Embarrassing reminders about the South Carolina Department of Revenue (SCDOR) breach continue. The Associated Press reports on testimony in yesterday’s hearing by the state’s House oversight panel:
Revenue has been criticized for not using the state information technology division’s computer monitoring services — which are offered but not required — before the hacking. While the IT division’s monitors weren’t on revenue’s servers, the agency was using the service on the desktop computers that were initially infected after an employee clicked on a phishing email.
Why, you reasonably ask, did the DOR decline the offer of free monitoring services on its systems before the breach? Good question, and I have yet to see an answer to that in the media coverage I’ve read. Nor do I know why – after knowing that they had had 22 computers infected – they decided that they still didn’t need full monitoring of their system. As one consequence of their decision-making, the DOR did not even know it had been breached and only learned of the problem when the Secret Service notified them a month and a half later. And even then, they didn’t deploy full system monitoring for another 10 days.
State IT division director Jim Earley said revenue’s former chief information officer and current computer security chief were told Aug. 13 that malicious codes were being downloaded on 22 computers. Resetting passwords was among the division’s recommendations.
Revenue officials didn’t do that. Earley told legislators he’s unsure if that would’ve prevented the data theft.
And why, you ask, didn’t they just reset their passwords when they knew that 22 computers had been infected and the state’s IT division just recommended they do that? Another fair question for which we have been given no explanation.
Read more on GoUpstate.com while I contemplate my belly button and wonder whether SCDOR would have made different decisions if they risked big salary cuts or jail time for negligent security of the public’s data.
If I were there, the first thing that should have been done was reporting the issue. This is the Department of Revenue. What the hell do you think these hackers were after? Jelly doughnuts?
Ummm, resetting passwords to thwart a malicious code outbreak? It's way too late at that point. They are INSIDE your freakin network already! Once malicious code gets into a system, it's compromised and should NEVER be trusted again. If they own the box, they will probably see these changes, and you think HA! Try getting in now!! And they type in the new password and boom. Your guard is around your ankles once again.
This organization is probably considered a ripe, prime target. These hackers know that eventually, after all the dust settles, there will probably be a way to get back into these systems once again. I am sure organizations are probably marked for a revisit after the Feds leave, or the info is sold to another hacker that is more of a risk taker.
TYPICALLY hacks like this are from outside the USA. So, tell me…why the heck do you have your network – especially a DOR network – communicating with the rest of the world? Put your important stuff on a network that does not allow ANY communication outside the USA. Period. No inbound or outbound comms. Maybe have a few computers on a small LAN that communicate with the entire world if that is important.
One thing that should be done is to buy a ton of new hard drives and find a good, stable, clean load. Plan to redo all the workstations. On that new load, change all default passwords and ensure Antivirus, Anti-Spam and a software firewall are enabled and updated. All users should have MINIMUM privileges, enough to perform their duties.
Malicious code is bad news. If your antivirus, Network Intrusion Protection System (NIPS) and other security controls that should have been protecting the network failed – you better scramble, because this particular event may not be the last. What other very severe issues exist? I would HIGHLY HIGHLY suggest looking over your vulnerability to SQL injection attacks, as that is another area that could be used against them as well.
Malicious code that is typically loaded up on machines is only one step of the process. These compromised machines can contact other networked machines and try to infect them as well. Some of the infected machines may have additional issues like rootkits and other foul code on the machines, and these are extremely difficult to find.
A stereotypical malware set can infest a computer. From there it can be updated – which is scary, because the hackers have a way in again without fighting their way back in. These computers can initiate the call home, and most networks allow connections to be opened from the inside out, and these connections may have been ignored.
From there, the reason all of these computers are infected is, I would have to say, because they are NOT adequately patched. A malware signature can do a lot of data calls on a network, scanning the network and looking for certain vulnerabilities on the network. Once a computer is found with that specific vulnerability, the malware on an already compromised system will then try to infect this newly found victim. These machines can become Distributed Denial of Service (DDoS) zombies, or have sniffers, or other software that can record the keystrokes of these infected machines. Usernames and passwords, sensitive email and other conditions could have easily been sent to the hackers on the other end.
Not only that, depending on the severity of the malware type, some of these may have used the email system to send out additional bogus emails and try to infect others. IF they have PKI – and use it – the malware could have the possibility to steal sensitive information and files.
If the IT Department thinks it can simply scan with a typical commercial-grade AV and find all the issues on them, I would have to say they probably will not. I wouldn't trust the hard drives, or the user accounts and passwords of any account – including any system-generated password accounts.
I sense that this is a huge mess. The only way to get through all of this safely is to bring in a highly trained team to get them through all of this. Miss one thing and the potential for re-infection is very real.
The BIGGEST thing to do is look at a compromised machine and scan it OFFLINE with a vulnerability scanner. Compare these results with the other systems on your network. I bet many of the computers are in the same sorry state as those that were infected.
The problem with NOT accepting the freebies described above shows either reluctance to comply, possibly due to the then-unknown condition of the network. To add a third-party monitoring service into your network means that someone outside the building(s) will be able to potentially find issues that might otherwise go unreported.
Former CIO? Good. They are, after all, responsible for what happens within the network. All I can say is that the more you dig in these situations, the more you will find underqualified staff, or the minority of the good, hard-working staff will throw their arms up in the air and leave or just not care anymore.
Geezuz. I will shake my head for days on this one.
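As an added example (not from the original post, the AP report, or the commenter), a small Python check for the "call home" pattern the comment describes: outbound connections from one internal host to one destination recurring at a near-constant interval, the kind of inside-out connection that goes ignored without monitoring. The log format, hosts and timestamps are constructed for illustration and are not SCDOR data.

```python
"""Flag internal hosts whose outbound connections to one destination beacon at a
near-fixed interval. Added example; the log format and addresses are constructed."""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed egress-firewall log lines: "<timestamp> ALLOW <src> -> <dst>:<port>".
# 10.1.5.22 checks in with 203.0.113.9 roughly every 10 minutes (beacon);
# 10.1.5.23 browses 198.51.100.20 at irregular, human-looking times.
SAMPLE_LOG = """\
2012-08-13 09:00:02 ALLOW 10.1.5.22 -> 203.0.113.9:443
2012-08-13 09:10:05 ALLOW 10.1.5.22 -> 203.0.113.9:443
2012-08-13 09:03:40 ALLOW 10.1.5.23 -> 198.51.100.20:80
2012-08-13 09:20:01 ALLOW 10.1.5.22 -> 203.0.113.9:443
2012-08-13 09:31:17 ALLOW 10.1.5.23 -> 198.51.100.20:80
2012-08-13 09:29:58 ALLOW 10.1.5.22 -> 203.0.113.9:443
2012-08-13 09:40:03 ALLOW 10.1.5.22 -> 203.0.113.9:443
2012-08-13 09:35:00 ALLOW 10.1.5.23 -> 198.51.100.20:80
2012-08-13 10:42:09 ALLOW 10.1.5.23 -> 198.51.100.20:80
""".splitlines()

LOG_RE = re.compile(r"^(\S+ \S+) ALLOW (\d+\.\d+\.\d+\.\d+) -> (\d+\.\d+\.\d+\.\d+):(\d+)$")


def parse(lines):
    """Group connection timestamps by (src, dst, port); malformed lines are skipped."""
    flows = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        flows[(m.group(2), m.group(3), int(m.group(4)))].append(ts)
    return flows


def find_beacons(lines, min_hits=4, max_jitter=0.2):
    """Return (src, dst, port, interval_seconds) for flows seen at least min_hits
    times whose gaps vary by no more than max_jitter (coefficient of variation)."""
    hits = []
    for (src, dst, port), stamps in parse(lines).items():
        stamps.sort()
        if len(stamps) < min_hits:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter:
            hits.append((src, dst, port, round(mean)))
    return hits
```

Real beacons add random jitter and sleep, so in practice the thresholds are tuned against a baseline of normal traffic and the hits are reviewed, not blocked blindly.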