The Office of Inspector General (OIG) recently evaluated the Department of Commerce’s (DOC) cybersecurity program and uncovered critical failures that exposed the DOC to real risk. Among the specific findings: administrative accounts were still protected by vendor default passwords, and those accounts gave the OIG’s testers access to more than 100,000 pieces of Personally Identifiable Information (PII). The findings emphasize the urgent need for improvements to safeguard the security and integrity of the DOC’s IT infrastructure, and they are a clarion call to other agencies to shore up their cybersecurity before disaster strikes.
The OIG’s penetration testing team demonstrated that weak password management allowed them to get past almost all of the firewalls the DOC’s Office of the Secretary (OS) relied on for cybersecurity. By logging in to system administration consoles on target endpoints with unchanged default passwords, the team was able to extract over 100,000 pieces of PII. Although this was a test rather than an attack, the risk posed by poor password security is very real: a default credential is, in effect, a password that has already been published.
For example, in November 2016, the San Francisco Municipal Transportation Agency (SFMTA) fell victim to a ransomware attack. According to the account this post draws on, the attackers gained access to the SFMTA network through administrative controls whose vendor default passwords had never been changed. Once inside, they deployed the ransomware, locking SFMTA data and demanding a ransom in exchange for the decryption key. The incident underscores the importance of basic security hygiene, starting with changing the default password on every piece of hardware and software before it goes into service. This is especially important in public sector organizations.
The United States federal government is slated to spend nearly $11 billion on cybersecurity defense in 2023. Without a commitment to enforcing password security best practices, however, including the replacement of every default password, money spent on other security measures can be rendered ineffective. To defend effectively against cyber threats, agencies across the federal government need an enterprise-wide password and privileged access management solution.
Eliminating the Use of Default Passwords
A FedRAMP Authorized Privileged Access Management (PAM) solution replaces default passwords with unique, strong credentials for every user, account and device across an organization. By automating password generation, storage and rotation, PAM tools can simply and effectively prevent unauthorized access to critical systems and applications. One caveat a practitioner will want to keep in mind: a vault can only manage the credentials it knows about, so the rollout has to start from a complete inventory of devices, service accounts and administrative consoles, including the ones nobody remembers deploying.
Effective PAM solutions also let administrators perform regular password audits. These audits identify weak or non-compliant passwords, including vendor defaults that slipped through onboarding, so that every privileged account maintains a high level of security.
When an audit identifies a weak password, such as a default vendor password, a PAM solution can alert system administrators and users to the risk and rotate the credential immediately. Automatic password rotation also enforces a maximum age for every credential, narrowing the window in which a compromised password can be misused and strengthening the organization’s overall cybersecurity stance.
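The audit-and-rotate loop described above, written out as an added example (this is illustrative code, not Keeper’s product or its API). It assumes a small, constructed inventory of privileged accounts stored as salted PBKDF2 hashes rather than plaintext, a constructed list of common vendor defaults, and a 90-day maximum password age; every account name, salt and date below is made up for the example. The audit flags accounts that still match a vendor default or whose last rotation is overdue, and the remediation step replaces each flagged credential with a random one.

```python
"""Privileged-account audit: flag vendor-default and overdue passwords, then rotate them.

Added illustration, not Keeper's code. The default-credential list, account names,
dates and 90-day policy are constructed fixtures for this example.
"""
import hashlib
import hmac
import secrets
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed list of common vendor defaults; the blank password counts as a default too.
DEFAULT_CREDENTIALS = ["admin", "password", "changeme", "Cisco123", ""]
MAX_PASSWORD_AGE = timedelta(days=90)   # assumed rotation policy
PBKDF2_ITERATIONS = 50_000              # kept low so the audit runs quickly; raise in production
AUDIT_DATE = date(2023, 6, 1)           # constructed "today" for the fixture


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the audit compares hashes and never needs plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def make_account(name: str, password: str, last_rotated: date) -> Dict:
    """Build one inventory record with a fresh random salt (fixture helper)."""
    salt = secrets.token_bytes(16)
    return {"name": name, "salt": salt,
            "hash": hash_password(password, salt), "last_rotated": last_rotated}


def matched_default(account: Dict) -> Optional[str]:
    """Return the vendor default this account still uses, or None if it matches none."""
    for candidate in DEFAULT_CREDENTIALS:
        if hmac.compare_digest(hash_password(candidate, account["salt"]), account["hash"]):
            return candidate
    return None


def audit(accounts: List[Dict], today: date,
          max_age: timedelta = MAX_PASSWORD_AGE) -> List[Tuple[str, str]]:
    """One finding per problem: 'default_password:<value>' or 'rotation_overdue'."""
    findings = []
    for acct in accounts:
        default = matched_default(acct)
        if default is not None:
            findings.append((acct["name"], f"default_password:{default}"))
        if today - acct["last_rotated"] > max_age:
            findings.append((acct["name"], "rotation_overdue"))
    return findings


def rotate_password(account: Dict, today: date) -> str:
    """Replace the credential with a random 192-bit value and reset its age."""
    new_password = secrets.token_urlsafe(24)
    account["salt"] = secrets.token_bytes(16)
    account["hash"] = hash_password(new_password, account["salt"])
    account["last_rotated"] = today
    return new_password  # in a real deployment this goes into the vault, never to a log


def remediate(accounts: List[Dict], today: date) -> List[str]:
    """Rotate every account the audit flagged; returns the rotated account names, sorted."""
    flagged = {name for name, _ in audit(accounts, today)}
    for acct in accounts:
        if acct["name"] in flagged:
            rotate_password(acct, today)
    return sorted(flagged)


def sample_inventory() -> List[Dict]:
    """Constructed fixture: two vendor defaults, one stale password, one clean account."""
    return [
        make_account("ilo-admin@host01", "admin", date(2023, 5, 20)),         # default, recent
        make_account("sa@db-prod", "Tr0ub4dor&3-unique", date(2022, 12, 1)),  # strong, 182 days old
        make_account("root@switch-core", "changeme", date(2022, 1, 15)),      # default and stale
        make_account("svc-backup", "kX9v!Qp2#Lm7zR4w", date(2023, 4, 30)),    # clean
    ]


if __name__ == "__main__":
    inventory = sample_inventory()
    for name, reason in audit(inventory, AUDIT_DATE):
        print(f"FINDING  {name:<20} {reason}")
    print("rotated:", remediate(inventory, AUDIT_DATE))
    print("findings after remediation:", audit(inventory, AUDIT_DATE))
```

Two design points worth noting. The check runs against hashes, so the audit job never needs to see a plaintext credential; that is the same reason the rotation function hands the new password straight back to the caller (the vault) instead of printing it. And the default list is deliberately short here; in practice it should be built from the vendor documentation for every product class in the inventory, because the audit can only catch the defaults it is told about.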
Privileged access management solutions should also provide comprehensive reporting. This is crucial for meeting regulatory and audit requirements such as HIPAA, FINRA, SOC 2, ITAR and more. Security reports deliver insight into the overall posture of an organization’s privileged accounts, including password policy adherence, access history and password change frequency. By generating detailed compliance reports, organizations can demonstrate their commitment to robust security standards and show that potential weaknesses are being addressed proactively.
About Keeper Security Government Cloud
Keeper Security Government Cloud (KSGC) is a FedRAMP Authorized password and PAM solution that supports a zero-trust cybersecurity framework and strengthens any agency’s cybersecurity posture. Keeper improves security at federal agencies by delivering the most important aspects of privileged access management without the complexity of traditional PAM solutions, including:
- Privileged Account and Session Management (PASM)
- Secrets management
- Single Sign-On (SSO) integration
- Privileged account credential management
- Credential vaulting and access control
- Session management, monitoring and recording
- Privileged Elevation and Delegation Management (PEDM)
KeeperPAM helps federal agencies adopt a zero-trust security architecture by unifying three integral products into one SaaS platform that requires limited IT staff and provides the option for on-premises components.
Keeper Enterprise Password Management (EPM) – provides cybersecurity through a distinct security architecture, including patented zero-knowledge encryption, a zero-trust environment and robust compliance and reporting features.
Keeper Secrets Manager (KSM) – offers a comprehensive, cloud-based, zero-knowledge solution for safeguarding critical infrastructure secrets, including API keys, database passwords, access keys, certificates and sensitive data.
Keeper Connection Manager (KCM) – provides an agentless, clientless remote access system for managing remote desktop connections securely from any location, without the need for a VPN. KCM enables DevOps and IT teams at federal agencies to securely access RDP, SSH, database and Kubernetes endpoints through a web browser.
By implementing these measures, the federal government can close the front door of its cybersecurity fortress, reduce the risk of cyber attacks and protect the PII it holds.