SecurityScorecard’s annual U.S. State and Federal Government Cybersecurity Report was released today, and it paints a very grim picture of the government’s cyber health status.

Across all of the industries surveyed, including transportation, retail, and healthcare, government organizations received one of the lowest security scores. Cybersecurity incidents show no signs of slowing down, and as technology becomes more advanced and hackers become smarter, it’s up to organizations to take the right steps towards effective security defenses — especially today’s government agencies.

SecurityScorecard, a third party risk management company, looked into the strongest and weakest security standards based on security hygiene and security reaction time of various organizations, along with their 100 public-facing IP addresses. According to SecurityScorecard’s cofounder and COO, Sam Kassoumeh, the report is designed to educate officials, agency leaders, and government security personnel about the current state of security in the government sector.

“On an almost daily basis, the institutions that underpin the nation’s election system, military, finances, emergency response, transportation, and many more, are under constant attack from nation-states, criminal organizations, and hacktivists,” said Kassoumeh. “Government agencies provide mission-critical services that, until they are compromised, most people take for granted.”

Overall, the findings show government organizations struggled with several categories of security measurements: endpoint security, IP reputation, and patching cadence.

Compared to last year’s report, government organizations moved up from the lowest performing industry, past telecommunications and education. This year, government agencies are still the third lowest performing industry when compared to the other industries. One of the main reasons the government scores so low is the result of legacy systems and applications, which are defined as systems that were set up and now considered “antiquated technologies that are vulnerable to exploitation,” said Alex Heid, chief research officer at SecurityScorecard.

“The U.S. government is one of the original entities that invented the Internet, along with the university and education vertical,” said Heid. “It is therefore a natural result that the availability of old, exploitable technologies are mixed into an environment of recently implemented, possibly misconfigured new technologies.”

And besides its use of legacy technologies, the government may also run into security challenges (like network security and patching cadence) because of smaller budgets and resource shortages. However, increasing the availability of resources and personnel available is a way for the government to make progress with its cybersecurity efforts, according to Heid. He said that sometimes small cities or townships may only have a small staff of IT engineers, who have to double-task as being in charge of security as well. On the other hand, large agencies will most likely have the staff size, but the networks are so massive that not everything can be continuously accounted for at the same time, added Heid.

The good news is, government agencies seem to be taking steps towards better cybersecurity strategies and continuous solutions, and many on both federal and local levels are bringing attention to the importance of strong security practices, said Heid. The problem is, agencies are taking too long to ramp up cybersecurity efforts.

“Many government agencies are aware that information security is an area of concern across the board, and many are taking proactive steps to address the problems,” said Heid. “However, these efforts will oftentimes move at the ‘speed of government,’ which can be considerably lacking when it comes to the rapid developing world of emerging threats.”

Potential security risks and how hackers can get in
There are many ways that hackers can get into an organization, but according to Heid, it appears that default password use, as well as password reuse, are the most common and effective methods of pulling off an enterprise breach. Hardware devices and applications typically ship with default passwords in place, said Heid, and often times these passwords are never changed. And on some embedded systems, it’s not possible to change default passwords, he said.

“For password reuse attacks, over three billion email password combinations have been made available from publicly circulating data breaches, and attackers have been using these lists to find login portals where users have re-used accounts credentials,” said Heid. “Lower skilled attackers usually look for Netflix or Amazon logins, organized crime groups may look for banking credentials that have been reused, and state sponsored hacking groups would leverage the available .gov/.mil credentials to gain access to those respective resources, and the resources of third party contractors and services.”

Also, poor network security can lead to network level attacks, which Heid said can come in several forms. One way is where a hacker will exploit vulnerabilities within the protocol (FTP, telnet, SMB, etc.) with the goal of executing arbitrary code, like with a buffer overflow attack, he said.

“These types of attacks are considered high value, as they provide instant access to systems running vulnerable software,” said Heid. “A more common network attack is a brute force attack that leverages circulating email address : username : password combinations. Attackers will use information from hacked databases to attempt to access other services that may be using the same credentials.”

Enterprises and agencies should also take a look at their patching cadence score, which is defined as the measurement of frequency for the implementation of software updates. The patching cadence score indicates if there is a significant delay from the time a vulnerability patch is made to the time when the patch gets implemented into the enterprise’s network, said Heid.

Agencies or organizations that want to dig into the granular details of their particular scorecard can get an immediate view of the issue factors that affect their enterprise, according to Heid. They can claim their scorecard to engage in a “collaborative remediation process for their own enterprise, as well as that of their partners and business ecosystem,” he added.

But from a network security standpoint, Heid and SecurityScorecard advise agencies to conduct continuous availability audits on their external network assets in order to ensure that proper segmentation is always in place, he said.