by Nick Kael
Posted on February 28, 2023
Cybercriminals have varied objectives for launching cyberattacks against the public sector. In some cases, attacks are an effective new weapon to leverage in conflicts between nation states. In other cases, cyberattacks are simply a way to turn a profit: the public sector holds large volumes of valuable data, and getting access to that data can generate ongoing returns. Ransomware and the sale of stolen data are just two of the ways public sector breaches are made to pay.
Threats to government agencies represent a clear and present danger. A response to a recent Freedom of Information (FOI) request revealed that public councils in the UK faced roughly 10,000 attacks per day on average throughout August 2022. Some 2.3 million attacks were detected from the start of the year to that point, a 14% increase over the previous year.
The sheer volume of attacks makes securing public resources a matter of utmost importance. The first step required to protect agencies is to identify the vectors most commonly used for attacks, so a targeted security strategy can be developed and a strong security stack built to address the very real threats public sector organizations most frequently face.
A startling 86% of cyberattacks are initiated through one of only three vectors: public-facing applications, compromised accounts, and phishing. This means that hardening these three vectors can prevent the majority of attacks. Let’s take a hard look at each one, including how each is most often exploited.
The increasing – and ongoing – digital transformation of the public sector and adoption of app-based service provision has enhanced agility and scalability, enabling better, more efficient government services for citizens and businesses. It also leaves the public sector more vulnerable to attacks. Public-facing applications are designed for easy internet access, meaning that unless they are properly locked down, they also enable relatively easy access for cybercriminals.
Attackers can exploit these apps through weaknesses like misconfigurations and vulnerable open-source dependencies. Developers may inadvertently deploy apps that still contain credentials and secrets added to streamline internal processes, and which grant over-privileged access once the apps are live. Injection attacks, cross-site scripting (XSS), cross-site request forgery (CSRF), DDoS attacks, and exploitation of unpatched vulnerabilities are just some of the techniques attackers use to breach government apps.
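The "secrets left in the deployed app" problem above is one a CI pipeline can catch before release. The scanner below is an added example, not code from the original post or from Ericom: it combines fixed-format rules (an AWS access key ID prefix, a PEM private-key header) with keyword-driven assignment rules filtered by Shannon entropy, so that a real password assigned in source is flagged while a dummy fixture value or a read from the environment is not. The sample files, file names, thresholds and the rule set are all constructed assumptions; the AWS values are Amazon's documented placeholder examples, not live keys.

```python
import math
import re

# Constructed sample repository contents (assumption, not from the original post).
# The AWS values are Amazon's documented placeholder examples, not live credentials.
SAMPLE_FILES = {
    "config/settings.py": 'DB_PASSWORD = "Sup3r-s3cret-Pr0d!"\nDEBUG = False\n',
    "deploy/aws.env": (
        "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
        "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
    ),
    "app/main.py": 'password = os.environ["DB_PASSWORD"]\n',  # reads from env: fine
    "tests/fixtures.py": 'password = "password"\n',           # low-entropy dummy
}

# Identifier fragment that marks a variable as likely holding a credential.
KEYWORDS = r"\w*(?:password|passwd|secret|api[_-]?key|token)\w*"

# Structural rules fire on any match: the token format itself is the evidence.
STRUCTURAL_RULES = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}
# Assignment rules capture (name, value); the value must also clear an entropy bar.
ASSIGNMENT_RULES = {
    # name = "value" or name: 'value' inside source code
    "quoted_assignment": re.compile(
        rf"(?i)\b({KEYWORDS})\s*[=:]\s*['\"]([^'\"]{{8,}})['\"]"),
    # KEY=value lines in .env / shell-style files: unquoted, nothing trailing
    "dotenv_assignment": re.compile(
        rf"(?i)^\s*({KEYWORDS})\s*=\s*([^\s'\"#]{{8,}})\s*$"),
}
MIN_ENTROPY_BITS = 3.0  # bits/char (assumed threshold); "password" scores ~2.75


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character, from the value's own character frequencies."""
    if not value:
        return 0.0
    counts: dict[str, int] = {}
    for ch in value:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(value)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def scan_text(path: str, text: str) -> list[dict]:
    """Return one finding per (line, rule) hit; low-entropy assigned values are dropped."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in STRUCTURAL_RULES.items():
            if pattern.search(line):
                findings.append({"path": path, "line": lineno, "rule": rule, "name": None})
        for rule, pattern in ASSIGNMENT_RULES.items():
            m = pattern.search(line)
            if m and shannon_entropy(m.group(2)) >= MIN_ENTROPY_BITS:
                findings.append({"path": path, "line": lineno, "rule": rule, "name": m.group(1)})
    return findings


def scan_files(files: dict[str, str]) -> list[dict]:
    """Scan an in-memory {path: contents} tree; a real pipeline would walk the checkout."""
    return [f for path, text in files.items() for f in scan_text(path, text)]


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f['path']}:{f['line']} {f['rule']} {f['name'] or ''}".rstrip())
```

Run against the constructed tree, the scanner reports the hard-coded database password and both AWS values and stays quiet on the environment lookup and the test fixture. The entropy filter is what keeps the keyword rules usable; without it every `password = "password"` in a test suite would be a finding, and the scan would be ignored.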
For public sector agencies, as for all organizations, keeping software up to date and applying patches promptly is essential cyber hygiene and a key safeguard against many attacks. In fact, a recently issued report indicates that over three-quarters of the vulnerabilities currently being exploited by ransomware groups were discovered between 2010 and 2019; that is, they are years-old flaws rather than fresh zero-days.
In addition, organizations should regularly run vulnerability scans and penetration tests, and minimize reliance on broad network-access solutions like VPNs, whose gateways have repeatedly been the target of exploited vulnerabilities. Finally, the security stack should include solutions that protect the attack surface of public-facing apps, like ZTEdge Web Application Isolation (WAI).
The Verizon DBIR 2022 report identifies system intrusion as the dominant and fastest-growing attack pattern for Public Administration. According to Verizon, this pattern combines hacking, malware and social engineering, with stolen credentials (for account compromise) and malware deployment as the main levers.
It’s easy to understand why compromised accounts are a preferred attack vector for cybercriminals. Attackers appear as legitimate users, which lets them move laterally through the network without raising suspicion. Compromised accounts also lend social proof that makes follow-on social engineering more effective. This is especially important for business email compromise (BEC) attacks, in which the (seeming) legitimacy of the sender is essential for tricking recipients into sharing credentials or transferring funds. For attackers, highly privileged accounts with access to sensitive information are the most valuable, since they offer the greatest network reach and the most opportunities to inject malware, exfiltrate data or establish persistence.
Accounts may be compromised through brute force attacks, password spraying, credential stuffing, phishing, malware, or other methods. Supply chain attacks on government vendors, as in the SolarWinds case, are also becoming an increasingly common route to account compromise.
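Brute force and password spraying look different in authentication logs, and the difference matters for detection: a sprayer tries one or two common passwords against many accounts, staying under the per-account lockout threshold, so a detector that only counts failures per account never fires. The script below is an added example, not code from the original post or from Ericom. It parses a constructed, simplified auth log (the line format, the source IPs from RFC 5737 test ranges, and the thresholds are all assumptions), pivots on the source address, and separates spraying from single-account brute force and from an ordinary user mistyping a password. It also reports any account that succeeded after failures from the same source, since that is the credential to reset first.

```python
import re
from collections import defaultdict

# Constructed authentication log (assumption, not from the original post).
# Source addresses are RFC 5737 documentation ranges, not real hosts.
SAMPLE_LOG = """\
2023-02-27T09:00:01Z result=failure user=alice src=203.0.113.10
2023-02-27T09:00:04Z result=failure user=bob src=203.0.113.10
2023-02-27T09:00:07Z result=failure user=carol src=203.0.113.10
2023-02-27T09:00:10Z result=failure user=dave src=203.0.113.10
2023-02-27T09:00:13Z result=failure user=erin src=203.0.113.10
2023-02-27T09:00:16Z result=failure user=frank src=203.0.113.10
2023-02-27T09:00:19Z result=failure user=grace src=203.0.113.10
2023-02-27T09:00:22Z result=success user=grace src=203.0.113.10
2023-02-27T09:01:00Z result=failure user=admin src=198.51.100.7
2023-02-27T09:01:01Z result=failure user=admin src=198.51.100.7
2023-02-27T09:01:02Z result=failure user=admin src=198.51.100.7
2023-02-27T09:01:03Z result=failure user=admin src=198.51.100.7
2023-02-27T09:01:04Z result=failure user=admin src=198.51.100.7
2023-02-27T09:01:05Z result=failure user=admin src=198.51.100.7
2023-02-27T09:02:30Z result=failure user=alice src=192.0.2.20
2023-02-27T09:02:41Z result=success user=alice src=192.0.2.20
2023-02-27T09:05:00Z service restarted
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) result=(?P<result>success|failure) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Assumed policy and detection thresholds; tune to the real lockout policy.
LOCKOUT_THRESHOLD = 5    # per-account lockout a sprayer deliberately stays under
SPRAY_MIN_ACCOUNTS = 5   # distinct accounts from one source before calling it spraying
BRUTE_MIN_FAILURES = 5   # failures against one account from one source


def parse(log_text: str) -> list[dict]:
    """Parse well-formed auth lines into dicts; unrelated lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def classify_sources(events: list[dict]) -> dict:
    """Group by source address and label each as spraying, brute force, or benign."""
    failures = defaultdict(lambda: defaultdict(int))  # src -> user -> failure count
    successes = defaultdict(list)                     # src -> users that logged in
    for e in events:
        if e["result"] == "failure":
            failures[e["src"]][e["user"]] += 1
        else:
            successes[e["src"]].append(e["user"])

    report = {}
    for src in set(failures) | set(successes):
        per_user = failures.get(src, {})
        n_accounts = len(per_user)
        max_fail = max(per_user.values(), default=0)
        if n_accounts >= SPRAY_MIN_ACCOUNTS and max_fail < LOCKOUT_THRESHOLD:
            pattern = "password_spraying"   # wide, shallow: evades per-account lockout
        elif max_fail >= BRUTE_MIN_FAILURES:
            pattern = "brute_force"         # narrow, deep: lockout would catch this
        else:
            pattern = "benign"
        report[src] = {
            "pattern": pattern,
            "accounts": n_accounts,
            "max_failures_per_account": max_fail,
            # accounts that succeeded after failing from this source: reset these first
            "successes": [u for u in successes.get(src, []) if u in per_user],
        }
    return report


if __name__ == "__main__":
    for src, info in sorted(classify_sources(parse(SAMPLE_LOG)).items()):
        print(src, info)
```

The sprayer at 203.0.113.10 never exceeds one failure per account, so a per-account lockout rule sees nothing; pivoting on the source exposes seven accounts probed in twenty seconds and the one (grace) that let the attacker in. Real sprayers rotate source addresses, so production detection also aggregates by time window, ASN or the count of distinct accounts failing org-wide, but the per-source view is the first cut.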
Security controls like MFA, password vaults, and posture-aware access restrictions are important ways to protect your agency from breach via stolen credentials. Microsegmenting networks and using identity and access management (IAM) to apply the Zero Trust principle of least-privilege access can strictly limit lateral movement even if a criminal manages to log in with stolen employee credentials.
Unmanaged devices present a particular threat in regard to credential theft, since malware such as keyloggers and other spyware may be present on the device. Clientless, cloud-based ZTEdge WAI addresses this risk by enabling access from unmanaged devices solely via the ZTEdge cloud platform, where isolation is applied to protect agency apps from malware, as well as preventing access via stolen credentials.
Phishing remains one of the most popular and widely used attack vectors for criminals. These attacks are easy to execute, require no advanced technical know-how, and rely on sheer probability: send enough emails and some valuable targets will open one and click through to the site. In some cases, that click alone downloads malware. In others, users innocently “log in” and hand over their credentials, or download malware or a weaponized attachment. Keep in mind that a single “successful” phishing email is enough to compromise the organization.
As the continuing success of phishing demonstrates, despite widespread anti-phishing training programs, humans are the most vulnerable element of any system. Isolation-based anti-phishing solutions, which open uncertified sites in read-only mode, air-gap endpoints from website content, and apply content disarm and reconstruction (CDR) to sanitize downloads, must therefore be a cornerstone of public sector security.
Public sector agencies are in cybercriminals’ crosshairs. For governments and the citizens they serve, the cost of a successful attack is high.
For more insights into how public sector agencies like yours can prevent the most common types of attacks, our To Secure the Public Sector from Cyberattacks, in Zero We Trust white paper is a must-read. Download it now.