Traditional Browsers Put Federal Employees at Risk

dhs-s3-200w.png

CORPORATE

9,000 employees of the Department of Homeland Security (DHS) and more than 20,000 at the FBI - and their families - now face the risk of having their bank accounts emptied. Or worse.

Undercover field agents could even see their lives at risk as the result of a new serious security breach. Joseph Cox reports on Motherboard that a hacker broke into a Department of Justice computer network and published  9,000 personal phone numbers of DHS personnel and their home addresses on the Internet.

To make matters worse, the anonymous hacker then “doxed” - dumped on the Internet for anyone to pick through - 20,000 more files of FBI employees.  He reportedly has  access to military emails and credit card numbers.

This is not the first time that sensitive personal information of key government employees has been lost in a data breach. Only a few months ago, an attack against the Office of Personnel Management (OPM) compromised roughly 23 million records of employees and civilians who had applied for, or managed, Top Secret security clearances.

Following that breach, we wrote about the steps you should take to protect yourself from potential fallout.

All of the above begs the question:

Why hasn’t the government stepped up to the challenge?

What will it take for the federal government to protect the very employees who are supposed to protect the rest of us?

It looks like leadership and management in charge of federal network security simply don’t know where to start. They have to navigate and cope with government computer resources, networks, administration, and user entitlements that are as byzantine a structure as the federal procurement processes.

Like in other massive bureaucracies, government IT managers have to balance myriads of systems, patches, firewall rules, authentication processes, and employees’ needs. One result they can bank on is that whatever updates they applied last time (if any at all), didn’t prevent this new attack, and just “patching it up” again will not prevent the next one.

The reason for this is not surprising.  The current tools that federal IT (as well as enterprise IT) rely on for information security “focus” on everything and the kitchen sink.

Except on the browser.

fbijobs-gov-Home_Engage3.jpg

They may lock down networks and devices and access to applications. But the browser remains the same off-the-shelf non-secure app that came with the federal worker’s computer. At the same time, employees need to access the web to be able to do their job.

The current administration may have finally acknowledged this crisis. It has introduced a $3.1 billion plan to overhaul the government’s outdated IT infrastructure.  The President called to “retire outdated systems”.

I assert that the browser is an outdated system.  It was designed more than 20 years ago for a world that the designers could not imagine.

So here’s my suggestion on where to start, based on the pattern we see emerging from most recent attacks:

Put a secure  virtual web browser on the computer of every federal employee.

Why am I suggesting this? Because in one swift and effective move, government IT would address the underlying problem:

In almost all of the recent attacks,  employees working in their traditional browser unintentionally opened the door for the intruders.

Vulnerability databases list more than 700 security holes in the most common browsers. And market research shows that employee actions are at the root of half of all data breaches.

dhs-s3.jpg

Where  traditional browsers collide with the human factor - like when users manage their own passwords and logins  when they access government web portals and internal resources - the result is predictable.

So stop letting users run their traditional brower.  And stop letting them manage their own credentials. Take the user out of the risk equation, and provide them with  secure browsers that completely shield them from attacks, and leave credentials and permissions to the administrators who can properly manage them.
If your admin won’t help you at work, let us help you at home.

If you’re directly affected by this breach, the inevitable credit monitoring that has become the standard employer-issued band aid in such cases will not be sufficient.

Like after the OPM data breach, Authentic8 will help. We invite you to use our secure virtual browser for all of your online activities.  Go to  getsilo.com/opm2016.  If you like what you see and want a personalized copy of the Silo browser for yourself, sign up for a free personal account!

Gerd Meissner - Gerd writes, produces, edits, and manages content at Authentic8. Before, he covered information technology and data security as a journalist and book author in the US and in Europe.

Topics: Corporate News