Oz military megahack: When crappy defence contractor cybersecurity 'isn't uncommon', surely alarm bells ring?

While Australia's federal government scrambles to hose down a hacking incident, it's important to ask why a defence contractor of any size could run a network so insecure it exposed default administrative interfaces to the Internet. An Australian Signals Directorate (ASD) presentation to the Australian Information Security …

  1. Winkypop Silver badge
    Facepalm

    Time for some Pyne-o-clean

    Christopher Pyne must be accountable, otherwise why is he a Minister?

  2. Anonymous Coward
    Anonymous Coward

    third party assurance

    "the government can't be held responsible for a contractor's lax security."

    I'm guessing you can do the bare minimum audit before onboarding them though?

    1. frank ly

      Re: third party assurance

      Also, have a third party pen-test organisation try to break in with no warning and let you know how they get on. Give a bonus for breaching security. It's not rocket science!

      1. jmch Silver badge

        Re: third party assurance

        "have a third party pen-test organisation try to break in with no warning"

        The (potential) contractor would have to know about the test, so they would have to have SOME warning even if not knowing the exact date. It's illegal to commission a pen-test on a network you do not own, even for a government ministry. For all the horrorshows of government overreach, Australia is still not North Korea.

        1. Charles 9

          Re: third party assurance

          What if it's an official term of the contract? Wouldn't that count as express consent?

        2. Alan Brown Silver badge

          Re: third party assurance

          "It's illegal to commission a pen-test on a network you do not own, even for a government ministry. "

          Pass a law allowing it for national security purposes. Problem solved.

          1. Charles 9

            Re: third party assurance

            No need for additional laws. Simply require it in the terms of any government contract. Since agreeing to the contract would mean expressed consent, they'll gain legal permission to do the testing.

  3. Amos1

    "Vendor Management" in most companies is just a paperwork exercise

    "What do you mean, I have to assure the vendor is doing their job? That's why we hired them!" is a common push-back from "The Business". "An on-site visit? I'm not paying for that! We outsourced to save money!"

    So they request audit paperwork which comes back as an SSAE 16 SOC 1 Type 1, which can only be used for financial reviews and not technical operations and had no testing done. It covers the vendor's "cloud" provider's infrastructure and nothing else, not even the web apps the vendor wrote themselves. The security group writes them up for numerous problems marked in the vendor's own docs as "Requires management attention" where the vendor's response was "Accepted the risk".

    The paper-pushers in the customer's Vendor Management program look it all over and say "We can't tell the vendor how to run their business and they accepted the risk. So did our business unit."

    And then the vendor loses a butt-load of the company's customer data *cough* Equifax *cough* and "The Business" squawks "What do you mean, we have to notify our customers that the vendor we hired got breached? We're not the ones who lost it!"

    That's my Monday. Want to know what the rest of the week looks like? You guessed it, the same.

    Safe for work video on the subject: https://www.youtube.com/watch?v=9IG3zqvUqJY

  4. Robert Carnegie Silver badge

    "Isn't uncommon"

    The hypothetical Star Trek fan web site I run from my bedroom may have lax security like that (so does Starship Enterprise evidently, see "takeover of the week", at least it means that Kirk, Spock, Uhura and Chekov can break in themselves and take it back).

    A real-world security industry resource should be held to a higher standard. So I hope this incompetence is, so, uncommon in this sector. Unless we declare war on Australia - then I hope they're all idiots of "Three Stooges" level.

  5. Andytug
    Flame

    First rule of management

    You can delegate actions, but not responsibility. Responsibility is (allegedly) what managers get paid more for. Although it seems quite a few have managed to avoid it via various trickery...

    1. Mark 85

      Re: First rule of management

      Once upon a time, it was that way. Managers and execs took responsibility. Now they by-pass it for bonuses due to "cost savings". Guess whose cost is "saved"? Not theirs, but usually IT and other workers.

    2. Charles 9

      Re: First rule of management

      You sure as hell can deflect risks. That's why corporations exist in the first place. Otherwise, investors would be unwilling.

      1. Alan Brown Silver badge

        Re: First rule of management

        Corporations exist to shield investors from financial risk

        There is _nothing_ protecting irresponsible management from personal liability for negligence or recklessness.

        Adam Smith (the one who's regarded as a titan of economic theory) felt that the concept of corporate managers was fatally flawed because such people had the temptation to steal and/or play fast and loose with other people's money. He's been proven right many times since he raised his misgivings about corporate structures.

        1. Charles 9

          Re: First rule of management

          "There is _nothing_ protecting irresponsible management from personal liability for negligence or recklessness."

          No, you use corporate bureaucracy to deal with that.

          As for Adam Smith, did anyone ever ask him what the alternative was if no one was willing to invest due to the liabilities involved? That's the main reason we have corporations in the first place: to encourage investment in an environment where investors were reluctant enough to make the money flow too slow for economic viability.

  6. Alistair
    Windows

    "One individual is responsible"

    Per certain large corporate leaky entities.

    Hmmmm. Something's not right...

  7. Potemkine! Silver badge

    It's easy to explain

    50 people in the company, 1 IT guy.

    When companies' CFOs stop seeing IT as a cost, when companies understand that they have to invest in sufficient human resources to have a good service, when principals stop pressuring subcontracting companies to get the lowest price, then things will change (and pigs will probably fly too). Till then, we'll hear this story again and again.

