In last year’s SolarWinds hack, Russia-backed attackers hijacked a routine update for the company’s remote monitoring software in order to launch what Microsoft president Brad Smith called “the largest and most sophisticated attack the world has ever seen.” Approximately 18,000 SolarWinds customers were compromised, including dozens of federal government agencies such as the Pentagon, the Department of Homeland Security, the Department of Energy and the National Nuclear Security Administration.
Security researchers now say it may have all started with a weak password — “solarwinds123” — that exposed the company’s update server.
President Biden cited the SolarWinds attack, along with the more recent Microsoft Exchange and Colonial Pipeline hacks, when he issued a recent executive order aimed at improving the nation’s cybersecurity. Among other provisions, the order mandates that government agencies address deficient password practices by adopting multifactor authentication (MFA) within six months.
A Recurring Problem
Poor password hygiene is a longstanding issue for government agencies, stemming from what one senior administration official called “a laissez-faire attitude towards cybersecurity.” A 2014 Senate study found that many cyberattacks on government systems were exploiting “mundane weaknesses” such as weak or default passwords on critical servers. A 2018 WatchGuard report found that half of the government accounts they examined used easy-to-guess passwords such as “123456” and “password.”
Also in 2018, federal auditors found that the Department of State wasn’t complying with existing password requirements. Although the Federal Cybersecurity Enhancement Act of 2016 required the State Department to adopt MFA for all accounts with “elevated privileges,” almost 90 percent of agency devices were still using password-only protection.
While Biden’s executive order addresses federal agencies, administration officials are encouraging state and local government entities to follow suit. They noted that the economic stimulus bill passed in March allocates nearly $2 billion for state and local governments to use for cybersecurity and IT modernization efforts.
MFA solutions should be an investment priority. State and local agencies are under siege from ransomware attacks that often use weak or stolen passwords to infiltrate systems. According to recent research, ransomware attacks have cost local and state governments more than $52 billion over the past three years.
MFA addresses these vulnerabilities by requiring users to provide two or three other verification factors in addition to passwords. Sending a confirmation code to a user’s mobile phone is probably the most common secondary authentication technique. Lightweight mobile apps allow users to get one-time passwords or PINs via a text message. Security is improved because these one-time passwords or PINs are randomly generated and encrypted rather than stored on the device or in a vendor’s database.
Smartphone authentication can be a challenge for some state and local government employees who work in rural areas with inconsistent cellular coverage. Others who work with particularly sensitive information may be restricted from using a personal smartphone on the job.
If phone authentication isn’t an option, hardware tokens are good alternatives. Classic tokens are small devices that generate one-time codes based on a cryptographic key stored inside the device. Because tokens have no Internet connections, they are generally very secure options. However, some users may have to carry multiple tokens for different accounts, which can become a bit of a hassle.
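As an added example (not code from the original article or any vendor it describes), this shows how the one-time codes used by both the mobile apps and the hardware tokens described above are derived from a key stored in the device (HOTP, RFC 4226, and its time-based variant TOTP, RFC 6238), together with the server-side check that makes a stolen or replayed code worthless. The shared secret is the RFC 4226 sample key, used here only as constructed test data.

```python
import hashlib
import hmac
import struct
import time

# Shared secret provisioned into the token at enrollment.
# Constructed sample: the RFC 4226 test-vector key, not a real credential.
SAMPLE_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter,
    dynamically truncated to a 31-bit integer, then reduced to `digits` digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # low nibble of last byte picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP where the counter is the current 30-second time step.
    This is what a display token or authenticator app shows; it needs no network."""
    return hotp(secret, unix_time // step, digits)


def verify_hotp(secret: bytes, submitted: str, last_counter: int, look_ahead: int = 5):
    """Server-side check for an event-based token.

    Accepts a code only if it matches one of the next `look_ahead` counters
    (the user may have pressed the button without logging in), and never a
    counter at or below the last accepted one, so a captured code cannot be
    replayed.  Returns the counter to store on success, or None on failure.
    """
    for candidate in range(last_counter + 1, last_counter + 1 + look_ahead):
        # Constant-time comparison avoids leaking how many digits matched.
        if hmac.compare_digest(hotp(secret, candidate), submitted):
            return candidate
    return None


if __name__ == "__main__":
    print("current TOTP:", totp(SAMPLE_SECRET, int(time.time())))
    print("HOTP counter 3 accepted at:", verify_hotp(SAMPLE_SECRET, hotp(SAMPLE_SECRET, 3), 0))
```

The verifier illustrates why these codes resist the weak-password problem the article describes: each code is valid once, for a single counter or time step, and is derived from a key that never leaves the token.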
Most MFA solutions still rely on passwords as one verification factor, so agencies must continue to encourage strong password use. Passwords should include special characters, numbers and even misspelled words to make them more difficult to crack. Passphrases are even better. These are strings of words that are longer than passwords, typically at least 15 characters.
Poor password practices continue to be the leading trigger for cybersecurity incidents. To learn more about how to implement MFA in your agency, give us a call.