AOH :: ISN-3211.HTM

Hackers - from locals to Chinese - challenge data security

Hackers - from locals to Chinese - challenge data security
Hackers - from locals to Chinese - challenge data security 

October 31, 2006

WILLIAMSBURG, Va.  From the Chinese government to homegrown hackers, 
groups are increasingly targeting agencies networks, data security 
experts claim.

The Chinese are in half of your agencies systems, Alan Paller, research 
director of the SANS Institute, told attendees Oct. 30 at the Executive 
Leadership Conference, which is held here by the American Council for 
Technology and the Industry Advisory Council.

Paller cited 2005 reports that hackers using servers in China stole 
designs for an aviation mission-planning system for Army helicopters, 
and, on one night in 2004, found vulnerabilities in computers at the 
Defense Information Systems Agency, the Naval Ocean Systems Center in 
San Diego, the Army Information Systems Engineering Command at Fort 
Huachuca, Ariz., and the Army Space and Strategic Defense Installation 
in Huntsville, Ala. Paller said officials believe the attacks were 
sponsored by the Chinese government.

And the problem extends to civilian agencies, he argued. The State 
Department said last July that hackers in China had broken into its 
computers in Washington and abroad.

The Washington Post reported Oct. 6 that Chinese-based attackers in 
search of information had forced the Commerce Departments Bureau of 
Industry and Security, which regulates the export of dual-use technology 
to states including China, to shut down Internet access for more than a 
month. The bureau also replaced hundreds of computers.

It has become clear that Internet access in itself is a vulnerability 
that we cannot mitigate, Acting Undersecretary of Commerce Mark Foulon 
said at the time.

Paller argued that many information security metrics established by the 
Federal Information Security Management Act do not measure how well 
agencies protect data.

Agencies must report the number of systems for which they complete 
reports on security vulnerabilities, but most reports are written by 
consultants and never read by top managers, Paller said.

Agencies are also required to count the number of officials who complete 
security awareness training, but do not have to measure what skills they 
acquired, he said, citing an example where trained employees fell for 
phishing exercises. Phishing involves e-mails, often apparently 
forwarded by by co-workers, which invite employees to click on links to 
download security patches supposedly from companies like Microsoft. Such 
e-mails often orgininate from hackers seeking sensitive data.

A better metric is used by New York State, which continually tests how 
many employees are fooled by phishing attempts, Paller said. Give the 
boss that data and see how fast behavior changes, he said.

Other officials at the conference recommended assigning responsibility 
for data security not just to information technology officials but to 
managers of divisions where data could be stolen. Steve Malphrus, staff 
director for management at the Federal Reserves Board of Governors, said 
that a culture of risk management at the Fed means managers are 
accountable for risks in their department.

Managing risk cannot be an afterthought, Malphrus said. IT has to be an 
important part of managing the enterprise. Its the managers 
responsibility. If they make a mistake, they take a salary hit. 
Officials said data can also be vulnerable at the personal level. 
Individuals can intentionally or accidentally give away sensitive 
information. For that reason, agencies should consider prohibiting 
access to Web sites like and to blogs, said Secret Service 
Special Agent Kyo Dolan.

Visit the InfoSec News store! 

Site design & layout copyright © 1986-2014 CodeGods