The government sector continues to struggle with a high rate of machine compromise, malware and file-sharing activity, according to the fourth annual security ratings industry index by Cambridge-based BitSight Technologies.

Looking at the security ratings of organizations in each of six sectors — finance, legal, retail, health care, energy/utilities, and government — BitSight found government had the highest percentage in the Basic security category (more than 20 percent) and the number of reviewed systems in the Advanced category dropped between March and November of 2016. 

Government remained last overall in average security performance over the last 12 months, based on an examination of security events, diligence data and user behavior such as peer-to-peer file-sharing activity.

BEDEP — a backdoor delivered through malicious Adobe Flash-based advertisements — is the most common machine compromise across all industries, and government ranks among the top three sectors with the highest rate of this botnet. Commands from a remote server then give an attacker partial or complete administrative control of the compromised system.

This is not the only rated botnet with its greatest exposure in the government sector: Conficker.AB, which targets the Windows operating system, has also been shown to infiltrate 10 percent of organizations.

The survey also found the legal sector has the second-highest percentage of organizations in the Advanced security rating category, yet more than 60 percent of its organizations have been exposed to DROWN, a major SSL/TLS vulnerability that can potentially be used to decrypt and expose sensitive information sent over HTTPS. This makes the legal industry a troubling target, as it is one of the most widely used third-party services in the world.

BitSight recommends that organizations update the security protocols in their web server configurations, invest in training employees against cyber risks while browsing online, adopt continuous monitoring of their security strategies, establish cybersecurity benchmarks and continue promoting a top-to-bottom organizational cybersecurity dialogue.
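As an added illustration of the first recommendation (not part of the BitSight study or this article), here is an nginx server block with the protocol setting that leaves a site exposed to DROWN, beside the corrected setting; the hostname and certificate paths are placeholders. DROWN is a cross-protocol attack: a TLS server is affected whenever its RSA key is also accepted by any service that still speaks SSLv2, so the review has to cover every host that shares the certificate, not just the web server.

```nginx
# Weak configuration: the explicit protocol list still enables SSLv2
# (the protocol DROWN abuses) and SSLv3.
server {
    listen 443 ssl;
    server_name www.example.gov;                 # placeholder hostname
    ssl_certificate     /etc/ssl/example.crt;    # placeholder path
    ssl_certificate_key /etc/ssl/example.key;    # placeholder path
    ssl_protocols SSLv2 SSLv3 TLSv1 TLSv1.1 TLSv1.2;
}

# Corrected configuration: only current TLS versions are offered.
# The same certificate and key must not be served by any other
# SSLv2-capable host (for example a legacy mail server), or the
# web server remains exposed even with this setting.
server {
    listen 443 ssl;
    server_name www.example.gov;                 # placeholder hostname
    ssl_certificate     /etc/ssl/example.crt;    # placeholder path
    ssl_certificate_key /etc/ssl/example.key;    # placeholder path
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
}
```

After the change, reload nginx and confirm from a client that only TLS 1.2 and 1.3 handshakes succeed; disabling SSLv2 in the configuration does nothing if the OpenSSL build on an older host was patched separately and the key is still reachable through another service.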

The entire study can be viewed on BitSight’s website.