The recent compromise of a state government organization's network through an administrator account belonging to a former employee has raised concerns about the cybersecurity practices of government agencies. Eric Woodruff, a Technical Specialist at Semperis, expressed his concerns, stating, "Clearly, a government agency being hacked isn’t the type of headline that garners confidence of the American people. The government agency should explain what happened, as it makes you question what their oversight and governance around privileged access is."
The breach, which allowed threat actors to access the internal virtual private network (VPN) and blend in with legitimate traffic, was not considered highly sophisticated. Woodruff pointed out a series of basic security lapses, such as the absence of multi-factor authentication (MFA) on the VPN and the continued availability of a workstation belonging to a former employee. "Look at it this way, would you buy a home and not make changing the locks a top priority when you moved in? In essence, the gov’t failed to change the locks on the account of the former employee," he remarked.
Woodruff also highlighted a concerning attitude among some administrators with privileged access, where a 'do as I say, not as I do' mentality prevails, leading to rules being bent for themselves. This can result in accounts remaining open even after the employees leave the agency, without any malicious intent from the former employee.
To prevent future breaches, Woodruff recommends a layered approach to cybersecurity. "Processes can be improved and when an employee leaves, especially an admin, shut down their access and immediately change the passwords of the accounts," he advised. However, he noted that in some organizations, access isn't immediately terminated when employees leave, and updates by third-party service providers may only be rolled out every few days.
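The offboarding control Woodruff describes can be verified rather than assumed. The following script is an added example, not code from Semperis or the agency involved: it reconciles a constructed HR separation list against a constructed identity-directory export and ranks the gaps the article names (a departed user's account still enabled, privileged group membership, VPN access without MFA). All names, groups and dates are made up for illustration.

```python
"""Offboarding reconciliation: flag accounts that should already be disabled.

Added example, constructed data only. Assumes an HR separation list keyed by
username and a directory export with enabled flag, groups, VPN entitlement,
MFA enrollment and last logon.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional, Tuple, List

@dataclass
class Account:
    username: str
    enabled: bool
    groups: Tuple[str, ...]
    vpn_access: bool
    mfa_enrolled: bool
    last_logon: Optional[date]

# Constructed HR data: separation dates for people who have left.
SEPARATIONS = {"jdoe": date(2023, 9, 1), "asmith": date(2023, 11, 15)}

# Constructed directory export.
DIRECTORY = [
    Account("jdoe", True, ("Domain Admins",), True, False, date(2024, 1, 10)),
    Account("asmith", False, ("Staff",), True, False, None),
    Account("bwong", True, ("Helpdesk",), True, False, date(2024, 1, 12)),
    Account("cgarcia", True, ("Domain Admins",), True, True, date(2024, 1, 12)),
]

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}

def find_offboarding_gaps(directory, separations, today):
    """Return (username, severity, reasons) for enabled accounts of departed users."""
    findings = []
    for acct in directory:
        left = separations.get(acct.username)
        if left is None or not acct.enabled:
            continue  # not a leaver, or already disabled as it should be
        reasons = [f"still enabled {(today - left).days} days after separation"]
        if PRIVILEGED_GROUPS & set(acct.groups):
            reasons.append("member of privileged group")
        if acct.vpn_access and not acct.mfa_enrolled:
            reasons.append("VPN access without MFA")
        if acct.last_logon and acct.last_logon > left:
            reasons.append("logon recorded after separation date")
        severity = "critical" if len(reasons) > 2 else "high"
        findings.append((acct.username, severity, reasons))
    return findings

def find_vpn_without_mfa(directory) -> List[str]:
    """Every enabled account that can reach the VPN without MFA, leaver or not."""
    return [a.username for a in directory if a.enabled and a.vpn_access and not a.mfa_enrolled]

def run_check(today: date = date(2024, 1, 15)):
    """Run both checks against the constructed data; the date is a fixed 'today'."""
    return find_offboarding_gaps(DIRECTORY, SEPARATIONS, today), find_vpn_without_mfa(DIRECTORY)
```

Feeding the script a real HR feed and directory export would turn the article's advice into a scheduled check; the second list is the same MFA gap the article describes, independent of whether anyone has left.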
The breach serves as a reminder of the importance of maintaining strict cybersecurity practices, especially in government agencies, to protect sensitive information and maintain public confidence.