Government // Cybersecurity
2/1/2013
04:05 PM
Dark Reading
Dark Reading
Products and Releases
50%
50%

Alabama State Systems Hit By Cyberattack

The state’s IT network is deemed critical infrastructure

MONTGOMERY – Alabama Department of Homeland Security Director Spencer Collier on Tuesday discussed the recent cyber intrusion at the Alabama Information Services Division (ISD) and outlined action items the state is currently following as part of a coordinated response.

ISD is a part of the Alabama Department of Finance and is responsible for information technology services for the state of Alabama. The state's information technology (IT) network is deemed critical infrastructure and falls under the jurisdiction of the Alabama Department of Homeland Security (ALDHS).

After becoming suspicious of unusual activities, ISD employees self-detected that the firewall protecting the state's IT system had been breached. ISD employees subsequently notified ALDHS. Immediately, the Alabama Department of Homeland Security contacted state and federal authorities to open a criminal case. Simultaneously, Director of ISD Jack Doane activated a computer emergency response team to confirm that an intrusion had taken place and formulate a plan to respond.

As the Director of Homeland Security and newly appointed Senior Law Enforcement Advisor, Director Collier initiated a confidential inquiry into this matter to determine if criminal action had taken place, to assess the initial damage, and to determine the steps necessary to properly address the incident.

According to Director Collier, "We are currently conducting an extensive inquiry with our state and federal partners who are experts in their field regarding cyber security. We are doing everything in our power to protect the evidence, maintain the confidentiality required in a case of this nature, and to prevent future intrusions."

The Alabama Department of Finance has taken further action and has hired a leading information security company to assist in the investigation, help secure the system, and to institute tighter controls on access to eliminate the possibility of a future intrusion.

According to Jack Doane, "ISD and the computer emergency response team is working closely with the contractor on all remediation efforts. We have assembled the best team possible to preserve the evidence and to do the analysis regarding exactly what occurred. There is no way to estimate how long the forensics will take, but it could be weeks or months."

The information regarding the cyber intrusion that is confirmed and available for public knowledge is as follows:

We know that someone:

· Obtained access into the state network, and

· Used this access to examine multiple computers within the network

We have evidence that:

· At least one server containing malware was used to gain access to the systems

In response to this attack, ISD:

· Immediately activated a computer emergency response team to monitor network activity and contain the threat

· Deployed additional firewalls to monitor and control access to State systems

· Consulted with local and federal officials and State Homeland Security to assist in the investigation; a criminal investigation is on-going

· Obtained the services of a national cyber security consulting firm to help collect and analyze attack data

· Began thoroughly examining Internet-accessible applications to ensure they are not vulnerable to future attack

We are still in the process of determining the extent of the unauthorized network access and the potential impact such loss may have on the citizens of Alabama.

Any detailed release of information pertaining to the scope of intrusion or the response measures used to remediate the vulnerabilities could negatively influence the investigation.

"While we are respectful of providing critical information to the public in a timely manner, this is an on going criminal investigation, and releasing sensitive information could jeopardize the process and outcome of the investigation," Director Collier reiterated.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
10 Recommendations for Outsourcing Security
10 Recommendations for Outsourcing Security
Enterprises today have a wide range of third-party options to help improve their defenses, including MSSPs, auditing and penetration testing, and DDoS protection. But are there situations in which a service provider might actually increase risk?
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-8142
Published: 2014-12-20
Use-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer.re in PHP before 5.4.36, 5.5.x before 5.5.20, and 5.6.x before 5.6.4 allows remote attackers to execute arbitrary code via a crafted unserialize call that leverages improper handling of duplicate keys w...

CVE-2013-4440
Published: 2014-12-19
Password Generator (aka Pwgen) before 2.07 generates weak non-tty passwords, which makes it easier for context-dependent attackers to guess the password via a brute-force attack.

CVE-2013-4442
Published: 2014-12-19
Password Generator (aka Pwgen) before 2.07 uses weak pseudo generated numbers when /dev/urandom is unavailable, which makes it easier for context-dependent attackers to guess the numbers.

CVE-2013-7401
Published: 2014-12-19
The parse_request function in request.c in c-icap 0.2.x allows remote attackers to cause a denial of service (crash) via a URI without a " " or "?" character in an ICAP request, as demonstrated by use of the OPTIONS method.

CVE-2014-2026
Published: 2014-12-19
Cross-site scripting (XSS) vulnerability in the search functionality in United Planet Intrexx Professional before 5.2 Online Update 0905 and 6.x before 6.0 Online Update 10 allows remote attackers to inject arbitrary web script or HTML via the request parameter.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.