Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Government Cloud Security United States

Government Watchdog Hacked US Federal Agency To Stress-Test Its Cloud Security (techcrunch.com) 21

In a series of tests using fake data, a U.S. government watchdog was able to steal more than 1GB of seemingly sensitive personal data from the cloud systems of the U.S. Department of the Interior. The experiment is detailed in a new report by the Department of the Interior's Office of the Inspector General (OIG), published last week. TechCrunch reports: The goal of the report was to test the security of the Department of the Interior's cloud infrastructure, as well as its "data loss prevention solution," software that is supposed to protect the department's most sensitive data from malicious hackers. The tests were conducted between March 2022 and June 2023, the OIG wrote in the report. The Department of the Interior manages the country's federal land, national parks and a budget of billions of dollars, and hosts a significant amount of data in the cloud. According to the report, in order to test whether the Department of the Interior's cloud infrastructure was secure, the OIG used an online tool called Mockaroo to create fake personal data that "would appear valid to the Department's security tools."

The OIG team then used a virtual machine inside the Department's cloud environment to imitate "a sophisticated threat actor" inside of its network, and subsequently used "well-known and widely documented techniques to exfiltrate data." "We used the virtual machine as-is and did not install any tools, software, or malware that would make it easier to exfiltrate data from the subject system," the report read. The OIG said it conducted more than 100 tests in a week, monitoring the government department's "computer logs and incident tracking systems in real time," and none of its tests were detected nor prevented by the department's cybersecurity defenses.

"Our tests succeeded because the Department failed to implement security measures capable of either preventing or detecting well-known and widely used techniques employed by malicious actors to steal sensitive data," said the OIG's report. "In the years that the system has been hosted in a cloud, the Department has never conducted regular required tests of the system's controls for protecting sensitive data from unauthorized access." That's the bad news: The weaknesses in the Department's systems and practices "put sensitive [personal information] for tens of thousands of Federal employees at risk of unauthorized access," read the report. The OIG also admitted that it may be impossible to stop "a well-resourced adversary" from breaking in, but with some improvements, it may be possible to stop that adversary from exfiltrating the sensitive data.

This discussion has been archived. No new comments can be posted.

Government Watchdog Hacked US Federal Agency To Stress-Test Its Cloud Security

Comments Filter:
  • by gtall ( 79522 ) on Friday March 01, 2024 @05:20AM (#64281336)

    From wikipedia, "Peraton was awarded a $2.69 billion contract by the U.S. Department of Homeland Security concerning Data Center and Cloud Optimization Support Services.[15][16] Peraton also captured a $1B contract from the Pentagon to counter "misinformation"

    So it seems the Pentagon might also have some issues although OIG is an arm of the Interior Department. From the stated article.

      "The experiment is detailed in a new report by the Department of the Interior’s Office of the Inspector General (OIG), published last week."

    DHS might have misconfigured their systems but the internal systems of Peraton should have caught intrusions before they were able to exfiltrate data. That company should be subject to fines but it probably depends upon how their contract was written.

    • by ls671 ( 1122017 )

      DHS might have misconfigured their systems but the internal systems of Peraton should have caught intrusions before they were able to exfiltrate data. That company should be subject to fines but it probably depends upon how their contract was written.

      If I asked you to take a guess, how do you think the contract was most likely written? Probability wise if you want...

    • Every federal department has their own OIG. Every federal department has their own contracts, although sometimes, particularly to take advantage of economies of scale, other departments will "piggyback" on contracts from other parts of the federal government.

  • by Anonymous Coward
    Cloud Security is clearly an absurdly incongruous oxymoron
    • by HiThere ( 15173 )

      It's not inherently insecure...well, that's not exactly true, but it could be a lot more secure that it is. But that's not the way the incentives are structured.

    • That's right, the only thing less secure than cloud security, is on-premise security.

  • by Gravis Zero ( 934156 ) on Friday March 01, 2024 @12:44PM (#64282366)

    This is exactly the kind of kind of oversight the government needs. Security seems to be an afterthought for all our "built by the lowest bidder" government systems.

If you aren't rich you should always look useful. -- Louis-Ferdinand Celine

Working...