Ongoing concern over Pentagon network attack

In June 2007, a network intrusion at the Pentagon resulted in the theft of an “amazing amount” of information. The incident continues to be a national security concern according to Dennis Clem, Office of the Secretary of Defense (OSD) CIO.

The OSD detected malicious code in various portions of the network infrastructure during a project to consolidate resources. Over the following two months, the code infiltrated multiple systems, culminating in an intrusion that exploited a vulnerability in Microsoft Windows.

During the attack, spoofed e-mails bearing recognizable sender names were sent to OSD employees. Because the messages appeared legitimate, employees opened them, which allowed user IDs and passwords to be stolen. As a result, sensitive data housed on Defense systems was accessed, copied, and sent to the intruder.

From GovernmentExecutive.com:

"This was a very bad day," said Clem during a panel discussion at the Information Processing Interagency Conference Tuesday. The breach continues to pose a threat, he added. "We don't know when they'll use the information they stole, [which was] an amazing amount, [including] processes and procedures that will be valuable to adversaries."

Clem didn't give any indication that the source of the attack was identified, nor did he provide details about what data was accessed. He noted that the network used by the office of John Grimes, Defense CIO and assistant secretary of networks and information infrastructure, is maintained separately, and therefore was not compromised.

“They used every tool they could against us,” Clem said at the Information Processing Interagency Conference. While Clem did not identify the source of the code, later reports identified it as most likely coming from the Chinese government.

From FCW.com (Federal Computer Week):

It was a judgment call on Clem’s part to block only part of the network that handles the e-mail system. He had staff advising him to shut down the whole network.

“It was a huge gamble,” he said, adding that the security operations center had in place an effective scanning tool which supported his view that the intrusion had not yet spread throughout the network. But his next step would have been to shut down all of the office’s network, Clem said.

The Pentagon manages around 70,000 illegal-entry attempts daily that range from small innocuous probes to full-blown attack attempts. Attackers know, often within minutes, when a new server or new software is introduced.

Also from FCW.com:

Besides disconnecting part of the network, Clem took some actions that mitigated the damage. He proceeded systematically through the processes and procedures. He used a utility to check user identifications and required the regular use of smart cards, which have two-factor authentication. He implemented digital signatures to protect against spoof e-mail. He recorded all his activities and communications during the response period.

Information technology security has to be comprehensive to be effective. “You have to close every possible door that can be opened,” Clem said, but cautioned, “Even the best intrusion detection program can’t stop all of them.”
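The attack chain described above started with mail that carried a recognizable colleague's name on an address the organisation did not own, and two of the countermeasures Clem lists (digital signatures on mail, a utility to check user identifications) are aimed at exactly that gap. The following is an added example, not code from the article or from OSD, showing the kind of mail-gateway check a defender would run over incoming messages: it flags a known display name arriving from a foreign domain, a known name on an unexpected mailbox, an external Reply-To, and an internal sender with no signature header at all. The staff directory, the domain list and the three sample messages are constructed for the demo, and the DKIM check only tests that a signature header is present; a real deployment verifies the signature and DMARC alignment.

```python
"""Flag incoming mail that impersonates a known colleague, the pattern the
article describes (spoofed messages carrying recognizable names).

Added example, not code from the article or from OSD.  The staff directory,
the organisation's domains and the three sample messages are constructed
for the demo; the DKIM check only tests that a signature header is present,
it does not verify the signature.
"""
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed directory: display names recipients would recognise -> mailbox
KNOWN_STAFF = {
    "dennis clem": "dclem@osd.example.mil",
    "john grimes": "jgrimes@osd.example.mil",
}
ORG_DOMAINS = {"osd.example.mil"}


def _domain(address):
    return address.rpartition("@")[2].lower()


def assess(raw_message):
    """Return the list of findings for one message; an empty list means clean."""
    msg = message_from_string(raw_message)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    name_key = " ".join(name.split()).lower()
    from_domain = _domain(addr)
    known = name_key in KNOWN_STAFF

    # 1. A colleague's name on an address the organisation does not own
    if known and from_domain not in ORG_DOMAINS:
        findings.append("display-name impersonation: %r sent from %s" % (name, addr))

    # 2. Name and domain look right, but it is not the mailbox on record
    if known and from_domain in ORG_DOMAINS and addr.lower() != KNOWN_STAFF[name_key]:
        findings.append("known name on unexpected mailbox: %s" % addr)

    # 3. A Reply-To outside the organisation redirects any answer elsewhere
    for _, reply in getaddresses(msg.get_all("Reply-To", [])):
        if reply and _domain(reply) not in ORG_DOMAINS:
            findings.append("external Reply-To: %s" % reply)

    # 4. An internal sender with no signature at all cannot be authenticated,
    #    which is the gap the digital-signature countermeasure closes
    if from_domain in ORG_DOMAINS and msg.get("DKIM-Signature") is None:
        findings.append("internal sender without DKIM-Signature header")
    return findings


# Constructed sample messages
SPOOFED = """From: Dennis Clem <dennis.clem@mail-relay.example.net>
To: staff@osd.example.mil
Reply-To: dennis.clem@mail-relay.example.net
Subject: Updated consolidation procedures

Please sign in at the link below to confirm your account.
"""

SIGNED_INTERNAL = """From: Dennis Clem <dclem@osd.example.mil>
To: staff@osd.example.mil
DKIM-Signature: v=1; a=rsa-sha256; d=osd.example.mil; s=sel1; bh=PLACEHOLDER; b=PLACEHOLDER
Subject: Panel notes

Notes attached.
"""

UNSIGNED_INTERNAL = """From: John Grimes <jgrimes@osd.example.mil>
To: staff@osd.example.mil
Subject: Quick question

Can you send me the procedures document?
"""


def triage(messages):
    """Map each message label to its findings, for a batch run."""
    return {label: assess(raw) for label, raw in messages.items()}


if __name__ == "__main__":
    batch = {"spoofed": SPOOFED, "signed": SIGNED_INTERNAL, "unsigned": UNSIGNED_INTERNAL}
    for label, found in triage(batch).items():
        print(label, found or "no findings")
```

Run as a script it prints two findings for the spoofed message, none for the signed internal one and one for the unsigned internal one. The point of check 4 is the one Clem's signature rollout addresses: once every internal sender signs, an unsigned message claiming to be internal is itself the signal, and the check no longer has to guess from names and domains.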

The information provided by Dennis Clem in this presentation tells us a few things. It tells us that the government tried hard to avoid the hack but was met with a determined foe. It tells us that the government was taking steps to improve its situation even while being attacked. It tells us that while the government employs some pretty bright people, anyone can be vulnerable. And the government is a target.

What is the right approach? What would you have done different to mitigate an attack in progress? What steps does your company take to avoid a breach?

70 comments
Cliffsull

It beggars belief that the US government and especially the Pentagon still don't see that the fault is 'theirs'? When the guy accused of the 'Biggest Military hack' in history accessed their systems in 2002/2003 he gained entry using simple kiddy-scripts and by taking advantage of the network administrators' laziness in not changing the 'default' passwords built into the hardware they employ. It's been almost a decade and they still (the U.S. and U.K. lawmakers) are intent on ruining Gary McKinnon's life. Shame on the admins who allow(ed) this to happen. Shame on the Pentagon. http://www.freegary.org.uk

dirtylaundry

"“They used every tool they could against us,” Clem said at the Information Processing Interagency Conference." Well, Sir Idiot, you were using M$ Windoze on the Country's most important systems. They didn't need to use that many *tools* in their arsenal to crack this one. This is the classic *not learning from History and having it doomed to repeat* situation. It may not be the best Literary piece, but Cliff Stoll's "The Cuckoo's Egg" is excellent reading as a cautionary tale. And to think, the wonderful M$ also has their software in Ford cars and looking to get some Bio-tech patents - scary stuff indeed. We're all Doomed.

photoj

Why is the Pentagon depending on Windows for security and data integrity? Can you say oxymoron.. If the average spammer knew they were running windows they would probably hack in just for access to emails to spam :) You would think that with a couple hundred billion dollar budget they would make a new operating system or heck just use Linux..

TheAngelsOfMicrosoft

How about some help for a novice? I've had similar attacks for years and can't get anyone to look at the data. Download files at www.justice4ditto.spaces.live.com There are lots of files in the SkyDrive. Just check it out. Mark Jensen mark@animaldentalcare.info

mike_patburgess

During the 80's the military used to use proprietary systems for their business. Now, they use COTS stuff and they deserve what they get. MS is not a system they should be using.. Go back to proprietary systems, dumb terminals on everyone's desk and eliminate or at least minimize the problems. Anyone remember MULTICS...?

RU_Trustified

MB, I am from Ottawa too. We should chat. Contact me. Trustifier works with all COTS platforms to provide scalable multi-level security, so it is not necessary to migrate backwards. All that is needed is a means to add internal controls where they have been lacking so far.

dawgit

I do believe, IMHO, that if you were to use your own nick (like the rest of us here) instead of your company as a nick, it might help in the credibility department. You might have a kick-a$$ product, -or- you might not, I don't know, and wouldn't say here if I did. But if you're here to advertise, pay. (TR needs the money for coffee cups.) Now, don't take that personally, it's not meant that way. Just a tip. So as to keep the troll/rat smell to a minimum. (My thinking anyway, BTW.) -d

JCitizen

But someone else might turn you in as a spammer.

RU_Trustified

...about the fact that this technology clearly influences the position that I take on certain issues. I had a previous moniker but after an absence from the forum could not remember it or my password. I simply put that down quickly one day to respond to something that came in the newsletter, without putting any time into it. I will go on record that I do not attempt to "sell" on these forums, but I do attempt to put the concept forward for people's awareness and future consideration. So if you want to shoot the messenger, go right ahead, be my guest. I have a thick skin (and probably a thick head as well) :)

JCitizen

there also! Having a moniker that matches the product is even more distasteful. :(

binarypc

If Linux or Unix was the primary desktop of choice, it would get hacked too. It would just be a matter of time. As I see it, the DoD is more like the largest corporation in the world, with the highest turnover rate ever. Deploying systems and updates to them takes longer than to anyone else. They have a need for systems that the majority of personnel are already going to be trained on when they "hire" in. Hence cookie-cutter systems such as Windows. What is really going to keep them from this type of problem are principles that are practiced, no matter what Operating Systems they choose to use. To me, it looks like everyone needs the ability to have an unsecure system that contains no, none at all, secure data. As information or data turns secure and/or is collected into what pertains a secret, the compilation or collection of that piece gets moved to the secure network and can no longer be discussed or utilized on the unsecured, vulnerable network. The back-end of that secure network would never, ever be plugged into the internet, true. We go back to the $500 hammer so the govt can pay for their own global "almost unhackable" network.

NickNielsen

[i]To me, it looks like everyone needs the ability to have an unsecure system that contains no, none at all, secure data. As information or data turns secure and/or is collected into what pertains a secret, the compilation or collection of that piece gets moved to the secure network and can no longer be discussed or utilized on the unsecured, vulnerable network.[/i] The problem with your suggestion is that there is not one central source for this information. Intruders can gain access to individual PCs at Base A, Camp B, Fort C, etc., etc. Each PC may not have enough information to be considered classified, but putting together enough pieces can form a complete (and often classified) picture. Policies and procedures are in place to prevent intrusion, but given the size of the target and the potential payoff, there will always be intrusion attempts. Ironically, the only way to completely eliminate the electronic threat is to disconnect DoD from the network they created. Aside: DoD's secure network (SIPRNet) uses the same network trunks as the rest of the internet, but uses fully private keys and encryption techniques that leave publicly available methods in the dust. Edit: clarify

RU_Trustified

When you are able to scale MLS, you can achieve either trusted zones in a DAC environment or have end-to-end trusted networks if you need them. You might agree that this could be a formidable defense against intrusion. The fact that we are touting defense against all authorized insiders, including the system administrators and security officers, which is much harder to do, should cue you to the fact that this is an advanced technology. It would be hard to discuss a technology and not "sell" when it is your exclusive development, would it not? I try not to cross the line, but if someone says we should throw out everything we have and go back to (whatever), I think I should add my personal knowledge about a new technology that can be used with current IT infrastructure. When you have white list technology at the data level for all authorized user-roles, and deny-by-default trusted systems to prevent privilege escalation that act as a behavior enforcer, so that even previously unseen malware cannot execute, it means that no external attackers get anything in an unauthorized fashion either, if they are not on that white list. Contact me via this site or email myself (rob) at the site you list and I will gladly send you links to explain why we can take this position and how it works. I am always looking for feedback.

NickNielsen

You're pushing a product that is advertised as preventing unauthorized [u]insider[/u] access in a discussion about network intrusion. http://www.googgun.com/products/trustifier/ Why did I not have to check your profile to conclude that you're in marketing?

RU_Trustified

This is the problem of aggregate data. Having foreign nation states hack into unclassified networks does not mean that aggregated data from unclassified networks can not be inferred to classified level importance educated guesses. MLS is not widely understood in commercial space but it is a data fail safe method of controlling the flow of business data. If you are not on the whitelist, you get nothing. It is deny by default, as it should be. We now have the ability to scale across the enterprise with existing infrastructure, creating trusted COTS networks, or trusted zones within existing DAC environments, which may be all that is necessary in some cases.

chaz15

Some kind of serious hardware mitigation of networked computers accessing sensitive information, i.e. computers with outside internet links do NOT have access to sensitive information except perhaps by limited flash drive uploads when ESSENTIAL. You need extra computers for this; those linked outside the internal network are individual computers, NOT networked, with an outside link. E.g. one or two per office, AND users having SEPARATE IDs/passwords to use these computers. Such a system CANNOT be software compromised. Networked computers have no external links. Defense system consultants and military chiefs/military advisers please note!!!!!! Also governments etc. who handle mass sensitive data. OK, there is some inconvenience and cost, but what price sensitive data protection!!!!

reisen55

At a small medical office I support, the doctors wanted internet but secure. So I put in an internet box downstairs and left the two office systems upstairs WITHOUT A CONNECTION TO THE INTERNET SYSTEM at all. Totally safe and secure. And their office staff is smart, takes home nightly offsites too.

ramuvr

"exploited a vulnerability in Microsoft Windows" .. interesting, do they use MS still... I heard that Indian Army never uses MS Products due to such risks, they have created (and run) their own stuff, possibly Linux, Unix based systems..

csmith

It seems to me that the government is always a step behind and/or a patch behind. I am sure they have a contract with MS to get them the latest fixes and patches. I know of one agency still using Novell client 4.14 and Novell is at 4.93. It is hard to keep 100's of thousands of machines up to date but it is IT's job to keep up with them. Also I think that email could be treated through VPN or RDP where internet is not allowed; everyone would have to either VPN or RDP onto a virtual server and only allow email through these methods. This keeps the threat away from the local machine unless you allow the attachment of drives.

Tig2

In June 2007, a network intrusion at the Pentagon resulted in the theft of an “amazing amount” of information. The incident continues to be a national security concern according to Dennis Clem, Office of the Secretary of Defense (OSD) CIO. The OSD detected malicious code in various portions of the network infrastructure during a project to consolidate resources. Over the following two months the code infiltrated multiple systems culminating in an intrusion that exploited a vulnerability in Microsoft Windows. So how do you avoid being the target of malicious attack?

reisen55

The White House has now admitted that it does not have an effective system for storing and preserving emails. This is no mere technicality; it is this failure that led to the likely destruction of over 10 million email. What the White House has not explained is why it abandoned the electronic record-keeping system used by the prior administration, a system that properly preserved White House email, but did not replace it with another effective and appropriate system. ***** Somebody in IT is asleep at the switch at 1600 Pennsylvania.

reisen55

Government and security is a rich motherlode of cash for this horrid firm. Here is a recent contract win. Read this and weep: ***** EL SEGUNDO, Calif., March 17 /PRNewswire-FirstCall/ -- Computer Sciences Corporation (NYSE: CSC - News) announced today that it has won a contract to expand the scope of its SureTrak surveillance system for the Naval Air Systems Command, located in Lexington Park, Md. CSC estimates the value of the five-year contract to be approximately $45 million. This award follows and is incremental to a contract CSC signed with the command in May 2006 ***** And this is just one contract. Look up the relationship between CSC and the IRS sometime.

RU_Trustified

I pitched our product to the CTO of the local branch of CSC a few years ago. His response was that our product would make a customer so secure there would be no follow-on, or additional sales. I guess that is some sort of admission that what they were selling was not. So much for concern for the customer. Unfortunately I received this response several times.

JCitizen

they will never base contracting on performance in Washington; sometimes it just seems like a lost cause. Since McCain seems to be the only one interested in reform; he's our last chance.

dawgit

Lately all I've heard is more of the same, folks. He doesn't want to upset the apple cart, in spite of the rotten ones. Just another turn of the screw. :( -d

gballard

This intrusion discussed in the article did not occur solely because of a vulnerability within Microsoft. However, it occurred because the environment (people, processes, technologies, and organizations) was not operating as an integrated entity. A recipe for success includes a full security model that integrates technical, functional, and cross-agency components. Below, at a high level, are the components that must be in place (and be working in a concerted effort) to ensure a secure environment.

Technical:
- Virtualization
- Defense in depth approach
- predictive monitoring
- Asset and property management
- RBAC
- Patch management
- Intelligent technologies
- physical security
- .... DR/COOP, Configuration Mgmt, Change control

Functional:
- security as a centralized service
- an approach/architecture that "enables the business" -- by streamlining and centralizing; this ultimately will reduce costs and improve an organization's ability to continue to enhance their secure environments
- flexible architecture (no dependence on one technology)
- unified management
- Regular risk and threat assessments
- anti-fraud / anti-cyberterrorism risk and fraud detection models
- Security included at all stages of the systems lifecycle: initial phase to operations to decommissions. Security should not be an afterthought.
- data classification and handling (e.g., controls in place for every piece of data within the environment based on how it is classified -- encryption, unencrypted, etc)
- highly skilled and trained staff
- reduced reliance on single points of failure within business and technical processes
- Communications and awareness: in-depth security training of ALL staff no matter what their roles are; consistent and regular communications
- comprehensive governance/policy and compliance
- Policy enforcement
- workflows

Within a Department / Cross-Department integration:
- executive insight / reporting / dashboards of all security, IT, and business functions
- logical and physical security - seamlessly integrated
- Cooperate and share investigations with other organizations: FBI, CIA, DHS, Secret Service, First Responders, state, localities, homeland allies

wratholix

Perhaps it is a shady deal. Trade of sensitive information. Most of the comments I've read here show that even we have enough of a brain to know how to secure data out of harm's way. But how would one sell/trade sensitive info? Stage a breach and supply the data. Keep reports down to a minimum for the public and throw some sand over it. We always assume our government will do what is best for us. Yet we all know that this world is made of money and power. That never came from doing what is always right.

DanLM

Isn't that called spying? Isn't there a history of governments doing that against other governments throughout the ages? Long before computers? I am inclined to think: 1). It did occur. 2). It was another government that initiated the break-ins. 3). That no matter what government, the weak point is the personnel that use the systems, not who set up the security. In this day and age of my government suspecting your government, and vice versa... I am quite sure that both are actively trying to break into each other's systems, and this was a case of a government succeeding. To gloss it over like you did is naive. Dan

Peconet Tietokoneet-217038187993258194678069903632

http://www.anonymizer.com/consumer/support/ I have this on my networked systems and with no adware/botnets or any nasty programs trying to infiltrate my system. The program makes your system very hard to trace on the internet. Please give it a go.

Neon Samurai

I remember looking at it long ago and figuring it was basically a proxy chain that covered your source IP. These days, I'd probably go Tor if I was going to use such a thing; even the US Mil is using it for soldiers to connect home through, I hear.

Neon Samurai

True though, I've used the Tor-enabled portable Firefox a few times and you can tell you're running through encryption and a randomized web of onion proxies.

catseverywhere

tor is painfully slow, probably all those Australian child porn/bestiality fans clogging it up.

JCitizen

situation! Why didn't I remember that? I don't know, Neon. I think I seriously need a check for Alzheimer's, if they've got one yet!

JCitizen

than the DOD secure networks. The enemy would re-acquire your now insecure information there and monitor it without your knowledge. They don't have enough business history to know if someone couldn't compromise personal information within the data center there, let alone pick up your communications before you get to their server farm. Other than that, it is fine for home surfers. I would think if anyone would have a solution IBM would sooner be a candidate than anyone else except maybe Google.

m4rk.gm4il

I don't believe that incident resulted in theft of an "amazing amount of information"...it was exaggerated. If the Pentagon had a breach in security, the origin might be from the inside. Anyway, to avoid being a target of such a malicious attack I always advise MY clients:
1> The IT security policies must be strictly implemented...
2> The IT security policies constantly reviewed...
3> Log files reviewed every time...
4> I study the details of the previous attack and the possible attacks...
5> I write my own application that will monitor network intrusion based on #4.
6> I write my own application that will monitor behaviors of windows processes or service applications running on windows machine...
7> Then sell that application to clients!
===========================================
No matter how secure your network is, a breach will result if somebody did not do his/her job efficiently!

seanferd

Don't use commercial hardware and software? Gov't specialized Unix? What, no DPI watching their own network connection? The gov't used to have specialized 'everything'. What happened? Any special network that can be attacked from the outside is just stupid. Isolate it.

tungstendiadem

If I were the Pentagon ISS I would have planted a honey pot with an 'amazing amount' of information for potential intruders to steal, while sneakernetting (handcuffed briefcases) vital information across an air barrier and through pat downs and biometric door locks, using the amazing amount of intrusion time to trace and detect intruders so that a course of action could be developed that might involve cruise missiles or a call to SOCOM to schedule a data retrieval 'exercise.'

don.gulledge

As Vista points out, there's not much if anything that can be done that can really protect you. Firewalls, virus software and the like have failed over and over to really protect us. The only way we can protect ourselves is to think in another reality that blocks hackers from getting what they want. Call it Data Dislocation.

You create a master list of data and under it you have subordinate systems that access the master list with PKI, where the PKI manages the access and access rights in the master list. The subordinate system keeps a copy of a pointer to the data in the master list and not a copy of the real data. So, even if the master list is breached, or the subordinate system is breached, the theft would be useless since the two pieces of data have to come together in order to do them any good.

Example: Master list of people with SSNs. Subordinate system: driver's license issuance. The subordinate system doesn't contain the name or the SSN, just pointers to the master list. An embedded object of the driver would be like Driver.Name(pointer), which would translate via a library into (Get name from master list and replace pointer in stream). So, the only time the information of the master list would exist in the subordinate system would be when you browse a list or edit a record or print a product. Otherwise, if a thief hacked it, they'd only get a bunch of pointers stored there.

We have to begin to think in different terms of defense than the traditional ways because no one is really safe. And, the traditional ways have failed. Every time you hear of a breach, the first thing they point out is they weren't up to date with patches, Windows is too insecure, and on and on. But, the reality is that no matter how much of a firewall you have, hackers will find a way around it, i.e. botnets. We need to outsmart them and use the tech that is at hand. I call this Object Data Dislocation or ODD for short.
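The scheme in the comment above is easier to judge with a concrete model in hand. The following is an added example, not the commenter's code: a master list that owns the sensitive fields and a driver's-license subsystem that stores only opaque pointers, with resolution gated by a deny-by-default grant table. The grant table stands in for the PKI the comment mentions, and the person, principal names and records are constructed for the demo.

```python
"""Worked sketch of the "Object Data Dislocation" idea from the comment above:
the subordinate system (driver's-license issuance) holds only opaque pointers,
and the master list resolves a pointer to a real field only for a principal
that has been granted that field.

Added example, not the commenter's code.  A grant table stands in for the PKI
the comment mentions; the person, principals and records are constructed.
"""
import secrets


class MasterList:
    """Holds the sensitive records and enforces who may read which field."""

    def __init__(self):
        self._records = {}  # pointer -> {field: value}
        self._grants = {}   # principal -> set of fields it may resolve

    def register(self, record):
        # Opaque, unguessable handle: the pointer reveals nothing about the record
        ptr = secrets.token_hex(16)
        self._records[ptr] = dict(record)
        return ptr

    def grant(self, principal, fields):
        self._grants.setdefault(principal, set()).update(fields)

    def resolve(self, principal, ptr, field):
        # Deny by default: an unknown principal or an ungranted field is refused
        if field not in self._grants.get(principal, set()):
            raise PermissionError("%s may not read %s" % (principal, field))
        return self._records[ptr][field]


class DriversLicenseSystem:
    """Subordinate system: keeps pointers and license data, never names or SSNs."""

    def __init__(self, master, principal):
        self._master = master
        self._principal = principal
        self.licenses = {}  # license number -> {"person": ptr, "class": str}

    def issue(self, ptr, license_class):
        number = "DL-%04d" % (len(self.licenses) + 1)
        self.licenses[number] = {"person": ptr, "class": license_class}
        return number

    def render(self, number):
        # The only moment the real name exists here: when a product is printed
        rec = self.licenses[number]
        name = self._master.resolve(self._principal, rec["person"], "name")
        return "%s  %s  class %s" % (number, name, rec["class"])


def stored_at_rest(system):
    """What someone copying the subordinate store would obtain."""
    return repr(system.licenses)


def demo():
    """Build both stores and report what each side exposes."""
    master = MasterList()
    # Constructed person; the SSN is a deliberately invalid placeholder
    ptr = master.register({"name": "Ada Example", "ssn": "000-00-0000"})
    master.grant("dl-printer", {"name"})  # may print names, never SSNs
    dl = DriversLicenseSystem(master, "dl-printer")
    number = dl.issue(ptr, "C")
    try:
        master.resolve("dl-printer", ptr, "ssn")
        ssn_blocked = False
    except PermissionError:
        ssn_blocked = True
    return {
        "printed": dl.render(number),
        "at_rest": stored_at_rest(dl),
        "ssn_blocked": ssn_blocked,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print("%s: %s" % (key, value))
```

A copy of the subordinate store yields license numbers, classes and hex handles; the name appears only in the rendered product, and the printer principal cannot resolve the SSN at all. What the model also makes visible is where the risk moves to: the resolver and its grant table become the crown jewels, and whatever renders a record (the process memory, its caches, its logs, a user who saves the output) holds plaintext for as long as the product exists.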

catseverywhere

Great idea. I also think just having more people on the job controlling and monitoring data flow is an overlooked security measure. Everybody is locked in this mindset that you always have to do more with less as time marches on. I never understood an economy that seeks to put ever more people OUT OF WORK as its primary incentive.

Neon Samurai

" The only way we can protect ourselves is to think in another reality that blocks hackers from getting what they want. " I would have chosen not to use Hacker as a pejorative. What Hackers want is to legally explore what they can do with whatever technology captures their interest. Provided they have approval, your system is offering a much more interesting puzzle than a basic network. Semantics aside though, it is an interesting idea. If I understand, and I probably need to read it again first, the idea is basically a variable name that draws the data from an encrypted source as needed. The only holes I can think of on first glance would be capturing the stream, finding residue in RAM or finding residue in cache/swap. Of course it only takes one user dumb/lazy enough to save their query to a local file and you're wide open again. All of that can be mitigated with good coding on the database server and client sides though.

gruch_s

You may want to Google "Titan Rain" and "Shawn Carpenter"

jmgarvin

I mean, honestly, we've been through this song and dance multiple times before, why are we doing it AGAIN? The NSA has helped to develop SELinux for a REASON. Why has the rest of the government not switched to thin clients or Linux/Unix desktops?

RU_Trustified

DOD does recognize that windows brings too many threats, but nobody believes that SELinux is the way to go anymore either due to its excessive complexity and lack of scalability.

jmgarvin

But SELinux is a pretty damn good tool. While there are problems, I think everyone knows that, it is a HUGE step in the right direction. If you don't mind me asking, what product do you sell?

RU_Trustified

No, I think the effort was worthwhile, and it has become better for limited use, but it was really just an experiment to get people thinking about security. It is definitely not suitable for commercial business, or widescale government use, as it is still a windows world out there. My information is from following this aspect of the market for a number of years as I am with a security vendor in this space. Disclaimer: I am actually with a commercial competitor to SELinux. We offer an alternative product that works with all platforms and requires about 2 orders of magnitude less administrative overhead (i.e. labelling) to manage, and converts commercial systems into trusted systems with scalable multilevel security. It is not my intention to de-value SELinux, or the contributions that many people have made to it. It is our contention that SELinux has simply not advanced enough to be considered for wide-scale use. Through design innovations, we are bringing a security sub-system to the table that solves real problems in the government and business world, and is understandable by even non-technical managers.

jmgarvin

The point of the research is so that SELinux isn't so kludgy. SELinux has gotten a LOT better in recent iterations and is far more useful. On the flip side, migrating to SELinux, in the future, will be far easier than it is now. The roadmap has basically said that a GPO type system will be in place where you push the security policy to the clients; you don't have to manually configure every client. Did SELinux rape your sister or what man?

RU_Trustified

Sure NSA and now RH have put millions of dollars and a lot of man-years of work into it, but does that make it a success? SELinux is still too complex, requires too many rules, has too much administrative overhead due to explicit labelling, does not have auditing, and does not scale. An advanced Linux user cannot use it without additional training (an intermediate user can lock himself out of his own system quite easily), and it offers nothing for MS users, it breaks apps, etc. Just read the SELinux user group forums and you will find that people do not want to use it. If they do not want to use it, or can't use it, then what makes it a good choice? The Chinese are hacking in now. So how many decades will it take to migrate 4 million+ computers, administrators and users to SELinux?

JCitizen

based. Of course this doesn't apply to this particular news item; but I would think it would reflect department wide that most of the secure networks are Unix based. Compartmentalization was the theme at that time. In fact some information could only be transferred with disc media; no wire connections except within the internal topology.

pgm554

There are lots of more secure email packages out there, that run on a variety of platforms, but the government has got to use one of the historically most hacked and insecure email systems out there. But hey, it's the government and it's not their money, it's ours. What about those "lost" White House emails? I've consulted for quite a few government entities and am amazed at the lack of skill set and forethought of the management of those departments. They seem to have been more interested in diversity, rather than hiring somebody with the correct skill set. So they bring me in at 2 or 3 times the pay rate to fill in the skill set gaps. In the end, you get what you pay for. Maybe they should outsource to India.

catseverywhere

...unless the skill in question is how to commit treason and not get caught.

pgm554

If your minions are perceived as incompetent, the blame game is easier to play.

seanferd

Lost on purpose, several times. Refused to back up. Destroyed existing backups. Argued that the Administration's e-mail was private, not subject to government regulations like everything else. That particular thing isn't related to lack of skills.

reisen55

The US government outsources much IT support through COMPUTER SCIENCES CORPORATION and from what I saw them do to an insurance company I used to work for --- I am not surprised. Over 200 servers were infected by a rampant worm in 2007. Under the care of CSC. Case closed there. I read that the White House disposes of backup tapes by tossing them out. Not smart. What I do for my accounts:
Secure firewall
Secure anti-spyware, updated always
Secure antivirus, updated always
Minimal access to sensitive data
Encrypted backups
Off-site storage on MY network
Systems with critical data I leave TURNED OFF all of the time unless I am transferring data. My 2 cents.

catseverywhere

I push a few folks' data with rsync over ssh (public key) here to my servers. The biggest risk is from the cats we keep around the office. One difference is my servers are always on, and I isolate at the switch when not transferring. I moved ssh to a non-standard port, which keeps most of the script kiddie dictionary attacks away. The firewall says ssh is closed. Of course a quick nmap will reveal the open port, but it seems to me most of the garbage comes from free download "lookit me I'm a hacker!" software some 14 year old in China has launched at random. Mostly automated, and looking for 22. I bet most of the kiddies don't know what a port is. Now, isn't CSC somebody's nepotist reward? Seems like any contractor that lands goobermint cheese has someone not far removed from some politician at the helm. Airport security at Dulles and at the WTC was run by one of the Bush children. Look at the great job they did.
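The setup catseverywhere describes (rsync over ssh with public-key authentication on a non-standard port) is worth verifying rather than assuming, since a daemon that still accepts passwords on port 2222 is as exposed to a dictionary attack as one on port 22 once a scanner finds it. The following is an added example, not code from the thread or from OpenSSH: it parses an sshd_config (the config text is a constructed sample), reports whether key-only login is actually enforced, and builds the rsync command line that matches the daemon's port. The key path and hosts in the usage call are placeholders.

```python
"""Audit an sshd_config for key-only login and build the matching rsync-over-ssh
command line.  Added example; the sshd_config text is constructed, not from any real host."""
import shlex

# Constructed sample (assumption: OpenSSH "Keyword value" format, '#' comments,
# first occurrence of a keyword wins, as sshd itself behaves).
SAMPLE_SSHD_CONFIG = """
# sshd_config fragment (constructed for this example)
Port 2222
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
AllowUsers backup
"""

# Settings a key-only setup relies on; compared case-insensitively.
EXPECTED = {
    "pubkeyauthentication": "yes",
    "passwordauthentication": "no",
    "challengeresponseauthentication": "no",
    "permitrootlogin": "no",
}


def parse_sshd_config(text):
    """Return {lowercased keyword: value}, keeping only the first occurrence of each."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        settings.setdefault(key, value)
    return settings


def audit_sshd(settings):
    """Return a list of findings; an empty list means key-only login is enforced."""
    findings = []
    for key, want in EXPECTED.items():
        got = settings.get(key)
        if got is None:
            # An unset keyword falls back to the compiled-in default, which for
            # PasswordAuthentication is "yes"; treat silence as a finding.
            findings.append(f"{key} not set explicitly (default applies)")
        elif got.lower() != want:
            findings.append(f"{key} is {got}, expected {want}")
    return findings


def ssh_port(settings):
    """Port the daemon listens on (22 when no Port line is present)."""
    return int(settings.get("port", "22"))


def rsync_command(settings, key_path, src, dest):
    """Build the rsync argv that uses the daemon's port and a specific key.

    -o PasswordAuthentication=no makes the client fail fast rather than fall back
    to a password prompt if the key is rejected.
    """
    remote_shell = (f"ssh -p {ssh_port(settings)} -i {shlex.quote(key_path)} "
                    f"-o PasswordAuthentication=no")
    return ["rsync", "-az", "-e", remote_shell, src, dest]


if __name__ == "__main__":
    cfg = parse_sshd_config(SAMPLE_SSHD_CONFIG)
    for finding in audit_sshd(cfg) or ["key-only login enforced"]:
        print(finding)
    # Placeholder paths/hosts; replace with the real ones.
    print(shlex.join(rsync_command(cfg, "/root/.ssh/backup_key",
                                   "/srv/data/", "backup@backup-host:/backups/")))
```

Run it against a real file by reading `/etc/ssh/sshd_config` into `parse_sshd_config`; any finding in the list is a setting that undermines the "keys only" assumption regardless of which port the daemon uses.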

NickNielsen

All official DoD networks are maintained in-house by the respective services. DoD does run two separate networks, one secured and one not secured. But the biggest security threat is still people. http://news.bbc.co.uk/2/hi/americas/7280460.stm

JCitizen

contracting! Good one reisen55!

reisen55

Need more be said. My experience with CSC: in August of 2004 Aon group signed a $600 million deal with CSC to outsource everything. Infinite procedures and SLA levels followed and everything got rough but not bad because the in-house staff was still there. Within one year, CSC "OVERCHARGED" by $200 million and was almost thrown out. CSC had a ready answer. They threw all in-house staff out. Result: 200 servers infected by a worm, deliverables went out the window (30 days for a new computer, 90 days for a new email address), staff with a previous career, and this is true, as a PIZZA DELIVERY BOY. WOW, TOP TALENT THERE. And IT at Aon has gone straight to hell. Do you think they would do better for any branch of the Government?

NickNielsen

That kind of contract was around for years before I retired. When I stated that DoD does not outsource, the subject was the local networks run by the base communications squadron or post signal company. As of my retirement in 1999, those networks were all run in-house by the various services. That has apparently since changed.

reisen55

I just posted this below but want you to read this too. CSC won a high level bid for security work.... EL SEGUNDO, Calif., March 17 /PRNewswire-FirstCall/ -- Computer Sciences Corporation (NYSE: CSC - News) announced today that it has won a contract to expand the scope of its SureTrak surveillance system for the Naval Air Systems Command, located in Lexington Park, Md. CSC estimates the value of the five-year contract to be approximately $45 million. This award follows and is incremental to a contract CSC signed with the command in May 2006

jmgarvin

For instance you have companies like SAIC providing services and they have outsourced as well...beyond strange really

NickNielsen

If that was your point. Wait, OK, I found it. That's a change. Other than the carrier circuits, which have been contracted for years, base-level networks and intranets were maintained by the owning service. Apparently that has changed. Thanks for the correction.

dawgit

They certainly do. Check the DISA web site. -d

Neon Samurai

I mean, Gov outsourcing of IT gave me a good job for the summer but at least we were closely attached to the base rather than a glorified geek-squad.

binarypc

There are two possibilities here. Run a secondary physical network that is not allowed on the internet. Cost for this could be minimized by utilizing the four unused pairs of wires in the existing infrastructure. As you stand up parts of this network, you validate the security of the new devices coming up on it. You validate its lack of connectivity to the internet before bringing critical/secure data online. If you have to connect these "pod" networks from multiple locations, utilize VPN tunnels with "power-switched" connectivity. Make sure critical data is offline before flipping on the switch. Flip it, validate security, then turn critical/secure data back on for transfers, etc. Turn it (the VPN and hardware allowing its connectivity) off when the connectivity need is complete. Pretty much act like your management of it is like deploying and connecting troops into hot zones. The secondary approach would be to create a VPN tunneled network within the "real" or "honey" network. This network would be composed of Virtual Workstations residing within the "real" networks and then only connecting to the rest of the network via the Virtual Private Network. VM sessions can be protected from attack by not allowing copies to and from, electronic data only; VM sessions can be frozen, encrypted, with no memory stick or CD access, only tunnel access to the "real" network resources.
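The step binarypc puts first, validating that the isolated "pod" network really has no path to the internet before any sensitive data is placed on it, is the one most easily skipped, and a single leftover default route is enough to undo the air gap. The following is an added example, not code from the thread: it parses the text output of `ip route show` (the two route tables below are constructed samples) and reports any route that could carry traffic outside the enclave's allowed address ranges. The enclave prefix 10.20.0.0/16 and the interface names are assumptions for the example.

```python
"""Check a host's routing table for paths out of an isolated enclave.
Added example; the route tables are constructed, not captured from a real host."""
import ipaddress

# Constructed `ip route show` output for a correctly isolated host (assumption:
# iproute2 text format, one route per line).
SAMPLE_ROUTES_ISOLATED = """\
10.20.0.0/24 dev eth1 proto kernel scope link src 10.20.0.5
10.20.1.0/24 via 10.20.0.1 dev eth1
"""

# Constructed output for a host that was never unplugged from the office LAN.
SAMPLE_ROUTES_LEAKY = """\
default via 192.168.1.1 dev eth0
10.20.0.0/24 dev eth1 proto kernel scope link src 10.20.0.5
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50
"""


def parse_routes(text):
    """Return a list of (destination network, next hop or None, device or None)."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        dest = parts[0]
        # "default" is the 0.0.0.0/0 route; bare host entries become /32.
        net = (ipaddress.ip_network("0.0.0.0/0") if dest == "default"
               else ipaddress.ip_network(dest, strict=False))
        via = parts[parts.index("via") + 1] if "via" in parts else None
        dev = parts[parts.index("dev") + 1] if "dev" in parts else None
        routes.append((net, via, dev))
    return routes


def isolation_findings(routes, allowed_nets):
    """Return a finding for every route that reaches outside the allowed enclave nets.

    An empty list means every destination the kernel knows how to reach lies
    inside the enclave, i.e. there is no route (default or otherwise) that could
    carry packets toward the internet.
    """
    allowed = [ipaddress.ip_network(n) for n in allowed_nets]
    findings = []
    for net, via, dev in routes:
        if net.prefixlen == 0:
            findings.append(f"default route via {via} on {dev}: "
                            "host can reach arbitrary addresses")
        elif not any(net.subnet_of(a) for a in allowed):
            findings.append(f"route to {net} on {dev} is outside the enclave")
    return findings


if __name__ == "__main__":
    enclave = ["10.20.0.0/16"]  # assumed enclave prefix
    for label, table in (("isolated", SAMPLE_ROUTES_ISOLATED),
                         ("leaky", SAMPLE_ROUTES_LEAKY)):
        result = isolation_findings(parse_routes(table), enclave)
        print(f"{label}: " + ("OK, no route leaves the enclave" if not result
                             else "; ".join(result)))
```

On a live host, feed `subprocess.run(["ip", "route", "show"], capture_output=True, text=True).stdout` to `parse_routes`. The check only covers the routing table; it should sit beside the physical verification binarypc describes (unplugging the uplink and confirming at the switch), not replace it, since a second interface or a VPN client can add routes after the check has passed.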

Timbo Zimbabwe

"Run a secondary physical network that is not allowed on the internet." It is my understanding that the most sensitive of data is stored (and manipulated) on an encapsulated network. Mind you, this is just my understanding of it as I have not worked on military systems.
