Attackers breached the network of the US Census Bureau in January 2020 through its remote-access servers, but the agency did not initially detect the breach, effectively respond to close the exploited vulnerability, or report the breach to the appropriate authorities in a timely manner, a recent report states.
The report, published by the Office of Inspector General (OIG) for the US Department of Commerce, highlights numerous specific errors: The Bureau failed to plug a critical vulnerability in the three weeks before the attack, took two weeks to detect the breach, and operated servers that were no longer supported by its vendors. In another failure, its remote-access systems sent log files to a security information and event management (SIEM) system that had been decommissioned more than 18 months earlier and thus failed to record the incident.
While the mishandling of the incident put the agency at risk, the attackers did not compromise any systems with access to the 2020 decennial census networks, personnel told the OIG.
"The exploit was partially successful, in that the attacker modified user accounts data on the systems to prepare for remote code execution," the OIG's report states. "However, the attacker's attempts to maintain access to the system by creating a backdoor into the affected servers were unsuccessful."
Federal agencies continue to face criticism of their flawed security operations and problematic cyber defenses. Earlier this month, a report issued by the US Senate Committee on Homeland Security and Governmental Affairs found that agencies faced an 8% increase in attacks but continued to fail to close vulnerabilities. Overall, four federal agencies got a "D" grade for cybersecurity, three received a "C" ranking, and only one — the Department of Homeland Security — got a passable "B." A 2019 report found similar deficiencies in the agencies' cybersecurity programs.
The continuing parade of security operations problems needs to be fixed, said Steve Moore, chief security strategist for security-as-a-service provider Exabeam, in a statement to Dark Reading.
"While it is positive the Census count was not impacted by this brazen attack, it reminds the American people just how fragile the country's critical systems can be," he said. "Reflection on failure is an excellent way to uncover systemic problems, prioritize defensive efforts, and document your security observations that might otherwise go unnoticed."
The post-mortem report bluntly describes five areas in which the Census Bureau failed to securely manage its systems and respond to the breach. The attack could have been prevented, it states, if the agency had patched the vulnerability in the three weeks leading up to it. A member of the Bureau's Computer Incident Response Team (CIRT) had attended briefings given by the Cybersecurity and Infrastructure Security Agency (CISA) at which the vulnerability was discussed.
"Despite the publicly available notices released in December and attending two meetings on the issue in January, the Bureau CIRT did not coordinate with the team responsible for implementing these mitigation steps until after the servers had been attacked," the report states. "If the Bureau had implemented the steps on its remote-access servers, the initial compromise would have likely failed."
While the OIG redacted the product's vendor from its report, other reports indicate the vulnerability appears to be the critical flaw in Citrix's Application Delivery Controller (CVE-2019-19781).
The OIG report also criticizes the Enterprise Security Operations Center (ESOC) for missing signs of the attack and for failing to notify the Census Bureau's management in a timely way once it knew an attack had been initiated.
These problems are not uncommon in either the government or corporate worlds, said Chris Clements, vice president of solutions architecture for Cerberus Sentinel, in a statement sent to Dark Reading.
"The reality is that the vast majority of organizations only find out they’ve suffered a security breach when alerted by a third party or an unmistakable event like ransomware triggering," he said. "Tools exist, such as SIEMs, for automating collection and analysis of logs that can indicate a security attack is happening, but it can be difficult to ensure that all systems and applications in an organization are properly sending their security logs to them and have personnel experienced in recognizing and investigating suspicious patterns or behavior."
The OIG's office offered nine recommendations, including better communication of security incidents, frequent scanning of assets, regular review of automated alerts, better handling of external alerts, and review of log aggregation procedures.
In its response to the report, the US Census Bureau concurred with all the recommendations and outlined steps that the agency took to improve its cybersecurity.
"Following the attack, the Census Bureau conducted a full assessment of the entire network to ensure all devices were configured correctly to send audit logs to the proper location," the letter stated. "The Bureau would, however, like to underscore the numerous improvements made as a result of informal lessons learned following the January 2020 incident."
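The decommissioned-SIEM failure the report describes is detectable before an incident if each device's configured log destination is reconciled against the collectors actually in service, and each expected source is checked for recently received events. The following is an added example of such a check, not the Bureau's or the OIG's tooling; the hostnames, inventory and RFC 5424 syslog lines are constructed.

```python
import re
from datetime import datetime, timedelta

# Constructed inventory: remote-access server -> syslog destination it is configured
# to send to (hypothetical hostnames).
INVENTORY = {
    "ra-gw-01": "siem.corp.example",
    "ra-gw-02": "siem-legacy.corp.example",  # still points at the retired SIEM
    "ra-gw-03": "siem.corp.example",
}
ACTIVE_COLLECTORS = {"siem.corp.example"}  # anything else is decommissioned

# Constructed RFC 5424 syslog lines as received by the live collector.
RECEIVED_LINES = [
    "<86>1 2020-01-11T09:58:12Z ra-gw-01 sshd 2113 - - Accepted publickey for admin",
    "<86>1 2020-01-11T09:59:40Z ra-gw-01 sshd 2120 - - session opened for user admin",
    "<86>1 2020-01-09T23:10:05Z ra-gw-03 sshd 877 - - session closed for user ops",
]
SYSLOG_RE = re.compile(r"^<\d{1,3}>1 (?P<ts>\S+) (?P<host>\S+) ")

def parse_syslog(line):
    """Return (timestamp, hostname) from an RFC 5424 line, or None if it does not parse."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    return datetime.fromisoformat(m.group("ts").replace("Z", "+00:00")), m.group("host")

def audit_log_forwarding(inventory, active_collectors, lines, now, max_silence):
    """Flag sources pointed at a dead collector, never heard from, or silent too long."""
    last_seen = {}
    for line in lines:
        parsed = parse_syslog(line)
        if parsed and (parsed[1] not in last_seen or parsed[0] > last_seen[parsed[1]]):
            last_seen[parsed[1]] = parsed[0]
    findings = []
    for host, dest in sorted(inventory.items()):
        if dest not in active_collectors:
            findings.append((host, "destination_not_active", dest))
        if host not in last_seen:  # forwarding silently broken: nothing ever arrived
            findings.append((host, "no_events_received", None))
        elif now - last_seen[host] > max_silence:
            findings.append((host, "stale", last_seen[host].isoformat()))
    return findings

def run_audit(now_iso="2020-01-11T10:00:00+00:00", max_silence_hours=6):
    """Audit the constructed sample; returns the list of findings."""
    return audit_log_forwarding(INVENTORY, ACTIVE_COLLECTORS, RECEIVED_LINES,
                                datetime.fromisoformat(now_iso), timedelta(hours=max_silence_hours))
```

Run on a schedule against the real inventory and collector, the "no_events_received" and "destination_not_active" findings are the two conditions that would have caught a gateway still forwarding to a retired SIEM.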