In June 2007, a network intrusion at the Pentagon resulted in the theft of an "amazing amount" of information. The incident continues to be a national security concern according to Dennis Clem, Office of the Secretary of Defense (OSD) CIO.
The OSD detected malicious code in various portions of the network infrastructure during a project to consolidate resources. Over the following two months, the code infiltrated multiple systems, culminating in an intrusion that exploited a vulnerability in Microsoft Windows.
Through the attack, spoofed e-mail messages bearing recognizable names were sent to OSD employees. Because the messages appeared safe, employees opened them, which allowed user IDs and passwords to be stolen. As a result, sensitive data housed on Defense systems was accessed, copied, and sent to the intruder.
"This was a very bad day," said Clem during a panel discussion at the Information Processing Interagency Conference Tuesday. The breach continues to pose a threat, he added. "We don't know when they'll use the information they stole, [which was] an amazing amount, [including] processes and procedures that will be valuable to adversaries."
Clem didn't give any indication that the source of the attack was identified, nor did he provide details about what data was accessed. He noted that the network used by the office of John Grimes, Defense CIO and assistant secretary of networks and information infrastructure, is maintained separately, and therefore was not compromised.
"They used every tool they could against us," Clem said at the Information Processing Interagency Conference. While Clem did not identify the source of the code, later reports identified it as most likely coming from the Chinese government.
From FCW.com (Federal Computer Worker):
It was a judgment call on Clem's part to block only part of the network that handles the e-mail system. He had staff advising him to shut down the whole network.
"It was a huge gamble," he said, adding that the security operations center had in place an effective scanning tool which supported his view that the intrusion had not yet spread throughout the network. But his next step would have been to shut down all of the office's network, Clem said.
The Pentagon manages around 70,000 illegal-entry attempts daily that range from small innocuous probes to full-blown attack attempts. Attackers know, often within minutes, when a new server or new software is introduced.
Also from FCW.com:
Besides disconnecting part of the network, Clem took several actions that mitigated the damage. He proceeded systematically through the processes and procedures. He used a utility to check user identifications and required the regular use of smart cards, which provide two-factor authentication. He implemented digital signatures to protect against spoofed e-mail. He recorded all his activities and communications during the response period.
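The spoofed messages described above paired a familiar name with an address that did not belong to that person. The following is an added example, not code from the article or from any OSD tool, of a mail-gateway check for that pattern; the domain, the employee directory and the sample messages are constructed for illustration.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed sample data (hypothetical, not from the article): the
# organisation's mail domain and a directory of employee display names.
INTERNAL_DOMAIN = "example.mil"
DIRECTORY = {
    "jane doe": "jane.doe@example.mil",
    "john smith": "john.smith@example.mil",
}

def check_sender(raw_message: str) -> list[str]:
    """Return findings for one RFC 5322 message; an empty list means no issue.

    Flags the pattern the article describes: a recognisable employee name in
    the From: display name, paired with an address that is not that person's.
    Also flags a Reply-To that silently redirects replies off the domain.
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    name, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    findings = []
    expected = DIRECTORY.get(name.strip().lower())
    if expected and addr != expected:
        findings.append(f"From display name '{name}' does not belong to <{addr}>")
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    reply_to = reply_to.lower()
    if reply_to and reply_to != addr and not reply_to.endswith("@" + INTERNAL_DOMAIN):
        findings.append(f"Reply-To <{reply_to}> redirects replies off {INTERNAL_DOMAIN}")
    return findings

# Constructed sample messages for a stand-alone run.
SPOOFED = (
    "From: John Smith <jsmith.osd@mail.example.net>\n"
    "To: jane.doe@example.mil\n"
    "Subject: Updated procedures\n\n"
    "Please log in to review.\n"
)
LEGIT = (
    "From: John Smith <john.smith@example.mil>\n"
    "To: jane.doe@example.mil\n"
    "Subject: Lunch\n\n"
    "Noon?\n"
)

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(label, check_sender(raw) or ["ok"])
```

A check like this only catches name-address mismatches; it complements, rather than replaces, the digital signatures and two-factor authentication Clem describes.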
Information technology security has to be comprehensive to be effective. "You have to close every possible door that can be opened," Clem said, but cautioned, "Even the best intrusion detection program can't stop all of them."
The information provided by Dennis Clem in this presentation tells us a few things. It tells us that the government tried hard to avoid the hack but was met with a determined foe. It tells us that the government was taking steps to improve its situation even while being attacked. It tells us that while the government employs some pretty bright people, anyone can be vulnerable. And the government is a target.
What is the right approach? What would you have done differently to mitigate an attack in progress? What steps does your company take to avoid a breach?