Amazon to invest $50B to expand AI infrastructure for U.S. government agencies

24 November 2025 at 12:25

Amazon plans to invest up to $50 billion to expand AI and advanced computing infrastructure for U.S. government agencies, the company announced Monday.

The investment, set to break ground in 2026, will add nearly 1.3 gigawatts of data center capacity to the Amazon Web Services regions Top Secret, AWS Secret, and AWS GovCloud (US) — locations specifically designed for classified and sensitive workloads.

Amazon said federal agencies will gain access to AI tools such as Amazon SageMaker for custom model training and Amazon Bedrock for deploying AI models and building agents. The centers will be equipped with AWS’s own Trainium AI chips and NVIDIA hardware.

The intent is to accelerate discovery and decision-making across government missions, which could mean faster modeling for scientific research, quicker threat analysis for intelligence agencies, or more accurate forecasting for disaster response and climate modeling, according to Amazon.

“Our investment in purpose-built government AI and cloud infrastructure will fundamentally transform how federal agencies leverage supercomputing,” AWS CEO Matt Garman said in a statement. “This investment removes the technology barriers that have held government back and further positions America to lead in the AI era.”

Amazon first launched government-specific cloud infrastructure in 2011. Today the company says it supports more than 11,000 government agencies.

The Top 5 Cybersecurity Vulnerabilities for Government Agencies in 2022

19 January 2023 at 11:31

Government agencies are faced with cybersecurity challenges from all sides. Digital transformation initiatives can expose weak points in an attack surface, putting pressure on agencies’ IT teams to get it just right. And from insider threats to persistent vulnerabilities within networks and operating systems, public sector leaders feel the urgency to obtain a clear picture of what’s most at-risk.

As we kick off 2023, the Synack Red Team reviewed the most common vulnerabilities found in 2022. Each of these vulnerabilities has the potential to pose significant threats to large organizations—governments and beyond—and will continue to be monitored as we move through 2023.

Here are the top 5 vulnerability categories found by Synack in government accounts in 2022:

#5: Remote Execution

Remote Code Execution refers to a vulnerability where an unauthenticated attacker can remotely execute commands to place malware or malicious code on your network or hardware.

#4: Brute Force

In a brute force attack, attackers use exhaustive key searches, systematically checking possible passwords or passphrases until the correct one is found. This can lead to successful phishing attacks and more.

#3: SQL Injection

This attack style consists of insertion or injection of a SQL query via the input data from client to application. A successful exploit of this style can read and even modify sensitive data, execute admin functions (including shutting down systems), and in some cases, issue commands to an operating system.

#2: Authorization Permissions

The second most common vulnerability found in 2022 relates to improper authorizations. With authorizations, a user’s right to “access a given resource [is] based on the user’s privileges and any permissions or other access-control specifications that apply to the resource.” In this case, unauthorized users may gain access to resources or initiate unwanted actions that they should not be allowed to perform, potentially leading to data exposures, DoS, or arbitrary code execution.

#1: Cross-Site Scripting (XSS)

The most frequently found vulnerability among Synack’s government missions in 2022 was cross-site scripting (XSS). According to NIST, this vulnerability “allows attackers to inject malicious code into an otherwise benign website. These scripts acquire the permissions of scripts generated by the target website and can therefore compromise the confidentiality and integrity of data transfers between website and client. Websites are vulnerable if they display user-supplied data from requests or forms without sanitizing the data so that it is not executable.”

Government organizations need to stay on top of these and countless other vulnerabilities, and mandates are pushing security teams to address this head on by adopting a zero trust model. At a high level, a Zero Trust Architecture provides a framework and structural guidance to ensure that only the individuals and systems who need access, have access. Dedicated and continuous application security testing programs are a critical piece to achieving a zero trust paradigm, and investment in security testing is critical to ensuring agencies in the United States have minimized known vulnerabilities and are adhering to Executive Order 14028 and Memorandum 22-09.

How can my team reduce found vulnerabilities?

  • Understand your attack surface. Ensure you have a clear picture of your dynamic assets and that your attack surface is defined. This is key to managing cyber risk.
  • Set your vulnerability alerts. Stay aware of the latest active exploits, vulnerabilities and security issues affecting government and industry-specific verticals by signing up for alerts from CISA.
  • TEST! Does your security testing plan include testing for the 5 common vulnerabilities above? Synack can help. Chat with a Synack public sector representative today to learn how the Synack platform empowers in-house teams to scale and protect your mission continuously in a FedRAMP Moderate In Process environment.
  • Double down on Vulnerability Management. Make sure you are prioritizing vulnerabilities according to their criticality, patching them and then independently verifying that those patches have worked.
  • Orchestrate. Your SOAR has defensive security data from logging, alerting, threat intel and more. You should also integrate Synack continuous penetration testing data to automate your offensive security practices within the SOC. Such an integration will enable continuous, defensive improvements so you can truly grade and improve your security posture.


No Time to Waste: Why the Public Sector Needs a Better Way to Pentest

19 July 2022 at 14:21

Government agencies and public sector organizations have often struggled to compete with private companies for talent, a struggle only exacerbated by the COVID pandemic. A recent Bureau of Labor Statistics report found that about half of government jobs in the U.S. remain unfilled compared to pre-pandemic numbers.

This creates an even tighter squeeze on the already spent cybersecurity workforce; the White House reported a staggering 700,000 open cybersecurity roles in the U.S. The public sector continues to battle smaller budgets and fewer technical resources, while the challenge to protect the attack surface and anticipate new vulnerabilities becomes increasingly complex.

Public-private partnerships can alleviate the pressure felt by the public sector globally by infusing top-tier talent into critical cybersecurity operations and providing consistent, readily available technology and support.

Government and public sector organizations are charged with keeping a country’s digital borders safe and secure. They’re needed to help keep the lights on, along with a myriad of other critical functions. To do that, organizations routinely test the health of their cybersecurity defenses. But are they getting the results and insight to keep up with today’s sophisticated cyber adversaries?

Stale security practices keep public sector organizations in the past at a time when they need partners to help them operate on par with private companies.

Penetration testing, otherwise known as pentesting, is a technology that is fortunately evolving for the better.

Gone are the days of two people on-site with two laptops who take weeks to deliver a point-in-time report with few actionable insights.

Here’s what modern pentesting can look like: a continuous process to sniff out critical vulnerabilities as they’re known, actionable results built into a seamless platform, and an ability to scale to respond to critical vulnerabilities like Log4j.

The choice between outdated security testing and an agile, responsive pentesting solution to tackle a nation’s most pressing cybersecurity concerns is obvious. Synack provides premier security testing to keep public sector organizations at the top of their game, reducing risk while helping to keep critical data and infrastructure out of adversaries’ hands. Our innovative pentesting solution utilizes the Synack Red Team, a diverse community of more than 1,500 security researchers, and our secure platform to dig deep into web applications, cloud resources and other attack surfaces to find the vulnerabilities that matter most.

Our recent whitepaper, “Government Agencies Deserve a Better Way to Pentest,” lays out the challenge with traditional pentesting and how public sector organizations can respond with maximum efficiency and limited budget.
