Unapproved mobile use and unpatched systems are just two of the end-user security problems admins could face during the ongoing U.S. government shutdown.
With thousands of federal employees out of work, IT departments are left to determine how to manage those users' access to business resources. The shutdown provides ample opportunity for users to turn to personal devices that may not be IT-approved. And with some IT staff on furlough, vulnerabilities on desktops, websites and other systems could go unpatched.
These end-user security holes leave the door open for attackers to take advantage of devices and data. Left unchecked, exploits could worsen as the shutdown drags on, and they could continue to do damage long after it's over, said Maurice Turner, senior technologist at the Center for Democracy and Technology, a nonprofit in Washington, D.C., that influences and promotes technology policy legislation.
In this Q&A, Turner discusses the effects of the shutdown on end-user security.
How is the shutdown affecting IT departments in federal organizations whose staff are furloughed or working with limitations?
Turner: Having this indefinite shutdown puts an extraordinary strain on IT resources from the operational standpoint of making sure all these computers and these systems on the back end are up and running. We've seen indications where external-facing websites are inaccessible because their security certificates have expired and there's no staff around to be able to renew them.
IT needs constant attention and monitoring to make sure that we minimize the number of bad actors who are looking to exploit the situation.
What are the end-user security risks cropping up because of the shutdown?
Turner: One could be the exploitation of vulnerabilities. If there are new vulnerabilities that are discovered and there are new patches that are issued, those patches can be reverse-engineered. If some of these federal agencies have these vulnerabilities and they're not patched, that's very obvious for an attacker that that's a vector they need to take advantage of.
The shutdown creates a situation that's ripe for misinformation, [and] that can be used when it comes to phishing attacks. For example, a furloughed worker might receive a fake email saying they need to log into a different website or, conversely, there may be customers who receive emails that are purported to be from a government agency that asks them to log onto a website that's an attempt to get credentials.
Without these federal IT workers monitoring these types of emails going in and out, there's an opportunity for these emails to actually gain traction and be effective.
How else might the shutdown affect IT pros that manage furloughed employees? Do they need to ensure that those users' work resources are restricted, given that they're not permitted to work during the shutdown?
Turner: It depends on the designation of that staff being essential or nonessential. Restricting access could be troublesome in that people might start relying on their mobile devices for communication and may be circumventing some of that protection that's built into their government devices.
So instead of checking your government email on your government phone, people might be tempted to just use their personal email on their personal device, and it can be difficult to have the same level of security policies in place on personal devices. That could open up those employees and the systems to a greater degree of risk.
How should IT address that potential problem?
Turner: They'd need to have those policies in place before the shutdown happened. It would be tough to go back and change policies. Reminders about safe practices when it comes to accessing devices and clearly communicating what the expectations are is important.
But the caveat is, if employees aren't allowed to check their email, how are you going to send them a reminder about the policy on not checking their email during a shutdown?
What are the effects on end-user management when IT pros themselves are not able to work?
Turner: Even if specific job functions are deemed as being essential, there may be the case where there are multiple [IT] employees who are rotating through to perform a singular function in a way that doesn't have the same consistency when it comes to having similar skill sets or similar experiences. If you have four different people filling in on a rotating basis, all four of those people aren't necessarily going to have the same background and training. Those differences might show up in the way work is being performed.
Criminals and other malicious actors -- they're not furloughed. They're still going to be looking for ways to infiltrate systems and export data.
The worst case scenario is that during the shutdown, we have a number of systems that are accessed by malicious actors, and then those actors simply stay in the system and avoid detection during this time of lower defenses. The longer they can hang out in the system, the more likely they are to find interesting information and spread into other connected systems and potentially find more important information.