
Chinese hackers have breached the USA's weather forecasting systems, disrupting emergency and disaster planning in a hack one US congressman described as a cover-up, the Washington Post reports. The September hack was not discussed internally by the National Oceanic and Atmospheric Administration (NOAA) until 20 October and …

  1. John Tserkezis

    How did they realise it? Round my parts, weather forecasts are little better than guesses. Or, better still, when they forecast rain first thing in the morning when I could clearly see that by looking out a window.

    1. Anonymous Coward

      Re: How did they realise it?

      Take the blue pill. I had to take the red pill. It's really not pretty. Really.

  2. Mark 85

    Ok.. the NOAA has "an obligation to tell the truth" and they covered it up. I'm thinking these same ethics don't apply to Congress? A little late if the CongressCritter was trying to score points for the election. Let's take them all out and beat them with old shoes... as a certain former Iraqi military spokesman would say. I'm thinking that they fixed the problem and got on with business. The same can't be said for Congress.

    Yeah.. I'm grumpier than hell about our government.

    1. disgruntled yank

      Actually

      Actually, Frank Wolf is retiring from Congress. He has also, as a representative for the Virginia suburbs of Washington, DC, generally been an advocate for federal government employees.

    2. Anonymous Coward

      Re: I'm thinking that they fixed the problem and got on with business.

      Whether or not either of those operations evaluates to True depends on your exact values of "fixed the problem" and/or "got on with business."

  3. DerekCurrie
    Facepalm

    Yeah but, this is a RE-hacking

    After 9 years of every US federal Windows box exposed to the Internet being hacked by the Chinese, the feds finally admitted what had happened in 2007. This is NOT the first time NOAA has been hacked. I doubt it will be the last. #MyStupidGovernment in action.

    1. Wzrd1 Silver badge

      Re: Yeah but, this is a RE-hacking

      The first lesson in network security is this; they *will* get in. Period, end of story.

      One can only try to delay actions on objectives long enough to catch them before data is exfiltrated.

      This is true for government networks, it's equally true for commercial networks.

      What is critical is proper incident response, with a knowledgeable team.

      1. David Pollard

        Re: The first lesson in network security ...

        Is there any way to get the people building Care.Data to realise this?

      2. Peter Gathercole Silver badge

        Re: Yeah but, this is a RE-hacking @Wzrd1

        That they will get in is a wise statement to make.

        But it does not have to be totally true. A suitably designed, multi-layer protection model implemented using multiple vendors' kit will probably defeat almost all attacks, especially if the design is kept secret. The trick is to be utterly ruthless with what is allowed between each of your security zones.

        By using multiple vendors' kit, each boundary between the security zones presents a new problem to be 'cracked'. If things are designed properly, by the time the attacker gets to the third or fourth boundary, your intrusion detectors should have been tripped so that you can take action to protect the service being attacked, and other systems that lie further into the network.

        You layer the servers themselves to form parts of the security infrastructure, so in the case of web-based services, your edge web servers only keep session and transient data, intermediate servers keep application logic and only enough data for the transactions in flight, and you keep the core databases separate still. In all cases, the servers have an external side and an internal side, and the networks on either side are never bridged by network infrastructure (obviously you have to have something to allow the servers to be administered, but the same rules apply to the management infrastructure).

        In order to get access to the places where data is really present for bulk-download, the only practical way in is to have knowledge of everything in advance.

        I'm not saying that even this design is intrusion free, but the idea is to make it so periphery intrusion does not expose data wholesale, so as to limit the damage. It also does not protect from DOS type attacks, or protect you from holes in the infrastructure you provide for your employees' internet access, but that's another story.

        But the problem with a model like this is that it gets expensive. And too often, the risk vs. cost balance is set wrong because the managers are dominated by accountants. Too many organisations assume that a single or dual layer of security devices is sufficient to protect their internal networks, and once on a system on an internal network, the world is the cracker's oyster.

        I know one bank that used a design like this, which had many zone boundaries, where the architect declared at the end of the first project that it would have been cheaper to give all the customers of the service access to a personal banker for a year than to build the infrastructure! But they did use the infrastructure again for other services, so the cost of later projects was reduced.

        1. Anonymous Coward

          Re: A suitably designed, multi-layer protection model implemented

          You're following the "Ooh shiny!" path. Which is exactly what they wanted when they told you certain true things and omitted other more important ones.

          1. Peter Gathercole Silver badge

            Re: A suitably designed, multi-layer protection model implemented @AC

            I don't follow, unless you are alluding to there being a much simpler vector for the breach, like an insider or a social engineering attack.

            I was actually not making a judgement about this particular issue, but following up on the comment by Wzrd1 about intruders getting in. I think that we are actually talking the same thing about limiting the damage that can be done while the IDS and intrusion incident protocols are triggered.
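    The zoned design Peter Gathercole sketches above (edge web tier, application tier, core database, a separate management network, and a boundary between each that permits only what is explicitly needed) can be expressed as a default-deny flow table and audited for the property he relies on: that an intruder on the periphery must cross several boundaries before bulk data is in reach. The following is an added example written for this page, not code from any commenter or from NOAA; the zone names, ports and flows are hypothetical.

```python
from collections import deque

# Constructed example for the tiered design discussed in the thread; zone
# names, ports and flows are hypothetical and stand in for no real network.

# Allowed flows, as (source zone, destination zone, destination port).
# Anything not listed here is dropped at the boundary: default deny.
ALLOWED_FLOWS = frozenset({
    ("internet", "edge_web", 443),   # public HTTPS terminates on the edge tier
    ("edge_web", "app",      8443),  # edge may only talk to the app tier
    ("app",      "core_db",  5432),  # only the app tier may query the database
    ("mgmt",     "edge_web", 22),    # administration from a separate mgmt net
    ("mgmt",     "app",      22),
    ("mgmt",     "core_db",  22),
})


def is_allowed(src, dst, port, flows=ALLOWED_FLOWS):
    """Boundary decision: permit only an explicitly listed flow."""
    return (src, dst, port) in flows


def boundaries_to(start, target, flows=ALLOWED_FLOWS):
    """Fewest zone boundaries an intruder in `start` must cross to reach
    `target` using only permitted flows. None means no permitted path."""
    seen = {start}
    queue = deque([(start, 0)])
    while queue:
        zone, hops = queue.popleft()
        if zone == target:
            return hops
        for src, dst, _ in flows:
            if src == zone and dst not in seen:
                seen.add(dst)
                queue.append((dst, hops + 1))
    return None


def audit_policy(flows, min_boundaries=3):
    """Return the list of invariant violations in a flow table (empty if clean).

    Invariants: only the app tier queries the database; the internet reaches
    nothing but the edge tier; the management network is never a destination
    from a service zone; and the database sits at least `min_boundaries`
    boundaries away from the internet."""
    problems = []
    for src, dst, port in flows:
        if dst == "core_db" and port == 5432 and src != "app":
            problems.append(f"{src} may query core_db directly")
        if src == "internet" and dst != "edge_web":
            problems.append(f"internet reaches {dst} without passing the edge tier")
        if dst == "mgmt":
            problems.append(f"{src} can reach the management network")
    hops = boundaries_to("internet", "core_db", flows)
    if hops is not None and hops < min_boundaries:
        problems.append(
            f"internet to core_db in {hops} boundaries, want >= {min_boundaries}")
    return problems


if __name__ == "__main__":
    print("edge_web -> core_db:5432 allowed?", is_allowed("edge_web", "core_db", 5432))
    print("boundaries internet -> core_db:", boundaries_to("internet", "core_db"))
    print("audit:", audit_policy(ALLOWED_FLOWS) or "clean")
    # A tempting shortcut (edge servers querying the database directly)
    # collapses the depth the design relies on:
    shortcut = ALLOWED_FLOWS | {("edge_web", "core_db", 5432)}
    print("audit with shortcut:", audit_policy(shortcut))
```

The audit is the part worth keeping around: the table itself is only as good as the review that stops a convenient cross-tier rule from being added later, which is exactly how a three-boundary design quietly becomes a one-boundary one.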

  4. Anonymous Coward

    Keep digging.

    I can't comment much more than that.
