Two weeks back there was a crippling cyber attack to hit US Office of Personnel Management that breached US Government Firewall. It’s the agency responsible for managing the personnel records and security clearance details for millions of current and past US government employees.
US government alleged breach enabled attackers to make off with approximately four million recrods, but other sources say it could actually have been as many as 14 million records, many of which are highly sensitive.
The data that was stolen includes highly sensitive background checks pertaining to CIA agents, NSA staffers and military personnel. That is big data leak.
So who is supposed to protect such Govt agencies? Apparently, there is a massive firewall named Einstein that is responsible for intrusion detection and protection.
Einstein (also known as the EINSTEIN Program) was originally an intrusion detection system that monitors the network gateways of government departments and agencies in the United States for unauthorized traffic. The software was developed by the United States Computer Emergency Readiness Team (US-CERT), which is the operational arm of the National Cyber Security Division (NCSD) of the United States Department of Homeland Security (DHS).The program was originally developed to provide “situational awareness” for the civilian agencies. While the first version examined network traffic while the expansion in development could look at content., today’s Einstein is significantly more. [wiki]
According to the Associated Press, “the forms authorities believed may have been stolen en masse, known as Standard Form 86, require applicants to fill out deeply personal information about mental illnesses, drug and alcohol use, arrests and bankruptcies”. [Source: # 1]
How could that have happened with such critical technology? Was Einstein at fault, or did it not have enough information to do its job right? Further research shows that the latter seems to be the answer. The audit office tried to exploit 489 known vulnerabilities across Flash, Office, Java, IE and Acrobat, and found the system only identified and blocked 29.
Einstein was built in 2003 to automatically monitor agency network traffic, and later expanded to offer signature-based detection and malware-blocking abilities. The department told the office Einstein was always intended to be a signature-based detection system only.
“It is the responsibility of each agency to ensure their networks and information systems are secure while it is the responsibility of DHS to provide a baseline set of protections and government-wide situational awareness, as part of a defense-in-depth information security strategy,” the department told the auditors.
In April 2015, the US-CERT used Einstein to uncover a potential breach of personally identifiable information (PII), to which it sent a team of investigators to see who and what had been affected. It was then it discovered that the OPM had been hit.Considering this an historic incident, it updated the Einstein IDS with new signatures that detected the kind of attack the US-CERT had discovered, and it was only then it found the issue was ongoing. As soon as Einstein was updated to look for the historic signature, it lit up like a Christmas tree.
Nevertheless, the current version of Einstein did not stop the attack because it is simply a detection suite rather than a prevention system. The next version of Einstein should have the ability to do attack prevention, but for now it’s only as good as the information it’s given for stopping attacks that the US-CERT has seen before.
The government spent US$1.2 billion on this US Government Firewall system in the last year alone, for a total projected cost of US$5.7 billion to fiscal 2018.