OSD CIO: Network configuration, scanning softened cyberattack blow
- By Mary Mosquera
- Mar 06, 2008
ORLANDO, Fla. – Dennis Clem, chief information officer at the Pentagon and the Office of the Secretary of Defense, didn’t think his network was as vulnerable to attack as it was.
But last June, malicious code hit part of his network. To isolate the intrusion, he shut down part of the network of the Office of the Secretary of Defense, which affected 1,500 users.
“They used every tool they could against us,” he said March 4 at the Information Processing Interagency Conference. Although Clem did not identify the source of the code, public reports later identified it as most likely coming from the Chinese government.
It was a judgment call on Clem’s part to block only part of the network that handles the e-mail system. He had staff advising him to shut down the whole network.
“It was a huge gamble,” he said, adding that the security operations center had in place an effective scanning tool which supported his view that the intrusion had not yet spread throughout the network. But his next step would have been to shut down all of the office’s network, Clem said.
The hackers took advantage of a known Microsoft software vulnerability and sent spoof e-mail messages with the names of staff in Clem’s division. When the messages were opened, the code sent back the user names and passwords, which allowed access to the network. In follow-up forensics, Clem discovered that the hackers accessed sensitive information, which they encrypted as they transmitted it back to their sites.
In total, it took three weeks and $4 million to recover from the incident, he said.
The Pentagon experiences 70,000 illegal-entry attempts daily from small, innocuous probes to full-blown attack attempts, Clem said. Hackers know within minutes when a new server or software is deployed in the Pentagon, and they attempt to intrude. They have stolen lots of information from the Defense Department, he said.
“We don’t know how our adversaries will use the information," Clem said. "It can be as dangerous as a weapon and used later it may cost someone’s life.”
It was crucial that he understood his network configuration, he said. He had been in the process of consolidating 14 networks into one enterprise network, and he had to know what was on them, he said.
“If you don’t know what’s on your network, you can’t protect it,” he said.
Besides disconnecting part of the network, Clem took some actions that mitigated the damage. He proceeded systematically through the processes and procedures. He used a utility to check user identifications and required the regular use of smart cards, which have two-factor authentication. He implemented digital signatures to protect against spoof e-mail. He recorded all his activities and communications during the response period.
Information technologysecurity has to be comprehensive to be effective. “You have to close every possible door that can be opened,” Clem said, but cautioned, “Even the best intrusion detection program can’t stop all of them.”
Mary Mosquera is a reporter for Federal Computer Week.