US Government Firewall Einstein fails to protect Govt agencies from massive data breach

Two weeks ago the US Office of Personnel Management (OPM) was hit by a crippling cyber attack that got past the US government's Einstein firewall. OPM is the agency responsible for managing the personnel records and security clearance details of millions of current and former US government employees.

The US government said the breach let attackers make off with approximately four million records, but other sources say the figure could be as high as 14 million, many of them highly sensitive.

The stolen data includes highly sensitive background-check material on CIA agents, NSA staffers and military personnel. That is a big data leak.

So who is supposed to protect such agencies? Apparently a massive firewall named Einstein is responsible for intrusion detection and protection.

Einstein (also known as the EINSTEIN Program) was originally an intrusion detection system that monitors the network gateways of US government departments and agencies for unauthorized traffic. The software was developed by the United States Computer Emergency Readiness Team (US-CERT), the operational arm of the National Cyber Security Division (NCSD) of the Department of Homeland Security (DHS). The program was originally built to provide "situational awareness" for the civilian agencies. The first version examined only network traffic, while the later expansion could look at content; today's Einstein is significantly more than that. [wiki]

According to the Associated Press, “the forms authorities believed may have been stolen en masse, known as Standard Form 86, require applicants to fill out deeply personal information about mental illnesses, drug and alcohol use, arrests and bankruptcies”. [Source: # 1]

How could that have happened with such critical technology? Was Einstein at fault, or did it simply not have enough information to do its job? Further research suggests the latter. The audit office tried to exploit 489 known vulnerabilities across Flash, Office, Java, Internet Explorer and Acrobat, and found that the system identified and blocked only 29 of them.

Einstein was built in 2003 to automatically monitor agency network traffic, and later expanded to offer signature-based detection and malware-blocking abilities. The department told the office Einstein was always intended to be a signature-based detection system only.

“It is the responsibility of each agency to ensure their networks and information systems are secure while it is the responsibility of DHS to provide a baseline set of protections and government-wide situational awareness, as part of a defense-in-depth information security strategy,” the department told the auditors.

In April 2015, US-CERT used Einstein to uncover a potential breach of personally identifiable information (PII) and sent a team of investigators to establish who and what had been affected. It was then that it discovered OPM had been hit. Treating this as a historic incident, it updated the Einstein IDS with new signatures for the kind of attack it had just characterised, and only then did it find that the intrusion was still ongoing. As soon as Einstein was updated to look for that signature, it lit up like a Christmas tree.

Even so, the current version of Einstein could not stop the attack, because it is a detection suite rather than a prevention system. The next version of Einstein is supposed to add attack prevention, but for now it is only as good as the signatures it is given, which means it can only recognise attacks that US-CERT has already seen.
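The two limits described above, that a signature-based sensor sees only what it has a signature for, and that a detection-only deployment forwards traffic even when it matches, are easy to show with a toy sensor. The following is an added example, not Einstein's code or anything from US-CERT; the gateway records, the addresses (RFC 5737 documentation ranges) and the two signatures are all constructed for illustration.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    """A content signature: a name and a regular expression over the payload."""
    name: str
    pattern: str

    def matches(self, payload: str) -> bool:
        return re.search(self.pattern, payload, re.IGNORECASE) is not None


# Constructed gateway records standing in for stored agency traffic.
# None of this is real OPM or Einstein data; it is made up for the example.
HISTORIC_RECORDS = [
    {"ts": "2014-07-01T03:12:00Z", "src": "10.9.8.7",
     "payload": "GET /index.html HTTP/1.1"},
    {"ts": "2014-07-01T03:13:10Z", "src": "198.51.100.5",
     "payload": "POST /upload.php HTTP/1.1 ... <?php eval(base64_decode($_POST['c']))"},
    {"ts": "2014-07-02T11:00:00Z", "src": "198.51.100.5",
     "payload": "GET /cgi-bin/status?cmd=id HTTP/1.1"},
    {"ts": "2014-09-10T02:05:00Z", "src": "198.51.100.5",
     "payload": "GET /cgi-bin/status?cmd=cat%20/etc/passwd HTTP/1.1"},
    {"ts": "2015-04-15T09:00:00Z", "src": "203.0.113.9",
     "payload": "POST /api/export HTTP/1.1 ... table=sf86&format=zip"},
]


def scan(records, signatures, prevent=False):
    """Run every signature over every record.

    Returns (alerts, forwarded). alerts is a list of (record index,
    signature name) pairs. forwarded is the list of records allowed
    through: with prevent=False (detection only) every record is
    forwarded even when it matched; with prevent=True matched records
    are dropped.
    """
    alerts = []
    forwarded = []
    for i, rec in enumerate(records):
        hits = [s.name for s in signatures if s.matches(rec["payload"])]
        alerts.extend((i, name) for name in hits)
        if not hits or not prevent:
            forwarded.append(rec)
    return alerts, forwarded


def run_scenario():
    # Day one: the sensor knows only a generic PHP web-shell signature.
    sigs = [Signature("php-webshell-eval", r"eval\s*\(\s*base64_decode")]
    first_pass, _ = scan(HISTORIC_RECORDS, sigs)

    # Investigators later characterise the attacker's command channel and
    # write a signature for it. Replaying the stored records against the
    # updated set surfaces the earlier activity nobody had noticed.
    sigs.append(Signature("cgi-status-cmd", r"/cgi-bin/status\?cmd="))
    replay, _ = scan(HISTORIC_RECORDS, sigs)

    # With the signatures in place, a detection-only deployment still lets
    # every record through; only prevention mode drops the matches. The
    # export of the sf86 table matches nothing and passes in both modes.
    _, forwarded_detect = scan(HISTORIC_RECORDS, sigs, prevent=False)
    _, forwarded_prevent = scan(HISTORIC_RECORDS, sigs, prevent=True)

    return {
        "first_pass": first_pass,
        "replay": replay,
        "detect_forwarded": len(forwarded_detect),
        "prevent_forwarded": len(forwarded_prevent),
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(key, value)
```

Running the scenario shows one alert on the first pass, three after the replay with the added signature, and five of five records forwarded in detection mode against two of five in prevention mode. The last record, the bulk export that carries the most damaging data, is never flagged in either mode because no signature describes it, which is exactly the gap a signature-only sensor leaves.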

The government spent US$1.2 billion on this US Government Firewall system in the last year alone, for a total projected cost of US$5.7 billion to fiscal 2018.

Sources:

  1. Einstein alone can’t keep you safe from cyber attack
  2. Auditors slam US govt’s $8bn firewall as ineffective


One comment

  1. Amazing, so much money for some shitty system that cannot even detect the issues properly, let alone protect the assets efficiently. Where is all that money going, how do they present the expenses, and to whom?
