The recently reported cyber security breach at the Department of Energy's (DOE) National Nuclear Security Administration (NNSA) is another example of a disturbing trend of cyber attacks against government agencies and contractors. This particular attack is troubling not only because it succeeded in stealing the identities of 1,502 NNSA employees and contractors, but also because of the apparent ease with which the attackers circumvented DOE cyber security barriers.
Proponents of the DOE's cyber security efforts point out that the department spends approximately $140 million a year on cyber security. It is also worth noting that the department was running intrusion detection systems and firewalls at the time of the attack. However, as this successful attack demonstrates, static perimeter defenses rarely stop a determined attacker.
Critics of the Department of Energy's cyber security posture point out that last year a DOE "red team" of penetration testers successfully gained control of a DOE computer system. According to Glenn Podonsky, director of DOE Security and Safety Performance Assessment, "we were able to get passwords, go from one account to another." Moreover, Podonsky continued by noting, "we had access to sensitive data including financial and personal data ... we basically had domain control." While it is unclear how the red team gained control of the DOE system, this penetration test demonstrates that attackers need to exploit only a single vulnerability in the perimeter defense to gain entry onto a sensitive network. Once inside, the attackers are able to roam the network as a trusted user in search of sensitive and valuable data.
Unfortunately, as the "red team" demonstrated and the hackers' attack later confirmed, comprehensive security requires more than just intrusion detection systems and firewalls. In this theft of NNSA employees' and contractors' identities, the attackers bypassed the Administration's perimeter defenses and relied on social engineering tactics to gain entry onto the network. The attackers crafted an email with a malicious attachment and successfully convinced an Administration employee to read the email and open the attachment. Presumably this attachment opened a backdoor on the user's machine and thus gave the attackers free passage onto the network.
This tactic, known as spear phishing because of its targeted nature, is similar to a suspected ongoing espionage campaign carried out by Chinese cyber spies. The investigation into these ongoing intrusions into the electronic systems of government agencies and contractors has been codenamed "Titan Rain" by the US government. According to Allan Paller, director of research for the SANS Institute, the attack on the NNSA is "the tip of a much bigger iceberg." Moreover, Paller said, in reference to the Chinese espionage campaign, the attack on the National Nuclear Security Administration "is an example of the kind of attack and extraction that was going on for the last 2 1/2 years."
The specific attack against the NNSA and the suspected ongoing cyber espionage campaign illustrate that government agencies and contractors must pay more careful attention to improving their cyber security posture. As evidenced by the attack on the NNSA, static perimeter defenses, such as firewalls and intrusion detection devices, are only one part of a comprehensive cyber security plan. Most cyber security experts recommend a defense-in-depth strategy. In cyberspace, defense-in-depth is the creation of multiple layers of defense that monitor not only the perimeter of the network but internal network operations as well. In the case of the NNSA attack, a defense-in-depth strategy would have stood a better chance of detecting the arrival of the malicious email attachment and might have detected the anomalous network traffic produced when the attackers began moving sensitive NNSA data out of the network.
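The following Python script is an added illustration of the layered monitoring described above; it is not code from the original article and reflects nothing known about the NNSA incident itself. It correlates two constructed log sources, a mail-gateway attachment log and an egress flow log, so that a risky attachment delivered to a host followed within a short window by an unusually large outbound transfer from that same host raises one alert. The log formats, hostnames, IP addresses, file-extension list, window and byte threshold are all assumptions made for the example.

```python
"""Correlating a mail-gateway layer with an egress-monitoring layer.

Constructed example: log formats, hosts, addresses and thresholds are
assumptions for illustration, not data from any real incident.
"""
import os
from datetime import datetime, timedelta

# Layer 1 (assumed format): mail gateway records attachments delivered to hosts.
MAIL_LOG = """\
2006-06-01T09:12:04 mailgw deliver to=ws-0417 attachment=quarterly_report.pdf
2006-06-01T09:15:31 mailgw deliver to=ws-0417 attachment=invoice.scr
2006-06-01T09:20:10 mailgw deliver to=ws-0099 attachment=agenda.docx
"""

# Layer 2 (assumed format): egress sensor records outbound bytes per host.
FLOW_LOG = """\
2006-06-01T09:16:02 egress flow src=ws-0417 dst=203.0.113.7 bytes=1200
2006-06-01T09:40:45 egress flow src=ws-0417 dst=203.0.113.7 bytes=84000000
2006-06-01T09:41:00 egress flow src=ws-0099 dst=198.51.100.5 bytes=52000
2006-06-01T11:05:13 egress flow src=ws-0417 dst=203.0.113.7 bytes=900
"""

# Assumed policy values: executable-type extensions a mail gateway would flag,
# a per-flow byte ceiling considered normal for a workstation, and how long
# after a risky delivery we keep watching that host's egress.
RISKY_EXTENSIONS = {".exe", ".scr", ".pif", ".bat", ".com"}
BASELINE_BYTES = 5_000_000
WINDOW = timedelta(hours=2)


def parse(log):
    """Turn '<ts> <sensor> <action> k=v ...' lines into dicts."""
    events = []
    for line in log.splitlines():
        ts, sensor, action, *kv = line.split()
        fields = dict(pair.split("=", 1) for pair in kv)
        fields.update(ts=datetime.fromisoformat(ts), sensor=sensor, action=action)
        events.append(fields)
    return events


def risky_attachments(mail_events):
    """Layer 1 alone: deliveries whose attachment has an executable extension."""
    return [
        e for e in mail_events
        if e["action"] == "deliver"
        and os.path.splitext(e["attachment"])[1].lower() in RISKY_EXTENSIONS
    ]


def correlate(mail_log=MAIL_LOG, flow_log=FLOW_LOG):
    """Layers combined: risky delivery to a host, then a large outbound flow
    from that host inside WINDOW. Each match becomes one alert dict."""
    mail = parse(mail_log)
    flows = parse(flow_log)
    alerts = []
    for a in risky_attachments(mail):
        for f in flows:
            if (
                f["action"] == "flow"
                and f["src"] == a["to"]
                and a["ts"] < f["ts"] <= a["ts"] + WINDOW
                and int(f["bytes"]) > BASELINE_BYTES
            ):
                alerts.append({
                    "host": a["to"],
                    "attachment": a["attachment"],
                    "dst": f["dst"],
                    "bytes": int(f["bytes"]),
                    "minutes_after_delivery": (f["ts"] - a["ts"]).total_seconds() / 60,
                })
    return alerts


if __name__ == "__main__":
    for alert in correlate():
        print(alert)
```

Either layer alone gives a weaker signal: the gateway sees a suspicious file type but not whether it was opened, and the egress sensor sees a large transfer but not why. Joining them on host and time is what produces an alert worth an analyst's attention, which is the practical meaning of monitoring internal operations as well as the perimeter.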