Cyber Breach at the Pentagon

Friday, October 12th, 2018  AP News reported that the Pentagon revealed a cyber breach releasing over 30,000 travel records that included personal information belonging to US Military and Civil Employees. The Government losing our private information is becoming the status quo. It has become acceptable for our Government to be “compliant” instead of protecting our people. Here at ICISI, we hear every day how hard it is to defend against these hackers. It just isn’t true. The US Government is spending billions of dollars on “compliance” models that are not performing. The model is broken and based on results we can see it doesn’t work.  We are in dire need of a principles-based approach that matures agencies beyond a checklist.

In defense of the agencies that are being compromised, they have nowhere to turn for performance-based results. There are 100s of companies out there who can help, but compliance has gotten in the way of actual performance. In the article, it was stated that the breach happened some months ago. Why are they only finding the compromise now? We believe it comes down to a lack of proper training and broken models for cyber. Our Government must progress beyond compliance if we want to protect our nations most critical assets. The US is stuck as a nation and falling behind in the world of Cyber.

Based on the article the cyber breach came through the department’s services supply chain. A single commercial vendor created the pathway for the attackers. Our question is simple, “Who vetted the vendor’s systems, processes, and training before allowing access to critical systems at the Pentagon?” It appears the vendor will take the fall and the department has or will take steps to cease the vendor’s performance under its contracts. Halting work with the vendor is all well and good, but it’s us who pay the price, the US veterans, and civil servants.

In our experience, most breaches leverage a target’s weaknesses such as a lack of training, poor internal practices, and ignorance of things that matter.  Simply put we are distracted. It is cyber compromises like this that drove us to stand up our CCPA program. There is a better way to marry cyber-based principles and real performance objective to create a safer world. We are bridging the gap between knowing about cyber and becoming the solution to the treat by Democratizing Cybersecurity®.

John Walley

John Walley

  1. NSK left a comment on October 16, 2018 at 3:10 pm

    Great Post! I’ve noticed that Service Provider/Vendor Monitoring Services are becoming more sought after within the information security space; and for good reason.

    I began monitoring one specific vendor’s vulnerability stats/trends for their hosting environment. After four (4) short months I noticed significant improvements to their reporting formats, 75% reduction in the total number of vulnerabilities, and the average age of vulnerabilities was cut in half. It’s important to note that this vendor has been in place for five (5) years.

    I strongly support Infrastructure as a Service (IaaS) however just because you paid for it to get done doesn’t mean it is getting done.

    As with everything in this field we must “Trust but verify”.

    Customers may be resistant to paying for additional services to verify that they are getting all the services they paid for. This is often perceived as redundant monitoring. If this is the case, remind them that Service Provider/Vendor Monitoring services are relatively cheap considering they may have pay millions for something that hasn’t been done for the last five (5) years resulting significant impacts to the security posture of their organization.

    As the saying goes “That which is measured, improves.”

    https://www.linkedin.com/in/nwalley/

Leave a Comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.