic issues.
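To make the SQL Injection category above concrete, here is an added example (not code from the article or from Veracode) showing the classic string-concatenation lookup beside its parameterised equivalent, run against a constructed in-memory SQLite database. The table names, usernames and API-key values are invented for the demonstration; the point is that the same attacker-supplied string either returns every user, or pulls rows from an unrelated table via UNION, when it is spliced into the query text, and returns nothing at all once it is passed as a bound parameter.

```python
import sqlite3


def _seed():
    """Build a constructed in-memory database with two tables.

    'users' is the table the lookup is meant to query; 'api_keys' is an
    unrelated table an attacker should never be able to read through it.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.gov"), ("bob", "bob@example.gov"), ("carol", "carol@example.gov")],
    )
    conn.execute("CREATE TABLE api_keys (name TEXT, secret TEXT)")
    conn.execute("INSERT INTO api_keys VALUES ('prod-service', 'sk-constructed-secret')")
    return conn


def lookup_vulnerable(conn, username):
    """Vulnerable form: user input is concatenated into the SQL text,
    so quotes, OR clauses, UNIONs and comment markers in the input are
    parsed as SQL grammar rather than as data."""
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return sorted(row[0] for row in conn.execute(sql).fetchall())


def lookup_parameterised(conn, username):
    """Hardened form: the value is bound as a parameter, so the driver
    sends it as data and the query structure cannot change."""
    sql = "SELECT username, email FROM users WHERE username = ?"
    return sorted(row[0] for row in conn.execute(sql, (username,)).fetchall())


def demo():
    """Run both lookups with a legitimate value and two injection payloads."""
    conn = _seed()
    bypass = "x' OR '1'='1"                               # turns the WHERE clause into a tautology
    exfil = "x' UNION SELECT name, secret FROM api_keys --"  # reads a different table; '--' comments out the closing quote
    return {
        "legit": lookup_parameterised(conn, "bob"),
        "vulnerable_bypass": lookup_vulnerable(conn, bypass),
        "vulnerable_exfil": lookup_vulnerable(conn, exfil),
        "parameterised_bypass": lookup_parameterised(conn, bypass),
        "parameterised_exfil": lookup_parameterised(conn, exfil),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The bypass payload makes the vulnerable lookup return all three usernames, and the UNION payload makes it return the `api_keys` row (the "data exfiltration" the report describes); the parameterised lookup returns an empty list for both, because no user is literally named `x' OR '1'='1`. Parameterisation, not input filtering, is the fix a scanner such as those behind the Veracode figures is checking for.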
Their standing in this report may in part be explained by government bodies’ heavier use of scripting languages and older platforms (e.g. ColdFusion), which are known to produce more vulnerabilities. However, other factors, such as the absence of the regulatory demands that apply in other sectors, may also explain the lower first-pass rate.
Call to action
But whilst there are improvements to be made, there is no doubt that the British government should be applauded for its cyber defences and for avoiding a mega-breach up to this point. That is especially so considering that NTT Com Security’s 2015 Global Threat Intelligence Report, released earlier this year, found the public sector is now the prime target for malware attacks in the UK, accounting for 40% of all malware attacks in 2014.
However, the British government must learn from its friends across the pond and understand that a mega-breach could be just moments away.
Nothing connected is unhackable. And leaving web applications vulnerable is like leaving the back door wide open. That’s why it’s crucial that all organisations – no matter how big or small, private or public – not only check their applications for flaws, but also act to remediate them.
Sourced from Chris Wysopal, Veracode