Over the course of the last several weeks, a number of high-profile U.S. federal networks have been breached by attackers. The latest organization to be breached is the U.S. State Department, which had to take its email system offline.
The breach at the State Department follows attacks against the White House, the United States Postal Service (USPS) and the National Oceanic and Atmospheric Administration (NOAA).
The Associated Press, which broke the story on the State Department hack on Nov. 16, indicated that the entire unclassified email system was potentially at risk. The actual State Department email shutdown occurred late Friday, Nov. 14, as areas of concern about the email system were discovered.
Currently, there is no official attribution for the source of the State Department email incident. In the NOAA and White House incidents, reports have alleged that nation-state actors from China and Russia were involved.
Bob Stratton, managing partner at cyber-security accelerator Mach37, told eWEEK that he was somewhat surprised at the State Department disclosure. In general, his view is that the State Department’s discussion of this attack is a constructive development.
“While perfect security is a laudable goal, users of information technology are coming to realize that these events occur even in the face of diligent effort,” Stratton said. “There is some value in not immediately assuming that IT operations and security organizations are incompetent so much as that they are enduring a continuing, innovative, determined stream of network attacks.”
At this point, Stratton added, he’s more curious about how quickly and effectively a breached agency or company can do damage assessment, and how long it takes for them to perform remediation of the breach with confidence that it was done effectively.
In the State Department incident, the email system was the target, which makes sense considering what sort of information might be present.
“An email system contains not only information regarding users in the directory services, but also a wealth of information in the emails themselves,” John Fitzgerald, CTO North America at Wave Systems, told eWEEK. “So if an attacker is able to gain access to internal data repositories—databases, email systems and file stores—a great amount of direct and indirect information can be gathered.”
There is no question that the use of email as a vehicle for delivery of attacks is extremely popular, and has been for a while, according to Stratton.
“It makes sense if one is trying to collect information on an organization that the attacker might be interested in what is arguably the most commonly used and perhaps most critical collaboration tool,” he said.
In terms of next steps for the government, Fitzgerald said the information gathered from the attacks should be used to investigate whether other areas of the infrastructure have been compromised and look for similar fingerprints in other information systems.
Stratton added that he expects the State Department will be doing a damage assessment to determine what exactly was breached, and the sensitivity and implications of that, as well as developing a remediation plan.
“The question in situations where there is a large set of stored information is, Is there some way that the consistent use of encryption might have prevented the loss of some of this information?” Stratton said. “That is no panacea either, but it can sometimes help to make extracting information through an attack more difficult for the attacker.”
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.