As the US Government shutdown continues and federal employees remain on furlough, some experts are concerned about the cybersecurity implications of the cutbacks in IT staffing, particularly with regard to software security. Government IT agencies are already hampered by slow update processes, which makes them attractive targets for attackers, so a further interruption poses a particular risk. With regular patch cycles interrupted, vulnerabilities that go unaddressed, from freshly disclosed zero-days to known bugs whose patches simply never get applied, are in the spotlight, and the case for software design that builds in quality from the outset is particularly clear.
Recent days have seen the release of important updates, including Microsoft’s monthly security patches, but interrupted workflows and the simple fact that many end users’ computers are switched off will keep these patches from being deployed, experts told Computerworld. Although security staff have been kept on as an essential service, the broader organizational disruption makes it hard to ensure that normally routine patch rollouts go as planned, John Pescatore, director of emerging technologies at the SANS Institute, explained. The result is that many systems will be vulnerable or buggy when they are brought back online after the shutdown, according to Richard Stiennon, principal at security consulting firm IT-Harvest.
“Best practice would be to isolate these machines until they can be brought up to the most recent patch level,” he told Computerworld. “I suspect that most agencies do not have best practice patch management where they deploy patches quickly anyway.”
Agency websites are of particular interest to attackers, Stiennon suggested: while most internal systems sit idle, public-facing sites are displaying shutdown notices that effectively advertise they are unattended, making them easy targets for tampering or DDoS attacks. The threat from more subtle intrusions is likely to grow as well, because the staffing cutbacks have reduced monitoring, Larry Slobodzian, a senior solutions engineer at security firm LockPath, told SC Magazine.
“Zero-day vulnerabilities, or unknown vulnerabilities that are fresh on the [black] market, are likely to be exploited because you can be fairly certain they are not going to be patched,” he said. He added that the most appealing targets will be vulnerabilities whose patch cycles are already lengthy because of bureaucratic barriers or concerns about breaking functionality, noting “There are patches that require more than just an automated tool, like changing a password, or it takes a [privileged] staff member to complete. A malicious entity would probably be targeting something like that – a complex task that’s not going to be done or is delayed.”
Buggy software was a concern for government agencies even before the shutdown, with U.S. Marine Corps CIO Robert Jack recently noting that the vendor practice of shipping incomplete programs and relying on patches to fix them afterwards imposes substantial costs on the public sector. With many government IT processes stalled by the shutdown, the consequences of unpatched software may become even clearer, underscoring the importance of building quality in at design time. By using tools such as static analysis as part of a secure development lifecycle, vendors can ship software with fewer vulnerabilities in the first place, shrinking the window of exposure to unpatched flaws, zero-day or otherwise, when business concerns or bureaucracy delay updates on the customer’s side. Static analysis does not remove the need to patch, but every bug caught before release is one fewer patch that a furloughed IT staff has to deploy.