Tuesday, November 27, 2012

This just can't be real

Wow, this whole South Carolina Department of Revenue fiasco is just amazing. With all the breaches and attacks that make the news, it's mind-boggling that there are still major organizations that simply cannot secure their data.

Reports estimate that 3.8 million people who filed taxes in SC may be affected by this breach. In addition, PII related to 1.9 million dependents as well as business info for almost 700K businesses was leaked. All combined, they estimate 3.3 million bank accounts and 5,000 credit cards may be compromised. That's a pretty substantial chunk of people impacted by this mess.

So how did this happen? According to the SC governor, it's as simple as the IRS not telling them they had to encrypt SSNs. Hmmm, it's generally cool to bash the IRS, but in this case, I have to say bottom line is that SC dropped the ball big time. It's SC state tax information that was collected by the state of SC and stored for the use of SC Department of Revenue. Sounds to me like SC all the way.

The incident report by Mandiant is a pretty interesting read. Some highlights, or better yet low-lights:

  • Attackers got entry when one or more employees clicked on a bogus link in a phishing email, which caused their machines to become infected
  • It is estimated the attackers had access for 2 months
  • 44 machines were compromised
  • At least 33 different tools were brought in and used by the attackers over those 2 months
  • Attackers installed at least one backdoor
  • Almost 75GB of data was exfiltrated - 15 files that compressed to a little more than 8GB
  • Estimated cost to SC thus far, $14 million
  • Director of SC Department of Revenue will resign in Dec

So, after 2 months and 75GB of data sucked from their network, SC only knew something was going on when contacted by law enforcement. That is a huge fail. Not only did they not provide adequate protection to PII, they apparently did no monitoring of their networks. They had no idea anyone was in their network shipping out huge gobs of data. That is simply irresponsible. It's a textbook attack scenario. Could it have been prevented? Who knows for sure. I'd like to think so. Better network awareness and monitoring could have detected anomalies much earlier and led to immediate action. Maybe better training and desktop tools could have prevented the initial infection as well? Probably a lot of things should and could have been done differently. Now the big question is whether other businesses and organizations will use these kinds of events as a wake-up call and do some checking on their own to see if something like this could happen to them. I have hoped that for quite some time, but the huge breaches still keep coming.
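As an added illustration of the kind of network monitoring this post is talking about (not code from the original post or from the Mandiant report), the script below learns a per-host baseline of daily outbound bytes from flow records and flags days that blow past it by a large factor. The host names, addresses, dates and byte counts are constructed, and the baseline assumes the first few days of each host's history are clean.

```python
from collections import defaultdict
from statistics import median

# Constructed flow records (not from the SC incident report): one line per
# outbound connection summary, "date,src_host,dst_ip,bytes_out".
FLOW_LOG = """\
2012-08-01,ws-114,203.0.113.10,120000
2012-08-01,ws-114,203.0.113.11,95000
2012-08-02,ws-114,203.0.113.10,110000
2012-08-03,ws-114,203.0.113.12,130000
2012-08-04,ws-114,203.0.113.10,105000
2012-08-05,ws-114,198.51.100.7,5400000000
2012-08-06,ws-114,198.51.100.7,6100000000
2012-08-01,ws-207,203.0.113.10,80000
2012-08-02,ws-207,203.0.113.11,90000
2012-08-03,ws-207,203.0.113.10,85000
2012-08-04,ws-207,203.0.113.12,88000
2012-08-05,ws-207,203.0.113.10,82000
2012-08-06,ws-207,203.0.113.11,91000
"""

def daily_outbound(log):
    """Sum bytes_out per (host, date) from the CSV-style flow lines."""
    totals = defaultdict(int)
    for line in log.strip().splitlines():
        date, host, _dst, nbytes = line.split(",")
        totals[(host, date)] += int(nbytes)
    return totals

def flag_exfil(log, baseline_days=4, ratio=10.0):
    """Return [(host, date, bytes)] for days on which a host's outbound volume
    exceeds `ratio` times the median of its first `baseline_days` days.
    The baseline is learned per host, so normally chatty hosts are not flagged;
    it assumes those first days are not already compromised."""
    totals = daily_outbound(log)
    per_host = defaultdict(dict)
    for (host, date), nbytes in totals.items():
        per_host[host][date] = nbytes
    alerts = []
    for host, days in per_host.items():
        ordered = sorted(days)
        baseline = median(days[d] for d in ordered[:baseline_days])
        for d in ordered[baseline_days:]:
            if days[d] > ratio * baseline:
                alerts.append((host, d, days[d]))
    return alerts
```

In the constructed data only ws-114 trips the alert, on the two days it starts pushing gigabytes to a single outside address, while ws-207's steady low-volume traffic stays quiet.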