Even as cybercriminals take aim at critical infrastructure, many of the United States’ top 100 federal contractors are inadequately prepared to repel ransomware attacks.
These were among the findings of a report from Black Kite, which assessed the cybersecurity risk posture of U.S. defense contractors and found 20% of the country’s largest 100 contractors were highly susceptible to a ransomware attack.
The study found 42% of defense contractors have had at least one compromised credential within the past 90 days, and 40 contractors received an “F” grade in credential management.
Overall, the top 100 federal contractors averaged a “ransomware susceptibility index” score of 0.39, but 20% scored above the critical threshold of 0.6, according to the report.
Crossing the Threshold
By comparison, earlier Black Kite reports showed that 10% of pharmaceutical manufacturers and 49% of automobile manufacturers were above what Black Kite considered a critical threshold, indicating they were highly susceptible to ransomware attacks.
“We’re continuing to see the exact same issues pop up through industries—issues that should be addressed by basic cybersecurity hygiene,” said Bob Maley, chief security officer at Black Kite. “These are defense contractors that should be taking advice from the Department of Homeland Security. The attack vectors for ransomware aren’t new.”
He pointed out that, over the past decade, Homeland Security has been issuing alerts on what people should be doing to protect themselves in these particular areas.
“So, it’s not that bad actors are finding new things to exploit to make ransomware effective,” he said. “They’re exploiting issues that have been around for a long time that people just aren’t paying attention to.”
Maley explained there is no single category of malicious actor perpetrating threats against federal contractors. Generally speaking, the actors that are a threat here do not necessarily target defense contractors specifically; they may not even know that they are doing so.
“They’re bad actors that will target a company that is vulnerable and that looks like they have enough financials to be able to pay the ransom. That’s the problem here,” he said. “It’s not so much that they are going to target defense contractors. Defense contractors happen to be in that pool of businesses that happen to be vulnerable and therefore will become victims of ransomware.”
Based on Black Kite’s assessment, the top 100 averaged a “C+” grade for information disclosure, and the report found SSL/TLS strength and application security are both lagging, with an overall “C” grade among defense contractors.
Maley explained that SSL/TLS strength and application security are both lagging among defense contractors because their customers are unable to connect with the most recent protocol versions.
“So, simply, they allow for fallback to older, vulnerable versions to allow easier connectivity from their customers,” he said.
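The fallback Maley describes is something a practitioner can measure from the outside: offer a server one protocol version at a time and see whether it completes a ServerHello or answers with an alert. The probe below is an added example, not code from Black Kite or from the report; it hand-builds a minimal ClientHello so the result does not depend on what the local OpenSSL build still permits, and the target name `example.com` in the usage stub is a placeholder. The parser is exercised offline on constructed ServerHello and alert records.

```python
import os
import socket
import struct
import sys

# Wire-format versions for the protocols a legacy-tolerant server might still accept.
VERSIONS = {
    "SSLv3": (3, 0),
    "TLSv1.0": (3, 1),
    "TLSv1.1": (3, 2),
    "TLSv1.2": (3, 3),
}
VERSION_NAMES = {v: k for k, v in VERSIONS.items()}
LEGACY = ("SSLv3", "TLSv1.0", "TLSv1.1")

# A small spread of cipher suites so that both legacy and current stacks have something to pick.
CIPHER_SUITES = (
    0xC02F,  # TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (TLS 1.2)
    0xC013,  # TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
    0x002F,  # TLS_RSA_WITH_AES_128_CBC_SHA
    0x000A,  # TLS_RSA_WITH_3DES_EDE_CBC_SHA
)

ALERT_NAMES = {40: "handshake_failure", 70: "protocol_version", 80: "internal_error"}


def build_client_hello(version, server_name=None, random_bytes=None):
    """Serialise a minimal ClientHello that offers exactly one protocol version."""
    major, minor = version
    rnd = os.urandom(32) if random_bytes is None else random_bytes
    suites = b"".join(struct.pack("!H", s) for s in CIPHER_SUITES)
    body = struct.pack("!BB", major, minor) + rnd + b"\x00"   # version, random, empty session id
    body += struct.pack("!H", len(suites)) + suites           # cipher_suites
    body += b"\x01\x00"                                       # compression_methods: null only
    if server_name:
        name = server_name.encode("idna")
        entry = b"\x00" + struct.pack("!H", len(name)) + name  # NameType host_name
        sni = struct.pack("!H", len(entry)) + entry
        ext = struct.pack("!HH", 0x0000, len(sni)) + sni       # server_name extension
        body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # HandshakeType client_hello
    return b"\x16" + struct.pack("!BBH", major, minor, len(handshake)) + handshake


def parse_server_response(data):
    """Classify the first TLS record the server returned.

    Returns ("accepted", negotiated_version), ("rejected", alert_name) or ("unknown", detail).
    """
    if len(data) < 5:
        return ("unknown", "short record")
    rtype, _, _, rlen = struct.unpack("!BBBH", data[:5])
    payload = data[5:5 + rlen]
    if rtype == 0x15 and len(payload) >= 2:                         # Alert record
        return ("rejected", ALERT_NAMES.get(payload[1], "alert %d" % payload[1]))
    if rtype == 0x16 and len(payload) >= 6 and payload[0] == 0x02:  # Handshake: ServerHello
        ver = (payload[4], payload[5])
        return ("accepted", VERSION_NAMES.get(ver, "version %d.%d" % ver))
    return ("unknown", "record type %d" % rtype)


def probe(host, port, version_name, timeout=5.0):
    """Offer a single protocol version to host:port and report what the server did with it."""
    hello = build_client_hello(VERSIONS[version_name], server_name=host)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(hello)
        try:
            data = sock.recv(4096)
        except socket.timeout:
            return ("unknown", "timeout")
    if not data:
        return ("rejected", "connection closed")  # some stacks simply drop legacy hellos
    return parse_server_response(data)


def audit(host, port=443):
    """Probe every version; a legacy version that is 'accepted' is a fallback the server allows."""
    results = {name: probe(host, port, name) for name in VERSIONS}
    allowed_legacy = [name for name in LEGACY if results[name][0] == "accepted"]
    return results, allowed_legacy


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"  # placeholder target
    results, allowed_legacy = audit(target)
    for name, (status, detail) in results.items():
        print("%-8s %-9s %s" % (name, status, detail))
    print("legacy fallback allowed:", ", ".join(allowed_legacy) or "none")
```

Run it as `python probe.py host` against a server you are authorised to test. A server that answers the TLSv1.0 or TLSv1.1 hello with a ServerHello is doing exactly what Maley describes; one that replies with a protocol_version alert, or closes the connection, has the fallback switched off.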
The study also found nearly 43% of federal defense contractors have out-of-date systems, contributing to a “D+” rating in patch management. The report noted that not only are security patches critical to reducing ransomware risk, but fixing software and application vulnerabilities is also a key part of diminishing an organization’s cybersecurity risk.
“It’s not necessarily patch management. It is more around the fact that older operating systems on servers are still prolific,” Maley said. “The reason why that is a problem is that older operating systems—and some we see that are at end-of-life—people can say that they are 100% compliant with a patch management program because they apply all the patches to this operating system.”
He explained that this is possible because no new patches are coming out for such systems, which is one of the main problems with older operating systems. It’s a major security loophole.
“Another one is that there are far more patches for operating systems the older they get, which introduces the probability that there may be patches that were missed or didn’t apply correctly,” he said. “A robust patch management system would still say they are patched correctly even though a patch failed, and they aren’t.”
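Both failure modes Maley describes come from trusting the patch console’s own bookkeeping. The audit below, an added example rather than anything from the report, reconciles a host inventory against two independent facts: whether the operating system is still receiving fixes at all, and whether the package version actually installed on the box meets the fixed version. The hosts, build numbers and package versions are constructed for the example, and the end-of-support table is an assumption to be checked against the vendor lifecycle pages.

```python
import re
from dataclasses import dataclass
from datetime import date

# End-of-support dates used by the example (assumption; verify against vendor lifecycle pages).
END_OF_SUPPORT = {
    "Windows Server 2008 R2": date(2020, 1, 14),
    "Windows Server 2012 R2": date(2023, 10, 10),
    "Windows Server 2019": date(2029, 1, 9),
    "Ubuntu 18.04": date(2023, 5, 31),
    "Ubuntu 22.04": date(2027, 4, 30),
}

AUDIT_DATE = date(2024, 6, 1)  # fixed so the example is reproducible


@dataclass
class PatchRecord:
    host: str
    os_name: str
    package: str
    fixed_version: str          # first version that contains the fix
    installed_version: str      # what is really on the box (dpkg -s, registry, WMI, ...)
    console_says_patched: bool  # what the patch-management console reports


def parse_version(text):
    """Turn '3.0.2-0ubuntu1.12' into a tuple that sorts numerically where it can."""
    parts = []
    for token in re.split(r"[.\-+~]", text):
        parts.append((0, int(token)) if token.isdigit() else (1, token))
    return tuple(parts)


def audit_record(rec, as_of):
    """Return the findings for one host; an empty list means genuinely compliant."""
    findings = []
    eol = END_OF_SUPPORT.get(rec.os_name)
    if eol is None:
        findings.append("unknown-lifecycle")
    elif eol <= as_of:
        # "100% patched" is vacuous here: the vendor has stopped issuing fixes.
        findings.append("end-of-life-os")
    fixed = parse_version(rec.installed_version) >= parse_version(rec.fixed_version)
    if not fixed:
        # Trust the installed version, not the console's success flag.
        findings.append("patch-reported-but-missing" if rec.console_says_patched else "patch-missing")
    return findings


def audit(records, as_of):
    """Compare what the console would report with what an inventory-based check finds."""
    per_host = {rec.host: audit_record(rec, as_of) for rec in records}
    console_compliant = sum(1 for rec in records if rec.console_says_patched)
    actually_compliant = sum(1 for findings in per_host.values() if not findings)
    return per_host, console_compliant, actually_compliant


# Constructed inventory for the example (not real hosts or real scan data).
SAMPLE = [
    PatchRecord("dc01", "Windows Server 2008 R2", "KB-cumulative", "7601.24564", "7601.24564", True),
    PatchRecord("web02", "Ubuntu 22.04", "openssl", "3.0.2-0ubuntu1.12", "3.0.2-0ubuntu1.10", True),
    PatchRecord("app03", "Windows Server 2019", "KB-cumulative", "17763.5458", "17763.5458", True),
    PatchRecord("db04", "Ubuntu 18.04", "openssl", "1.1.1-1ubuntu2.1~18.04.23", "1.1.1-1ubuntu2.1~18.04.21", False),
]

if __name__ == "__main__":
    per_host, via_console, via_audit = audit(SAMPLE, AUDIT_DATE)
    for host, findings in per_host.items():
        print("%-6s %s" % (host, ", ".join(findings) or "ok"))
    print("compliant per console: %d/%d, after audit: %d/%d"
          % (via_console, len(SAMPLE), via_audit, len(SAMPLE)))
```

On the sample inventory the console counts three of four hosts as patched, while the audit leaves only one: the 2008 R2 domain controller is “fully patched” on an operating system that stopped receiving fixes, and web02 is flagged because the package on disk is older than the version the console claims it installed.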
Maley also pointed out that the continued use and proliferation of mobile devices is serving to expand the attack surface.
“Not only do IT administrators have to be concerned about server operating systems and workstation operating systems, but now mobile devices get thrown into the mix,” he said. “So, it complicates the issue because it expands the attack surface.”