Snyk Pilot Flags Hacking Vulnerabilities
We all take measures to protect our homes and personal belongings from harm. Likewise, OIT works around the clock to protect the enormous amount of data CMS collects every day from cyber-attacks.
Cybersecurity measures protect all categories of data from theft and damage. For OIT, this may include sensitive data, personally identifiable information (PII), protected health information (PHI), personal information, and information systems.
One example of how we are constantly working to ensure our data stays safe is a recently completed pilot using a cybersecurity analysis tool called Snyk (pronounced “sneak”). The results from this pilot are a true game-changer in the fight to protect our sensitive data from hackers.
Initially proposed as a supply chain remediation initiative in 2020, the pilot successfully identified and fixed nearly 2,000 systemwide vulnerabilities that exposed CMS to widespread hacking attacks.
The initiative is notable because it showed for the first time how vulnerable CMS was to cyber threats from hackers who exploit shared open-source code pulled into application development projects. The pilot was so successful that it has since become part of the CMS portfolio offering Enterprise Security services.
Snyk is a cybersecurity analysis tool that helps developers find, prioritize and fix vulnerabilities and license issues stemming from open-source dependencies.
We asked Andrés Colón, CMS Chief Technology Architect, and manager of the Snyk pilot, to discuss what the program means for CMS as a whole and how OIT is using it to protect data from cyberterrorism.
Q: How big of a threat is cyberterrorism for CMS?
A: Cybersecurity has become very complex over the years. Hackers are constantly looking for new ways to compromise systems. There are new potential threats that could put CMS systems at risk every day. Information security is a quickly evolving landscape, and for us, it’s an arms race to protect systems.
Q: What are hackers looking for?
A: They can do a couple of things. They can steal data or run code in our systems, they can gain access inside our systems and start moving things around. Most hacking attacks come from organized groups with vested interests in stealing data, infiltrating data, and running malicious code. Attacks are coming from nation-states, terrorist groups, and criminal organizations that are trying to acquire computing power. So if our systems are compromised, they might use that to launch additional attacks.
Q: How do they gain access?
A: Attacking a system from the outside can be difficult because defense and firewall systems have gotten better at keeping hackers out over the last couple of decades. So hackers look for vulnerabilities in the external third-party code that developers are pulling in for the projects they are working on and then find ways to get into our systems. The big thing is vulnerabilities are being introduced into our systems from outside sources by developers without them knowing about it. These vulnerabilities are massive problems because anybody can use them to access our systems.
Q: How does the Snyk pilot protect our systems from attack?
A: The purpose of the Snyk pilot was to help developers identify vulnerabilities that they are introducing into the code because they don’t want to reinvent the wheel. So instead of writing all that functionality from scratch, the world of open-source (software development) has battle-tested, shared code available for free. As a result, sometimes, you will have 80 percent of your codebase coming from outside the organization.
Q: How exactly does Snyk work?
A: Snyk gives developers the ability to scan as they are creating code and it will automatically tell the developer there is an issue in the code they are writing. This allows the developer to use the latest version of the code that has remediated all those vulnerabilities or find another version instead. The goal is to help developers develop fast before the tool has been shipped but at the same time, we want them to stay secure. So Snyk allows us to “shift left,” which means in the software development cycle, we’re trying to go as far to the left as possible so vulnerabilities can be caught early.
Q: How were vulnerabilities detected before the pilot?
A: As an agency, we didn’t have any tools to remediate supply chain vulnerabilities. We should always be in a position where we know about our vulnerabilities and be prepared to remediate them. So I proposed a pilot in 2020 between my group in Technology, Engineering and Architecture (TEA) and the Cloud group in OIT. They saw the supply chain as an issue and wanted to help their customers. So we decided to try this in a pilot, and that’s where my group came in and put up the money so we could test it with 50 developers for a year.
Q: What were the initial findings?
A: We quickly discovered that CMS had projects out in the open that were public and vulnerable that nobody knew about. The pilot identified nearly 2,000 system vulnerabilities, some of which were critical vulnerabilities, and many were previously unknown to the agency. And we estimated more than 10,000 vulnerabilities were prevented from being introduced, all thanks to the pilot. So obviously, CMS needs to have good hygiene, especially for things that are very clearly visible to everybody.
Q: Have there been any recent attacks on CMS?
A: A very scary vulnerability called Log4J occurred across the entire industry just a month ago. Because we had Snyk already in place, we had the information we needed to quickly focus our rapid response teams on managing the risk to CMS.
Q: How did the pilot come about?
A: The pilot started as a joint project between the Infrastructure and User Services Group (IUSG) and the Information Security and Privacy Group (ISPG) and eventually expanded to a collaborative effort with the Enterprise Architecture and Data Group (EADG) and the OIT Front Office. By September 2021, we ended up engaging six business groups across many different offices, and nine product teams actively using Snyk.
The collaboration around this program has been extraordinary. Our Chief Information Security Officer, Robert Wood, saw an enormous value in the pilot and provided significant funds to help us take it to the next level. Leo Thomas from Security and Operations in ISPG and Thomas Park and Amine Raounak from IUSG have also been very active in helping take this initiative to the entire enterprise.
Q: What is the status of the initiative now?
A: The pilot is complete and is now part of the CMS portfolio offering Enterprise Security services. The Information Security and Privacy Group and the Cloud Group both saw so much volume in the pilot that they decided to pull together funding to ship this at scale as part of the CMS portfolio of services in December at no cost to the organization.
But there is more work to be done. It’s essential to keep in mind that there’s more to cybersecurity than just fixing vulnerabilities. The problem is determining your window of exposure. If you find and close the vulnerability minutes after it is opened, chances are nobody got it. But if the vulnerability was open for three or six months, you can close it. You don’t know if somebody is already in the house. So now that we have closed all these vulnerabilities, we have to act to reduce the exposure. The moment we know about it, we’ve got to act.
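As an added illustration of the two ideas in the answers above, matching a project's declared dependency versions against known-vulnerable ranges and measuring the "window of exposure" between disclosure and remediation, here is a small Python sketch. It is constructed for this article and is not Snyk's code or data format; the package names, advisory IDs, versions and dates are made up.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Advisory:
    """One known-vulnerable version range of an open-source package (constructed)."""
    adv_id: str
    package: str
    affected_from: str   # first affected version (inclusive)
    fixed_in: str        # first remediated version (exclusive upper bound)
    severity: str
    published: date      # public disclosure date

def parse_version(v: str) -> tuple:
    # Tuple comparison ranks 1.2.10 above 1.2.9; plain string comparison would not
    return tuple(int(part) for part in v.split("."))

# Constructed sample data: neither a real project's manifest nor real advisories
MANIFEST = {"fast-logger": "2.14.1", "yaml-reader": "5.3.0", "http-client": "4.1.7"}
ADVISORIES = [
    Advisory("ADV-0001", "fast-logger", "2.0.0", "2.15.0", "critical", date(2021, 12, 10)),
    Advisory("ADV-0002", "yaml-reader", "5.0.0", "5.4.0", "high", date(2021, 6, 1)),
    Advisory("ADV-0003", "http-client", "3.0.0", "4.0.0", "medium", date(2020, 3, 3)),
]

def find_vulnerable(manifest, advisories):
    """Return (package, version, advisory) for each dependency inside an affected range."""
    findings = []
    for pkg, ver in manifest.items():
        v = parse_version(ver)
        for adv in advisories:
            if adv.package != pkg:
                continue
            if parse_version(adv.affected_from) <= v < parse_version(adv.fixed_in):
                findings.append((pkg, ver, adv))
    return findings

def exposure_days(adv, remediated_on):
    """Days between public disclosure and remediation: the window of exposure."""
    return max(0, (remediated_on - adv.published).days)

def report(manifest, advisories, remediated_on):
    """Human-readable findings with the upgrade target and exposure window."""
    lines = []
    for pkg, ver, adv in find_vulnerable(manifest, advisories):
        lines.append(f"{adv.severity.upper():8} {pkg}@{ver} -> upgrade to {adv.fixed_in} "
                     f"({adv.adv_id}, exposed {exposure_days(adv, remediated_on)} days)")
    return lines

if __name__ == "__main__":
    print("\n".join(report(MANIFEST, ADVISORIES, date(2021, 12, 14))))
```

The same range check run on every commit, rather than once a quarter, is what shrinks the exposure window the answer above is concerned with.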
For more information on Snyk, go to https://snyk.cms.gov/.