The government of the United States of America is perhaps the largest target on Earth for cyber attacks. The US has plenty of enemies, a track record of perpetrating cyber warfare and espionage (even upon its allies), numerous recent instances of susceptibility to such attacks, countless official documents attesting to its weakness against cyber attacks, and, of course, the US government leads the wealthiest nation with the most powerful military. These facts are not lost on the good people responsible for the well-being of American citizens and people all over the world.
The US government is not an island, though, and it does what it does through relationships with a network of vendors and third parties. In this regard, the US government is like any other organization; every business depends on peers to provide services that are outside of its core competency. But, as a government, it also interacts differently with those suppliers. Effectively bidding on government contracts requires significant investment from a business, frequently creating separate markets for those who pursue government contracts and those who operate in the market at large.
Perhaps that difference in incentive – and really, that difference in how they are held accountable – can help explain the kinds of insecure configurations UpGuard has found among the riskiest government contractors*. Rather than naming these vendors, this report uses real but anonymous data to point out the ways in which these vendors – like many vendors – have made themselves and their clients more likely to be breached. Such data can be used to compile security ratings capable of accurately communicating the real cyber risk carried by such entities: the third-party vendor risk faced whenever doing business with external partners. Cyber resilience can only be fostered with an awareness of the risks.
Exposing server headers is a configuration setting that is defensible in the worst way. There once was a reason to expose these headers – because you didn't really expect the internet to work and needed them for debugging – and now hiding them is sometimes criticized as "security through obscurity." That's not false, but it is an academic defense of a bad practice. Especially with the rise of infrastructure indexing, you cannot afford to give extra information about your vulnerabilities to the horde of script kiddies.
In this vendor's CyberRisk report we found numerous instances of exposed header information.
Looking more closely at one of those sites, we see the server they are using:
Next we flip over to Google to learn more about that web server. The autocomplete suggestions give some idea of the search volume of hacker interest in this software.
Encryption of data in transit is one of the foundations of modern web security. When traffic is not encrypted, anyone intercepting it can read the contents as plain text. If sufficiently strong encryption is used, intercepting the traffic is rendered useless as an attack vector. Encryption is vital to protecting passwords, credit card numbers, and other pieces of valuable information.
This vendor had numerous risks that would contribute to data being intercepted, stolen, or falsified.
And so it was especially shocking to see it on this vendor's contact form. The kind of people who would be submitting this form are exactly the people whose private information could most easily be used to harm national interests.
Large contractors operate around the world and own domains for the different countries in which they operate. Google, for example, owns google.fr, google.co.uk, google.com.au, and so on for virtually every top level national domain. Companies that specialize in working for governments do the same. The difference is that when they do not protect their domain adequately, they open it up for attackers (often operating in less hospitable political environments) to take control of domains that indicate authority within the contractor's organization. Allowing domains to expire is one surprisingly common mistake. Less obviously but more frequently, domains that are not transfer locked and lack email fraud protections can be obtained by combining the vectors discovered in this contractor's digital profile.
The only thing keeping encryption from being the top dog of security practices is the need to keep unnecessary ports closed. Whether they offer remote administrative access, access to databases, or, as in this case, file servers, these additional services should not be publicly exposed. Without revealing too much about this vendor, the port was available on a domain that has since been redirected to their main site – but both the domain and the redirected URL named the client whose data is stored in this file share.
This vendor has a number of issues. One in particular that stands out is the low employee satisfaction and low CEO approval rating. Depending on a large contractor work force means that sensitive data passes through the hands of many people. Dissatisfaction with their work life and the leaders of their organization can only increase leaks like those of Edward Snowden, a government contract employee at the time.
Upgrading software is a necessary tax on using technology. It takes time and requires planning, but it has benefits too – not just new features that make your applications faster, more reliable, and easier to develop, but security enhancements that address the vulnerabilities constantly being discovered. And so when a business has not updated the version of the programming language used on its website since March of 2014 (and shows this information publicly), it exposes itself to a bevy of potential lines of attack.
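To check your own sites for the header exposure and publicly shown language version described above, the following added example (not code from UpGuard or from the original report) audits a raw HTTP response head for headers that reveal product names or versions. The header list, function names and both sample responses are assumptions constructed for illustration.

```python
import re

# Headers that commonly advertise the software stack behind a site.
DISCLOSING = ("server", "x-powered-by", "x-aspnet-version")
# A product token followed by a version, e.g. "Apache/2.2.15".
VERSION = re.compile(r"([A-Za-z][\w.-]*)/(\d+(?:\.\d+)+)")
BARE_VERSION = re.compile(r"^\d+(?:\.\d+)+$")

def parse_headers(raw):
    """Parse a raw HTTP response head into a list of (name, value) pairs."""
    pairs = []
    for line in raw.strip().splitlines()[1:]:  # skip the status line
        if not line.strip():
            break  # a blank line ends the header block
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs

def audit_disclosure(raw):
    """Return (header, kind, detail) findings for stack-revealing headers."""
    findings = []
    for name, value in parse_headers(raw):
        if name not in DISCLOSING:
            continue
        versions = VERSION.findall(value)
        if versions:
            for product, version in versions:
                findings.append((name, "version", f"{product} {version}"))
        elif BARE_VERSION.match(value):
            findings.append((name, "version", value))
        elif name != "server":
            # X-Powered-By style headers are unnecessary even without a version.
            findings.append((name, "product", value))
    return findings

# Constructed sample responses (not taken from any real site).
EXPOSED = """HTTP/1.1 200 OK
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
Content-Type: text/html
"""
HARDENED = """HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html
"""

print(audit_disclosure(EXPOSED), audit_disclosure(HARDENED))
```
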
Insecure configurations, like those found on these vendors and more, appear to be minor or even inconsequential in isolation, but these are the building blocks that add up to the epidemic of breaches we read about every day. Gaining visibility into your own properties can allow you to start remediating your risk factors and lower your likelihood of being breached. Having that same visibility for your third party vendors, like these contractors, is equally imperative. This information can be used to make buying decisions between vendors, but really it should be used to raise the bar for all businesses. Every business has some private data, and insecure digital surfaces should not be acceptable for anyone. By holding ourselves and each other accountable for lowering cyber risk, we can build a cyber resilient digital society.
*The riskiest vendors were selected by gathering the top 100 US government contractors and then looking at those with the lowest overall CSTAR scores. These are, by definition, the vendors with the most insecure configurations. This report uses those findings to select and explore exemplars of doing it wrong.