Who Needs Heartbleed When Many Dot-Govs Don't Even Encrypt Communications?

More than a quarter of federal websites are not properly configured to encrypt the connection with SSL/TLS, leaving data entered by citizens open to interception by intruders, according to a new study. 

Federal sites in general scored 10 percent lower than online banking services and social media networks at site security and server configuration, researchers at the Online Trust Alliance discovered.  

The study, released Wednesday, looked at 50 cabinet-level and other high-traffic, consumer-oriented federal websites, as well as purported federal sites set up by fraudsters. Phishing emails luring citizens to the bogus sites also were examined.

Industrywide, the average score for so-called SSL configuration was 83.4 on a 100-point scale, whereas the government average was 70.5. The government rating was dragged down by the large number of sites, 26 percent, that scored lower than 50, said Craig Spiezle, founder of the alliance and a study co-author. About 10 of the sites had no discernible SSL connection, he said. 

An SSL connection secures data transmitted when a citizen fills out, for instance, an online application for veteran benefits. This year, the results of the annual online trust audit incorporated tests for the infamous Heartbleed bug, a flaw in the widely used OpenSSL library that let an attacker read chunks of a server's memory, private keys included, and that went unnoticed for roughly two years. Social media and financial institution sites tied for first place in SSL use, with 86 points.

The study does not name the 50 government sites studied or list individual scores for security reasons. 

"There's a risk if you start calling these things out, you could expose a vulnerability of a site -- and that's the last thing we want to do," Spiezle said. "We're using tools that are readily available that anyone can use" to assess systems, "which means the cyber criminals can certainly use the same exact tools to evaluate how strong a site is or how weak it is." 

In addition to neglecting site security, many federal agencies failed to protect their email domains with authentication technology that prevents impersonation, or "spoofing," the researchers found. One-third of agencies did not use email authentication, which publishes policy for a domain so that receiving mail servers can check whether a message claiming to come from that domain was actually authorized by it and reject the ones that were not.

By comparison, 100 percent of e-commerce sites used some form of email authentication, as did 96 percent of social media sites. Because the federal sector has yet to fully embrace email authentication, "government sites are ripe for spoofing and spear-phishing attacks not only against constituents but also employees at other agencies," Spiezle said.

He cited a scenario of a criminal searching LinkedIn to find the name of a division director and someone who works for him, and then spoofing the boss' email address to send the employee an email fishing for sensitive information.

Many lower-level employees have public email addresses. The message purportedly from the boss could say something such as, "Great job on that presentation last week. Can you send me all the background details?" Spiezle offered as an example. 
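The report does not spell out which records it counted as "email authentication," and the spoofing scenario above does not say what a receiver would have needed to block the forged message. The following is an added example, not the alliance's tooling or anything from the report: it assumes "email authentication" means the standard DNS-published mechanisms, SPF (RFC 7208) and DMARC (RFC 7489), and classifies how much protection a domain's records actually give. The domain names, records and the in-memory zone are constructed for illustration so the code runs offline; nothing here is a real agency record.

```python
"""Added example: judge whether a domain's published email-authentication
records let receivers reject spoofed mail.  Assumes the report's "email
authentication" means SPF (RFC 7208) and DMARC (RFC 7489) TXT records, and
reads them from a constructed in-memory zone instead of live DNS lookups."""
import re
from typing import Dict, List, Optional

# Constructed sample zone: TXT records keyed by owner name.  Domain names and
# policies are invented for illustration; none are real agency records.
SAMPLE_ZONE: Dict[str, List[str]] = {
    # Protected: SPF hard-fails unlisted senders, DMARC tells receivers to reject.
    "agency-a.example": ["v=spf1 ip4:192.0.2.0/24 include:_spf.mail.example -all"],
    "_dmarc.agency-a.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@agency-a.example"],
    # Monitor-only: DMARC published, but p=none asks receivers to take no action.
    "agency-b.example": ["v=spf1 mx ~all"],
    "_dmarc.agency-b.example": ["v=DMARC1; p=none; rua=mailto:reports@agency-b.example"],
    # SPF soft-fail and no DMARC: receivers have no instruction to block anything.
    "agency-c.example": ["v=spf1 mx ~all"],
    # Two SPF records: a permanent error under RFC 7208 s4.5, so SPF is ignored.
    "agency-d.example": ["v=spf1 mx -all", "v=spf1 ip4:198.51.100.7 -all"],
    # Nothing published at all.
    "agency-e.example": [],
    # SPF hard-fail but no DMARC: the envelope sender is checked, the visible
    # From: header is not, so header spoofing of "the boss" still gets through.
    "agency-f.example": ["v=spf1 ip4:203.0.113.0/24 -all"],
    # DMARC reject applied to only 20% of failing mail via the pct tag.
    "agency-g.example": ["v=spf1 ip4:203.0.113.0/24 -all"],
    "_dmarc.agency-g.example": ["v=DMARC1; p=reject; pct=20; rua=mailto:d@agency-g.example"],
}


def lookup_txt(zone: Dict[str, List[str]], name: str) -> List[str]:
    """Stand-in for a DNS TXT query against the constructed zone."""
    return zone.get(name, [])


def parse_spf(records: List[str]) -> Optional[dict]:
    """Return the single SPF record and its 'all' qualifier, or None if SPF
    is absent or ambiguous (more than one v=spf1 record is a permerror)."""
    spf = [r for r in records if r.lower().startswith("v=spf1")]
    if len(spf) != 1:
        return None
    qualifier = None
    for term in spf[0].split()[1:]:
        m = re.fullmatch(r"([-+~?]?)all", term, re.IGNORECASE)
        if m:
            qualifier = m.group(1) or "+"   # a bare "all" means "+all"
    return {"record": spf[0], "all": qualifier}


def parse_dmarc(records: List[str]) -> Optional[Dict[str, str]]:
    """Split a DMARC record into tag=value pairs; None if absent or duplicated."""
    dmarc = [r for r in records if r.strip().lower().startswith("v=dmarc1")]
    if len(dmarc) != 1:
        return None
    tags: Dict[str, str] = {}
    for part in dmarc[0].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess(zone: Dict[str, List[str]], domain: str) -> str:
    """Classify how much protection against spoofing the published records give."""
    spf = parse_spf(lookup_txt(zone, domain))
    dmarc = parse_dmarc(lookup_txt(zone, "_dmarc." + domain))
    if dmarc is not None:
        policy = dmarc.get("p", "none").lower()
        if policy in ("reject", "quarantine"):
            pct = int(dmarc.get("pct", "100"))
            return "enforced" if pct >= 100 else "partially-enforced"
        return "monitor-only"
    # Without DMARC, receivers only have SPF, and only a hard fail carries weight.
    if spf is not None and spf["all"] == "-":
        return "spf-hardfail-only"
    return "spoofable"


if __name__ == "__main__":
    for name in sorted(d for d in SAMPLE_ZONE if not d.startswith("_dmarc.")):
        print(f"{name:20} {assess(SAMPLE_ZONE, name)}")
```

Two of the verdicts are the ones worth pausing on. An SPF hard fail with no DMARC ("spf-hardfail-only") checks the envelope sender, not the From: line the employee sees, so the forged "boss" message in the scenario above can still land in the inbox; only a DMARC policy of quarantine or reject ties the visible From: domain to authentication and instructs receivers to act. And a record that looks strict can still be weak: p=none is monitoring only, and a pct value below 100 applies the stated policy to only that share of failing mail.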

A bright spot in the assessment is the government's lead in deploying Domain Name System Security Extensions (DNSSEC), which cryptographically signs DNS records so a resolver can detect forged answers that would redirect visitors to copycat sites. DNSSEC authenticates the answer to "where is this site," not the connection that follows, so it complements rather than replaces SSL.

Of the federal sites, 92 percent used DNSSEC, up from 88 percent last year. No other sector had transitioned more than 5 percent of sites. In 2008, the White House required all agencies to apply the system throughout the dot-gov domain by December 2009.

Obama administration officials did not respond to a request for comment on this year's report.  

To conduct the study, researchers reviewed more than 300 million email headers and about 8,500 Web pages, across sectors, between April 15 and May 23. The report has at least two limitations, the researchers acknowledged. A site's security practices might have changed since the sampling, and some sites might have been using security technologies the alliance's tools could not detect.

(Image via igor.stevanovic/Shutterstock.com)
