Linda Punch
Hobbled by limited resources and other handicaps, government units are struggling to combat a rising onslaught from online data thieves.
When news of a data breach hits the national headlines, it usually involves retailers, processors, and others in the private sector. But government entities from park districts and municipalities to states and the federal government also hold sensitive data, including Social Security numbers and credit and debit card account numbers. And like the private sector, they can be vulnerable to attacks from fraudsters seeking to steal consumers’ personal data.
Just what percentage of data breaches involves government entities is unclear. With the multitudes of government units at all levels, it is almost impossible to track such data. But at least one organization—the Open Security Foundation’s DataLossDB—estimates that government units account for at least 18% of breaches worldwide. The foundation gathers information on incidents around the world involving the loss, theft, or exposure of personally identifiable information.
In the U.S., government agencies lost more than 94 million records of citizens between Jan. 1, 2009, and May 31, 2012, according to a September 2012 report by Rapid7, a Boston-based cybersecurity risk-management company. There was a 50% increase in the number of compromises affecting the government sector from 2009 to 2010, with the number tripling from 2010 to 2011, Rapid7 said. The leading causes of breaches were the loss or theft of portable devices, physical loss, and hacking.
Not Very Confident
Between Jan. 1, 2012, and May 31, 2012, government agencies reported more hacking incidents than any other type of incident, according to Rapid7. The number of personally identifiable information (PII) records exposed from 2010 to 2011 increased by 169%. The number of PII records exposed from 2011 to May 31, 2012, increased by 138%.
Some states appear to be more vulnerable to data breaches than others, Rapid7 found. California reported 21 incidents, the District of Columbia 20, and Texas 16. Kentucky, Montana, Nevada, North Dakota, and South Dakota reported no data breaches between Jan. 1, 2009, and May 31, 2012, while Alaska, Delaware, Idaho, New Hampshire, Rhode Island, and West Virginia reported one incident each.
Rapid7 based its report on analysis of data collected by the Privacy Rights Clearinghouse Chronology of Data Breaches.
The vulnerability of personal data held by many state agencies can be seen in the 2012 biennial cybersecurity study from Deloitte & Touche LLP and the National Association of State Chief Information Officers. Fewer than one-quarter of CISOs responding to the report said they were very confident in their states’ ability to guard data against external threats.
Based on such data, analysts say governments are just as vulnerable to data-breach attacks as private businesses. Data security for government units “is about equal, and in fact, in some ways it’s probably worse [than the private sector], depending on what level of government we’re talking about,” says Paul Ferguson, vice president of threat intelligence for Internet Identity, a cybersecurity firm.
While working in the San Francisco Bay area, Ferguson says he saw small municipal and county government sites compromised because they didn’t take basic security measures such as keeping up with security patches on the software used to publish bus schedules and similar public information on the Internet.
A complicating factor is the lack of a single standard for government agencies for protecting sensitive consumer information. While any agency that accepts card payments or stores account data is subject to the Payment Card Industry data-security standard (PCI), other government bodies are subject to standards, regulations, and guidance such as National Institute of Standards and Technology (NIST) publications, Federal Information Security Management Act (FISMA) regulations, and the International Organization for Standardization's ISO 27000 series.
“There are enough laws on the books today and enough regulations in the industries today that are not known, understood, and being followed,” says Wenlock Free, vice president of business development at Orem, Utah-based SecurityMetrics. “There’s a problem with the enforcement and understanding and implementation of those rules.”
While threats to database security continue to grow and become more sophisticated, government agencies face tight budgets for meeting those threats. More than four out of five CISOs reported that insufficient funding was the most significant barrier to addressing cybersecurity issues at the state level, according to the Deloitte-NASCIO study. The inadequate availability of cybersecurity professionals also ranked among the top five barriers.
Because of budget constraints, some small municipal governments “don’t even have an IT staff,” Ferguson says. “They’ve outsourced the creation of their Web sites or their databases or what have you. So a third-party contractor will come in, do the work for them, and go on their way. And if there are any security vulnerabilities or updates in software that need to happen, nobody’s there to do it.”
‘An Eye-Opener’
“Without a standard mandated by an outside group, financially strapped government units have no incentive to implement data-protection measures,” says Avivah Litan, a technology analyst at Gartner Research. “Nothing’s really driving them to spend money. They don’t have money to spend and their IT resources are very, very thin compared to retailers and processors. They don’t have the money, they don’t have the people, and they don’t have a mandate.”
A data breach last summer at the South Carolina Department of Revenue demonstrates just how vulnerable government databases can be. That breach—which exposed the personal data of nearly 4 million individual filers and 700,000 businesses—began with a malicious e-mail sent Aug. 13 to multiple Revenue Dept. employees, according to a report from Mandiant, a cybersecurity firm hired by the state to investigate the incident. At least one employee clicked on an embedded link that released malware that stole the employee’s username and password.
Two weeks later, the hacker used the stolen credentials to log into the machine through a remote-access service. The attacker then reached deeper into the network by installing password-grabbing software, possibly a key-logging tool, to obtain more passwords and connect to more servers. On Sept. 12, the hacker reached the department's database backup and copied its contents to a remote computer over a two-day period.
On Oct. 10, the U.S. Secret Service notified the department of the breach. The compromised data included tax records electronically filed since 2002, though some records went back as far as 1998. About 3.6 million Social Security numbers, 387,000 credit and debit card numbers, and other personally identifiable pieces of information on 1.9 million dependents were exposed in the breach.
South Carolina Gov. Nikki Haley blamed outdated Internal Revenue Service guidelines for contributing to the breach, according to published reports. The IRS didn’t return calls for comment.
The IRS publishes Tax Information Security Guidelines for Federal State and Local Agencies and Entities, a 128-page publication. The guidelines, issued by the IRS Safeguards Office, are designed to protect federal tax information. They cover areas such as secure storage of data, restricting access to data, information-technology security, and flow of data. A section on computer-system security outlines procedures for access control, security assessment and authorization, identification and authentication, and personnel security.
While South Carolina was compliant with the IRS rules, the IRS does not require Social Security numbers to be encrypted, Haley said. The Revenue Dept. also was using 1970s-era equipment, exacerbating the problem.
South Carolina now encrypts Social Security numbers and is in the process of revamping its tax systems with stronger security controls, she said.
The South Carolina breach “is probably an eye-opener because a lot of the critical data was unencrypted,” says Ram Pemmaraju, chief technology officer at StrikeForce Technologies, an Edison, N.J., provider of anti-keylogging keystroke encryption.
Once the hacker got the user name and password, “the hacker was able to burrow deeper in and access one of the databases,” Pemmaraju says. “And critical data was unencrypted.”
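The point Pemmaraju makes above is that a copied database backup is only as exposed as the data inside it. The following Go program is an added example, not code from the state of South Carolina or from any vendor quoted in this article, showing what field-level encryption of a Social Security number looks like: the SSN is sealed with AES-256-GCM under a key that lives with the application rather than in the table, the ciphertext is bound to its row ID so it cannot be transplanted to another record, and a keyed blind index lets the application still look a filer up by SSN without decrypting every row. The record layout, the key handling, and the sample SSN 123-45-6789 are constructed for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
)

// filerRow is a constructed stand-in for one row of a tax-filer table.
// The SSN never reaches the database in the clear: only its ciphertext
// and a keyed blind index (for exact-match lookups) are stored.
type filerRow struct {
	FilerID   uint64
	SSNCipher []byte // nonce || AES-256-GCM ciphertext || tag
	SSNIndex  string // hex(HMAC-SHA256(indexKey, ssn))
}

// keyring holds the keys the application process has and the database does
// not. A dump of the table, or of a backup of it, yields only ciphertext
// unless these keys are taken as well. (Assumed design, not the state's.)
type keyring struct {
	dataKey  []byte // 32 bytes for AES-256
	indexKey []byte // 32 bytes for the HMAC blind index
}

func newKeyring() (*keyring, error) {
	k := &keyring{dataKey: make([]byte, 32), indexKey: make([]byte, 32)}
	if _, err := io.ReadFull(rand.Reader, k.dataKey); err != nil {
		return nil, err
	}
	if _, err := io.ReadFull(rand.Reader, k.indexKey); err != nil {
		return nil, err
	}
	return k, nil
}

func aead(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// filerAAD ties a ciphertext to its row: moving it to another filer's
// record makes authentication fail.
func filerAAD(filerID uint64) []byte {
	return []byte(fmt.Sprintf("filer:%d", filerID))
}

// SealRow encrypts an SSN for storage under filerID and computes its blind index.
func SealRow(k *keyring, filerID uint64, ssn string) (filerRow, error) {
	g, err := aead(k.dataKey)
	if err != nil {
		return filerRow{}, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return filerRow{}, err
	}
	ct := g.Seal(nonce, nonce, []byte(ssn), filerAAD(filerID)) // nonce is prepended
	return filerRow{FilerID: filerID, SSNCipher: ct, SSNIndex: BlindIndex(k, ssn)}, nil
}

// OpenRow recovers the SSN; it fails on a wrong key, a modified ciphertext,
// or a ciphertext copied from a different filer's row.
func OpenRow(k *keyring, row filerRow) (string, error) {
	g, err := aead(k.dataKey)
	if err != nil {
		return "", err
	}
	ns := g.NonceSize()
	if len(row.SSNCipher) < ns+g.Overhead() {
		return "", errors.New("ciphertext too short")
	}
	pt, err := g.Open(nil, row.SSNCipher[:ns], row.SSNCipher[ns:], filerAAD(row.FilerID))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// BlindIndex gives an equality-searchable token for an SSN without storing it.
func BlindIndex(k *keyring, ssn string) string {
	m := hmac.New(sha256.New, k.indexKey)
	m.Write([]byte(ssn))
	return hex.EncodeToString(m.Sum(nil))
}

func main() {
	k, err := newKeyring()
	if err != nil {
		panic(err)
	}
	row, err := SealRow(k, 1001, "123-45-6789") // constructed sample SSN
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored: filer=%d ssn=%x index=%s...\n", row.FilerID, row.SSNCipher, row.SSNIndex[:16])
	ssn, err := OpenRow(k, row)
	fmt.Println("decrypted with app key:", ssn, err)
	moved := row
	moved.FilerID = 2002 // ciphertext transplanted to another row in a copied backup
	_, err = OpenRow(k, moved)
	fmt.Println("transplanted row:", err)
}
```

The caveat a practitioner should keep in mind, given the attack chain described above: encrypting the column blunts a copied backup only if the keys are not reachable with the same stolen credentials. An attacker holding a valid employee login and a key-logger can often reach whatever the application can, so the key store needs its own access control and the application should decrypt per request rather than holding plaintext in bulk.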
‘The Golden Goose’
The challenges of implementing data-protection standards for government agencies are daunting because of the varied nature of the units, budget limitations, and other factors, analysts say. For one thing, units within a government may fall under different jurisdictions—the revenue department collecting tax information might be subject to the IRS guidelines while the clerk’s office accepting credit card payments for vehicle stickers would fall under the PCI standard.
In some cases, an agency might fall under multiple jurisdictions. The state health department, for example, might be subject to PCI and health-care privacy regulations like HIPAA.
But regardless of the jurisdiction, no standard will work unless there are penalties for failure to comply, Litan says. “PCI used to be a guideline when it was Visa’s and MasterCard’s standard, and nobody paid attention to it until it was enforced,” she says. “Guidelines are great but no one knows they’re out there. It doesn’t matter how many guidelines there are—it’s what’s enforced.”
The PCI standard has 12 major requirements and more than 200 sub-requirements addressing everything from technology to security practices. Merchants that fail to comply with the standard face stiff penalties and can lose card-accepting privileges.
Periodic qualitative assessments of security measures like those required by the PCI standard also are critical to improving database protection by government units, Ferguson says. Under PCI, retailers must be periodically audited to ensure they are in compliance with the standard.
“The same type of quality assessment should be done at various government agencies, whether it’s at the state level, federal level, or whatever, and there should be some penalty if they’re not in compliance,” he says. “The penalties could range from having to be [subjected] to more assessments or it could even be tied to funding. There should be some penalty other than saying, ‘Whoops, I’m sorry, we’ll do better next time.’”
But many government agencies already are serious about improving data-security measures. Ninety-two percent of state business and elected officials ranked cybersecurity as “most important” or “very important,” according to the Deloitte-NASCIO survey.
And some states have adopted more stringent regulations on data security, including Nevada, which has incorporated the PCI standard into its state law, Free says.
Other states, such as Michigan, West Virginia, and Pennsylvania have been recognized by the information officers association for taking steps to improve data security.
But until more government units have the resources to upgrade data security, breaches similar to the South Carolina incident will continue. And as private companies become more adept at preventing breaches, government will be the low-hanging fruit favored by hackers.
“There doesn’t seem to be a prejudice from the hacker as to whether they’re going after government or private databases,” Free says. “They’re all just looking for the golden goose.”
How Phishing Is Growing More Insidious
Phishing, the tactic used by the hacker in the massive data breach at the South Carolina Department of Revenue last summer, continues to flourish in the U.S. and globally, according to the Anti-Phishing Working Group, an organization that tracks phishing and malicious code.
The APWG’s latest trend report, published in October and covering the first half of 2012, indicates that there were at least 93,462 unique phishing attacks worldwide, up from the 83,083 attacks observed in the second half of 2011. The increase was due in part to a rise in phishing attacks that leveraged shared virtual servers to compromise multiple domains at once.
APWG defines an attack as a phishing site that targets a specific brand or entity. One domain name can host several discrete attacks.
Phishing is a means by which criminals use social engineering or technology to steal consumers’ personal identity data or financial account credentials. Social-engineering schemes use e-mails purporting to be from legitimate businesses and agencies to lead consumers to counterfeit Web sites. At those sites, recipients are tricked into revealing user names and passwords.
Technical subterfuge involves planting crimeware on personal computers to steal credentials directly, often by intercepting consumers' online account user names and passwords as they are entered.
The APWG survey found that phishers attacked fewer targets in the first half of 2012, concentrating on larger, more prominent targets in an effort to make more money. “It is easier for phishers to sell stolen credentials associated with more popular institutions, and there is a growing emphasis on gaining access to e-mail accounts, which enable phishers to spam from whitelisted services such as Gmail, Hotmail, Yahoo! and so on,” the report said.
The report also found that attackers used 64,204 unique domain names, up from 50,298 in 2011’s second half. Only about 2% of all domain names that were used for phishing contained a brand name or variation thereof.
Phishing attacks are becoming sophisticated, says Paul Ferguson, vice president of threat intelligence at phishing mitigation firm Internet Identity.
“They’re masquerading now not necessarily as banks but as bulletins from the Better Business Bureau, or a FedEx or UPS saying they tried to deliver a package to your house, please open this attachment to get additional details for delivering your package,” he says. The e-mail recipients then are asked to click on a link that puts a Trojan on their computers that collects log-in credentials.
One piece of good news: during the first half of 2012, the average uptime of phishing attacks dropped to a record low, the lowest level since APWG began measuring it in January 2008. Uptime, or live time, is how long a phishing site stays reachable; it is both a gauge of how much damage an attack can do and a measure of how well mitigation efforts are working. The average uptime in 2012’s first half was 23 hours and 10 minutes, compared with 46 hours and 3 minutes in the first half of 2011 and a high of 73 hours in the second half of 2010.
Still, Ferguson says his company gets phishing reports “in the thousands per month. And these are just the ones we handle on behalf of our customer base,” he says. “That’s just a small percentage of the overall phishing landscape.”