19 platforms used by government agencies have vulnerabilities

Image via Unsplash

A security researcher has discovered vulnerabilities in commercial platforms used by United States government agencies and courts. The vulnerabilities were found in 19 commercial platforms and could allow malicious actors to gain access to government and legal systems. Malicious actors could gain access to confidential data, compromise personal information and adjust documents. The research suggests these vulnerabilities could be leveraged to falsify voter registration databases.

Jason Soroko, Senior Fellow at Sectigo, a Scottsdale, says, “Jason Parker’s findings highlight a deep issue: government and legal systems rely on outdated infrastructure unfit for modern cybersecurity threats. Penetration testing is useful, but it is not enough. It uncovers flaws, however, it doesn’t fix the core weaknesses in legacy systems or address the need for proactive security. While rip and replace may not be possible for these systems, penetration testing can help to point out where more monitoring is needed, but it may be impossible to employ the security controls that are necessary.

“Many systems, 20 to 30 years old, lack modern features like strong authentication, encryption, and access controls. These gaps make them vulnerable to attacks. The fact that attackers can easily alter voter databases or access legal records shows the limits of relying on reactive measures like penetration testing.

“Government agencies should consider developing or adopting standardized security frameworks and guidelines that all vendors must follow. Procurement policies, with stated goals and outcomes needs to be part of the plan going forward.”

To manage these vulnerabilities, the research suggests that government entities should focus on penetration testing, employee training and software audits.

Casey Ellis, Founder and Chief Strategy Officer at Bugcrowd, comments, “I partly agree with Jason about pentesting. These systems need more eyes on the target, however, and more importantly, there needs to be accountability around fixing what is found. In the case of election security, that is true at both the vendor AND the owner level.

“Pentesting addresses the eyes on the target problem, but not the accountability one. Such a vast and disparate set of systems requires the implementation of vulnerability disclosure programs with coordinated disclosure policies and safe harbor, such as those implemented by the voting machine manufacturers in 2020 and mandated into Federal Civilian Agencies by CISA in BOD 20-01.”

Looking for a reprint of this article?
From high-res PDFs to custom plaques, order your copy today!

Jordyn Alger is the managing editor for Security magazine. Alger writes for topics such as physical security and cyber security and publishes online news stories about leaders in the security industry. She is also responsible for multimedia content and social media posts. Alger graduated in 2021 with a BA in English – Specialization in Writing from the University of Michigan. Image courtesy of Alger

ON DEMAND: In this webinar, Regina Lester, Vice President of Security & Safety Operations at Toledo Zoo, will share her insights on implementing security technologies in the entertainment sector and the challenges all organizations face — large and small — when it comes to balancing budget and security.