Government // Cybersecurity
2/1/2013
04:05 PM
Dark Reading
Dark Reading
Products and Releases
Connect Directly
RSS
E-Mail
50%
50%
Repost This

Alabama State Systems Hit By Cyberattack

The state’s IT network is deemed critical infrastructure

MONTGOMERY – Alabama Department of Homeland Security Director Spencer Collier on Tuesday discussed the recent cyber intrusion at the Alabama Information Services Division (ISD) and outlined action items the state is currently following as part of a coordinated response.

ISD is a part of the Alabama Department of Finance and is responsible for information technology services for the state of Alabama. The state's information technology (IT) network is deemed critical infrastructure and falls under the jurisdiction of the Alabama Department of Homeland Security (ALDHS).

After becoming suspicious of unusual activities, ISD employees self-detected that the firewall protecting the state's IT system had been breached. ISD employees subsequently notified ALDHS. Immediately, the Alabama Department of Homeland Security contacted state and federal authorities to open a criminal case. Simultaneously, Director of ISD Jack Doane activated a computer emergency response team to confirm that an intrusion had taken place and formulate a plan to respond.

As the Director of Homeland Security and newly appointed Senior Law Enforcement Advisor, Director Collier initiated a confidential inquiry into this matter to determine if criminal action had taken place, to assess the initial damage, and to determine the steps necessary to properly address the incident.

According to Director Collier, "We are currently conducting an extensive inquiry with our state and federal partners who are experts in their field regarding cyber security. We are doing everything in our power to protect the evidence, maintain the confidentiality required in a case of this nature, and to prevent future intrusions."

The Alabama Department of Finance has taken further action and has hired a leading information security company to assist in the investigation, help secure the system, and to institute tighter controls on access to eliminate the possibility of a future intrusion.

According to Jack Doane, "ISD and the computer emergency response team is working closely with the contractor on all remediation efforts. We have assembled the best team possible to preserve the evidence and to do the analysis regarding exactly what occurred. There is no way to estimate how long the forensics will take, but it could be weeks or months."

The information regarding the cyber intrusion that is confirmed and available for public knowledge is as follows:

We know that someone:

· Obtained access into the state network, and

· Used this access to examine multiple computers within the network

We have evidence that:

· At least one server containing malware was used to gain access to the systems

In response to this attack, ISD:

· Immediately activated a computer emergency response team to monitor network activity and contain the threat

· Deployed additional firewalls to monitor and control access to State systems

· Consulted with local and federal officials and State Homeland Security to assist in the investigation; a criminal investigation is on-going

· Obtained the services of a national cyber security consulting firm to help collect and analyze attack data

· Began thoroughly examining Internet-accessible applications to ensure they are not vulnerable to future attack

We are still in the process of determining the extent of the unauthorized network access and the potential impact such loss may have on the citizens of Alabama.

Any detailed release of information pertaining to the scope of intrusion or the response measures used to remediate the vulnerabilities could negatively influence the investigation.

"While we are respectful of providing critical information to the public in a timely manner, this is an on going criminal investigation, and releasing sensitive information could jeopardize the process and outcome of the investigation," Director Collier reiterated.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Containing Corporate Data on Mobile Devices
Containing Corporate Data on Mobile Devices
If youíre still focused on securing endpoints, youíve got your work cut out for you. WiFi network provider iPass surveyed 1,600 mobile workers and found that the average US employee carries three devices -- a smartphone, a computer, and a tablet or e-reader -- with more than 80% of them doing work on personal devices.
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-3946
Published: 2014-04-24
Cisco IOS before 15.3(2)S allows remote attackers to bypass interface ACL restrictions in opportunistic circumstances by sending IPv6 packets in an unspecified scenario in which expected packet drops do not occur for "a small percentage" of the packets, aka Bug ID CSCty73682.

CVE-2012-5723
Published: 2014-04-24
Cisco ASR 1000 devices with software before 3.8S, when BDI routing is enabled, allow remote attackers to cause a denial of service (device reload) via crafted (1) broadcast or (2) multicast ICMP packets with fragmentation, aka Bug ID CSCub55948.

CVE-2013-6738
Published: 2014-04-24
Cross-site scripting (XSS) vulnerability in IBM SmartCloud Analytics Log Analysis 1.1 and 1.2 before 1.2.0.0-CSI-SCALA-IF0003 allows remote attackers to inject arbitrary web script or HTML via an invalid query parameter in a response from an OAuth authorization endpoint.

CVE-2014-0188
Published: 2014-04-24
The openshift-origin-broker in Red Hat OpenShift Enterprise 2.0.5, 1.2.7, and earlier does not properly handle authentication requests from the remote-user auth plugin, which allows remote attackers to bypass authentication and impersonate arbitrary users via the X-Remote-User header in a request to...

CVE-2014-2391
Published: 2014-04-24
The password recovery service in Open-Xchange AppSuite before 7.2.2-rev20, 7.4.1 before 7.4.1-rev11, and 7.4.2 before 7.4.2-rev13 makes an improper decision about the sensitivity of a string representing a previously used but currently invalid password, which allows remote attackers to obtain potent...

Best of the Web