    1. herman

      Re: It's easy to explain

      Support personnel numbers:

      50:1 for Windows

      250:1 for Linux

      10,000:1 for Linux cloud servers

    2. Alan Brown Silver badge

      Re: It's easy to explain

      "when principals will stop pressuring subcontracting companies to get the lower price,"

      One of the bigger problems is subcontractors farming things out when their contract prohibits this from happening. Because it's a breach of contract it's covered up and the effort that goes into the coverup far exceeds any effort checking compliance at the sub-subcontractor.

  8. John Smith 19 Gold badge
    FAIL

    Still none of that matters if the data being protected is not that valuable.

    Only this presentation is from the "Australian Signals Directorate".

    Which (I'm taking a wild stab here) is the Aus military version of the US NSA (which people forget is also a military operation, despite all the suits being worn).

    So I'm guessing they (and their sub-contractors, and their sub-sub-contractors) have something a little bit more important to guard than last week's Fosters consumption figures. *

    *Which is only important if you're another lager mfg (IMHO lager is mfg'd, not brewed).

    1. Hans 1
      Joke

      Re: Still none of that matters if the data being protected is not that valuable.

      Which is only important if you're another lager mfg (IMHO lager is mfg'd, not brewed).

      I think there are only two other brands of lager in the world that would be interested in Fosters consumption figures, that would be Millers and Bud (the USian company); any other purveyor is in a different league, like, which Premier League team would care about the performance of Purbrook FC (Hampshire, England, UK)?

    2. Winkypop Silver badge

      Re: Still none of that matters if the data being protected is not that valuable.

      "(IMHO lager is mfg'd, not brewed)."

      Perhaps.

      But IMHO Fosters is NOT beer.

      Exactly what it is, who knows.

      Australians rarely drink the shit.

    3. Anonymous Coward
      Anonymous Coward

      Re: Still none of that matters if the data being protected is not that valuable.

      "Which is only important if you're another lager mfg (IMHO lager is mfg'd, not brewed)."

      What do you mean? Ale brewing and lager brewing are very similar. They only really diverge in the maturation process, since ales age warm and lagers age cold.

  9. Eclectic Man Silver badge
    FAIL

    Relax ..

    ... it is not as if Australia was a major military ally and NATO member we have deep defence relations with.

    Oh, err, hang on a minute.

    S H I T

    1. Anonymous Coward
      Anonymous Coward

      Re: Relax ..

      Correct, Australia is not a NATO member. So only half in the shit.

    2. WolfFan Silver badge

      Re: Relax ..

      it is not as if Australia was a major military ally and NATO member

      SEATO and ANZUS, not NATO. SEATO's dead and has been for 40 years, but ANZUS lives on, despite New Zealand's best efforts.

      It should be remembered that Australia and South Korea sent troops to Vietnam to support the US. Indeed, the RoK Marines in Vietnam established a reputation somewhat similar to that enjoyed by the Waffen-SS in Russia and the Australian SAS weren't exactly namby-pamby either. https://www.quora.com/Were-ROK-troops-scary-in-the-Vietnam-war http://theaustraliansas.com/

      1. Kernel

        Re: Relax ..

        "It should be remembered that Australia and South Korea sent troops to Vietnam to support the US."

        As did New Zealand - and both ourselves and the Australians (and probably the South Koreans as well) had to dodge bullets not only from the Vietcong, who at least were expected to be firing at our troops, but from our US allies as well on occasion - presumably as a result of general incompetence and crappy map reading skills.

        1. Robert Carnegie Silver badge

          Re: Relax ..

          One civilian newswatcher's impression from a series of wars where the U.S. had allies is that U.S. forces early on test the commitment of said allies by shooting some of them dead. If that is put up with, and it usually is, then so will a lot more be, e.g. Abu Ghraib (until the photos get out).

  10. Triggerfish

    Automation at its finest.

    I mean years ago you'd have to go a bit Smiley, or Palmer. Infiltrate the country, set up an asset, use a dead drop, and exfil.

    Nowadays you just find a defence contractor whose security team is run by bean counters, send a "joke" attachment and wait for some fool to open it.

  11. Uffish

    The buck stops somewhere

    The sub-contractor got the commercially sensitive information from somewhere. If the somewhere was a bundle of papers casually handed across at a meeting with no real warnings about the security to be provided for the data (or the email equivalent of that scenario) then any data loss is both the sub-contractor's and the main contractor's fault. If the main contractor gave specific and sufficient security instructions and got specific and sufficient assurances from the sub-contractor then it is the sub-contractor's fault. Even if it is the fault of some poor sod in purchasing who didn't read the Ts&Cs properly, someone didn't do his job properly.

    Maybe in Australia a terse comment from the ASD is enough to get standards raised but they will still have to prove it.

  12. Lotaresco

    Australia also needs to look at accountability

    "A contractor did a bad thing" didn't save anyone at MoD from the consequences of the EDS data leak when an unencrypted laptop containing 600,000 records of military personnel was stolen, leading to the revelation that this had happened three times before. The Burton report of 30 April 2008 resulted in shortened career paths.

  13. Hazmoid

    Sounds like a case of using a local for IT support

    Reading the article on PCauthority, https://www.pcauthority.com.au/news/australian-contractors-only-it-technician-steals-30gb-of-defence-secrets-475238

    It sounds like a local in the Middle East was used for the IT support and was not particularly careful with password or account security.

    Suspect this contractor no longer has a contract.
