BreachExchange mailing list archives

Cyberattackers breach USPS security, but what were they after?


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 14 Nov 2014 13:29:03 -0700

http://searchcio.techtarget.com/news/2240234734/Cyberattackers-breach-USPS-security-but-what-were-they-after

Another federal agency has been the target of cybercrime. Just a couple of
weeks after it was revealed the White House's unclassified computer
networks were breached, the United States Postal Service (USPS) announced
Monday that cyberattackers had stolen data on all its 800,000-plus
employees, including their names, addresses and Social Security numbers.

The USPS security breach was discovered in September, officials said, and
though they didn't confirm a perpetrator, many security experts speculate
that Chinese hackers were responsible because the hack's signature was
similar to recent breaches connected to the Chinese government.

What's noteworthy about this attack is that it's unclear what the thieves
were after. The USPS doesn't handle classified government information, nor
is the stolen employee data as obviously marketable as the credit card
information purloined from retail giants such as Target and Home Depot
(which this week disclosed further information on its massive cybertheft).

"It's an unfortunate fact of life these days that every organization
connected to the Internet is a constant target for cyberintrusion activity.
The United States Postal Service is no different," said Postmaster General
Patrick Donahoe in a statement. In other words, you exist, therefore you're
vulnerable.

If everyone is vulnerable, what are businesses to do?

According to a panel of experts at the recent Advanced Cyber Security
Center Conference in Boston, instead of trying to predict if and when
you'll get hit and what form that cyberattack is likely to take, plan for
left of boom. The military term, coined by The Washington Post's Rick
Atkinson, refers to the moment before a bomb explodes. Applied to
cybersecurity, it refers to how well your organization is prepared just
before the "boom," or cyberattack, to ideally prevent it from happening --
or at the minimum, contain the damage.

State Street Corp. CIO Christopher Perretta, part of a diverse panel of
experts, offered his thoughts on what constitutes a left-of-boom defense.

For starters, many companies today have heterogeneous infrastructures --
the new stuff that is fairly resilient and the old stuff that you worry
about, Perretta said.

"It's about owning that entire response," he said.

In addition, cybersecurity is not about checking the compliance box. It is
about having a full-fledged, disciplined risk strategy that recognizes
residual risk, the portion of risk left after all that can be done is done,
Perretta said.

This starts with understanding that low-probability, high-risk events can
happen, that these risks have large implications, and that resources
proportionate with those risk levels need to be applied. The governance
mechanisms organizations have in place will be the difference between being
able to handle residual risk and being undone by it.

Another piece of advice? CIOs must think of themselves as stewards of the
company's business operations, not just the service providers for those
business operations.

Sometimes this involves hard decisions, such as shutting down a
transaction, regardless of what's on the other end, if there's anything
suspicious at play, Perretta said. "It's a debate that says, 'What are the
things I'm willing to seriously disrupt my business to protect?' It's an
exercise that typically happens in disaster recovery, but should happen day
to day," he said.

The bottom line is to think of security not just as an IT responsibility,
but something that transcends tools and processes and is built into the
fabric of the organization, he said. That's easier said than done, though.

"Changing the way people think about the business is much harder than the
technology changes that we do."
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
