The U.S. Federal Government is a behemoth that touches every aspect of American life – and today the touchpoints for services and information that each U.S. citizen requires to comply with federal rules and regulations are increasingly found on the Internet. However, the latest report on the state of federal websites indicates that they fail on some key indicators regarding web security. The Information Technology & Innovation Foundation’s (ITIF) Benchmarking U.S. Government Websites report showed that there was plenty of room for concern but it wasn’t all gloom and doom. For instance an analysis of federal websites Secure Sockets Layer (SSL) certificates (which ensure that all data being sent between the browser and server is encrypted), found that around three quarters were making use of the certificates, bettering the result of the previous year. But there were areas where the federal websites could certainly use improvement when it comes to security vulnerabilities.
Federal websites – The tip of the iceberg?
With an estimated 4,500 federal websites which allow access to critical services and general information, the problem is very real. It all comes down to the old saying about numbers used by statisticians. Mark Twain attributed a scathing critique of statistical methods to the British Prime Minister Benjamin Disraeli when he wrote “There are three kinds of lies: lies, damned lies, and statistics.” The problem might extend further than so called ‘federal’ websites and security issues that affect these sites may have a trickle-down effect.
The fact of the matter is that U.S. citizens depend on those federal websites to access critical government services and information. This latest report finds that 91 percent of the most popular agency websites are failing to perform well in at least one key performance metric with one of the most important being web security.
The analysts responsible for the report found that of the hundreds of websites under scrutiny more than one-third did not have security measures to prevent hackers from accessing visitors’ sensitive information or redirecting traffic to malicious phishing websites.
Now these are ‘federal’ sites – but like much else involving governments across the globe, definitions can be slippery. At the core of many of these sites are databases that gather and supposedly protect information that can run the gamut from medical records, government hiring practices and the results of job interviews to location information. Social security numbers and other very sensitive information are just the tip of the iceberg. But dig a little deeper and the definition of a ‘Federal Website’ may be misleading. It could be said that these sites are the leaders of the marching band of data custodianship – but local and state sites are built on the foundation of the federal approach to security. If federal government sites fall prey to hackers the entire house of cards is at risk.
Web security – Are federal websites a ticking bomb?
In one of two tests administered on the sites, the analysts used Qualys SSL Labs’ “SSL Server Test,” which analyzes a website’s Secure Sockets Layer (SSL) certificates. The news was good – 71 percent of the sites passed the test, up from 67 percent the previous year.
SSL certificates ensure that all data being sent between the browser and server is encrypted. Should the lack of such certificates worry experts in security issues and users of federal websites? Yes it should. Websites use an SSL certificate to authenticate the identity of web servers and ensures that you are connecting to the official website. Users sharing sensitive information have peace of mind as the information you provide is encrypted and transmitted securely to ensure that hackers cannot intercept communications from a user, such as sensitive credit card information or other personal data, or alter data between the browser and the server.
In the second test, analysts examined each site to determine whether it had enabled the Domain Name System Security (DNSSEC).
Using Verisign Labs’ “DNSSEC Debugger,” which is a web-based tool that determines whether a website has enabled the security feature, the analysts found 88 percent of the websites they tested enabled DNSSEC, down from 90 percent in the previous year.
The security measure stops DNS attacks such as cache poisoning, which hackers use to redirect users to other webpages under the DNS. This sort of attack allows hackers to set up spoofed pages that are identical to actual federal websites in order to gather sensitive information from visitors or infect their computers with malware.
These security features also prevent distributed denial of service (DDoS) attacks. In these attacks hackers flood a website with botnet traffic and overload the website for extended periods of time. This tactic has been around for years and is a favorite attack strategy of foreign players who wish to cripple government sites.