State Department Joins NOAA, USPS In Club of Hacked Federal Agencies
Hot on the heels of recent cyber attacks on NOAA, the USPS, and the White House, the New York Times reports that the U.S. State Department has also suffered an online security breach, though it's not clear who to blame.
“This has impacted some of our unclassified email traffic and our access to public websites from our main unclassified system,” said one senior State Department official, adding that the department expected its systems to be up soon. ... The breach at the White House was believed to be the work of hackers in Russia, while the breaches at NOAA and the Postal Service were believed to be the work of hackers inside China. Attributing attacks to a group or nation is difficult because hackers typically tend to route their attack through compromised web servers all over the world. A senior State Department official said the breach was discovered after “activity of concern” was detected on portions of its unclassified computer system. Officials did not say how long hackers may have been lurking in those systems, but security improvements were being added to them on Sunday.
All of these agencies had to follow FISMA (among other regs). Perhaps it's time to stop letting politicians tell us how to do security?
I can see 2 things as the main root cause of this:
- Layers and layers of outsourced IT. Especially when dealing with a federal agency, almost every IT service in any agency has been outsourced. Those outsourcers hire other outsourcers and it becomes a big mess when you try to do anything that affects multiple parts of a system. I see this in the private sector as well working for an outsourcer...our team does their best to help but it's really maddening to see how much things slow down when the control gets dispersed. The network team has to talk to the storage team, who has to talk to the server team, who needs to open a ticket with the field services team to implement change #C9348673634. I do systems architecture work, so it's really painful to have to design around a garbage system like this rather than having a few smart people who know the system end-to-end.
- Security is tough and no one wants to be bothered. It wouldn't be impossible to enable 802.1x on a network, implement proper PKI to enable its effective use, and encrypt hard drives. But often, it either becomes too difficult to support or no one has the will to say things must be done in a certain way. Plus, user education is impossible. No matter how stringent the password policy is, they just write them down. People leave unencrypted laptops on trains with company data on them. It's just not possible to get them to care, full stop. They could be working with top secret nuclear weapons designs and it would mean nothing to them.
Of these two, I think the first is the hardest to overcome. Once a company or government agency has given up control of its IT environment to a company that needs to squeeze every nickel out of a contract, nothing difficult will get done. If an organization retains some sort of control and mandates change, it can be done at least to some degree. Look at how the attack on Target was carried out -- the group responsible figured out that the outsourced HVAC repair company had a connection to the store network, which (idiotically) the POS systems were also directly attached to. So by the time the outsourced IT services team figured out they had a problem, it was too late. This is what leads companies to delay things like patching and updates to equipment, because the process is too painful when dealing with the 25 third parties you have to line up for such a change.