Tuesday, September 25, 2007

DHS Security Breach cont...

I believe that Richard summed up the consensus of the security community with his recent posting at http://taosecurity.blogspot.com/2007/09/dhs-debacle.html, therefore I will only stick to my comments. I would also like to note that I am not taking any sides here, simply commenting on what I read, Contractor Blamed in DHS Data Breaches:

Among the security devices Unisys had been hired to install and monitor were seven "intrusion-detection systems," which flag suspicious or unauthorized computer network activity that may indicate a break-in. The devices were purchased in 2004, but by June 2006 only three had been installed -- and in such a way that they could not provide real-time alerts, according to the committee. The rest were gathering dust in DHS storage closets and under desks in their original packaging, the aide said.

But who made the decision? I have personally seen "critical" equipment in the back of many a corporation's and government agency's closet... Was this due to negligence by not being installed, or were DHS personnel involved in mucking up the works, so to speak?

In the 2006 attacks on the DHS systems, hackers often took over computers late at night or early in the morning, "exfiltrating" or copying and sending out data over hours -- in one case more than five hours, according to evidence collected by the committee.

A senior military technology officer warned last fall that China downloaded "10 to 20 terabytes of data" from the Pentagon's non-classified Internet Protocol router network. "They are looking for your identity so they can get into the network as you," Maj. Gen. William Lord, Director of Information Services and Integration in the Air Force Office of Warfighting Integration, said at an Air Force technology conference. "There is a nation-state threat by the Chinese."

I am curious if DHS or Unisys have the data or capability to review any detailed session data. Just another case for good exfiltration detection tools and techniques. They obviously got something with those "three" sensors that were in place.

"Through October of that year, Thompson said, 150 DHS computers -- including one in the Office of Procurement Operations, which handles contract data -- were compromised by hackers, who sent an unknown quantity of information to a Chinese-language Web site that appeared to host hacking tools."

I guess not...

In closing, please be sure that your C&A / ST&E and so forth and so on are conducted by personnel that are not connected to your operations. Further, be sure that you ensure adequate controls are in place and not just hot air! Seems like I had more to add yesterday when I was worked up about this, but it has subsided. I hope that you find this useful, as with my previous posts.
