The research offers an attacker's view of cybersecurity strategies.
Federal networks aren’t the easiest to crack compared to other sectors, but most hackers believe they could breach an agency’s perimeter and find and exfiltrate critical data in under 15 hours, according to the second annual Black Report released Wednesday.
Cybersecurity company Nuix surveyed 112 incident responders, professional penetration testers and self-described hackers. The report notes this is twice the size of last year’s inaugural Black Report survey pool.
“You might think you’re well-protected but the people whose job it is to break in and steal your data think otherwise,” said Chris Pogue, lead author of the report and Nuix’s head of services, security and partner integration. “When organizations develop their cybersecurity strategies, they may have IT, legal, risk and human resources teams at the table but the one person they never invite is the bad guy.”
The majority of respondents (53 percent) said they could breach a federal government network, identify critical data and exfiltrate that data from the system in 15 hours or less. That puts the federal government in the same circle as state and local governments (54 percent), sports and entertainment (54 percent), telecommunications (52 percent), law firms (52 percent) and the cross-industry average (54 percent).
This puts feds behind sectors like aviation, energy and other critical infrastructures, for which fewer than 50 percent of respondents believed they could breach a network and get out with valuable data in under 15 hours. But it puts agencies ahead of hospitals and health care providers (61 percent), retail (63 percent), the food and beverage industry (66 percent) and hospitality (73 percent).
Hackers believe navigating federal systems would be the easiest part—62 percent said they could breach a federal network’s perimeter in 10 hours or less. Some 28 percent said they could do it in under five. Cross-industry, 71 percent said they could breach the perimeter of a network within 10 hours.
“This illustrates the reality of ‘candy bar security,’ where an organization’s security posture is crunchy on the outside and chewy in the middle,” the report states. “It’s the result of focusing on hardening the perimeter of a network and assuming that anyone who’s on the inside should be there and is doing what they’re supposed to be doing. These assumptions are clearly not realistic today, if they ever were.”