BreachExchange mailing list archives

State Says it Needs to Rebuild Classified Computer Networks after Hack


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 10 Mar 2015 19:07:24 -0600

http://www.nextgov.com/cybersecurity/2015/03/state-rebuild-classified-computer-networks-after-hack/107157/

The State Department says it needs to reconstruct its classified computer
systems after suffering a hack the agency has said only affected its
unclassified networks.

This detail, buried in a 2016 funding request document, combined with
State’s failing data protection grades on a recent governmentwide report
card, paints a picture of an agency ripe for another attack, security
experts say.

"I assume (and hope) that emails sent between the President and Secretary
of State are heavily encrypted and never touch the public Internet,"
Christopher Soghoian, principal technologist for the American Civil
Liberties Union, tweeted Monday.

That might not be the case. Zero percent of State's email was sent via
systems configured to encrypt messages -- or encode the contents so they are
unreadable if intercepted, according to the White House's annual report to
Congress on agency information security. The messages were all sent in
clear text.

It’s unclear what kind of data protections former State Secretary Hillary
Clinton had in place when she emailed President Barack Obama from her
homemade email system.

State has asked Congress for $10 million to support "the necessary
re-architecting of the classified and unclassified networks” at the
department, according to current Secretary of State John Kerry's budget
justification. The budget request also proposes spending $17.3 million on
"architecture services." The overhaul will establish new security controls
and help reduce "known security vulnerabilities."

One weakness in all department systems is the absence of two-step identity
verification, according to the cyber score-sheet. Under a 2004 presidential
directive, all agency login screens must require users to enter passwords
and a second credential, like a smart card, for access. The 2016 budget
states State is aiming to establish the two-step process by 2018.

On Tuesday, State declined to comment on the extent of the reconstruction
of its classified and unclassified information technology systems.

Coming enhancements “will add additional protections and provide IT
modernization to meet industry best practices,” a department official said
in an email. State is remodeling the classified networks now because the
agency “continually looks for ways of modernizing our infrastructure to
better protect its data,” the official said.

"I think that it’s fair to say that State doesn’t have reliable security
practices, if it was at zero percent” for encryption and two-factor
identification, said David Brumley, a Carnegie Mellon University computer
engineering professor.

"A lot of the times when things are compromised, it’s not because there
wasn’t already a technology solution out there -- it was because there
weren't enough people to support the technical solution" or teach employees
to follow security rules in a way that doesn't interrupt their jobs, he
added. "My guess is that that is where a lot of the money is going.”

State also plans to install more barriers between business-sensitive data
and other types of information, so hackers who prop open the door to one
system can't push their way into higher-value systems. The $10 million in
part would go toward completing "a private cloud infrastructure" designed
to create secure enclaves that would add "perimeters around business
critical applications and data," the justification states.

The Doomsday Scenario

One of the stumbling blocks in trying to recover from a network attack is
trust. What hardware and software is safe? Uncertainty about the presence
of malware in devices makes organizations consider rebuilding from top to
bottom, which is "the doomsday scenario," said John Dickson, an information
security analyst and former U.S. Air Force intelligence officer.

"What we understand happened at Sony is they ended up just starting over,
with getting new servers and new devices because they simply could not
trust the hardware that they had at a certain point," said Dickson,
comparing State’s 2016 budget explanation to a breach at the entertainment
giant that aired Hollywood's dirty laundry and sensitive personal
information on employees.

As previously reported, State replaced some 30,000 keychain login fobs
after the penetration of its unclassified email system last fall, which
happened at the same time the White House was hacked. It’s uncertain what
the original or replacement credentials grant access to.

Some computer science experts say the IT do-over reflects a realization
that State’s past security investments might not be enough to prevent
another intrusion.

"It may very well be the case that there are some things that they don’t
trust anymore because they are compromised and they want to replace them,
but my guess is that they have just devoted insufficient funds to
protection previously, because it was compromised," said Brumley, who also
heads cyber startup ForAllSecure. "A lot of the security expense is in the
people and the training. If they already have bad practices and grades, you
know, getting rid of those."

Purchasing new devices is not that costly, but arranging the proper
technical support so people actually use it is, he said.

The Fake “KerryJF () state gov”

Right now, State is incapable of "digitally signing" outgoing email to
citizens and colleagues, the cyber score sheet found.

This means anyone might be able to "spoof," or forge, an official "@state.gov"
sender address to fool people into thinking they are being contacted by a
legitimate high-ranking official: without a signature on the message, a
recipient has no cryptographic way to tell a forged From: address from a real one.

In theory, an email purportedly from Kerry at "KerryJF () state gov” that asks
a staffer to send him an internal PowerPoint presentation on Iran actually
might be from a foreign cyberspy.
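The forgery scenario described above, as an added illustration that is not part of the article or of any government system: a simplified receiver-side check in the style of DMARC, written in Python. It assumes that the score sheet's "digital signing" refers to DKIM signatures backed by a published DMARC policy (the article does not say which mechanism was measured), and every domain, DNS record and message result in it is constructed for the example, not real state.gov data.

```python
# Added example (not from the article): a simplified DMARC-style check showing
# why mail from a domain that does not sign its messages can be forged. Domains,
# DNS records and message results below are constructed for illustration.
from dataclasses import dataclass
from typing import Optional


@dataclass
class AuthResult:
    """What a receiving mail server knows about one message after SPF/DKIM."""
    from_domain: str    # domain in the RFC 5322 From: header the user sees
    spf_result: str     # "pass", "fail" or "none"
    spf_domain: str     # domain SPF actually authenticated (envelope MAIL FROM)
    dkim_result: str    # "pass", "fail" or "none"
    dkim_domain: str    # d= tag of a passing DKIM signature, "" if none


# Constructed stand-in for DNS TXT lookups at _dmarc.<domain>.
CONSTRUCTED_DNS_TXT = {
    # Publishes no policy: nothing tells receivers how to treat unsigned mail.
    "_dmarc.unprotected.example": None,
    # Signs its mail and asks receivers to reject anything that is not aligned.
    "_dmarc.protected.example": "v=DMARC1; p=reject; adkim=s; aspf=s",
}


def lookup_dmarc(domain: str) -> Optional[str]:
    return CONSTRUCTED_DNS_TXT.get("_dmarc." + domain.lower())


def parse_dmarc(record: Optional[str]) -> Optional[dict]:
    """Parse 'v=DMARC1; p=reject; ...' into tags; None if not a DMARC record."""
    if not record:
        return None
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return None
    tags.setdefault("adkim", "r")   # relaxed alignment is the RFC 7489 default
    tags.setdefault("aspf", "r")
    return tags


def org_domain(domain: str) -> str:
    # Simplification: last two labels. Real receivers use the Public Suffix List.
    return ".".join(domain.lower().split(".")[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict ('s') needs an exact match; relaxed ('r') the same org domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def evaluate(msg: AuthResult, record: Optional[str]) -> tuple:
    """Return (disposition, reason): 'pass', 'none', 'quarantine' or 'reject'."""
    policy = parse_dmarc(record)
    if policy is None:
        return ("none", "no DMARC policy: a forged From: header is simply accepted")
    dkim_ok = (msg.dkim_result == "pass"
               and aligned(msg.from_domain, msg.dkim_domain, policy["adkim"]))
    spf_ok = (msg.spf_result == "pass"
              and aligned(msg.from_domain, msg.spf_domain, policy["aspf"]))
    if dkim_ok or spf_ok:
        return ("pass", "an aligned DKIM or SPF result vouches for the From: domain")
    return (policy["p"], "no aligned authentication; applying policy p=" + policy["p"])


# Constructed messages. The attacker relays through a server they control, so
# SPF passes for the attacker's own envelope domain, but nothing authenticates
# the From: header the staffer sees.
SPOOF_UNPROTECTED = AuthResult("unprotected.example", "pass", "badactor.example", "none", "")
SPOOF_PROTECTED = AuthResult("protected.example", "pass", "badactor.example", "none", "")
# Constructed legitimate message, DKIM-signed by the From: domain itself.
LEGIT_PROTECTED = AuthResult("protected.example", "pass", "protected.example",
                             "pass", "protected.example")


def demo() -> dict:
    """Disposition for each constructed message under its domain's policy."""
    cases = [("spoof_unprotected", SPOOF_UNPROTECTED),
             ("spoof_protected", SPOOF_PROTECTED),
             ("legit_protected", LEGIT_PROTECTED)]
    return {name: evaluate(msg, lookup_dmarc(msg.from_domain))[0] for name, msg in cases}


if __name__ == "__main__":
    for name, disposition in demo().items():
        print(f"{name}: {disposition}")
```

Run stand-alone, the forged message aimed at the domain with no policy comes back `none`: the receiver has nothing to check against and delivers it. The same forged message aimed at the domain that signs its mail and publishes p=reject comes back `reject`, while the genuinely signed message passes. Real receivers also consult the Public Suffix List and the `sp` and `pct` tags and send aggregate reports, all of which this toy omits.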

"Clinton’s own staff had been targeted with such highly targeted 'spear
phishing' emails as early as 2009, the year she took office," Shane Harris
writes in the Daily Beast.

Some reformed black hat hackers say it goes without saying that any system
-- government or personal -- is vulnerable without multistep ID checks.

"Without these protections, it only takes one successful malware or
phishing attack," said Jennifer Emick, a former member of the hacktivist
group Anonymous who now works as an independent security researcher. "I
wouldn't think it would be easy" to crack a secretary of state's state.gov
account, "but a suitably determined intruder isn't going to find the task
insurmountable."
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 