Report: Federal Workers, Contractors Behind Half of Government Cyber Breaches
schwit1 writes: Federal employees and contractors are unwittingly undermining a $10 billion-per-year effort to protect sensitive government data from cyberattacks, according to a published report. The AP says that workers in more than a dozen agencies, from the Defense and Education departments to the National Weather Service, are responsible for at least half of the federal cyberincidents reported each year since 2010, according to an analysis of records.
...captain obvious!
If you don't want to watch 4 unrelated videos at once, turn off autoplay before visiting the sites in the summary.
The statistic I have always heard is that 60% of intrusions are internal. So 50% of breaches coming from employees sounds about right. It's a lot easier to steal stuff if you have a key. And as we have learned again over the past 6 years or so, the best way to rob a bank is to own one.
"What the American public doesn't know is what makes them the American public." -Ray Zalinsky (Tommy Boy)
I believe that in almost all sectors, users are the primary entree into the protected network, either via phishing or other social engineering. You could probably replace the word Government in the phrase "government cyber breaches" with healthcare, financial services, social networking, retail, non-profit, etc.
From TFA: "Since 2006, there have been more than 87 million sensitive or private records exposed by breaches of federal networks, .....
By comparison, retail businesses lost 255 million records during that time, financial and insurance services lost 212 million and educational institutions lost 13 million."
My bank is constantly sending out new credit cards because businesses (hey there Home Depot!) won't implement basic security measures to prevent data theft. Data security is a serious issue that needs to be addressed, but "Blame the incompetent gubmint!!!" isn't where we should start.
Never let a lack of data get in the way of a good rant.
Always one, isn't there.
Never underestimate the power of stupid people in large groups.
... instead of fixing the goddam problem.
FTFA:
"No matter what we do with the technology ... we'll always be vulnerable to the phishing attack and ... human-factor attacks unless we educate the overall workforce," said Eric Rosenbach, Assistant Secretary of Defense for Homeland Defense and Global Security.
Bold is mine.
So much for AI in doing anything useful in protecting systems, and it's not the overall workforce that needs educating ... it's the fucking gate keepers -- IT and software/hardware manufacturers.
It's a bitch that we send people to schools to be experts in their craft and then we have to educate the consumers of our craft because we are so fucking incompetent.
It little behooves the best of us to comment on the rest of us.
Actually, I would hope that it would be even higher, as the alternative is that most of your data breaches are from external attacks.
A "data breach" could be anything from unwittingly clicking on a malware link in a phishing attack (although those are pretty well filtered) to the more common data-spill, where information is transmitted on a system that is not certified for the information, like emailing home a phone listing that contains PII.
And the Russians! Aren't they the chief troublemakers? How can we push our pre-emptive cyberwarfare without a boogeyman foreigner?
You don't work in IT, do you? Users are fucking idiots. When you can ask a random employee in the street to let you into their building because you're working on floor X and have forgotten your pass, and they let you in, how the fuck do you blame IT?
"You clicked on what?"
"Don't let the door hit you on the way to the unemployment office."
And here I thought those guys didn't do anything all day...
If education could have worked, it would have worked by now.
The problem is that even if the IT people are competent they have to be MORE competent than everyone who can attack them. Why does everything have to be connected to the Internet?
And they have to be that competent with the software/hardware that they're using. How many times has the purchasing decision been made before you've even been aware of the issue?
Which leads to the issues that the software/hardware vendors have within their own companies. Ship today and we'll patch tomorrow. Got to get to market before the competition.
And that isn't considering the problems that "management" at the company you work for keeps introducing. I cannot tell you how many times some executive simply had to have admin access on his laptop which resulted in massive infections being brought onto the network.
Security is easy --- in theory.
But it depends upon hundreds or thousands of decisions being made correctly. By people who have no incentive to protect the security of the systems you support.
Dear US military and federal contracting wanker-sphere,
I know you were 30 years late discovering this whole internet thing, so imagery and phrases from 1980s cyberpunk still sound super-duper-cutting-edge to you, but can you please stop using "cyber" as a catch-all for everything connected to computers? Thanks.
PS: When you leave a laptop full of citizen's private information on the bus, and a million people's social security numbers turn up on pastebin the next day, that's called "negligence" not "a cyberattack".
0 1 - just my two bits
....the average person can keep track of the latest and greatest threats/ patches /updates etc and still have time to do their job.
IMHO the current state of affairs is due to senior management in all industries/government because IT departments are seen as cost centers to be minimized at all cost.
#1 They refuse to spend the $$$ to implement things correctly. Everything must be done on the quick and CHEAP.
#2 They refuse to spend the $$$ to train their personnel correctly on the basics of using a computer.
#3 They refuse to listen to advice and policies implemented by IT. Often times if one senior vp or somebody of sufficient status complains that something is too difficult, time consuming or troublesome, the policy is dropped/ignored.
#4 They refuse to hire enough IT staff and pay the market price for their expertise. Oftentimes every IT department I have worked for has been understaffed and barely able to keep up with the daily support requests......And by keeping them close to 110% load 100% of the time, you end up burning out your most skilled personnel who leave for greener pastures....or change fields altogether.....
#5 They refuse to spend $$$ to train their IT personnel for an ever evolving industry. They somehow expect him to keep up to date on his own time (after of course putting in a 90 hour work week).
All of the above leads to the clusterfuck mess we have today....
Quite honestly there is no easy solution to all of this...
Sorry, but I don't believe any story where the source is Fox News, even if it is stating the obvious.
They have misstated the truth too many times for me to credit them.
In any case, I'm puzzled. Since they're saying that if a site is attacked, the person responsible is the victim, for having been vulnerable, surely the correct statistic is that 100% of the breaches are due to employees or contractors.
All attacks are because somebody, somewhere, left a vulnerability. Not half: all. A hundred percent.
They need to be taking proactive steps to securing their systems not only against outside threats, but from the idiots using their systems/networks. Isn't this like common knowledge, your users are your worst enemy?
Oh wait, it's the guberment. All bets are off, I guess. Common sense need not apply.
at every opportunity, often to shine light away from the NSA's own global malfeasance.
All of it can be overcome by a janitor with a USB drive with penetration software.
Security culture is worse. Elaborate passwords. Two or three factor identification. Putting the security burden on the user in general. All you do is:
1) Inconvenience users and make productivity next to impossible.
2) Create an entire culture of employees who must, in order to get any work done, know how to hack their way into corporate systems from outside (I know of two ways. My IT guy knows about 6 entirely different ways), and frequently, inside.
The problem is that security guys get bonuses for reducing intrusions (as they count them). Everyone else gets bonuses for getting their work done and being productive, which frequently isn't something that ever gets on a spreadsheet.
And upper management, as usual, is too stupid, distracted with power politics and just plain pig-ignorant to understand this.
Please do not read this sig. Thank you.
Why are government employees web surfing? Don't they have anything better to do?
I want to be a cyber ranger
remote controlling all the danger
cyber ranger
remote danger
captcha: ferocity
If you IA types understood how a network actually works, maybe we could talk, but get your CISSP and make big bucks saying NO.
Example:
Backup program needs Port X open to initiate backups on remote servers (remember we are an Enterprise, Remote Management and all). Vendor did not adequately document port but our firewall logs and sniffer clearly indicate this message originates from the control server and goes to the Media server to initiate the backup.
What does IA do? Stops all backups until the paperwork is finished: six months without backups, and guess what, once the vendor documents it, they turn it back on. No thought about the data risk, just turn it off.
Further details if you want but why not allow us a firewall rule from control server to destination server locked to IP addresses and maybe only during a defined time window to allow the backups.
But IA has the hammer and enjoys using it.
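The narrowed rule the comment proposes (control server to media server only, one port, locked to IP addresses, only inside a backup window), modelled as an added example that is not part of the original post and not any real firewall's syntax. The addresses, the port standing in for the vendor's undocumented "Port X", the time window and the log lines are all constructed.

```python
import re
from datetime import datetime, time
from ipaddress import ip_address

# Assumed values for the scenario in the comment (all constructed):
CONTROL_SERVER = ip_address("10.0.1.10")            # initiates backups
MEDIA_SERVER = ip_address("10.0.2.20")              # receives the initiation message
BACKUP_PORT = 10000                                 # placeholder for the vendor's undocumented "Port X"
WINDOW_START, WINDOW_END = time(1, 0), time(5, 0)   # backup window 01:00-05:00

# Simplified iptables-like log line format (constructed for this example).
LOG_RE = re.compile(r"^(\S+ \S+) SRC=(\S+) DST=(\S+) PROTO=TCP DPT=(\d+)")

def in_window(t):
    """True if clock time t falls inside the backup window (handles a window that crosses midnight)."""
    if WINDOW_START <= WINDOW_END:
        return WINDOW_START <= t < WINDOW_END
    return t >= WINDOW_START or t < WINDOW_END

def decide(ts, src, dst, dport):
    """Apply the narrowed rule: control -> media, one port, only inside the window."""
    if ip_address(src) != CONTROL_SERVER:
        return "DENY unexpected source"
    if ip_address(dst) != MEDIA_SERVER:
        return "DENY unexpected destination"
    if dport != BACKUP_PORT:
        return "DENY unexpected port"
    if not in_window(ts.time()):
        return "DENY outside backup window"
    return "ALLOW"

def review_log(lines):
    """Evaluate log lines against the rule; returns one verdict per parsable line."""
    verdicts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line: skip rather than guess
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        verdicts.append(decide(ts, m.group(2), m.group(3), int(m.group(4))))
    return verdicts

SAMPLE_LOG = [  # constructed: one legitimate initiation and three that the rule should reject
    "2014-11-10 02:15:00 SRC=10.0.1.10 DST=10.0.2.20 PROTO=TCP DPT=10000",
    "2014-11-10 14:30:00 SRC=10.0.1.10 DST=10.0.2.20 PROTO=TCP DPT=10000",
    "2014-11-10 02:20:00 SRC=10.0.5.5 DST=10.0.2.20 PROTO=TCP DPT=10000",
    "2014-11-10 02:25:00 SRC=10.0.1.10 DST=10.0.2.20 PROTO=TCP DPT=22",
]

if __name__ == "__main__":
    for line, verdict in zip(SAMPLE_LOG, review_log(SAMPLE_LOG)):
        print(verdict, "<-", line)
```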
Workers are responsible for half of cyber incidents? Well, if opening an email or clicking a link as described in the article makes the worker responsible, then so be it. But, in the days before the internet, when corporate (or government) espionage was the issue, it wasn't the worker who created the report that was responsible for it being stolen, but the actual thief. So, other than another attempt to denigrate government workers, why if somebody sends a malicious link is it not the person who sent the link responsible versus the unknowing end user?
Saying the government workers are the cause of the problem is like saying the woman wearing a short skirt was the cause of the rape. Blaming the victim just diverts attention from the real problem.
... a person in the workforce asks me if an email is safe.
I grab their email.
The sender is apparently UPS, and the package ain't going nowhere until I click on the attached invoice and correct the ship-to address and stuff.
NOW PAY ATTENTION:
I look at the attachment and it's a .zip file. I double-click the .zip and, inside, there's a goddam .exe.
UPS isn't going to send an attachment in the first place, and it damn sure isn't going to be an .exe, right?
Why in Sam Hill can't a small, fast AI scrubber do this simple task?
Why can't AI follow a link, intercept a download (either with or without the operator's permission), let the code execute in a sandbox to see what it WOULD do and say, "I don't think so?"
We don't need to educate the workforce.
We just need to do our jobs.
It little behooves the best of us to comment on the rest of us.
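The check the comment walks through by hand (a fake carrier notice whose .zip attachment holds an .exe), as an added gateway-side example that is not part of the original post. The sender addresses, the attachment name and the stub "executable" bytes are constructed, and the extension lists are an assumed policy, not anything the post specifies.

```python
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Assumed policy: extensions a mail gateway should never hand to an end user.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".msi"}
ARCHIVE_EXTS = {".zip"}

def _ext(name):
    name = (name or "").lower()
    return name[name.rfind("."):] if "." in name else ""

def suspicious_attachments(raw_bytes):
    """Return (attachment_name, reason) for every attachment that is an executable
    or a zip archive containing one; an empty list means nothing was flagged."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        payload = part.get_payload(decode=True) or b""
        if _ext(name) in EXECUTABLE_EXTS:
            findings.append((name, "executable attachment"))
            continue
        # Check by extension and by magic bytes, so a renamed zip is still inspected.
        if _ext(name) in ARCHIVE_EXTS or payload.startswith(b"PK\x03\x04"):
            try:
                with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                    for member in zf.namelist():
                        if _ext(member) in EXECUTABLE_EXTS:
                            findings.append((name, f"archive contains executable: {member}"))
            except zipfile.BadZipFile:
                findings.append((name, "corrupt or fake zip"))
    return findings

def build_sample_email():
    """Constructed sample: a fake 'UPS' notice with invoice.zip holding invoice.exe."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.exe", b"MZ" + b"\x00" * 16)  # constructed stub, not a real binary
    msg = EmailMessage()
    msg["From"] = "UPS Delivery <noreply@example.invalid>"
    msg["To"] = "worker@example.invalid"
    msg["Subject"] = "Your package is on hold"
    msg.set_content("Please open the attached invoice and correct the ship-to address.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="invoice.zip")
    return msg.as_bytes()

if __name__ == "__main__":
    for name, reason in suspicious_attachments(build_sample_email()):
        print(f"BLOCK {name}: {reason}")
```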
"Report: Federal Workers, Contractors Behind Half of Government Cyber Breaches"
Since the government employs about half of the people in the US this is probably statistically correct for anything :)