Sunday, August 9, 2015

CIS 608/301 – Week 9 Blog Post: Pentagon Email Hacked

The Pentagon was the target of a recent and successful breach of the Joint Chiefs of Staff email system. The attack occurred sometime around July 25th, and the email system, which serves over 4,000 personnel, has been down since that time (Vanden Brook & Winter, 2015). The attack vector used to penetrate the network was spear-phishing, and officials noted that the intrusion exploited a new vulnerability that had not been seen before. Based on this, officials believe that a state actor was involved in the breach. The Pentagon and other federal agencies have been under sustained attack from suspected state-sponsored actors, with the most recent prior breach, at the Office of Personnel Management (OPM), resulting in the compromise of information on an estimated 22 million people. 
For this most recent attack, officials are pointing to Russia based on the nature of the attack, which does not appear to be in line with suspected Chinese attack behavior. The attack employed an automated system that gathered a massive amount of data within a minute and distributed it to thousands of accounts across the Internet, with the operation coordinated through encrypted social media accounts. This would not be Russia's first venture into federal email systems, as Russia is also suspected of a breach at the State Department in October 2014. While no classified information is suspected to have been compromised, since the system was unclassified, a great deal of sensitive information was likely exposed, including the president's personal schedule. 
Spear phishing has been on the rise in the past few years across all organizations, and nearly two thirds of cyber-espionage incidents have involved spear phishing (Verizon, 2015). Also, as noted above, the government appears well aware of the intent of multiple state actors to breach federal organizations and compromise information. The federal government took only a couple of weeks to attribute this latest attack to Russia, though of course there is rarely a smoking gun in cases such as this. The government is also taking very specific steps to remedy this massive breach, including scrubbing the entire system, revamping part of the system, creating mock hacking scenarios, performing red team evaluations, conducting training for all personnel and distributing information across the federal government (Youssef, 2015).
Given the response actions taken and the short time-frame involved, the government appears to have a very good idea of how it will be attacked and how to prepare for and respond to such attacks. What this does not explain is why, with such a firm understanding of the adversary and the types of attacks involved, these attacks continue to be so successful and continue to result in massive breaches of federal organizations. Each organization in the federal government is charged with the proper use of precious and scarce resources, and these continuing failures indicate this is not happening. Hopefully the government will take a very hard look at the continuing causes of these failures and begin to hold organizations accountable for them. The organizations will likely respond that they do not have the resources necessary to protect their systems. However, cyber security is part of the mission of every organization, and any organization that cannot execute its mission should be held accountable and either shut down or have its mission transferred to another organization within the federal government that can execute it. Only with accountability will these organizations begin to take cyber security seriously and work to implement what they apparently already know.

Works Cited

Vanden Brook, T., & Winter, M. (2015, August 7). Hackers penetrated Pentagon email. Retrieved August 7, 2015, from usatoday.com: http://www.usatoday.com/story/news/nation/2015/08/06/russia-reportedly-hacks-pentagon-email-system/31228625/
Verizon. (2015). 2015 Data Breach Investigations Report. Retrieved August 7, 2015, from cyberactive.bellevue.edu: https://cyberactive.bellevue.edu/bbcswebdav/pid-7308760-dt-content-rid-9574545_2/courses/CIS608-T301_2157_1/CIS608-T301_2157_1_ImportedContent_20150529052136/Verizon-DBIR-2015.pdf
Youssef, N. A. (2015, August 5). Pentagon Hack ‘Most Sophisticated’ Ever. Retrieved August 7, 2015, from thedailybeast.com: http://www.thedailybeast.com/cheats/2015/08/05/joint-chiefs-of-staff-hacked.html


Sunday, August 2, 2015

CIS 608/301 – Week 8 Blog Post: The New NIST 1800 Series

The National Institute of Standards and Technology (NIST) recently announced a new series of Special Publications, to be known as the 1800 series, in addition to the existing 800 and 500 series. NIST is charged with developing security standards for the federal government, a role that was further bolstered by passage of FISMA (NIST, 2015). This new line of special publications is in line with that mission and should further enhance NIST's ability to provide sound guidance to the federal government. The stated purpose of the new series is to complement the SP 800 documents, target specific cyber security challenges and facilitate adoption of standards-based approaches to cyber security. The current draft is actually a set of documents, 1800-1a through 1800-1e (NIST, 2015), consisting of a summary, an architecture description, a how-to guide for security engineers, a standards and controls mapping, and a risk assessment document.

The draft 1800-1 series is focused on securing health records on mobile devices but goes beyond what the related SP 800-66, "An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule," provides. While a beneficial guide, 800-66 is a standards-based document that intentionally leaves a lot of details out. 1800-1, however, includes a significant amount of detail for cyber security professionals and management alike. As stated, the 1800 series seeks to aid in implementation of the 800 series, and this first set of documents appears to do just that. The 1800-1 documents provide specific examples of implementing a method for securing health records on mobile devices, something that has been missing for some time for those trying to implement NIST guides. Another example of detailed configuration guidance is the Department of Defense Security Technical Implementation Guides (STIGs), which provide detailed configurations for securing many types of information systems as well as guidance on implementing the associated policies and related documentation.

This new series is a welcome addition to the NIST publication line. Even in draft form, this first document shows that NIST is right on point in providing the details that will aid anyone implementing NIST guidelines. While 1800-1 is only a draft and is the only document, or set of documents as previously noted, released thus far, there are numerous other areas of interest to the community, and hopefully we will not have to wait too long before these are addressed in the new 1800 series.

Works Cited

NIST. (2015, July 28). DRAFT Securing Electronic Health Records on Mobile Devices. Retrieved August 1, 2015, from csrc.nist.gov: http://csrc.nist.gov/publications/PubsDrafts.html#SP-1800-1
NIST. (2015). Federal Information Security Management Act (FISMA) Implementation Project. Retrieved August 1, 2015, from nist.gov: http://www.nist.gov/itl/csd/soi/fisma.cfm