Government agencies are faced with cybersecurity challenges from all sides. Digital transformation initiatives can expose weak points in an attack surface, putting pressure on agencies’ IT teams to get it just right. And from insider threats to persistent vulnerabilities within networks and operating systems, public sector leaders feel the urgency to obtain a clear picture of what’s most at-risk.

As we kick off 2023, the Synack Red Team reviewed the most common vulnerabilities found in 2022. Each of these vulnerabilities have the potential to pose significant threats to large organizations—governments and beyond—and will continue to be monitored as we move through 2023.

Here are the top 5 vulnerability categories found by Synack in government accounts in 2022:

#5: Remote Execution

Remote Code Execution refers to a vulnerability where an unauthenticated attacker can remotely execute commands to place malware or malicious code on your network or hardware.

#4: Brute Force

In a brute force attack, attackers utilize exhaustive key searches to constantly search and systematically check possible passwords or passphrases until the correct one is found. This can lead to successful phishing attacks and more.

#3: SQL Injection

This attack style consists of insertion or injection of a SQL query via the input data from client to application. A successful exploit of this style can read and even modify sensitive data, execute admin functions (including shutting down systems), and in some cases, issue commands to an operating system.

 #2: Authorization Permissions

The second most common vulnerability found in 2022 relates to improper authorizations. With authorizations, a user’s right to “access a given resource [is] based on the user’s privileges and any permissions or other access-control specifications that apply to the resource.” In this case, unauthorized users may gain access to resources or initiate unwanted actions that they should not be allowed to perform, potentially leading to data exposures, DoS, or arbitrary code execution.

#1: Cross Site Scripting XSS 

The most found vulnerability among Synack’s government missions in 2022 was cross-site scripting (XSS). According to NIST, this vulnerability “allows attackers to inject malicious code into an otherwise benign website. These scripts acquire the permissions of scripts generated by the target website and can therefore compromise the confidentiality and integrity of data transfers between website and client. Websites are vulnerable if they display user-supplied data from requests or forms without sanitizing the data so that it is not executable.”

Government organizations need to stay on top of these and countless other vulnerabilities, and mandates are pushing security teams to address this head on by adopting a zero trust model. At a high level, a Zero Trust Architecture provides a framework and structural guidance to ensure that only the individuals and systems who need access, have access. Dedicated and continuous application security testing programs are a critical piece to achieving a zero trust paradigm, and investment in security testing is critical to ensuring agencies in the United States have minimized known vulnerabilities and are adhering to Executive Order 14028 and Memorandum 22-09.

How can my team reduce found vulnerabilities?

• Understand your attack surface. Ensure you have a clear picture of your dynamic assets and that your attack surface is defined. This is key to managing cyber risk. 
• Set your vulnerability alerts. Stay aware of the latest active exploits, vulnerabilities and security issues affecting government and industry-specific verticals by signing up for alerts from CISA.
• TEST! Does your security testing plan include testing for the 5 common vulnerabilities above? Synack can help. Chat with a Synack public sector representative today to learn how the Synack platform empowers in-house teams to scale and protect your mission continuously in a FedRAMP Moderate In Process environment.
• Double down on Vulnerability Management. Make sure you are prioritizing vulnerabilities according to their criticality, patching them and then independently verifying that those patches have worked.
• Orchestrate. Your SOAR has defensive security data from logging, alerting, threat intel and more. You should also integrate Synack continuous penetration testing data to automate your offensive security practices within the SOC. Such an integration will enable continuous, defensive improvements so you can truly grade and improve your security posture.

Additional Resources

READ: Our Guide to Zero Trust
WATCH: Webinar with HHS’ Matthew Shallbetter
LEARN: Synack’s FedRAMP Moderate In Process Certification

The post The Top 5 Cybersecurity Vulnerabilities for Government Agencies in 2022 appeared first on Synack.

Cybersecurity officers tasked with finding and mitigating vulnerabilities in government organizations are already operating at capacity—and it’s not getting any easier.

First, the constant push for fast paced, develop-test-deploy cycles continuously introduces risk of new vulnerabilities. Then there are changes in mission at the agency level, plus competing priorities to develop while simultaneously trying to secure everything (heard of DevSecOps?). Without additional capacity, it’s difficult to find exploitable critical vulnerabilities, remediate at scale and execute human-led offensive testing of the entire attack surface. 

The traditional remedy for increased security demands has been to increase penetration testing in the tried and true fashion: hire a consulting firm or a single (and usually junior) FTE to pentest the assets that are glaring red. That method worked for most agencies, through 2007 anyway. In 2022, however, traditional methodology isn’t realistic. It doesn’t address the ongoing deficiencies in security testing capacity or capability. It’s also too slow and doesn’t scale for government agencies.

