In February 2010 Forbes.com ran a story on breaches of major Department of Defense contractors’ data networks. The story was largely based on research conducted by the Pentagon’s Cyber Crime Center. It found that between August of 2007 and August of 2009 there were numerous breaches of the networks of contractors, government agencies, and universities with ties to the U.S. military. The reason I choose to bring this to my clients’ attention is that the lessons that can be drawn from this research can certainly be applied to my clients’ networks and their sensitive information.
Here are some of the insights from the research:
- most of the breaches started when an employee was fooled by an e-mail message that appeared to come from a trusted sender
- the employee would then click on a file in the e-mail message, which would result in malicious software granting the hacker access to the victim’s network
- the majority of the attacks did not exploit new software vulnerabilities—they exploited old, known software bugs and poor password practices
My recommendations:
- make sure your software is up to date and patches are installed as soon as they become available
- educate employees on the risks of e-mail and in particular the risks of opening files
- require employees to use strong passwords with a mix of upper and lower case letters and numbers—no words or easy to guess passwords
- don’t use a password for more than one use or Web site. (e.g. if you use the same password at a Web retailer’s site to do shopping and for your corporate e-mail account, the Web retailer’s administrator could easily log into your corporate e-mail!)
Major defense contractors’ networks breaches: Lessons To Learn