Friday, 2 August 2013

Behind the Firewall: Government

More often than not, malware stealthily infects systems and lifts valuable data long before it is ever detected, let alone eliminated.
Given that, it’s not surprising that some of the most pernicious threats are underestimated or dismissed altogether. But what happens when the opposite is true, when fear and panic surrounding malware come to a dramatic crescendo - so much so that users pour valuable resources and security dollars into fighting a costly, but non-existent, threat?
That was a hard lesson to learn for one Commerce Department agency, which spent nearly $3 million and more than a year combating a malware infection that didn’t exist, CNN Money reported.
This most recent gaffe was attributed to the EDA, a small agency focusing on job growth and economic development. And like many agencies, the EDA was wary about becoming the next victim of a malicious threat.
But how did a minor security hiccup get blown so wildly out of proportion? The agency’s technological meltdown began almost two years ago, when it received a warning from the Commerce Department about the possibility of malware within its network.
A follow-up alert indicated that the problem only affected two computers. But it was too late. Thanks to a series of misinterpretations - and what an audit report described as a lack of appropriate IT skills on the part of the staff - the EDA believed it was under widespread attack and went nuclear on what would otherwise have been considered an insignificant problem.
What transpired was generally what occurs when an organization allows fear and panic to override logic and strategic planning: the agency launched an all-hands-on-deck response, among other things, trashing $170,000 worth of computers and other equipment believed to be infected.
It also commissioned a third-party security contractor and shut down its entire e-mail network. But perhaps what flummoxed auditors the most, in this bizarre series of missteps, is that the agency dismissed the contractor’s assessment contending there was no real threat. Instead, the agency’s chief information officer promptly ordered the physical destruction of all of the agency’s technological equipment, including TVs, cameras, computers, keyboards and mice.
When all was said and done, the clean-up effort lasted around 15 months and cost approximately $2.7 million. To say that the EDA was a victim of ignorance would be a serious understatement. What’s more, the EDA’s gross overreaction and unnecessary expenditures could easily have been avoided at numerous points throughout the ordeal. So where exactly did the EDA go wrong? Lots of places.
For one, the EDA should have been paying much closer attention to the initial Commerce Department alert, questioning in particular the nature of the malware, its source, and how many computers could potentially have been affected. If malware was indeed discovered on the network, the organization needed to first run specific assessments to discover precisely which machines or systems were affected.
From there, the agency would likely have needed to invest in software designed to eradicate the malware, or perhaps reinstall operating systems on the affected machines, rather than destroying thousands of dollars’ worth of technology that could have remained in use.
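The scoping step the post describes, reading the alert for the hosts it actually names and confirming on each machine before deciding on a fleet-wide response, can be captured in a small triage routine. The following is an added example, not code from the original post or from the EDA or Commerce Department; the alert format, host names, scan results and the 5% threshold are all constructed assumptions for illustration.

```python
"""Scope a malware alert against endpoint scan results before responding.

Added example (not from the original post). The alert is assumed to be a
list of hostnames flagged by the upstream team; scan results are assumed
to come from whatever endpoint tool the organisation runs. All data below
is constructed.
"""
from dataclasses import dataclass


@dataclass
class ScanResult:
    host: str
    scanned: bool          # False if the endpoint tool never reached this host
    indicator_hits: int    # number of alert indicators found on the host


# Constructed: the two hosts the (hypothetical) follow-up alert named.
ALERT_HOSTS = ["eda-ws-017", "eda-ws-042"]

# Constructed: scan output for a fleet where only the two named hosts are hit.
COMPLETE_SCAN = [
    ScanResult("eda-ws-017", True, 2),
    ScanResult("eda-ws-042", True, 1),
    ScanResult("eda-ws-101", True, 0),
    ScanResult("eda-ws-102", True, 0),
    ScanResult("eda-srv-03", True, 0),
]

# Constructed: same fleet, but one server was never scanned and a host the
# alert did not mention shows a hit.
INCOMPLETE_SCAN = [
    ScanResult("eda-ws-017", True, 2),
    ScanResult("eda-ws-042", True, 1),
    ScanResult("eda-ws-101", True, 1),
    ScanResult("eda-ws-102", True, 0),
    ScanResult("eda-srv-03", False, 0),
]

# Assumed policy threshold: more than 5% of scanned hosts hit counts as widespread.
WIDESPREAD_FRACTION = 0.05


def scope_incident(alert_hosts, scan_results):
    """Classify every host as confirmed, clean or unscanned, and flag hits
    on hosts the alert did not name (the alert was under-scoped)."""
    confirmed = sorted(r.host for r in scan_results if r.scanned and r.indicator_hits > 0)
    clean = sorted(r.host for r in scan_results if r.scanned and r.indicator_hits == 0)
    unscanned = sorted(r.host for r in scan_results if not r.scanned)
    unexpected = sorted(h for h in confirmed if h not in alert_hosts)
    scanned_total = len(confirmed) + len(clean)
    fraction = len(confirmed) / scanned_total if scanned_total else 0.0
    return {
        "confirmed": confirmed,
        "clean": clean,
        "unscanned": unscanned,
        "unexpected": unexpected,
        "fraction_hit": fraction,
    }


def recommend(scope):
    """Turn the scope into a proportionate next step. Fleet-wide action is
    only recommended once coverage is complete and the hit rate is high."""
    if scope["unscanned"]:
        return "scan remaining hosts before deciding on fleet-wide action"
    if scope["unexpected"]:
        return "alert was under-scoped: widen investigation to unexpected hosts"
    if scope["fraction_hit"] <= WIDESPREAD_FRACTION:
        return "contained: remediate confirmed hosts only"
    return "widespread: escalate and plan a coordinated response"


if __name__ == "__main__":
    for label, results in (("complete", COMPLETE_SCAN), ("incomplete", INCOMPLETE_SCAN)):
        s = scope_incident(ALERT_HOSTS, results)
        print(label, s["confirmed"], "->", recommend(s))
```

The point of the two constructed datasets is the ordering of the checks: an unscanned host means the scope is unknown, and a hit on a host the alert never mentioned means the alert itself was wrong, so neither case justifies acting on the original count. Only the complete scan with a low hit rate produces the "contained" recommendation that would have applied to the two-computer case in the post.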
If the agency still determined that an outside audit was necessary, it should have paid rapt attention to the final conclusion and consulted on how to minimize expenses during the clean-up process. Granted, most organizations that fall victim to malicious attacks face different challenges, often failing to respond appropriately because of ignorance or a lack of budget and IT staff. In addition to lack of awareness, that response paralysis is driven largely by fears of major damage to the organization’s reputation and brand.
That said, going to the other extreme is often just as destructive when dealing with a perceived threat. In the case of the EDA, government watchdogs got wind of the agency’s panic and nixed a $26 million request to further fund its recovery efforts. And down the road, it’s unlikely that the agency will be taken seriously should it actually encounter a real malware attack - a turn of events that could thwart future security efforts and represent a major setback in the ongoing struggle to keep users safe from malware.
