Government Watchdog Hacked US Federal Agency To Stress-Test Its Cloud Security (techcrunch.com)
In a series of tests using fake data, a U.S. government watchdog was able to steal more than 1GB of seemingly sensitive personal data from the cloud systems of the U.S. Department of the Interior. The experiment is detailed in a new report by the Department of the Interior's Office of the Inspector General (OIG), published last week. TechCrunch reports: The goal of the report was to test the security of the Department of the Interior's cloud infrastructure, as well as its "data loss prevention solution," software that is supposed to protect the department's most sensitive data from malicious hackers. The tests were conducted between March 2022 and June 2023, the OIG wrote in the report. The Department of the Interior manages the country's federal land, national parks and a budget of billions of dollars, and hosts a significant amount of data in the cloud. According to the report, in order to test whether the Department of the Interior's cloud infrastructure was secure, the OIG used an online tool called Mockaroo to create fake personal data that "would appear valid to the Department's security tools."
The OIG team then used a virtual machine inside the Department's cloud environment to imitate "a sophisticated threat actor" inside of its network, and subsequently used "well-known and widely documented techniques to exfiltrate data." "We used the virtual machine as-is and did not install any tools, software, or malware that would make it easier to exfiltrate data from the subject system," the report read. The OIG said it conducted more than 100 tests in a week, monitoring the government department's "computer logs and incident tracking systems in real time," and none of its tests were detected nor prevented by the department's cybersecurity defenses.
"Our tests succeeded because the Department failed to implement security measures capable of either preventing or detecting well-known and widely used techniques employed by malicious actors to steal sensitive data," said the OIG's report. "In the years that the system has been hosted in a cloud, the Department has never conducted regular required tests of the system's controls for protecting sensitive data from unauthorized access." That's the bad news: The weaknesses in the Department's systems and practices "put sensitive [personal information] for tens of thousands of Federal employees at risk of unauthorized access," read the report. The OIG also admitted that it may be impossible to stop "a well-resourced adversary" from breaking in, but with some improvements, it may be possible to stop that adversary from exfiltrating the sensitive data.
Re: (Score:1)
This had nothing to do with government employees, and then they can only be tasked with decisions policy makers give them.
Re: (Score:2)
This sounds like you are shilling for "government employees". Obviously government employees made the selection of that incapable tool and obviously government employees are responsible for the overall bad state of IT security, whether they messed it up themselves or paid somebody to mess it up.
By labeling them a government shill for stating a fact, you are ironically reinforcing your own signature quote.
Re: (Score:3, Informative)
If I understand the story, the cloud system was put together by private industry (contractors to the government), and the Department of the Interior's Office of the Inspector General (government) did a penetration test and found problems.
So, private industry screwed up and government employees found it.
(Yes, you are arguing that government employees selected the original contractor, but in fact purchasing regulations mean that if they choose anything other than the lowest bid they will draw a protest [duckduckgo.com] and ha
Peraton is the cloud provider (Score:4, Insightful)
From Wikipedia: "Peraton was awarded a $2.69 billion contract by the U.S. Department of Homeland Security concerning Data Center and Cloud Optimization Support Services. Peraton also captured a $1B contract from the Pentagon to counter 'misinformation'."
So it seems the Pentagon might also have some issues, although the OIG here is an arm of the Interior Department. From the article:
"The experiment is detailed in a new report by the Department of the Interior’s Office of the Inspector General (OIG), published last week."
DHS might have misconfigured their systems but the internal systems of Peraton should have caught intrusions before they were able to exfiltrate data. That company should be subject to fines but it probably depends upon how their contract was written.
Re: (Score:2)
DHS might have misconfigured their systems but the internal systems of Peraton should have caught intrusions before they were able to exfiltrate data. That company should be subject to fines but it probably depends upon how their contract was written.
If I asked you to take a guess, how do you think the contract was most likely written? Probability wise if you want...
Re: (Score:2)
Every federal department has its own OIG. Every federal department has its own contracts, although sometimes, particularly to take advantage of economies of scale, departments will "piggyback" on contracts from other parts of the federal government.
Re:Next step: Stop these tests! (Score:5, Interesting)
Summary of the OIG report: lax processes allowed the purchasing of non-FedRAMP cloud services using department purchase cards (credit cards) instead of approved contract vehicles, which resulted in CSPs and cloud environments not on department inventory. Ghost clouds. Furthermore, they weren't properly audited nor were sufficient controls in place (obviously).
So, basically, "I need a waiver because none of the secured stuff will let my entire team have local admin! Screw you! I'll put it on a credit card and not tell IT!"
Re: (Score:2)
From Shadow IT to Ghost Clouds. Nice! This is even worse than I imagined. And I have seen quite a bit.
An absurdly incongruous oxymoron (Score:1)
Re: (Score:2)
It's not inherently insecure... well, that's not exactly true, but it could be a lot more secure than it is. But that's not the way the incentives are structured.
Re: (Score:2)
That's right, the only thing less secure than cloud security is on-premises security.
GOOD! (Score:3)
This is exactly the kind of oversight the government needs. Security seems to be an afterthought for all our "built by the lowest bidder" government systems.