So in the face of an acute cybersecurity talent shortage, what’s a mission leader’s best option if they want to improve and expand their cybersecurity testing program, discover and mitigate vulnerabilities rapidly, and incorporate findings into their overall intelligence collection management framework? 

Security leaders should ask themselves the following questions as they look to scale their offensive and vulnerability intelligence programs:

• Do we have continuous oversight into which assets are being tested, where and how much? 
• Are we assessing vulnerabilities based on the Cybersecurity Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities Catalog, or are we assessing vulnerabilities using the Common Vulnerability Scoring System (CVSS) calculator? 
• Are we operationalizing penetration test results by integrating them into our SIEM/SOAR and security ops workflow, so we can visualize the big picture of vulnerabilities across our various assets? 
• Are we prioritizing and mitigating the most critical vulnerabilities to our mission expediently? 

There is a way to kick-start a better security testing experience—in a FedRAMP Moderate environment with a diverse community of security researchers that provide scale to support the largest of directorates with global footprints. The Synack Platform pairs the talents of the Synack Red Team, a group of elite bug hunters, with continuous scanning and reporting capabilities.

Together, this pairing empowers cybersecurity officers to know what’s being tested, where it’s happening, and how much testing is being done with vulnerability intelligence. Correlated with publicly available information (PAI) and threat intelligence feeds, the blend of insights can further enhance an agency’s offensive cybersecurity stance and improve risk reduction efforts.

Synack helps government agencies mitigate cybersecurity hiring hurdles and the talent gap by delivering the offensive workforce needed quickly and at scale to ensure compliance and reduce risk. And we’re trusted by dozens of government agencies. By adding Synack Red Team mission findings into workflows for vulnerability assessment, security operations teams are given the vulnerability data needed to make faster and more informed decisions.

Intrigued? Let’s set up an intelligent demo. If you’re attending the Intelligence & National Security Summit at the Gaylord in National Harbor, Md., next week, we’ll be there attending sessions and chatting with officers at Kiosk 124. We hope to see you there! 

Luke Luckett is Senior Product Marketing Manager at Synack.

The post Accelerated Decision-making in Cybersecurity Requires Actionable Vulnerability Intelligence appeared first on Synack.

The U.S. Department of Health and Human Services (HHS) draws on Synack’s trusted security researchers and smart pentesting platform to stay nimble in the face of fast-moving cyberthreats. 

With 84,000 federal employees, the agency’s sheer size poses challenges when it comes to addressing the cyber talent gap or pentesting its most critical networks. It’s the largest U.S. civilian agency by spending.

“We have an enormous footprint on the internet,” said Matthew Shallbetter, director of security design and innovation at HHS, during a webinar Wednesday hosted by Synack. “Across the board, HHS is both vast and well-known – and so a good target for troublemakers and hackers.” 

He cited constant cyberthreats to the National Institutes of Health, HealthCare.gov and the Centers for Disease Control and Prevention – some of the most recognizable federal research centers and government services. All those resources fall under HHS’s purview.

So how does the agency hire for mission-critical cybersecurity roles, stay on top of shifting zero-trust requirements and satisfy the need for continuous security testing?

Shallbetter shared his insights with Synack’s Scott Ormiston, a federal solutions architect who’s no stranger to the challenges facing public sector organizations globally.

With an estimated 2.72 million unfilled cybersecurity jobs worldwide, government agencies are struggling more than ever to meet diverse infosec hiring needs.  

“Attackers are responding so much faster today than they were even five years ago,” Ormiston pointed out. “In the time that a vulnerability is released to the public, within minutes of that release, attackers are out scanning your systems. If you don’t have enough skilled personnel to run a continuous testing program and to continuously be looking at your assets, how do you address that challenge?”

Here are a few themes and highlights from the webinar:

Continuous pentesting is a must

It can take weeks to spin up a traditional pentest to find and fix urgent software bugs. Meanwhile, bad actors almost immediately start scanning to exploit those same vulnerabilities, whether they’re blockbuster flaws like Log4j or lesser-known CVEs.

Against that backdrop, traditional pentesting clearly falls short. But is continuous pentesting realistic?

“The short answer is yes, because your adversaries are doing it every day: They’re continuously testing your environment,” Ormiston said.

Shallbetter noted that HHS has its own set of pentesting teams that are centrally located and focus on high-value assets. But there isn’t enough in-house talent to keep up with regular testing, scanning and patching.

“If we could focus on what’s really, really important and test those [assets], we might have enough bodies,” he said. “But it’s really a challenge to try to patch vulnerabilities… The footprint never shrinks; it’s always expanding.” 

To augment his own agency’s workforce capabilities, Shallbetter pulls from Synack’s community of world-class researchers. The diverse members of the Synack Red Team (SRT) allow HHS security testing to keep up with rapid software development cycles and the unrelenting pace of digital transformation.

