One Quarter of US Federal Agencies’ Privileged Users Still at Risk After ‘Security Sprint’

Large sections of the US government remain exposed to hackers following the end of the 30-day Cybersecurity Sprint initiative launched last month in response recent major data breach of the US Office of Personnel Management (OPM).

On Friday, US CIO Tony Scott announced some of the results of the Sprint Initiative, which was intended to patch critical flaws in US Govt. cybersecurity by  improving policies and best practices for privileged users and accelerating government adoption of two-factor authentication (2FA) for those users.

According to Scott’s statement, the Sprint Initiative made significant progress in reducing the overall number of privileged users in federal govt. IT systems.

Scott claims that many federal agencies now require employees to use “a hardware-based Personal Identity Verification (PIV) card or an alternative form of strong authentication” when accessing government IT infrastructure and networks.

Federal civilian agencies increased their use of 2FA for both privileged and unprivileged users by 30 percent during the 30-day sprint initiative. 72% of all users in those agencies now use 2FA.

The increase in 2FA use was even more impressive when it comes to privileged users alone, with a 40 percent increase up to 75% using 2FA during the 30-day period.

Scott also noted that over half of the federal government’s largest agencies—including the Department of the Interior, Transportation, and Veterans Affairs—have implemented strong authentication measures for 95% of their privileged users.

While these numbers seem impressive, they raise questions over the remaining 25 percent of privileged users who are not protected by 2FA, and whose privileged accounts and capabilities are, presumably, unmanaged.

Protecting 75 percent of privileged users is like building a fence around 75 percent of your yard—it may look good, but there’s still a gaping hole for potential intruders to enter through.

High-privilege access may be the most sensitive aspect of IT, if misused, privileged capabilities can cause massive organizational damage, and leave millions of sensitive data points vulnerable to theft, as seen in the OPM hack.

Privileged accounts are on hackers critical path to success 100% of the time in every attack, regardless of the threat, according to a white paper from Cyber Sheath Services International. If we leave just one percent of  these accounts vulnerable, they will be attacked.