Cyber security demands real answers — Another View

[Audrey McNeil <audrey () riskbasedsecurity com>]

http://www.thetowntalk.com/story/opinion/2015/07/11/cyber-security-demands-real-answers-another-view/29999479/

The Internet era is giving way to the age of cyber vulnerability.

The long list of private companies that have been patsies for hackers
includes Target, Home Depot and most recently health insurer Anthem, which
exposed the records of a breathtaking 80 million of its customers and
employees. Though hackers didn't seem to be the cause Wednesday, there were
serious computer problems at United Airlines, the New York Stock Exchange
and The Wall Street Journal.

As infuriating as it is when business computer systems crash, or when
credit card data are stolen, attacks on the government are far more serious
because they threaten national security. Witness the epic theft of
sensitive data from computers at the Office of Personnel Management, the
government's human resources department.

Hackers, whom government officials have linked to China, broke into
computers at OPM and stayed there undetected for months, downloading vast
amounts of information on millions of current and former federal employees.
The hackers took millions of the forms used by people to disclose intimate
details of their lives for national security clearances. The information
could be used to unmask covert agents or to blackmail Americans into spying
for an enemy.

Michael Hayden, the former head of the NSA and the CIA, told The Wall
Street Journal that the embarrassing theft was "a tremendously big deal."
How did it happen? "Raw incompetence," he said.

That sounds about right.

Last fall, OPM's inspector general detailed numerous longstanding flaws in
the agency's computer security systems. An analysis by the tech site Ars
Technica said the break-in probably began as a phishing email, which
typically tries to get an employee to click on a link or open an attachment
that then secretly installs malware.

That let the hackers in, and eventually they had the run of OPM's
computers. Government computers are guarded by a system called "Einstein"
that sadly doesn't seem as smart as its namesake: It looks for suspicious
network activity based largely on known attacks, but isn't skilled at
identifying new ones.

If the government isn't going to play offense — or isn't going to publicize
it if it does — it's going to have to get much better at defense. This
situation simply cannot continue.

Whether it's the rollout of the Obamacare website or these attacks on an
unforgivably vulnerable computer system, the administration seems to need a
disaster before it wakes up and gets technology right. It certainly has
another one on its hands now.

_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 

Supporters:

Risk Based Security (http://www.riskbasedsecurity.com/)
YourCISO is an affordable SaaS solution that provides a comprehensive information security program that ensures focus 
on the right security.  If you need security help or want to provide real risk reduction for your clients contact us!