The challenges: Municipalities and governments find themselves in an interesting situation as often the IT and information security departments are a generic city or county service, however based on the numerous departments they support they have very nuanced information security requirements. In addition the goal is always to cut down on taxpayer burden so they are generally run on shoestring budgets. Many of these networks are very old and have grown organically rather than by specific design. Recently Foresite performed a general network security assessment for one such entity and found that many of these challenges were present.
The assessment: Foresite first looked at the network from the standpoint of an anonymous user. The consultant plugged in his laptop and was able to find some shares they could access without any authentication. These folders included old network policies and diagrams, which gave the consultant extra information about the IP scheme, and other internal subnets, and information about boundaries and protections. The consultant also began to sniff the wire and due to the fact that the county was running old protocols to support legacy applications, Foresite was able to gain numerous credentials in a short period of time. This was made even easier by very simple passwords and numerous devices that were using default credentials that allowed the consultant to access devices at an administrator level.
Foresite was able to obtain an elevated privilege account during the anonymous phase and setup a new basic user in order to view what any user allowed on the network would see. The basic user was able to scan all sections of the network; including areas of the network that had regulated data, HIPAA, CJIS, Personnel records, etc. The consultant found device configurations including firewalls with embedded passwords, and clear text lists of other passwords.
Foresite was not detected during the entire engagement, this was not an attempt to be quiet, and the consultant used very ‘noisy’ approaches and created accounts throughout the environment. Security monitoring was clearly not properly implemented.
The Results: Foresite’s Reseller and the client are now working on plans for better data governance that include network segregation, and ACLs to prevent unauthorized access, removal of legacy protocols and applications, and much better network monitoring and detection. A training program is being put in place as well as special polices for privileged access.
Conculsion: Governments are a case where the concept of minimizing data is almost impossible. Taxpayer records, police files and investigations, public health records are just some of the data types that they must maintain. It’s important for those responsible for securing this data understand the unique risk of each type of regulated data. An assessment such as this can help expose blind spots and keep all of our data secured vigilantly.