BreachExchange mailing list archives
Cyberattackers breach USPS security, but what were they after?
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 14 Nov 2014 13:29:03 -0700
http://searchcio.techtarget.com/news/2240234734/Cyberattackers-breach-USPS-security-but-what-were-they-after

Another federal agency has been the target of cybercrime. Just a couple of weeks after it was revealed the White House's unclassified computer networks were breached, the United States Postal Service (USPS) announced Monday that cyberattackers had stolen data on all its 800,000-plus employees, including their names, addresses and Social Security numbers.

The USPS security breach was discovered in September, officials said, and though they didn't confirm a perpetrator, many security experts speculate that Chinese hackers were responsible because the hack's signature was similar to recent breaches connected to the Chinese government.

What's noteworthy about this attack is that it's unclear what the thieves were after. The USPS doesn't handle classified government information, nor is the stolen employee data as obviously marketable as the credit card information purloined from retail giants such as Target and Home Depot (which this week disclosed further information on its massive cybertheft).

"It's an unfortunate fact of life these days that every organization connected to the Internet is a constant target for cyberintrusion activity. The United States Postal Service is no different," said Postmaster General Patrick Donahoe in a statement.

In other words, you exist, therefore you're vulnerable.

If everyone is vulnerable, what are businesses to do? According to a panel of experts at the recent Advanced Cyber Security Center Conference in Boston, instead of trying to predict if and when you'll get hit and what form that cyberattack is likely to take, plan for left of boom. The military term, coined by The Washington Post's Rick Atkinson, refers to the moment before a bomb explodes. Applied to cybersecurity, it refers to how well your organization is prepared just before the "boom," or cyberattack, to ideally prevent it from happening -- or at the minimum, contain the damage.

State Street Corp. CIO Christopher Perretta, part of a diverse panel of experts, offered his thoughts on what constitutes a left-of-boom defense. For starters, many companies today have heterogeneous infrastructures -- the new stuff that is fairly resilient and the old stuff that you worry about, Perretta said. "It's about owning that entire response," he said.

In addition, cybersecurity is not about checking the compliance box. It is about having a full-fledged, disciplined risk strategy that recognizes residual risk, the portion of risk left after all that can be done is done, Perretta said. This starts with understanding that low-probability, high-risk events can happen, that these risks have large implications, and that resources proportionate with those risk levels need to be applied. The governance mechanisms organizations have in place will be the difference between being able to handle residual risk and being undone by it.

Another piece of advice? CIOs must think of themselves as stewards of the company's business operations, not just the service providers for those business operations. Sometimes this involves hard decisions, such as shutting down a transaction, regardless of what's on the other end, if there's anything suspicious at play, Perretta said.

"It's a debate that says, 'What are the things I'm willing to seriously disrupt my business to protect?' It's an exercise that typically happens in disaster recovery, but should happen day to day," he said.

The bottom line is to think of security not just as an IT responsibility, but something that transcends tools and processes and is built into the fabric of the organization, he said.

That's easier said than done, though. "Changing the way people think about the business is much harder than the technology changes that we do."