Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Comments
Russian Hackers Pilfered Data from NSA Contractor's Home Computer: Report
Newest First  |  Oldest First  |  Threaded View
Page 1 / 2   >   >>
jsmwaste
50%
50%
jsmwaste,
User Rank: Apprentice
10/11/2017 | 1:25:34 PM
Re: Whose fault?
Nice infomartion..Thanks for sharing
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
10/10/2017 | 4:48:33 PM
Re: Security Corrective Action
@REISEN: To clarify: I 100% agree about the severity of the situation, which absolutely must go into account -- as must the role of the particular employee (big difference, for instance, between, say, an IT worker and a public-relations admin).

At the same time, speaking generally and not necessarily on this particular incident, the severity of the situation has to be taken into account the other way too. Some situations do call for extreme measures, but if every reaction is one of draconian you-know-what-to-the-wall maximum punishment, then you greatly risk decreased self-reporting of highly serious situations involving highly sensitive data. Everything is a balancing act.

More on my take here, including insights from another federal agency that deals with highly sensitive data: enterprisenetworkingplanet.com/netsysm/minimize-shadow-it-damage-by-encouraging-self-reporting.html
LouiseMiller
50%
50%
LouiseMiller,
User Rank: Apprentice
10/10/2017 | 9:11:04 AM
Re: Whose fault?
And they are always here - hackers 
REISEN1955
50%
50%
REISEN1955,
User Rank: Ninja
10/10/2017 | 7:31:02 AM
Re: Security Corrective Action
If the data in question was merely QUARTLERLY ERESULTS for a public company, I would agree.  But this is NATIONAL SECURITY data!!!  We are on a different scale here.  This material HAS to be classified!!!!!  This is not a powerpoint presentation of the 2017 Kick off meeting at Atlanta.  And what about COMMON SENSE for a contract worker?  Or emplooyee for that matter.  No, we are dealling with national secrets!!!  Different ball game. 
Joe Stanganelli
0%
100%
Joe Stanganelli,
User Rank: Ninja
10/9/2017 | 3:27:43 PM
Re: Security Corrective Action
>  I think conseqiuences such as termination, lawsuit, jail can be persuasive. 

While I don't disagree with your overall reaction, there are certain problems with immediately going to extreme retributive measures when it comes to this stuff. At the end of the day, it's shadow IT -- and if you unrelentingly flog the peasants every time something like this comes to light, you're going to discourage self-reporting of security incidents for other employees who may be violating IT rules.

Perhaps the employee should be fired, but that shouldn't be the one-size-fits-all insta-solution for every IT violation. Otherwise, you risk not finding out about compromises until it's far too late because employees will fear for their jobs.
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
10/9/2017 | 3:22:22 PM
Re: Whose fault?
> actually an NSA employee, not a contractor.

That's kind of worse, no?

I certainly support work-from-home and telecommuting, but when you're talking about that kind of high-level government work, things need to be vetted for the home office.
REISEN1955
50%
50%
REISEN1955,
User Rank: Ninja
10/9/2017 | 2:43:27 PM
Re: Security Corrective Action
The virtue of simplicity.  How about NO GOVERNMENT-PRIVATE DATA EVER EVER EVER on a "home" system particularly if you are dealing with SECURITY CLEARANCE ISSUE!!!    I think conseqiuences such as termination, lawsuit, jail can be persuasive.  A home computer IS NOT secure and most government systems sure are not either.  But to add pain to the pudding through a home system exposure is a violation of every sane security law in the book!!!!  RTFM as they used to say ages ago. 
rdusek483
50%
50%
rdusek483,
User Rank: Apprentice
10/7/2017 | 8:08:48 AM
Security Corrective Action
Internal-External Airgapping needed . . .
Kelly Jackson Higgins
0%
100%
Kelly Jackson Higgins,
User Rank: Strategist
10/6/2017 | 3:25:39 PM
Re: Whose fault?
Mainframes for the win!
REISEN1955
50%
50%
REISEN1955,
User Rank: Ninja
10/6/2017 | 3:21:52 PM
Re: Whose fault?
I suppose we may all be thankful that the USA Nuclear command and control seems to be hosted on 1970s vintage mainframe systems of which NOBODY remembers HOW to hack and invade?   Those old System/370 systems, S/34 - 36 and 38 go on forever.  
Page 1 / 2   >   >>


Why Cyber-Risk Is a C-Suite Issue
Marc Wilczek, Digital Strategist & CIO Advisor,  11/12/2019
Unreasonable Security Best Practices vs. Good Risk Management
Jack Freund, Director, Risk Science at RiskLens,  11/13/2019
6 Small-Business Password Managers
Curtis Franklin Jr., Senior Editor at Dark Reading,  11/8/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-18987
PUBLISHED: 2019-11-15
An issue was discovered in the AbuseFilter extension through 1.34 for MediaWiki. Once a specific abuse filter has (accidentally or otherwise) been made public, its previous versions can be exposed, thus potentially disclosing private or sensitive information within the filter's definition.
CVE-2019-18986
PUBLISHED: 2019-11-15
Pimcore before 6.2.2 allow attackers to brute-force (guess) valid usernames by using the 'forgot password' functionality as it returns distinct messages for invalid password and non-existing users.
CVE-2019-18981
PUBLISHED: 2019-11-15
Pimcore before 6.2.2 lacks an Access Denied outcome for a certain scenario of an incorrect recipient ID of a notification.
CVE-2019-18982
PUBLISHED: 2019-11-15
bundles/AdminBundle/Controller/Admin/EmailController.php in Pimcore before 6.3.0 allows script execution in the Email Log preview window because of the lack of a Content-Security-Policy header.
CVE-2019-18985
PUBLISHED: 2019-11-15
Pimcore before 6.2.2 lacks brute force protection for the 2FA token.