The United States Postal Service (USPS) publicly admitted that it was the victim of a cyber-intrusion on Nov. 10. As it turns out, the USPS had been aware of a potential intrusion since Sept. 11, and it took several months of planning and strategic actions until the public and USPS employees were informed.
Full details on the USPS breach were provided by Randy Miskanic, vice president of secure digital solutions at the USPS, in testimony before the Subcommittee on Federal Workforce, U.S. Postal Service & the Census at the U.S. House of Representatives. The testimony, which took place on Nov. 19, is posted online and provides 11 pages of details on the actions and timeline of the USPS breach incident.
The testimony gives insight into how much time and process is involved in detecting and responding to a breach, which is far from a rapid process.
Miskanic testified that on Sept. 11, 2014, the U.S. Postal Service Office of Inspector General (USPS OIG) received information from the U.S. Computer Emergency Readiness Team (US-CERT) regarding four Postal Service servers that may have been compromised. Rather than immediately take action to shut down or otherwise block the compromised servers, the USPS was advised to take no action.
“The USPS OIG provided the CISO [Chief Information Security Officer] with an operational security warning advising that actions taken without coordination are likely to adversely impact the Postal Service’s overall security posture,” Miskanic testified. “The guidance document instructed the CISO to take no action—including further investigative activity, scanning, re-imaging, resetting account passwords, taking systems offline or searching IP addresses.”
Initially, the USPS suspected that only four servers were compromised, but through monitoring actions that occurred from Sept. 19 to Oct. 2, an additional 29 servers were identified as potentially being compromised. The USPS identified three Postal Service user accounts as potentially being compromised as well.
On Oct. 20, USPS staff provided a classified briefing to the National Security Council staff and the White House cyber-security director about the incident. It wasn’t until Nov. 7, nearly two months after first being alerted to the breach in September, that the USPS activated a full remediation plan to remove the attacker risk from the network.
“Implementing remediation plan elements required initiation of an information systems network brownout period, which limited communications between the Postal Service network and the Internet,” Miskanic testified. “During the Nov. 8-Nov. 9 brownout period, virtual private network (VPN) connections were blocked and remote network access was denied.”
The USPS also put in additional security controls during the two-day brownout, including two-factor authentication for administrative accounts. Going a step further, the USPS began to block access to personal online email services, including Gmail and Yahoo.
“In addition, direct database access is now only enabled to technology support staff, and a number of business applications have been retired,” Miskanic testified. “These safeguards will continue to be reviewed and enhanced over the coming months in order to increase our overall security posture.”
What the Miskanic testimony clearly illustrates is that detecting or being alerted to a breach is only the first step in what can be a lengthy process to recovery. It’s interesting to note that the USPS itself did not initially detect the breach, but rather was alerted to it by US-CERT.
The fact that the initial course of action was to not immediately block the impacted servers is also very interesting.
The USPS and its security partners wanted to be thorough and make sure they fully understood the problem so it could be properly fixed in a coordinated manner. In many security incidents, there is often a rush to judgment, but that’s not necessarily always the right course of action. The USPS attack and response provide organizations with a case study in how a thoughtful process can be implemented in the event of a cyber-security incident.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.