For years, security professionals have been preaching about the need for basic cyber security hygiene, including vulnerability, patch, and password management. Indeed, many successful cyber-attacks are conducted leveraging these three threat vectors. In a recent report filed by the BBC we read that the Australian government, despite ASD mandates, received a critical reminder of the need for basic cyber security hygiene and are now dealing with the ramifications of failing to maintain it.
Details on the breach
In the breach (related to an Adelaide-based aerospace engineering company) we can speculate that requirements like those found in NIST 800-171 were applicable but clearly not enforced, because some of the breach material concerned the F-35 Joint Strike Fighter, P-8 Poseidon, and C130 transport aircraft (in addition to other navy vessels), which are manufactured in the United States. In total, about 30GB of data was compromised. But like any good hack, the threat actor has still not been positively identified despite speculation of regional nation state involvement.
What went wrong
This sensitive military breach at a contractor is particularly annoying since so many basic cyber security hygiene policies, procedures and indicators were not followed, or just completely missed. For example:
- The breach began in July 2016, but government officials (ASD) were not notified until November 2016 – four months before disclosure and much too long by any standards.
- The exploit occurred in a software application that had not received security updates for a full year. No red flags from vulnerability or patch management were raised to remediate or mitigate the threat? It sounds like Equifax to me.
- The contractor was also using default passwords on the application! Wait. What? You’re protecting sensitive military secrets and cannot even change the default password on an application that could be leveraged against the crown jewels of your organisation? Clearly, hygiene went out the window here too.
If there is a silver lining, the stolen data was allegedly commercial information about the aircraft and not military data. Please think about that for a moment. What commercial information, totalling 30GB, is available about three military aircraft and a few navy vessels? High resolution JPGs? 30GB is a lot of commercially available information for a country’s offensive and defensive systems no matter how you look at it. It just was not relevant Australian military information; just information on the assets. This is completely the opposite of reports that North Korea hacked South Korea and stole vital military plans. It is the difference between knowing about your enemy’s weapons and knowing what they plan to do with them.
What we can learn
As we continue into the middle of October, we are reminded yet again of the importance of basic cyber-security hygiene. October is Cybersecurity Awareness Month and incidents like this are a firm reminder that we must always be vigilant in securing, protecting, monitoring, and enforcing our basic policies and procedures – including the Essential Eight.
If you would like more information on how BeyondTrust can help with NIST, ASD, or Essential Eight implementations and reporting, contact us today. Our goal: to make sure you do not become the next victim.
BeyondTrust is a global information security software company that helps organisations prevent cyber-attacks and unauthorised data access due to privilege abuse. Our solutions give you the visibility to confidently reduce risks and the control to take proactive, informed action against data breach threats. And because threats can come from anywhere, we built a platform that unifies the most effective technologies for addressing both internal and external risk: Privileged Access Management and Vulnerability Management. Our solutions grow with your needs, making sure you maintain control no matter where your company goes. BeyondTrust’s security solutions are trusted by over 4,000 customers worldwide, including half of the Fortune 100. To learn more about BeyondTrust, please visit www.beyondtrust.com.