HHS led 196 assessments using Synack’s platform, adding up to over 45,000 hours of testing on its perimeter services as part of an established vulnerability disclosure process.

There’s no match for human insight

That adds up to a lot of actionable data.

“We really couldn’t have done the VDP the way we did… without using a centralized platform like Synack,” Shallbetter said. “The human insight was key.”

He pointed out that HHS has automated tools across the board to help developers weed out vulnerabilities and drive down risk.  

But over and over, SRT members would find more.

Shallbetter said his favorite examples are when a system owner engages the Synack Platform to validate that HHS has really fixed a vulnerability. “They ask for a retest and the researcher says, ‘Oh, I did X, Y, and Z, but I did it again…’ And the system owner says, ‘Wow, that’s really cool.’”

Those exchanges also build trust between the SRT community and HHS developers who appreciate researchers’ ability to find the vulnerabilities that matter, cutting through the background noise of automation. An average of 30 SRT members contribute their expertise to each HHS assessment, according to Shallbetter.

“When you put a bunch of humans on a target, even if it’s been scanned and pentested by an automated tool, you will find new problems and new issues,” he said.

Zero trust is no longer just a buzzword

The White House early this year unveiled its highly anticipated zero trust strategy, M-22-09, which set federal agencies on a path to achieve a slate of zero-trust principles.

Those five security pillars include identity, devices, applications and workloads, networks and data.

“It’s great to have this architecture,” Ormiston said of M-22-09. “But this also means additional stress on a cyber workforce that’s under pressure.”

Zero trust is a “hot topic” at HHS, as Shallbetter noted.

“It doesn’t feel like a marketing term; people are really beginning to understand what it means and how to implement it in certain ways,” he said.

And pentesting has emerged as “a significant part” of meeting HHS’s zero trust goals. 

“I do think the scope and scale of technology now means the real vision for zero trust is possible,” he said. “For HHS, penetration testing has been an important part of speeding our deployment processes.”

Agencies have until the end of fiscal 2024 to reach the pillars of the zero trust paradigm described in the White House memo.

In the meantime, Synack will continue working as a trusted partner with HHS, delivering on-demand security expertise and a premier pentesting experience.

“I love being able to sort of toss the schedule over the fence and say, ‘hey, Synack, we need four more [assessments], what are we going to do?’—and have it happen,” Shallbetter said.

Access the recording of the webinar here. To learn more about why the public sector deserves a better way to pentest, click here or schedule a demo with Synack here.

The post Inside the Biggest U.S. Civilian Agency’s Pentesting Strategy appeared first on Synack.

Government agencies and public sector organizations have often struggled to compete with private companies for talent, a struggle only exacerbated by the COVID pandemic. A recent  Bureau of Labor Statistics report found that about half of government jobs in the U.S. remain unfilled compared to pre-pandemic numbers. 

This creates an even tighter squeeze on the already spent cybersecurity workforce; the White House reported a staggering 700,000 open cybersecurity roles in the U.S. The public sector continues to battle smaller budgets and fewer technical resources, while the challenge to protect the attack surface and anticipate new vulnerabilities becomes increasingly complex. 

Public-private partnerships can alleviate the pressure felt by the public sector globally by infusing top-tier talent into critical cybersecurity operations and providing consistent, readily available technology and support.

Government and public sector organizations are charged with keeping a country’s digital borders safe and secure. They’re needed to help keep the lights on, along with a myriad of other critical functions. To do that, organizations routinely test the health of their cybersecurity defenses. But are they getting the results and insight to keep up with today’s sophisticated cyber adversaries?  

Stale security practices keep public sector organizations in the past at a time when they need partners to help them operate on par with private companies.

Penetration testing, otherwise known as pentesting, is a technology that is fortunately evolving for the better.

Gone are the days of two people on-site with two laptops who take weeks to deliver a point-in-time report with few actionable insights. 

Here’s what modern pentesting can look like: a continuous process to sniff out critical vulnerabilities as they’re known, actionable results built into a seamless platform, and an ability to scale to respond to critical vulnerabilities like Log4j.   

The choice between outdated security testing and an agile, responsive pentesting solution to tackle a nation’s most pressing cybersecurity concerns is obvious. Synack provides premier security testing to keep public sector organizations at the top of their game, reducing risk while helping to keep critical data and infrastructure out of adversaries’ hands. Our innovative pentesting solution utilizes the Synack Red Team, a diverse community of more than 1,500 security researchers, and our secure platform to dig deep into web applications, cloud resources and other attack surfaces to find the vulnerabilities that matter most.  

Our recent whitepaper, “Government Agencies Deserve a Better Way to Pentest,” lays out the challenge with traditional pentesting and how public sector organizations can respond with maximum efficiency and limited budget. 

For U.S. government agencies

For U.K. public sector organisations 

The post No Time to Waste: Why the Public Sector Needs a Better Way to Pentest appeared first on Synack.