This past week has been a rough week for cybersecurity in the Pentagon. Not only did the Pentagon fail in their weapons program security protocols, but the Pentagon has announced a data breach affecting over 30,000 DOD employee records.
So, where did the Pentagon fail in security protocols? And what lead to the data breach?
Very simply, the Pentagon made simple mistakes that a lot of businesses make. In fact, testers found examples of weaknesses in all four security protocol categories: protect, detect, respond, and recover.
In a previous article we talked about the top ten mistakes to avoid regarding security. Now we are going to focus just on the few the Pentagon got wrong. And what you can do to protect your business.
Missing the basics
Passphrases and passwords are the first thing a new employee encounters in an office. Yet, this is where the Pentagon failed the worst. In fact, one report stated a test team was able to guess a Pentagon administrator password in nine seconds.
Nine seconds to guess a password for administration access to the Pentagon’s weapon program.
While it’s easy for the average American to scoff and doubt how this could be, most people do not have strong passwords. In fact, the Pentagon was found guilty of something most American’s do: leaving default passwords for open source software.
The easiest fix for this solution? Setting expirations on all system passwords, with 30 days as the recommended time limit. Requiring certain elements within passwords. In fact, most security professionals will state a passphrase is often more successful at deterrence than a password with standard requirements (symbols, upper and lower case, etc).
Most importantly, reset all passwords for any software or device connected to your network.
While the average consumer can maintain their system with firewalls and once a week virus scans, businesses and the Pentagon require consistent monitoring for any breaches.
Unfortunately, that is not the case in the weapons program. In one situation, a testing team gained access to the terminals of the system’s operators. This means the team could see, in real time, everything the operators had on their screens.
Since defending a perimeter is no longer enough for any type of network, continuous monitoring is required to detect any type of breach. Quick detection can save money and prevent a breach from reaching a massive scale.
Believing there is no risk
The largest weakness of the weapons program is the entire computerized system was designed without security protocols in mind. Even systems not attached to the network are at risk because the DOD did not account for security while building the systems.
While most individuals do not consider cybersecurity when building their networks, it should be a top priority. All networks contain data. Data is valuable, so that puts all networks at risk.
The problem the DOD may have encountered is cybersecurity staff is in high demand and can request large salaries. However, that is no excuse to not put security as a top priority.
Ultimately, the Pentagon is guilty of one main breach of cybersecurity protocol, and it’s one most businesses forget as well.
Contractor/vendor security protocols
The DOD contracts to third-party vendors for most their network projects. It is this fact that caused over records to be stolen from the Pentagon.
Rather than attacking the Pentagon directly, the breach occurred via a compromised contractor. While the number will likely increase as the investigation continues, the attackers were able to steal personal information and credit card information for over 30,000 military and civilian personnel.
Out of 20 cybersecurity risk factors, vendor risk is the costliest risk per capita. Ensuring vendors have and follow security protocols should be a top priority for any IT department.
Lessons for business
While the news has been hard for the Pentagon this past week, the data breach announcement following on the heels of the weapons program weaknesses has highlighted cybersecurity for all business.
Have security software is no longer enough. While most businesses can argue they are not the Pentagon, every network contains data that is valuable to someone. Making sure passphrases are strong and expire, continuous monitoring, and vetting vendors are all steps every business should take to ensure data security.
Most importantly, with the shortage of cybersecurity professionals, it’s important for businesses to not try and handle this alone. To see how MobileWare can help your business thrive in the face of cyber adversity, read here.