17 July 2024

CISA Publishes Review of Red Team (Hacker) Probe

Your Tax Dollars need to work harder around security. CISA broke into a US federal agency, and no one noticed for a full 5 months

CISA is the Cybersecurity and Infrastructure Security Agency of the federal government. I still maintain that it was named by Department of Redundancy Department of the federal government.

A Red Team is basically a group of ethical hackers. They try (and all too often succeed) to infiltrate an organization. The sad truth is that a lot of organizations, government or private, don't really take security seriously. It inconveniences people who don't want to be inconvenienced, and who have enough clout to demand that they not be made to put up with stuff they don't like.

CISA conducts Red Team assessments of federal civilian executive branch (FCEB) agencies. This is a report of one such assessment.

The Red Team was able to gain access to the unnamed agency in January of 2023 by way of a remote code execution flaw (CVE-2022-21587, rated 9.8) in an Oracle Solaris enclave (a Unix system). After having complete access to the Unix environment for a few months, they were able to gain access to the agency's Windows network by way of a targeted phishing campaign.

Once they gained that access, it was game over.

"The team found a password file left from a previous employee on an open, administrative IT share, which contained plaintext usernames and passwords for several privileged service accounts," the report reads. "With the harvested Lightweight Directory Access Protocol (LDAP) information, the team identified one of the accounts had system center operations manager (SCOM) administrator privileges and domain administrator privileges for the parent domain.

"They identified another account that also had administrative permissions for most servers in the domain. The passwords for both accounts had not been updated in over eight years and were not enrolled in the organization's identity management (IDM)."

Passwords left in plain text. Passwords not changed in 8 years.
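The two findings quoted above are both things a defender can check for mechanically. The script below is an added example, not code from the post or from the CISA report: it flags privileged accounts whose Active Directory `pwdLastSet` value is older than a cutoff (or zero, which AD uses when a password was never set or must be changed at next logon), and it scans text for lines that look like stored username/password pairs, the sort of file the team found on the open IT share. The attribute names are real AD attributes; the group names, account records and share-file contents are constructed sample data, and the regular expression is a deliberately simple assumption that a real scanner would extend.

```python
"""Added example (not from the post or the CISA report): defender-side checks
for the two findings quoted from the report, stale privileged-account
passwords and plaintext credential files on a share.

Assumptions: account records are dicts shaped like an AD/LDAP export
(sAMAccountName, memberOf, pwdLastSet); the group names and sample data are
constructed; CRED_PATTERN is a minimal pattern, not an exhaustive one.
"""
import re
from datetime import datetime, timedelta, timezone

# pwdLastSet is a Windows FILETIME: 100-nanosecond ticks since 1601-01-01 UTC.
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(filetime: int) -> datetime:
    """Convert an AD FILETIME tick count to an aware UTC datetime."""
    return _FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime; used only to build sample records."""
    return ((dt - _FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


# Constructed list of groups treated as privileged for this example.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "SCOM Admins"}


def flag_stale_accounts(accounts, now, max_age_days=365):
    """Return (account, reason) pairs for privileged accounts whose password
    is older than max_age_days or has never been set (pwdLastSet == 0)."""
    cutoff = now - timedelta(days=max_age_days)
    findings = []
    for acct in accounts:
        if not set(acct.get("memberOf", [])) & PRIVILEGED_GROUPS:
            continue  # unprivileged accounts are out of scope for this check
        last_set = acct["pwdLastSet"]
        if last_set == 0:
            findings.append((acct["sAMAccountName"],
                             "password never set or must change at next logon"))
            continue
        when = filetime_to_datetime(last_set)
        if when < cutoff:
            age_years = (now - when).days / 365.25
            findings.append((acct["sAMAccountName"],
                             f"password last set {age_years:.1f} years ago"))
    return findings


# Minimal pattern for 'password=...', 'passwd: ...', 'pwd = ...' style lines.
CRED_PATTERN = re.compile(r"(?i)\b(pass(word|wd)?|pwd)\s*[:=]\s*\S+")


def find_plaintext_credentials(text, path="<unknown>"):
    """Return (path, line_number) for each line that looks like a stored credential."""
    return [(path, lineno)
            for lineno, line in enumerate(text.splitlines(), 1)
            if CRED_PATTERN.search(line)]


# ---- constructed sample data -------------------------------------------
NOW = datetime(2023, 3, 1, tzinfo=timezone.utc)  # constructed assessment date

SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "svc_scom", "memberOf": ["SCOM Admins", "Domain Admins"],
     "pwdLastSet": datetime_to_filetime(datetime(2014, 6, 10, tzinfo=timezone.utc))},
    {"sAMAccountName": "svc_backup", "memberOf": ["Domain Admins"],
     "pwdLastSet": datetime_to_filetime(datetime(2022, 12, 1, tzinfo=timezone.utc))},
    {"sAMAccountName": "jdoe", "memberOf": ["Domain Users"],
     "pwdLastSet": datetime_to_filetime(datetime(2010, 1, 1, tzinfo=timezone.utc))},
    {"sAMAccountName": "svc_legacy", "memberOf": ["Enterprise Admins"], "pwdLastSet": 0},
]

SAMPLE_SHARE_FILE = """# handover notes (constructed sample)
svc_scom password=Summ3r2014!
backup server: 10.0.0.5
svc_backup pwd: B4ckup!
"""

if __name__ == "__main__":
    for name, reason in flag_stale_accounts(SAMPLE_ACCOUNTS, NOW):
        print(f"STALE  {name}: {reason}")
    for path, lineno in find_plaintext_credentials(SAMPLE_SHARE_FILE, "handover.txt"):
        print(f"CRED   {path}:{lineno}")
```

Run against a real export, the first check is the one that would have caught two privileged accounts with eight-year-old passwords; the unprivileged `jdoe` record is skipped on purpose so the output stays focused on the accounts that matter most. The share scan is intentionally crude and will produce false positives; its value is in running it regularly over shares that should never hold credentials at all.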

If anyone is fired, it won't be the managers who didn't manage, or the upper managers who wouldn't allocate funds for security reviews, or insist on multi-factor authentication. If anyone is fired it will be the people working without much, or any, support from management. My guess is that there will be requests, going back years, for resources to review the security, to enforce multi-factor authentication, to do reviews, whatever. Those requests will have been denied because, "You IT people always want to spend money on something."

If you're interested in the details, the article is fairly concise. The tl;dr is that people were lazy: slow to patch systems, no in-depth intrusion analysis after they patched a known vulnerability, and more.

Hat tip to Pixy Misa.

Wait, the federal government noticed a massive problem in only five months?

And CISA still has the worst logo I've seen in decades. It seems to have a very 1950s or '60s vibe.
