
Your Network May Be Used as a Flotation Device

February 11, 2009

So, we find yet another data breach, this time at the FAA.  Some people have been coming down pretty hard on this government agency, which I would argue is (contrary to some of its porky peers) one of the most critical and yet underfunded federal agencies out there.  Tom Waters, president of an AFSCME local, went so far as to criticize the FAA’s IT team and their response to the breach by referring to this event as “malpractice in their world.”  Given that most people in security understand that there is no such thing as “100% hack-proof”, and that the general public (including both us at eIQ and Mr. Waters) doesn’t know what security controls were in place at the FAA when this breach occurred, or whether they were risk-appropriate, I think that this comment is more than a bit overblown.

Moreover, the FAA appears to have responded to this incident in an appropriate way, by disclosing early, identifying the specific details of data that was breached, and (most importantly) identifying the problem on their own, without having the FBI or another three-letter-acronym agency do it for them long after the fact.  While the data that was breached was highly personal in nature (including both unencrypted and encrypted data on current and former FAA employees), this wasn’t a breach of air traffic control systems.  All in all, this incident was handled in a pretty professional manner.

However, regardless of how it was handled, the fact that this breach occurred in the first place points to the criticality of proactive security.  While it’s good to be able to know (perhaps from a forensic analysis of event logs, system configuration changes, and other security-related data) that the data breach occurred, especially in a timely manner, it wasn’t timely enough to actually prevent the breach from occurring at all.  To effectively address this kind of breach before critical data egresses from the environment, organizations need to get hold of all of the relevant security data across the environment.  While we don’t know the exact profile of this particular breach (insider? low-and-slow attack that breached a network perimeter device? brute-force credential attack against a web app?), we do know that in almost every case it’s not enough to use only one source of data (such as log/event data, vulnerability scan results, system configuration data, or network flow data) to identify the problem; instead, it requires immediate correlation across all of these different silos of data, and an alerting capability that can identify the subtle nuances of attack profiles, to ensure that security professionals get the information they need without being drowned by a sea of unrelated data.  And that, of course, is where point security solutions fail.
