Department of Defense Data breach – Four steps to prevent the next one

October 18, 2018 // Ellen Neveux

Last Updated: April 29, 2019

On October 4, 2018, Lt. Col. Joseph Buccino, Pentagon spokesperson, announced a Department of Defense (DOD) data breach that affected at least 30,000 military and civilian personnel. It’s reported that hackers gained access through a third-party contractor that maintained travel records for the department. The breach compromised highly sensitive data, including personal and financial information. Travel records are particularly delicate, researchers Karsten Nohl and Nemanja Nikodijevic explain; this information can provide bad actors with detailed employee itineraries, down to their airplane seat number. That is a clear threat to national security.

Unfortunately, this public sector breach should not have been a surprise. Around the same time, the U.S. General Accountability Office (GAO) issued the report “Weapons Systems Cybersecurity: DOD Just Beginning to Grapple with Scale of Vulnerabilities.” Among the weak spots were a lack of proactive effort to prevent cyber attacks, poor password management, and a lack of encryption. But even if the DOD had in place many of these best cybersecurity practices for its own organization, a network is only as strong as its weakest link. In this case, the DOD didn’t secure its third-party vendor vulnerabilities.

It’s critical for all government agencies to take notice and address this specific risk. Remote Site & Equipment Magazine reports that government, nonprofits, and the private sector all have mandates to essentially “do more with less.” Quality, productivity, and turnaround time must continually be improved with increasingly limited budgets. IT services from remote third parties make this possible.

However, illustrates the growing threat of a mismanaged enterprise/vendor relationship, “… service providers are now firmly in the cyber-criminal’s crosshairs. Often having privileged access to multiple customer environments and inherently trusted to store and protect confidential information, cybercriminals view service providers as treasure troves. The Trustwave 2018 Global Security Report (GSR) found a marked increase of 9.5% in compromises targeting businesses that provide IT services.”

As these relationships become more frequent, organizations can reduce their exposure through these best practices:

  • Make cybersecurity the priority in all strategic planning, policies, and procedures. Although the DOD is the largest U.S. employer, GAO found it approached cyber issues as a kind of “add-on.” The responsibility should not be housed in a stand-alone department. Cybersecurity is every employee’s business. Some of this is common sense, such as not opening attachments on emails, guarding and changing passwords, and ensuring encryption is standard.
  • Perform due diligence in the selection of vendors; this is critical. At the top of the list must be their security policies and capabilities.
  • Maintain complete access control, down to the individual. Utilize vendor access management tools that restrict users’ access to only the systems and activity needed.
  • Audit all user activity on your network. This will provide vendor accountability, ensure regulatory compliance, and provide an early-warning system of emerging vulnerabilities. In the DOD breach, Forbes notes, investigators still do not know when the system was hacked.

Organizations that leverage third-party services must follow these best practices in order to maintain a value-adding partnership with vendors. SecureLink understands this challenge and has incorporated these security measures in our vendor access management platform. It facilitates credential management, multi-factor authentication, connection notifications, and real-time monitoring with comprehensive audit reports.
