http://federaltimes.com/index.php?S=2323081

By DANIEL FRIEDMAN
October 31, 2006

WILLIAMSBURG, Va. From the Chinese government to homegrown hackers, groups are increasingly targeting agencies' networks, data security experts claim.

"The Chinese are in half of your agencies' systems," Alan Paller, research director of the SANS Institute, told attendees Oct. 30 at the Executive Leadership Conference, which is held here by the American Council for Technology and the Industry Advisory Council.

Paller cited 2005 reports that hackers using servers in China stole designs for an aviation mission-planning system for Army helicopters, and, on one night in 2004, found vulnerabilities in computers at the Defense Information Systems Agency, the Naval Ocean Systems Center in San Diego, the Army Information Systems Engineering Command at Fort Huachuca, Ariz., and the Army Space and Strategic Defense Installation in Huntsville, Ala. Paller said officials believe the attacks were sponsored by the Chinese government.

And the problem extends to civilian agencies, he argued. The State Department said last July that hackers in China had broken into its computers in Washington and abroad. The Washington Post reported Oct. 6 that Chinese-based attackers in search of information had forced the Commerce Department's Bureau of Industry and Security, which regulates the export of dual-use technology to states including China, to shut down Internet access for more than a month. The bureau also replaced hundreds of computers.

"It has become clear that Internet access in itself is a vulnerability that we cannot mitigate," Acting Undersecretary of Commerce Mark Foulon said at the time.

Paller argued that many information security metrics established by the Federal Information Security Management Act do not measure how well agencies protect data.

Agencies must report the number of systems for which they complete reports on security vulnerabilities, but most reports are written by consultants and never read by top managers, Paller said. Agencies are also required to count the number of officials who complete security awareness training, but do not have to measure what skills they acquired, he said, citing an example where trained employees fell for phishing exercises.

Phishing involves e-mails, often apparently forwarded by co-workers, which invite employees to click on links to download security patches supposedly from companies like Microsoft. Such e-mails often originate from hackers seeking sensitive data.

A better metric is used by New York State, which continually tests how many employees are fooled by phishing attempts, Paller said. "Give the boss that data and see how fast behavior changes," he said.

Other officials at the conference recommended assigning responsibility for data security not just to information technology officials but to managers of divisions where data could be stolen.

Steve Malphrus, staff director for management at the Federal Reserve's Board of Governors, said that a culture of risk management at the Fed means managers are accountable for risks in their department.

"Managing risk cannot be an afterthought," Malphrus said. "IT has to be an important part of managing the enterprise. It's the manager's responsibility. If they make a mistake, they take a salary hit."

Officials said data can also be vulnerable at the personal level. Individuals can intentionally or accidentally give away sensitive information. For that reason, agencies should consider prohibiting access to Web sites like MySpace.com and to blogs, said Secret Service Special Agent Kyo Dolan.